
Viewing changes to Makefile

  • Committer: Teddy Hogeborn
  • Date: 2019-07-14 22:39:15 UTC
  • Revision ID: teddy@recompile.se-20190714223915-aqjkms3t3taa6tye
Only use sanitizing options when debugging

The C compiler's sanitizing options introduce code in the output
binary which is fragile and not very security conscious.  It has
become clear that sanitizing is only really meant for use while
debugging.

As a side effect, this makes compilation faster, as the Makefile, for
production builds, no longer runs the compiler repeatedly to find all
its currently supported sanitizing options.

* Makefile (DEBUG): Add "$(SANITIZE)".
  (SANITIZE): Comment out.
  (CFLAGS): Remove "$(SANITIZE)".
  (plugins.d/mandos-client): Revert back to use plain $(LINK.c), since
                             we no longer need to remove the leak
                             sanitizer by overriding CFLAGS.

25
25
        -fsanitize=object-size -fsanitize=float-divide-by-zero \
26
26
        -fsanitize=float-cast-overflow -fsanitize=nonnull-attribute \
27
27
        -fsanitize=returns-nonnull-attribute -fsanitize=bool \
28
 
        -fsanitize=enum -fsanitize-address-use-after-scope
 
28
        -fsanitize=enum
29
29
 
30
30
# For info about _FORTIFY_SOURCE, see feature_test_macros(7)
31
31
# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
41
41
#COVERAGE=--coverage
42
42
OPTIMIZE:=-Os -fno-strict-aliasing
43
43
LANGUAGE:=-std=gnu11
44
 
FEATURES:=-D_FILE_OFFSET_BITS=64
45
44
htmldir:=man
46
 
version:=1.8.8
 
45
version:=1.8.4
47
46
SED:=sed
48
 
PKG_CONFIG?=pkg-config
49
 
 
50
 
USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos \
51
 
        || getent passwd nobody || echo 65534)))
52
 
GROUP:=$(firstword $(subst :, ,$(shell getent group _mandos \
53
 
        || getent group nogroup || echo 65534)))
54
 
 
55
 
LINUXVERSION:=$(shell uname --kernel-release)
 
47
 
 
48
USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))
 
49
GROUP:=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nogroup || echo 65534)))
56
50
 
57
51
## Use these settings for a traditional /usr/local install
58
52
# PREFIX:=$(DESTDIR)/usr/local
60
54
# KEYDIR:=$(DESTDIR)/etc/mandos/keys
61
55
# MANDIR:=$(PREFIX)/man
62
56
# INITRAMFSTOOLS:=$(DESTDIR)/etc/initramfs-tools
63
 
# DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos
64
57
# STATEDIR:=$(DESTDIR)/var/lib/mandos
65
58
# LIBDIR:=$(PREFIX)/lib
66
59
##
71
64
KEYDIR:=$(DESTDIR)/etc/keys/mandos
72
65
MANDIR:=$(PREFIX)/share/man
73
66
INITRAMFSTOOLS:=$(DESTDIR)/usr/share/initramfs-tools
74
 
DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos
75
67
STATEDIR:=$(DESTDIR)/var/lib/mandos
76
68
LIBDIR:=$(shell \
77
69
        for d in \
78
 
        "/usr/lib/`dpkg-architecture \
79
 
                        -qDEB_HOST_MULTIARCH 2>/dev/null`" \
 
70
        "/usr/lib/`dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null`" \
80
71
        "`rpm --eval='%{_libdir}' 2>/dev/null`" /usr/lib; do \
81
72
                if [ -d "$$d" -a "$$d" = "$${d%/}" ]; then \
82
73
                        echo "$(DESTDIR)$$d"; \
85
76
        done)
86
77
##
87
78
 
88
 
SYSTEMD:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \
89
 
                        --variable=systemdsystemunitdir)
90
 
TMPFILES:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \
91
 
                        --variable=tmpfilesdir)
92
 
SYSUSERS:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \
93
 
                        --variable=sysusersdir)
 
