sh #5103

New issue

Closed

opened 2026-05-05 10:32:21 -06:00 by gitea-mirror · 0 comments

gitea-mirror commented

2026-05-05 10:32:21 -06:00

Owner

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/4293
Author: @kmk3
Created: 5/22/2021
Status: ✅ Merged
Merged: 5/22/2021
Merged by: @reinerh

Base: master ← Head: configure-fix-portability

📝 Commits (1)

0c5d5d7 configure*: fix build with non-bash /bin/sh

📊 Changes

2 files changed (+17 additions, -16 deletions)

View changed files

📝 configure (+8 -8)
📝 configure.ac (+9 -8)

📄 Description

The configure script happens to work if /bin/sh supports the non-POSIX
"+=" operator (e.g.: bash) and fails otherwise (e.g.: dash).

This usage first appeared on configure.ac on commit 66a476419 ("gcov
support"), which is from 2016.

If the --enable-apparmor flag is passed to ./configure (which is the
default on Arch Linux), running make fails due to the missing
-lapparmor LDFLAG. Thus, building firejail-git from the AUR does not
work if /bin/sh is e.g.: dash.

Errors when running the build commands below from makepkg:

$ ./configure --prefix=/usr --enable-apparmor >/dev/null
./configure: 3174: EXTRA_CFLAGS+= -mindirect-branch=thunk: not found
./configure: 3246: EXTRA_CFLAGS+= -fstack-clash-protection: not found
./configure: 3282: EXTRA_CFLAGS+= -fstack-protector-strong: not found
./configure: 3518: EXTRA_CFLAGS+= : not found
$ make >/dev/null
/usr/bin/ld: apparmor.o: in function `apparmor_test':
/tmp/firejail-git/src/firejail-git/src/jailcheck/apparmor.c:28: undefined reference to `aa_gettaskcon'
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:10: jailcheck] Error 1
make: *** [Makefile:42: src/jailcheck/jailcheck] Error 2
make: *** Waiting for unfinished jobs....
/usr/bin/ld: apparmor.o: in function `print_apparmor':
/tmp/firejail-git/src/firejail-git/src/firemon/apparmor.c:28: undefined reference to `aa_gettaskcon'
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:10: firemon] Error 1
make: *** [Makefile:42: src/firemon/firemon] Error 2
/usr/bin/ld: join.o: in function `extract_apparmor':
/tmp/firejail-git/src/firejail-git/src/firejail/join.c:65: undefined reference to `aa_is_enabled'
/usr/bin/ld: sandbox.o: in function `set_apparmor':
/tmp/firejail-git/src/firejail-git/src/firejail/sandbox.c:133: undefined reference to `aa_change_onexec'
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:10: firejail] Error 1
make: *** [Makefile:42: src/firejail/firejail] Error 2

Without the apparmor flag, the CFLAGS related to HAVE_SPECTRE do not get
applied either, but make does not error out, so the problem is harder
to detect in this case.

Diff comparing the output of ./configure 2>&1 when running without and
then with this patch:

$ git --no-pager diff --no-index configure_current.log configure_patch.log
diff --git a/configure_current.log b/configure_patch.log
index f5e814f..099d836 100644
--- a/configure_current.log
+++ b/configure_patch.log
@@ -10,12 +10,9 @@ checking for gcc option to accept ISO C89... none needed
 checking for a BSD-compatible install... /usr/bin/install -c
 checking for ranlib... ranlib
 checking whether C compiler accepts -mindirect-branch=thunk... yes
-./configure: 3174: EXTRA_CFLAGS+= -mindirect-branch=thunk: not found
 checking whether C compiler accepts -mretpoline... no
 checking whether C compiler accepts -fstack-clash-protection... yes
-./configure: 3246: EXTRA_CFLAGS+= -fstack-clash-protection: not found
 checking whether C compiler accepts -fstack-protector-strong... yes
-./configure: 3282: EXTRA_CFLAGS+= -fstack-protector-strong: not found
 checking for pkg-config... /usr/bin/pkg-config
 checking pkg-config is at least version 0.9.0... yes
 checking for gawk... yes
@@ -88,7 +85,7 @@ Configuration options:
    busybox workaround: no
    Spectre compiler patch: yes
    EXTRA_LDFLAGS:
-   EXTRA_CFLAGS:
+   EXTRA_CFLAGS:  -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong
    fatal warnings:
    Gcov instrumentation:
    Install contrib scripts: yes

