/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to Makefile

  • Committer: Teddy Hogeborn
  • Date: 2018-08-15 09:26:02 UTC
  • mto: (237.7.594 trunk)
  • mto: This revision was merged to the branch mainline in revision 368.
  • Revision ID: teddy@recompile.se-20180815092602-xoyb5s6gf8376i7u
http://bugs.debian.org/894495
mandos-client: Set system clock if necessary

* plugins.d/mandos-client.c (init_gpgme/import_key): If the system
  clock is not set, or set to january 1970, set the system clock to
  the more plausible value that is the mtime of the key file.  This is
  required by GnuPG to be able to import the keys.  (We can't pass the
  --ignore-time-conflict or the --ignore-valid-from options though
  GPGME.)

Show diffs side-by-side

added added

removed removed

Lines of Context:
Makefile
1
 
WARN=-O -Wall -Wformat=2 -Winit-self -Wmissing-include-dirs \
2
 
        -Wswitch-default -Wswitch-enum -Wunused-parameter \
3
 
        -Wstrict-aliasing=1 -Wextra -Wfloat-equal -Wundef -Wshadow \
 
1
WARN:=-O -Wall -Wextra -Wdouble-promotion -Wformat=2 -Winit-self \
 
2
        -Wmissing-include-dirs -Wswitch-default -Wswitch-enum \
 
3
        -Wunused -Wuninitialized -Wstrict-overflow=5 \
 
4
        -Wsuggest-attribute=pure -Wsuggest-attribute=const \
 
5
        -Wsuggest-attribute=noreturn -Wfloat-equal -Wundef -Wshadow \
4
6
        -Wunsafe-loop-optimizations -Wpointer-arith \
5
7
        -Wbad-function-cast -Wcast-qual -Wcast-align -Wwrite-strings \
6
 
        -Wconversion -Wstrict-prototypes -Wold-style-definition \
7
 
        -Wpacked -Wnested-externs -Winline -Wvolatile-register-var
8
 
#       -Wunreachable-code
9
 
#DEBUG=-ggdb3
10
 
# For info about _FORTIFY_SOURCE, see
11
 
# <http://www.kernel.org/doc/man-pages/online/pages/man7/feature_test_macros.7.html>
12
 
# and <http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
13
 
FORTIFY=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
14
 
LINK_FORTIFY_LD=-z relro -z now
15
 
LINK_FORTIFY=
 
8
        -Wconversion -Wlogical-op -Waggregate-return \
 
9
        -Wstrict-prototypes -Wold-style-definition \
 
10
        -Wmissing-format-attribute -Wnormalized=nfc -Wpacked \
 
11
        -Wredundant-decls -Wnested-externs -Winline -Wvla \
 
12
        -Wvolatile-register-var -Woverlength-strings
 
13
#DEBUG:=-ggdb3 -fsanitize=address 
 
14
# For info about _FORTIFY_SOURCE, see feature_test_macros(7)
 
15
# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
 
16
FORTIFY:=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
 
17
# <https://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan/>
 
18
ALL_SANITIZE_OPTIONS:=-fsanitize=leak -fsanitize=undefined \
 
19
        -fsanitize=shift -fsanitize=integer-divide-by-zero \
 
20
        -fsanitize=unreachable -fsanitize=vla-bound -fsanitize=null \
 
21
        -fsanitize=return -fsanitize=signed-integer-overflow \
 
22
        -fsanitize=bounds -fsanitize=alignment \
 
23
        -fsanitize=object-size -fsanitize=float-divide-by-zero \
 
24
        -fsanitize=float-cast-overflow -fsanitize=nonnull-attribute \
 
25
        -fsanitize=returns-nonnull-attribute -fsanitize=bool \
 
26
        -fsanitize=enum
 
27
# Check which sanitizing options can be used
 
28
SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \
 
29
        echo 'int main(){}' | $(CC) --language=c $(option) /dev/stdin \
 
30
        -o /dev/null >/dev/null 2>&1 && echo $(option)))
 
31
LINK_FORTIFY_LD:=-z relro -z now
 
32
LINK_FORTIFY:=
16
33
 
17
34
# If BROKEN_PIE is set, do not build with -pie
18
35
ifndef BROKEN_PIE
20
37
LINK_FORTIFY += -pie
21
38
endif
22
39
#COVERAGE=--coverage
23
 
OPTIMIZE=-Os
24
 
LANGUAGE=-std=gnu99
25
 
htmldir=man
26
 
version=1.6.2
27
 
SED=sed
 
40
OPTIMIZE:=-Os -fno-strict-aliasing
 
41
LANGUAGE:=-std=gnu11
 
42
htmldir:=man
 
43
version:=1.7.19
 
44
SED:=sed
28
45
 
29
 
USER=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))
30
 
GROUP=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nobody || echo 65534)))
 
