1
WARN=-O -Wall -Wextra -Wdouble-promotion -Wformat=2 -Winit-self \
1
WARN:=-O -Wall -Wextra -Wdouble-promotion -Wformat=2 -Winit-self \
2
2
-Wmissing-include-dirs -Wswitch-default -Wswitch-enum \
3
3
-Wunused -Wuninitialized -Wstrict-overflow=5 \
4
4
-Wsuggest-attribute=pure -Wsuggest-attribute=const \
10
10
-Wmissing-format-attribute -Wnormalized=nfc -Wpacked \
11
11
-Wredundant-decls -Wnested-externs -Winline -Wvla \
12
12
-Wvolatile-register-var -Woverlength-strings
14
# For info about _FORTIFY_SOURCE, see feature_test_macros(7)
15
# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
16
FORTIFY=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
14
#DEBUG:=-ggdb3 -fsanitize=address $(SANITIZE)
15
## Check which sanitizing options can be used
16
#SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \
17
# echo 'int main(){}' | $(CC) --language=c $(option) \
18
# /dev/stdin -o /dev/null >/dev/null 2>&1 && echo $(option)))
17
19
# <https://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan/>
18
ALL_SANITIZE_OPTIONS:=-fsanitize=address -fsanitize=undefined \
20
ALL_SANITIZE_OPTIONS:=-fsanitize=leak -fsanitize=undefined \
19
21
-fsanitize=shift -fsanitize=integer-divide-by-zero \
20
22
-fsanitize=unreachable -fsanitize=vla-bound -fsanitize=null \
21
23
-fsanitize=return -fsanitize=signed-integer-overflow \
24
26
-fsanitize=float-cast-overflow -fsanitize=nonnull-attribute \
25
27
-fsanitize=returns-nonnull-attribute -fsanitize=bool \
27
# Check which sanitizing options can be used
28
SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \
29
echo 'int main(){}' | $(CC) --language=c $(option) /dev/stdin \
30
-o /dev/null >/dev/null 2>&1 && echo $(option)))
31
LINK_FORTIFY_LD=-z relro -z now
30
# For info about _FORTIFY_SOURCE, see feature_test_macros(7)
31
# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
32
FORTIFY:=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
33
LINK_FORTIFY_LD:=-z relro -z now
34
36
# If BROKEN_PIE is set, do not build with -pie
37
39
LINK_FORTIFY += -pie
39
41
#COVERAGE=--coverage
40
OPTIMIZE=-Os -fno-strict-aliasing
42
OPTIMIZE:=-Os -fno-strict-aliasing
46
USER=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))
47
GROUP=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nogroup || echo 65534)))
48
USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))
49
GROUP:=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nogroup || echo 65534)))
49
51
## Use these settings for a traditional /usr/local install
50
# PREFIX=$(DESTDIR)/usr/local
51
# CONFDIR=$(DESTDIR)/etc/mandos
52
# KEYDIR=$(DESTDIR)/etc/mandos/keys
53
# MANDIR=$(PREFIX)/man
54
# INITRAMFSTOOLS=$(DESTDIR)/etc/initramfs-tools
55
# STATEDIR=$(DESTDIR)/var/lib/mandos
56
# LIBDIR=$(PREFIX)/lib
52
# PREFIX:=$(DESTDIR)/usr/local
53
# CONFDIR:=$(DESTDIR)/etc/mandos
54
# KEYDIR:=$(DESTDIR)/etc/mandos/keys
55
# MANDIR:=$(PREFIX)/man
56
# INITRAMFSTOOLS:=$(DESTDIR)/etc/initramfs-tools
57
# STATEDIR:=$(DESTDIR)/var/lib/mandos
58
# LIBDIR:=$(PREFIX)/lib
59
61
## These settings are for a package-type install
61
CONFDIR=$(DESTDIR)/etc/mandos
62
KEYDIR=$(DESTDIR)/etc/keys/mandos
63
MANDIR=$(PREFIX)/share/man
64
INITRAMFSTOOLS=$(DESTDIR)/usr/share/initramfs-tools
65
STATEDIR=$(DESTDIR)/var/lib/mandos
62
PREFIX:=$(DESTDIR)/usr
63
CONFDIR:=$(DESTDIR)/etc/mandos
64
KEYDIR:=$(DESTDIR)/etc/keys/mandos
65
MANDIR:=$(PREFIX)/share/man
66
INITRAMFSTOOLS:=$(DESTDIR)/usr/share/initramfs-tools
67
STATEDIR:=$(DESTDIR)/var/lib/mandos
68
70
"/usr/lib/`dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null`" \
69
71
"`rpm --eval='%{_libdir}' 2>/dev/null`" /usr/lib; do \
77
SYSTEMD=$(DESTDIR)$(shell pkg-config systemd --variable=systemdsystemunitdir)
78
TMPFILES=$(DESTDIR)$(shell pkg-config systemd --variable=tmpfilesdir)
79
SYSTEMD:=$(DESTDIR)$(shell pkg-config systemd --variable=systemdsystemunitdir)
80
TMPFILES:=$(DESTDIR)$(shell pkg-config systemd --variable=tmpfilesdir)
