WIP: Build firejail with meson

.github/workflows/build-extra.yml

@@ -31,20 +31,26 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
     - uses: actions/checkout@v2
-    - name: configure
-      run: CC=clang-11 ./configure --enable-fatal-warnings
-    - name: make
-      run: make
+    - name: install dependencies
+      run: sudo apt-get install ninja-build
+    - name: Install meson
+      run: pip install --pre meson
+    - name: meson setup
+      run: CC=clang-11 meson _builddir --werror
+    - name: meson compile
+      run: ninja -C _builddir
   scan-build:
     runs-on: ubuntu-20.04
     steps:
     - uses: actions/checkout@v2
-    - name: install clang-tools-11
-      run: sudo apt-get install clang-tools-11
-    - name: configure
-      run: CC=clang-11 ./configure --enable-fatal-warnings
+    - name: install dependencies
+      run: sudo apt-get install clang-tools-11 ninja-build
+    - name: Install meson
+      run: pip install --pre meson
+    - name: meson setup
+      run: CC=clang-11 meson _builddir --werror
     - name: scan-build
-      run: NO_EXTRA_CFLAGS="yes" scan-build-11 --status-bugs make
+      run: ninja -C _builddir scan-build
   cppcheck:
     runs-on: ubuntu-20.04
     steps:

.github/workflows/build.yml

@@ -24,12 +24,16 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - name: install dependencies
-      run: sudo apt-get install gcc-11 libapparmor-dev libselinux1-dev expect xzdec
-    - name: configure
-      run: CC=gcc-11 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr
-    - name: make
-      run: make
-    - name: make install
-      run: sudo make install
-    - name: run tests
-      run: SHELL=/bin/bash make test-github
+      run: sudo apt-get install expect gcc-11 libapparmor-dev libselinux1-dev ninja-build xzdec
+    - name: Install meson
+      run: pip install meson==0.49.2
+    - name: meson setup
+      run: CC=gcc-11 meson _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true
+    - name: meson compile
+      run: ninja -C _builddir
+    - name: meson install
+      run: sudo -E ninja -C _builddir install
+    # TODO: Why do we run this for profile changes?
+    # TODO: meson test
+    #- name: meson test
+    #  run: SHELL=/bin/bash meson test

contrib/meson.build

@@ -0,0 +1,24 @@
+contrib_scripts = [
+  'firejail-welcome.sh',
+  'fix_private-bin.py',
+  'fjclip.py',
+  'fjdisplay.py',
+  'fj-mkdeb.py',
+  'fjresize.py',
+  'gdb-firejail.sh',
+  'jail_prober.py',
+  'sort.py',
+  'syscalls.sh',
+  'update_deb.sh',
+]
+install_data(contrib_scripts,
+  install_dir: libdir_firejail,
+  install_mode: 'rwxr-xr-x',
+)
+
+install_data('vim/ftdetect/firejail.vim',
+  install_dir: datadir / 'vim' / 'vimfiles' / 'ftdetect',
+)
+install_data('vim/syntax/firejail.vim',
+  install_dir: datadir / 'vim' / 'vimfiles' / 'syntax',
+)