79
SYSTEMD:=$(DESTDIR)$(shell pkg-config systemd --variable=systemdsystemunitdir)
 
80
TMPFILES:=$(DESTDIR)$(shell pkg-config systemd --variable=tmpfilesdir)
94
81
 
95
 
GNUTLS_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I gnutls)
96
 
GNUTLS_LIBS:=$(shell $(PKG_CONFIG) --libs gnutls)
97
 
AVAHI_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I avahi-core)
98
 
AVAHI_LIBS:=$(shell $(PKG_CONFIG) --libs avahi-core)
 
82
GNUTLS_CFLAGS:=$(shell pkg-config --cflags-only-I gnutls)
 
83
GNUTLS_LIBS:=$(shell pkg-config --libs gnutls)
 
84
AVAHI_CFLAGS:=$(shell pkg-config --cflags-only-I avahi-core)
 
85
AVAHI_LIBS:=$(shell pkg-config --libs avahi-core)
99
86
GPGME_CFLAGS:=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)
100
87
GPGME_LIBS:=$(shell gpgme-config --libs; getconf LFS_LIBS; \
101
88
        getconf LFS_LDFLAGS)
102
 
LIBNL3_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I libnl-route-3.0)
103
 
LIBNL3_LIBS:=$(shell $(PKG_CONFIG) --libs libnl-route-3.0)
104
 
GLIB_CFLAGS:=$(shell $(PKG_CONFIG) --cflags glib-2.0)
105
 
GLIB_LIBS:=$(shell $(PKG_CONFIG) --libs glib-2.0)
 
89
LIBNL3_CFLAGS:=$(shell pkg-config --cflags-only-I libnl-route-3.0)
 
90
LIBNL3_LIBS:=$(shell pkg-config --libs libnl-route-3.0)
106
91
 
107
92
# Do not change these two
108
 
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \
109
 
        $(LANGUAGE) $(FEATURES) -DVERSION='"$(version)"'
110
 
LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(strip \
111
 
        ) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
 
93
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) \
 
94
        $(OPTIMIZE) $(LANGUAGE) -DVERSION='"$(version)"'
 
95
LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
112
96
 
113
97
# Commands to format a DocBook <refentry> document into a manual page
114
98
DOCBOOKTOMAN=$(strip cd $(dir $<); xsltproc --nonet --xinclude \
120
104
        /usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl \
121
105
        $(notdir $<); \
122
106
        if locale --all 2>/dev/null | grep --regexp='^en_US\.utf8$$' \
123
 
        && command -v man >/dev/null; then LANG=en_US.UTF-8 \
124
 
        MANWIDTH=80 man --warnings --encoding=UTF-8 --local-file \
125
 
        $(notdir $@); fi >/dev/null)
 
107
        && type man 2>/dev/null; then LANG=en_US.UTF-8 MANWIDTH=80 \
 
108
        man --warnings --encoding=UTF-8 --local-file $(notdir $@); \
 
109
        fi >/dev/null)
126
110
 
127
111
DOCBOOKTOHTML=$(strip xsltproc --nonet --xinclude \
128
112
        --param make.year.ranges                1 \
141
125
        plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo \
142
126
        plugins.d/plymouth
143
127
PLUGIN_HELPERS:=plugin-helpers/mandos-client-iprouteadddel
144
 
CPROGS:=plugin-runner dracut-module/password-agent $(PLUGINS) \
145
 
        $(PLUGIN_HELPERS)
 
128
CPROGS:=plugin-runner $(PLUGINS) $(PLUGIN_HELPERS)
146
129
PROGS:=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
147
130
DOCS:=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
148
131
        mandos.conf.5 mandos-clients.conf.5 plugin-runner.8mandos \
149
 
        dracut-module/password-agent.8mandos \
150
132
        plugins.d/mandos-client.8mandos \
151
133
        plugins.d/password-prompt.8mandos plugins.d/usplash.8mandos \
152
134
        plugins.d/splashy.8mandos plugins.d/askpass-fifo.8mandos \
224
206
                overview.xml legalnotice.xml
225
207
        $(DOCBOOKTOHTML)
226
208
 
