Merge pull request netblue30#6230 from kmk3/build-reduce-inconsistencies

build: reduce hardcoding and inconsistencies

.github/workflows/build-extra.yml

@@ -48,12 +48,10 @@ jobs:
  with:
  egress-policy: block
  allowed-endpoints: >
- archive.ubuntu.com:80
  azure.archive.ubuntu.com:80
  github.com:443
  packages.microsoft.com:443
  ppa.launchpadcontent.net:443
- security.ubuntu.com:80
  - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
  - name: update package information
  run: sudo apt-get update -qy
@@ -65,12 +63,13 @@ jobs:
  run: ./ci/printenv.sh
  - name: configure
  run: >
- CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor
- --enable-selinux
+ ./configure CC=clang-14
+ --prefix=/usr --enable-fatal-warnings
+ --enable-apparmor --enable-selinux
  || (cat config.log; exit 1)
  - name: make
  run: make
  - name: make install
  run: sudo make install
  - name: print version
- run: command -V firejail && firejail --version
+ run: make print-version

.github/workflows/build.yml

@@ -74,18 +74,18 @@ jobs:
  - name: install dependencies
  run: >
  sudo apt-get install -qy
- gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois
- bridge-utils
+ gcc-12 libapparmor-dev libselinux1-dev
  - name: print env
  run: ./ci/printenv.sh
  - name: configure
  run: >
- CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
- --enable-analyzer --enable-apparmor --enable-selinux
+ ./configure CC=gcc-12
+ --prefix=/usr --enable-fatal-warnings --enable-analyzer
+ --enable-apparmor --enable-selinux
  || (cat config.log; exit 1)
  - name: make
  run: make
  - name: make install
  run: sudo make install
- - name: print firejail version
- run: command -V firejail && firejail --version
+ - name: print version
+ run: make print-version

.github/workflows/check-c.yml

@@ -8,9 +8,9 @@ on:
  branches-ignore:
  - 'dependabot/**'
  paths:
+ - '**.c'
+ - '**.h'
  - 'm4/**'
- - 'src/**.c'
- - 'src/**.h'
  - 'src/**.mk'
  - 'src/**Makefile'
  - .github/workflows/check-c.yml
@@ -22,9 +22,9 @@ on:
  - configure.ac
  pull_request:
  paths:
+ - '**.c'
+ - '**.h'
  - 'm4/**'
- - 'src/**.c'
- - 'src/**.h'
  - 'src/**.mk'
  - 'src/**Makefile'
  - .github/workflows/check-c.yml
@@ -68,7 +68,8 @@ jobs:
  - name: configure
  run: >
  ./configure CC=clang-14 SCAN_BUILD=scan-build-14
- --enable-fatal-warnings --enable-apparmor --enable-selinux
+ --prefix=/usr --enable-fatal-warnings
+ --enable-apparmor --enable-selinux
  || (cat config.log; exit 1)
  - name: scan-build
  run: make scan-build

.github/workflows/test.yml

@@ -73,15 +73,16 @@ jobs:
  run: ./ci/printenv.sh
  - name: configure
  run: >
- CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
- --enable-analyzer --enable-apparmor --enable-selinux
+ ./configure CC=gcc-12
+ --prefix=/usr --enable-fatal-warnings --enable-analyzer
+ --enable-apparmor --enable-selinux
  || (cat config.log; exit 1)
  - name: make
  run: make -j "$(nproc)"
  - name: make install
  run: sudo make install
- - name: print firejail version
- run: command -V firejail && firejail --version
+ - name: print version
+ run: make print-version
  - run: make lab-setup
  - run: make test-seccomp-extra
  - run: make test-firecfg
@@ -121,15 +122,16 @@ jobs:
  run: ./ci/printenv.sh
  - name: configure
  run: >
- CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
- --enable-analyzer --enable-apparmor --enable-selinux
+ ./configure CC=gcc-12
+ --prefix=/usr --enable-fatal-warnings --enable-analyzer
+ --enable-apparmor --enable-selinux
  || (cat config.log; exit 1)
  - name: make
  run: make -j "$(nproc)"
  - name: make install
  run: sudo make install
- - name: print firejail version
- run: command -V firejail && firejail --version
+ - name: print version
+ run: make print-version
  - run: make lab-setup
  - run: make test-private-etc
  - run: make test-fs
@@ -160,15 +162,16 @@ jobs:
  run: ./ci/printenv.sh
  - name: configure
  run: >
- CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
- --enable-analyzer --enable-apparmor --enable-selinux
+ ./configure CC=gcc-12
+ --prefix=/usr --enable-fatal-warnings --enable-analyzer
+ --enable-apparmor --enable-selinux
  || (cat config.log; exit 1)
  - name: make
  run: make -j "$(nproc)"
  - name: make install
  run: sudo make install
- - name: print firejail version
- run: command -V firejail && firejail --version
+ - name: print version
+ run: make print-version
  - run: make lab-setup
  - run: make test-environment
  - run: make test-profiles
@@ -202,15 +205,16 @@ jobs:
  run: ./ci/printenv.sh
  - name: configure
  run: >
- CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
- --enable-analyzer --enable-apparmor --enable-selinux
+ ./configure CC=gcc-12
+ --prefix=/usr --enable-fatal-warnings --enable-analyzer
+ --enable-apparmor --enable-selinux
  || (cat config.log; exit 1)
  - name: make
  run: make -j "$(nproc)"
  - name: make install
  run: sudo make install
- - name: print firejail version
- run: command -V firejail && firejail --version
+ - name: print version
+ run: make print-version
  - run: make lab-setup
  - run: make test-utils
 
