netblue30 · netblue30 · Feb 29, 2024 · Feb 26, 2024 · Feb 22, 2024 · Feb 26, 2024
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
@@ -48,12 +48,10 @@ jobs:
       with:
         egress-policy: block
         allowed-endpoints: >
-          archive.ubuntu.com:80
           azure.archive.ubuntu.com:80
           github.com:443
           packages.microsoft.com:443
           ppa.launchpadcontent.net:443
-          security.ubuntu.com:80
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
     - name: update package information
       run: sudo apt-get update -qy
@@ -65,12 +63,13 @@ jobs:
       run: ./ci/printenv.sh
     - name: configure
       run: >
-        CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor
-        --enable-selinux
+        ./configure CC=clang-14
+        --prefix=/usr --enable-fatal-warnings
+        --enable-apparmor --enable-selinux
         || (cat config.log; exit 1)
     - name: make
       run: make
     - name: make install
       run: sudo make install
     - name: print version
-      run: command -V firejail && firejail --version
+      run: make print-version
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -74,18 +74,18 @@ jobs:
     - name: install dependencies
       run: >
         sudo apt-get install -qy
-        gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois
-        bridge-utils
+        gcc-12 libapparmor-dev libselinux1-dev
     - name: print env
       run: ./ci/printenv.sh
     - name: configure
       run: >
-        CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
-        --enable-analyzer --enable-apparmor --enable-selinux
+        ./configure CC=gcc-12
+        --prefix=/usr --enable-fatal-warnings --enable-analyzer
+        --enable-apparmor --enable-selinux
         || (cat config.log; exit 1)
     - name: make
       run: make
     - name: make install
       run: sudo make install
-    - name: print firejail version
-      run: command -V firejail && firejail --version
+    - name: print version
+      run: make print-version
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml
@@ -8,9 +8,9 @@ on:
     branches-ignore:
       - 'dependabot/**'
     paths:
+      - '**.c'
+      - '**.h'
       - 'm4/**'
-      - 'src/**.c'
-      - 'src/**.h'
       - 'src/**.mk'
       - 'src/**Makefile'
       - .github/workflows/check-c.yml
@@ -22,9 +22,9 @@ on:
       - configure.ac
   pull_request:
     paths:
+      - '**.c'
+      - '**.h'
       - 'm4/**'
-      - 'src/**.c'
-      - 'src/**.h'
       - 'src/**.mk'
       - 'src/**Makefile'
       - .github/workflows/check-c.yml
@@ -68,7 +68,8 @@ jobs:
     - name: configure
       run: >
         ./configure CC=clang-14 SCAN_BUILD=scan-build-14
-        --enable-fatal-warnings --enable-apparmor --enable-selinux
+        --prefix=/usr --enable-fatal-warnings
+        --enable-apparmor --enable-selinux
         || (cat config.log; exit 1)
     - name: scan-build
       run: make scan-build

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -73,15 +73,16 @@ jobs:
       run: ./ci/printenv.sh
     - name: configure
       run: >
-        CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
-        --enable-analyzer --enable-apparmor --enable-selinux
+        ./configure CC=gcc-12
+        --prefix=/usr --enable-fatal-warnings --enable-analyzer
+        --enable-apparmor --enable-selinux
         || (cat config.log; exit 1)
     - name: make
       run: make -j "$(nproc)"
     - name: make install
       run: sudo make install
-    - name: print firejail version
-      run: command -V firejail && firejail --version
+    - name: print version
+      run: make print-version
     - run: make lab-setup
     - run: make test-seccomp-extra
     - run: make test-firecfg
@@ -121,15 +122,16 @@ jobs:
       run: ./ci/printenv.sh
     - name: configure
       run: >
-        CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
-        --enable-analyzer --enable-apparmor --enable-selinux
+        ./configure CC=gcc-12
+        --prefix=/usr --enable-fatal-warnings --enable-analyzer
+        --enable-apparmor --enable-selinux
         || (cat config.log; exit 1)
     - name: make
       run: make -j "$(nproc)"
     - name: make install
       run: sudo make install
-    - name: print firejail version
-      run: command -V firejail && firejail --version
+    - name: print version
+      run: make print-version
     - run: make lab-setup
     - run: make test-private-etc
     - run: make test-fs
@@ -160,15 +162,16 @@ jobs:
       run: ./ci/printenv.sh
     - name: configure
       run: >
-        CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
-        --enable-analyzer --enable-apparmor --enable-selinux
+        ./configure CC=gcc-12
+        --prefix=/usr --enable-fatal-warnings --enable-analyzer
+        --enable-apparmor --enable-selinux
         || (cat config.log; exit 1)
     - name: make
       run: make -j "$(nproc)"
     - name: make install
       run: sudo make install
-    - name: print firejail version
-      run: command -V firejail && firejail --version
+    - name: print version
+      run: make print-version
     - run: make lab-setup
     - run: make test-environment
     - run: make test-profiles
@@ -202,15 +205,16 @@ jobs:
       run: ./ci/printenv.sh
     - name: configure
       run: >
-        CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
-        --enable-analyzer --enable-apparmor --enable-selinux
+        ./configure CC=gcc-12
+        --prefix=/usr --enable-fatal-warnings --enable-analyzer
+        --enable-apparmor --enable-selinux
         || (cat config.log; exit 1)
     - name: make
       run: make -j "$(nproc)"
     - name: make install
       run: sudo make install
-    - name: print firejail version
-      run: command -V firejail && firejail --version
+    - name: print version
+      run: make print-version
     - run: make lab-setup
     - run: make test-utils
 
