/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to Makefile

  • Committer: Teddy Hogeborn
  • Date: 2024-09-09 04:24:39 UTC
  • Revision ID: teddy@recompile.se-20240909042439-j85mr20uli2hnyis
Eliminate compiler warnings

Many programs use nested functions, which now result in a linker
warning about executable stack.  Hide this warning.  Also, rewrite a
loop in the plymouth plugin to avoid warning about signed overflow.
This change also makes the plugin pick the alphabetically first
process entry instead of the last, in case many plymouth processes are
found (which should be unlikely).

* Makefile (plugin-runner, dracut-module/password-agent,
  plugins.d/password-prompt, plugins.d/mandos-client,
  plugins.d/plymouth): New target; set LDFLAGS to add "-Xlinker
  --no-warn-execstack".
* plugins.d/plymouth.c (get_pid): When no pid files are found, and we
  are looking through the process list, go though it from the start
  instead of from the end, i.e. in normal alphabetical order and not
  in reverse order.

Show diffs side-by-side

added added

removed removed

Lines of Context:
1
 
WARN=-O -Wall -Wextra -Wdouble-promotion -Wformat=2 -Winit-self \
 
1
WARN:=-O -Wall -Wextra -Wdouble-promotion -Wformat=2 -Winit-self \
2
2
        -Wmissing-include-dirs -Wswitch-default -Wswitch-enum \
3
3
        -Wunused -Wuninitialized -Wstrict-overflow=5 \
4
4
        -Wsuggest-attribute=pure -Wsuggest-attribute=const \
10
10
        -Wmissing-format-attribute -Wnormalized=nfc -Wpacked \
11
11
        -Wredundant-decls -Wnested-externs -Winline -Wvla \
12
12
        -Wvolatile-register-var -Woverlength-strings
13
 
#DEBUG=-ggdb3 -fsanitize=address 
14
 
# For info about _FORTIFY_SOURCE, see feature_test_macros(7)
15
 
# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
16
 
FORTIFY=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
 
13
 
 
14
#DEBUG:=-ggdb3 -fsanitize=address $(SANITIZE)
 
15
## Check which sanitizing options can be used
 
16
#SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \
 
17
#       echo 'int main(){}' | $(CC) --language=c $(option) \
 
18
#       /dev/stdin -o /dev/null >/dev/null 2>&1 && echo $(option)))
17
19
# <https://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan/>
18
20
ALL_SANITIZE_OPTIONS:=-fsanitize=leak -fsanitize=undefined \
19
21
        -fsanitize=shift -fsanitize=integer-divide-by-zero \
23
25
        -fsanitize=object-size -fsanitize=float-divide-by-zero \
24
26
        -fsanitize=float-cast-overflow -fsanitize=nonnull-attribute \
25
27
        -fsanitize=returns-nonnull-attribute -fsanitize=bool \
26
 
        -fsanitize=enum
27
 
# Check which sanitizing options can be used
28
 
SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \
29
 
        echo 'int main(){}' | $(CC) --language=c $(option) /dev/stdin \
30
 
        -o /dev/null >/dev/null 2>&1 && echo $(option)))
31
 
LINK_FORTIFY_LD=-z relro -z now
32
 
LINK_FORTIFY=
 
28
        -fsanitize=enum -fsanitize-address-use-after-scope
 
29
 
 
30
# For info about _FORTIFY_SOURCE, see feature_test_macros(7)
 
31
# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
 
32
FORTIFY:=-fstack-protector-all -fPIC
 
33
CPPFLAGS+=-D_FORTIFY_SOURCE=3
 
34
LINK_FORTIFY_LD:=-z relro -z now
 
35
LINK_FORTIFY:=
33
36
 
34
37
# If BROKEN_PIE is set, do not build with -pie
35
38
ifndef BROKEN_PIE
37
40
LINK_FORTIFY += -pie
38
41
endif
39
42
#COVERAGE=--coverage
40
 
OPTIMIZE=-Os -fno-strict-aliasing
41
 
LANGUAGE=-std=gnu11
42
 
htmldir=man
43
 
version=1.7.13
44
 
SED=sed
45
 
 
46
 
USER=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))
47
 
GROUP=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nogroup || echo 65534)))
 