@@ -248,15 +252,16 @@ jobs:
  run: ./ci/printenv.sh
  - name: configure
  run: >
- CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
- --enable-analyzer --enable-apparmor --enable-selinux
+ ./configure CC=gcc-12
+ --prefix=/usr --enable-fatal-warnings --enable-analyzer
+ --enable-apparmor --enable-selinux
  || (cat config.log; exit 1)
  - name: make
  run: make -j "$(nproc)"
  - name: make install
  run: sudo make install
- - name: print firejail version
- run: command -V firejail && firejail --version
+ - name: print version
+ run: make print-version
  - run: make lab-setup
  - run: make test-fnetfilter
  - run: make test-sysutils

.gitlab-ci.yml

@@ -1,10 +1,13 @@
-# Basic notes: builds firejail on 5 different systems for 2 package systems:
-# 1. Debian-based systems. Use debian:jessie to ensure reasonable backwards
-# compat and ubuntu:rolling for new setups
-# 2. Redhat-based systems. Use centos:latest for reasonable backwards compat
-# and fedora:latest for new setups
-# 3. Alpine for installing directly from source
-# Also builds apparmor package for Ubuntu LTS
+# Builds on multiple systems using different package managers:
+#
+# - Debian-based systems: Use oldest working/supported debian image for
+# reasonable backwards compatibility and ubuntu:rolling for new setups.
+# Additionally, ensure that the package works without apparmor.
+#
+# - Redhat-based systems: Use a centos-like distribution for reasonable
+# backwards compatibility and fedora:latest for new setups.
+#
+# - Alpine: Use it for installing directly from source.
 
 build_ubuntu_package:
  image: ubuntu:rolling
@@ -19,9 +22,10 @@ build_ubuntu_package:
  | grep -Ev '^(Selecting|Preparing to unpack|Unpacking)'
  - ./ci/printenv.sh
  - ./configure || (cat config.log; exit 1)
- - make deb
- - dpkg -i firejail*.deb
- - command -V firejail && firejail --version
+ - make dist
+ - ./mkdeb.sh --enable-fatal-warnings
+ - dpkg -i ./*.deb
+ - make print-version
 
 build_debian_package:
  image: debian:buster
@@ -36,9 +40,31 @@ build_debian_package:
  | grep -Ev '^(Selecting|Preparing to unpack|Unpacking)'
  - ./ci/printenv.sh
  - ./configure || (cat config.log; exit 1)
- - make deb
- - dpkg -i firejail*.deb
- - command -V firejail && firejail --version
+ - make dist
+ - ./mkdeb.sh --enable-fatal-warnings
+ - dpkg -i ./*.deb
+ - make print-version
+
+build_no_apparmor:
+ image: ubuntu:latest
+ timeout: 10 minutes
+ variables:
+ DEBIAN_FRONTEND: noninteractive
+ script:
+ - apt-get update -qy
+ - >
+ apt-get install --no-install-recommends -qy
+ build-essential fakeroot lintian pkg-config gawk
+ | grep -Ev '^(Selecting|Preparing to unpack|Unpacking)'
+ - ./ci/printenv.sh
+ - ./configure || (cat config.log; exit 1)
+ - make dist
+ - >
+ ./mkdeb.sh --enable-fatal-warnings
+ --disable-apparmor
+ - dpkg -i ./*.deb
+ - make print-version
+ - make print-version | grep -F 'AppArmor support is disabled'
 