46
USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))
 
47
GROUP:=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nogroup || echo 65534)))
31
48
 
32
49
## Use these settings for a traditional /usr/local install
33
 
# PREFIX=$(DESTDIR)/usr/local
34
 
# CONFDIR=$(DESTDIR)/etc/mandos
35
 
# KEYDIR=$(DESTDIR)/etc/mandos/keys
36
 
# MANDIR=$(PREFIX)/man
37
 
# INITRAMFSTOOLS=$(DESTDIR)/etc/initramfs-tools
38
 
# STATEDIR=$(DESTDIR)/var/lib/mandos
39
 
# LIBDIR=$(PREFIX)/lib
 
50
# PREFIX:=$(DESTDIR)/usr/local
 
51
# CONFDIR:=$(DESTDIR)/etc/mandos
 
52
# KEYDIR:=$(DESTDIR)/etc/mandos/keys
 
53
# MANDIR:=$(PREFIX)/man
 
54
# INITRAMFSTOOLS:=$(DESTDIR)/etc/initramfs-tools
 
55
# STATEDIR:=$(DESTDIR)/var/lib/mandos
 
56
# LIBDIR:=$(PREFIX)/lib
40
57
##
41
58
 
42
59
## These settings are for a package-type install
43
 
PREFIX=$(DESTDIR)/usr
44
 
CONFDIR=$(DESTDIR)/etc/mandos
45
 
KEYDIR=$(DESTDIR)/etc/keys/mandos
46
 
MANDIR=$(PREFIX)/share/man
47
 
INITRAMFSTOOLS=$(DESTDIR)/usr/share/initramfs-tools
48
 
STATEDIR=$(DESTDIR)/var/lib/mandos
49
 
LIBDIR=$(shell \
 
60
PREFIX:=$(DESTDIR)/usr
 
61
CONFDIR:=$(DESTDIR)/etc/mandos
 
62
KEYDIR:=$(DESTDIR)/etc/keys/mandos
 
63
MANDIR:=$(PREFIX)/share/man
 
64
INITRAMFSTOOLS:=$(DESTDIR)/usr/share/initramfs-tools
 
65
STATEDIR:=$(DESTDIR)/var/lib/mandos
 
66
LIBDIR:=$(shell \
50
67
        for d in \
51
68
        "/usr/lib/`dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null`" \
52
69
        "`rpm --eval='%{_libdir}' 2>/dev/null`" /usr/lib; do \
57
74
        done)
58
75
##
59
76
 
60
 
SYSTEMD=$(DESTDIR)$(shell pkg-config systemd --variable=systemdsystemunitdir)
 
77
SYSTEMD:=$(DESTDIR)$(shell pkg-config systemd --variable=systemdsystemunitdir)
 
78
TMPFILES:=$(DESTDIR)$(shell pkg-config systemd --variable=tmpfilesdir)
61
79
 
62
 
GNUTLS_CFLAGS=$(shell pkg-config --cflags-only-I gnutls)
63
 
GNUTLS_LIBS=$(shell pkg-config --libs gnutls)
64
 
AVAHI_CFLAGS=$(shell pkg-config --cflags-only-I avahi-core)
65
 
AVAHI_LIBS=$(shell pkg-config --libs avahi-core)
66
 
GPGME_CFLAGS=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)
67
 
GPGME_LIBS=$(shell gpgme-config --libs; getconf LFS_LIBS; \
 
80
GNUTLS_CFLAGS:=$(shell pkg-config --cflags-only-I gnutls)
 
81
GNUTLS_LIBS:=$(shell pkg-config --libs gnutls)
 
82
AVAHI_CFLAGS:=$(shell pkg-config --cflags-only-I avahi-core)
 
83
AVAHI_LIBS:=$(shell pkg-config --libs avahi-core)
 
84
GPGME_CFLAGS:=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)
 
85
GPGME_LIBS:=$(shell gpgme-config --libs; getconf LFS_LIBS; \
68
86
        getconf LFS_LDFLAGS)
 
87
LIBNL3_CFLAGS:=$(shell pkg-config --cflags-only-I libnl-route-3.0)
 
88
LIBNL3_LIBS:=$(shell pkg-config --libs libnl-route-3.0)
69
89
 
70
90
# Do not change these two
71
 
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \
72
 
        $(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(GPGME_CFLAGS) \
73
 
        -DVERSION='"$(version)"'
 
91
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(SANITIZE) $(COVERAGE) \
 
92
        $(OPTIMIZE) $(LANGUAGE) -DVERSION='"$(version)"'
74
93
LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
75
94
 
76
95
# Commands to format a DocBook <refentry> document into a manual page
82
101
        --param man.authors.section.enabled     0 \
83
102
        /usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl \
84
103
        $(notdir $<); \
85
 