etc/meson.build

@@ -0,0 +1,55 @@
+install_data('firejail.config', 'ids.config', 'login.users',
+  install_dir: sysconfdir / project_name,
+)
+
+foreach dir : ['inc', 'net', 'profile-a-l', 'profile-m-z']
+  install_subdir(dir,
+    exclude_files: ['disable-common.inc'],
+    install_dir: sysconfdir / project_name,
+    strip_directory: true,
+  )
+endforeach
+
+if get_option('busybox-workaround')
+  meson.add_install_script(sh.path(), '-e', '-c',
+'''
+disable_common_inc="$MESON_INSTALL_DESTDIR_PREFIX/$1/firejail/disable-common.inc"
+cat >"$disable_common_inc" <<\EOF
+# Workaround for systems where common UNIX utilities are symlinks to busybox.
+# If this is not your case you can remove -Dbusybox-workaround=true from
+# meson setup options, for added security.
+noblacklist ${PATH}/busybox
+noblacklist ${PATH}/crontab
+noblacklist ${PATH}/mount
+noblacklist ${PATH}/nc
+noblacklist ${PATH}/su
+noblacklist ${PATH}/sudo
+noblacklist ${PATH}/umount
+
+EOF
+cat >>"$disable_common_inc" <"$2"
+''', '--', sysconfdir, meson.current_source_dir() / 'inc/disable-common.inc',
+  )
+else
+  install_data('inc/disable-common.inc',
+    install_dir: sysconfdir / project_name,
+  )
+endif
+
+install_subdir('templates',
+  install_dir: docdir,
+  strip_directory: true,
+)
+
+if get_option('apparmor')
+  install_data('apparmor/firejail-default',
+    install_dir: sysconfdir / 'apparmor.d',
+  )
+  install_data('apparmor/firejail-local',
+    install_dir: sysconfdir / 'apparmor.d' / 'local',
+    rename: 'firejail-default',
+  )
+  install_data('apparmor/firejail-base',
+    install_dir: sysconfdir / 'apparmor.d' / 'abstractions' / 'base.d',
+  )
+endif