@@ -248,15 +252,16 @@ jobs:
       run: ./ci/printenv.sh
     - name: configure
       run: >
-        CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
-        --enable-analyzer --enable-apparmor --enable-selinux
+        ./configure CC=gcc-12
+        --prefix=/usr --enable-fatal-warnings --enable-analyzer
+        --enable-apparmor --enable-selinux
         || (cat config.log; exit 1)
     - name: make
       run: make -j "$(nproc)"
     - name: make install
       run: sudo make install
-    - name: print firejail version
-      run: command -V firejail && firejail --version
+    - name: print version
+      run: make print-version
     - run: make lab-setup
     - run: make test-fnetfilter
     - run: make test-sysutils

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -1,10 +1,13 @@
-# Basic notes: builds firejail on 5 different systems for 2 package systems:
-# 1. Debian-based systems. Use debian:jessie to ensure reasonable backwards
-# compat and ubuntu:rolling for new setups
-# 2. Redhat-based systems. Use centos:latest for reasonable backwards compat
-# and fedora:latest for new setups
-# 3. Alpine for installing directly from source
-# Also builds apparmor package for Ubuntu LTS
+# Builds on multiple systems using different package managers:
+#
+# - Debian-based systems: Use oldest working/supported debian image for
+# reasonable backwards compatibility and ubuntu:rolling for new setups.
+# Additionally, ensure that the package works without apparmor.
+#
+# - Redhat-based systems: Use a centos-like distribution for reasonable
+# backwards compatibility and fedora:latest for new setups.
+#
+# - Alpine: Use it for installing directly from source.
 
 build_ubuntu_package:
     image: ubuntu:rolling
@@ -19,9 +22,10 @@ build_ubuntu_package:
             | grep -Ev '^(Selecting|Preparing to unpack|Unpacking)'
         - ./ci/printenv.sh
         - ./configure || (cat config.log; exit 1)
-        - make deb
-        - dpkg -i firejail*.deb
-        - command -V firejail && firejail --version
+        - make dist
+        - ./mkdeb.sh --enable-fatal-warnings
+        - dpkg -i ./*.deb
+        - make print-version
 
 build_debian_package:
     image: debian:buster
@@ -36,9 +40,31 @@ build_debian_package:
             | grep -Ev '^(Selecting|Preparing to unpack|Unpacking)'
         - ./ci/printenv.sh
         - ./configure || (cat config.log; exit 1)
-        - make deb
-        - dpkg -i firejail*.deb
-        - command -V firejail && firejail --version
+        - make dist
+        - ./mkdeb.sh --enable-fatal-warnings
+        - dpkg -i ./*.deb
+        - make print-version
+
+build_no_apparmor:
+    image: ubuntu:latest
+    timeout: 10 minutes
+    variables:
+        DEBIAN_FRONTEND: noninteractive
+    script:
+        - apt-get update -qy
+        - >
+            apt-get install --no-install-recommends -qy
+            build-essential fakeroot lintian pkg-config gawk
+            | grep -Ev '^(Selecting|Preparing to unpack|Unpacking)'
+        - ./ci/printenv.sh
+        - ./configure || (cat config.log; exit 1)
+        - make dist
+        - >
+            ./mkdeb.sh --enable-fatal-warnings
+            --disable-apparmor
+        - dpkg -i ./*.deb
+        - make print-version
+        - make print-version | grep -F 'AppArmor support is disabled'
 
