57 commits

Author SHA1 Message Date
Kelvin M. Klann
381c3cf1a3 build: remove remnants of IDS/fids
Remove what remains of the Intrusion Detection System (IDS)/fids,
`--ids` commands and the `--enable-ids` configure option.

Commands:

* `--ids-check`
* `--ids-init`

Related commits:

* 5e962ff78 ("removed IDS feature, it was never enabled by default in
  our builds", 2025-12-17)

Relates to #6995.
2025-12-19 15:24:37 -03:00
netblue30
890b578bfd bwrap replacement - part2 2025-12-18 11:28:58 -05:00
Kelvin M. Klann
e150b8697a build: use *.tar.xz on .gitignore
Instead of `firejail-*.tar.xz`, to match `*.deb` and `*.rpm`.
2024-02-01 19:28:43 -03:00
Kelvin M. Klann
e665769f52 build: automatically generate header dependencies
Instead of manually specifying which source files depend on which
headers, use compiler flags to automatically generate depfiles (.d),
which declare the correct header (make) dependencies for each source
file (.c).

Use `-MMD` (which ignores system headers) to generate the dependencies
and `-MP` to prevent make from complaining when a header file is removed
while it is listed as a dependency in a depfile.

If depfiles exist, just include them.  If not, make each object file
(.o) unconditionally depend on all header files in its source directory
and in src/include, to ensure that rebuilds are done when needed.  The
latter case applies to the first build after `make clean` (which would
build everything anyway) and when the compiler does not support
generating depfiles.

Note that both gcc and clang have supported these options for a long
time.

Misc: This depends on the changes from commit 5b1bd33c7 ("build: use
full paths on compile/link targets", 2023-07-02) / PR #6158 to avoid
issues with make dependency tracking.
2024-01-22 18:05:47 -03:00
netblue30
f1d4cf9bfd cleanup 2023-07-27 19:47:24 -04:00
Kelvin M. Klann
76bd5ad0f8 build: simplify code related to man pages
Simplify the main targets and use wildcards instead of repeating the
filenames manually.

Also, restore the `man` target and building only when `HAVE_MAN` is
enabled.

Note: Make automatically removes intermediate files (.1 and .5), so in
general only the .gz files have to be cleaned.

Commands used to rename the man pages:

    cd src/man
    git mv firecfg.txt firecfg.1.in
    git mv firejail-login.txt firejail-login.5.in
    git mv firejail-profile.txt firejail-profile.5.in
    git mv firejail-users.txt firejail-users.5.in
    git mv firejail.txt firejail.1.in
    git mv firemon.txt firemon.1.in
    git mv jailcheck.txt jailcheck.1.in

This is kind of a follow-up to commit 9e206b7f2 ("rework src/man
Makefile", 2023-07-07).
2023-07-13 11:43:53 -03:00
netblue30
6fa19aab98 feature: use seccomp filters built at install time for --restrict-namespaces 2023-07-12 09:31:49 -04:00
netblue30
9e206b7f2c rework src/man Makefile 2023-07-07 14:01:20 -04:00
netblue30
e889db0958 build fix 2023-02-06 09:45:50 -05:00
Kelvin M. Klann
aad1351ab1 build: auto-generate syntax files
Changes:

* Generate firejail.vim from firejail.vim.in
* Generate firejail-profile.lang from firejail-profile.lang.in
* Update the manual syntax file steps on the new command checklist on
  CONTRIBUTING.md to use `make syntax` instead

Relates to #2679 #5502 #5577 #5612.
2023-01-28 00:05:54 -03:00
Kelvin M. Klann
c7c4f57d13 build: auto-generate syntax lists
Changes:

* Use the commands from contrib/vim/syntax/firejail.vim to create
  makefile targets to generate syntax lists in contrib/syntax/lists
* Add contrib/syntax/files/example.in as an example of how to generate
  syntax files
* Generate and add the syntax lists, to make it easier to spot if they
  are properly updated when a new command is added or if their recipes
  also need changes
* Add "syntax" and "contrib" makefile targets

Note: The generation commands are executed mostly silently to avoid
generating too much noise when also making other targets.

Note2: In some generation commands, a `$$` escape is used to pass `$` to
the shell, to avoid being interpreted by make as the start of a macro.

