/mandos/trunk : revision 1111

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to Makefile

Committer: Teddy Hogeborn
Date: 2019-07-14 22:39:15 UTC
Revision ID: teddy@recompile.se-20190714223915-aqjkms3t3taa6tye

Only use sanitizing options when debugging

The C compiler's sanitizing options introduce code in the output
binary which is fragile and not very security conscious.  It has
become clear that sanitizing is only really meant for use while
debugging.

As a side effect, this makes compilation faster, as the Makefile, for
production builds, no longer runs the compiler repeatedly to find all
its currently supported sanitizing options.

* Makefile (DEBUG): Add "$(SANITIZE)".
  (SANITIZE): Comment out.
  (CFLAGS): Remove "$(SANITIZE)".
  (plugins.d/mandos-client): Revert back to use plain $(LINK.c), since
                             we no longer need to remove the leak
                             sanitizer by overriding CFLAGS.

files added:
debian/mandos-client.templates

debian/mandos.templates

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

Makefile

-Wmissing-format-attribute -Wnormalized=nfc -Wpacked \

-Wredundant-decls -Wnested-externs -Winline -Wvla \

-Wvolatile-register-var -Woverlength-strings

#DEBUG:=-ggdb3 -fsanitize=address

# For info about _FORTIFY_SOURCE, see feature_test_macros(7)

# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.

FORTIFY:=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC

#DEBUG:=-ggdb3 -fsanitize=address $(SANITIZE)

## Check which sanitizing options can be used

#SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \

# echo 'int main(){}' | $(CC) --language=c $(option) \

# /dev/stdin -o /dev/null >/dev/null 2>&1 && echo $(option)))

# <https://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan/>

ALL_SANITIZE_OPTIONS:=-fsanitize=leak -fsanitize=undefined \

-fsanitize=shift -fsanitize=integer-divide-by-zero \

-fsanitize=float-cast-overflow -fsanitize=nonnull-attribute \

-fsanitize=returns-nonnull-attribute -fsanitize=bool \

-fsanitize=enum

# Check which sanitizing options can be used

SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \

echo 'int main(){}' | $(CC) --language=c $(option) /dev/stdin \

-o /dev/null >/dev/null 2>&1 && echo $(option)))

# For info about _FORTIFY_SOURCE, see feature_test_macros(7)

# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.

FORTIFY:=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC

LINK_FORTIFY_LD:=-z relro -z now

LINK_FORTIFY:=

OPTIMIZE:=-Os -fno-strict-aliasing

LANGUAGE:=-std=gnu11

htmldir:=man

version:=1.7.16

version:=1.8.4

SED:=sed

USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))

LIBNL3_LIBS:=$(shell pkg-config --libs libnl-route-3.0)

# Do not change these two

CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(SANITIZE) $(COVERAGE) \

$(OPTIMIZE) $(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) \

$(GPGME_CFLAGS) -DVERSION='"$(version)"'

CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) \

$(OPTIMIZE) $(LANGUAGE) -DVERSION='"$(version)"'

LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))

# Commands to format a DocBook <refentry> document into a manual page

253

254

--expression='s/$mandos_$[0-9.]\+$\.orig\.tar\.gz$/\1$(version)\2/' \

254

255

$@)

255

256

257

# Need to add the GnuTLS, Avahi and GPGME libraries

256

258

plugins.d/mandos-client: plugins.d/mandos-client.c

257

$(LINK.c) $^ -lrt $(GNUTLS_LIBS) $(AVAHI_LIBS) $(strip\

258

) $(GPGME_LIBS) $(LOADLIBES) $(LDLIBS) -o $@

259

$(LINK.c) $^ $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(strip\

260

) $(GPGME_CFLAGS) -lrt $(GNUTLS_LIBS) $(strip\

261

) $(AVAHI_LIBS) $(GPGME_LIBS) $(LOADLIBES) $(strip\

262

) $(LDLIBS) -o $@

259

263

260

264

plugin-helpers/mandos-client-iprouteadddel: plugin-helpers/mandos-client-iprouteadddel.c

