WIP: meson build system

Rebased and updated from #4656 by rusty-snake.

Author: topimiettinen

.github/workflows/build-extra.yml

@@ -61,32 +61,13 @@ jobs:
         libapparmor-dev libselinux1-dev
     - name: print env
       run: ./ci/printenv.sh
-    - uses: actions/checkout@v2
     - name: install dependencies
       run: sudo apt-get install ninja-build
     - name: Install meson
-      run: pip install --pre meson==0.49.2
+      run: pip install --pre meson==0.56.2 # https://packages.debian.org/oldstable/meson
     - name: meson setup
-      run: CC=clang-11 meson _builddir --werror
+      run: CC=clang-14 meson setup _builddir -Dprefix=/usr -Dapparmor=true -Dselinux=true --werror
     - name: meson compile
-      run: ninja -C _builddir
-  scan-build:
-    runs-on: ubuntu-20.04
-    steps:
-    - uses: actions/checkout@v2
-    - name: install dependencies
-      run: sudo apt-get install clang-tools-11 ninja-build
-    - name: Install meson
-      run: pip install --pre meson
-    - name: meson setup
-      run: CC=clang-11 meson _builddir --werror
-    - name: scan-build
-      run: ninja -C _builddir scan-build
-  cppcheck:
-    runs-on: ubuntu-20.04
-    steps:
-    - uses: actions/checkout@v2
-    - name: install cppcheck
-      run: sudo apt-get install cppcheck
-    - name: cppcheck
-      run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
+      run: meson compile -C _builddir
+    - name: meson install
+      run: meson install -C _builddir

.github/workflows/build.yml

@@ -74,18 +74,14 @@ jobs:
     - name: install dependencies
       run: >
         sudo apt-get install -qy
-        gcc-12 libapparmor-dev libselinux1-dev expect ninja-build xzdec
+        gcc-12 libapparmor-dev libselinux1-dev ninja-build
     - name: print env
       run: ./ci/printenv.sh
     - name: Install meson
       run: pip install meson
     - name: meson setup
-      run: CC=gcc-11 meson _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true
+      run: CC=gcc-12 meson setup _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true
     - name: meson compile
-      run: ninja -C _builddir
+      run: meson compile -C _builddir
     - name: meson install
-      run: sudo -E ninja -C _builddir install
-    # TODO: Why do we run this for profile changes?
-    # TODO: meson test
-    #- name: meson test
-    #  run: SHELL=/bin/bash meson test
+      run: sudo -E meson install -C _builddir

.github/workflows/requirements.txt

@@ -0,0 +1,19 @@
+meson==1.3.1 \
+    --hash=sha256:6020568bdede1643d4fb41e28215be38eff5d52da28ac7d125457c59e0032ad7 \
+    --hash=sha256:d5223ecca9564d735d36daaba2571abc6c032c8c3a7ffa0674e803ef0c7e0219
+ninja==1.11.1.1 \
+    --hash=sha256:18302d96a5467ea98b68e1cae1ae4b4fb2b2a56a82b955193c637557c7273dbd \
+    --hash=sha256:185e0641bde601e53841525c4196278e9aaf4463758da6dd1e752c0a0f54136a \
+    --hash=sha256:376889c76d87b95b5719fdd61dd7db193aa7fd4432e5d52d2e44e4c497bdbbee \
+    --hash=sha256:3e0f9be5bb20d74d58c66cc1c414c3e6aeb45c35b0d0e41e8d739c2c0d57784f \
+    --hash=sha256:73b93c14046447c7c5cc892433d4fae65d6364bec6685411cb97a8bcf815f93a \
+    --hash=sha256:7563ce1d9fe6ed5af0b8dd9ab4a214bf4ff1f2f6fd6dc29f480981f0f8b8b249 \
+    --hash=sha256:76482ba746a2618eecf89d5253c0d1e4f1da1270d41e9f54dfbd91831b0f6885 \
+    --hash=sha256:84502ec98f02a037a169c4b0d5d86075eaf6afc55e1879003d6cab51ced2ea4b \
+    --hash=sha256:95da904130bfa02ea74ff9c0116b4ad266174fafb1c707aa50212bc7859aebf1 \
+    --hash=sha256:9d793b08dd857e38d0b6ffe9e6b7145d7c485a42dcfea04905ca0cdb6017cc3c \
+    --hash=sha256:9df724344202b83018abb45cb1efc22efd337a1496514e7e6b3b59655be85205 \
+    --hash=sha256:aad34a70ef15b12519946c5633344bc775a7656d789d9ed5fdb0d456383716ef \
+    --hash=sha256:d491fc8d89cdcb416107c349ad1e3a735d4c4af5e1cb8f5f727baca6350fdaea \
+    --hash=sha256:ecf80cf5afd09f14dcceff28cb3f11dc90fb97c999c89307aea435889cb66877 \
+    --hash=sha256:fa2ba9d74acfdfbfbcf06fad1b8282de8a7a8c481d9dee45c859a8c93fcc1082

config.sh.in

@@ -1,4 +1,4 @@
-# @configure_input@
+# configure_input
 #
 # shellcheck shell=sh
 # shellcheck disable=SC2034

contrib/meson.build

@@ -1,5 +1,4 @@
 contrib_scripts = [
-  'firejail-welcome.sh',
   'fix_private-bin.py',
   'fjclip.py',
   'fjdisplay.py',
@@ -19,6 +18,6 @@ install_data(contrib_scripts,
 install_data('vim/ftdetect/firejail.vim',
   install_dir: datadir / 'vim' / 'vimfiles' / 'ftdetect',
 )
-install_data('vim/syntax/firejail.vim',
+install_data('syntax/files/firejail.vim.in',
   install_dir: datadir / 'vim' / 'vimfiles' / 'syntax',
 )

meson.build

@@ -7,8 +7,8 @@ project('firejail', 'c',
     'b_pie=true',
   ],
   # https://packages.debian.org/oldstable/meson
-  meson_version: '>=0.49.2',
-  version: '0.9.67',
+  meson_version: '>=0.56.2',
+  version: '0.9.73',
 )
 
 # # # # # # # # # #
@@ -75,14 +75,17 @@ foreach option, flag : {
     'firetunnel': '-DHAVE_FIRETUNNEL',
     'force-nonewprivs': '-DHAVE_FORCE_NONEWPRIVS',
     'globalcfg': '-DHAVE_GLOBALCFG',
+    'ids': '-DHAVE_IDS',
     'lts': '-DHAVE_LTS',
     'network': '-DHAVE_NETWORK',
     'output': '-DHAVE_OUTPUT',
+#    'overlayfs': '-DHAVE_OVERLAYFS',
     'private-home': '-DHAVE_PRIVATE_HOME',
     'selinux': '-DHAVE_SELINUX',
     'suid': '-DHAVE_SUID',
     'userns': '-DHAVE_USERNS',
     'usertmpfs': '-DHAVE_USERTMPFS',
+#    'whitelist': '-DHAVE_WHITELIST',
     'x11': '-DHAVE_X11',
   }
 
@@ -148,13 +151,16 @@ if show_summary and meson.version().version_compare('>=0.53.0')
   summary('firetunnel', get_option('firetunnel'), section: 'Facilities')
   summary('force-nonewprivs', get_option('force-nonewprivs'), section: 'Facilities')
   summary('globalcfg', get_option('globalcfg'), section: 'Facilities')
+  summary('ids', get_option('ids'), section: 'Facilities')
   summary('network', get_option('network'), section: 'Facilities')
   summary('output', get_option('output'), section: 'Facilities')
+  summary('overlayfs', get_option('overlayfs'), section: 'Facilities')
   summary('private-home', get_option('private-home'), section: 'Facilities')
   summary('selinux', get_option('selinux'), section: 'Facilities')
   summary('suid', get_option('suid'), section: 'Facilities')
   summary('userns', get_option('userns'), section: 'Facilities')
   summary('usertmpfs', get_option('usertmpfs'), section: 'Facilities')
+  summary('whitelist', get_option('whitelist'), section: 'Facilities')
   summary('x11', get_option('x11'), section: 'Facilities')
 
   summary('lts', get_option('lts'), section: 'LTS')
@@ -163,3 +169,17 @@ if show_summary and meson.version().version_compare('>=0.53.0')
   summary('contrib', get_option('contrib'), section: 'Misc')
   summary('manpage', get_option('manpage'), section: 'Misc')
 endif
+
+conf = configuration_data()
+conf.set('PACKAGE_BUGREPORT', '[email protected]')
+conf.set('PACKAGE_NAME', 'firejail')
+conf.set('PACKAGE_STRING', 'firejail ' + meson.project_version())
+conf.set('PACKAGE_TARNAME', 'firejail')
+conf.set('PACKAGE_VERSION', meson.project_version())
+conf.set_quoted('PACKAGE_URL', 'https://firejail.wordpress.com')
+
+test_config_sh = configure_file(
+  configuration: conf,
+  input: 'config.sh.in',
+  output: '@BASENAME@',
+)

meson_options.txt

@@ -17,10 +17,14 @@ option('force-nonewprivs', type: 'boolean', value: true,
        description: 'force nonewprivs')
 option('globalcfg', type: 'boolean', value: true,
        description: 'Abort execution if the global config is not present')
+option('ids', type: 'boolean', value: false,
+       description: 'IDS support')
 option('network', type: 'boolean', value: true,
        description: 'network')
 option('output', type: 'boolean', value: true,
        description: '--output logging')
+option('overlayfs', type: 'boolean', value: true,
+       description: 'overlayfs support')
 option('private-home', type: 'boolean', value: true,
        description: 'private home feature')
 option('selinux', type: 'boolean', value: false,
@@ -31,6 +35,8 @@ option('userns', type: 'boolean', value: true,
        description: 'user namespace')
 option('usertmpfs', type: 'boolean', value: true,
        description: 'tmpfs as regular user')
+option('whitelist', type: 'boolean', value: true,
+       description: 'whitelist support')
 option('x11', type: 'boolean', value: true,
        description: 'X11 sandboxing support')
 

src/firejail/meson.build

@@ -5,7 +5,6 @@ firejail_sources = [
   'arp.c',
   'bandwidth.c',
   'caps.c',
-  'cgroup.c',
   'checkcfg.c',
   'chroot.c',
   'cmdline.c',
@@ -28,6 +27,7 @@ firejail_sources = [
   'fs_whitelist.c',
   'ids.c',
   'join.c',
+  'landlock.c',
   'ls.c',
   'macros.c',
   'mountinfo.c',
@@ -36,9 +36,11 @@ firejail_sources = [
   'network.c',
   'network_main.c',
   'no_sandbox.c',
+  'oom.c',
   'output.c',
   'paths.c',
   'preproc.c',
+  'process.c',
   'profile.c',
   'protocol.c',
   'pulseaudio.c',

src/firemon/meson.build

@@ -3,9 +3,7 @@ firemon_sources = [
   'apparmor.c',
   'arp.c',
   'caps.c',
-  'cgroup.c',
   'cpu.c',
-  'interface.c',
   'list.c',
   'netstats.c',
   'procevent.c',

src/fseccomp/meson.build

@@ -1,6 +1,7 @@
 fseccomp_sources = [
   'main.c',
   'protocol.c',
+  'namespaces.c',
   'seccomp.c',
   'seccomp_file.c',
   'seccomp_secondary.c',

src/man/meson.build

@@ -23,7 +23,7 @@ foreach manpage : manpages
   section = manpage.split('.')[1]
   configured_manpage = configure_file(
     configuration: manconf,
-    input: manpage.split('.')[0] + '.txt',
+    input: manpage + '.in',
     output: '@PLAINNAME@',
   )
   custom_target(manpage,

src/meson.build

@@ -21,7 +21,9 @@ subdir('profstats')
 
 # SBOX_APPS
 subdir('fbuilder')
-subdir('fids')
+if get_option('ids')
+  subdir('fids')
+endif
 subdir('ftee')
 
 # SBOX_APPS_NON_DUMPABLE

test/build-test.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -e
+src=$1
+dir=$2
+build=$3
+log=test/${dir}.log
+
+echo src:$src
+echo dir:$dir
+echo log:$log
+echo build:$build
+
+(cd $src/$dir && BUILD_ROOT=$build ./${dir}.sh 2>&1) | tee $log
+grep -a TESTING $log && ! grep -a -q "TESTING ERROR" $log
+
+exit 0