#
# Note:
#
# If for any reason autoconf fails, run "autoreconf -i --install " and try again.
# This is how the error looks like on Arch Linux:
#        ./configure: line 3064: syntax error near unexpected token `newline'
#        ./configure: line 3064: `AX_CHECK_COMPILE_FLAG('
#
# We rely solely on autoconf, without automake. Apparently, in this case
# the macros from m4 directory are not picked up by default by automake.
# "autoreconf -i --install" seems to fix the problem.
#

AC_PREREQ([2.68])
AC_INIT([firejail], [0.9.73], [netblue30@protonmail.com], [],
    [https://firejail.wordpress.com])

AC_CONFIG_SRCDIR([src/firejail/main.c])
AC_CONFIG_MACRO_DIR([m4])

AC_PROG_CC
AC_CHECK_PROGS([CODESPELL], [codespell])
AC_CHECK_PROGS([CPPCHECK], [cppcheck])
AC_CHECK_PROGS([GAWK], [gawk])
AC_CHECK_PROGS([SCAN_BUILD], [scan-build])

DEPS_CFLAGS=""
AC_SUBST([DEPS_CFLAGS])
AX_CHECK_COMPILE_FLAG([-MMD -MP], [
	DEPS_CFLAGS="$DEPS_CFLAGS -MMD -MP"
])

AX_CHECK_COMPILE_FLAG([-D_FORTIFY_SOURCE=2], [
	EXTRA_CFLAGS="$EXTRA_CFLAGS -D_FORTIFY_SOURCE=2"
], [], [$CFLAGS $CPPFLAGS -Werror])

HAVE_SPECTRE="no"
AX_CHECK_COMPILE_FLAG([-mindirect-branch=thunk], [
	HAVE_SPECTRE="yes"
	EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk"
])
AX_CHECK_COMPILE_FLAG([-fstack-clash-protection], [
	HAVE_SPECTRE="yes"
	EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection"
])
AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [
	HAVE_SPECTRE="yes"
	EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-protector-strong"
])

AC_ARG_ENABLE([analyzer],
    [AS_HELP_STRING([--enable-analyzer], [enable GCC static analyzer])])
AS_IF([test "x$enable_analyzer" = "xyes"], [
	EXTRA_CFLAGS="$EXTRA_CFLAGS -fanalyzer -Wno-analyzer-malloc-leak"
])

AC_ARG_ENABLE([sanitizer],
    [AS_HELP_STRING([--enable-sanitizer=@<:@address | memory | undefined@:>@],
        [enable a compiler-based sanitizer (debug)])],
    [],
    [enable_sanitizer=no])
AS_IF([test "x$enable_sanitizer" != "xno" ], [
	AX_CHECK_COMPILE_FLAG([-fsanitize=$enable_sanitizer], [
		EXTRA_CFLAGS="$EXTRA_CFLAGS -fsanitize=$enable_sanitizer -fno-omit-frame-pointer"
		EXTRA_LDFLAGS="$EXTRA_LDFLAGS -fsanitize=$enable_sanitizer"
	], [AC_MSG_ERROR([sanitizer not supported: $enable_sanitizer])])
])

HAVE_IDS=""
AC_SUBST([HAVE_IDS])
AC_ARG_ENABLE([ids],
    [AS_HELP_STRING([--enable-ids], [enable ids])])
AS_IF([test "x$enable_ids" = "xyes"], [
	HAVE_IDS="-DHAVE_IDS"
])

HAVE_APPARMOR=""
AC_SUBST([HAVE_APPARMOR])
AC_ARG_ENABLE([apparmor],
    [AS_HELP_STRING([--enable-apparmor], [enable apparmor])])
AS_IF([test "x$enable_apparmor" = "xyes"], [
	HAVE_APPARMOR="-DHAVE_APPARMOR"
	PKG_CHECK_MODULES([AA], [libapparmor], [
		EXTRA_CFLAGS="$EXTRA_CFLAGS $AA_CFLAGS"
		LIBS="$LIBS $AA_LIBS"
	])
])

HAVE_SELINUX=""
AC_SUBST([HAVE_SELINUX])
AC_ARG_ENABLE([selinux],
    [AS_HELP_STRING([--enable-selinux], [SELinux labeling support])])
AS_IF([test "x$enable_selinux" = "xyes"], [
	HAVE_SELINUX="-DHAVE_SELINUX"
	LIBS="$LIBS -lselinux"
])

HAVE_LANDLOCK=""
AC_SUBST([HAVE_LANDLOCK])
AC_ARG_ENABLE([landlock],
    [AS_HELP_STRING([--enable-landlock], [Landlock self-restriction support])])
AS_IF([test "x$enable_landlock" != "xno"], [
	AC_CHECK_HEADER([linux/landlock.h],
	    [HAVE_LANDLOCK="-DHAVE_LANDLOCK"],
	    [AC_MSG_WARN([header not found: linux/landlock.h, building without Landlock support])])
])

