mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
351 lines
11 KiB
Text
351 lines
11 KiB
Text
#
|
|
# Note:
|
|
#
|
|
# If for any reason autoconf fails, run "autoreconf -i --install " and try again.
|
|
# This is how the error looks like on Arch Linux:
|
|
# ./configure: line 3064: syntax error near unexpected token `newline'
|
|
# ./configure: line 3064: `AX_CHECK_COMPILE_FLAG('
|
|
#
|
|
# We rely solely on autoconf, without automake. Apparently, in this case
|
|
# the macros from m4 directory are not picked up by default by automake.
|
|
# "autoreconf -i --install" seems to fix the problem.
|
|
#
|
|
|
|
AC_PREREQ([2.68])
|
|
AC_INIT([firejail], [0.9.74], [https://github.com/netblue30/firejail/issues],
|
|
[], [https://firejail.wordpress.com])
|
|
|
|
AC_CONFIG_SRCDIR([src/firejail/main.c])
|
|
AC_CONFIG_MACRO_DIR([m4])
|
|
|
|
AC_PROG_CC
|
|
AC_CHECK_PROGS([CODESPELL], [codespell])
|
|
AC_CHECK_PROGS([CPPCHECK], [cppcheck])
|
|
AC_CHECK_PROGS([GAWK], [gawk])
|
|
AC_CHECK_PROGS([GZIP], [gzip])
|
|
AC_CHECK_PROGS([SCAN_BUILD], [scan-build])
|
|
AC_CHECK_PROGS([STRIP], [strip])
|
|
AC_CHECK_PROGS([TAR], [tar])
|
|
|
|
DEPS_CFLAGS=""
|
|
AC_SUBST([DEPS_CFLAGS])
|
|
AX_CHECK_COMPILE_FLAG([-MMD -MP], [
|
|
DEPS_CFLAGS="$DEPS_CFLAGS -MMD -MP"
|
|
])
|
|
|
|
AX_CHECK_COMPILE_FLAG([-D_FORTIFY_SOURCE=2], [
|
|
EXTRA_CFLAGS="$EXTRA_CFLAGS -D_FORTIFY_SOURCE=2"
|
|
], [], [$CFLAGS $CPPFLAGS -Werror])
|
|
|
|
HAVE_SPECTRE="no"
|
|
AX_CHECK_COMPILE_FLAG([-mindirect-branch=thunk], [
|
|
HAVE_SPECTRE="yes"
|
|
EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk"
|
|
])
|
|
AX_CHECK_COMPILE_FLAG([-fstack-clash-protection], [
|
|
HAVE_SPECTRE="yes"
|
|
EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection"
|
|
])
|
|
AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [
|
|
HAVE_SPECTRE="yes"
|
|
EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-protector-strong"
|
|
])
|
|
|
|
AC_ARG_ENABLE([analyzer],
|
|
[AS_HELP_STRING([--enable-analyzer], [enable GCC static analyzer])])
|
|
AS_IF([test "x$enable_analyzer" = "xyes"], [
|
|
EXTRA_CFLAGS="$EXTRA_CFLAGS -fanalyzer -Wno-analyzer-malloc-leak"
|
|
])
|
|
|
|
AC_ARG_ENABLE([sanitizer],
|
|
[AS_HELP_STRING([--enable-sanitizer=@<:@address | memory | undefined@:>@],
|
|
[enable a compiler-based sanitizer (debug)])],
|
|
[],
|
|
[enable_sanitizer=no])
|
|
AS_IF([test "x$enable_sanitizer" != "xno" ], [
|
|
AX_CHECK_COMPILE_FLAG([-fsanitize=$enable_sanitizer], [
|
|
EXTRA_CFLAGS="$EXTRA_CFLAGS -fsanitize=$enable_sanitizer -fno-omit-frame-pointer"
|
|
EXTRA_LDFLAGS="$EXTRA_LDFLAGS -fsanitize=$enable_sanitizer"
|
|
], [AC_MSG_ERROR([sanitizer not supported: $enable_sanitizer])])
|
|
])
|
|
|
|
HAVE_SANDBOX_CHECK=""
|
|
AC_SUBST([HAVE_SANDBOX_CHECK])
|
|
AC_ARG_ENABLE([sandbox-check],
|
|
[AS_HELP_STRING([--disable-sandbox-check],
|
|
[disable checking if firejail is running within a sandbox, only use
|
|
this when developing firejail inside of a sandbox])])
|
|
AS_IF([test "x$enable_sandbox_check" != "xno"], [
|
|
