configure*: fix build with non-bash /bin/sh #4293
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The configure script happens to work if /bin/sh supports the non-POSIX "+=" operator (e.g.: bash) and fails otherwise (e.g.: dash). This usage first appeared on configure.ac on commit 66a4764 ("gcov support"), which is from 2016. If the --enable-apparmor flag is passed to ./configure (which is the default on Arch Linux), running `make` fails due to the missing -lapparmor LDFLAG. Thus, building firejail-git from the AUR does not work if /bin/sh is e.g.: dash. Errors when running the build commands below from makepkg: $ ./configure --prefix=/usr --enable-apparmor >/dev/null ./configure: 3174: EXTRA_CFLAGS+= -mindirect-branch=thunk: not found ./configure: 3246: EXTRA_CFLAGS+= -fstack-clash-protection: not found ./configure: 3282: EXTRA_CFLAGS+= -fstack-protector-strong: not found ./configure: 3518: EXTRA_CFLAGS+= : not found $ make >/dev/null /usr/bin/ld: apparmor.o: in function `apparmor_test': /tmp/firejail-git/src/firejail-git/src/jailcheck/apparmor.c:28: undefined reference to `aa_gettaskcon' collect2: error: ld returned 1 exit status make[1]: *** [Makefile:10: jailcheck] Error 1 make: *** [Makefile:42: src/jailcheck/jailcheck] Error 2 make: *** Waiting for unfinished jobs.... /usr/bin/ld: apparmor.o: in function `print_apparmor': /tmp/firejail-git/src/firejail-git/src/firemon/apparmor.c:28: undefined reference to `aa_gettaskcon' collect2: error: ld returned 1 exit status make[1]: *** [Makefile:10: firemon] Error 1 make: *** [Makefile:42: src/firemon/firemon] Error 2 /usr/bin/ld: join.o: in function `extract_apparmor': /tmp/firejail-git/src/firejail-git/src/firejail/join.c:65: undefined reference to `aa_is_enabled' /usr/bin/ld: sandbox.o: in function `set_apparmor': /tmp/firejail-git/src/firejail-git/src/firejail/sandbox.c:133: undefined reference to `aa_change_onexec' collect2: error: ld returned 1 exit status make[1]: *** [Makefile:10: firejail] Error 1 make: *** [Makefile:42: src/firejail/firejail] Error 2 Without the apparmor flag, the CFLAGS related to HAVE_SPECTRE do not get applied either, but `make` does not error out, so the problem is harder to detect in this case. Diff comparing the output of `./configure 2>&1` when running without and then with this patch: $ git --no-pager diff --no-index configure_current.log configure_patch.log diff --git a/configure_current.log b/configure_patch.log index f5e814f..099d836 100644 --- a/configure_current.log +++ b/configure_patch.log @@ -10,12 +10,9 @@ checking for gcc option to accept ISO C89... none needed checking for a BSD-compatible install... /usr/bin/install -c checking for ranlib... ranlib checking whether C compiler accepts -mindirect-branch=thunk... yes -./configure: 3174: EXTRA_CFLAGS+= -mindirect-branch=thunk: not found checking whether C compiler accepts -mretpoline... no checking whether C compiler accepts -fstack-clash-protection... yes -./configure: 3246: EXTRA_CFLAGS+= -fstack-clash-protection: not found checking whether C compiler accepts -fstack-protector-strong... yes -./configure: 3282: EXTRA_CFLAGS+= -fstack-protector-strong: not found checking for pkg-config... /usr/bin/pkg-config checking pkg-config is at least version 0.9.0... yes checking for gawk... yes @@ -88,7 +85,7 @@ Configuration options: busybox workaround: no Spectre compiler patch: yes EXTRA_LDFLAGS: - EXTRA_CFLAGS: + EXTRA_CFLAGS: -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong fatal warnings: Gcov instrumentation: Install contrib scripts: yes
|
@reinerh By the way, how does the build work on Debian if it uses dash as I don't know much about Debian packaging, but I tried looking at [1] from [2], #!/bin/bash
LOGFILE="$ADTTMP/test-network.log"
# copy tests to temporary directory, as current one might be read-only
cp -a test "$ADTTMP"
cd "$ADTTMP/test"
pushd network
bash -x ./configure
runuser -u nobody -g nogroup -- bash -x ./network.sh | tee "$LOGFILE"
popd
echo "======================================"
grep "TESTING" "$LOGFILE"
echo "======================================"
[ $(grep -c "TESTING ERROR" "$LOGFILE") -gt 0 ] && exit 1
exit 0While the main build looks rather default[3]. From #!/usr/bin/make -f
#export DH_VERBOSE=1
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
%:
dh $@
override_dh_auto_configure:
dh_auto_configure -- --enable-apparmor --enable-contrib-install=no
override_dh_fixperms-arch:
dh_fixperms
chmod 4755 debian/firejail/usr/bin/firejailDoes [1] https://deb.debian.org/debian/pool/main/f/firejail/firejail_0.9.58.2-2+deb10u2.debian.tar.xz |
|
Hi @kmk3,
It looks like on Debian I'm not exactly sure where this is coming from. Maybe from autotools. But I'm quite sure this does not come from Debian tool (debhelper), I didn't find anything in the code there. But your changes look good to me. Getting rid of bashisms is worth it, thanks! |
reinerh
approved these changes
May 22, 2021
Fred-Barclay
approved these changes
May 22, 2021
kmk3
added a commit
to kmk3/firejail
that referenced
this pull request
May 28, 2021
This fixes the following warning:
$ autoconf
configure.ac:306: warning: AC_OUTPUT should be used without arguments.