80
GNUTLS_CFLAGS=$(shell pkg-config --cflags-only-I gnutls)
81
GNUTLS_LIBS=$(shell pkg-config --libs gnutls)
82
AVAHI_CFLAGS=$(shell pkg-config --cflags-only-I avahi-core)
83
AVAHI_LIBS=$(shell pkg-config --libs avahi-core)
84
GPGME_CFLAGS=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)
85
GPGME_LIBS=$(shell gpgme-config --libs; getconf LFS_LIBS; \
82
GNUTLS_CFLAGS:=$(shell pkg-config --cflags-only-I gnutls)
83
GNUTLS_LIBS:=$(shell pkg-config --libs gnutls)
84
AVAHI_CFLAGS:=$(shell pkg-config --cflags-only-I avahi-core)
85
AVAHI_LIBS:=$(shell pkg-config --libs avahi-core)
86
GPGME_CFLAGS:=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)
87
GPGME_LIBS:=$(shell gpgme-config --libs; getconf LFS_LIBS; \
86
88
getconf LFS_LDFLAGS)
87
LIBNL3_CFLAGS=$(shell pkg-config --cflags-only-I libnl-route-3.0)
88
LIBNL3_LIBS=$(shell pkg-config --libs libnl-route-3.0)
89
LIBNL3_CFLAGS:=$(shell pkg-config --cflags-only-I libnl-route-3.0)
90
LIBNL3_LIBS:=$(shell pkg-config --libs libnl-route-3.0)
90
92
# Do not change these two
91
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(SANITIZE) $(COVERAGE) \
92
$(OPTIMIZE) $(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) \
93
$(GPGME_CFLAGS) -DVERSION='"$(version)"'
93
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) \
94
$(OPTIMIZE) $(LANGUAGE) -DVERSION='"$(version)"'
94
95
LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
96
97
# Commands to format a DocBook <refentry> document into a manual page
117
118
/usr/share/xml/docbook/stylesheet/nwalsh/xhtml/docbook.xsl \
118
119
$<; $(HTMLPOST) $@)
119
120
# Fix citerefentry links
120
HTMLPOST=$(SED) --in-place \
121
HTMLPOST:=$(SED) --in-place \
121
122
--expression='s/\(<a class="citerefentry" href="\)\("><span class="citerefentry"><span class="refentrytitle">\)\([^<]*\)\(<\/span>(\)\([^)]*\)\()<\/span><\/a>\)/\1\3.\5\2\3\4\5\6/g'
123
PLUGINS=plugins.d/password-prompt plugins.d/mandos-client \
124
PLUGINS:=plugins.d/password-prompt plugins.d/mandos-client \
124
125
plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo \
125
126
plugins.d/plymouth
126
PLUGIN_HELPERS=plugin-helpers/mandos-client-iprouteadddel
127
CPROGS=plugin-runner $(PLUGINS) $(PLUGIN_HELPERS)
128
PROGS=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
129
DOCS=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
127
PLUGIN_HELPERS:=plugin-helpers/mandos-client-iprouteadddel
128
CPROGS:=plugin-runner $(PLUGINS) $(PLUGIN_HELPERS)
129
PROGS:=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
130
DOCS:=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
130
131
mandos.conf.5 mandos-clients.conf.5 plugin-runner.8mandos \
131
132
plugins.d/mandos-client.8mandos \
132
133
plugins.d/password-prompt.8mandos plugins.d/usplash.8mandos \
133
134
plugins.d/splashy.8mandos plugins.d/askpass-fifo.8mandos \
134
135
plugins.d/plymouth.8mandos intro.8mandos
136
htmldocs=$(addsuffix .xhtml,$(DOCS))
137
htmldocs:=$(addsuffix .xhtml,$(DOCS))
138
objects=$(addsuffix .o,$(CPROGS))
139
objects:=$(addsuffix .o,$(CPROGS))
140
141
all: $(PROGS) mandos.lsm
253
254
--expression='s/\(mandos_\)[0-9.]\+\(\.orig\.tar\.gz\)/\1$(version)\2/' \
257
# Need to add the GnuTLS, Avahi and GPGME libraries
256
258
plugins.d/mandos-client: plugins.d/mandos-client.c
257
$(LINK.c) $^ -lrt $(GNUTLS_LIBS) $(AVAHI_LIBS) $(strip\
258
) $(GPGME_LIBS) $(LOADLIBES) $(LDLIBS) -o $@
259
$(LINK.c) $^ $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(strip\
260
) $(GPGME_CFLAGS) -lrt $(GNUTLS_LIBS) $(strip\
261
) $(AVAHI_LIBS) $(GPGME_LIBS) $(LOADLIBES) $(strip\
260
264
plugin-helpers/mandos-client-iprouteadddel: plugin-helpers/mandos-client-iprouteadddel.c
261
265
$(LINK.c) $(LIBNL3_CFLAGS) $^ $(LIBNL3_LIBS) $(strip\
280
284
./mandos-ctl --check
282
286
# Run the client with a local config and key
283
run-client: all keydir/seckey.txt keydir/pubkey.txt
287