AC_SUBST([EXTRA_CFLAGS])
AC_SUBST([EXTRA_LDFLAGS])

HAVE_DBUSPROXY=""
AC_SUBST([HAVE_DBUSPROXY])
AC_ARG_ENABLE([dbusproxy],
    [AS_HELP_STRING([--disable-dbusproxy], [disable dbus proxy])])
AS_IF([test "x$enable_dbusproxy" != "xno"], [
	HAVE_DBUSPROXY="-DHAVE_DBUSPROXY"
])

# overlayfs features temporarily disabled pending fixes
HAVE_OVERLAYFS=""
AC_SUBST([HAVE_OVERLAYFS])
#AC_ARG_ENABLE([overlayfs],
#    [AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])])
#AS_IF([test "x$enable_overlayfs" != "xno"], [
#	HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
#])

HAVE_OUTPUT=""
AC_SUBST([HAVE_OUTPUT])
AC_ARG_ENABLE([output],
    [AS_HELP_STRING([--disable-output], [disable --output logging])])
AS_IF([test "x$enable_output" != "xno"], [
	HAVE_OUTPUT="-DHAVE_OUTPUT"
])

HAVE_USERTMPFS=""
AC_SUBST([HAVE_USERTMPFS])
AC_ARG_ENABLE([usertmpfs],
    [AS_HELP_STRING([--disable-usertmpfs], [disable tmpfs as regular user])])
AS_IF([test "x$enable_usertmpfs" != "xno"], [
	HAVE_USERTMPFS="-DHAVE_USERTMPFS"
])

HAVE_MAN="no"
AC_SUBST([HAVE_MAN])
AC_ARG_ENABLE([man],
    [AS_HELP_STRING([--disable-man], [disable man pages])])
AS_IF([test "x$enable_man" != "xno"], [
	HAVE_MAN="-DHAVE_MAN"
	AS_IF([test "x$GAWK" = "x"], [AC_MSG_ERROR([*** gawk not found ***])])
])

HAVE_PRIVATE_HOME=""
AC_SUBST([HAVE_PRIVATE_HOME])
AC_ARG_ENABLE([private-home],
    [AS_HELP_STRING([--disable-private-home], [disable private home feature])])
AS_IF([test "x$enable_private_home" != "xno"], [
	HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME"
])

HAVE_PRIVATE_LIB=""
AC_SUBST([HAVE_PRIVATE_LIB])
AC_ARG_ENABLE([private-lib],
    [AS_HELP_STRING([--disable-private-lib], [disable private lib feature])])
AS_IF([test "x$enable_private_lib" = "xyes"], [
	HAVE_PRIVATE_LIB="-DHAVE_PRIVATE_LIB"
])

HAVE_CHROOT=""
AC_SUBST([HAVE_CHROOT])
AC_ARG_ENABLE([chroot],
    [AS_HELP_STRING([--disable-chroot], [disable chroot])])
AS_IF([test "x$enable_chroot" != "xno"], [
	HAVE_CHROOT="-DHAVE_CHROOT"
])

HAVE_GLOBALCFG=""
AC_SUBST([HAVE_GLOBALCFG])
AC_ARG_ENABLE([globalcfg],
    [AS_HELP_STRING([--disable-globalcfg],
        [if the global config file firejail.config is not present, continue the program using defaults])])
AS_IF([test "x$enable_globalcfg" != "xno"], [
	HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
])

HAVE_NETWORK=""
AC_SUBST([HAVE_NETWORK])
AC_ARG_ENABLE([network],
    [AS_HELP_STRING([--disable-network], [disable network])])
AS_IF([test "x$enable_network" != "xno"], [
	HAVE_NETWORK="-DHAVE_NETWORK"
])

HAVE_USERNS=""
AC_SUBST([HAVE_USERNS])
AC_ARG_ENABLE([userns],
    [AS_HELP_STRING([--disable-userns], [disable user namespace])])
AS_IF([test "x$enable_userns" != "xno"], [
	HAVE_USERNS="-DHAVE_USERNS"
])

HAVE_X11=""
AC_SUBST([HAVE_X11])
AC_ARG_ENABLE([x11],
    [AS_HELP_STRING([--disable-x11], [disable X11 sandboxing support])])
AS_IF([test "x$enable_x11" != "xno"], [
	HAVE_X11="-DHAVE_X11"
])

HAVE_FILE_TRANSFER=""
AC_SUBST([HAVE_FILE_TRANSFER])
AC_ARG_ENABLE([file-transfer],
    [AS_HELP_STRING([--disable-file-transfer], [disable file transfer])])
AS_IF([test "x$enable_file_transfer" != "xno"], [
	HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER"
])

