/mandos/trunk : revision 1111

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to Makefile

Committer: Teddy Hogeborn
Date: 2019-07-14 22:39:15 UTC
Revision ID: teddy@recompile.se-20190714223915-aqjkms3t3taa6tye

Only use sanitizing options when debugging

The C compiler's sanitizing options introduce code in the output
binary which is fragile and not very security conscious.  It has
become clear that sanitizing is only really meant for use while
debugging.

As a side effect, this makes compilation faster, as the Makefile, for
production builds, no longer runs the compiler repeatedly to find all
its currently supported sanitizing options.

* Makefile (DEBUG): Add "$(SANITIZE)".
  (SANITIZE): Comment out.
  (CFLAGS): Remove "$(SANITIZE)".
  (plugins.d/mandos-client): Revert back to use plain $(LINK.c), since
                             we no longer need to remove the leak
                             sanitizer by overriding CFLAGS.

files removed:
debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream/metadata

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

sysusers.d-mandos.conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

common.ent

debian/changelog

debian/control

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.templates

initramfs-unpack

intro.xml

mandos

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-options.xml

mandos-to-cryptroot-unlock

mandos.lsm

mandos.xml

plugin-runner.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.xml

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

Makefile

-fsanitize=object-size -fsanitize=float-divide-by-zero \

-fsanitize=float-cast-overflow -fsanitize=nonnull-attribute \

-fsanitize=returns-nonnull-attribute -fsanitize=bool \

-fsanitize=enum -fsanitize-address-use-after-scope

-fsanitize=enum

# For info about _FORTIFY_SOURCE, see feature_test_macros(7)

# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.

#COVERAGE=--coverage

OPTIMIZE:=-Os -fno-strict-aliasing

LANGUAGE:=-std=gnu11

FEATURES:=-D_FILE_OFFSET_BITS=64

htmldir:=man

version:=1.8.9

version:=1.8.4

SED:=sed

PKG_CONFIG?=pkg-config

USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos \

|| getent passwd nobody || echo 65534)))

GROUP:=$(firstword $(subst :, ,$(shell getent group _mandos \

|| getent group nogroup || echo 65534)))

LINUXVERSION:=$(shell uname --kernel-release)

USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))

GROUP:=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nogroup || echo 65534)))

## Use these settings for a traditional /usr/local install

# PREFIX:=$(DESTDIR)/usr/local

# KEYDIR:=$(DESTDIR)/etc/mandos/keys

# MANDIR:=$(PREFIX)/man

# INITRAMFSTOOLS:=$(DESTDIR)/etc/initramfs-tools

# DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos

# STATEDIR:=$(DESTDIR)/var/lib/mandos

# LIBDIR:=$(PREFIX)/lib

KEYDIR:=$(DESTDIR)/etc/keys/mandos

MANDIR:=$(PREFIX)/share/man

INITRAMFSTOOLS:=$(DESTDIR)/usr/share/initramfs-tools

DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos

STATEDIR:=$(DESTDIR)/var/lib/mandos

LIBDIR:=$(shell \

for d in \

"/usr/lib/`dpkg-architecture \

-qDEB_HOST_MULTIARCH 2>/dev/null`" \

"/usr/lib/`dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null`" \

"`rpm --eval='%{_libdir}' 2>/dev/null`" /usr/lib; do \

if [ -d "$$d" -a "$$d" = "$${d%/}" ]; then \

echo "$(DESTDIR)$$d"; \

done)

SYSTEMD:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \

--variable=systemdsystemunitdir)

TMPFILES:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \

--variable=tmpfilesdir)

SYSUSERS:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \

--variable=sysusersdir)

SYSTEMD:=$(DESTDIR)$(shell pkg-config systemd --variable=systemdsystemunitdir)

TMPFILES:=$(DESTDIR)$(shell pkg-config systemd --variable=tmpfilesdir)

GNUTLS_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I gnutls)

GNUTLS_LIBS:=$(shell $(PKG_CONFIG) --libs gnutls)

AVAHI_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I avahi-core)

AVAHI_LIBS:=$(shell $(PKG_CONFIG) --libs avahi-core)

GNUTLS_CFLAGS:=$(shell pkg-config --cflags-only-I gnutls)

GNUTLS_LIBS:=$(shell pkg-config --libs gnutls)

AVAHI_CFLAGS:=$(shell pkg-config --cflags-only-I avahi-core)