meson.build

@@ -0,0 +1,165 @@
+project('firejail', 'c',
+  license: 'GPL-2.0-or-later',
+  default_options: [
+    # -D_FORTIFY_SOURCE=2 requires optimization
+    'buildtype=debugoptimized',
+    'strip=true',
+    'b_pie=true',
+  ],
+  # https://packages.debian.org/oldstable/meson
+  meson_version: '>=0.49.2',
+  version: '0.9.67',
+)
+
+# # # # # # # # # #
+
+c_compiler = meson.get_compiler('c')
+cc = find_program(c_compiler.cmd_array()[0])
+sh = find_program('sh')
+gawk = find_program('gawk')
+
+project_name = meson.project_name()
+prefix = get_option('prefix')
+bindir = get_option('bindir')
+datadir = get_option('datadir')
+bashcompletiondir = datadir / 'bash-completion' / 'completions'
+docdir = datadir / 'doc' / project_name
+zshcompletiondir = datadir / 'zsh' / 'site-functions'
+sysconfdir = get_option('sysconfdir')
+libdir = get_option('libdir')
+libdir_firejail = libdir / project_name
+firejail_perms = get_option('suid') ? 'rwsr-xr-x' : 'rwxr-xr-x'
+sbox_apps_non_dumpable_perms = 'rwx--x--x'
+
+noopdep = dependency('', required: false)
+libapparmor = get_option('apparmor') ? dependency('libapparmor') : noopdep
+libselinux = get_option('selinux') ? dependency('libselinux') : noopdep
+
+# # # # # # # # # #
+
+if get_option('lts')
+  # meson _builddir_lts --prefix=/usr -Dlts=true -Dchroot=false -Ddbusproxy=false -Dfile-transfer=false -Dfiretunnel=false -Dglobalcfg=false -Doutput=false -Dprivate-home=false -Duserns=false -Dusertmpfs=false -Dx11=false
+  foreach option : ['chroot', 'dbusproxy', 'file-transfer', 'firetunnel', 'globalcfg',
+                    'output', 'private-home', 'userns', 'usertmpfs', 'x11']
+    assert(get_option(option) == false, 'get_option(\'@0@\') == false'.format(option))
+  endforeach
+endif
+
+
+# Enable static analysis if wanted and supported.
+if get_option('analyzer') and c_compiler.has_argument('-fanalyzer')
+  add_project_arguments('-fanalyzer', language: 'c')
+  add_project_arguments('-Wno-analyzer-malloc-leak', language: 'c')
+endif
+
+c_args = []
+if get_option('buildtype') != 'plain'
+  c_args += c_compiler.get_supported_arguments([
+    '-mretpoline',
+    '-fstack-protector-strong',
+    '-fstack-clash-protection',
+    '-D_FORTIFY_SOURCE=2',
+  ])
+  if get_option('warning_level').to_int() > 0
+    c_args += ['-Wformat', '-Wformat-security']
+  endif
+endif
+
+
+facilities = []
+foreach option, flag : {
+    'apparmor': '-DHAVE_APPARMOR',
+    'chroot': '-DHAVE_CHROOT',
+    'dbusproxy': '-DHAVE_DBUSPROXY',
+    'file-transfer': '-DHAVE_FILE_TRANSFER',
+    'firetunnel': '-DHAVE_FIRETUNNEL',
+    'force-nonewprivs': '-DHAVE_FORCE_NONEWPRIVS',
+    'globalcfg': '-DHAVE_GLOBALCFG',
+    'lts': '-DHAVE_LTS',
+    'network': '-DHAVE_NETWORK',
+    'output': '-DHAVE_OUTPUT',
+    'private-home': '-DHAVE_PRIVATE_HOME',
+    'selinux': '-DHAVE_SELINUX',
+    'suid': '-DHAVE_SUID',
+    'userns': '-DHAVE_USERNS',
+    'usertmpfs': '-DHAVE_USERTMPFS',
+    'x11': '-DHAVE_X11',
+  }
+
+  if get_option(option)
+    facilities += flag
+  endif
+endforeach
+
+
+constants = []
+foreach name, value : {
+  'PREFIX': prefix,
+  'BINDIR': prefix / bindir,
+  'SYSCONFDIR': prefix / sysconfdir / project_name,
+  'LIBDIR': prefix / libdir,
+  'VARDIR': '/var/lib' / project_name,
+  'VERSION': meson.project_version(),
+  }
+
+  constants += '-D@0@="@1@"'.format(name, value)
+endforeach
+
+# # # # # # # # # #
+
+if get_option('contrib')
+  subdir('contrib')
+endif
+subdir('etc')
+subdir('src')
+subdir('test')
+
+install_data('COPYING', 'README', 'RELNOTES',
+  install_dir: docdir,
+)
+
+# # # # # # # # # #
+
+cppcheck = find_program('cppcheck', required: false)
+if cppcheck.found()
+  run_target('cppcheck',
+    command: [
+      cppcheck, '--force', '--error-exitcode=1', '--enable=warning,performance', meson.source_root(),
+    ],
+  )
+endif
+
+# # # # # # # # # #
+
+show_summary = true
+if show_summary and meson.version().version_compare('>=0.53.0')
+  summary('prefix', prefix, section: 'Directories')
+  summary('bindir', bindir, section: 'Directories')
+  summary('datadir', datadir, section: 'Directories')
+  summary('docdir', docdir, section: 'Directories')
+  summary('sysconfdir', sysconfdir, section: 'Directories')
+  summary('libdir', libdir, section: 'Directories')
+  summary('libdir_firejail', libdir_firejail, section: 'Directories')
+
+  summary('apparmor', get_option('apparmor'), section: 'Facilities')
+  summary('chroot', get_option('chroot'), section: 'Facilities')
+  summary('dbusproxy', get_option('dbusproxy'), section: 'Facilities')
+  summary('file-transfer', get_option('file-transfer'), section: 'Facilities')
+  summary('firetunnel', get_option('firetunnel'), section: 'Facilities')
+  summary('force-nonewprivs', get_option('force-nonewprivs'), section: 'Facilities')
+  summary('globalcfg', get_option('globalcfg'), section: 'Facilities')
+  summary('network', get_option('network'), section: 'Facilities')
+  summary('output', get_option('output'), section: 'Facilities')
+  summary('private-home', get_option('private-home'), section: 'Facilities')
+  summary('selinux', get_option('selinux'), section: 'Facilities')
+  summary('suid', get_option('suid'), section: 'Facilities')
+  summary('userns', get_option('userns'), section: 'Facilities')
+  summary('usertmpfs', get_option('usertmpfs'), section: 'Facilities')
+  summary('x11', get_option('x11'), section: 'Facilities')
+
+  summary('lts', get_option('lts'), section: 'LTS')
+
+  summary('busybox-workaround', get_option('busybox-workaround'), section: 'Misc')
+  summary('contrib', get_option('contrib'), section: 'Misc')
+  summary('manpage', get_option('manpage'), section: 'Misc')
+endif