227
 
dracut-module/password-agent.8mandos: \
228
 
                dracut-module/password-agent.xml common.ent \
229
 
                overview.xml legalnotice.xml
230
 
        $(DOCBOOKTOMAN)
231
 
dracut-module/password-agent.8mandos.xhtml: \
232
 
                dracut-module/password-agent.xml common.ent \
233
 
                overview.xml legalnotice.xml
234
 
        $(DOCBOOKTOHTML)
235
 
 
236
209
plugins.d/mandos-client.8mandos: plugins.d/mandos-client.xml \
237
210
                                        common.ent \
238
211
                                        mandos-options.xml \
284
257
# Need to add the GnuTLS, Avahi and GPGME libraries
285
258
plugins.d/mandos-client: plugins.d/mandos-client.c
286
259
        $(LINK.c) $^ $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(strip\
287
 
                ) $(GPGME_CFLAGS) $(GNUTLS_LIBS) $(strip\
 
260
                ) $(GPGME_CFLAGS) -lrt $(GNUTLS_LIBS) $(strip\
288
261
                ) $(AVAHI_LIBS) $(GPGME_LIBS) $(LOADLIBES) $(strip\
289
262
                ) $(LDLIBS) -o $@
290
263
 
291
 
# Need to add the libnl-route library
292
264
plugin-helpers/mandos-client-iprouteadddel: plugin-helpers/mandos-client-iprouteadddel.c
293
265
        $(LINK.c) $(LIBNL3_CFLAGS) $^ $(LIBNL3_LIBS) $(strip\
294
266
                ) $(LOADLIBES) $(LDLIBS) -o $@
295
267
 
296
 
# Need to add the GLib and pthread libraries
297
 
dracut-module/password-agent: dracut-module/password-agent.c
298
 
        $(LINK.c) $(GLIB_CFLAGS) $^ $(GLIB_LIBS) -lpthread $(strip\
299
 
                ) $(LOADLIBES) $(LDLIBS) -o $@
300
 
 
301
268
.PHONY : all doc html clean distclean mostlyclean maintainer-clean \
302
269
        check run-client run-server install install-html \
303
270
        install-server install-client-nokey install-client uninstall \
312
279
maintainer-clean: clean
313
280
        -rm --force --recursive keydir confdir statedir
314
281
 
315
 
check: all
 
282
check:  all
316
283
        ./mandos --check
317
284
        ./mandos-ctl --check
318
 
        ./mandos-keygen --version
319
 
        ./plugin-runner --version
320
 
        ./plugin-helpers/mandos-client-iprouteadddel --version
321
 
        ./dracut-module/password-agent --test
322
285
 
323
286
# Run the client with a local config and key
324
 
run-client: all keydir/seckey.txt keydir/pubkey.txt \
325
 
                        keydir/tls-privkey.pem keydir/tls-pubkey.pem
326
 
        @echo '######################################################'
327
 
        @echo '# The following error messages are harmless and can  #'
328
 
        @echo '#  be safely ignored:                                #'
329
 
        @echo '## From plugin-runner:                               #'
330
 
        @echo '# setgid: Operation not permitted                    #'
331
 
        @echo '# setuid: Operation not permitted                    #'
332
 
        @echo '## From askpass-fifo:                                #'
333
 
        @echo '# mkfifo: Permission denied                          #'
334
 
        @echo '## From mandos-client:                               #'
335
 
        @echo '# Failed to raise privileges: Operation not permi... #'
336
 
        @echo '# Warning: network hook "*" exited with status *     #'
337
 
        @echo '# ioctl SIOCSIFFLAGS +IFF_UP: Operation not permi... #'
338
 
        @echo '# Failed to bring up interface "*": Operation not... #'
339
 
        @echo '#                                                    #'
340
 
        @echo '# (The messages are caused by not running as root,   #'
341
 
        @echo '# but you should NOT run "make run-client" as root   #'
342
 
        @echo '# unless you also unpacked and compiled Mandos as    #'
343
 
        @echo '# root, which is also NOT recommended.)              #'
344
 
        @echo '######################################################'
 