43
OPTIMIZE:=-Os -fno-strict-aliasing
 
44
LANGUAGE:=-std=gnu11
 
45
CPPFLAGS+=-D_FILE_OFFSET_BITS=64 -D_TIME_BITS=64
 
46
htmldir:=man
 
47
version:=1.8.16
 
48
SED:=sed
 
49
PKG_CONFIG?=pkg-config
 
50
 
 
51
USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos \
 
52
        || getent passwd nobody || echo 65534)))
 
53
GROUP:=$(firstword $(subst :, ,$(shell getent group _mandos \
 
54
        || getent group nogroup || echo 65534)))
 
55
 
 
56
LINUXVERSION:=$(shell uname --kernel-release)
48
57
 
49
58
## Use these settings for a traditional /usr/local install
50
 
# PREFIX=$(DESTDIR)/usr/local
51
 
# CONFDIR=$(DESTDIR)/etc/mandos
52
 
# KEYDIR=$(DESTDIR)/etc/mandos/keys
53
 
# MANDIR=$(PREFIX)/man
54
 
# INITRAMFSTOOLS=$(DESTDIR)/etc/initramfs-tools
55
 
# STATEDIR=$(DESTDIR)/var/lib/mandos
56
 
# LIBDIR=$(PREFIX)/lib
 
59
# PREFIX:=$(DESTDIR)/usr/local
 
60
# CONFDIR:=$(DESTDIR)/etc/mandos
 
61
# KEYDIR:=$(DESTDIR)/etc/mandos/keys
 
62
# MANDIR:=$(PREFIX)/man
 
63
# INITRAMFSTOOLS:=$(DESTDIR)/etc/initramfs-tools
 
64
# DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos
 
65
# STATEDIR:=$(DESTDIR)/var/lib/mandos
 
66
# LIBDIR:=$(PREFIX)/lib
 
67
# DBUSPOLICYDIR:=$(DESTDIR)/etc/dbus-1/system.d
57
68
##
58
69
 
59
70
## These settings are for a package-type install
60
 
PREFIX=$(DESTDIR)/usr
61
 
CONFDIR=$(DESTDIR)/etc/mandos
62
 
KEYDIR=$(DESTDIR)/etc/keys/mandos
63
 
MANDIR=$(PREFIX)/share/man
64
 
INITRAMFSTOOLS=$(DESTDIR)/usr/share/initramfs-tools
65
 
STATEDIR=$(DESTDIR)/var/lib/mandos
66
 
LIBDIR=$(shell \
 
71
PREFIX:=$(DESTDIR)/usr
 
72
CONFDIR:=$(DESTDIR)/etc/mandos
 
73
KEYDIR:=$(DESTDIR)/etc/keys/mandos
 
74
MANDIR:=$(PREFIX)/share/man
 
75
INITRAMFSTOOLS:=$(DESTDIR)/usr/share/initramfs-tools
 
76
DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos
 
77
STATEDIR:=$(DESTDIR)/var/lib/mandos
 
78
LIBDIR:=$(shell \
67
79
        for d in \
68
 
        "/usr/lib/`dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null`" \
 
80
        "/usr/lib/`dpkg-architecture \
 
81
                        -qDEB_HOST_MULTIARCH 2>/dev/null`" \
69
82
        "`rpm --eval='%{_libdir}' 2>/dev/null`" /usr/lib; do \
70
83
                if [ -d "$$d" -a "$$d" = "$${d%/}" ]; then \
71
84
                        echo "$(DESTDIR)$$d"; \
72
85
                        break; \
73
86
                fi; \
74
87
        done)
 
88
DBUSPOLICYDIR:=$(DESTDIR)/usr/share/dbus-1/system.d
75
89
##
76
90
 
77
 
SYSTEMD=$(DESTDIR)$(shell pkg-config systemd --variable=systemdsystemunitdir)
78
 
TMPFILES=$(DESTDIR)$(shell pkg-config systemd --variable=tmpfilesdir)
 
91
SYSTEMD:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \
 
92
                        --variable=systemdsystemunitdir)
 