 build_redhat_package:
  image: almalinux:latest
@@ -48,9 +74,10 @@ build_redhat_package:
  - dnf install -y rpm-build gcc make
  - ./ci/printenv.sh
  - ./configure || (cat config.log; exit 1)
- - make rpms
- - rpm -i firejail*.rpm
- - command -V firejail && firejail --version
+ - make dist
+ - ./platform/rpm/mkrpm.sh --enable-fatal-warnings
+ - rpm -i ./*.rpm
+ - make print-version
 
 build_fedora_package:
  image: fedora:latest
@@ -60,9 +87,10 @@ build_fedora_package:
  - dnf install -y rpm-build gcc make
  - ./ci/printenv.sh
  - ./configure || (cat config.log; exit 1)
- - make rpms
- - rpm -i firejail*.rpm
- - command -V firejail && firejail --version
+ - make dist
+ - ./platform/rpm/mkrpm.sh --enable-fatal-warnings
+ - rpm -i ./*.rpm
+ - make print-version
 
 build_src_package:
  image: alpine:latest
@@ -72,29 +100,14 @@ build_src_package:
  - apk upgrade
  - apk add build-base linux-headers gawk
  - ./ci/printenv.sh
- - ./configure --prefix=/usr || (cat config.log; exit 1)
+ # Note: Do not use ` --enable-fatal-warnings` because the build
+ # currently produces warnings on Alpine (see #6224).
+ - >
+ ./configure --prefix=/usr
+ || (cat config.log; exit 1)
  - make
  - make install-strip
- - command -V firejail && firejail --version
-
-build_no_apparmor:
- image: ubuntu:latest
- timeout: 10 minutes
- variables:
- DEBIAN_FRONTEND: noninteractive
- script:
- - apt-get update -qy
- - >
- apt-get install --no-install-recommends -qy
- build-essential fakeroot lintian pkg-config gawk
- | grep -Ev '^(Selecting|Preparing to unpack|Unpacking)'
- - ./ci/printenv.sh
- - ./configure || (cat config.log; exit 1)
- - make dist
- - ./mkdeb.sh --disable-apparmor
- - dpkg -i firejail*.deb
- - command -V firejail && firejail --version
- - firejail --version | grep -F 'AppArmor support is disabled'
+ - make print-version
 
 debian_ci:
  image: registry.salsa.debian.org/salsa-ci-team/ci-image-git-buildpackage:latest
@@ -103,6 +116,7 @@ debian_ci:
  DEBFULLNAME: "$GITLAB_USER_NAME"
  DEBEMAIL: "$GITLAB_USER_EMAIL"
  DEBIAN_FRONTEND: noninteractive
+ PKGNAME: firejail
  before_script:
  - git checkout -B ci_build "$CI_COMMIT_SHA"
  - gitlab-ci-enable-sid
@@ -117,17 +131,17 @@ debian_ci:
  - git config user.email "$DEBEMAIL"
  - |
  cd "$CI_PROJECT_DIR/.."
- apt-get source --download-only -t experimental firejail ||
- apt-get source --download-only firejail
+ apt-get source --download-only -t experimental "$PKGNAME" ||
+ apt-get source --download-only "$PKGNAME"
  - |
  cd "$CI_PROJECT_DIR"
- tar xf ../firejail_*.debian.tar.*
+ tar xf "../${PKGNAME}"_*.debian.tar.*
  - rm -rf debian/patches/
  - |
  VERSION="$(grep ^PACKAGE_VERSION= configure | cut -d "'" -f 2)"
  dch -v "${VERSION}-0.1~ci" 'Non-maintainer upload.'
- git archive -o "../firejail_${VERSION}.orig.tar.gz" HEAD
- pristine-tar commit "../firejail_${VERSION}.orig.tar.gz" ci_build
+ git archive -o "../${PKGNAME}_${VERSION}.orig.tar.gz" HEAD
+ pristine-tar commit "../${PKGNAME}_${VERSION}.orig.tar.gz" ci_build
  git branch -m pristine-tar origin/pristine-tar
  - git add debian
  - git commit -m 'add debian/'

Makefile

@@ -391,6 +391,10 @@ codespell:
 print-env:
  ./ci/printenv.sh
 
+.PHONY: print-version
+print-version: config.mk
+ command -V $(TARNAME) && $(TARNAME) --version
+
 #
 # make test
 #

contrib/update_deb.sh

@@ -16,7 +16,7 @@ sed -i "s/# restricted-network .*/restricted-network yes/" \
  etc/firejail.config
 
 make deb
-sudo dpkg -i firejail*.deb
+sudo dpkg -i ./*.deb
 echo "Firejail updated."
 cd ..
 rm -rf firejail