Note3: `@make_input@` is used in example.in to make it clear that the
file is generated (and that it is generated by make rather than
configure), similarly to how `@configure_input@` is used in configure
input files.  See also apparmor.vim:

    $ head -n 2 /usr/share/vim/vimfiles/syntax/apparmor.vim
    " generated from apparmor.vim.in by create-apparmor.vim.py
    " do not edit this file - edit apparmor.vim.in or create-apparmor.vim.py instead

Environment: apparmor 3.1.2-1 on Artix Linux.

Relates to #2679 #5502 #5577 #5612.
2023-01-27 23:58:30 -03:00
netblue30
3d3365cb31 removed grsecurity support 2022-10-24 09:06:01 -04:00
Kelvin M. Klann
30d55f030b build: add dist build directory to .gitignore
Ignore it only on the repository root path, as a directory that matches
`firejail-*` could eventually be added.

Note that the dist archive is already ignored since commit da6b131c3
("chore(.gitignore) ignore built packages", 2018-01-15) / PR #1733.

Example paths:

* build dir: firejail-0.9.71/
* archive:   firejail-0.9.71.tar.xz

See `$(NAME)-$(VERSION)` and `$(NAME)-$(VERSION).tar.xz` in the "dist"
target on the root Makefile.
2022-07-12 17:14:31 -03:00
Kelvin M. Klann
011d84b462 build: reduce autoconf input files from 32 to 2
Configure summary: autoconf essentially only parses configure.ac and
generates the configure script (that is, the "./configure" shell
script).  The latter is what actually checks what is available on the
system and internally sets the value of the output variables.  It then,
for every filename foo in AC_CONFIG_FILES (and for every output variable
name BAR in AC_SUBST), reads foo.in, replaces every occurrence of
`@BAR@` with the value of the shell variable `$BAR` and generates the
file foo from the result.  After this, configure is finished and `make`
could be executed to start the build.

Now that (as of #5140) all output variables are only defined on
config.mk.in and on config.sh.in, there is no need to generate any
makefile nor any other mkfile or shell script at configure time.  So
rename every "Makefile.in" to "Makefile", mkdeb.sh.in to mkdeb.sh,
src/common.mk.in to src/common.mk and leave just config.mk and config.sh
as the files to be generated at configure time.

This allows editing and committing all makefiles directly, without
potentially having to run ./configure in between.

Commands used to rename the makefiles:

    $ git ls-files -z -- '*Makefile.in' | xargs -0 -I '{}' sh -c \
      "git mv '{}' \"\$(dirname '{}')/Makefile\""

Additionally, from my (rudimentary) testing, this commit reduces the
time it takes to run ./configure by about 20~25% compared to commit
72ece92ea ("Transmission fixes: drop private-lib (#5213)", 2022-06-22).
Environment: dash 0.5.11.5-1, gcc 12.1.0-2, Artix Linux, ext4 on an HDD.

Commands used for benchmarking each commit:

    $ : >time_configure && ./configure && make distclean &&
      for i in $(seq 1 10); do
      { time -p ./configure; } 2>>time_configure; done
    $ grep real time_configure |
      awk '{ total += $2 } END { print total/NR }'
2022-06-30 05:30:14 -03:00
Kelvin M. Klann
95bfe7d71b mkdeb.sh.in: move configure-time vars into new config.sh.in
For better organization and so that they can be used by other shell
scripts by just sourcing config.sh.
2022-06-12 16:08:47 -03:00
Kelvin M. Klann
4e8244fb81 makefiles: deduplicate configure-time vars into new config.mk.in
Currently, the configure-time variables (that is, the ones that assign
to placeholders, such as "@HAVE_MAN@", which are set/replaced at
configure-time) are defined on multiple files (such as on Makefile.in
and on common.mk.in).

To avoid duplication, centralize these variables on a single file
(config.mk.in) and replace all of the other definitions of them with an
include of config.mk.
2022-06-12 16:08:47 -03:00
netblue30
54baf62b58 fix firemon, speed-up 2022-04-29 09:31:04 -04:00
netblue30
0674295d0c compile fix 2022-04-08 11:46:19 -04:00
netblue30
e9843593cb nettrace 2021-12-28 12:19:44 -05:00
netblue30
a627071b33 intrusion detection system 2021-07-28 08:30:24 -04:00
netblue30
b79e4416fe jailtest -> jailcheck (#4268) 2021-05-18 13:49:02 -04:00
netblue30
42e2db1275 jailtest - simple sandbox testing utility program 2021-02-20 10:06:58 -05:00
Harald Kubota
a37ffc3374 Add first version of zsh completion
Don't have duplicate descriptions and put = signs where they belong to

zsh completion function now dynamically adjusts for options (e.g. no --apparmor option without AppArmor configured)

No EXTRA_CFLAGS for cpp

Found main.c which does the argument processing. Moved some arguments into the correct #ifdef blocks

Profile selection now much better

No more cpp. Using preproc.awk instead.