AVAHI_LIBS:=$(shell pkg-config --libs avahi-core)

GPGME_CFLAGS:=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)

100

GPGME_LIBS:=$(shell gpgme-config --libs; getconf LFS_LIBS; \

101

getconf LFS_LDFLAGS)

102

LIBNL3_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I libnl-route-3.0)

103

LIBNL3_LIBS:=$(shell $(PKG_CONFIG) --libs libnl-route-3.0)

104

GLIB_CFLAGS:=$(shell $(PKG_CONFIG) --cflags glib-2.0)

105

GLIB_LIBS:=$(shell $(PKG_CONFIG) --libs glib-2.0)

LIBNL3_CFLAGS:=$(shell pkg-config --cflags-only-I libnl-route-3.0)

LIBNL3_LIBS:=$(shell pkg-config --libs libnl-route-3.0)

106

107

# Do not change these two

108

CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \

109

$(LANGUAGE) $(FEATURES) -DVERSION='"$(version)"'

110

LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(strip \

111

) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))

CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) \

$(OPTIMIZE) $(LANGUAGE) -DVERSION='"$(version)"'

LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))

112

113

# Commands to format a DocBook <refentry> document into a manual page

114

DOCBOOKTOMAN=$(strip cd $(dir $<); xsltproc --nonet --xinclude \

120

104

/usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl \

121

105

$(notdir $<); \

122

106

if locale --all 2>/dev/null | grep --regexp='^en_US\.utf8$$' \

123

&& command -v man >/dev/null; then LANG=en_US.UTF-8 \

124

MANWIDTH=80 man --warnings --encoding=UTF-8 --local-file \

125

$(notdir $@); fi >/dev/null)

107

&& type man 2>/dev/null; then LANG=en_US.UTF-8 MANWIDTH=80 \

108

man --warnings --encoding=UTF-8 --local-file $(notdir $@); \

109

fi >/dev/null)

126

110

127

111

DOCBOOKTOHTML=$(strip xsltproc --nonet --xinclude \

128

112

--param make.year.ranges 1 \

141

125

plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo \

142

126

plugins.d/plymouth

143

127

PLUGIN_HELPERS:=plugin-helpers/mandos-client-iprouteadddel

144

CPROGS:=plugin-runner dracut-module/password-agent $(PLUGINS) \

145

$(PLUGIN_HELPERS)

128

CPROGS:=plugin-runner $(PLUGINS) $(PLUGIN_HELPERS)

146

129

PROGS:=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)

147

130

DOCS:=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \

148

131

mandos.conf.5 mandos-clients.conf.5 plugin-runner.8mandos \

149

dracut-module/password-agent.8mandos \

150

132

plugins.d/mandos-client.8mandos \

151

133

plugins.d/password-prompt.8mandos plugins.d/usplash.8mandos \

152

134

plugins.d/splashy.8mandos plugins.d/askpass-fifo.8mandos \

156

138

157

139

objects:=$(addsuffix .o,$(CPROGS))

158

140

159

.PHONY: all

160

141

all: $(PROGS) mandos.lsm

161

142

162

.PHONY: doc

163

143

doc: $(DOCS)

164

144

165

.PHONY: html

166

145

html: $(htmldocs)

167

146

168

147

%.5: %.xml common.ent legalnotice.xml

227

206

overview.xml legalnotice.xml

228

207

$(DOCBOOKTOHTML)

229

208

230

dracut-module/password-agent.8mandos: \

231

dracut-module/password-agent.xml common.ent \

232

overview.xml legalnotice.xml

233

$(DOCBOOKTOMAN)

234

dracut-module/password-agent.8mandos.xhtml: \

235

dracut-module/password-agent.xml common.ent \

236

overview.xml legalnotice.xml

237

$(DOCBOOKTOHTML)

238

239

209

plugins.d/mandos-client.8mandos: plugins.d/mandos-client.xml \

240

210

common.ent \

241

211

mandos-options.xml \

285

255

$@)

286

256

287

257

# Need to add the GnuTLS, Avahi and GPGME libraries

288

plugins.d/mandos-client: CFLAGS += $(GNUTLS_CFLAGS) $(strip \

289

) $(AVAHI_CFLAGS) $(GPGME_CFLAGS)

290

plugins.d/mandos-client: LDLIBS += $(GNUTLS_LIBS) $(strip \

291

) $(AVAHI_LIBS) $(GPGME_LIBS)