        $(MANPOST) $(notdir $@);\
86
104
        if locale --all 2>/dev/null | grep --regexp='^en_US\.utf8$$' \
87
105
        && type man 2>/dev/null; then LANG=en_US.UTF-8 MANWIDTH=80 \
88
106
        man --warnings --encoding=UTF-8 --local-file $(notdir $@); \
89
107
        fi >/dev/null)
90
 
# DocBook-to-man post-processing to fix a '\n' escape bug
91
 
MANPOST=$(SED) --in-place --expression='s,\\\\en,\\en,g;s,\\n,\\en,g'
92
108
 
93
109
DOCBOOKTOHTML=$(strip xsltproc --nonet --xinclude \
94
110
        --param make.year.ranges                1 \
100
116
        /usr/share/xml/docbook/stylesheet/nwalsh/xhtml/docbook.xsl \
101
117
        $<; $(HTMLPOST) $@)
102
118
# Fix citerefentry links
103
 
HTMLPOST=$(SED) --in-place \
 
119
HTMLPOST:=$(SED) --in-place \
104
120
        --expression='s/\(<a class="citerefentry" href="\)\("><span class="citerefentry"><span class="refentrytitle">\)\([^<]*\)\(<\/span>(\)\([^)]*\)\()<\/span><\/a>\)/\1\3.\5\2\3\4\5\6/g'
105
121
 
106
 
PLUGINS=plugins.d/password-prompt plugins.d/mandos-client \
 
122
PLUGINS:=plugins.d/password-prompt plugins.d/mandos-client \
107
123
        plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo \
108
124
        plugins.d/plymouth
109
 
CPROGS=plugin-runner $(PLUGINS)
110
 
PROGS=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
111
 
DOCS=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
 
125
PLUGIN_HELPERS:=plugin-helpers/mandos-client-iprouteadddel
 
126
CPROGS:=plugin-runner $(PLUGINS) $(PLUGIN_HELPERS)
 
127
PROGS:=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
 
128
DOCS:=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
112
129
        mandos.conf.5 mandos-clients.conf.5 plugin-runner.8mandos \
113
130
        plugins.d/mandos-client.8mandos \
114
131
        plugins.d/password-prompt.8mandos plugins.d/usplash.8mandos \
115
132
        plugins.d/splashy.8mandos plugins.d/askpass-fifo.8mandos \
116
133
        plugins.d/plymouth.8mandos intro.8mandos
117
134
 
118
 
htmldocs=$(addsuffix .xhtml,$(DOCS))
 
135
htmldocs:=$(addsuffix .xhtml,$(DOCS))
119
136
 
120
 
objects=$(addsuffix .o,$(CPROGS))
 
137
objects:=$(addsuffix .o,$(CPROGS))
121
138
 
122
139
all: $(PROGS) mandos.lsm
123
140
 
235
252
                --expression='s/\(mandos_\)[0-9.]\+\(\.orig\.tar\.gz\)/\1$(version)\2/' \
236
253
                $@)
237
254
 
 
255
# Need to add the GnuTLS, Avahi and GPGME libraries, and can't use
 
256
# -fsanitize=leak because GnuTLS and GPGME both leak memory.
238
257
plugins.d/mandos-client: plugins.d/mandos-client.c
239
 
        $(LINK.c) $^ -lrt $(GNUTLS_LIBS) $(AVAHI_LIBS) $(strip\
 
258
        $(CC) $(filter-out -fsanitize=leak,$(CFLAGS)) $(strip\
 
259
        ) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(GPGME_CFLAGS) $(strip\
 
260
                ) $(CPPFLAGS) $(LDFLAGS) $(TARGET_ARCH) $^ $(strip\
 
261
                ) -lrt $(GNUTLS_LIBS) $(AVAHI_LIBS) $(strip\
240
262
                ) $(GPGME_LIBS) $(LOADLIBES) $(LDLIBS) -o $@
241
263
 
242
 
.PHONY : all doc html clean distclean run-client run-server install \
243
 
        install-server install-client uninstall uninstall-server \
244
 
        uninstall-client purge purge-server purge-client
 
264
plugin-helpers/mandos-client-iprouteadddel: plugin-helpers/mandos-client-iprouteadddel.c
 
265
        $(LINK.c) $(LIBNL3_CFLAGS) $^ $(LIBNL3_LIBS) $(strip\
 
266
                ) $(LOADLIBES) $(LDLIBS) -o $@
 
267
 
 
268
.PHONY : all doc html clean distclean mostlyclean maintainer-clean \
 
269
        check run-client run-server install install-html \
 
270
        install-server install-client-nokey install-client uninstall \
 
271
        uninstall-server uninstall-client purge purge-server \
 
272
        purge-client
245
273
 
246
274
clean:
247
275
        -rm --force $(CPROGS) $(objects) $(htmldocs) $(DOCS) core
259
287
run-client: all keydir/seckey.txt keydir/pubkey.txt
260
288
        @echo "###################################################################"
261
289
        @echo "# The following error messages are harmless and can be safely     #"
262
 
