
Viewing changes to Makefile

  • Committer: Teddy Hogeborn
  • Date: 2019-07-14 22:39:15 UTC
  • mto: This revision was merged to the branch mainline in revision 384.
  • Revision ID: teddy@recompile.se-20190714223915-aqjkms3t3taa6tye
Only use sanitizing options when debugging

The C compiler's sanitizing options insert extra code into the output
binary, and that code is fragile and not very security-conscious.  It
has become clear that sanitizing is only really meant for use while
debugging.

As a side effect, this makes compilation faster, as the Makefile, for
production builds, no longer runs the compiler repeatedly to find all
its currently supported sanitizing options.

* Makefile (DEBUG): Add "$(SANITIZE)".
  (SANITIZE): Comment out.
  (CFLAGS): Remove "$(SANITIZE)".
  (plugins.d/mandos-client): Revert back to use plain $(LINK.c), since
                             we no longer need to remove the leak
                             sanitizer by overriding CFLAGS.

25
25
        -fsanitize=object-size -fsanitize=float-divide-by-zero \
26
26
        -fsanitize=float-cast-overflow -fsanitize=nonnull-attribute \
27
27
        -fsanitize=returns-nonnull-attribute -fsanitize=bool \
28
 
        -fsanitize=enum -fsanitize-address-use-after-scope
 
28
        -fsanitize=enum
29
29
 
30
30
# For info about _FORTIFY_SOURCE, see feature_test_macros(7)
31
31
# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
41
41
#COVERAGE=--coverage
42
42
OPTIMIZE:=-Os -fno-strict-aliasing
43
43
LANGUAGE:=-std=gnu11
44
 
FEATURES:=-D_FILE_OFFSET_BITS=64
45
44
htmldir:=man
46
 
version:=1.8.7
 
45
version:=1.8.4
47
46
SED:=sed
48
 
PKG_CONFIG?=pkg-config
49
 
 
50
 
USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos \
51
 
        || getent passwd nobody || echo 65534)))
52
 
GROUP:=$(firstword $(subst :, ,$(shell getent group _mandos \
53
 
        || getent group nogroup || echo 65534)))
54
 
 
55
 
LINUXVERSION:=$(shell uname --kernel-release)
 
47
 
 
48
USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))
 
49
GROUP:=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nogroup || echo 65534)))
56
50
 
57
51
## Use these settings for a traditional /usr/local install
58
52
# PREFIX:=$(DESTDIR)/usr/local
60
54
# KEYDIR:=$(DESTDIR)/etc/mandos/keys
61
55
# MANDIR:=$(PREFIX)/man
62
56
# INITRAMFSTOOLS:=$(DESTDIR)/etc/initramfs-tools
63
 
# DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos
64
57
# STATEDIR:=$(DESTDIR)/var/lib/mandos
65
58
# LIBDIR:=$(PREFIX)/lib
66
59
##
71
64
KEYDIR:=$(DESTDIR)/etc/keys/mandos
72
65
MANDIR:=$(PREFIX)/share/man
73
66
INITRAMFSTOOLS:=$(DESTDIR)/usr/share/initramfs-tools
74
 
DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos
75
67
STATEDIR:=$(DESTDIR)/var/lib/mandos
76
68
LIBDIR:=$(shell \
77
69
        for d in \
78
 
        "/usr/lib/`dpkg-architecture \
79
 
                        -qDEB_HOST_MULTIARCH 2>/dev/null`" \
 
70
        "/usr/lib/`dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null`" \
80
71
        "`rpm --eval='%{_libdir}' 2>/dev/null`" /usr/lib; do \
81
72
                if [ -d "$$d" -a "$$d" = "$${d%/}" ]; then \
82
73
                        echo "$(DESTDIR)$$d"; \
85
76
        done)
86
77
##
87
78
 
88
 
SYSTEMD:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \
89
 
                        --variable=systemdsystemunitdir)
90
 
TMPFILES:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \
91
 
                        --variable=tmpfilesdir)
 
79
SYSTEMD:=$(DESTDIR)$(shell pkg-config systemd --variable=systemdsystemunitdir)
 
80
TMPFILES:=$(DESTDIR)$(shell pkg-config systemd --variable=tmpfilesdir)
92
81
 
93
 
GNUTLS_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I gnutls)
94
 
GNUTLS_LIBS:=$(shell $(PKG_CONFIG) --libs gnutls)
95
 
AVAHI_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I avahi-core)
96
 
AVAHI_LIBS:=$(shell $(PKG_CONFIG) --libs avahi-core)
 