93
TMPFILES:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \
 
94
                        --variable=tmpfilesdir)
 
95
SYSUSERS:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \
 
96
                        --variable=sysusersdir)
79
97
 
80
 
GNUTLS_CFLAGS=$(shell pkg-config --cflags-only-I gnutls)
81
 
GNUTLS_LIBS=$(shell pkg-config --libs gnutls)
82
 
AVAHI_CFLAGS=$(shell pkg-config --cflags-only-I avahi-core)
83
 
AVAHI_LIBS=$(shell pkg-config --libs avahi-core)
84
 
GPGME_CFLAGS=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)
85
 
GPGME_LIBS=$(shell gpgme-config --libs; getconf LFS_LIBS; \
 
98
GNUTLS_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I gnutls)
 
99
GNUTLS_LIBS:=$(shell $(PKG_CONFIG) --libs gnutls)
 
100
AVAHI_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I avahi-core)
 
101
AVAHI_LIBS:=$(shell $(PKG_CONFIG) --libs avahi-core)
 
102
GPGME_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I gpgme 2>/dev/null \
 
103
        || gpgme-config --cflags; getconf LFS_CFLAGS)
 
104
GPGME_LIBS:=$(shell $(PKG_CONFIG) --libs gpgme 2>/dev/null \
 
105
        || gpgme-config --libs; getconf LFS_LIBS; \
86
106
        getconf LFS_LDFLAGS)
87
 
LIBNL3_CFLAGS=$(shell pkg-config --cflags-only-I libnl-route-3.0)
88
 
LIBNL3_LIBS=$(shell pkg-config --libs libnl-route-3.0)
 
107
LIBNL3_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I libnl-route-3.0)
 
108
LIBNL3_LIBS:=$(shell $(PKG_CONFIG) --libs libnl-route-3.0)
 
109
GLIB_CFLAGS:=$(shell $(PKG_CONFIG) --cflags glib-2.0)
 
110
GLIB_LIBS:=$(shell $(PKG_CONFIG) --libs glib-2.0)
89
111
 
90
112
# Do not change these two
91
 
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(SANITIZE) $(COVERAGE) \
92
 
        $(OPTIMIZE) $(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) \
93
 
        $(GPGME_CFLAGS) -DVERSION='"$(version)"'
94
 
LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
 
113
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \
 
114
        $(LANGUAGE) -DVERSION='"$(version)"'
 
115
LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(strip \
 
116
        ) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
95
117
 
96
118
# Commands to format a DocBook <refentry> document into a manual page
97
119
DOCBOOKTOMAN=$(strip cd $(dir $<); xsltproc --nonet --xinclude \
103
125
        /usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl \
104
126
        $(notdir $<); \
105
127
        if locale --all 2>/dev/null | grep --regexp='^en_US\.utf8$$' \
106
 
        && type man 2>/dev/null; then LANG=en_US.UTF-8 MANWIDTH=80 \
107
 
        man --warnings --encoding=UTF-8 --local-file $(notdir $@); \
108
 
        fi >/dev/null)
 
128
        && command -v man >/dev/null; then LANG=en_US.UTF-8 \
 
129
        MANWIDTH=80 man --warnings --encoding=UTF-8 --local-file \
 
130
        $(notdir $@); fi >/dev/null)
109
131
 
110
132
DOCBOOKTOHTML=$(strip xsltproc --nonet --xinclude \
111
133
        --param make.year.ranges                1 \
117
139
        /usr/share/xml/docbook/stylesheet/nwalsh/xhtml/docbook.xsl \
118
140
        $<; $(HTMLPOST) $@)
119
141
# Fix citerefentry links
120
 
HTMLPOST=$(SED) --in-place \
 
142
HTMLPOST:=$(SED) --in-place \
121
143
        --expression='s/\(<a class="citerefentry" href="\)\("><span class="citerefentry"><span class="refentrytitle">\)\([^<]*\)\(<\/span>(\)\([^)]*\)\()<\/span><\/a>\)/\1\3.\5\2\3\4\5\6/g'
122
144
 
123
 
PLUGINS=plugins.d/password-prompt plugins.d/mandos-client \
 
145
PLUGINS:=plugins.d/password-prompt plugins.d/mandos-client \
124
146
        plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo \
125
147
        plugins.d/plymouth
126
 