HAVE_SANDBOX_CHECK="-DHAVE_SANDBOX_CHECK"
|
|
])
|
|
|
|
HAVE_IDS=""
|
|
AC_SUBST([HAVE_IDS])
|
|
AC_ARG_ENABLE([ids],
|
|
[AS_HELP_STRING([--enable-ids], [enable ids])])
|
|
AS_IF([test "x$enable_ids" = "xyes"], [
|
|
HAVE_IDS="-DHAVE_IDS"
|
|
])
|
|
|
|
HAVE_APPARMOR=""
|
|
AC_SUBST([HAVE_APPARMOR])
|
|
AC_ARG_ENABLE([apparmor],
|
|
[AS_HELP_STRING([--enable-apparmor], [enable apparmor])])
|
|
AS_IF([test "x$enable_apparmor" = "xyes"], [
|
|
HAVE_APPARMOR="-DHAVE_APPARMOR"
|
|
PKG_CHECK_MODULES([AA], [libapparmor], [
|
|
EXTRA_CFLAGS="$EXTRA_CFLAGS $AA_CFLAGS"
|
|
LIBS="$LIBS $AA_LIBS"
|
|
])
|
|
])
|
|
|
|
HAVE_SELINUX=""
|
|
AC_SUBST([HAVE_SELINUX])
|
|
AC_ARG_ENABLE([selinux],
|
|
[AS_HELP_STRING([--enable-selinux], [SELinux labeling support])])
|
|
AS_IF([test "x$enable_selinux" = "xyes"], [
|
|
HAVE_SELINUX="-DHAVE_SELINUX"
|
|
LIBS="$LIBS -lselinux"
|
|
])
|
|
|
|
HAVE_LANDLOCK=""
|
|
AC_SUBST([HAVE_LANDLOCK])
|
|
AC_ARG_ENABLE([landlock],
|
|
[AS_HELP_STRING([--enable-landlock], [Landlock self-restriction support])])
|
|
AS_IF([test "x$enable_landlock" != "xno"], [
|
|
AC_CHECK_HEADER([linux/landlock.h],
|
|
[HAVE_LANDLOCK="-DHAVE_LANDLOCK"],
|
|
[AC_MSG_WARN([header not found: linux/landlock.h, building without Landlock support])])
|
|
])
|
|
|
|
AC_SUBST([EXTRA_CFLAGS])
|
|
AC_SUBST([EXTRA_LDFLAGS])
|
|
|
|
HAVE_DBUSPROXY=""
|
|
AC_SUBST([HAVE_DBUSPROXY])
|
|
AC_ARG_ENABLE([dbusproxy],
|
|
[AS_HELP_STRING([--disable-dbusproxy], [disable dbus proxy])])
|
|
AS_IF([test "x$enable_dbusproxy" != "xno"], [
|
|
HAVE_DBUSPROXY="-DHAVE_DBUSPROXY"
|
|
])
|
|
|
|
# The --overlay and related options are not supported anymore due to security
|
|
# concerns (see CVE-2021-26910 and #4178), issues on newer kernels (see #2799)
|
|
# and overall lack of interest in fixing and maintaining them.
|
|
#
|
|
# Support is unlikely to be restored for the foreseeable future unless someone
|
|
# picks up the work, as it would require auditing the overlayfs code to ensure
|
|
# that it is secure and that it works properly.
|
|
#
|
|
# It is highly recommended to leave this option disabled; the overlayfs code
|
|
# that remains is only intended for testing/debugging purposes.
|
|
HAVE_OVERLAYFS=""
|
|
AC_SUBST([HAVE_OVERLAYFS])
|
|
#AC_ARG_ENABLE([overlayfs],
|
|
# [AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])])
|
|
#AS_IF([test "x$enable_overlayfs" != "xno"], [
|
|
# HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
|
|
#])
|
|
|
|
HAVE_OUTPUT=""
|
|
AC_SUBST([HAVE_OUTPUT])
|
|
AC_ARG_ENABLE([output],
|
|
[AS_HELP_STRING([--disable-output], [disable --output logging])])
|
|
AS_IF([test "x$enable_output" != "xno"], [
|
|
HAVE_OUTPUT="-DHAVE_OUTPUT"
|
|
])
|
|
|
|
HAVE_USERTMPFS=""
|
|
AC_SUBST([HAVE_USERTMPFS])
|
|
AC_ARG_ENABLE([usertmpfs],
|
|
[AS_HELP_STRING([--disable-usertmpfs], [disable tmpfs as regular user])])
|
|
AS_IF([test "x$enable_usertmpfs" != "xno"], [
|
|
HAVE_USERTMPFS="-DHAVE_USERTMPFS"
|
|
])
|
|
|
|
HAVE_MAN="no"
|
|
AC_SUBST([HAVE_MAN])
|
|