82
GNUTLS_CFLAGS:=$(shell pkg-config --cflags-only-I gnutls)
 
83
GNUTLS_LIBS:=$(shell pkg-config --libs gnutls)
 
84
AVAHI_CFLAGS:=$(shell pkg-config --cflags-only-I avahi-core)
 
85
AVAHI_LIBS:=$(shell pkg-config --libs avahi-core)
97
86
GPGME_CFLAGS:=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)
98
87
GPGME_LIBS:=$(shell gpgme-config --libs; getconf LFS_LIBS; \
99
88
        getconf LFS_LDFLAGS)
100
 
LIBNL3_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I libnl-route-3.0)
101
 
LIBNL3_LIBS:=$(shell $(PKG_CONFIG) --libs libnl-route-3.0)
102
 
GLIB_CFLAGS:=$(shell $(PKG_CONFIG) --cflags glib-2.0)
103
 
GLIB_LIBS:=$(shell $(PKG_CONFIG) --libs glib-2.0)
 
89
LIBNL3_CFLAGS:=$(shell pkg-config --cflags-only-I libnl-route-3.0)
 
90
LIBNL3_LIBS:=$(shell pkg-config --libs libnl-route-3.0)
104
91
 
105
92
# Do not change these two
106
 
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \
107
 
        $(LANGUAGE) $(FEATURES) -DVERSION='"$(version)"'
108
 
LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(strip \
109
 
        ) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
 
93
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) \
 
94
        $(OPTIMIZE) $(LANGUAGE) -DVERSION='"$(version)"'
 
95
LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
110
96
 
111
97
# Commands to format a DocBook <refentry> document into a manual page
112
98
DOCBOOKTOMAN=$(strip cd $(dir $<); xsltproc --nonet --xinclude \
118
104
        /usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl \
119
105
        $(notdir $<); \
120
106
        if locale --all 2>/dev/null | grep --regexp='^en_US\.utf8$$' \
121
 
        && command -v man >/dev/null; then LANG=en_US.UTF-8 \
122
 
        MANWIDTH=80 man --warnings --encoding=UTF-8 --local-file \
123
 
        $(notdir $@); fi >/dev/null)
 
107
        && type man 2>/dev/null; then LANG=en_US.UTF-8 MANWIDTH=80 \
 
108
        man --warnings --encoding=UTF-8 --local-file $(notdir $@); \
 
109
        fi >/dev/null)
124
110
 
125
111
DOCBOOKTOHTML=$(strip xsltproc --nonet --xinclude \
126
112
        --param make.year.ranges                1 \
139
125
        plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo \
140
126
        plugins.d/plymouth
141
127
PLUGIN_HELPERS:=plugin-helpers/mandos-client-iprouteadddel
142
 
CPROGS:=plugin-runner dracut-module/password-agent $(PLUGINS) \
143
 
        $(PLUGIN_HELPERS)
 
128
CPROGS:=plugin-runner $(PLUGINS) $(PLUGIN_HELPERS)
144
129
PROGS:=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
145
130
DOCS:=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
146
131
        mandos.conf.5 mandos-clients.conf.5 plugin-runner.8mandos \
147
 
        dracut-module/password-agent.8mandos \
148
132
        plugins.d/mandos-client.8mandos \
149
133
        plugins.d/password-prompt.8mandos plugins.d/usplash.8mandos \
150
134
        plugins.d/splashy.8mandos plugins.d/askpass-fifo.8mandos \
222
206
                overview.xml legalnotice.xml
223
207
        $(DOCBOOKTOHTML)
224
208
 
225
 
dracut-module/password-agent.8mandos: \
226
 
                dracut-module/password-agent.xml common.ent \
227
 
                overview.xml legalnotice.xml
228
 
        $(DOCBOOKTOMAN)
229
 
dracut-module/password-agent.8mandos.xhtml: \
230
 
                dracut-module/password-agent.xml common.ent \
231
 
                overview.xml legalnotice.xml
232
 
        $(DOCBOOKTOHTML)
233
 
 
234
209
plugins.d/mandos-client.8mandos: plugins.d/mandos-client.xml \
235
210
                                        common.ent \
236
211
                                        mandos-options.xml \
282
257
# Need to add the GnuTLS, Avahi and GPGME libraries
283
258
plugins.d/mandos-client: plugins.d/mandos-client.c
284
259
        $(LINK.c) $^ $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(strip\
285
 
                ) $(GPGME_CFLAGS) $(GNUTLS_LIBS) $(strip\
 
260
                ) $(GPGME_CFLAGS) -lrt $(GNUTLS_LIBS) $(strip\
286
261
                ) $(AVAHI_LIBS) $(GPGME_LIBS) $(LOADLIBES) $(strip\
287
262
                ) $(LDLIBS) -o $@
288
263
 