configure.ac:306: You should run autoupdate.
Environment:
$ grep '^NAME' /etc/os-release
NAME="Artix Linux"
$ pacman -Q autoconf
autoconf 2.71-1
Though keep AC_PREREQ at 2.68 (released on 2010-09-23[1]), as version
2.71 (which autoupdate automatically bumps to) is rather recent
(released on 2021-01-28[2]) and the changes do not appear to require a
version bump, as on `AC_INIT` it only adds some quotes, and the rest of
the changes are consistent with the autoconf 2.68 manual. From Section
18.4, Obsolete Macros[3]:
> — Macro: AC_OUTPUT ([file]..., [extra-cmds], [init-cmds])
>
> The use of AC_OUTPUT with arguments is deprecated. This obsoleted
> interface is equivalent to:
>
> AC_CONFIG_FILES(file...)
> AC_CONFIG_COMMANDS([default],
> extra-cmds, init-cmds)
> AC_OUTPUT
>
> See AC_CONFIG_FILES, AC_CONFIG_COMMANDS, and AC_OUTPUT.
Note: The usage of the above format has been present since the inception
of configure.ac, on commit 1379851 ("Baseline firejail 0.9.28").
Misc: This is a continuation of netblue30#4293.
[1] https://lists.gnu.org/archive/html/info-gnu/2010-09/msg00013.html
[2] https://lists.gnu.org/archive/html/autoconf/2021-01/msg00126.html
[3] https://www.gnu.org/software/autoconf/manual/autoconf-2.68/html_node/Obsolete-Macros.html#index-AC_005fOUTPUT-2058
kmk3
added a commit
to kmk3/firejail
that referenced
this pull request
May 28, 2021
This fixes the following warning:
$ autoconf
configure.ac:306: warning: AC_OUTPUT should be used without arguments.
configure.ac:306: You should run autoupdate.
Environment:
$ grep '^NAME' /etc/os-release
NAME="Artix Linux"
$ pacman -Q autoconf
autoconf 2.71-1
Though keep `AC_PREREQ` at 2.68 (released on 2010-09-23[1]), as version
2.71 (which autoupdate automatically bumps to) is rather recent
(released on 2021-01-28[2]) and the changes do not appear to require a
version bump, as on `AC_INIT` it only adds some quotes, and the rest of
the changes are consistent with the autoconf 2.68 manual. From Section
18.4, Obsolete Macros[3]:
> — Macro: AC_OUTPUT ([file]..., [extra-cmds], [init-cmds])
>
> The use of AC_OUTPUT with arguments is deprecated. This obsoleted
> interface is equivalent to:
>
> AC_CONFIG_FILES(file...)
> AC_CONFIG_COMMANDS([default],
> extra-cmds, init-cmds)
> AC_OUTPUT
>
> See AC_CONFIG_FILES, AC_CONFIG_COMMANDS, and AC_OUTPUT.
Note: The usage of the above format has been present since the inception
of configure.ac, on commit 1379851 ("Baseline firejail 0.9.28").
Misc: This is a continuation of netblue30#4293.
[1] https://lists.gnu.org/archive/html/info-gnu/2010-09/msg00013.html
[2] https://lists.gnu.org/archive/html/autoconf/2021-01/msg00126.html
[3] https://www.gnu.org/software/autoconf/manual/autoconf-2.68/html_node/Obsolete-Macros.html#index-AC_005fOUTPUT-2058
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The configure script happens to work if /bin/sh supports the non-POSIX
"+=" operator (e.g.: bash) and fails otherwise (e.g.: dash).
This usage first appeared on configure.ac on commit 66a4764 ("gcov
support"), which is from 2016.
If the --enable-apparmor flag is passed to ./configure (which is the
default on Arch Linux), running
makefails due to the missing-lapparmor LDFLAG. Thus, building firejail-git from the AUR does not
work if /bin/sh is e.g.: dash.
Errors when running the build commands below from makepkg:
Without the apparmor flag, the CFLAGS related to HAVE_SPECTRE do not get
applied either, but
makedoes not error out, so the problem is harderto detect in this case.
Diff comparing the output of
./configure 2>&1when running without andthen with this patch: