Merge pull request #5275 from netblue30/ci_ubuntu_2204

CI: bump ubuntu to 22.04 and use newer compilers / analyzers
2026-05-15 14:16:14 -06:00 · 2022-07-30 11:07:38 +02:00 · 2022-07-30 11:07:38 +02:00 · 364a5659c9
commit 364a5659c9
parent 89441e48e8 53f0b39507
11 changed files with 47 additions and 37 deletions
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@ -28,11 +28,13 @@ on:

 jobs:
  build-clang:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    steps:
    - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+    - name: install dependencies
+      run: sudo apt-get install libapparmor-dev libselinux1-dev
    - name: configure
-      run: CC=clang-11 ./configure --enable-fatal-warnings
+      run: CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor --enable-selinux
    - name: make
      run: make
    - name: make install
@ -40,16 +42,26 @@ jobs:
    - name: print version
      run: command -V firejail && firejail --version
  scan-build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    steps:
    - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
-    - name: install clang-tools-11
-      run: sudo apt-get install clang-tools-11
+    - name: install clang-tools-14 and dependencies
+      run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev
    - name: configure
-      run: CC=clang-11 ./configure --enable-fatal-warnings
+      run: CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor --enable-selinux
    - name: scan-build
-      run: NO_EXTRA_CFLAGS="yes" scan-build-11 --status-bugs make
+      run: NO_EXTRA_CFLAGS="yes" scan-build-14 --status-bugs make
  cppcheck:
+    runs-on: ubuntu-22.04
+    steps:
+    - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+    - name: install cppcheck
+      run: sudo apt-get install cppcheck
+    - name: cppcheck
+      run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance -i src/firejail/checkcfg.c -i src/firejail/main.c .
+  # new cppcheck version currently chokes on checkcfg.c and main.c, therefore scan all files also
+  # with older cppcheck version from ubuntu 20.04.
+  cppcheck_old:
    runs-on: ubuntu-20.04
    steps:
    - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -20,15 +20,15 @@ on:

 jobs:
  build_and_test:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    steps:
    - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
    - name: update package information
      run: sudo apt-get update
    - name: install dependencies
-      run: sudo apt-get install gcc-11 libapparmor-dev libselinux1-dev expect xzdec
+      run: sudo apt-get install gcc-12 libapparmor-dev libselinux1-dev expect xzdec
    - name: configure
-      run: CC=gcc-11 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr
+      run: CC=gcc-12 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr
    - name: make
      run: make
    - name: make install
--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/profile-checks.yml
@ -18,7 +18,7 @@ on:

 jobs:
  profile-checks:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
    - name: sort.py
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@ -27,7 +27,7 @@

 static int prog_cnt = 0;

-static char *paths[] = {
+static const char * const paths[] = {
 	"/usr/local/bin",
 	"/usr/bin",
 	"/bin",
@ -40,7 +40,7 @@ static char *paths[] = {
 };

 // return 1 if found, 0 if not found
-static char *check_dir_or_file(const char *name) {
+static const char *check_dir_or_file(const char *name) {
 	EUID_ASSERT();
 	assert(name);
 	struct stat s;
@ -160,7 +160,7 @@ static void duplicate(char *fname) {
 	else {
 		// Find the standard directory (by looping through paths[])
 		// where the filename fname is located
-		char *path = check_dir_or_file(fname);
+		const char *path = check_dir_or_file(fname);
 		if (!path)
 			return;
 		if (asprintf(&full_path, "%s/%s", path, fname) == -1)
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@ -300,7 +300,7 @@ void fs_var_utmp(void) {

 	// read current utmp
 	struct utmp *u;
-	struct utmp u_boot;
+	struct utmp u_boot = {0};
 	setutent();
 	while ((u = getutent()) != NULL) {
 		if (u->ut_type == BOOT_TIME) {
--- a/src/lib/ldd_utils.c
+++ b/src/lib/ldd_utils.c
@ -47,7 +47,7 @@ int is_lib_64(const char *exe) {
 	if (fd < 0)
 		return 0;

-	unsigned char buf[EI_NIDENT];
+	unsigned char buf[EI_NIDENT] = {0};
 	ssize_t len = 0;
 	while (len < EI_NIDENT) {
 		ssize_t sz = read(fd, buf + len, EI_NIDENT - len);
--- a/test/Makefile
+++ b/test/Makefile
@ -3,7 +3,7 @@ TESTS=$(patsubst %/,%,$(wildcard */))
 .PHONY: $(TESTS)
 $(TESTS):
 	cd $@ && ./$@.sh 2>&1 | tee $@.log
-	cd $@ && grep -a TESTING $@.log && grep -a -L "TESTING ERROR" $@.log
+	cd $@ && grep -a TESTING $@.log && ! grep -a -q "TESTING ERROR" $@.log

 .PHONY: clean
 clean:
--- a/test/environment/dns.exp
+++ b/test/environment/dns.exp
@ -110,23 +110,23 @@ expect {
 send -- "exit\r"
 sleep 1

-send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r"
-expect {
-	timeout {puts "TESTING ERROR 6.1\n";exit}
-	"connect"
-}
-expect {
-	timeout {puts "TESTING ERROR 6.2\n";exit}
-	"208.67.222.222"
-}
-expect {
-	timeout {puts "TESTING ERROR 6.3\n";exit}
-	"53"
-}
-after 100
+# test disabled, as Github CI uses systemd-resolved, which does not work
+# properly with --dns=, so curl does not use the specified nameserver
+#send -- "firejail --trace --dns=208.67.222.222 -- curl --silent --output /dev/null debian.org\r"
+#expect {
+#	timeout {puts "TESTING ERROR 6.1\n";exit}
+#	"connect"
+#}
+#expect {
+#	timeout {puts "TESTING ERROR 6.2\n";exit}
+#	"208.67.222.222"
+#}
+#expect {
+#	timeout {puts "TESTING ERROR 6.3\n";exit}
+#	"53"
+#}
+#after 100

-send -- "rm index.html\r"
-after 100
 send -- "exit\r"
 sleep 1

--- a/test/sysutils/less.exp
+++ b/test/sysutils/less.exp
@ -11,6 +11,7 @@ send -- "firejail less sysutils.sh\r"
 expect {
 	timeout {puts "TESTING ERROR 1\n";exit}
 	"(press RETURN)" {puts "TESTING SKIP 1.1\n";exit}
+	"Press RETURN to continue" {puts "TESTING SKIP 1.2\n";exit}
 	"MALLOC_CHECK"
 }
 expect {
--- a/test/utils/man.exp
+++ b/test/utils/man.exp
@ -11,6 +11,7 @@ send -- "man firejail\r"
 expect {
 	timeout {puts "TESTING ERROR 0\n";exit}
 	"(press RETURN)" {puts "TESTING SKIP 1.1\n";exit}
+	"Press RETURN to continue" {puts "TESTING SKIP 1.2\n";exit}
 	"Linux namespaces sandbox program"
 }
 after 100
--- a/test/utils/trace.exp
+++ b/test/utils/trace.exp
@ -67,10 +67,6 @@ expect {
 	"wget:fopen64 /etc/wgetrc" {puts "OK\n";}
 	"wget:fopen /etc/wgetrc"  {puts "OK\n";}
 }
-expect {
-	timeout {puts "TESTING ERROR 8.4\n";exit}
-	"wget:fopen /etc/hosts"
-}
 expect {
 	timeout {puts "TESTING ERROR 8.5\n";exit}
 	"wget:connect"