PLUGIN_HELPERS=plugin-helpers/mandos-client-iprouteadddel
127
 
CPROGS=plugin-runner $(PLUGINS) $(PLUGIN_HELPERS)
128
 
PROGS=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
129
 
DOCS=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
 
148
PLUGIN_HELPERS:=plugin-helpers/mandos-client-iprouteadddel
 
149
CPROGS:=plugin-runner dracut-module/password-agent $(PLUGINS) \
 
150
        $(PLUGIN_HELPERS)
 
151
PROGS:=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
 
152
DOCS:=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
130
153
        mandos.conf.5 mandos-clients.conf.5 plugin-runner.8mandos \
 
154
        dracut-module/password-agent.8mandos \
131
155
        plugins.d/mandos-client.8mandos \
132
156
        plugins.d/password-prompt.8mandos plugins.d/usplash.8mandos \
133
157
        plugins.d/splashy.8mandos plugins.d/askpass-fifo.8mandos \
134
158
        plugins.d/plymouth.8mandos intro.8mandos
135
159
 
136
 
htmldocs=$(addsuffix .xhtml,$(DOCS))
137
 
 
138
 
objects=$(addsuffix .o,$(CPROGS))
139
 
 
 
160
htmldocs:=$(addsuffix .xhtml,$(DOCS))
 
161
 
 
162
objects:=$(addsuffix .o,$(CPROGS))
 
163
 
 
164
.PHONY: all
140
165
all: $(PROGS) mandos.lsm
141
166
 
 
167
.PHONY: doc
142
168
doc: $(DOCS)
143
169
 
 
170
.PHONY: html
144
171
html: $(htmldocs)
145
172
 
146
173
%.5: %.xml common.ent legalnotice.xml
205
232
                overview.xml legalnotice.xml
206
233
        $(DOCBOOKTOHTML)
207
234
 
 
235
dracut-module/password-agent.8mandos: \
 
236
                dracut-module/password-agent.xml common.ent \
 
237
                overview.xml legalnotice.xml
 
238
        $(DOCBOOKTOMAN)
 
239
dracut-module/password-agent.8mandos.xhtml: \
 
240
                dracut-module/password-agent.xml common.ent \
 
241
                overview.xml legalnotice.xml
 
242
        $(DOCBOOKTOHTML)
 
243
 
208
244
plugins.d/mandos-client.8mandos: plugins.d/mandos-client.xml \
209
245
                                        common.ent \
210
246
                                        mandos-options.xml \
253
289
                --expression='s/\(mandos_\)[0-9.]\+\(\.orig\.tar\.gz\)/\1$(version)\2/' \
254
290
                $@)
255
291
 
256
 
plugins.d/mandos-client: plugins.d/mandos-client.c
257
 
        $(LINK.c) $^ -lrt $(GNUTLS_LIBS) $(AVAHI_LIBS) $(strip\
258
 
                ) $(GPGME_LIBS) $(LOADLIBES) $(LDLIBS) -o $@
259
 
 
260
 
plugin-helpers/mandos-client-iprouteadddel: plugin-helpers/mandos-client-iprouteadddel.c
261
 
        $(LINK.c) $(LIBNL3_CFLAGS) $^ $(LIBNL3_LIBS) $(strip\
262
 
                ) $(LOADLIBES) $(LDLIBS) -o $@
263
 
 
264
 
.PHONY : all doc html clean distclean mostlyclean maintainer-clean \
265
 
        check run-client run-server install install-html \
266
 
        install-server install-client-nokey install-client uninstall \
267
 
        uninstall-server uninstall-client purge purge-server \
268
 
        purge-client
269
 
 
 
