Viewing changes to Makefile

  • Committer: Teddy Hogeborn
  • Date: 2019-08-02 22:16:53 UTC
  • mto: This revision was merged to the branch mainline in revision 386.
  • Revision ID: teddy@recompile.se-20190802221653-ic1iko9hbefzwsk7
Fix bug in server Debian package: Fails to start on first install

There has been a very long-standing bug where installation of the
server (the "mandos" Debian package) would fail to start the server
properly right after installation.  It would work on manual (re)start
after installation, or after reboot, and even after package purge and
reinstall, it would then work the first time.  The problem, it turns
out, is when the new "_mandos" user (and corresponding group) is
created, the D-Bus server is not reloaded, and is therefore not aware
of that user, and does not recognize the user and group name in the
/etc/dbus-1/system.d/mandos.conf file.  The Mandos server, when it
tries to start and access the D-Bus, is then not permitted to connect
to its D-Bus bus name, and disables D-Bus use as a fallback measure;
i.e. the server works, but it is not controllable via D-Bus commands
(via mandos-ctl or mandos-monitor).  The next time the D-Bus daemon is
reloaded for any reason, the new user & group would become visible to
the D-Bus daemon and after that, any restart of the Mandos server
would succeed and it would bind to its D-Bus name properly, and
thereby be visible and controllable by mandos-ctl & mandos-monitor.
This was mostly invisible when using sysvinit, but systemd makes the
problem visible since the systemd service file for the Mandos server
is configured to not consider the Mandos server "started" until the
D-Bus name has been bound; this makes the starting of the service wait
for 90 seconds and then fail with a timeout error.

Fixing this should also make the Debian CI autopkgtest tests work.

* debian/mandos.postinst (configure): After creating (or renaming)
                                      user & group, reload D-Bus
                                      daemon (if present).

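--- a/Makefile
+++ b/Makefile
@@ -10,10 +10,12 @@
         -Wmissing-format-attribute -Wnormalized=nfc -Wpacked \
         -Wredundant-decls -Wnested-externs -Winline -Wvla \
         -Wvolatile-register-var -Woverlength-strings
-#DEBUG:=-ggdb3 -fsanitize=address 
-# For info about _FORTIFY_SOURCE, see feature_test_macros(7)
-# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
-FORTIFY:=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
+
+#DEBUG:=-ggdb3 -fsanitize=address $(SANITIZE)
+## Check which sanitizing options can be used
+#SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \
+#       echo 'int main(){}' | $(CC) --language=c $(option) \
+#       /dev/stdin -o /dev/null >/dev/null 2>&1 && echo $(option)))
 # <https://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan/>
 ALL_SANITIZE_OPTIONS:=-fsanitize=leak -fsanitize=undefined \
         -fsanitize=shift -fsanitize=integer-divide-by-zero \
@@ -23,11 +25,11 @@
         -fsanitize=object-size -fsanitize=float-divide-by-zero \
         -fsanitize=float-cast-overflow -fsanitize=nonnull-attribute \
         -fsanitize=returns-nonnull-attribute -fsanitize=bool \
-        -fsanitize=enum
-# Check which sanitizing options can be used
-SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \
-        echo 'int main(){}' | $(CC) --language=c $(option) /dev/stdin \
-        -o /dev/null >/dev/null 2>&1 && echo $(option)))
+        -fsanitize=enum -fsanitize-address-use-after-scope
+
+# For info about _FORTIFY_SOURCE, see feature_test_macros(7)
+# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
+FORTIFY:=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
 LINK_FORTIFY_LD:=-z relro -z now
 LINK_FORTIFY:=
 
@@ -40,11 +42,16 @@
 OPTIMIZE:=-Os -fno-strict-aliasing
 LANGUAGE:=-std=gnu11
 htmldir:=man
-version:=1.7.16
+version:=1.8.5
 SED:=sed
-
-USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))
-GROUP:=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nogroup || echo 65534)))
+PKG_CONFIG?=pkg-config
+
+USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos \
+        || getent passwd nobody || echo 65534)))
+GROUP:=$(firstword $(subst :, ,$(shell getent group _mandos \
+        || getent group nogroup || echo 65534)))
+
+LINUXVERSION:=$(shell uname --kernel-release)
 
 ## Use these settings for a traditional /usr/local install
 # PREFIX:=$(DESTDIR)/usr/local
@@ -52,6 +59,7 @@
 # KEYDIR:=$(DESTDIR)/etc/mandos/keys
 # MANDIR:=$(PREFIX)/man
 # INITRAMFSTOOLS:=$(DESTDIR)/etc/initramfs-tools
+# DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos
 # STATEDIR:=$(DESTDIR)/var/lib/mandos
 # LIBDIR:=$(PREFIX)/lib
 ##
@@ -62,10 +70,12 @@
 KEYDIR:=$(DESTDIR)/etc/keys/mandos
 MANDIR:=$(PREFIX)/share/man
 INITRAMFSTOOLS:=$(DESTDIR)/usr/share/initramfs-tools
+DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos
 STATEDIR:=$(DESTDIR)/var/lib/mandos
 LIBDIR:=$(shell \
         for d in \
-        "/usr/lib/`dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null`" \
+        "/usr/lib/`dpkg-architecture \
+                        -qDEB_HOST_MULTIARCH 2>/dev/null`" \
         "`rpm --eval='%{_libdir}' 2>/dev/null`" /usr/lib; do \
                 if [ -d "$$d" -a "$$d" = "$${d%/}" ]; then \
                         echo "$(DESTDIR)$$d"; \
@@ -74,24 +84,28 @@
         done)
 ##
 
-SYSTEMD:=$(DESTDIR)$(shell pkg-config systemd --variable=systemdsystemunitdir)
-TMPFILES:=$(DESTDIR)$(shell pkg-config systemd --variable=tmpfilesdir)
+SYSTEMD:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \
+                        --variable=systemdsystemunitdir)
+TMPFILES:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \
+                        --variable=tmpfilesdir)
 
-GNUTLS_CFLAGS:=$(shell pkg-config --cflags-only-I gnutls)
-GNUTLS_LIBS:=$(shell pkg-config --libs gnutls)
-AVAHI_CFLAGS:=$(shell pkg-config --cflags-only-I avahi-core)
-AVAHI_LIBS:=$(shell pkg-config --libs avahi-core)
+GNUTLS_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I gnutls)
+GNUTLS_LIBS:=$(shell $(PKG_CONFIG) --libs gnutls)
+AVAHI_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I avahi-core)
+AVAHI_LIBS:=$(shell $(PKG_CONFIG) --libs avahi-core)
 GPGME_CFLAGS:=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)
 GPGME_LIBS:=$(shell gpgme-config --libs; getconf LFS_LIBS; \
         getconf LFS_LDFLAGS)
-LIBNL3_CFLAGS:=$(shell pkg-config --cflags-only-I libnl-route-3.0)
-LIBNL3_LIBS:=$(shell pkg-config --libs libnl-route-3.0)
+LIBNL3_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I libnl-route-3.0)
+LIBNL3_LIBS:=$(shell $(PKG_CONFIG) --libs libnl-route-3.0)
+GLIB_CFLAGS:=$(shell $(PKG_CONFIG) --cflags glib-2.0)
+GLIB_LIBS:=$(shell $(PKG_CONFIG) --libs glib-2.0)
 
 # Do not change these two
-CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(SANITIZE) $(COVERAGE) \
-        $(OPTIMIZE) $(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) \
-        $(GPGME_CFLAGS) -DVERSION='"$(version)"'
-LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
+CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) \
+        $(OPTIMIZE) $(LANGUAGE) -DVERSION='"$(version)"'
+LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(strip \
+        ) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
 
 # Commands to format a DocBook <refentry> document into a manual page
 DOCBOOKTOMAN=$(strip cd $(dir $<); xsltproc --nonet --xinclude \
@@ -103,9 +117,9 @@
         /usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl \
         $(notdir $<); \
         if locale --all 2>/dev/null | grep --regexp='^en_US\.utf8$$' \
-        && type man 2>/dev/null; then LANG=en_US.UTF-8 MANWIDTH=80 \
-        man --warnings --encoding=UTF-8 --local-file $(notdir $@); \
-        fi >/dev/null)
+        && command -v man >/dev/null; then LANG=en_US.UTF-8 \
+        MANWIDTH=80 man --warnings --encoding=UTF-8 --local-file \
+        $(notdir $@); fi >/dev/null)
 
 DOCBOOKTOHTML=$(strip xsltproc --nonet --xinclude \
         --param make.year.ranges                1 \
@@ -124,10 +138,12 @@
         plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo \
         plugins.d/plymouth
 PLUGIN_HELPERS:=plugin-helpers/mandos-client-iprouteadddel
-CPROGS:=plugin-runner $(PLUGINS) $(PLUGIN_HELPERS)
+CPROGS:=plugin-runner dracut-module/password-agent $(PLUGINS) \
+        $(PLUGIN_HELPERS)
 PROGS:=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
 DOCS:=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
         mandos.conf.5 mandos-clients.conf.5 plugin-runner.8mandos \
+        dracut-module/password-agent.8mandos \
         plugins.d/mandos-client.8mandos \
         plugins.d/password-prompt.8mandos plugins.d/usplash.8mandos \
         plugins.d/splashy.8mandos plugins.d/askpass-fifo.8mandos \
@@ -205,6 +221,15 @@
                 overview.xml legalnotice.xml
         $(DOCBOOKTOHTML)
 
+dracut-module/password-agent.8mandos: \
+                dracut-module/password-agent.xml common.ent \
+                overview.xml legalnotice.xml
+        $(DOCBOOKTOMAN)
+dracut-module/password-agent.8mandos.xhtml: \
+                dracut-module/password-agent.xml common.ent \
+                overview.xml legalnotice.xml
+        $(DOCBOOKTOHTML)
+
 plugins.d/mandos-client.8mandos: plugins.d/mandos-client.xml \
                                         common.ent \
                                         mandos-options.xml \
@@ -253,14 +278,23 @@
                 --expression='s/\(mandos_\)[0-9.]\+\(\.orig\.tar\.gz\)/\1$(version)\2/' \
                 $@)
 
+# Need to add the GnuTLS, Avahi and GPGME libraries
 plugins.d/mandos-client: plugins.d/mandos-client.c
-        $(LINK.c) $^ -lrt $(GNUTLS_LIBS) $(AVAHI_LIBS) $(strip\
-                ) $(GPGME_LIBS) $(LOADLIBES) $(LDLIBS) -o $@
+        $(LINK.c) $^ $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(strip\
+                ) $(GPGME_CFLAGS) $(GNUTLS_LIBS) $(strip\
+                ) $(AVAHI_LIBS) $(GPGME_LIBS) $(LOADLIBES) $(strip\
+                ) $(LDLIBS) -o $@
 
+# Need to add the libnl-route library
 plugin-helpers/mandos-client-iprouteadddel: plugin-helpers/mandos-client-iprouteadddel.c
         $(LINK.c) $(LIBNL3_CFLAGS) $^ $(LIBNL3_LIBS) $(strip\
                 ) $(LOADLIBES) $(LDLIBS) -o $@
 
+# Need to add the GLib and pthread libraries
+dracut-module/password-agent: dracut-module/password-agent.c
+        $(LINK.c) $(GLIB_CFLAGS) $^ $(GLIB_LIBS) -lpthread $(strip\
+                ) $(LOADLIBES) $(LDLIBS) -o $@
+
 .PHONY : all doc html clean distclean mostlyclean maintainer-clean \
         check run-client run-server install install-html \
         install-server install-client-nokey install-client uninstall \
@@ -275,36 +309,46 @@
 maintainer-clean: clean
         -rm --force --recursive keydir confdir statedir
 
-check:  all
+check: all
         ./mandos --check
         ./mandos-ctl --check
+        ./mandos-keygen --version
+        ./plugin-runner --version
+        ./plugin-helpers/mandos-client-iprouteadddel --version
+        ./dracut-module/password-agent --test
 
 # Run the client with a local config and key
-run-client: all keydir/seckey.txt keydir/pubkey.txt
-        @echo "###################################################################"
-        @echo "# The following error messages are harmless and can be safely     #"
-        @echo "# ignored:                                                        #"
-        @echo "# From plugin-runner: setgid: Operation not permitted             #"
-        @echo "#                     setuid: Operation not permitted             #"
-        @echo "# From askpass-fifo:  mkfifo: Permission denied                   #"
-        @echo "# From mandos-client:                                             #"
-        @echo "#             Failed to raise privileges: Operation not permitted #"
-        @echo "#             Warning: network hook \"*\" exited with status *      #"
-        @echo "#                                                                 #"
-        @echo "# (The messages are caused by not running as root, but you should #"
-        @echo "# NOT run \"make run-client\" as root unless you also unpacked and  #"
-        @echo "# compiled Mandos as root, which is also NOT recommended.)        #"
-        @echo "###################################################################"
+run-client: all keydir/seckey.txt keydir/pubkey.txt \
+                        keydir/tls-privkey.pem keydir/tls-pubkey.pem
+        @echo '######################################################'
+        @echo '# The following error messages are harmless and can  #'
+        @echo '#  be safely ignored:                                #'
+        @echo '## From plugin-runner:                               #'
+        @echo '# setgid: Operation not permitted                    #'
+        @echo '# setuid: Operation not permitted                    #'
+        @echo '## From askpass-fifo:                                #'
+        @echo '# mkfifo: Permission denied                          #'
+        @echo '## From mandos-client:                               #'
+        @echo '# Failed to raise privileges: Operation not permi... #'
+        @echo '# Warning: network hook "*" exited with status *     #'
+        @echo '# ioctl SIOCSIFFLAGS +IFF_UP: Operation not permi... #'
+        @echo '# Failed to bring up interface "*": Operation not... #'
+        @echo '#                                                    #'
+        @echo '# (The messages are caused by not running as root,   #'
+        @echo '# but you should NOT run "make run-client" as root   #'
+        @echo '# unless you also unpacked and compiled Mandos as    #'
+        @echo '# root, which is also NOT recommended.)              #'
+        @echo '######################################################'
 # We set GNOME_KEYRING_CONTROL to block pam_gnome_keyring
         ./plugin-runner --plugin-dir=plugins.d \
                 --plugin-helper-dir=plugin-helpers \
                 --config-file=plugin-runner.conf \
-                --options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--network-hook-dir=network-hooks.d \
+                --options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--tls-privkey=keydir/tls-privkey.pem,--tls-pubkey=keydir/tls-pubkey.pem,--network-hook-dir=network-hooks.d \
                 --env-for=mandos-client:GNOME_KEYRING_CONTROL= \
                 $(CLIENTARGS)
 
 # Used by run-client
-keydir/seckey.txt keydir/pubkey.txt: mandos-keygen
+keydir/seckey.txt keydir/pubkey.txt keydir/tls-privkey.pem keydir/tls-pubkey.pem: mandos-keygen
         install --directory keydir
         ./mandos-keygen --dir keydir --force
 
@@ -317,7 +361,7 @@
 confdir/mandos.conf: mandos.conf
         install --directory confdir
         install --mode=u=rw,go=r $^ $@
-confdir/clients.conf: clients.conf keydir/seckey.txt
+confdir/clients.conf: clients.conf keydir/seckey.txt keydir/tls-pubkey.pem
         install --directory confdir
         install --mode=u=rw $< $@
 # Add a client password
@@ -340,7 +384,8 @@
         elif install --directory --mode=u=rwx $(STATEDIR); then \
                 chown -- $(USER):$(GROUP) $(STATEDIR) || :; \
         fi
-        if [ "$(TMPFILES)" != "$(DESTDIR)" -a -d "$(TMPFILES)" ]; then \
+        if [ "$(TMPFILES)" != "$(DESTDIR)" \
+                        -a -d "$(TMPFILES)" ]; then \
                 install --mode=u=rw,go=r tmpfiles.d-mandos.conf \
                         $(TMPFILES)/mandos.conf; \
         fi
@@ -392,6 +437,9 @@
                 "$(CONFDIR)/network-hooks.d"
         install --mode=u=rwx,go=rx \
                 --target-directory=$(LIBDIR)/mandos plugin-runner
+        install --mode=u=rwx,go=rx \
+                --target-directory=$(LIBDIR)/mandos \
+                mandos-to-cryptroot-unlock
         install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
                 mandos-keygen
         install --mode=u=rwx,go=rx \
@@ -417,10 +465,23 @@
                 plugin-helpers/mandos-client-iprouteadddel
         install initramfs-tools-hook \
                 $(INITRAMFSTOOLS)/hooks/mandos
-        install --mode=u=rw,go=r initramfs-tools-hook-conf \
-                $(INITRAMFSTOOLS)/conf-hooks.d/mandos
+        install --mode=u=rw,go=r initramfs-tools-conf \
+                $(INITRAMFSTOOLS)/conf.d/mandos-conf
+        install --mode=u=rw,go=r initramfs-tools-conf-hook \
+                $(INITRAMFSTOOLS)/conf-hooks.d/zz-mandos
         install initramfs-tools-script \
                 $(INITRAMFSTOOLS)/scripts/init-premount/mandos
+        install initramfs-tools-script-stop \
+                $(INITRAMFSTOOLS)/scripts/local-premount/mandos
+        install --directory $(DRACUTMODULE)
+        install --mode=u=rw,go=r --target-directory=$(DRACUTMODULE) \
+                dracut-module/ask-password-mandos.path \
+                dracut-module/ask-password-mandos.service
+        install --mode=u=rwxs,go=rx \
+                --target-directory=$(DRACUTMODULE) \
+                dracut-module/module-setup.sh \
+                dracut-module/cmdline-mandos.sh \
+                dracut-module/password-agent
         install --mode=u=rw,go=r plugin-runner.conf $(CONFDIR)
         gzip --best --to-stdout mandos-keygen.8 \
                 > $(MANDIR)/man8/mandos-keygen.8.gz
@@ -438,11 +499,22 @@
                 > $(MANDIR)/man8/askpass-fifo.8mandos.gz
         gzip --best --to-stdout plugins.d/plymouth.8mandos \
                 > $(MANDIR)/man8/plymouth.8mandos.gz
+        gzip --best --to-stdout dracut-module/password-agent.8mandos \
+                > $(MANDIR)/man8/password-agent.8mandos.gz
 
 install-client: install-client-nokey
 # Post-installation stuff
         -$(PREFIX)/sbin/mandos-keygen --dir "$(KEYDIR)"
-        update-initramfs -k all -u
+        if command -v update-initramfs >/dev/null; then \
+            update-initramfs -k all -u; \
+        elif command -v dracut >/dev/null; then \
+            for initrd in $(DESTDIR)/boot/initr*-$(LINUXVERSION); do \
+                if [ -w "$$initrd" ]; then \
+                    chmod go-r "$$initrd"; \
+                    dracut --force "$$initrd"; \
+                fi; \
+            done; \
+        fi
         echo "Now run mandos-keygen --password --dir $(KEYDIR)"
 
 uninstall: uninstall-server uninstall-client
@@ -475,6 +547,12 @@
                 $(INITRAMFSTOOLS)/hooks/mandos \
                 $(INITRAMFSTOOLS)/conf-hooks.d/mandos \
                 $(INITRAMFSTOOLS)/scripts/init-premount/mandos \
+                $(INITRAMFSTOOLS)/scripts/local-premount/mandos \
+                $(DRACUTMODULE)/ask-password-mandos.path \
+                $(DRACUTMODULE)/ask-password-mandos.service \
+                $(DRACUTMODULE)/module-setup.sh \
+                $(DRACUTMODULE)/cmdline-mandos.sh \
+                $(DRACUTMODULE)/password-agent \
                 $(MANDIR)/man8/mandos-keygen.8.gz \
                 $(MANDIR)/man8/plugin-runner.8mandos.gz \
                 $(MANDIR)/man8/mandos-client.8mandos.gz
@@ -483,9 +561,16 @@
                 $(MANDIR)/man8/splashy.8mandos.gz \
                 $(MANDIR)/man8/askpass-fifo.8mandos.gz \
                 $(MANDIR)/man8/plymouth.8mandos.gz \
+                $(MANDIR)/man8/password-agent.8mandos.gz \
         -rmdir $(LIBDIR)/mandos/plugins.d $(CONFDIR)/plugins.d \
-                 $(LIBDIR)/mandos $(CONFDIR) $(KEYDIR)
-        update-initramfs -k all -u
+                 $(LIBDIR)/mandos $(CONFDIR) $(KEYDIR) $(DRACUTMODULE)
+        if command -v update-initramfs >/dev/null; then \
+            update-initramfs -k all -u; \
+        elif command -v dracut >/dev/null; then \
+            for initrd in $(DESTDIR)/boot/initr*-$(LINUXVERSION); do \
+                test -w "$$initrd" && dracut --force "$$initrd"; \
+            done; \
+        fi
 
 purge: purge-server purge-client
 
@@ -500,7 +585,8 @@
         -rmdir $(CONFDIR)
 
 purge-client: uninstall-client
-        -shred --remove $(KEYDIR)/seckey.txt
+        -shred --remove $(KEYDIR)/seckey.txt $(KEYDIR)/tls-privkey.pem
         -rm --force $(CONFDIR)/plugin-runner.conf \
-                $(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt
+                $(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt \
+                $(KEYDIR)/tls-pubkey.txt $(KEYDIR)/tls-privkey.txt
         -rmdir $(KEYDIR) $(CONFDIR)/plugins.d $(CONFDIR)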
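Review bot: The added dracut install step (new lines 480–484, in a client install recipe whose header is outside the visible context) copies `dracut-module/module-setup.sh`, `dracut-module/cmdline-mandos.sh` and `dracut-module/password-agent` with `--mode=u=rwxs,go=rx` into a directory created by a plain `install --directory $(DRACUTMODULE)`, so all three end up set-user-ID (for whoever runs the install, normally root) and executable by every local user. Linux ignores the bit on interpreted scripts, and a set-user-ID helper on the installed system should be a documented decision; unless password-agent is shown to need it, use `install --mode=u=rwx,go=rx \` here and add a comment explaining the mode if it stays. Separately, purge-client removes `$(KEYDIR)/tls-pubkey.txt $(KEYDIR)/tls-privkey.txt`, but every other rule in this change names the files `tls-pubkey.pem` and `tls-privkey.pem`, so the TLS public key would be left behind and the following `-rmdir $(KEYDIR)` would fail with its error ignored; that line should read `$(KEYDIR)/tls-pubkey.pem $(KEYDIR)/tls-privkey.pem`.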