292

293

# Need to add the libnl-route library

294

plugin-helpers/mandos-client-iprouteadddel: CFLAGS += $(LIBNL3_CFLAGS)

295

plugin-helpers/mandos-client-iprouteadddel: LDLIBS += $(LIBNL3_LIBS)

296

297

# Need to add the GLib and pthread libraries

298

dracut-module/password-agent: CFLAGS += $(GLIB_CFLAGS)

299

dracut-module/password-agent: LDLIBS += $(GLIB_LIBS) -lpthread

300

301

.PHONY: clean

258

plugins.d/mandos-client: plugins.d/mandos-client.c

259

$(LINK.c) $^ $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(strip\

260

) $(GPGME_CFLAGS) -lrt $(GNUTLS_LIBS) $(strip\

261

) $(AVAHI_LIBS) $(GPGME_LIBS) $(LOADLIBES) $(strip\

262

) $(LDLIBS) -o $@

263

264

plugin-helpers/mandos-client-iprouteadddel: plugin-helpers/mandos-client-iprouteadddel.c

265

$(LINK.c) $(LIBNL3_CFLAGS) $^ $(LIBNL3_LIBS) $(strip\

266

) $(LOADLIBES) $(LDLIBS) -o $@

267

268

.PHONY : all doc html clean distclean mostlyclean maintainer-clean \

269

check run-client run-server install install-html \

270

install-server install-client-nokey install-client uninstall \

271

uninstall-server uninstall-client purge purge-server \

272

purge-client

273

302

274

clean:

303

275

-rm --force $(CPROGS) $(objects) $(htmldocs) $(DOCS) core

304

276

305

.PHONY: distclean

306

277

distclean: clean

307

.PHONY: mostlyclean

308

278

mostlyclean: clean

309

.PHONY: maintainer-clean

310

279

maintainer-clean: clean

311

280

-rm --force --recursive keydir confdir statedir

312

281

313

.PHONY: check

314

check: all

282

check: all

315

283

./mandos --check

316

284

./mandos-ctl --check

317

./mandos-keygen --version

318

./plugin-runner --version

319

./plugin-helpers/mandos-client-iprouteadddel --version

320

./dracut-module/password-agent --test

321

285

322

286

# Run the client with a local config and key

323

.PHONY: run-client

324

run-client: all keydir/seckey.txt keydir/pubkey.txt \

325

keydir/tls-privkey.pem keydir/tls-pubkey.pem

326

@echo '######################################################'

327

@echo '# The following error messages are harmless and can #'

328

@echo '# be safely ignored: #'

329

@echo '## From plugin-runner: #'

330

@echo '# setgid: Operation not permitted #'

331

@echo '# setuid: Operation not permitted #'

332

@echo '## From askpass-fifo: #'

333

@echo '# mkfifo: Permission denied #'

334

@echo '## From mandos-client: #'

335

@echo '# Failed to raise privileges: Operation not permi... #'

336

@echo '# Warning: network hook "*" exited with status * #'

337

@echo '# ioctl SIOCSIFFLAGS +IFF_UP: Operation not permi... #'

338

@echo '# Failed to bring up interface "*": Operation not... #'

339

@echo '# #'

340

@echo '# (The messages are caused by not running as root, #'

341

@echo '# but you should NOT run "make run-client" as root #'

342

@echo '# unless you also unpacked and compiled Mandos as #'

343

@echo '# root, which is also NOT recommended.) #'

344

@echo '######################################################'

287

run-client: all keydir/seckey.txt keydir/pubkey.txt keydir/tls-privkey.pem keydir/tls-pubkey.pem

288

@echo "###################################################################"

289

@echo "# The following error messages are harmless and can be safely #"

290

@echo "# ignored: #"

291

@echo "# From plugin-runner: setgid: Operation not permitted #"

292

@echo "# setuid: Operation not permitted #"

293

@echo "# From askpass-fifo: mkfifo: Permission denied #"

294

@echo "# From mandos-client: #"

295

@echo "# Failed to raise privileges: Operation not permitted #"

296

@echo "# Warning: network hook \"*\" exited with status * #"

297

@echo "# #"

298

@echo "# (The messages are caused by not running as root, but you should #"

299

@echo "# NOT run \"make run-client\" as root unless you also unpacked and #"

300

@echo "# compiled Mandos as root, which is also NOT recommended.) #"

301

@echo "###################################################################"