 build_redhat_package:
     image: almalinux:latest
@@ -48,9 +74,10 @@ build_redhat_package:
         - dnf install -y rpm-build gcc make
         - ./ci/printenv.sh
         - ./configure || (cat config.log; exit 1)
-        - make rpms
-        - rpm -i firejail*.rpm
-        - command -V firejail && firejail --version
+        - make dist
+        - ./platform/rpm/mkrpm.sh --enable-fatal-warnings
+        - rpm -i ./*.rpm
+        - make print-version
 
 build_fedora_package:
     image: fedora:latest
@@ -60,9 +87,10 @@ build_fedora_package:
         - dnf install -y rpm-build gcc make
         - ./ci/printenv.sh
         - ./configure || (cat config.log; exit 1)
-        - make rpms
-        - rpm -i firejail*.rpm
-        - command -V firejail && firejail --version
+        - make dist
+        - ./platform/rpm/mkrpm.sh --enable-fatal-warnings
+        - rpm -i ./*.rpm
+        - make print-version
 
 build_src_package:
     image: alpine:latest
@@ -72,29 +100,14 @@ build_src_package:
         - apk upgrade
         - apk add build-base linux-headers gawk
         - ./ci/printenv.sh
-        - ./configure --prefix=/usr || (cat config.log; exit 1)
+        # Note: Do not use ` --enable-fatal-warnings` because the build
+        # currently produces warnings on Alpine (see #6224).
+        - >
+            ./configure --prefix=/usr
+            || (cat config.log; exit 1)
         - make
         - make install-strip
-        - command -V firejail && firejail --version
-
-build_no_apparmor:
-    image: ubuntu:latest
-    timeout: 10 minutes
-    variables:
-        DEBIAN_FRONTEND: noninteractive
-    script:
-        - apt-get update -qy
-        - >
-            apt-get install --no-install-recommends -qy
-            build-essential fakeroot lintian pkg-config gawk
-            | grep -Ev '^(Selecting|Preparing to unpack|Unpacking)'
-        - ./ci/printenv.sh
-        - ./configure || (cat config.log; exit 1)
-        - make dist
-        - ./mkdeb.sh --disable-apparmor
-        - dpkg -i firejail*.deb
-        - command -V firejail && firejail --version
-        - firejail --version | grep -F 'AppArmor support is disabled'
+        - make print-version
 
 debian_ci:
     image: registry.salsa.debian.org/salsa-ci-team/ci-image-git-buildpackage:latest
@@ -103,6 +116,7 @@ debian_ci:
         DEBFULLNAME: "$GITLAB_USER_NAME"
         DEBEMAIL: "$GITLAB_USER_EMAIL"
         DEBIAN_FRONTEND: noninteractive
+        PKGNAME: firejail
     before_script:
         - git checkout -B ci_build "$CI_COMMIT_SHA"
         - gitlab-ci-enable-sid
@@ -117,17 +131,17 @@ debian_ci:
         - git config user.email "$DEBEMAIL"
         - |
             cd "$CI_PROJECT_DIR/.."
-            apt-get source --download-only -t experimental firejail ||
-            apt-get source --download-only firejail
+            apt-get source --download-only -t experimental "$PKGNAME" ||
+            apt-get source --download-only "$PKGNAME"
         - |
             cd "$CI_PROJECT_DIR"
-            tar xf ../firejail_*.debian.tar.*
+            tar xf "../${PKGNAME}"_*.debian.tar.*
         - rm -rf debian/patches/
         - |
             VERSION="$(grep ^PACKAGE_VERSION= configure | cut -d "'" -f 2)"
             dch -v "${VERSION}-0.1~ci" 'Non-maintainer upload.'
-            git archive -o "../firejail_${VERSION}.orig.tar.gz" HEAD
-            pristine-tar commit "../firejail_${VERSION}.orig.tar.gz" ci_build
+            git archive -o "../${PKGNAME}_${VERSION}.orig.tar.gz" HEAD
+            pristine-tar commit "../${PKGNAME}_${VERSION}.orig.tar.gz" ci_build
             git branch -m pristine-tar origin/pristine-tar
         - git add debian
         - git commit -m 'add debian/'

diff --git a/Makefile b/Makefile
@@ -391,6 +391,10 @@ codespell:
 print-env:
 	./ci/printenv.sh
 
+.PHONY: print-version
+print-version: config.mk
+	command -V $(TARNAME) && $(TARNAME) --version
+
 #
 # make test
 #

diff --git a/contrib/update_deb.sh b/contrib/update_deb.sh
@@ -16,7 +16,7 @@ sed -i "s/# restricted-network .*/restricted-network yes/" \
     etc/firejail.config
 
 make deb
-sudo dpkg -i firejail*.deb
+sudo dpkg -i ./*.deb
 echo "Firejail updated."
 cd ..
 rm -rf firejail