meson_options.txt

@@ -0,0 +1,45 @@
+option('analyzer', type: 'boolean', value: false,
+       description: 'Enable gcc\'s Static Analyzer')
+# sanitizer: Use -Db_sanitize=<none|address|thread|undefined|memory|address,undefined>
+# gcov: TODO
+
+option('apparmor', type: 'boolean', value: false,
+       description: 'AppArmor support')
+option('chroot', type: 'boolean', value: true,
+       description: 'chroot')
+option('dbusproxy', type: 'boolean', value: true,
+       description: 'D-Bus proxy support')
+option('file-transfer', type: 'boolean', value: true,
+       description: 'file transfer')
+option('firetunnel', type: 'boolean', value: true,
+       description: 'firetunnel')
+option('force-nonewprivs', type: 'boolean', value: true,
+       description: 'force nonewprivs')
+option('globalcfg', type: 'boolean', value: true,
+       description: 'Abort execution if the global config is not present')
+option('network', type: 'boolean', value: true,
+       description: 'network')
+option('output', type: 'boolean', value: true,
+       description: '--output logging')
+option('private-home', type: 'boolean', value: true,
+       description: 'private home feature')
+option('selinux', type: 'boolean', value: false,
+       description: 'SELinux labeling support')
+option('suid', type: 'boolean', value: true,
+       description: 'Install firejail as SUID executable')
+option('userns', type: 'boolean', value: true,
+       description: 'user namespace')
+option('usertmpfs', type: 'boolean', value: true,
+       description: 'tmpfs as regular user')
+option('x11', type: 'boolean', value: true,
+       description: 'X11 sandboxing support')
+
+option('lts', type: 'boolean', value: false,
+       description: 'LTS')
+
+option('busybox-workaround', type: 'boolean', value: false,
+       description: 'busybox workaround')
+option('contrib', type: 'boolean', value: true,
+       description: 'Install contrib files')
+option('manpage', type: 'boolean', value: true,
+       description: 'Manpages')

mkman.sh

@@ -5,8 +5,8 @@
 
 set -e
 
-sed "s/VERSION/$1/g" $2 > $3
+sed "s/@VERSION@/$1/g" $2 > $3
 MONTH=`LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b`
-sed -i "s/MONTH/$MONTH/g" $3
+sed -i "s/@MONTH@/$MONTH/g" $3
 YEAR=`LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y`
-sed -i "s/YEAR/$YEAR/g" $3
+sed -i "s/@YEAR@/$YEAR/g" $3

src/bash_completion/Makefile.in

@@ -5,7 +5,7 @@ include ../common.mk
 
 firejail.bash_completion: firejail.bash_completion.in
 	gawk -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp
-	sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@
+	sed "s|@SYSCONFDIR@|$(sysconfdir)|" < $@.tmp > $@
 	rm $@.tmp
 
 .PHONY: clean

src/bash_completion/firejail.bash_completion.in

@@ -15,7 +15,7 @@ _profiles() {
     fi
 }
 _all_profiles() {
-    local sys_profiles=$(_profiles _SYSCONFDIR_/firejail)
+    local sys_profiles=$(_profiles @SYSCONFDIR@/firejail)
     local user_profiles=$(_profiles $HOME/.config/firejail)
     COMPREPLY=($(compgen -W "${sys_profiles} ${user_profiles}" -- "$cur"))
 }