/mandos/trunk

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to initramfs-tools-conf

Committer: Teddy Hogeborn
Date: 2019-07-14 22:39:15 UTC
Revision ID: teddy@recompile.se-20190714223915-aqjkms3t3taa6tye

Only use sanitizing options when debugging

The C compiler's sanitizing options introduce code in the output
binary which is fragile and not very security conscious.  It has
become clear that sanitizing is only really meant for use while
debugging.

As a side effect, this makes compilation faster, as the Makefile, for
production builds, no longer runs the compiler repeatedly to find all
its currently supported sanitizing options.

* Makefile (DEBUG): Add "$(SANITIZE)".
  (SANITIZE): Comment out.
  (CFLAGS): Remove "$(SANITIZE)".
  (plugins.d/mandos-client): Revert back to use plain $(LINK.c), since
                             we no longer need to remove the leak
                             sanitizer by overriding CFLAGS.

files added:
bugs.xml

debian/mandos-client.templates

debian/mandos.templates

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

initramfs-tools-conf

1

# -*- shell-script -*-

2

3

# Since the initramfs image will contain key files, we need to

4

# restrict permissions on it by setting UMASK here.

5

#

6

# The proper place to set UMASK is (according to

7

# /etc/cryptsetup-initramfs/conf-hook), in

8

# /etc/initramfs-tools/initramfs.conf, which we shouldn't edit. The

9

# corresponding directory for drop-in files from packages is

10

# /usr/share/initramfs-tools/conf.d, and this file will be installed

11

# there as "mandos-conf".

12

#

13

# This setting of UMASK will have unfortunate unintended side effects

14

# on the files *inside* the initramfs, but these are later fixed by

15

# "initramfs-tools-hook", installed as

16

# "/usr/share/initramfs-tools/hooks/mandos".

17

UMASK=0027

Older »