287
run-client: all keydir/seckey.txt keydir/pubkey.txt keydir/tls-privkey.pem keydir/tls-pubkey.pem
 
288
        @echo "###################################################################"
 
289
        @echo "# The following error messages are harmless and can be safely     #"
 
290
        @echo "# ignored:                                                        #"
 
291
        @echo "# From plugin-runner: setgid: Operation not permitted             #"
 
292
        @echo "#                     setuid: Operation not permitted             #"
 
293
        @echo "# From askpass-fifo:  mkfifo: Permission denied                   #"
 
294
        @echo "# From mandos-client:                                             #"
 
295
        @echo "#             Failed to raise privileges: Operation not permitted #"
 
296
        @echo "#             Warning: network hook \"*\" exited with status *      #"
 
297
        @echo "#                                                                 #"
 
298
        @echo "# (The messages are caused by not running as root, but you should #"
 
299
        @echo "# NOT run \"make run-client\" as root unless you also unpacked and  #"
 
300
        @echo "# compiled Mandos as root, which is also NOT recommended.)        #"
 
301
        @echo "###################################################################"
345
302
# We set GNOME_KEYRING_CONTROL to block pam_gnome_keyring
346
303
        ./plugin-runner --plugin-dir=plugins.d \
347
304
                --plugin-helper-dir=plugin-helpers \
387
344
        elif install --directory --mode=u=rwx $(STATEDIR); then \
388
345
                chown -- $(USER):$(GROUP) $(STATEDIR) || :; \
389
346
        fi
390
 
        if [ "$(TMPFILES)" != "$(DESTDIR)" \
391
 
                        -a -d "$(TMPFILES)" ]; then \
 
347
        if [ "$(TMPFILES)" != "$(DESTDIR)" -a -d "$(TMPFILES)" ]; then \
392
348
                install --mode=u=rw,go=r tmpfiles.d-mandos.conf \
393
349
                        $(TMPFILES)/mandos.conf; \
394
350
        fi
395
 
        if [ "$(SYSUSERS)" != "$(DESTDIR)" \
396
 
                        -a -d "$(SYSUSERS)" ]; then \
397
 
                install --mode=u=rw,go=r sysusers.d-mandos.conf \
398
 
                        $(SYSUSERS)/mandos.conf; \
399
 
        fi
400
351
        install --mode=u=rwx,go=rx mandos $(PREFIX)/sbin/mandos
401
352
        install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
402
353
                mandos-ctl
436
387
        install --directory --mode=u=rwx $(KEYDIR) \
437
388
                $(LIBDIR)/mandos/plugins.d \
438
389
                $(LIBDIR)/mandos/plugin-helpers
439
 
        if [ "$(SYSUSERS)" != "$(DESTDIR)" \
440
 
                        -a -d "$(SYSUSERS)" ]; then \
441
 
                install --mode=u=rw,go=r sysusers.d-mandos.conf \
442
 
                        $(SYSUSERS)/mandos-client.conf; \
443
 
        fi
444
390
        if [ "$(CONFDIR)" != "$(LIBDIR)/mandos" ]; then \
445
391
                install --mode=u=rwx \
446
392
                        --directory "$(CONFDIR)/plugins.d" \
451
397
        install --mode=u=rwx,go=rx \
452
398
                --target-directory=$(LIBDIR)/mandos plugin-runner
453
399
        install --mode=u=rwx,go=rx \
454
 
                --target-directory=$(LIBDIR)/mandos \
455
 
                mandos-to-cryptroot-unlock
 
400
                --target-directory=$(LIBDIR)/mandos mandos-to-cryptroot-unlock
456
401
        install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
457
402
                mandos-keygen
458
403
        install --mode=u=rwx,go=rx \
486
431
                $(INITRAMFSTOOLS)/scripts/init-premount/mandos
487
432
        install initramfs-tools-script-stop \
488
433
                $(INITRAMFSTOOLS)/scripts/local-premount/mandos
489
 