345

302

# We set GNOME_KEYRING_CONTROL to block pam_gnome_keyring

346

303

./plugin-runner --plugin-dir=plugins.d \

347

304

--plugin-helper-dir=plugin-helpers \

356

313

./mandos-keygen --dir keydir --force

357

314

358

315

# Run the server with a local config

359

.PHONY: run-server

360

316

run-server: confdir/mandos.conf confdir/clients.conf statedir

361

317

./mandos --debug --no-dbus --configdir=confdir \

362

318

--statedir=statedir $(SERVERARGS)

373

329

statedir:

374

330

install --directory statedir

375

331

376

.PHONY: install

377

332

install: install-server install-client-nokey

378

333

379

.PHONY: install-html

380

334

install-html: html

381

335

install --directory $(htmldir)

382

336

install --mode=u=rw,go=r --target-directory=$(htmldir) \

383

337

$(htmldocs)

384

338

385

.PHONY: install-server

386

339

install-server: doc

387

340

install --directory $(CONFDIR)

388

341

if install --directory --mode=u=rwx --owner=$(USER) \

391

344

elif install --directory --mode=u=rwx $(STATEDIR); then \

392

345

chown -- $(USER):$(GROUP) $(STATEDIR) || :; \

393

346

394

if [ "$(TMPFILES)" != "$(DESTDIR)" \

395

-a -d "$(TMPFILES)" ]; then \

347

if [ "$(TMPFILES)" != "$(DESTDIR)" -a -d "$(TMPFILES)" ]; then \

396

348

install --mode=u=rw,go=r tmpfiles.d-mandos.conf \

397

349

$(TMPFILES)/mandos.conf; \

398

350

399

if [ "$(SYSUSERS)" != "$(DESTDIR)" \

400

-a -d "$(SYSUSERS)" ]; then \

401

install --mode=u=rw,go=r sysusers.d-mandos.conf \

402

$(SYSUSERS)/mandos.conf; \

403

404

351

install --mode=u=rwx,go=rx mandos $(PREFIX)/sbin/mandos

405

352

install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \

406

353

mandos-ctl

435

382

gzip --best --to-stdout intro.8mandos \

436

383

> $(MANDIR)/man8/intro.8mandos.gz

437

384

438

.PHONY: install-client-nokey

439

385

install-client-nokey: all doc

440

386

install --directory $(LIBDIR)/mandos $(CONFDIR)

441

387

install --directory --mode=u=rwx $(KEYDIR) \

442

388

$(LIBDIR)/mandos/plugins.d \

443

389

$(LIBDIR)/mandos/plugin-helpers

444

if [ "$(SYSUSERS)" != "$(DESTDIR)" \

445

-a -d "$(SYSUSERS)" ]; then \

446

install --mode=u=rw,go=r sysusers.d-mandos.conf \

447

$(SYSUSERS)/mandos-client.conf; \

448

449

390

if [ "$(CONFDIR)" != "$(LIBDIR)/mandos" ]; then \

450

391

install --mode=u=rwx \

451

392

--directory "$(CONFDIR)/plugins.d" \

456

397

install --mode=u=rwx,go=rx \

457

398

--target-directory=$(LIBDIR)/mandos plugin-runner

458

399

install --mode=u=rwx,go=rx \

459

--target-directory=$(LIBDIR)/mandos \

460

mandos-to-cryptroot-unlock

400

--target-directory=$(LIBDIR)/mandos mandos-to-cryptroot-unlock

461

401

install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \

462

402

mandos-keygen

463

403

install --mode=u=rwx,go=rx \

491

431

$(INITRAMFSTOOLS)/scripts/init-premount/mandos

492

432

install initramfs-tools-script-stop \

493

433

$(INITRAMFSTOOLS)/scripts/local-premount/mandos

494

install --directory $(DRACUTMODULE)

495

install --mode=u=rw,go=r --target-directory=$(DRACUTMODULE) \

496

dracut-module/ask-password-mandos.path \

497

dracut-module/ask-password-mandos.service

498

install --mode=u=rwxs,go=rx \

499

--target-directory=$(DRACUTMODULE) \

500

dracut-module/module-setup.sh \

501

dracut-module/cmdline-mandos.sh \

502

dracut-module/password-agent

503

434

install --mode=u=rw,go=r plugin-runner.conf $(CONFDIR)