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/netblue30/firejail/pull/4293 **Author:** [@kmk3](https://github.com/kmk3) **Created:** 5/22/2021 **Status:** ✅ Merged **Merged:** 5/22/2021 **Merged by:** [@reinerh](https://github.com/reinerh) **Base:** `master` ← **Head:** `configure-fix-portability` --- ### 📝 Commits (1) - [`0c5d5d7`](https://github.com/netblue30/firejail/commit/0c5d5d77b334059716ed753687abb3bf823bfcfa) configure*: fix build with non-bash /bin/sh ### 📊 Changes **2 files changed** (+17 additions, -16 deletions) <details> <summary>View changed files</summary> 📝 `configure` (+8 -8) 📝 `configure.ac` (+9 -8) </details> ### 📄 Description The configure script happens to work if /bin/sh supports the non-POSIX "+=" operator (e.g.: bash) and fails otherwise (e.g.: dash). This usage first appeared on configure.ac on commit 66a476419 ("gcov support"), which is from 2016. If the --enable-apparmor flag is passed to ./configure (which is the default on Arch Linux), running `make` fails due to the missing -lapparmor LDFLAG. Thus, building firejail-git from the AUR does not work if /bin/sh is e.g.: dash. Errors when running the build commands below from makepkg: $ ./configure --prefix=/usr --enable-apparmor >/dev/null ./configure: 3174: EXTRA_CFLAGS+= -mindirect-branch=thunk: not found ./configure: 3246: EXTRA_CFLAGS+= -fstack-clash-protection: not found ./configure: 3282: EXTRA_CFLAGS+= -fstack-protector-strong: not found ./configure: 3518: EXTRA_CFLAGS+= : not found $ make >/dev/null /usr/bin/ld: apparmor.o: in function `apparmor_test': /tmp/firejail-git/src/firejail-git/src/jailcheck/apparmor.c:28: undefined reference to `aa_gettaskcon' collect2: error: ld returned 1 exit status make[1]: *** [Makefile:10: jailcheck] Error 1 make: *** [Makefile:42: src/jailcheck/jailcheck] Error 2 make: *** Waiting for unfinished jobs.... /usr/bin/ld: apparmor.o: in function `print_apparmor': /tmp/firejail-git/src/firejail-git/src/firemon/apparmor.c:28: undefined reference to `aa_gettaskcon' collect2: error: ld returned 1 exit status make[1]: *** [Makefile:10: firemon] Error 1 make: *** [Makefile:42: src/firemon/firemon] Error 2 /usr/bin/ld: join.o: in function `extract_apparmor': /tmp/firejail-git/src/firejail-git/src/firejail/join.c:65: undefined reference to `aa_is_enabled' /usr/bin/ld: sandbox.o: in function `set_apparmor': /tmp/firejail-git/src/firejail-git/src/firejail/sandbox.c:133: undefined reference to `aa_change_onexec' collect2: error: ld returned 1 exit status make[1]: *** [Makefile:10: firejail] Error 1 make: *** [Makefile:42: src/firejail/firejail] Error 2 Without the apparmor flag, the CFLAGS related to HAVE_SPECTRE do not get applied either, but `make` does not error out, so the problem is harder to detect in this case. Diff comparing the output of `./configure 2>&1` when running without and then with this patch: $ git --no-pager diff --no-index configure_current.log configure_patch.log diff --git a/configure_current.log b/configure_patch.log index f5e814f..099d836 100644 --- a/configure_current.log +++ b/configure_patch.log @@ -10,12 +10,9 @@ checking for gcc option to accept ISO C89... none needed checking for a BSD-compatible install... /usr/bin/install -c checking for ranlib... ranlib checking whether C compiler accepts -mindirect-branch=thunk... yes -./configure: 3174: EXTRA_CFLAGS+= -mindirect-branch=thunk: not found checking whether C compiler accepts -mretpoline... no checking whether C compiler accepts -fstack-clash-protection... yes -./configure: 3246: EXTRA_CFLAGS+= -fstack-clash-protection: not found checking whether C compiler accepts -fstack-protector-strong... yes -./configure: 3282: EXTRA_CFLAGS+= -fstack-protector-strong: not found checking for pkg-config... /usr/bin/pkg-config checking pkg-config is at least version 0.9.0... yes checking for gawk... yes @@ -88,7 +85,7 @@ Configuration options: busybox workaround: no Spectre compiler patch: yes EXTRA_LDFLAGS: - EXTRA_CFLAGS: + EXTRA_CFLAGS: -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong fatal warnings: Gcov instrumentation: Install contrib scripts: yes --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

gitea-mirror

2026-05-05 10:32:21 -06:00

closed this issue
added the
pull-request
label

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#5103

No description provided.

Rows
Columns