289
 
# Need to add the libnl-route library
290
264
plugin-helpers/mandos-client-iprouteadddel: plugin-helpers/mandos-client-iprouteadddel.c
291
265
        $(LINK.c) $(LIBNL3_CFLAGS) $^ $(LIBNL3_LIBS) $(strip\
292
266
                ) $(LOADLIBES) $(LDLIBS) -o $@
293
267
 
294
 
# Need to add the GLib and pthread libraries
295
 
dracut-module/password-agent: dracut-module/password-agent.c
296
 
        $(LINK.c) $(GLIB_CFLAGS) $^ $(GLIB_LIBS) -lpthread $(strip\
297
 
                ) $(LOADLIBES) $(LDLIBS) -o $@
298
 
 
299
268
.PHONY : all doc html clean distclean mostlyclean maintainer-clean \
300
269
        check run-client run-server install install-html \
301
270
        install-server install-client-nokey install-client uninstall \
310
279
maintainer-clean: clean
311
280
        -rm --force --recursive keydir confdir statedir
312
281
 
313
 
check: all
 
282
check:  all
314
283
        ./mandos --check
315
284
        ./mandos-ctl --check
316
 
        ./mandos-keygen --version
317
 
        ./plugin-runner --version
318
 
        ./plugin-helpers/mandos-client-iprouteadddel --version
319
 
        ./dracut-module/password-agent --test
320
285
 
321
286
# Run the client with a local config and key
322
 
run-client: all keydir/seckey.txt keydir/pubkey.txt \
323
 
                        keydir/tls-privkey.pem keydir/tls-pubkey.pem
324
 
        @echo '######################################################'
325
 
        @echo '# The following error messages are harmless and can  #'
326
 
        @echo '#  be safely ignored:                                #'
327
 
        @echo '## From plugin-runner:                               #'
328
 
        @echo '# setgid: Operation not permitted                    #'
329
 
        @echo '# setuid: Operation not permitted                    #'
330
 
        @echo '## From askpass-fifo:                                #'
331
 
        @echo '# mkfifo: Permission denied                          #'
332
 
        @echo '## From mandos-client:                               #'
333
 
        @echo '# Failed to raise privileges: Operation not permi... #'
334
 
        @echo '# Warning: network hook "*" exited with status *     #'
335
 
        @echo '# ioctl SIOCSIFFLAGS +IFF_UP: Operation not permi... #'
336
 
        @echo '# Failed to bring up interface "*": Operation not... #'
337
 
        @echo '#                                                    #'
338
 
        @echo '# (The messages are caused by not running as root,   #'
339
 
        @echo '# but you should NOT run "make run-client" as root   #'
340
 
        @echo '# unless you also unpacked and compiled Mandos as    #'
341
 
        @echo '# root, which is also NOT recommended.)              #'
342
 
        @echo '######################################################'
 
287
run-client: all keydir/seckey.txt keydir/pubkey.txt keydir/tls-privkey.pem keydir/tls-pubkey.pem
 
288
        @echo "###################################################################"
 
289
        @echo "# The following error messages are harmless and can be safely     #"
 
290
        @echo "# ignored:                                                        #"
 
291
        @echo "# From plugin-runner: setgid: Operation not permitted             #"
 
292
        @echo "#                     setuid: Operation not permitted             #"
 
293
        @echo "# From askpass-fifo:  mkfifo: Permission denied                   #"
 
294
        @echo "# From mandos-client:                                             #"
 
295
        @echo "#             Failed to raise privileges: Operation not permitted #"
 
296
        @echo "#             Warning: network hook \"*\" exited with status *      #"
 
297
        @echo "#                                                                 #"
 
298
        @echo "# (The messages are caused by not running as root, but you should #"
 
299
        @echo "# NOT run \"make run-client\" as root unless you also unpacked and  #"
 
300
        @echo "# compiled Mandos as root, which is also NOT recommended.)        #"
 
301
        @echo "###################################################################"
343
302
# We set GNOME_KEYRING_CONTROL to block pam_gnome_keyring
344
303
        ./plugin-runner --plugin-dir=plugins.d \
345
304
                --plugin-helper-dir=plugin-helpers \
385
344
        elif install --directory --mode=u=rwx $(STATEDIR); then \
386
345
                chown -- $(USER):$(GROUP) $(STATEDIR) || :; \
387
346
        fi
388
 
        if [ "$(TMPFILES)" != "$(DESTDIR)" \
389
 
                        -a -d "$(TMPFILES)" ]; then \
 
347
        if [ "$(TMPFILES)" != "$(DESTDIR)" -a -d "$(TMPFILES)" ]; then \
390
348
                install --mode=u=rw,go=r tmpfiles.d-mandos.conf \
391
349
                        $(TMPFILES)/mandos.conf; \
392
350
        fi
439
397
        install --mode=u=rwx,go=rx \
440
398
                --target-directory=$(LIBDIR)/mandos plugin-runner
441
399
        install --mode=u=rwx,go=rx \
442
 