Updated bash firejail command completion to add profiles

ignore bash and zsh dynamically created completion scripts

Moved bash/zsh completions out of ALL_ITEMS to fix make install

Cleanup
2021-02-12 21:39:44 +09:00
Fred Barclay
99372cbd0b Block VS Code preferences from being committed 2020-10-15 14:02:14 -05:00
Reiner Herrmann
efa9a7eebe build: remove preproc from gitignore 2020-09-06 20:58:05 +02:00
startx2017
f624e289c5 preprocessor for man pages 2020-09-01 13:16:24 -04:00
Fred Barclay
b8934df60b ignore .DS_Store 2020-06-19 10:11:42 -05:00
Topi Miettinen
87e7b31399 Configure Debian package with AA and SELinux options
Configure Debian package with AA and SELinux options if they are
enabled.
2020-05-14 13:10:14 +00:00
rusty-snake
54d817c8a0 abiword and more gnome-games
- four-in-a-row
- gnome-mahjongg
- gnome-robots
- gnome-sudoku
- gnome-taquin
- gnome-tetravex

harden gnome-chess
2020-03-29 16:47:21 +02:00
netblue30
61295cefe4 profile stats 2020-03-19 08:28:58 -04:00
KOLANICH
91cefc6a46 Fixed formatting (autopep8 + black + manual postprocessing). (#3208)
Added typing.
Replaced os.path with pathlib.
Made it work.
Fixes in .gitignore.
2020-02-07 22:06:34 +00:00
netblue30
19402cd2c3 gitignore 2019-10-31 11:49:33 -04:00
smitsohu
11d9e0a7c5 update gitignore 2019-08-07 14:42:14 +02:00
Fred-Barclay
6181f75e3f Housekeeping
Make sure all files end with a newline
Strip extra newlines and trailing whitespace from files
2019-02-17 17:04:02 -06:00
startx2017
f9127a3b5c .gitignore update 2018-04-16 10:06:14 -04:00
netblue30
5f33cb0dce gitignore 2018-03-31 08:26:18 -04:00
netblue30
2af2fecc7a .gitignore 2018-01-16 21:46:03 -05:00
Daniel Schildt
da6b131c34 chore(.gitignore) ignore built packages
- Ignore built package archive files (.tar.gz and .deb) from Git repository
- Avoid accidentally committing unneeded files in the future
2018-01-15 19:08:21 +02:00
netblue30
f9c60d5a3a replacing seccomp printing with a seccomp disassembler 2017-12-28 12:28:08 -05:00
netblue30
77a891838f netfilter split, --netfilter.print, --netfilter6.print 2017-11-15 07:09:41 -05:00
netblue30
7b5d105a39 fixed systemd-resolved integration - bug #1531 2017-09-16 10:51:41 -04:00
Topi Miettinen
cb5d361a7b Improve seccomp support for non-x86 architectures 2017-09-02 14:05:31 +03:00
Topi Miettinen
d01216de45 Feature: switch/config option to block secondary architectures
Add a feature for a new (opt-in) command line switch and config file
option to block secondary architectures entirely. Also block changing
Linux execution domain with personality() system call for the primary
architecture.

Closes #1479
2017-08-19 23:33:11 +03:00
netblue30
b858eb24cc .gitignore update 2017-08-04 11:20:14 -04:00
Fred Barclay
650a403fce strip trailing whitespace 2 2017-05-24 14:40:42 -05:00
netblue30
b286a6bc3a merge #1100 from zackw: removed libconnect 2017-02-14 11:38:19 -05:00
netblue30
64431c712f seccomp work 1 2016-11-20 07:45:50 -05:00
netblue30
f233eee374 testing 2016-11-16 20:11:29 -05:00
netblue30
35004af7d8 testing 2016-11-09 19:17:06 -05:00
netblue30
f898290fd7 major cleanup 2016-10-30 15:54:05 -04:00