        @echo "# ignored.  The messages are caused by not running as root, but   #"
263
 
        @echo "# you should NOT run \"make run-client\" as root unless you also    #"
264
 
        @echo "# unpacked and compiled Mandos as root, which is NOT recommended. #"
265
 
        @echo "# From plugin-runner: setuid: Operation not permitted             #"
 
290
        @echo "# ignored:                                                        #"
 
291
        @echo "# From plugin-runner: setgid: Operation not permitted             #"
 
292
        @echo "#                     setuid: Operation not permitted             #"
266
293
        @echo "# From askpass-fifo:  mkfifo: Permission denied                   #"
267
 
        @echo "# From mandos-client: setuid: Operation not permitted             #"
268
 
        @echo "#                     seteuid: Operation not permitted            #"
269
 
        @echo "#                     klogctl: Operation not permitted            #"
 
294
        @echo "# From mandos-client:                                             #"
 
295
        @echo "#             Failed to raise privileges: Operation not permitted #"
 
296
        @echo "#             Warning: network hook \"*\" exited with status *      #"
 
297
        @echo "#                                                                 #"
 
298
        @echo "# (The messages are caused by not running as root, but you should #"
 
299
        @echo "# NOT run \"make run-client\" as root unless you also unpacked and  #"
 
300
        @echo "# compiled Mandos as root, which is also NOT recommended.)        #"
270
301
        @echo "###################################################################"
 
302
# We set GNOME_KEYRING_CONTROL to block pam_gnome_keyring
271
303
        ./plugin-runner --plugin-dir=plugins.d \
 
304
                --plugin-helper-dir=plugin-helpers \
272
305
                --config-file=plugin-runner.conf \
273
306
                --options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--network-hook-dir=network-hooks.d \
 
307
                --env-for=mandos-client:GNOME_KEYRING_CONTROL= \
274
308
                $(CLIENTARGS)
275
309
 
276
310
# Used by run-client
291
325
        install --directory confdir
292
326
        install --mode=u=rw $< $@
293
327
# Add a client password
294
 
        ./mandos-keygen --dir keydir --password >> $@
 
328
        ./mandos-keygen --dir keydir --password --no-ssh >> $@
295
329
statedir:
296
330
        install --directory statedir
297
331
 
310
344
        elif install --directory --mode=u=rwx $(STATEDIR); then \
311
345
                chown -- $(USER):$(GROUP) $(STATEDIR) || :; \
312
346
        fi
 
347
        if [ "$(TMPFILES)" != "$(DESTDIR)" -a -d "$(TMPFILES)" ]; then \
 
348
                install --mode=u=rw,go=r tmpfiles.d-mandos.conf \
 
349
                        $(TMPFILES)/mandos.conf; \
 
350
        fi
313
351
        install --mode=u=rwx,go=rx mandos $(PREFIX)/sbin/mandos
314
352
        install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
315
353
                mandos-ctl
347
385
install-client-nokey: all doc
348
386
        install --directory $(LIBDIR)/mandos $(CONFDIR)
349
387
        install --directory --mode=u=rwx $(KEYDIR) \
350
 
                $(LIBDIR)/mandos/plugins.d
 
388
                $(LIBDIR)/mandos/plugins.d \
 
389
                $(LIBDIR)/mandos/plugin-helpers
351
390
        if [ "$(CONFDIR)" != "$(LIBDIR)/mandos" ]; then \
352
391
                install --mode=u=rwx \
353
 
                        --directory "$(CONFDIR)/plugins.d"; \
 
392
                        --directory "$(CONFDIR)/plugins.d" \
 
393
                        "$(CONFDIR)/plugin-helpers"; \
354
394
        fi
355
395
        install --mode=u=rwx,go=rx --directory \
356
396
                "$(CONFDIR)/network-hooks.d"
376
416
        install --mode=u=rwxs,go=rx \
377
417
                --target-directory=$(LIBDIR)/mandos/plugins.d \
378
418
                plugins.d/plymouth
 
419
        install --mode=u=rwx,go=rx \
 
420
                --target-directory=$(LIBDIR)/mandos/plugin-helpers \
 
421
                plugin-helpers/mandos-client-iprouteadddel
379
422
        install initramfs-tools-hook \
380
423
                $(INITRAMFSTOOLS)/hooks/mandos
381
424
        install --mode=u=rw,go=r initramfs-tools-hook-conf \