AC_ARG_ENABLE([man],
|
|
[AS_HELP_STRING([--disable-man], [disable man pages])])
|
|
AS_IF([test "x$enable_man" != "xno"], [
|
|
HAVE_MAN="-DHAVE_MAN"
|
|
AS_IF([test "x$GAWK" = "x"], [AC_MSG_ERROR([*** gawk not found ***])])
|
|
])
|
|
|
|
HAVE_PRIVATE_HOME=""
|
|
AC_SUBST([HAVE_PRIVATE_HOME])
|
|
AC_ARG_ENABLE([private-home],
|
|
[AS_HELP_STRING([--disable-private-home], [disable private home feature])])
|
|
AS_IF([test "x$enable_private_home" != "xno"], [
|
|
HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME"
|
|
])
|
|
|
|
HAVE_PRIVATE_LIB=""
|
|
AC_SUBST([HAVE_PRIVATE_LIB])
|
|
AC_ARG_ENABLE([private-lib],
|
|
[AS_HELP_STRING([--disable-private-lib], [disable private lib feature])])
|
|
AS_IF([test "x$enable_private_lib" = "xyes"], [
|
|
HAVE_PRIVATE_LIB="-DHAVE_PRIVATE_LIB"
|
|
])
|
|
|
|
HAVE_CHROOT=""
|
|
AC_SUBST([HAVE_CHROOT])
|
|
AC_ARG_ENABLE([chroot],
|
|
[AS_HELP_STRING([--disable-chroot], [disable chroot])])
|
|
AS_IF([test "x$enable_chroot" != "xno"], [
|
|
HAVE_CHROOT="-DHAVE_CHROOT"
|
|
])
|
|
|
|
HAVE_GLOBALCFG=""
|
|
AC_SUBST([HAVE_GLOBALCFG])
|
|
AC_ARG_ENABLE([globalcfg],
|
|
[AS_HELP_STRING([--disable-globalcfg],
|
|
[if the global config file firejail.config is not present, continue the program using defaults])])
|
|
AS_IF([test "x$enable_globalcfg" != "xno"], [
|
|
HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
|
|
])
|
|
|
|
HAVE_NETWORK=""
|
|
AC_SUBST([HAVE_NETWORK])
|
|
AC_ARG_ENABLE([network],
|
|
[AS_HELP_STRING([--disable-network], [disable network])])
|
|
AS_IF([test "x$enable_network" != "xno"], [
|
|
HAVE_NETWORK="-DHAVE_NETWORK"
|
|
])
|
|
|
|
HAVE_USERNS=""
|
|
AC_SUBST([HAVE_USERNS])
|
|
AC_ARG_ENABLE([userns],
|
|
[AS_HELP_STRING([--disable-userns], [disable user namespace])])
|
|
AS_IF([test "x$enable_userns" != "xno"], [
|
|
HAVE_USERNS="-DHAVE_USERNS"
|
|
])
|
|
|
|
HAVE_X11=""
|
|
AC_SUBST([HAVE_X11])
|
|
AC_ARG_ENABLE([x11],
|
|
[AS_HELP_STRING([--disable-x11], [disable X11 sandboxing support])])
|
|
AS_IF([test "x$enable_x11" != "xno"], [
|
|
HAVE_X11="-DHAVE_X11"
|
|
])
|
|
|
|
HAVE_FILE_TRANSFER=""
|
|
AC_SUBST([HAVE_FILE_TRANSFER])
|
|
AC_ARG_ENABLE([file-transfer],
|
|
[AS_HELP_STRING([--disable-file-transfer], [disable file transfer])])
|
|
AS_IF([test "x$enable_file_transfer" != "xno"], [
|
|
HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER"
|
|
])
|
|
|
|
HAVE_SUID=""
|
|
AC_SUBST([HAVE_SUID])
|
|
AC_ARG_ENABLE([suid],
|
|
[AS_HELP_STRING([--disable-suid], [install as a non-SUID executable])])
|
|
AS_IF([test "x$enable_suid" != "xno"], [
|
|
HAVE_SUID="-DHAVE_SUID"
|
|
])
|
|
|
|
HAVE_FATAL_WARNINGS=""
|
|
AC_SUBST([HAVE_FATAL_WARNINGS])
|
|
AC_ARG_ENABLE([fatal_warnings],
|
|
[AS_HELP_STRING([--enable-fatal-warnings], [-W -Werror])])
|
|
AS_IF([test "x$enable_fatal_warnings" = "xyes"], [
|
|
HAVE_FATAL_WARNINGS="-W -Werror"
|
|
])
|
|
|
|
BUSYBOX_WORKAROUND="no"
|
|
AC_SUBST([BUSYBOX_WORKAROUND])
|
|
AC_ARG_ENABLE([busybox-workaround],
|
|
[AS_HELP_STRING([--enable-busybox-workaround], [enable busybox workaround])])