run-client: all keydir/seckey.txt keydir/pubkey.txt keydir/tls-privkey.pem keydir/tls-pubkey.pem
284
288
@echo "###################################################################"
285
289
@echo "# The following error messages are harmless and can be safely #"
286
@echo "# ignored. The messages are caused by not running as root, but #"
287
@echo "# you should NOT run \"make run-client\" as root unless you also #"
288
@echo "# unpacked and compiled Mandos as root, which is NOT recommended. #"
289
291
@echo "# From plugin-runner: setgid: Operation not permitted #"
290
292
@echo "# setuid: Operation not permitted #"
291
293
@echo "# From askpass-fifo: mkfifo: Permission denied #"
292
294
@echo "# From mandos-client: #"
293
295
@echo "# Failed to raise privileges: Operation not permitted #"
294
296
@echo "# Warning: network hook \"*\" exited with status * #"
298
@echo "# (The messages are caused by not running as root, but you should #"
299
@echo "# NOT run \"make run-client\" as root unless you also unpacked and #"
300
@echo "# compiled Mandos as root, which is also NOT recommended.) #"
295
301
@echo "###################################################################"
296
302
# We set GNOME_KEYRING_CONTROL to block pam_gnome_keyring
297
303
./plugin-runner --plugin-dir=plugins.d \
298
304
--plugin-helper-dir=plugin-helpers \
299
305
--config-file=plugin-runner.conf \
300
--options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--network-hook-dir=network-hooks.d \
306
--options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--tls-privkey=keydir/tls-privkey.pem,--tls-pubkey=keydir/tls-pubkey.pem,--network-hook-dir=network-hooks.d \
301
307
--env-for=mandos-client:GNOME_KEYRING_CONTROL= \
304
310
# Used by run-client
305
keydir/seckey.txt keydir/pubkey.txt: mandos-keygen
311
keydir/seckey.txt keydir/pubkey.txt keydir/tls-privkey.pem keydir/tls-pubkey.pem: mandos-keygen
306
312
install --directory keydir
307
313
./mandos-keygen --dir keydir --force
315
321
confdir/mandos.conf: mandos.conf
316
322
install --directory confdir
317
323
install --mode=u=rw,go=r $^ $@
318
confdir/clients.conf: clients.conf keydir/seckey.txt
324
confdir/clients.conf: clients.conf keydir/seckey.txt keydir/tls-pubkey.pem
319
325
install --directory confdir
320
326
install --mode=u=rw $< $@
321
327
# Add a client password
390
396
"$(CONFDIR)/network-hooks.d"
391
397
install --mode=u=rwx,go=rx \
392
398
--target-directory=$(LIBDIR)/mandos plugin-runner
399
install --mode=u=rwx,go=rx \
400
--target-directory=$(LIBDIR)/mandos mandos-to-cryptroot-unlock
393
401
install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
395
403
install --mode=u=rwx,go=rx \
415
423
plugin-helpers/mandos-client-iprouteadddel
416
424
install initramfs-tools-hook \
417
425
$(INITRAMFSTOOLS)/hooks/mandos
418
install --mode=u=rw,go=r initramfs-tools-hook-conf \
419
$(INITRAMFSTOOLS)/conf-hooks.d/mandos
426
install --mode=u=rw,go=r initramfs-tools-conf \
427
$(INITRAMFSTOOLS)/conf.d/mandos-conf
428
install --mode=u=rw,go=r initramfs-tools-conf-hook \
429
$(INITRAMFSTOOLS)/conf-hooks.d/zz-mandos
420
430
install initramfs-tools-script \
421
431
$(INITRAMFSTOOLS)/scripts/init-premount/mandos
432
install initramfs-tools-script-stop \
433
$(INITRAMFSTOOLS)/scripts/local-premount/mandos
422
434
install --mode=u=rw,go=r plugin-runner.conf $(CONFDIR)
423
435
gzip --best --to-stdout mandos-keygen.8 \
424
436
> $(MANDIR)/man8/mandos-keygen.8.gz
498
510
-rmdir $(CONFDIR)
500
512
purge-client: uninstall-client
501
-shred --remove $(KEYDIR)/seckey.txt
513
-shred --remove $(KEYDIR)/seckey.txt $(KEYDIR)/tls-privkey.pem
502
514
-rm --force $(CONFDIR)/plugin-runner.conf \
503
$(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt
515
$(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt \
516
$(KEYDIR)/tls-pubkey.txt $(KEYDIR)/tls-privkey.txt
504
517
-rmdir $(KEYDIR) $(CONFDIR)/plugins.d $(CONFDIR)
added
removed
Makefile