504

435

gzip --best --to-stdout mandos-keygen.8 \

505

436

> $(MANDIR)/man8/mandos-keygen.8.gz

517

448

> $(MANDIR)/man8/askpass-fifo.8mandos.gz

518

449

gzip --best --to-stdout plugins.d/plymouth.8mandos \

519

450

> $(MANDIR)/man8/plymouth.8mandos.gz

520

gzip --best --to-stdout dracut-module/password-agent.8mandos \

521

> $(MANDIR)/man8/password-agent.8mandos.gz

522

451

523

.PHONY: install-client

524

452

install-client: install-client-nokey

525

453

# Post-installation stuff

526

454

-$(PREFIX)/sbin/mandos-keygen --dir "$(KEYDIR)"

527

if command -v update-initramfs >/dev/null; then \

528

update-initramfs -k all -u; \

529

elif command -v dracut >/dev/null; then \

530

for initrd in $(DESTDIR)/boot/initr*-$(LINUXVERSION); do \

531

if [ -w "$$initrd" ]; then \

532

chmod go-r "$$initrd"; \

533

dracut --force "$$initrd"; \

534

fi; \

535

done; \

536

455

update-initramfs -k all -u

537

456

echo "Now run mandos-keygen --password --dir $(KEYDIR)"

538

457

539

.PHONY: uninstall

540

458

uninstall: uninstall-server uninstall-client

541

459

542

.PHONY: uninstall-server

543

460

uninstall-server:

544

461

-rm --force $(PREFIX)/sbin/mandos \

545

462

$(PREFIX)/sbin/mandos-ctl \

552

469

update-rc.d -f mandos remove

553

470

-rmdir $(CONFDIR)

554

471

555

.PHONY: uninstall-client

556

472

uninstall-client:

557

473

# Refuse to uninstall client if /etc/crypttab is explicitly configured

558

474

# to use it.

569

485

$(INITRAMFSTOOLS)/hooks/mandos \

570

486

$(INITRAMFSTOOLS)/conf-hooks.d/mandos \

571

487

$(INITRAMFSTOOLS)/scripts/init-premount/mandos \

572

$(INITRAMFSTOOLS)/scripts/local-premount/mandos \

573

$(DRACUTMODULE)/ask-password-mandos.path \

574

$(DRACUTMODULE)/ask-password-mandos.service \

575

$(DRACUTMODULE)/module-setup.sh \

576

$(DRACUTMODULE)/cmdline-mandos.sh \

577

$(DRACUTMODULE)/password-agent \

578

488

$(MANDIR)/man8/mandos-keygen.8.gz \

579

489

$(MANDIR)/man8/plugin-runner.8mandos.gz \

580

490

$(MANDIR)/man8/mandos-client.8mandos.gz

583

493

$(MANDIR)/man8/splashy.8mandos.gz \

584

494

$(MANDIR)/man8/askpass-fifo.8mandos.gz \

585

495

$(MANDIR)/man8/plymouth.8mandos.gz \

586

$(MANDIR)/man8/password-agent.8mandos.gz \

587

496

-rmdir $(LIBDIR)/mandos/plugins.d $(CONFDIR)/plugins.d \

588

$(LIBDIR)/mandos $(CONFDIR) $(KEYDIR) $(DRACUTMODULE)

589

if command -v update-initramfs >/dev/null; then \

590

update-initramfs -k all -u; \

591

elif command -v dracut >/dev/null; then \

592

for initrd in $(DESTDIR)/boot/initr*-$(LINUXVERSION); do \

593

test -w "$$initrd" && dracut --force "$$initrd"; \

594

done; \

595

497

$(LIBDIR)/mandos $(CONFDIR) $(KEYDIR)

498

update-initramfs -k all -u

596

499

597

.PHONY: purge

598

500

purge: purge-server purge-client

599

501

600

.PHONY: purge-server

601

502

purge-server: uninstall-server

602

503

-rm --force $(CONFDIR)/mandos.conf $(CONFDIR)/clients.conf \

603

504

$(DESTDIR)/etc/dbus-1/system.d/mandos.conf

608

509

$(DESTDIR)/var/run/mandos.pid

609

510

-rmdir $(CONFDIR)

610

511

611

.PHONY: purge-client

612

512

purge-client: uninstall-client

613

513

-shred --remove $(KEYDIR)/seckey.txt $(KEYDIR)/tls-privkey.pem

614

514

-rm --force $(CONFDIR)/plugin-runner.conf \

Older »