|
|
AS_IF([test "x$enable_busybox_workaround" = "xyes"], [
|
|
BUSYBOX_WORKAROUND="yes"
|
|
])
|
|
|
|
HAVE_GCOV=""
|
|
AC_SUBST([HAVE_GCOV])
|
|
AC_ARG_ENABLE([gcov],
|
|
[AS_HELP_STRING([--enable-gcov], [Gcov instrumentation])])
|
|
AS_IF([test "x$enable_gcov" = "xyes"], [
|
|
HAVE_GCOV="--coverage -DHAVE_GCOV"
|
|
EXTRA_LDFLAGS="$EXTRA_LDFLAGS --coverage"
|
|
LIBS="$LIBS -lgcov"
|
|
])
|
|
|
|
HAVE_CONTRIB_INSTALL="yes"
|
|
AC_SUBST([HAVE_CONTRIB_INSTALL])
|
|
AC_ARG_ENABLE([contrib-install],
|
|
[AS_HELP_STRING([--enable-contrib-install], [install contrib scripts])])
|
|
AS_IF([test "x$enable_contrib_install" = "xno"], [
|
|
HAVE_CONTRIB_INSTALL="no"
|
|
])
|
|
|
|
HAVE_FORCE_NONEWPRIVS=""
|
|
AC_SUBST([HAVE_FORCE_NONEWPRIVS])
|
|
AC_ARG_ENABLE([force-nonewprivs],
|
|
[AS_HELP_STRING([--enable-force-nonewprivs], [enable force nonewprivs])])
|
|
AS_IF([test "x$enable_force_nonewprivs" = "xyes"], [
|
|
HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS"
|
|
])
|
|
|
|
HAVE_ONLY_SYSCFG_PROFILES=""
|
|
AC_SUBST([HAVE_ONLY_SYSCFG_PROFILES])
|
|
AC_ARG_ENABLE([only-syscfg-profiles],
|
|
[AS_HELP_STRING([--enable-only-syscfg-profiles], [disable profiles in $HOME/.config/firejail])])
|
|
AS_IF([test "x$enable_only_syscfg_profiles" = "xyes"], [
|
|
HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES"
|
|
])
|
|
|
|
AC_CHECK_HEADER([linux/seccomp.h], [],
|
|
[AC_MSG_ERROR([*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***])])
|
|
|
|
# set sysconfdir
|
|
if test "$prefix" = /usr; then
|
|
test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc"
|
|
fi
|
|
|
|
AC_CONFIG_FILES([config.mk config.sh])
|
|
AC_OUTPUT
|
|
|
|
cat <<EOF
|
|
|
|
Compile options:
|
|
CC: $CC
|
|
CFLAGS: $CFLAGS
|
|
CPPFLAGS: $CPPFLAGS
|
|
LDFLAGS: $LDFLAGS
|
|
EXTRA_CFLAGS: $EXTRA_CFLAGS
|
|
DEPS_CFLAGS: $DEPS_CFLAGS
|
|
EXTRA_LDFLAGS: $EXTRA_LDFLAGS
|
|
LIBS: $LIBS
|
|
fatal warnings: $HAVE_FATAL_WARNINGS
|
|
gcov instrumentation: $HAVE_GCOV
|
|
install as a SUID executable: $HAVE_SUID
|
|
install contrib scripts: $HAVE_CONTRIB_INSTALL
|
|
prefix: $prefix
|
|
sysconfdir: $sysconfdir
|
|
Spectre compiler patch: $HAVE_SPECTRE
|
|
|
|
Features:
|
|
allow tmpfs as regular user: $HAVE_USERTMPFS
|
|
always enforce filters: $HAVE_FORCE_NONEWPRIVS
|
|
apparmor: $HAVE_APPARMOR
|
|
busybox workaround: $BUSYBOX_WORKAROUND
|
|
chroot: $HAVE_CHROOT
|
|
DBUS proxy support: $HAVE_DBUSPROXY
|
|
disable user profiles: $HAVE_ONLY_SYSCFG_PROFILES
|
|
enable --output logging: $HAVE_OUTPUT
|
|
file transfer support: $HAVE_FILE_TRANSFER
|
|
global config: $HAVE_GLOBALCFG
|
|
IDS support: $HAVE_IDS
|
|
Landlock support: $HAVE_LANDLOCK
|
|
manpage support: $HAVE_MAN
|
|
network: $HAVE_NETWORK
|
|
overlayfs support: $HAVE_OVERLAYFS
|
|
private home support: $HAVE_PRIVATE_HOME
|
|
private lib support: $HAVE_PRIVATE_LIB
|
|
sandbox check: $HAVE_SANDBOX_CHECK
|
|
SELinux labeling support: $HAVE_SELINUX
|
|
user namespace: $HAVE_USERNS
|
|
X11 sandboxing support: $HAVE_X11
|
|
|
|
EOF
|