                --target-directory=$(LIBDIR)/mandos \
443
 
                mandos-to-cryptroot-unlock
 
400
                --target-directory=$(LIBDIR)/mandos mandos-to-cryptroot-unlock
444
401
        install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
445
402
                mandos-keygen
446
403
        install --mode=u=rwx,go=rx \
474
431
                $(INITRAMFSTOOLS)/scripts/init-premount/mandos
475
432
        install initramfs-tools-script-stop \
476
433
                $(INITRAMFSTOOLS)/scripts/local-premount/mandos
477
 
        install --directory $(DRACUTMODULE)
478
 
        install --mode=u=rw,go=r --target-directory=$(DRACUTMODULE) \
479
 
                dracut-module/ask-password-mandos.path \
480
 
                dracut-module/ask-password-mandos.service
481
 
        install --mode=u=rwxs,go=rx \
482
 
                --target-directory=$(DRACUTMODULE) \
483
 
                dracut-module/module-setup.sh \
484
 
                dracut-module/cmdline-mandos.sh \
485
 
                dracut-module/password-agent
486
434
        install --mode=u=rw,go=r plugin-runner.conf $(CONFDIR)
487
435
        gzip --best --to-stdout mandos-keygen.8 \
488
436
                > $(MANDIR)/man8/mandos-keygen.8.gz
500
448
                > $(MANDIR)/man8/askpass-fifo.8mandos.gz
501
449
        gzip --best --to-stdout plugins.d/plymouth.8mandos \
502
450
                > $(MANDIR)/man8/plymouth.8mandos.gz
503
 
        gzip --best --to-stdout dracut-module/password-agent.8mandos \
504
 
                > $(MANDIR)/man8/password-agent.8mandos.gz
505
451
 
506
452
install-client: install-client-nokey
507
453
# Post-installation stuff
508
454
        -$(PREFIX)/sbin/mandos-keygen --dir "$(KEYDIR)"
509
 
        if command -v update-initramfs >/dev/null; then \
510
 
            update-initramfs -k all -u; \
511
 
        elif command -v dracut >/dev/null; then \
512
 
            for initrd in $(DESTDIR)/boot/initr*-$(LINUXVERSION); do \
513
 
                if [ -w "$$initrd" ]; then \
514
 
                    chmod go-r "$$initrd"; \
515
 
                    dracut --force "$$initrd"; \
516
 
                fi; \
517
 
            done; \
518
 
        fi
 
455
        update-initramfs -k all -u
519
456
        echo "Now run mandos-keygen --password --dir $(KEYDIR)"
520
457
 
521
458
uninstall: uninstall-server uninstall-client
548
485
                $(INITRAMFSTOOLS)/hooks/mandos \
549
486
                $(INITRAMFSTOOLS)/conf-hooks.d/mandos \
550
487
                $(INITRAMFSTOOLS)/scripts/init-premount/mandos \
551
 
                $(INITRAMFSTOOLS)/scripts/local-premount/mandos \
552
 
                $(DRACUTMODULE)/ask-password-mandos.path \
553
 
                $(DRACUTMODULE)/ask-password-mandos.service \
554
 
                $(DRACUTMODULE)/module-setup.sh \
555
 
                $(DRACUTMODULE)/cmdline-mandos.sh \
556
 
                $(DRACUTMODULE)/password-agent \
557
488
                $(MANDIR)/man8/mandos-keygen.8.gz \
558
489
                $(MANDIR)/man8/plugin-runner.8mandos.gz \
559
490
                $(MANDIR)/man8/mandos-client.8mandos.gz
562
493
                $(MANDIR)/man8/splashy.8mandos.gz \
563
494
                $(MANDIR)/man8/askpass-fifo.8mandos.gz \
564
495
                $(MANDIR)/man8/plymouth.8mandos.gz \
565
 
                $(MANDIR)/man8/password-agent.8mandos.gz \
566
496
        -rmdir $(LIBDIR)/mandos/plugins.d $(CONFDIR)/plugins.d \
567
 
                 $(LIBDIR)/mandos $(CONFDIR) $(KEYDIR) $(DRACUTMODULE)
568
 
        if command -v update-initramfs >/dev/null; then \
569
 
            update-initramfs -k all -u; \
570
 
        elif command -v dracut >/dev/null; then \
571
 
            for initrd in $(DESTDIR)/boot/initr*-$(LINUXVERSION); do \
572
 
                test -w "$$initrd" && dracut --force "$$initrd"; \
573
 
            done; \
574
 
        fi
 
497
                 $(LIBDIR)/mandos $(CONFDIR) $(KEYDIR)
 
498
        update-initramfs -k all -u
575
499
 
576
500
purge: purge-server purge-client
577
501