292
# Uses nested functions
 
293
plugin-runner: LDFLAGS += -Xlinker --no-warn-execstack
 
294
dracut-module/password-agent: LDFLAGS += -Xlinker --no-warn-execstack
 
295
plugins.d/password-prompt: LDFLAGS += -Xlinker --no-warn-execstack
 
296
plugins.d/mandos-client: LDFLAGS += -Xlinker --no-warn-execstack
 
297
plugins.d/plymouth: LDFLAGS += -Xlinker --no-warn-execstack
 
298
 
 
299
# Need to add the GnuTLS, Avahi and GPGME libraries
 
300
plugins.d/mandos-client: CFLAGS += $(GNUTLS_CFLAGS) $(strip \
 
301
        ) $(AVAHI_CFLAGS) $(GPGME_CFLAGS)
 
302
plugins.d/mandos-client: LDLIBS += $(GNUTLS_LIBS) $(strip \
 
303
        ) $(AVAHI_LIBS) $(GPGME_LIBS)
 
304
 
 
305
# Need to add the libnl-route library
 
306
plugin-helpers/mandos-client-iprouteadddel: CFLAGS += $(LIBNL3_CFLAGS)
 
307
plugin-helpers/mandos-client-iprouteadddel: LDLIBS += $(LIBNL3_LIBS)
 
308
 
 
309
# Need to add the GLib and pthread libraries
 
310
dracut-module/password-agent: CFLAGS += $(GLIB_CFLAGS)
 
311
# Note: -lpthread is unnecessary with the GNU C library 2.34 or later
 
312
dracut-module/password-agent: LDLIBS += $(GLIB_LIBS) -lpthread
 
313
 
 
314
.PHONY: clean
270
315
clean:
271
316
        -rm --force $(CPROGS) $(objects) $(htmldocs) $(DOCS) core
272
317
 
 
318
.PHONY: distclean
273
319
distclean: clean
 
320
.PHONY: mostlyclean
274
321
mostlyclean: clean
 
322
.PHONY: maintainer-clean
275
323
maintainer-clean: clean
276
324
        -rm --force --recursive keydir confdir statedir
277
325
 
278
 
check:  all
 
326
.PHONY: check
 
327
check: all
279
328
        ./mandos --check
280
329
        ./mandos-ctl --check
 
330
        ./mandos-keygen --version
 
331
        ./plugin-runner --version
 
332
        ./plugin-helpers/mandos-client-iprouteadddel --version
 
333
        ./dracut-module/password-agent --test
281
334
 
282
335
# Run the client with a local config and key
283
 
run-client: all keydir/seckey.txt keydir/pubkey.txt
284
 
        @echo "###################################################################"
285
 
        @echo "# The following error messages are harmless and can be safely     #"
286
 
        @echo "# ignored.  The messages are caused by not running as root, but   #"
287
 
        @echo "# you should NOT run \"make run-client\" as root unless you also    #"
288
 
        @echo "# unpacked and compiled Mandos as root, which is NOT recommended. #"
289
 
        @echo "# From plugin-runner: setgid: Operation not permitted             #"
290
 
        @echo "#                     setuid: Operation not permitted             #"
291
 
        @echo "# From askpass-fifo:  mkfifo: Permission denied                   #"
292
 
        @echo "# From mandos-client:                                             #"
293
 
        @echo "#             Failed to raise privileges: Operation not permitted #"
294
 
        @echo "#             Warning: network hook \"*\" exited with status *      #"
295
 
        @echo "###################################################################"
 
336
.PHONY: run-client
 
337
run-client: all keydir/seckey.txt keydir/pubkey.txt \
 
338
                        keydir/tls-privkey.pem keydir/tls-pubkey.pem
 
339
        @echo '######################################################'
 
340
        @echo '# The following error messages are harmless and can  #'
 
341
        @echo '#  be safely ignored:                                #'
 
342
        @echo '## From plugin-runner:                               #'
 
343
        @echo '# setgid: Operation not permitted                    #'
 
344
        @echo '# setuid: Operation not permitted                    #'
 
345
        @echo '## From askpass-fifo:                                #'
 
346
        @echo '# mkfifo: Permission denied                          #'
 
347
        @echo '## From mandos-client:                               #'
 
348
        @echo '# Failed to raise privileges: Operation not permi... #'
 
349
        @echo '# Warning: network hook "*" exited with status *     #'
 
350
        @echo '# ioctl SIOCSIFFLAGS +IFF_UP: Operation not permi... #'
 
351
        @echo '# Failed to bring up interface "*": Operation not... #'
 