        install --directory $(DRACUTMODULE)
490
 
        install --mode=u=rw,go=r --target-directory=$(DRACUTMODULE) \
491
 
                dracut-module/ask-password-mandos.path \
492
 
                dracut-module/ask-password-mandos.service
493
 
        install --mode=u=rwxs,go=rx \
494
 
                --target-directory=$(DRACUTMODULE) \
495
 
                dracut-module/module-setup.sh \
496
 
                dracut-module/cmdline-mandos.sh \
497
 
                dracut-module/password-agent
498
434
        install --mode=u=rw,go=r plugin-runner.conf $(CONFDIR)
499
435
        gzip --best --to-stdout mandos-keygen.8 \
500
436
                > $(MANDIR)/man8/mandos-keygen.8.gz
512
448
                > $(MANDIR)/man8/askpass-fifo.8mandos.gz
513
449
        gzip --best --to-stdout plugins.d/plymouth.8mandos \
514
450
                > $(MANDIR)/man8/plymouth.8mandos.gz
515
 
        gzip --best --to-stdout dracut-module/password-agent.8mandos \
516
 
                > $(MANDIR)/man8/password-agent.8mandos.gz
517
451
 
518
452
install-client: install-client-nokey
519
453
# Post-installation stuff
520
454
        -$(PREFIX)/sbin/mandos-keygen --dir "$(KEYDIR)"
521
 
        if command -v update-initramfs >/dev/null; then \
522
 
            update-initramfs -k all -u; \
523
 
        elif command -v dracut >/dev/null; then \
524
 
            for initrd in $(DESTDIR)/boot/initr*-$(LINUXVERSION); do \
525
 
                if [ -w "$$initrd" ]; then \
526
 
                    chmod go-r "$$initrd"; \
527
 
                    dracut --force "$$initrd"; \
528
 
                fi; \
529
 
            done; \
530
 
        fi
 
455
        update-initramfs -k all -u
531
456
        echo "Now run mandos-keygen --password --dir $(KEYDIR)"
532
457
 
533
458
uninstall: uninstall-server uninstall-client
560
485
                $(INITRAMFSTOOLS)/hooks/mandos \
561
486
                $(INITRAMFSTOOLS)/conf-hooks.d/mandos \
562
487
                $(INITRAMFSTOOLS)/scripts/init-premount/mandos \
563
 
                $(INITRAMFSTOOLS)/scripts/local-premount/mandos \
564
 
                $(DRACUTMODULE)/ask-password-mandos.path \
565
 
                $(DRACUTMODULE)/ask-password-mandos.service \
566
 
                $(DRACUTMODULE)/module-setup.sh \
567
 
                $(DRACUTMODULE)/cmdline-mandos.sh \
568
 
                $(DRACUTMODULE)/password-agent \
569
488
                $(MANDIR)/man8/mandos-keygen.8.gz \
570
489
                $(MANDIR)/man8/plugin-runner.8mandos.gz \
571
490
                $(MANDIR)/man8/mandos-client.8mandos.gz
574
493
                $(MANDIR)/man8/splashy.8mandos.gz \
575
494
                $(MANDIR)/man8/askpass-fifo.8mandos.gz \
576
495
                $(MANDIR)/man8/plymouth.8mandos.gz \
577
 
                $(MANDIR)/man8/password-agent.8mandos.gz \
578
496
        -rmdir $(LIBDIR)/mandos/plugins.d $(CONFDIR)/plugins.d \
579
 
                 $(LIBDIR)/mandos $(CONFDIR) $(KEYDIR) $(DRACUTMODULE)
580
 
        if command -v update-initramfs >/dev/null; then \
581
 
            update-initramfs -k all -u; \
582
 
        elif command -v dracut >/dev/null; then \
583
 
            for initrd in $(DESTDIR)/boot/initr*-$(LINUXVERSION); do \
584
 
                test -w "$$initrd" && dracut --force "$$initrd"; \
585
 
            done; \
586
 
        fi
 
497
                 $(LIBDIR)/mandos $(CONFDIR) $(KEYDIR)
 
498
        update-initramfs -k all -u
587
499
 
588
500
purge: purge-server purge-client
589
501