diff --git a/.github/workflows/package_updates.yml b/.github/workflows/package_updates.yml index 67db33b7ab0..ba60d9a50ac 100644 --- a/.github/workflows/package_updates.yml +++ b/.github/workflows/package_updates.yml @@ -113,13 +113,15 @@ jobs: size: 16G priority: 100 device_name: /dev/zram0 + - name: Load Docker image + run: | + ./scripts/run-docker.sh echo "" - name: Free additional disk space - run: CLEAN_DOCKER_IMAGES=false ./scripts/free-space.sh + run: ./scripts/free-space.sh - name: Process package updates env: GITHUB_TOKEN: ${{ secrets.TERMUXBOT2_TOKEN }} BUILD_PACKAGES: "true" - TERMUX_DOCKER__CONTAINER_EXEC_COMMAND__PRE_CHECK_IF_WILL_BUILD_PACKAGES: "true" CREATE_ISSUE: "true" GIT_COMMIT_PACKAGES: "true" GIT_PUSH_PACKAGES: "true" diff --git a/.github/workflows/packages.yml b/.github/workflows/packages.yml index 83494fa3335..7bdf45cddf8 100644 --- a/.github/workflows/packages.yml +++ b/.github/workflows/packages.yml @@ -20,6 +20,10 @@ on: packages: description: "A space-separated names of packages selected for rebuilding" required: true + free-space: + description: "Free space even if not building large package (useful when building a large number of packages)" + type: boolean + default: false permissions: {} # none @@ -98,7 +102,6 @@ jobs: # Forces CI to cancel current build with status 'passed' if grep -qiP '^\s*%ci:no-build\s*$' <(git log --format="%B" -n 1 --no-merges "HEAD"); then tar cf artifacts/debs-${{ matrix.target_arch }}.tar debs - echo "docker-build=true" >> $GITHUB_OUTPUT echo "[!] Force exiting as tag '%ci:no-build' was applied to HEAD commit message." exit 0 fi 
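Review bot: The `CLEAN_DOCKER_IMAGES=false` guard is dropped from the `Free additional disk space` step immediately after a new step pulls the builder image with `./scripts/run-docker.sh echo ""`; if `free-space.sh` (not part of this diff) still prunes Docker images when that variable is unset, the image just loaded is discarded and pulled again at build time, which defeats the preload. Either keep the guard or confirm that `free-space.sh` was changed in the same commit to leave images alone. The `echo ""` idiom also reads as a no-op to a casual reader; a step comment such as `# run-docker.sh with a trivial command is used only to pull/load the builder image before free-space.sh runs` would make the intent visible.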
@@ -186,31 +189,33 @@ jobs: echo "packages: ${packages[*]}" - docker='true' + free_space='false' + if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then + free_space=${{ github.event.inputs.free-space }} + else + if grep -qiP '^\s*%ci:free-disk\s*$' <(git log --format="%B" -n 1 --no-merges "HEAD"); then + free_space=true + fi + fi if [[ "${#packages[@]}" -gt 0 ]]; then for pkg in "${packages[@]}"; do if grep -qFx "$pkg" ./scripts/big-pkgs.list; then - docker='false' + free_space='true' break fi done fi + echo "free-space=$free_space" >> $GITHUB_OUTPUT - echo "docker-build=$docker" >> $GITHUB_OUTPUT + needs_docker_build=false if [ "${{ github.event_name }}" != "workflow_dispatch" ]; then # Build local Docker image if setup scripts were changed. # Useful for pull requests submitting changes for both build environment and packages. if grep -qP '^scripts/(Dockerfile|properties\.sh|setup-android-sdk\.sh|setup-ubuntu\.sh)$' <<< "$CHANGED_FILES"; then - echo "Detected changes for environment setup scripts. Building custom Docker image now." - if [ $docker == 'false' ]; then - echo "Skipping due to building large packages." - exit 0 - fi - cd ./scripts - docker build -t ghcr.io/termux/package-builder:latest . - cd .. + needs_docker_build=true fi fi + echo "needs-docker-build=$needs_docker_build" >> $GITHUB_OUTPUT - name: Lint packages run: | 
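Review bot: `free_space=${{ github.event.inputs.free-space }}` splices a workflow_dispatch input straight into the shell script; because the input is declared `type: boolean` the rendered value is limited to `true`/`false`, so the injection surface is small, but the rest of this script already reads its variable data through the environment (`<<< "$CHANGED_FILES"`) and this should follow the same pattern. Bind it once in the step's `env:` (e.g. `FREE_SPACE_INPUT: ${{ inputs.free-space }}`) and assign `free_space="${FREE_SPACE_INPUT:-false}"`, which also keeps the assignment quoted and yields a defined value when the input is absent. The step's `env:` block, if it has one, is outside this hunk.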
@@ -235,22 +240,24 @@ jobs: priority: 100 device_name: /dev/zram0 + - name: Build docker image + if: ${{ steps.build-info.outputs.needs-docker-build == 'true' }} + run: | + docker build -t ghcr.io/termux/package-builder:latest scripts/ + docker buildx prune -af + + - name: Load Docker image + if: ${{ steps.build-info.outputs.free-space == 'true' && steps.build-info.outputs.skip-building != 'true' }} + run: | + ./scripts/run-docker.sh echo "" + - name: Free additional disk space (if needed) - if: ${{ steps.build-info.outputs.docker-build == 'false' && steps.build-info.outputs.skip-building != 'true' }} + if: ${{ steps.build-info.outputs.free-space == 'true' && steps.build-info.outputs.skip-building != 'true' }} run: | - ./scripts/setup-ubuntu.sh - # need to unset these for setup-android-sdk.sh. - unset NDK ANDROID_HOME - ./scripts/setup-android-sdk.sh - rm -f ${HOME}/lib/ndk-*.zip ${HOME}/lib/sdk-*.zip - sudo apt install ninja-build ./scripts/free-space.sh - name: Build packages if: ${{ steps.build-info.outputs.skip-building != 'true' }} - env: - DOCKER_BUILD: ${{ steps.build-info.outputs.docker-build }} - TERMUX_DOCKER__CONTAINER_EXEC_COMMAND__PRE_CHECK_IF_WILL_BUILD_PACKAGES: "true" run: | declare -a packages=() for repo_path in $(jq --raw-output 'del(.pkg_format) | keys | .[]' repo.json); do 
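Review bot: The new `Build docker image` step is gated only on `needs-docker-build == 'true'`, while the two steps that follow also require `skip-building != 'true'`; on a `%ci:no-build` commit that touches `scripts/Dockerfile` the image is still built, and the `-t ghcr.io/termux/package-builder:latest` tag presumably shadows the registry image for every later `run-docker.sh` call in the job. If that is not intended, use `if: ${{ steps.build-info.outputs.needs-docker-build == 'true' && steps.build-info.outputs.skip-building != 'true' }}` for consistency with its neighbours. A one-line step comment stating that the local build deliberately overwrites the registry tag so `run-docker.sh` picks it up would also help, since nothing in the step says so.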
@@ -263,16 +270,7 @@ jobs: echo "packages: ${packages[*]}" if [[ "${#packages[@]}" -gt 0 ]]; then - if [ "$DOCKER_BUILD" == 'false' ]; then - # these need to be unset a second time again for ./build-package.sh - # when it is run outside of Docker, because GitHub Actions does not - # support permanently unsetting variables at time of writing. - # https://github.com/actions/runner/issues/1126 - unset NDK ANDROID_HOME - ./build-package.sh -I -C -a "${{ matrix.target_arch }}" "${packages[@]}" - else - ./scripts/run-docker.sh ./build-package.sh -I -C -a "${{ matrix.target_arch }}" "${packages[@]}" - fi + ./scripts/run-docker.sh -d ./build-package.sh -I -C -a "${{ matrix.target_arch }}" "${packages[@]}" fi - name: Generate build artifacts @@ -317,6 +315,10 @@ jobs: with: name: debs-${{ matrix.target_arch }}-${{ github.sha }} path: ./artifacts + - name: AppArmor Logs + if: always() + run: | + sudo dmesg | grep apparmor test-buildorder-random: permissions: diff --git a/CODEOWNERS b/CODEOWNERS index 2496769d95c..7937b7da653 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -15,6 +15,10 @@ /scripts/ @Grimler91 @thunder-coding /repo.json @Grimler91 @thunder-coding +# Docker security profiles +/scripts/profile.json @thunder-coding @licy183 +/scripts/*.apparmor @thunder-coding + # Build script linter /scripts/lint-packages.sh @TomJo2000 diff --git a/build-package.sh b/build-package.sh index d96694a0aec..c234c26e6bf 100755 --- a/build-package.sh +++ b/build-package.sh 
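Review bot: `sudo dmesg | grep apparmor` in the new `AppArmor Logs` step fails whenever there is nothing to show, because `grep` exits 1 on no match and that becomes the step's exit status; combined with `if: always()` this marks every otherwise clean run as failed. Use `sudo dmesg | grep -i apparmor || true` (or `|| echo "no AppArmor messages"`), and `-i` is worth adding since boot-time kernel lines are spelled `AppArmor:` while audit records use lowercase `apparmor=`. The step is purely diagnostic and should never change the job result.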
@@ -149,6 +149,10 @@ source "$TERMUX_SCRIPTDIR/scripts/build/setup/termux_setup_ldc.sh" # shellcheck source=scripts/build/setup/termux_setup_no_integrated_as.sh source "$TERMUX_SCRIPTDIR/scripts/build/setup/termux_setup_no_integrated_as.sh" +# Utility function for setting up build-python for cross-compilation of Python and crossenv +# shellcheck source=scripts/build/setup/termux_setup_build_python.sh +source "$TERMUX_SCRIPTDIR/scripts/build/setup/termux_setup_build_python.sh" + # Utility function for python packages to setup a python. # shellcheck source=scripts/build/setup/termux_setup_python_pip.sh source "$TERMUX_SCRIPTDIR/scripts/build/setup/termux_setup_python_pip.sh" diff --git a/clean.sh b/clean.sh index ee687bef988..3439ab5cb4c 100755 --- a/clean.sh +++ b/clean.sh @@ -93,5 +93,16 @@ fi rm -Rf "/data/data/.built-packages" fi - rm -Rf "$TERMUX_TOPDIR" + # unmount overlayfs before we remove the parent directory + [ -d "$TERMUX_TOPDIR" ] && for dir in $(find "$TERMUX_TOPDIR" -type d); do + if mountpoint -q "$dir"; then + umount "$dir" + fi + done + + # We can't use rm -Rf "$TERMUX_TOPDIR" in case the "$TERMUX_TOPDIR" is mounted as a Docker volume + if [ -d "$TERMUX_TOPDIR" ]; then + find "$TERMUX_TOPDIR" -type f,l -delete + find "$TERMUX_TOPDIR" -type d ! -path "$TERMUX_TOPDIR" -delete + fi } 5< "$TERMUX_BUILD_LOCK_FILE" diff --git a/packages/at-spi2-core/build.sh b/packages/at-spi2-core/build.sh index 2aaded88922..e9e00249b8c 100644 --- a/packages/at-spi2-core/build.sh +++ b/packages/at-spi2-core/build.sh @@ -3,6 +3,7 @@ TERMUX_PKG_DESCRIPTION="Assistive Technology Service Provider Interface (AT-SPI) TERMUX_PKG_LICENSE="LGPL-2.1" TERMUX_PKG_MAINTAINER="@termux" TERMUX_PKG_VERSION="2.58.3" +TERMUX_PKG_REVISION=1 TERMUX_PKG_SRCURL=https://download.gnome.org/sources/at-spi2-core/${TERMUX_PKG_VERSION%.*}/at-spi2-core-${TERMUX_PKG_VERSION}.tar.xz TERMUX_PKG_SHA256=b0fabea6c9742eda8c9c675f9b8c1d1babba1da82da03ea1103710233717c1b0 TERMUX_PKG_AUTO_UPDATE=true 
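Review bot: The unmount loop in clean.sh iterates the unquoted `$(find "$TERMUX_TOPDIR" -type d)`, so any path containing whitespace is split, and `find` lists parents before children, so a mountpoint nested inside another mountpoint is attempted parent-first and `umount` fails while the child stays mounted; the loop then falls through and the `find -delete` below runs against a still-mounted overlay. Walk depth-first with NUL separation and stop on the first failed unmount (the form below assumes clean.sh runs under bash, as the `5<` redirection style suggests). The enclosing function starts outside this hunk.
```shell
	# unmount overlayfs before we remove the parent directory
	# (-depth lists deepest directories first, so nested mountpoints are
	# released child-first; NUL separation keeps whitespace in paths intact)
	if [ -d "$TERMUX_TOPDIR" ]; then
		while IFS= read -r -d '' dir; do
			if mountpoint -q "$dir"; then
				umount "$dir" || { echo "clean.sh: failed to unmount $dir" >&2; exit 1; }
			fi
		done < <(find "$TERMUX_TOPDIR" -depth -type d -print0)
	fi
	# … unchanged: file and directory deletion …
```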
diff --git a/packages/dbus-python/build.sh b/packages/dbus-python/build.sh index 19aa3f7c7d8..1b7a67360fa 100644 --- a/packages/dbus-python/build.sh +++ b/packages/dbus-python/build.sh @@ -3,7 +3,7 @@ TERMUX_PKG_DESCRIPTION="Python bindings for D-Bus" TERMUX_PKG_LICENSE="MIT" TERMUX_PKG_MAINTAINER="@termux" TERMUX_PKG_VERSION="1.4.0" -TERMUX_PKG_REVISION=1 +TERMUX_PKG_REVISION=2 TERMUX_PKG_SRCURL=https://gitlab.freedesktop.org/dbus/dbus-python/-/archive/dbus-python-${TERMUX_PKG_VERSION}/dbus-python-dbus-python-${TERMUX_PKG_VERSION}.tar.gz TERMUX_PKG_SHA256=da4ee9bbb9eb901d463a7cc9f99dfdbe6c751c8b48b29b78d378985a3c9656ad TERMUX_PKG_AUTO_UPDATE=true diff --git a/packages/gst-python/build.sh b/packages/gst-python/build.sh index b77e5824ac7..5f5bcf54c2c 100644 --- a/packages/gst-python/build.sh +++ b/packages/gst-python/build.sh @@ -3,6 +3,7 @@ TERMUX_PKG_DESCRIPTION="Python bindings for GStreamer" TERMUX_PKG_LICENSE="LGPL-2.1" TERMUX_PKG_MAINTAINER="@termux" TERMUX_PKG_VERSION="1.28.1" +TERMUX_PKG_REVISION=1 TERMUX_PKG_SRCURL=https://gstreamer.freedesktop.org/src/gst-python/gst-python-${TERMUX_PKG_VERSION}.tar.xz TERMUX_PKG_SHA256=d47cea95adb95ba10443ed7812c7c5fa0807aef43b98cd1c6d8fb9f9a86f7085 TERMUX_PKG_AUTO_UPDATE=true diff --git a/packages/libunbound/build.sh b/packages/libunbound/build.sh index 87fd9cd942e..523f2b6ff93 100644 --- a/packages/libunbound/build.sh +++ b/packages/libunbound/build.sh @@ -3,7 +3,7 @@ TERMUX_PKG_DESCRIPTION="A validating, recursive, caching DNS resolver" TERMUX_PKG_LICENSE="BSD 3-Clause" TERMUX_PKG_MAINTAINER="@termux" TERMUX_PKG_VERSION="1.24.2" -TERMUX_PKG_REVISION=1 +TERMUX_PKG_REVISION=2 TERMUX_PKG_SRCURL=https://nlnetlabs.nl/downloads/unbound/unbound-${TERMUX_PKG_VERSION}.tar.gz TERMUX_PKG_SHA256=44e7b53e008a6dcaec03032769a212b46ab5c23c105284aa05a4f3af78e59cdb TERMUX_PKG_AUTO_UPDATE=true diff --git a/packages/libxml2/build.sh b/packages/libxml2/build.sh index a9666a74c15..51b943c443c 100644 --- a/packages/libxml2/build.sh 
+++ b/packages/libxml2/build.sh @@ -3,7 +3,7 @@ TERMUX_PKG_DESCRIPTION="Library for parsing XML documents" TERMUX_PKG_LICENSE="MIT" TERMUX_PKG_MAINTAINER="@termux" TERMUX_PKG_VERSION="2.15.1" -TERMUX_PKG_REVISION=1 +TERMUX_PKG_REVISION=2 TERMUX_PKG_SRCURL=https://download.gnome.org/sources/libxml2/${TERMUX_PKG_VERSION%.*}/libxml2-${TERMUX_PKG_VERSION}.tar.xz TERMUX_PKG_SHA256=c008bac08fd5c7b4a87f7b8a71f283fa581d80d80ff8d2efd3b26224c39bc54c TERMUX_PKG_AUTO_UPDATE=true diff --git a/packages/nala/build.sh b/packages/nala/build.sh index b3399cd03d4..da25199204d 100644 --- a/packages/nala/build.sh +++ b/packages/nala/build.sh @@ -3,7 +3,7 @@ TERMUX_PKG_DESCRIPTION="Commandline frontend for the apt package manager" TERMUX_PKG_LICENSE="GPL-3.0" TERMUX_PKG_MAINTAINER="@termux" TERMUX_PKG_VERSION="0.16.0" -TERMUX_PKG_REVISION=1 +TERMUX_PKG_REVISION=2 TERMUX_PKG_SRCURL=https://gitlab.com/volian/nala/-/archive/v${TERMUX_PKG_VERSION}/nala-v${TERMUX_PKG_VERSION}.tar.bz2 TERMUX_PKG_SHA256=49e384aa3b94597d09c61b7accc41d1cf10cb6beea85d4620c80c28d7cdc4d5f TERMUX_PKG_DEPENDS="python-apt, python-pip" diff --git a/packages/pycairo/build.sh b/packages/pycairo/build.sh index 8699446c06a..16c33c7fa26 100644 --- a/packages/pycairo/build.sh +++ b/packages/pycairo/build.sh @@ -3,6 +3,7 @@ TERMUX_PKG_DESCRIPTION="Python bindings for the cairo graphics library" TERMUX_PKG_LICENSE="LGPL-2.1" TERMUX_PKG_MAINTAINER="@termux" TERMUX_PKG_VERSION="1.29.0" +TERMUX_PKG_REVISION=1 TERMUX_PKG_SRCURL=https://github.com/pygobject/pycairo/releases/download/v${TERMUX_PKG_VERSION}/pycairo-${TERMUX_PKG_VERSION}.tar.gz TERMUX_PKG_SHA256=f3f7fde97325cae80224c09f12564ef58d0d0f655da0e3b040f5807bd5bd3142 TERMUX_PKG_AUTO_UPDATE=true diff --git a/packages/pygobject/build.sh b/packages/pygobject/build.sh index 7a737f6f8b2..1c17853c8b8 100644 --- a/packages/pygobject/build.sh +++ b/packages/pygobject/build.sh 
@@ -3,6 +3,7 @@ TERMUX_PKG_DESCRIPTION="Python package which provides bindings for GObject based TERMUX_PKG_LICENSE="LGPL-2.1" TERMUX_PKG_MAINTAINER="@termux" TERMUX_PKG_VERSION="3.56.0" +TERMUX_PKG_REVISION=1 TERMUX_PKG_SRCURL=https://download.gnome.org/sources/pygobject/${TERMUX_PKG_VERSION%.*}/pygobject-${TERMUX_PKG_VERSION}.tar.gz TERMUX_PKG_SHA256=4fbb5bf47524e01026f8e309dd54233eb0f75f2281392c5bf0df5d9041cc7891 TERMUX_PKG_AUTO_UPDATE=true diff --git a/packages/python-apt/build.sh b/packages/python-apt/build.sh index 9ff0f556bfc..990d5fb57ec 100644 --- a/packages/python-apt/build.sh +++ b/packages/python-apt/build.sh @@ -3,6 +3,7 @@ TERMUX_PKG_DESCRIPTION="Python bindings for APT" TERMUX_PKG_LICENSE="GPL-2.0" TERMUX_PKG_MAINTAINER="@termux" TERMUX_PKG_VERSION="3.1.0" +TERMUX_PKG_REVISION=1 TERMUX_PKG_SRCURL=https://ftp.debian.org/debian/pool/main/p/python-apt/python-apt_${TERMUX_PKG_VERSION}.tar.xz TERMUX_PKG_SHA256=daf46b0ed85061ccee64c3aa3004c695b33047f9f62f0de7863966c287731d5a TERMUX_PKG_DEPENDS="apt, libandroid-support, libc++, python" diff --git a/packages/python-cmake/build.sh b/packages/python-cmake/build.sh index b8f4317eeff..20ffc71a375 100644 --- a/packages/python-cmake/build.sh +++ b/packages/python-cmake/build.sh @@ -3,6 +3,7 @@ TERMUX_PKG_DESCRIPTION="Python wrapper for CMake" TERMUX_PKG_LICENSE="Apache-2.0" TERMUX_PKG_MAINTAINER="@termux" TERMUX_PKG_VERSION="4.2.3" +TERMUX_PKG_REVISION=1 TERMUX_PKG_SRCURL="https://github.com/scikit-build/cmake-python-distributions/archive/refs/tags/$TERMUX_PKG_VERSION.tar.gz" TERMUX_PKG_SHA256=6d563b85888e26789d1dbf0ecf1df142cabe6bf4bac9d134cadc0e638a3f2638 TERMUX_PKG_DEPENDS="cmake, cmake-curses-gui, python, python-pip" diff --git a/packages/python-lxml/build.sh b/packages/python-lxml/build.sh index 72dbf7ebc01..57f34624356 100644 --- a/packages/python-lxml/build.sh +++ b/packages/python-lxml/build.sh 
@@ -3,6 +3,7 @@ TERMUX_PKG_DESCRIPTION="Python binding for the libxml2 and libxslt libraries" TERMUX_PKG_LICENSE="MIT" TERMUX_PKG_MAINTAINER="@termux" TERMUX_PKG_VERSION="6.0.2" +TERMUX_PKG_REVISION=1 TERMUX_PKG_SRCURL=https://github.com/lxml/lxml/releases/download/lxml-$TERMUX_PKG_VERSION/lxml-$TERMUX_PKG_VERSION.tar.gz TERMUX_PKG_SHA256=cd79f3367bd74b317dda655dc8fcfa304d9eb6e4fb06b7168c5cf27f96e0cd62 TERMUX_PKG_DEPENDS="libxml2, libxslt, python, python-pip" diff --git a/packages/python-numpy/build.sh b/packages/python-numpy/build.sh index 482f759ef2b..c32910f698c 100644 --- a/packages/python-numpy/build.sh +++ b/packages/python-numpy/build.sh @@ -4,7 +4,7 @@ TERMUX_PKG_LICENSE="BSD 3-Clause" TERMUX_PKG_MAINTAINER="@termux" # Revbump revdeps after updating TERMUX_PKG_VERSION="2.2.5" -TERMUX_PKG_REVISION=3 +TERMUX_PKG_REVISION=4 TERMUX_PKG_SRCURL=git+https://github.com/numpy/numpy TERMUX_PKG_DEPENDS="libc++, libopenblas, python" TERMUX_PKG_AUTO_UPDATE=false @@ -73,6 +73,6 @@ termux_step_make() { termux_step_make_install() { local _pyv="${TERMUX_PYTHON_VERSION/./}" - local _whl="numpy-$TERMUX_PKG_VERSION-cp$_pyv-cp$_pyv-linux_$TERMUX_ARCH.whl" + local _whl="numpy-$TERMUX_PKG_VERSION-cp$_pyv-cp$_pyv-android_$TERMUX_ARCH.whl" pip install --no-deps --prefix=$TERMUX_PREFIX --force-reinstall $TERMUX_PKG_SRCDIR/dist/$_whl } diff --git a/packages/python-pip/android-api-abi.patch b/packages/python-pip/android-api-abi.patch new file mode 100644 index 00000000000..9d82927a735 --- /dev/null +++ b/packages/python-pip/android-api-abi.patch 
@@ -0,0 +1,14 @@ +Allow installing without specifying abi version. Needed for crossenv specifically. +May not be needed for on-device, but let's just keep it just in case in case there is some psycho who is doing this already +diff --git a/src/pip/_vendor/packaging/tags.py b/src/pip/_vendor/packaging/tags.py +index 8522f59c4..ef55342fb 100644 +--- a/src/pip/_vendor/packaging/tags.py ++++ b/src/pip/_vendor/packaging/tags.py +@@ -563,6 +563,7 @@ def android_platforms( + # without major patching. Yield every API level from the maximum down to the + # minimum, inclusive. + min_api_level = 16 ++ yield f"android_{abi}" + for ver in range(api_level, min_api_level - 1, -1): + yield f"android_{ver}_{abi}" + diff --git a/packages/python/0001-fix-hardcoded-paths.patch b/packages/python/0001-fix-hardcoded-paths.patch index 16a7a683194..467e7a7bc97 100644 --- a/packages/python/0001-fix-hardcoded-paths.patch +++ b/packages/python/0001-fix-hardcoded-paths.patch @@ -1,26 +1,3 @@ ---- a/Lib/aifc.py -+++ b/Lib/aifc.py -@@ -920,7 +920,7 @@ - if __name__ == '__main__': - import sys - if not sys.argv[1:]: -- sys.argv.append('/usr/demos/data/audio/bach.aiff') -+ sys.argv.append('@TERMUX_PREFIX@/demos/data/audio/bach.aiff') - fn = sys.argv[1] - with open(fn, 'r') as f: - print("Reading", fn) ---- a/Lib/mailcap.py -+++ b/Lib/mailcap.py -@@ -55,7 +55,8 @@ - # Don't bother with getpwuid() - home = '.' # Last resort - mailcaps = [home + '/.mailcap', '/etc/mailcap', -- '/usr/etc/mailcap', '/usr/local/etc/mailcap'] -+ '/usr/etc/mailcap', '/usr/local/etc/mailcap', -+ '@TERMUX_PREFIX@/etc/mailcap'] - return mailcaps - - --- a/Lib/mimetypes.py +++ b/Lib/mimetypes.py @@ -49,6 +49,7 @@ diff --git a/packages/python/0005-impl-multiprocessing.patch b/packages/python/0005-impl-multiprocessing.patch index a4468610ae4..f1ffe2f270d 100644 --- a/packages/python/0005-impl-multiprocessing.patch +++ b/packages/python/0005-impl-multiprocessing.patch 
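Review bot: The added `yield f"android_{abi}"` comes before the API-level loop, and tag order is preference order for pip's candidate selection, so a wheel tagged with the bare `android_<abi>` platform will be chosen over a correctly targeted `android_<api>_<abi>` wheel even on-device, where the header says the change is not needed. Yield it after the loop so it only acts as a last-resort match, or emit it only when an explicit opt-in (an environment variable set by the crossenv build, for instance) is present. The header text should also state the actual reason — presumably that crossenv has no target API level to encode — instead of describing hypothetical users as "psycho".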
@@ -10,18 +10,6 @@ _dir_candidates = [] ---- a/Modules/_multiprocessing/multiprocessing.c -+++ b/Modules/_multiprocessing/multiprocessing.c -@@ -172,7 +172,7 @@ - _MULTIPROCESSING_RECV_METHODDEF - _MULTIPROCESSING_SEND_METHODDEF - #endif --#if !defined(POSIX_SEMAPHORES_NOT_ENABLED) && !defined(__ANDROID__) -+#if !defined(POSIX_SEMAPHORES_NOT_ENABLED) - _MULTIPROCESSING_SEM_UNLINK_METHODDEF - #endif - {NULL} - --- a/Modules/_multiprocessing/posixshmem.c +++ b/Modules/_multiprocessing/posixshmem.c @@ -11,6 +11,72 @@ diff --git a/packages/python/0006-disable-multiarch.patch b/packages/python/0006-disable-multiarch.patch new file mode 100644 index 00000000000..7a429da96fc --- /dev/null +++ b/packages/python/0006-disable-multiarch.patch @@ -0,0 +1,12 @@ +diff --git a/configure.ac b/configure.ac +index 597a44b331a..fa78e09c192 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1134,6 +1134,7 @@ dnl architecture. PLATFORM_TRIPLET will be a pair or single value for these + dnl platforms. + AC_MSG_CHECKING([for multiarch]) + AS_CASE([$ac_sys_system], ++ [Linux-android], [MULTIARCH=""], + [Darwin*], [MULTIARCH=""], + [iOS], [MULTIARCH=""], + [FreeBSD*], [MULTIARCH=""], diff --git a/packages/python/0006-do-not-use-xattr.patch b/packages/python/0006-do-not-use-xattr.patch deleted file mode 100644 index 1f4996315c4..00000000000 --- a/packages/python/0006-do-not-use-xattr.patch +++ /dev/null @@ -1,13 +0,0 @@ -https://github.com/termux/termux-packages/issues/16879 - ---- a/Modules/posixmodule.c -+++ b/Modules/posixmodule.c -@@ -280,7 +280,7 @@ - # undef HAVE_SCHED_SETAFFINITY - #endif - --#if defined(HAVE_SYS_XATTR_H) && defined(HAVE_LINUX_LIMITS_H) && !defined(__FreeBSD_kernel__) && !defined(__GNU__) -+#if defined(HAVE_SYS_XATTR_H) && defined(HAVE_LINUX_LIMITS_H) && !defined(__FreeBSD_kernel__) && !defined(__GNU__) && !defined(__ANDROID__) - # define USE_XATTRS - # include // Needed for XATTR_SIZE_MAX on musl libc. - #endif 
diff --git a/packages/python/0007-disable-multiarch.patch b/packages/python/0007-disable-multiarch.patch deleted file mode 100644 index 79c1c787135..00000000000 --- a/packages/python/0007-disable-multiarch.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/configure -+++ b/configure -@@ -6939,6 +6939,8 @@ - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for multiarch" >&5 - printf %s "checking for multiarch... " >&6; } - case $ac_sys_system in #( -+ Linux-android) : -+ MULTIARCH="" ;; #( - Darwin*) : - MULTIARCH="" ;; #( - FreeBSD*) : diff --git a/packages/python/0008-do-not-use-link.patch b/packages/python/0007-do-not-use-link.patch similarity index 100% rename from packages/python/0008-do-not-use-link.patch rename to packages/python/0007-do-not-use-link.patch diff --git a/packages/python/0008-fix-pkgconfig-variable-substitution.patch b/packages/python/0008-fix-pkgconfig-variable-substitution.patch new file mode 100644 index 00000000000..70c08ec7471 --- /dev/null +++ b/packages/python/0008-fix-pkgconfig-variable-substitution.patch @@ -0,0 +1,16 @@ +Needed for proper substitution of @LIBPYTHON@ in python3.pc.in + +The former style of substitution is fine in Makefiles where variables are expanded, not in static generated files. +diff --git a/configure.ac b/configure.ac +index 043ec957f40..53bed63310e 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -6424,7 +6424,7 @@ LIBPYTHON='' + # On Android and Cygwin the shared libraries must be linked with libpython. + if test "$PY_ENABLE_SHARED" = "1" && ( test -n "$ANDROID_API_LEVEL" || test "$MACHDEP" = "cygwin"); then + MODULE_DEPS_SHARED="$MODULE_DEPS_SHARED \$(LDLIBRARY)" +- LIBPYTHON="\$(BLDLIBRARY)" ++ LIBPYTHON="$(BLDLIBRARY)" + fi + + # On iOS the shared libraries must be linked with the Python framework diff --git a/packages/python/0009-build-with-fPIC.patch b/packages/python/0009-build-with-fPIC.patch deleted file mode 100644 index 5fd66f38140..00000000000 
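Review bot: In the shell block of configure.ac, `LIBPYTHON="$(BLDLIBRARY)"` is command substitution, not variable expansion: the generated configure will try to execute a command named `BLDLIBRARY`, emit a "command not found" error, and leave `LIBPYTHON` empty. If the shell variable's value is what python3.pc needs, write `LIBPYTHON="${BLDLIBRARY}"`; if an empty `@LIBPYTHON@` is what actually fixes the substitution, set `LIBPYTHON=''` explicitly and say so in the patch header rather than relying on a failed substitution. Note that `BLDLIBRARY` may itself carry make syntax such as `$(LDVERSION)`, which a static .pc file cannot expand, so the first option may need a further rewrite.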
--- a/packages/python/0009-build-with-fPIC.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/configure -+++ b/configure -@@ -12838,7 +12840,7 @@ - then CCSHARED="-fPIC"; - else CCSHARED="+z"; - fi;; -- Linux-android*) ;; -+ Linux-android*) CCSHARED="-fPIC";; - Linux*|GNU*) CCSHARED="-fPIC";; - Emscripten*|WASI*) - if test "x$enable_wasm_dynamic_linking" = xyes diff --git a/packages/python/0009-fix-ctypes-util-find_library.patch b/packages/python/0009-fix-ctypes-util-find_library.patch new file mode 100644 index 00000000000..a432320bd91 --- /dev/null +++ b/packages/python/0009-fix-ctypes-util-find_library.patch @@ -0,0 +1,22 @@ +This was introduced in https://github.com/python/cpython/commit/1f8b24ef69896680d6ba6005e75e1cc79a744f9e but breaks our builds as we need directories from other paths as well + +diff --git a/Lib/ctypes/util.py b/Lib/ctypes/util.py +index 117bf06cb01..12d7428fe9a 100644 +--- a/Lib/ctypes/util.py ++++ b/Lib/ctypes/util.py +@@ -89,15 +89,6 @@ def find_library(name): + + from ctypes._aix import find_library + +-elif sys.platform == "android": +- def find_library(name): +- directory = "/system/lib" +- if "64" in os.uname().machine: +- directory += "64" +- +- fname = f"{directory}/lib{name}.so" +- return fname if os.path.isfile(fname) else None +- + elif os.name == "posix": + # Andreas Degert's find functions, using gcc, /sbin/ldconfig, objdump + import re, tempfile diff --git a/packages/python/0011-do-not-hardlink.patch b/packages/python/0010-do-not-hardlink.patch similarity index 68% rename from packages/python/0011-do-not-hardlink.patch rename to packages/python/0010-do-not-hardlink.patch index daca89efbcb..4291d12e96a 100644 --- a/packages/python/0011-do-not-hardlink.patch +++ b/packages/python/0010-do-not-hardlink.patch @@ -1,15 +1,17 @@ +diff --git a/Makefile.pre.in b/Makefile.pre.in +index a7dc9709d62..d6b84dc8905 100644 --- a/Makefile.pre.in 
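Review bot: Deleting the `sys.platform == "android"` branch removes the `/system/lib[64]` lookup entirely instead of extending it, so `ctypes.util.find_library("log")` and similar calls for Android system libraries now fall into the POSIX implementation, which shells out to `gcc`, `/sbin/ldconfig`, `ld` and `objdump` and writes temporary files, none of which is guaranteed to exist on a device. A smaller patch would keep the Android branch and fall back to the POSIX search (or to the Termux library prefix) only when `/system/lib*/lib{name}.so` is absent. The header should also name the directories the build actually needs, so the intent survives the next rebase.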
+++ b/Makefile.pre.in -@@ -817,7 +817,7 @@ $(LIBRARY): $(LIBRARY_OBJS) - libpython$(LDVERSION).so: $(LIBRARY_OBJS) $(DTRACE_OBJS) - if test $(INSTSONAME) != $(LDLIBRARY); then \ - $(BLDSHARED) -Wl,-h$(INSTSONAME) -o $(INSTSONAME) $(LIBRARY_OBJS) $(MODLIBS) $(SHLIBS) $(LIBC) $(LIBM); \ +@@ -917,7 +917,7 @@ libpython$(LDVERSION).so: $(LIBRARY_OBJS) $(DTRACE_OBJS) + $(BLDSHARED) -o $@ $(LIBRARY_OBJS) $(MODLIBS) $(SHLIBS) $(LIBC) $(LIBM); \ + fi + if test $(INSTSONAME) != $@; then \ - $(LN) -f $(INSTSONAME) $@; \ + $(LN) -sf $(INSTSONAME) $@; \ - else \ - $(BLDSHARED) -o $@ $(LIBRARY_OBJS) $(MODLIBS) $(SHLIBS) $(LIBC) $(LIBM); \ fi -@@ -1971,7 +1971,7 @@ altbininstall: $(BUILDPYTHON) @FRAMEWORKPYTHONW@ + + libpython3.so: libpython$(LDVERSION).so +@@ -2202,7 +2202,7 @@ altbininstall: $(BUILDPYTHON) @FRAMEWORKPYTHONW@ if test -f $(DESTDIR)$(BINDIR)/python$(VERSION)$(EXE) -o -h $(DESTDIR)$(BINDIR)/python$(VERSION)$(EXE); \ then rm -f $(DESTDIR)$(BINDIR)/python$(VERSION)$(EXE); \ fi; \ diff --git a/packages/python/0010-link-modules-against-libpython.patch b/packages/python/0010-link-modules-against-libpython.patch deleted file mode 100644 index 541eb1ea0c0..00000000000 --- a/packages/python/0010-link-modules-against-libpython.patch +++ /dev/null @@ -1,23 +0,0 @@ -Borrowed from https://github.com/msys2-contrib/cpython-mingw/commit/c4c698ec8fd7413068fce2de966938b3f8462de8 - ---- a/Modules/makesetup -+++ b/Modules/makesetup -@@ -97,6 +97,9 @@ - ExtraLibDir='$(LIBPL)' - fi - ExtraLibs="-L$ExtraLibDir -lpython\$(LDVERSION)";; -+Linux*) -+ ExtraLibs='$(BLDLIBRARY)' -+ ExtraLibDepends='$(LIBRARY_DEPS)';; - esac - - # Main loop -@@ -285,7 +288,7 @@ - BUILT_SHARED="$BUILT_SHARED $mod" - ;; - esac -- rule="$file: $objs" -+ rule="$file: $objs $ExtraLibDepends" - rule="$rule; \$(BLDSHARED) $objs $libs $ExtraLibs -o $file" - echo "$rule" >>$rulesf - done 
diff --git a/packages/python/0011-fix-module-linking.patch b/packages/python/0011-fix-module-linking.patch new file mode 100644 index 00000000000..ba23f4ac9e3 --- /dev/null +++ b/packages/python/0011-fix-module-linking.patch @@ -0,0 +1,14 @@ +Based off https://github.com/msys2-contrib/cpython-mingw/commit/e719663e07d6655e042f9c48910c65606cc4ae5e +diff --git a/Modules/makesetup b/Modules/makesetup +index 8bb971b152a..e6cf14460aa 100755 +--- a/Modules/makesetup ++++ b/Modules/makesetup +@@ -274,7 +274,7 @@ sed -e 's/[ ]*#.*//' -e '/^[ ]*$/d' | + ;; + esac + rule="$file: $objs" +- rule="$rule; \$(BLDSHARED) $objs $libs \$(LIBPYTHON) -o $file" ++ rule="$rule; \$(BLDSHARED) $objs $libs \$(BLDLIBRARY) -o $file" + echo "$rule" >>$rulesf + done + done diff --git a/packages/python/0012-hardcode-android-api-level.diff b/packages/python/0012-hardcode-android-api-level.diff new file mode 100644 index 00000000000..4c3625248fe --- /dev/null +++ b/packages/python/0012-hardcode-android-api-level.diff @@ -0,0 +1,13 @@ +diff --git a/Lib/platform.py b/Lib/platform.py +index 8895177e326..e02999739bf 100755 +--- a/Lib/platform.py ++++ b/Lib/platform.py +@@ -599,7 +599,7 @@ def getprop(name, default): + return buffer.value.decode("UTF-8", "backslashreplace") + + release = getprop("ro.build.version.release", release) +- api_level = int(getprop("ro.build.version.sdk", api_level)) ++ api_level = @TERMUX_PKG_API_LEVEL@ + manufacturer = getprop("ro.product.manufacturer", manufacturer) + model = getprop("ro.product.model", model) + device = getprop("ro.product.device", device) diff --git a/packages/python/build.sh b/packages/python/build.sh index 43ccec77d78..ddda88b4618 100644 --- a/packages/python/build.sh +++ b/packages/python/build.sh 
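Review bot: Replacing `int(getprop("ro.build.version.sdk", api_level))` with a build-time constant makes `platform.android_ver().api_level` report the package's target API level rather than the running device's, and the patch carries no explanation. If the purpose is to keep pip's `android_<api>_<abi>` wheel tags stable across devices, say so in a header comment on the patch, e.g. `Hardcode the API level so platform tags derived from android_ver() match the level the package was built for, independent of the device`; otherwise any runtime probe that uses this value to gate device features will under-report on newer devices. `build.sh` substitutes `@TERMUX_PKG_API_LEVEL@` with sed, so the placeholder spelling here must stay in sync with that call.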
@@ -3,16 +3,15 @@ TERMUX_PKG_DESCRIPTION="Python 3 programming language intended to enable clear p # License: PSF-2.0 TERMUX_PKG_LICENSE="custom" TERMUX_PKG_LICENSE_FILE="LICENSE" -TERMUX_PKG_MAINTAINER="@termux" -TERMUX_PKG_VERSION=3.12.12 -TERMUX_PKG_REVISION=1 +TERMUX_PKG_MAINTAINER="Yaksh Bariya " +TERMUX_PKG_VERSION="3.13.12" _DEBPYTHON_COMMIT=f358ab52bf2932ad55b1a72a29c9762169e6ac47 TERMUX_PKG_SRCURL=( https://www.python.org/ftp/python/${TERMUX_PKG_VERSION}/Python-${TERMUX_PKG_VERSION}.tar.xz https://salsa.debian.org/cpython-team/python3-defaults/-/archive/${_DEBPYTHON_COMMIT}/python3-defaults-${_DEBPYTHON_COMMIT}.tar.gz ) TERMUX_PKG_SHA256=( - fb85a13414b028c49ba18bbd523c2d055a30b56b18b92ce454ea2c51edc656c4 + 2a84cd31dd8d8ea8aaff75de66fc1b4b0127dd5799aa50a64ae9a313885b4593 3b7a76c144d39f5c4a2c7789fd4beb3266980c2e667ad36167e1e7a357c684b0 ) TERMUX_PKG_AUTO_UPDATE=false @@ -25,9 +24,6 @@ TERMUX_PKG_REPLACES="python-dev" # Let "python3" will be alias to this package. TERMUX_PKG_PROVIDES="python3" -# https://github.com/termux/termux-packages/issues/15908 -TERMUX_PKG_MAKE_PROCESSES=1 - _MAJOR_VERSION="${TERMUX_PKG_VERSION%.*}" # Set ac_cv_func_wcsftime=no to avoid errors such as "character U+ca0025 is not in range [U+0000; U+10ffff]" @@ -58,6 +54,8 @@ TERMUX_PKG_EXTRA_CONFIGURE_ARGS+=" ac_cv_func_shm_unlink=yes" TERMUX_PKG_EXTRA_CONFIGURE_ARGS+=" ac_cv_working_tzset=yes" # prevents 'configure: error: Cross compiling requires --with-build-python' (even during on-device build) TERMUX_PKG_EXTRA_CONFIGURE_ARGS+=" --with-build-python=python$_MAJOR_VERSION" +# https://github.com/termux/termux-packages/issues/16879 +TERMUX_PKG_EXTRA_CONFIGURE_ARGS+=" ac_cv_header_sys_xattr_h=no" TERMUX_PKG_RM_AFTER_INSTALL=" lib/python${_MAJOR_VERSION}/test 
@@ -67,10 +65,18 @@ lib/python${_MAJOR_VERSION}/site-packages/*/ " termux_step_post_get_source() { + patch="$TERMUX_PKG_BUILDER_DIR/0012-hardcode-android-api-level.diff" + echo "Applying patch: $(basename "$patch")" + test -f "$patch" && sed \ + -e "s%\@TERMUX_PKG_API_LEVEL\@%${TERMUX_PKG_API_LEVEL}%g" \ + "$patch" | patch --silent -p1 + + mv "$TERMUX_PKG_SRCDIR/python3-defaults-$_DEBPYTHON_COMMIT" "$TERMUX_PKG_SRCDIR/debpython" } termux_step_pre_configure() { + termux_setup_build_python # -O3 gains some additional performance on at least aarch64. CFLAGS="${CFLAGS/-Oz/-O3}" @@ -79,6 +85,8 @@ termux_step_pre_configure() { # if extension modules should be built (specifically, the # zlib extension module is not built without this): CPPFLAGS+=" -I$TERMUX_STANDALONE_TOOLCHAIN/sysroot/usr/include" + # Without this all symbols are removed from the built libpython3.so + LDFLAGS="${LDFLAGS/-Wl,--as-needed/}" LDFLAGS+=" -L$TERMUX_STANDALONE_TOOLCHAIN/sysroot/usr/lib" if [ $TERMUX_ARCH = x86_64 ]; then LDFLAGS+=64; fi @@ -86,6 +94,7 @@ termux_step_pre_configure() { # on devices that have API levels newer than $TERMUX_PKG_API_LEVEL if [[ "$TERMUX_PKG_API_LEVEL" -lt 28 ]]; then TERMUX_PKG_EXTRA_CONFIGURE_ARGS+=" ac_cv_func_fexecve=no" + TERMUX_PKG_EXTRA_CONFIGURE_ARGS+=" ac_cv_func_getlogin_r=no" fi if [[ "$TERMUX_PKG_API_LEVEL" -lt 29 ]]; then @@ -114,6 +123,7 @@ termux_step_pre_configure() { sed -i -e "s|@TERMUX_PYTHON_VERSION@|${_MAJOR_VERSION}|g" \ -e "s|@TERMUX_PKG_FULLVERSION@|$(test ${TERMUX_PACKAGE_FORMAT} = pacman && echo ${TERMUX_PKG_FULLVERSION_FOR_PACMAN} || echo ${TERMUX_PKG_FULLVERSION})|g" \ $(find "$TERMUX_PKG_SRCDIR/debpython" -type f) + autoreconf -fi } termux_step_post_make_install() { 
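Review bot: In `termux_step_post_get_source` the new `patch=...` assignment is global (no `local`), and `test -f "$patch" && ... | patch --silent -p1` silently skips the API-level patch when the file is missing, since a failed `test` in an `&&` list does not trip `set -e`. Declare `local patch` and fail loudly with `[ -f "$patch" ] || termux_error_exit "missing $patch"` (or a plain `exit 1` if that helper is not in scope here) before piping the sed output into `patch`. Also, the placeholder substituted here is `@TERMUX_PKG_API_LEVEL@` whereas the loop in termux_setup_build_python.sh substitutes `@@TERMUX_PKG_API_LEVEL@@`; aligning the two would let the same patch files work in both places.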
@@ -165,9 +175,9 @@ termux_step_create_debscripts() { echo fi - if [ -d $TERMUX_PREFIX/lib/python3.11/site-packages ]; then + if [[ -d $TERMUX_PREFIX/lib/python3.11/site-packages || -d $TERMUX_PREFIX/lib/python3.12/site-packages ]]; then echo - echo "NOTE: The system python package has been updated to 3.12." + echo "NOTE: The system python package has been updated to 3.13." echo "NOTE: Run 'pkg upgrade' to update system python packages." echo "NOTE: Packages installed using pip needs to be re-installed." echo diff --git a/packages/recoll/build.sh b/packages/recoll/build.sh index d3a56b8a817..f3e4f03f344 100644 --- a/packages/recoll/build.sh +++ b/packages/recoll/build.sh @@ -5,6 +5,7 @@ TERMUX_PKG_MAINTAINER="@termux" TERMUX_PKG_VERSION="1.43.13" TERMUX_PKG_SRCURL="https://www.recoll.org/recoll-${TERMUX_PKG_VERSION}.tar.gz" TERMUX_PKG_SHA256=140bf1e4fc51299f60dad580dffd64733e1d06fb14c6f752e2a34d4d70540c19 +TERMUX_PKG_REVISION=1 TERMUX_PKG_AUTO_UPDATE=true TERMUX_PKG_DEPENDS="aspell, file, jsoncpp, libc++, libiconv, libxapian, libxml2, libxslt, zlib" TERMUX_PKG_PYTHON_COMMON_BUILD_DEPS="wheel" diff --git a/packages/speechd/build.sh b/packages/speechd/build.sh index fa90a66d69e..a7fdb951fe1 100644 --- a/packages/speechd/build.sh +++ b/packages/speechd/build.sh @@ -3,6 +3,7 @@ TERMUX_PKG_DESCRIPTION="Common interface to speech synthesis" TERMUX_PKG_LICENSE="LGPL-2.1, GPL-2.0" TERMUX_PKG_MAINTAINER="@termux" TERMUX_PKG_VERSION="0.12.1" +TERMUX_PKG_REVISION=1 TERMUX_PKG_SHA256=32a730f6fb5981b9bec7e04f3674fd7d29e54935f46cf6354dbb9ab1f9b23b2d TERMUX_PKG_SRCURL=https://github.com/brailcom/speechd/archive/refs/tags/${TERMUX_PKG_VERSION}.tar.gz TERMUX_PKG_DEPENDS="dotconf, espeak, glib, libiconv, libltdl, libsndfile, pulseaudio, python, speechd-data, libandroid-posix-semaphore" diff --git a/packages/xcb-proto/build.sh b/packages/xcb-proto/build.sh index 26d6f6089b7..467d31de775 100644 --- a/packages/xcb-proto/build.sh +++ b/packages/xcb-proto/build.sh 
@@ -4,7 +4,7 @@ TERMUX_PKG_DESCRIPTION="XML-XCB protocol descriptions" TERMUX_PKG_LICENSE="MIT" TERMUX_PKG_MAINTAINER="@termux" TERMUX_PKG_VERSION="1.17.0" -TERMUX_PKG_REVISION=1 +TERMUX_PKG_REVISION=2 TERMUX_PKG_SRCURL=https://xorg.freedesktop.org/archive/individual/proto/xcb-proto-$TERMUX_PKG_VERSION.tar.xz TERMUX_PKG_SHA256=2c1bacd2110f4799f74de6ebb714b94cf6f80fb112316b1219480fd22562148c TERMUX_PKG_AUTO_UPDATE=true @@ -12,6 +12,13 @@ TERMUX_PKG_PLATFORM_INDEPENDENT=true TERMUX_PKG_CONFLICTS="xcbproto" TERMUX_PKG_REPLACES="xcbproto" TERMUX_PKG_EXTRA_CONFIGURE_ARGS=" -PYTHON=python${TERMUX_PYTHON_VERSION} +PYTHON=/usr/bin/python3 am_cv_python_pythondir=$TERMUX_PYTHON_HOME/site-packages " + +termux_step_post_make_install() { + # We are using Ubuntu's host python for installing the package which may be of + # different major version. Python bytecode isn't compatible across versions. + # So get rid of it + rm -r "$TERMUX_PREFIX/lib/python3.13/site-packages/xcbgen/__pycache__/" +} diff --git a/scripts/build/setup/termux_setup_build_python.sh b/scripts/build/setup/termux_setup_build_python.sh new file mode 100644 index 00000000000..b78d92a0294 --- /dev/null +++ b/scripts/build/setup/termux_setup_build_python.sh 
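Review bot: `rm -r "$TERMUX_PREFIX/lib/python3.13/site-packages/xcbgen/__pycache__/"` hardcodes the Python minor version while the configure args a few lines above derive the same tree from `$TERMUX_PYTHON_HOME`; at the next Python bump the host-Python bytecode will be shipped again and, under the build's errexit, `rm -r` without `-f` will abort the build once the path no longer exists. Use `rm -rf "$TERMUX_PYTHON_HOME/site-packages/xcbgen/__pycache__"` instead. A `find "$TERMUX_PYTHON_HOME/site-packages/xcbgen" -name __pycache__ -type d -exec rm -rf {} +` would also catch nested caches if the module gains subpackages.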
@@ -0,0 +1,87 @@ +# This script adds it's own python build to $PATH which overrides the Ubuntu's +# packaged version. Packages installed using apt on Ubuntu won't work. This +# python build is supposed to be used only for cross-compilation of pip +# packages. +# +# Before using this script manually anywhere it is highly recommended to read +# https://crossenv.readthedocs.io/en/latest/quickstart.html +# For cross compilation of python packages as well as python, a host build of +# python of the same version is required. For pip package cross compilation, +# ideally same version of python is recommended by crossenv. +termux_setup_build_python() { + if [ "$TERMUX_ON_DEVICE_BUILD" = "true" ]; then + if [[ "$TERMUX_APP_PACKAGE_MANAGER" = "apt" && "$(dpkg-query -W -f '${db:Status-Status}\n' python 2>/dev/null)" != "installed" ]] || + [[ "$TERMUX_APP_PACKAGE_MANAGER" = "pacman" && ! "$(pacman -Q python 2>/dev/null)" ]]; then + echo "Package 'python is not installed." + echo "You can install it with" + echo + echo " pkg install python" + echo + echo " pacman -S python" + echo + echo "Note that package 'python' is known to be problematic for building on device." + exit 1 + fi + else + local _PYTHON_VERSION + local _PYTHON_SRCURL + local _PYTHON_SHA256 + local _PYTHON_FOLDER + _PYTHON_VERSION="$(. "$TERMUX_SCRIPTDIR/packages/python/build.sh"; echo "$TERMUX_PKG_VERSION")" + _PYTHON_SRCURL="$(. "$TERMUX_SCRIPTDIR/packages/python/build.sh"; echo "$TERMUX_PKG_SRCURL")" + _PYTHON_SHA256="$(. "$TERMUX_SCRIPTDIR/packages/python/build.sh"; echo "$TERMUX_PKG_SHA256")" + if [[ "${TERMUX_PACKAGES_OFFLINE-false}" = "true" ]]; then + _PYTHON_FOLDER=${TERMUX_SCRIPTDIR}/build-tools/python-${_PYTHON_VERSION} + else + _PYTHON_FOLDER=${TERMUX_COMMON_CACHEDIR}/python-${_PYTHON_VERSION} + fi + export TERMUX_BUILD_PYTHON_DIR=$_PYTHON_FOLDER + + if [[ ! 
-d "$_PYTHON_FOLDER" ]]; then + local LAST_PWD="$(pwd)" + termux_download \ + "$_PYTHON_SRCURL" "python-$_PYTHON_VERSION.tar.xz" "$_PYTHON_SHA256" + mkdir "$_PYTHON_FOLDER" + tar \ + --extract \ + --strip-components=1 \ + -C "$_PYTHON_FOLDER" \ + -f "python-$_PYTHON_VERSION.tar.xz" + cd "$_PYTHON_FOLDER" + + for f in "$TERMUX_SCRIPTDIR"/packages/python/0009-fix-ctypes-util-find_library.patch; do + echo "[${FUNCNAME[0]}]: Applying $(basename "$f")" + cat "$f" | sed -e "s|@@TERMUX_PKG_API_LEVEL@@|${TERMUX_PKG_API_LEVEL}|g" | patch --silent -p1 + done + + # Perform a hostbuild of python. We are kind of doing a minimal build, which + # may break some stuff that rely on an extended python release + mkdir host-build/ + cd host-build/ + # We are using env -i as there are a lot of environment variable that need + # to be unset, so better just start from scratch + # Also whoever on crack wrote the build scripts for python, didn't think of + # supporting the standard LD environment variable or even LDFLAGS properly. + # So instead of using LDFLAGS we have to pass linker arguments to CC and CXX + # and hope that Clang C and C++ drivers keep on ignoring link flags. It is + # not at all possible to specify a separate linker without patches as it is + # hardcoded to "$(CC) -shared" and "$(CXX) -shared" + # Whoever that person is needs to stop writing build scripts and instead + # question his impact on his mere existence on the world + env -i \ + CC="clang-${TERMUX_HOST_LLVM_MAJOR_VERSION} -fuse-ld=lld" \ + CXX="clang++-${TERMUX_HOST_LLVM_MAJOR_VERSION} -fuse-ld=lld" \ + LDFLAGS="-Wl,-rpath=$_PYTHON_FOLDER/host-build-prefix/lib" \ + PATH="/usr/bin" \ + ../configure \ + --with-ensurepip=install \ + --enable-shared \ + --prefix="$_PYTHON_FOLDER/host-build-prefix" + env -i \ + make -j "$(nproc)" install + cd "$LAST_PWD" + fi + # Add our own built python to path + export PATH="$_PYTHON_FOLDER/host-build-prefix/bin:$PATH" + fi +} 
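Review bot: The "already built" test `if [[ ! -d "$_PYTHON_FOLDER" ]]` becomes true as soon as `mkdir "$_PYTHON_FOLDER"` has run, so a failed download, patch, configure or make (or an aborted CI job) leaves a directory that every later run treats as a finished host Python, and `export PATH="$_PYTHON_FOLDER/host-build-prefix/bin:$PATH"` then points at a prefix that does not exist. Test for the result instead, e.g. `if [[ ! -x "$_PYTHON_FOLDER/host-build-prefix/bin/python3" ]]; then`, with `rm -rf "$_PYTHON_FOLDER"` immediately before the `mkdir` so a stale partial tree is replaced rather than reused. Two smaller things: the message `"Package 'python is not installed."` is missing its closing quote, and `cd "$LAST_PWD"` is only reached on success, so on failure the caller is left inside `host-build/` if it is running without `set -e` (not visible here).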
diff --git a/scripts/build/setup/termux_setup_python_pip.sh b/scripts/build/setup/termux_setup_python_pip.sh index a2b83511c02..3040485e868 100644 --- a/scripts/build/setup/termux_setup_python_pip.sh +++ b/scripts/build/setup/termux_setup_python_pip.sh @@ -54,7 +54,7 @@ termux_setup_python_pip() { if [ ! -d "$TERMUX_PYTHON_CROSSENV_PREFIX" ]; then cd "$TERMUX_PYTHON_CROSSENV_SRCDIR" - /usr/bin/python${TERMUX_PYTHON_VERSION} -m crossenv \ + "$TERMUX_BUILD_PYTHON_DIR/host-build-prefix/bin/python${TERMUX_PYTHON_VERSION}" -m crossenv \ "$TERMUX_PREFIX/bin/python${TERMUX_PYTHON_VERSION}" \ "${TERMUX_PYTHON_CROSSENV_PREFIX}" fi diff --git a/scripts/build/termux_step_setup_toolchain.sh b/scripts/build/termux_step_setup_toolchain.sh index e4709039a60..186e6a0cbfc 100644 --- a/scripts/build/termux_step_setup_toolchain.sh +++ b/scripts/build/termux_step_setup_toolchain.sh @@ -7,10 +7,10 @@ termux_step_setup_toolchain() { # toolchain setup to ensure that everyone gets an updated # toolchain if [ "${TERMUX_NDK_VERSION}" = "29" ]; then - TERMUX_STANDALONE_TOOLCHAIN+="-v3" + TERMUX_STANDALONE_TOOLCHAIN+="-v4" termux_setup_toolchain_29 elif [ "${TERMUX_NDK_VERSION}" = 23c ]; then - TERMUX_STANDALONE_TOOLCHAIN+="-v10" + TERMUX_STANDALONE_TOOLCHAIN+="-v11" termux_setup_toolchain_23c else termux_error_exit "We do not have a setup_toolchain function for NDK version $TERMUX_NDK_VERSION" diff --git a/scripts/build/toolchain/termux_setup_toolchain_29.sh b/scripts/build/toolchain/termux_setup_toolchain_29.sh index cd17364b794..27abb3e2422 100644 --- a/scripts/build/toolchain/termux_setup_toolchain_29.sh +++ b/scripts/build/toolchain/termux_setup_toolchain_29.sh 
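Review bot: The crossenv invocation now depends on `$TERMUX_BUILD_PYTHON_DIR`, which this commit exports only from termux_setup_build_python() (and only in its non-on-device branch), but nothing in this hunk ensures that function has run first; if it has not, the interpreter path degrades to `/host-build-prefix/bin/python<ver>` or the shell aborts under `set -u`. Suggest guarding the call, e.g. `[ -n "${TERMUX_BUILD_PYTHON_DIR-}" ] || termux_setup_build_python`, or at least a comment above the `if` stating the ordering requirement. The enclosing function starts outside the hunk, so the dependency may already be satisfied there.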
@@ -128,14 +128,22 @@ termux_setup_toolchain_29() { return fi - if [ -d $TERMUX_STANDALONE_TOOLCHAIN ]; then - return + [ -d "$TERMUX_STANDALONE_TOOLCHAIN" ] || mkdir -p "$TERMUX_STANDALONE_TOOLCHAIN" + [ -d "${TERMUX_STANDALONE_TOOLCHAIN}-upper" ] || mkdir -p "${TERMUX_STANDALONE_TOOLCHAIN}-upper" + [ -d "${TERMUX_STANDALONE_TOOLCHAIN}-work" ] || mkdir -p "${TERMUX_STANDALONE_TOOLCHAIN}-work" + + + if ! mountpoint -q "${TERMUX_STANDALONE_TOOLCHAIN}"; then + fuse-overlayfs \ + "${TERMUX_STANDALONE_TOOLCHAIN}" \ + -o lowerdir="${NDK}/toolchains/llvm/prebuilt/linux-x86_64" \ + -o upperdir="${TERMUX_STANDALONE_TOOLCHAIN}-upper" \ + -o workdir="${TERMUX_STANDALONE_TOOLCHAIN}-work" fi - # Do not put toolchain in place until we are done with setup, to avoid having a half setup - # toolchain left in place if something goes wrong (or process is just aborted): - local _TERMUX_TOOLCHAIN_TMPDIR=${TERMUX_STANDALONE_TOOLCHAIN}-tmp - rm -Rf $_TERMUX_TOOLCHAIN_TMPDIR + if [ -f "${TERMUX_STANDALONE_TOOLCHAIN}/.termux-standalone-toolchain" ]; then + return + fi local _NDK_ARCHNAME=$TERMUX_ARCH if [ "$TERMUX_ARCH" = "aarch64" ]; then 
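Review bot: The completion marker `.termux-standalone-toolchain` is only created at the very end of setup (last hunk of this file), while the `-upper` and `-work` directories persist across runs, so an interrupted or failed setup leaves a half-modified upper layer that the next run remounts and continues on; the ndk-patches `patch` loop further down then hits already-patched files. The removed `-tmp` directory plus final `mv` gave this function crash safety, and that property is lost here. Clearing the upper/work layers whenever the marker is absent restores it; the lines below go before the three `mkdir -p` lines. I'm assuming `fusermount -u` is available wherever fuse-overlayfs is, which setup-ubuntu.sh in this commit installs.
```bash
# A half-finished setup leaves a dirty upper layer behind.  The marker is written
# through the overlay and therefore lives in the upper layer, so its absence means
# the previous run did not finish: drop the layer and start over, as the old -tmp
# directory handling did.
if [ ! -f "${TERMUX_STANDALONE_TOOLCHAIN}-upper/.termux-standalone-toolchain" ]; then
	if mountpoint -q "${TERMUX_STANDALONE_TOOLCHAIN}"; then
		fusermount -u "${TERMUX_STANDALONE_TOOLCHAIN}"
	fi
	rm -rf "${TERMUX_STANDALONE_TOOLCHAIN}-upper" "${TERMUX_STANDALONE_TOOLCHAIN}-work"
fi
# … unchanged: mkdir -p of the toolchain, -upper and -work dirs, fuse-overlayfs mount, marker check …
```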
@@ -143,55 +151,52 @@ termux_setup_toolchain_29() { elif [ "$TERMUX_ARCH" = "i686" ]; then _NDK_ARCHNAME=x86 fi - cp $NDK/toolchains/llvm/prebuilt/linux-x86_64 $_TERMUX_TOOLCHAIN_TMPDIR -r - cp $NDK/source.properties $_TERMUX_TOOLCHAIN_TMPDIR - # Remove android-support header wrapping not needed on android-21: - rm -Rf $_TERMUX_TOOLCHAIN_TMPDIR/sysroot/usr/local + rm -Rf $TERMUX_STANDALONE_TOOLCHAIN/sysroot/usr/local for HOST_PLAT in aarch64-linux-android armv7a-linux-androideabi i686-linux-android x86_64-linux-android; do - cp $_TERMUX_TOOLCHAIN_TMPDIR/bin/$HOST_PLAT$TERMUX_PKG_API_LEVEL-clang \ - $_TERMUX_TOOLCHAIN_TMPDIR/bin/$HOST_PLAT-clang - cp $_TERMUX_TOOLCHAIN_TMPDIR/bin/$HOST_PLAT$TERMUX_PKG_API_LEVEL-clang++ \ - $_TERMUX_TOOLCHAIN_TMPDIR/bin/$HOST_PLAT-clang++ + cp $TERMUX_STANDALONE_TOOLCHAIN/bin/$HOST_PLAT$TERMUX_PKG_API_LEVEL-clang \ + $TERMUX_STANDALONE_TOOLCHAIN/bin/$HOST_PLAT-clang + cp $TERMUX_STANDALONE_TOOLCHAIN/bin/$HOST_PLAT$TERMUX_PKG_API_LEVEL-clang++ \ + $TERMUX_STANDALONE_TOOLCHAIN/bin/$HOST_PLAT-clang++ - cp $_TERMUX_TOOLCHAIN_TMPDIR/bin/$HOST_PLAT$TERMUX_PKG_API_LEVEL-clang \ - $_TERMUX_TOOLCHAIN_TMPDIR/bin/$HOST_PLAT-cpp + cp $TERMUX_STANDALONE_TOOLCHAIN/bin/$HOST_PLAT$TERMUX_PKG_API_LEVEL-clang \ + $TERMUX_STANDALONE_TOOLCHAIN/bin/$HOST_PLAT-cpp sed -i 's|"$bin_dir/clang"|& -E|' \ - $_TERMUX_TOOLCHAIN_TMPDIR/bin/$HOST_PLAT-cpp + $TERMUX_STANDALONE_TOOLCHAIN/bin/$HOST_PLAT-cpp - cp $_TERMUX_TOOLCHAIN_TMPDIR/bin/$HOST_PLAT-clang \ - $_TERMUX_TOOLCHAIN_TMPDIR/bin/$HOST_PLAT-gcc - cp $_TERMUX_TOOLCHAIN_TMPDIR/bin/$HOST_PLAT-clang++ \ - $_TERMUX_TOOLCHAIN_TMPDIR/bin/$HOST_PLAT-g++ + cp $TERMUX_STANDALONE_TOOLCHAIN/bin/$HOST_PLAT-clang \ + $TERMUX_STANDALONE_TOOLCHAIN/bin/$HOST_PLAT-gcc + cp $TERMUX_STANDALONE_TOOLCHAIN/bin/$HOST_PLAT-clang++ \ + $TERMUX_STANDALONE_TOOLCHAIN/bin/$HOST_PLAT-g++ done - cp $_TERMUX_TOOLCHAIN_TMPDIR/bin/armv7a-linux-androideabi$TERMUX_PKG_API_LEVEL-clang \ - 
$_TERMUX_TOOLCHAIN_TMPDIR/bin/arm-linux-androideabi-clang - cp $_TERMUX_TOOLCHAIN_TMPDIR/bin/armv7a-linux-androideabi$TERMUX_PKG_API_LEVEL-clang++ \ - $_TERMUX_TOOLCHAIN_TMPDIR/bin/arm-linux-androideabi-clang++ - cp $_TERMUX_TOOLCHAIN_TMPDIR/bin/armv7a-linux-androideabi-cpp \ - $_TERMUX_TOOLCHAIN_TMPDIR/bin/arm-linux-androideabi-cpp + cp $TERMUX_STANDALONE_TOOLCHAIN/bin/armv7a-linux-androideabi$TERMUX_PKG_API_LEVEL-clang \ + $TERMUX_STANDALONE_TOOLCHAIN/bin/arm-linux-androideabi-clang + cp $TERMUX_STANDALONE_TOOLCHAIN/bin/armv7a-linux-androideabi$TERMUX_PKG_API_LEVEL-clang++ \ + $TERMUX_STANDALONE_TOOLCHAIN/bin/arm-linux-androideabi-clang++ + cp $TERMUX_STANDALONE_TOOLCHAIN/bin/armv7a-linux-androideabi-cpp \ + $TERMUX_STANDALONE_TOOLCHAIN/bin/arm-linux-androideabi-cpp # rust 1.75.0+ expects this directory to be present - rm -fr "${_TERMUX_TOOLCHAIN_TMPDIR}"/toolchains - mkdir -p "${_TERMUX_TOOLCHAIN_TMPDIR}"/toolchains/llvm/prebuilt - ln -fs ../../.. "${_TERMUX_TOOLCHAIN_TMPDIR}"/toolchains/llvm/prebuilt/linux-x86_64 + rm -fr "${TERMUX_STANDALONE_TOOLCHAIN}"/toolchains + mkdir -p "${TERMUX_STANDALONE_TOOLCHAIN}"/toolchains/llvm/prebuilt + ln -fs ../../.. "${TERMUX_STANDALONE_TOOLCHAIN}"/toolchains/llvm/prebuilt/linux-x86_64 # Create a pkg-config wrapper. We use path to host pkg-config to # avoid picking up a cross-compiled pkg-config later on. 
local _HOST_PKGCONFIG _HOST_PKGCONFIG=$(command -v pkg-config) mkdir -p "$PKG_CONFIG_LIBDIR" - cat > $_TERMUX_TOOLCHAIN_TMPDIR/bin/pkg-config <<-HERE + cat > $TERMUX_STANDALONE_TOOLCHAIN/bin/pkg-config <<-HERE #!/bin/sh export PKG_CONFIG_DIR= export PKG_CONFIG_LIBDIR=$PKG_CONFIG_LIBDIR exec $_HOST_PKGCONFIG "\$@" HERE - chmod +x "$_TERMUX_TOOLCHAIN_TMPDIR"/bin/pkg-config + chmod +x "$TERMUX_STANDALONE_TOOLCHAIN"/bin/pkg-config - cd $_TERMUX_TOOLCHAIN_TMPDIR/sysroot + cd $TERMUX_STANDALONE_TOOLCHAIN/sysroot for f in $TERMUX_SCRIPTDIR/ndk-patches/$TERMUX_NDK_VERSION/*.patch; do echo "Applying ndk-patch: $(basename $f)" sed "s%\@TERMUX_PREFIX\@%${TERMUX_PREFIX}%g" "$f" | \ @@ -226,6 +231,7 @@ termux_setup_toolchain_29() { echo 'INPUT(-lunwind)' > $dir/libgcc.a done - grep -lrw $_TERMUX_TOOLCHAIN_TMPDIR/sysroot/usr/include/c++/v1 -e 'include ' | xargs -n 1 sed -i 's/include /include \"version\"/g' - mv $_TERMUX_TOOLCHAIN_TMPDIR $TERMUX_STANDALONE_TOOLCHAIN + grep -lrw $TERMUX_STANDALONE_TOOLCHAIN/sysroot/usr/include/c++/v1 -e 'include ' | xargs -n 1 sed -i 's/include /include \"version\"/g' + + touch ${TERMUX_STANDALONE_TOOLCHAIN}/.termux-standalone-toolchain } diff --git a/scripts/free-space.sh b/scripts/free-space.sh index 78a883f6a7a..80208d07cac 100755 --- a/scripts/free-space.sh +++ b/scripts/free-space.sh @@ -1,6 +1,6 @@ #!/bin/sh -# This script clears about ~22G of space. +# This script clears about ~36G of space. # Test: # echo "Listing 100 largest packages after" 
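Review bot: The rewritten `cp`/`rm`/`cd` lines expand `$TERMUX_STANDALONE_TOOLCHAIN` unquoted (`rm -Rf $TERMUX_STANDALONE_TOOLCHAIN/sysroot/usr/local`, `cd $TERMUX_STANDALONE_TOOLCHAIN/sysroot`, the `cp` pairs in the HOST_PLAT loop), whereas the lines this commit adds a few lines earlier in the same function quote it consistently; since the rename touched every one of these lines anyway, it was the moment to quote them, e.g. `rm -Rf "$TERMUX_STANDALONE_TOOLCHAIN/sysroot/usr/local"` and `cd "$TERMUX_STANDALONE_TOOLCHAIN/sysroot"`. The same applies to `touch ${TERMUX_STANDALONE_TOOLCHAIN}/.termux-standalone-toolchain` in the following hunk. A comment at the top of this section noting that these edits now land in the overlay's upper layer rather than in a scratch copy, and are therefore replayed on the same files if setup is re-run, would help the next person touching it.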
@@ -12,11 +12,11 @@ if [ "${CI-false}" != "true" ]; then exit 1 else # shellcheck disable=SC2046 - sudo apt purge -yq $( + sudo apt purge -yq --allow-remove-essential $( dpkg -l | grep '^ii' | awk '{ print $2 }' | - grep -P '(mecab|linux-azure-tools-|aspnetcore|liblldb-|netstandard-|clang-tidy|clang-format|gfortran-|mysql-|google-cloud-cli|postgresql-|cabal-|dotnet-|ghc-|mongodb-|libmono|llvm-16|llvm-17)' + grep -P '(mecab|linux-azure-tools-|aspnetcore|liblldb-|netstandard-|llvm|clang|gcc-12|gcc-13|cpp-|g\+\+-|temurin-|gfortran-|mysql-|google-cloud-cli|postgresql-|cabal-|dotnet-|ghc-|mongodb-|libmono|temurin-|mesa-|ant|liblua|python3|grub2-|grub-|shim-signed)' ) sudo apt purge -yq \ 
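Review bot: The extended `grep -P` pattern is a list of unanchored substrings and is now combined with `--allow-remove-essential`, so short alternatives such as `ant`, `llvm`, `clang` and `python3` purge any package whose name merely contains them (and, through dependencies, whatever needs them); `temurin-` is also listed twice. This only runs when `CI` is true, so the blast radius is a disposable runner, but a newer runner image can still make the purge take out something the remaining steps rely on. Anchor the short names, e.g. `^ant(-|$)` and `^(python3|llvm|clang)`, and drop the duplicate `temurin-`.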
@@ -33,24 +33,25 @@ else azure-cli \ powershell \ shellcheck \ - firefox \ - google-chrome-stable \ - microsoft-edge-stable + firefox + # google-chrome-stable + # microsoft-edge-stable already removed by the deps in the above apt purge # Directories - sudo rm -fr /opt/ghc /opt/hostedtoolcache /usr/share/dotnet /usr/share/swift - sudo rm -rf /usr/local + sudo rm -rf /opt/ghc /opt/az /opt/hostedtoolcache /opt/actionarchivecache /opt/runner-cache + sudo rm -rf /opt/pipx /usr/share/dotnet /usr/share/swift /usr/share/miniconda /usr/share/az_* /usr/share/gradle-* /usr/share/java /home/runner/.rustup + sudo rm -rf /etc/skel /home/packer /home/linuxbrew + sudo rm -rf /usr/local /usr/src/ # https://github.com/actions/runner-images/issues/709#issuecomment-612569242 sudo rm -rf "$AGENT_TOOLSDIRECTORY" - # We shouldn't remove docker & it's images when running from `package_updates` workflow. - if [ "${CLEAN_DOCKER_IMAGES-true}" = "true" ]; then - sudo docker image prune --all --force - sudo docker builder prune -a - sudo apt purge -yq containerd.io - fi + # Clean compressed docker images + # Docker has already deflated them before free-space.sh was called in CI, so + # the compressed parts are just collecting junk on the disk + sudo rm -rf /var/lib/containerd/io.containerd.content.v1.content/ sudo apt autoremove -yq sudo apt clean + sudo rm -rf /var/lib/apt /var/lib/dpkg fi diff --git a/scripts/profile-relaxed.apparmor b/scripts/profile-relaxed.apparmor new file mode 100644 index 00000000000..94fb48c21b9 --- /dev/null +++ b/scripts/profile-relaxed.apparmor 
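Review bot: `sudo rm -rf /var/lib/apt /var/lib/dpkg` deletes the package database, so after this script any further `apt`/`dpkg` invocation in the job (including this file's own `sudo apt` calls if it is ever run twice) fails in confusing ways, and that consequence is not documented next to the line. Suggest a comment above it: `# Deletes the apt/dpkg state: nothing can be installed or removed after this point, so keep it last.` The `/var/lib/containerd/io.containerd.content.v1.content/` removal relies on the builder image having already been loaded, which the package_updates workflow in this commit arranges with a separate step before free-space.sh; stating that ordering requirement in the existing comment would make the coupling visible.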
@@ -0,0 +1,48 @@ +#include + + +profile _custom-termux-package-builder-{{CONTAINER_NAME}} flags=(attach_disconnected,mediate_deleted) { + + #include + + network, + capability, + file, + umount, + # Host (privileged) processes may send signals to container processes. + signal (receive) peer=unconfined, + # runc may send signals to container processes. + signal (receive) peer=runc, + # crun may send signals to container processes. + signal (receive) peer=crun, + # Manager may send signals to container processes. + signal (receive) peer=unconfined, + # Container processes may send signals amongst themselves. + signal (send,receive) peer=_custom-termux-package-builder-{{CONTAINER_NAME}}, + + deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir) + # deny write to files not in /proc//** or /proc/sys/** + deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w, + deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel) + deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/ + deny @{PROC}/sysrq-trigger rwklx, + deny @{PROC}/mem rwklx, + deny @{PROC}/kmem rwklx, + deny @{PROC}/kcore rwklx, + + deny /sys/[^f]*/** wklx, + deny /sys/f[^s]*/** wklx, + deny /sys/fs/[^c]*/** wklx, + deny /sys/fs/c[^g]*/** wklx, + deny /sys/fs/cg[^r]*/** wklx, + deny /sys/firmware/** rwklx, + deny /sys/devices/virtual/powercap/** rwklx, + deny /sys/kernel/security/** rwklx, + + # allow processes within the container to trace each other, + # provided all other LSM and yama setting allow it. + ptrace (trace,tracedby,read,readby) peer=_custom-termux-package-builder-{{CONTAINER_NAME}}, + + # Allow all mount operations + mount, +} diff --git a/scripts/profile-restricted.apparmor b/scripts/profile-restricted.apparmor new file mode 100644 index 00000000000..430aeecd0e9 --- /dev/null +++ b/scripts/profile-restricted.apparmor 
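Review bot: The rule `signal (receive) peer=unconfined,` is present twice in this profile (under the "Host (privileged)" and "Manager" comments), and both `#include` directives appear here without an argument; if the checked-in file really has bare `#include` lines rather than `<tunables/global>`/`<abstractions/base>`, `@{PROC}` is undefined and apparmor_parser rejects the profile, though this may just be the rendering dropping the angle brackets. The comment `deny write to files not in /proc//**` looks truncated the same way. All three observations apply equally to profile-restricted.apparmor in the next file. A one-line header comment stating that this profile is meant to be active only while the container is created and its uid/gid fixed up (it grants unrestricted `capability,` and `mount,`) would help anyone who finds the file on its own.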
@@ -0,0 +1,63 @@ +#include + + +profile _custom-termux-package-builder-{{CONTAINER_NAME}} flags=(attach_disconnected,mediate_deleted) { + + #include + + network, + capability, + file, + umount, + # Host (privileged) processes may send signals to container processes. + signal (receive) peer=unconfined, + # runc may send signals to container processes. + signal (receive) peer=runc, + # crun may send signals to container processes. + signal (receive) peer=crun, + # Manager may send signals to container processes. + signal (receive) peer=unconfined, + # Container processes may send signals amongst themselves. + signal (send,receive) peer=_custom-termux-package-builder-{{CONTAINER_NAME}}, + + deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir) + # deny write to files not in /proc//** or /proc/sys/** + deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w, + deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel) + deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/ + deny @{PROC}/sysrq-trigger rwklx, + deny @{PROC}/mem rwklx, + deny @{PROC}/kmem rwklx, + deny @{PROC}/kcore rwklx, + + deny /sys/[^f]*/** wklx, + deny /sys/f[^s]*/** wklx, + deny /sys/fs/[^c]*/** wklx, + deny /sys/fs/c[^g]*/** wklx, + deny /sys/fs/cg[^r]*/** wklx, + deny /sys/firmware/** rwklx, + deny /sys/devices/virtual/powercap/** rwklx, + deny /sys/kernel/security/** rwklx, + + # allow processes within the container to trace each other, + # provided all other LSM and yama setting allow it. + ptrace (trace,tracedby,read,readby) peer=_custom-termux-package-builder-{{CONTAINER_NAME}}, + + # Allow mounting fuse overlayfs filesystems in ~/.termux-build/ + # This is used for mounting overlayfs of our build toolchain. 
This is + # more efficient than copying over the entire NDK as this takes up + # just under 50MB storage than 2.4GB + mount fstype=fuse.fuse-overlayfs -> /home/builder/.termux-build/**, + + # Deal with privilege escalation + deny capability setuid, + deny capability setgid, + + # Do not allow the container to modify trusted scripts + deny /home/builder/termux-packages/[^o]** wlk, + # Explicitly allow storing built debs + allow /home/builder/termux-packages/output/** rw, + + # Do not allow the container to modify the build toolchain + deny /home/builder/lib/** wlk, +} diff --git a/scripts/profile.json b/scripts/profile.json index 9969af8269d..d71a9e122de 100644 --- a/scripts/profile.json +++ b/scripts/profile.json @@ -1,5 +1,5 @@ { - "description": "This is a custom seccomp profile which allows the personality system call, based on https://github.com/moby/moby/blob/e258d66f176a4447931edfd9398c55b3e8ee4a07/profiles/seccomp/default.json.", + "description": "This is a custom seccomp profile which allows the personality, mount and umount2 system calls, based on https://github.com/moby/moby/blob/e258d66f176a4447931edfd9398c55b3e8ee4a07/profiles/seccomp/default.json.", "defaultAction": "SCMP_ACT_ERRNO", "defaultErrnoRet": 1, "archMap": [ @@ -579,30 +579,8 @@ }, { "names": [ - "bpf", - "clone", - "clone3", - "fanotify_init", - "fsconfig", - "fsmount", - "fsopen", - "fspick", - "lookup_dcookie", "mount", - "mount_setattr", - "move_mount", - "name_to_handle_at", - "open_tree", - "perf_event_open", - "quotactl", - "quotactl_fd", - "setdomainname", - "sethostname", - "setns", - "syslog", - "umount", - "umount2", - "unshare" + "umount2" ], "action": "SCMP_ACT_ALLOW", "includes": { @@ -624,9 +602,6 @@ } ], "excludes": { - "caps": [ - "CAP_SYS_ADMIN" - ], "arches": [ "s390", "s390x" @@ -653,9 +628,6 @@ ] }, "excludes": { - "caps": [ - "CAP_SYS_ADMIN" - ] } }, { @@ -665,9 +637,6 @@ "action": "SCMP_ACT_ERRNO", "errnoRet": 38, "excludes": { - "caps": [ - "CAP_SYS_ADMIN" - ] } }, { 
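Review bot: `deny /home/builder/termux-packages/[^o]** wlk,` blocks writes to everything in the checkout except `output/`, which collides with another part of this commit: termux_setup_build_python.sh writes its host Python to `${TERMUX_SCRIPTDIR}/build-tools/python-<ver>` when `TERMUX_PACKAGES_OFFLINE` is true, and `.git/` is written by any git command run in the container, so both paths are denied under this profile (AppArmor deny rules take precedence over allow rules, so adding an `allow` for them would not help without also narrowing the deny glob). Whether offline builds or git commits run inside the container I can't tell from the diff; if they do, the deny glob needs to exclude `build-tools/` (and `.git/`) the way it excludes `output/`. Separately, `umount,` stays unrestricted while `mount` is limited to fuse-overlayfs under `~/.termux-build/`; a `umount` rule with the same path restriction would match the stated intent.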
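Review bot: The updated description only says the profile "allows the personality, mount and umount2 system calls", but the three later hunks also remove `bpf`, `clone`, `clone3`, `setns`, `unshare`, `perf_event_open`, `syslog` and the rest of the former CAP_SYS_ADMIN-gated list from the allow rule and drop the `"caps": ["CAP_SYS_ADMIN"]` excludes, so those calls stay at the ERRNO default even though run-docker.sh now starts the container with `--cap-add CAP_SYS_ADMIN`. That is the security-relevant property of this change and belongs in the description, e.g. extend it with `… and, unlike upstream, keeps the other CAP_SYS_ADMIN-gated syscalls (bpf, clone/clone3 with namespace flags, setns, unshare, …) denied even when the capability is granted.` The `includes` block of the mount/umount2 rule is outside the hunk, so I'm assuming it still gates on CAP_SYS_ADMIN.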
diff --git a/scripts/run-docker.sh b/scripts/run-docker.sh
index c706b9cdda2..cc886767fe8 100755
--- a/scripts/run-docker.sh
+++ b/scripts/run-docker.sh
@@ -1,20 +1,78 @@ -#!/bin/sh +#!/bin/bash set -e -u TERMUX_SCRIPTDIR=$(cd "$(realpath "$(dirname "$0")")"; cd ..; pwd) +: ${TERMUX_BUILDER_IMAGE_NAME:=ghcr.io/termux/package-builder} +: ${CONTAINER_NAME:=termux-package-builder} BUILDSCRIPT_NAME="build-package.sh" -if [ "${1:-}" = "-p" ] || [ "${1:-}" = "--pre-check-if-will-build-packages" ]; then - shift 1 - TERMUX_DOCKER__CONTAINER_EXEC_COMMAND__PRE_CHECK_IF_WILL_BUILD_PACKAGES="true" -fi +: ${TERMUX_BUILDER_IMAGE_NAME:=ghcr.io/termux/package-builder} +: ${CONTAINER_NAME:=termux-package-builder} +: ${TERMUX_DOCKER_RUN_EXTRA_ARGS:=} +: ${TERMUX_DOCKER_EXEC_EXTRA_ARGS:=} +CONTAINER_HOME_DIR=/home/builder + +_show_usage() { + echo "Usage: $0 [OPTIONS] [COMMAND]" + echo "" + echo "Run a command in the Termux package builder container. If no command is given, an interactive shell will be started." + echo "" + echo "Options:" + echo " -h, --help Show this help message and exit" + echo " -d, --dry-run Run 'build-package-dry-run-simulation.sh' before" + echo " building any package. This is useful for CI to" + echo " skip unnecessary docker runs." + echo " -m, --mount-termux-dirs Mount /data and ~/.termux-build into the container." + echo " This is useful for building locally for development" + echo " with host IDE and editors." 
+ echo "Supported environment variables:" + echo " TERMUX_BUILDER_IMAGE_NAME The name of the Docker image to use" + echo " CONTAINER_NAME The name of the Docker container to create/use" + echo " TERMUX_DOCKER_RUN_EXTRA_ARGS Extra arguments to pass to 'docker run' while" + echo " creating the container" + echo " TERMUX_DOCKER_EXEC_EXTRA_ARGS Extra arguments to pass to 'docker exec' while" + echo " running the command in the container" + echo " TERMUX_DOCKER_USE_SUDO If set to any non-empty value, 'sudo' will be" + echo " used to run 'docker' commands" + echo "" + echo "" + echo "Kindly note that:" + echo "- TERMUX_DOCKER_RUN_EXTRA_ARGS is only considered when creating the container," + echo " and will not be applied when running the command in the container if the" + echo " container already exists." + echo "- To apply new TERMUX_DOCKER_RUN_EXTRA_ARGS, the existing container needs to be" + echo " removed first." + echo "- The above rules also apply to -m/--mount-termux-dirs option as it adds the" + echo " mount arguments to TERMUX_DOCKER_RUN_EXTRA_ARGS." + echo "- The dry-run option will only work if the first argument passed to this script" + echo " which runs docker contains '$BUILDSCRIPT_NAME', and it will run" + echo " 'build-package-dry-run-simulation.sh' with arguments passed to this script." 
+ exit 0 +} + +dry_run="false" + +while (( $# != 0 )); do + case "$1" in + -h|--help) shift 1; _show_usage;; + -d|--dry-run) + dry_run="true" + shift 1;; + -m|--mount-termux-dirs) + TERMUX_DOCKER_RUN_EXTRA_ARGS="--volume /data:/data --volume $HOME/.termux-build:$CONTAINER_HOME_DIR/.termux-build $TERMUX_DOCKER_RUN_EXTRA_ARGS" + shift 1;; + --) shift 1; break;; + -*) echo "Error: Unknown option '$1'" 1>&2; shift 1; exit 1;; + *) break;; + esac +done # If 'build-package-dry-run-simulation.sh' does not return 85 (EX_C__NOOP), or if # $1 (the first argument passed to this script which runs docker) does not contain # $BUILDSCRIPT_NAME, this condition will evaluate false and this script which # runs docker will continue. -if [ "${TERMUX_DOCKER__CONTAINER_EXEC_COMMAND__PRE_CHECK_IF_WILL_BUILD_PACKAGES:-}" = "true" ]; then +if [ "${dry_run}" = "true" ]; then case "${1:-}" in *"/$BUILDSCRIPT_NAME") RETURN_VALUE=0 @@ -31,7 +89,6 @@ if [ "${TERMUX_DOCKER__CONTAINER_EXEC_COMMAND__PRE_CHECK_IF_WILL_BUILD_PACKAGES: esac fi -CONTAINER_HOME_DIR=/home/builder UNAME=$(uname) if [ "$UNAME" = Darwin ]; then # Workaround for mac readlink not supporting -f. @@ -39,7 +96,7 @@ if [ "$UNAME" = Darwin ]; then SEC_OPT="" else REPOROOT="$(dirname $(readlink -f $0))/../" - SEC_OPT=" --security-opt seccomp=$REPOROOT/scripts/profile.json" + SEC_OPT=" --security-opt seccomp=$REPOROOT/scripts/profile.json --security-opt apparmor=_custom-termux-package-builder-$CONTAINER_NAME --cap-add CAP_SYS_ADMIN --device /dev/fuse" fi if [ "${CI:-}" = "true" ]; then @@ -57,9 +114,6 @@ else VOLUME=$REPOROOT:$CONTAINER_HOME_DIR/termux-packages fi -: ${TERMUX_BUILDER_IMAGE_NAME:=ghcr.io/termux/package-builder} -: ${CONTAINER_NAME:=termux-package-builder} - USER=builder if [ -n "${TERMUX_DOCKER_USE_SUDO-}" ]; then 
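Review bot: The default lines `: ${TERMUX_BUILDER_IMAGE_NAME:=ghcr.io/termux/package-builder}` and `: ${CONTAINER_NAME:=termux-package-builder}` are added twice in this hunk, once right after `TERMUX_SCRIPTDIR=` and again after `BUILDSCRIPT_NAME=`; one pair should go (the original pair further down is removed in the `@@ -57` hunk, so a single copy suffices). In the option loop `-*) … shift 1; exit 1;;` has a dead `shift`, and the `-m` branch builds `--volume $HOME/.termux-build:…` unquoted, so a home directory containing spaces breaks the later word-split `docker run … $TERMUX_DOCKER_RUN_EXTRA_ARGS`. Since `CONTAINER_NAME` now comes from the environment and is interpolated into the AppArmor profile name and a sed expression later in the file, a comment on its default stating the allowed character set would help.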
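Review bot: `SEC_OPT` now unconditionally adds `--cap-add CAP_SYS_ADMIN --device /dev/fuse` alongside `--security-opt apparmor=_custom-termux-package-builder-$CONTAINER_NAME`, but the profile load in the next hunk is best-effort: when `apparmor_parser` is missing or AppArmor is disabled the script only prints a warning and continues, so the container ends up with CAP_SYS_ADMIN plus the now-permitted mount/umount2 syscalls and no MAC confinement. Since the AppArmor profile is the control that makes handing out CAP_SYS_ADMIN acceptable, the degraded case should be an explicit opt-in rather than a warning: in that warning branch either `exit 1`, or strip `--cap-add CAP_SYS_ADMIN --device /dev/fuse` from `SEC_OPT` (the branch runs after this line, so the strip can be done there). I can't tell from the diff whether Docker refuses an `apparmor=` profile that is not loaded on a host where AppArmor is enabled; even if it does, that covers only the enabled-but-unloaded case and still starts the container on a host where AppArmor is disabled.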
@@ -77,6 +131,32 @@ else DOCKER_TTY="" fi +APPARMOR_PARSER="" +if command -v apparmor_parser > /dev/null; then + APPARMOR_PARSER="apparmor_parser" +fi + +if [ -z "$APPARMOR_PARSER" ] || ! $SUDO aa-status --enabled; then + echo "WARNING: apparmor_parser not found, AppArmor profiles will not be loaded!" + echo " This is not recommended, as it may cause security issues and unexpected behavior" + echo " Avoid executing untrusted code in the container" + APPARMOR_PARSER="" +fi + +load_apparmor_profile() { + local profile_path="$1" + local msg="${2:-}" + if [ -n "$APPARMOR_PARSER" ]; then + if [ -n "$msg" ]; then + echo "$msg..." + fi + cat "$profile_path" | sed -e "s/{{CONTAINER_NAME}}/$CONTAINER_NAME/g" | sudo "$APPARMOR_PARSER" -rK + fi +} + +# Load the relaxed AppArmor profile first as we might need to change permissions +load_apparmor_profile ./scripts/profile-relaxed.apparmor + $SUDO docker start $CONTAINER_NAME >/dev/null 2>&1 || { echo "Creating new container..." $SUDO docker run \ 
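Review bot: `load_apparmor_profile ./scripts/profile-relaxed.apparmor` (and the restricted load in the next hunk) resolve the profile relative to the caller's working directory, while everything else in the script is located via `$TERMUX_SCRIPTDIR`; this commit itself invokes run-docker.sh by absolute path from termux_pkg_upgrade_version.sh, and when the cwd is not the repo root `cat` fails, the pipeline's status is whatever `apparmor_parser` returns on empty input (no `pipefail` is set), and the container is started under a profile name that was never loaded. Use `load_apparmor_profile "$TERMUX_SCRIPTDIR/scripts/profile-relaxed.apparmor"` (likewise for the restricted one) and add `[ -f "$profile_path" ] || { echo "Error: AppArmor profile '$profile_path' not found" 1>&2; exit 1; }` at the top of the function so a missing file is a hard error. The sed expression also breaks on a `CONTAINER_NAME` containing `/` or `&`, the same value that becomes the profile name, so validating it once near the defaults (e.g. `[[ $CONTAINER_NAME =~ ^[A-Za-z0-9_.-]+$ ]]`) closes both. The `$SUDO aa-status --enabled` test prints a `command not found` error when aa-status is absent; `command -v aa-status >/dev/null &&` in front of it keeps the warning path clean.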
@@ -86,23 +166,26 @@ $SUDO docker start $CONTAINER_NAME >/dev/null 2>&1 || { --volume $VOLUME \ $SEC_OPT \ --tty \ + $TERMUX_DOCKER_RUN_EXTRA_ARGS \ $TERMUX_BUILDER_IMAGE_NAME if [ "$UNAME" != Darwin ]; then if [ $(id -u) -ne 1001 -a $(id -u) -ne 0 ]; then echo "Changed builder uid/gid... (this may take a while)" - $SUDO docker exec $DOCKER_TTY $CONTAINER_NAME sudo chown -R $(id -u) $CONTAINER_HOME_DIR - $SUDO docker exec $DOCKER_TTY $CONTAINER_NAME sudo chown -R $(id -u) /data - $SUDO docker exec $DOCKER_TTY $CONTAINER_NAME sudo usermod -u $(id -u) builder - $SUDO docker exec $DOCKER_TTY $CONTAINER_NAME sudo groupmod -g $(id -g) builder + $SUDO docker exec $DOCKER_TTY $TERMUX_DOCKER_EXEC_EXTRA_ARGS $CONTAINER_NAME sudo chown -R $(id -u):$(id -g) $CONTAINER_HOME_DIR + $SUDO docker exec $DOCKER_TTY $TERMUX_DOCKER_EXEC_EXTRA_ARGS $CONTAINER_NAME sudo chown -R $(id -u):$(id -g) /data + $SUDO docker exec $DOCKER_TTY $TERMUX_DOCKER_EXEC_EXTRA_ARGS $CONTAINER_NAME sudo usermod -u $(id -u) builder + $SUDO docker exec $DOCKER_TTY $TERMUX_DOCKER_EXEC_EXTRA_ARGS $CONTAINER_NAME sudo groupmod -g $(id -g) builder fi fi } -# Set traps to ensure that the process started with docker exec and all its children are killed. +load_apparmor_profile ./scripts/profile-restricted.apparmor "Loading restricted AppArmor profile" + +# Set traps to ensure that the process started with docker exec and all its children are killed. . "$TERMUX_SCRIPTDIR/scripts/utils/docker/docker.sh"; docker__setup_docker_exec_traps if [ "$#" -eq "0" ]; then set -- bash fi -$SUDO docker exec $CI_OPT --env "DOCKER_EXEC_PID_FILE_PATH=$DOCKER_EXEC_PID_FILE_PATH" --interactive $DOCKER_TTY $CONTAINER_NAME "$@" +$SUDO docker exec $CI_OPT --env "DOCKER_EXEC_PID_FILE_PATH=$DOCKER_EXEC_PID_FILE_PATH" --interactive $DOCKER_TTY $TERMUX_DOCKER_EXEC_EXTRA_ARGS $CONTAINER_NAME "$@" diff --git a/scripts/setup-ubuntu.sh b/scripts/setup-ubuntu.sh index 75dfbeecadd..024a3930e99 100755 --- a/scripts/setup-ubuntu.sh 
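Review bot: The restricted profile is only loaded after `docker start`/`docker run` have succeeded, so every invocation runs the container under the relaxed profile (unrestricted `capability,` and `mount,`) during the creation window, and if the script aborts in between — `set -e` on a failed `docker run` or on one of the `docker exec … sudo chown` calls — the relaxed profile stays loaded in the kernel and governs the container until some later run reaches `load_apparmor_profile ./scripts/profile-restricted.apparmor`. The window is needed for the uid/gid fix-up, but the failure case is not; loading the restricted profile from an EXIT trap, or unconditionally right after the `docker start … || { … }` block, would bound it. `docker__setup_docker_exec_traps` from docker.sh is sourced just below and may install its own traps, so an added trap must chain rather than replace — that script is not visible here. Either way the intent deserves a comment next to the two load calls, e.g. `# Relaxed profile only while the container is created and its uid/gid fixed up; restricted for everything the user runs.`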
+++ b/scripts/setup-ubuntu.sh @@ -25,6 +25,10 @@ PACKAGES+=" lzop" PACKAGES+=" lz4" PACKAGES+=" zstd" +# userspace overlayfs implementation for rootless containers +# Used to setup NDK toolchain without having to copy the whole toolchain to save some disk space +PACKAGES+=" fuse-overlayfs" + # Used by common build systems. PACKAGES+=" autoconf" PACKAGES+=" autogen" @@ -344,6 +348,7 @@ LLVM_PACKAGES="" LLVM_PACKAGES+=" llvm-${TERMUX_HOST_LLVM_MAJOR_VERSION}-dev" LLVM_PACKAGES+=" llvm-${TERMUX_HOST_LLVM_MAJOR_VERSION}-tools" LLVM_PACKAGES+=" clang-${TERMUX_HOST_LLVM_MAJOR_VERSION}" +LLVM_PACKAGES+=" lld-${TERMUX_HOST_LLVM_MAJOR_VERSION}" $SUDO apt-get -yq update diff --git a/scripts/updates/utils/termux_pkg_upgrade_version.sh b/scripts/updates/utils/termux_pkg_upgrade_version.sh index 32f442eca2d..35a25a684d1 100755 --- a/scripts/updates/utils/termux_pkg_upgrade_version.sh +++ b/scripts/updates/utils/termux_pkg_upgrade_version.sh @@ -139,7 +139,7 @@ termux_pkg_upgrade_version() { _termux_should_cleanup "${big_package}" && "${TERMUX_SCRIPTDIR}/scripts/run-docker.sh" ./clean.sh - if ! "${TERMUX_SCRIPTDIR}/scripts/run-docker.sh" ./build-package.sh -C -a "${TERMUX_ARCH}" -i "${TERMUX_PKG_NAME}"; then + if ! "${TERMUX_SCRIPTDIR}/scripts/run-docker.sh" -d ./build-package.sh -C -a "${TERMUX_ARCH}" -i "${TERMUX_PKG_NAME}"; then _termux_should_cleanup "${big_package}" && "${TERMUX_SCRIPTDIR}/scripts/run-docker.sh" ./clean.sh git checkout -- "${TERMUX_SCRIPTDIR}" termux_error_exit "failed to build." diff --git a/x11-packages/gjots2/build.sh b/x11-packages/gjots2/build.sh index da70146956d..6f2e40e876d 100644 --- a/x11-packages/gjots2/build.sh +++ b/x11-packages/gjots2/build.sh 
@@ -3,7 +3,7 @@ TERMUX_PKG_DESCRIPTION="A hierarchical note jotter" TERMUX_PKG_LICENSE="GPL-2.0" TERMUX_PKG_MAINTAINER="@termux" TERMUX_PKG_VERSION=3.2.1 -TERMUX_PKG_REVISION=1 +TERMUX_PKG_REVISION=2 TERMUX_PKG_SRCURL=https://sourceforge.net/projects/gjots2/files/gjots2/${TERMUX_PKG_VERSION}/gjots2-${TERMUX_PKG_VERSION}.tgz TERMUX_PKG_SHA256=815d66f3d344ffb3dca4d8d4a1e69229160cee9c9d940d50d899d2b5ec5d9e11 TERMUX_PKG_DEPENDS="gtksourceview4, pygobject, python" diff --git a/x11-packages/gnumeric/build.sh b/x11-packages/gnumeric/build.sh index 91d9fe4699f..91471b7eb80 100644 --- a/x11-packages/gnumeric/build.sh +++ b/x11-packages/gnumeric/build.sh @@ -3,6 +3,7 @@ TERMUX_PKG_DESCRIPTION="The GNOME spreadsheet" TERMUX_PKG_LICENSE="GPL-2.0, GPL-3.0" TERMUX_PKG_MAINTAINER="@termux" TERMUX_PKG_VERSION="1.12.60" +TERMUX_PKG_REVISION=1 TERMUX_PKG_SRCURL=https://download.gnome.org/sources/gnumeric/${TERMUX_PKG_VERSION%.*}/gnumeric-${TERMUX_PKG_VERSION}.tar.xz TERMUX_PKG_SHA256=bb02feb286062805564438534e1fea459f97cebac8a090b1a7e47ca251e07467 TERMUX_PKG_AUTO_UPDATE=true diff --git a/x11-packages/libncnn/build.sh b/x11-packages/libncnn/build.sh index b1560be257c..693ce88d9d1 100644 --- a/x11-packages/libncnn/build.sh +++ b/x11-packages/libncnn/build.sh @@ -3,7 +3,7 @@ TERMUX_PKG_DESCRIPTION="A high-performance neural network inference framework op TERMUX_PKG_LICENSE="BSD 3-Clause" TERMUX_PKG_MAINTAINER="@termux" TERMUX_PKG_VERSION="20250503" -TERMUX_PKG_REVISION=4 +TERMUX_PKG_REVISION=5 TERMUX_PKG_SRCURL=https://github.com/Tencent/ncnn/releases/download/${TERMUX_PKG_VERSION}/ncnn-${TERMUX_PKG_VERSION}-full-source.zip TERMUX_PKG_SHA256=b3190d1b6beae3aac30fa99f4d3fd89a2b47a010b888d2d2389189784743a690 TERMUX_PKG_AUTO_UPDATE=false diff --git a/x11-packages/meld/build.sh b/x11-packages/meld/build.sh index e44f18ac087..4adb3e6e51a 100644 --- a/x11-packages/meld/build.sh +++ b/x11-packages/meld/build.sh 
@@ -3,6 +3,7 @@ TERMUX_PKG_DESCRIPTION="A visual diff and merge tool targeted at developers" TERMUX_PKG_LICENSE="GPL-2.0" TERMUX_PKG_MAINTAINER="@termux" TERMUX_PKG_VERSION="3.23.1" +TERMUX_PKG_REVISION=1 TERMUX_PKG_SRCURL=https://download.gnome.org/sources/meld/${TERMUX_PKG_VERSION%.*}/meld-${TERMUX_PKG_VERSION}.tar.xz TERMUX_PKG_SHA256=73f827924663c7c6b451a74c8385304d99feaa13c81f4e0a171da597c6843574 TERMUX_PKG_AUTO_UPDATE=true diff --git a/x11-packages/mlt/build.sh b/x11-packages/mlt/build.sh index 4eec030724b..fd714b4485e 100644 --- a/x11-packages/mlt/build.sh +++ b/x11-packages/mlt/build.sh @@ -3,6 +3,7 @@ TERMUX_PKG_DESCRIPTION="Multimedia Framework. Author, manage, and run multitrack TERMUX_PKG_MAINTAINER="@termux" TERMUX_PKG_LICENSE="LGPL-2.1" TERMUX_PKG_VERSION="7.36.1" +TERMUX_PKG_REVISION=1 TERMUX_PKG_SRCURL=https://github.com/mltframework/mlt/releases/download/v${TERMUX_PKG_VERSION}/mlt-${TERMUX_PKG_VERSION}.tar.gz TERMUX_PKG_SHA256=0d2b956864ba2ff58bb4e2b2779aa36870bd2a3a835e2dbfda33faa5fc6f4d3a TERMUX_PKG_DEPENDS="alsa-lib, ffmpeg, fftw, fontconfig, frei0r-plugins, gdk-pixbuf, glib, jack, movit, libebur128, libepoxy, libexif, libsamplerate, libvidstab, libvorbis, libx11, libxml2, qt6-qt5compat, qt6-qtbase, qt6-qtsvg, opengl, pango, python, rubberband, sdl, sdl2 | sdl2-compat, sox, zlib" @@ -19,6 +20,7 @@ TERMUX_PKG_EXTRA_CONFIGURE_ARGS=" " termux_step_pre_configure() { + termux_setup_python_pip TERMUX_PKG_EXTRA_CONFIGURE_ARGS+=" -DCMAKE_CXX_COMPILER_CLANG_SCAN_DEPS=${TERMUX_STANDALONE_TOOLCHAIN}/bin/clang-scan-deps " diff --git a/x11-packages/opencv/build.sh b/x11-packages/opencv/build.sh index 9bb7506a826..7684a4f715c 100644 --- a/x11-packages/opencv/build.sh +++ b/x11-packages/opencv/build.sh 
@@ -3,6 +3,7 @@ TERMUX_PKG_DESCRIPTION="Open Source Computer Vision Library"
 TERMUX_PKG_LICENSE="Apache-2.0"
 TERMUX_PKG_MAINTAINER="@termux"
 TERMUX_PKG_VERSION="4.13.0"
+TERMUX_PKG_REVISION=1
 TERMUX_PKG_SRCURL=(
 https://github.com/opencv/opencv/archive/refs/tags/${TERMUX_PKG_VERSION}/opencv-${TERMUX_PKG_VERSION}.tar.gz
 https://github.com/opencv/opencv_contrib/archive/refs/tags/${TERMUX_PKG_VERSION}/opencv_contrib-${TERMUX_PKG_VERSION}.tar.gz
diff --git a/x11-packages/orca/build.sh b/x11-packages/orca/build.sh
index 42f7bb2a2b4..aba542a8ba5 100644
--- a/x11-packages/orca/build.sh
+++ b/x11-packages/orca/build.sh
@@ -3,7 +3,7 @@ TERMUX_PKG_DESCRIPTION="A free, open source, flexible, and extensible screen rea
 TERMUX_PKG_LICENSE="LGPL-2.1"
 TERMUX_PKG_MAINTAINER="@termux"
 TERMUX_PKG_VERSION="49.5"
-TERMUX_PKG_REVISION=1
+TERMUX_PKG_REVISION=2
 TERMUX_PKG_SRCURL=https://download.gnome.org/sources/orca/${TERMUX_PKG_VERSION%.*}/orca-${TERMUX_PKG_VERSION}.tar.xz
 TERMUX_PKG_SHA256=53df41558319e97c1e84ad604989957a02b5d0ff531419190f0587ea6b256034
 TERMUX_PKG_AUTO_UPDATE=true
diff --git a/x11-packages/pyatspi/build.sh b/x11-packages/pyatspi/build.sh
index 32aa6d2d52b..103ffb5cd81 100644
--- a/x11-packages/pyatspi/build.sh
+++ b/x11-packages/pyatspi/build.sh
@@ -3,6 +3,7 @@ TERMUX_PKG_DESCRIPTION="A python client library for the AT-SPI D-Bus accessibili
 TERMUX_PKG_LICENSE="LGPL-2.0, GPL-2.0"
 TERMUX_PKG_MAINTAINER="@termux"
 TERMUX_PKG_VERSION="2.58.1"
+TERMUX_PKG_REVISION=1
 TERMUX_PKG_SRCURL=https://download.gnome.org/sources/pyatspi/${TERMUX_PKG_VERSION%.*}/pyatspi-${TERMUX_PKG_VERSION}.tar.xz
 TERMUX_PKG_SHA256=3f1f079935f926584331025c7531858deb42245c993b65121f4f4b01e6b04536
 TERMUX_PKG_AUTO_UPDATE=true
diff --git a/x11-packages/pyqt5/build.sh b/x11-packages/pyqt5/build.sh
index ba943b25c65..3231f8818d0 100644
--- a/x11-packages/pyqt5/build.sh
+++ b/x11-packages/pyqt5/build.sh
@@ -3,7 +3,7 @@ TERMUX_PKG_DESCRIPTION="Comprehensive Python Bindings for Qt v5"
 TERMUX_PKG_LICENSE="GPL-3.0"
 TERMUX_PKG_MAINTAINER="@termux"
 TERMUX_PKG_VERSION="5.15.11"
-TERMUX_PKG_REVISION=3
+TERMUX_PKG_REVISION=4
 TERMUX_PKG_SRCURL=https://files.pythonhosted.org/packages/source/P/PyQt5/PyQt5-${TERMUX_PKG_VERSION}.tar.gz
 TERMUX_PKG_SHA256=fda45743ebb4a27b4b1a51c6d8ef455c4c1b5d610c90d2934c7802b5c1557c52
 TERMUX_PKG_DEPENDS="libc++, python, qt5-qtbase, qt5-qtdeclarative, qt5-qtlocation, qt5-qtmultimedia, qt5-qtsensors, qt5-qtsvg, qt5-qttools, qt5-qtwebchannel, qt5-qtwebsockets, qt5-qtx11extras, qt5-qtxmlpatterns, python-pip"
diff --git a/x11-packages/python-opencv-python/build.sh b/x11-packages/python-opencv-python/build.sh
index 7948fd8fd1a..ddc563bcfeb 100644
--- a/x11-packages/python-opencv-python/build.sh
+++ b/x11-packages/python-opencv-python/build.sh
@@ -3,6 +3,7 @@ TERMUX_PKG_DESCRIPTION="Python wrapper for Python bindings for OpenCV"
 TERMUX_PKG_LICENSE="Apache-2.0"
 TERMUX_PKG_MAINTAINER="@termux"
 TERMUX_PKG_VERSION="92"
+TERMUX_PKG_REVISION=1
 TERMUX_PKG_REPOLOGY_METADATA_VERSION="$(. "$TERMUX_SCRIPTDIR/x11-packages/opencv/build.sh"; echo "$TERMUX_PKG_VERSION").${TERMUX_PKG_VERSION}"
 TERMUX_PKG_SRCURL="https://github.com/opencv/opencv-python/archive/refs/tags/${TERMUX_PKG_VERSION}.tar.gz"
 TERMUX_PKG_SHA256=049293f56726a3ebb01bb7508b973e14e62752a4a0e067ac6af4e371d6aa30d3
diff --git a/x11-packages/python-pyqtwebengine/build.sh b/x11-packages/python-pyqtwebengine/build.sh
index 1c2cebf84aa..0905d0d74ac 100644
--- a/x11-packages/python-pyqtwebengine/build.sh
+++ b/x11-packages/python-pyqtwebengine/build.sh
@@ -3,7 +3,7 @@ TERMUX_PKG_DESCRIPTION="Python Bindings for the Qt WebEngine Framework"
 TERMUX_PKG_LICENSE="GPL-3.0"
 TERMUX_PKG_MAINTAINER="@termux"
 TERMUX_PKG_VERSION="5.15.7"
-TERMUX_PKG_REVISION=1
+TERMUX_PKG_REVISION=2
 TERMUX_PKG_SRCURL=https://files.pythonhosted.org/packages/source/P/PyQtWebEngine/PyQtWebEngine-${TERMUX_PKG_VERSION}.tar.gz
 TERMUX_PKG_SHA256=f121ac6e4a2f96ac289619bcfc37f64e68362f24a346553f5d6c42efa4228a4d
 TERMUX_PKG_DEPENDS="libc++, pyqt5, python, python-pip, qt5-qtbase, qt5-qtwebengine"
diff --git a/x11-packages/python-qscintilla/build.sh b/x11-packages/python-qscintilla/build.sh
index 5fc57f2df1c..88ff953ba1f 100644
--- a/x11-packages/python-qscintilla/build.sh
+++ b/x11-packages/python-qscintilla/build.sh
@@ -4,7 +4,7 @@ TERMUX_PKG_LICENSE="GPL-3.0"
 TERMUX_PKG_MAINTAINER="@termux"
 # Align the version with `qscintilla` package.
 TERMUX_PKG_VERSION=2.14.1
-TERMUX_PKG_REVISION=3
+TERMUX_PKG_REVISION=4
 TERMUX_PKG_SRCURL=https://www.riverbankcomputing.com/static/Downloads/QScintilla/${TERMUX_PKG_VERSION}/QScintilla_src-${TERMUX_PKG_VERSION}.tar.gz
 TERMUX_PKG_SHA256=dfe13c6acc9d85dfcba76ccc8061e71a223957a6c02f3c343b30a9d43a4cdd4d
 TERMUX_PKG_DEPENDS="libc++, pyqt5, python, python-pip, qscintilla (>= ${TERMUX_PKG_VERSION}), qt5-qtbase"