261

265

$(LINK.c) $(LIBNL3_CFLAGS) $^ $(LIBNL3_LIBS) $(strip\

280

284

./mandos-ctl --check

281

285

282

286

# Run the client with a local config and key

283

run-client: all keydir/seckey.txt keydir/pubkey.txt

287

run-client: all keydir/seckey.txt keydir/pubkey.txt keydir/tls-privkey.pem keydir/tls-pubkey.pem

284

288

@echo "###################################################################"

285

289

@echo "# The following error messages are harmless and can be safely #"

286

290

@echo "# ignored: #"

299

303

./plugin-runner --plugin-dir=plugins.d \

300

304

--plugin-helper-dir=plugin-helpers \

301

305

--config-file=plugin-runner.conf \

302

--options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--network-hook-dir=network-hooks.d \

306

--options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--tls-privkey=keydir/tls-privkey.pem,--tls-pubkey=keydir/tls-pubkey.pem,--network-hook-dir=network-hooks.d \

303

307

--env-for=mandos-client:GNOME_KEYRING_CONTROL= \

304

308

$(CLIENTARGS)

305

309

306

310

# Used by run-client

307

keydir/seckey.txt keydir/pubkey.txt: mandos-keygen

311

keydir/seckey.txt keydir/pubkey.txt keydir/tls-privkey.pem keydir/tls-pubkey.pem: mandos-keygen

308

312

install --directory keydir

309

313

./mandos-keygen --dir keydir --force

310

314

317

321

confdir/mandos.conf: mandos.conf

318

322

install --directory confdir

319

323

install --mode=u=rw,go=r $^ $@

320

confdir/clients.conf: clients.conf keydir/seckey.txt

324

confdir/clients.conf: clients.conf keydir/seckey.txt keydir/tls-pubkey.pem

321

325

install --directory confdir

322

326

install --mode=u=rw $< $@

323

327

# Add a client password

392

396

"$(CONFDIR)/network-hooks.d"

393

397

install --mode=u=rwx,go=rx \

394

398

--target-directory=$(LIBDIR)/mandos plugin-runner

399

install --mode=u=rwx,go=rx \

400

--target-directory=$(LIBDIR)/mandos mandos-to-cryptroot-unlock

395

401

install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \

396

402

mandos-keygen

397

403

install --mode=u=rwx,go=rx \

417

423

plugin-helpers/mandos-client-iprouteadddel

418

424

install initramfs-tools-hook \

419

425

$(INITRAMFSTOOLS)/hooks/mandos

420

install --mode=u=rw,go=r initramfs-tools-hook-conf \

421

$(INITRAMFSTOOLS)/conf-hooks.d/mandos

426

install --mode=u=rw,go=r initramfs-tools-conf \

427

$(INITRAMFSTOOLS)/conf.d/mandos-conf

428

install --mode=u=rw,go=r initramfs-tools-conf-hook \

429

$(INITRAMFSTOOLS)/conf-hooks.d/zz-mandos

422

430

install initramfs-tools-script \

423

431

$(INITRAMFSTOOLS)/scripts/init-premount/mandos

432

install initramfs-tools-script-stop \

433

$(INITRAMFSTOOLS)/scripts/local-premount/mandos

424

434

install --mode=u=rw,go=r plugin-runner.conf $(CONFDIR)

425

435

gzip --best --to-stdout mandos-keygen.8 \

426

436

> $(MANDIR)/man8/mandos-keygen.8.gz

500

510

-rmdir $(CONFDIR)

501

511

502

512

purge-client: uninstall-client

503

-shred --remove $(KEYDIR)/seckey.txt

513

-shred --remove $(KEYDIR)/seckey.txt $(KEYDIR)/tls-privkey.pem

504

514

-rm --force $(CONFDIR)/plugin-runner.conf \

505

$(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt

515

$(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt \

516

$(KEYDIR)/tls-pubkey.txt $(KEYDIR)/tls-privkey.txt

506

517

-rmdir $(KEYDIR) $(CONFDIR)/plugins.d $(CONFDIR)

Older »