HAVE_SUID=""
AC_SUBST([HAVE_SUID])
AC_ARG_ENABLE([suid],
    [AS_HELP_STRING([--disable-suid], [install as a non-SUID executable])])
AS_IF([test "x$enable_suid" != "xno"], [
	HAVE_SUID="-DHAVE_SUID"
])

HAVE_FATAL_WARNINGS=""
AC_SUBST([HAVE_FATAL_WARNINGS])
AC_ARG_ENABLE([fatal_warnings],
    [AS_HELP_STRING([--enable-fatal-warnings], [-W -Werror])])
AS_IF([test "x$enable_fatal_warnings" = "xyes"], [
	HAVE_FATAL_WARNINGS="-W -Werror"
])

BUSYBOX_WORKAROUND="no"
AC_SUBST([BUSYBOX_WORKAROUND])
AC_ARG_ENABLE([busybox-workaround],
    [AS_HELP_STRING([--enable-busybox-workaround], [enable busybox workaround])])
AS_IF([test "x$enable_busybox_workaround" = "xyes"], [
	BUSYBOX_WORKAROUND="yes"
])

HAVE_GCOV=""
AC_SUBST([HAVE_GCOV])
AC_ARG_ENABLE([gcov],
    [AS_HELP_STRING([--enable-gcov], [Gcov instrumentation])])
AS_IF([test "x$enable_gcov" = "xyes"], [
	HAVE_GCOV="--coverage -DHAVE_GCOV"
	EXTRA_LDFLAGS="$EXTRA_LDFLAGS --coverage"
	LIBS="$LIBS -lgcov"
])

HAVE_CONTRIB_INSTALL="yes"
AC_SUBST([HAVE_CONTRIB_INSTALL])
AC_ARG_ENABLE([contrib-install],
    [AS_HELP_STRING([--enable-contrib-install], [install contrib scripts])])
AS_IF([test "x$enable_contrib_install" = "xno"], [
	HAVE_CONTRIB_INSTALL="no"
])

HAVE_FORCE_NONEWPRIVS=""
AC_SUBST([HAVE_FORCE_NONEWPRIVS])
AC_ARG_ENABLE([force-nonewprivs],
    [AS_HELP_STRING([--enable-force-nonewprivs], [enable force nonewprivs])])
AS_IF([test "x$enable_force_nonewprivs" = "xyes"], [
	HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS"
])

HAVE_ONLY_SYSCFG_PROFILES=""
AC_SUBST([HAVE_ONLY_SYSCFG_PROFILES])
AC_ARG_ENABLE([only-syscfg-profiles],
    [AS_HELP_STRING([--enable-only-syscfg-profiles], [disable profiles in $HOME/.config/firejail])])
AS_IF([test "x$enable_only_syscfg_profiles" = "xyes"], [
	HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES"
])

AC_CHECK_HEADER([linux/seccomp.h], [],
    [AC_MSG_ERROR([*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***])])

# set sysconfdir
if test "$prefix" = /usr; then
	test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc"
fi

AC_CONFIG_FILES([config.mk config.sh])
AC_OUTPUT

cat <<EOF

Compile options:
   CC: $CC
   CFLAGS: $CFLAGS
   CPPFLAGS: $CPPFLAGS
   LDFLAGS: $LDFLAGS
   EXTRA_CFLAGS: $EXTRA_CFLAGS
   DEPS_CFLAGS: $DEPS_CFLAGS
   EXTRA_LDFLAGS: $EXTRA_LDFLAGS
   LIBS: $LIBS
   fatal warnings: $HAVE_FATAL_WARNINGS
   gcov instrumentation: $HAVE_GCOV
   install as a SUID executable: $HAVE_SUID
   install contrib scripts: $HAVE_CONTRIB_INSTALL
   prefix: $prefix
   sysconfdir: $sysconfdir
   Spectre compiler patch: $HAVE_SPECTRE

Features:
   allow tmpfs as regular user: $HAVE_USERTMPFS
   always enforce filters: $HAVE_FORCE_NONEWPRIVS
   apparmor: $HAVE_APPARMOR
   busybox workaround: $BUSYBOX_WORKAROUND
   chroot: $HAVE_CHROOT
   DBUS proxy support: $HAVE_DBUSPROXY
   disable user profiles: $HAVE_ONLY_SYSCFG_PROFILES
   enable --output logging: $HAVE_OUTPUT
   file transfer support: $HAVE_FILE_TRANSFER
   global config: $HAVE_GLOBALCFG
   IDS support: $HAVE_IDS
   Landlock support: $HAVE_LANDLOCK
   manpage support: $HAVE_MAN
   network: $HAVE_NETWORK
   overlayfs support: $HAVE_OVERLAYFS
   private home support: $HAVE_PRIVATE_HOME
   private lib support: $HAVE_PRIVATE_LIB
   SELinux labeling support: $HAVE_SELINUX
   user namespace: $HAVE_USERNS
   X11 sandboxing support: $HAVE_X11

EOF