352
        @echo '#                                                    #'
 
353
        @echo '# (The messages are caused by not running as root,   #'
 
354
        @echo '# but you should NOT run "make run-client" as root   #'
 
355
        @echo '# unless you also unpacked and compiled Mandos as    #'
 
356
        @echo '# root, which is also NOT recommended.)              #'
 
357
        @echo '######################################################'
296
358
# We set GNOME_KEYRING_CONTROL to block pam_gnome_keyring
297
359
        ./plugin-runner --plugin-dir=plugins.d \
298
360
                --plugin-helper-dir=plugin-helpers \
299
361
                --config-file=plugin-runner.conf \
300
 
                --options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--network-hook-dir=network-hooks.d \
 
362
                --options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--tls-privkey=keydir/tls-privkey.pem,--tls-pubkey=keydir/tls-pubkey.pem,--network-hook-dir=network-hooks.d \
301
363
                --env-for=mandos-client:GNOME_KEYRING_CONTROL= \
302
364
                $(CLIENTARGS)
303
365
 
304
366
# Used by run-client
305
 
keydir/seckey.txt keydir/pubkey.txt: mandos-keygen
 
367
keydir/seckey.txt keydir/pubkey.txt keydir/tls-privkey.pem keydir/tls-pubkey.pem: mandos-keygen
306
368
        install --directory keydir
307
369
        ./mandos-keygen --dir keydir --force
 
370
        if ! [ -e keydir/tls-privkey.pem ]; then \
 
371
                install --mode=u=rw /dev/null keydir/tls-privkey.pem; \
 
372
        fi
 
373
        if ! [ -e keydir/tls-pubkey.pem ]; then \
 
374
                install --mode=u=rw /dev/null keydir/tls-pubkey.pem; \
 
375
        fi
308
376
 
309
377
# Run the server with a local config
 
378
.PHONY: run-server
310
379
run-server: confdir/mandos.conf confdir/clients.conf statedir
311
380
        ./mandos --debug --no-dbus --configdir=confdir \
312
381
                --statedir=statedir $(SERVERARGS)
313
382
 
314
383
# Used by run-server
315
384
confdir/mandos.conf: mandos.conf
316
 
        install --directory confdir
317
 
        install --mode=u=rw,go=r $^ $@
318
 
confdir/clients.conf: clients.conf keydir/seckey.txt
319
 
        install --directory confdir
320
 
        install --mode=u=rw $< $@
 
385
        install -D --mode=u=rw,go=r $^ $@
 
386
confdir/clients.conf: clients.conf keydir/seckey.txt keydir/tls-pubkey.pem
 
387
        install -D --mode=u=rw $< $@
321
388
# Add a client password
322
389
        ./mandos-keygen --dir keydir --password --no-ssh >> $@
323
390
statedir:
324
391
        install --directory statedir
325
392
 
 
393
.PHONY: install
326
394
install: install-server install-client-nokey
327
395
 
 
396
.PHONY: install-html
328
397
install-html: html
329
 
        install --directory $(htmldir)
330
 
        install --mode=u=rw,go=r --target-directory=$(htmldir) \
 
398
        install -D --mode=u=rw,go=r --target-directory=$(htmldir) \
331
399
                $(htmldocs)
332
400
 
 
401
.PHONY: install-server
333
402
install-server: doc
334
 
        install --directory $(CONFDIR)
335
403
        if install --directory --mode=u=rwx --owner=$(USER) \
336
404
                --group=$(GROUP) $(STATEDIR); then \
337
405
                :; \
338
406
        elif install --directory --mode=u=rwx $(STATEDIR); then \
339
407
                chown -- $(USER):$(GROUP) $(STATEDIR) || :; \
340
408
        fi
341
 
        if [ "$(TMPFILES)" != "$(DESTDIR)" -a -d "$(TMPFILES)" ]; then \
342
 
                install --mode=u=rw,go=r tmpfiles.d-mandos.conf \
 
409
        if [ "$(TMPFILES)" != "$(DESTDIR)" ]; then \
 
410
                install -D --mode=u=rw,go=r tmpfiles.d-mandos.conf \
343
411
                        $(TMPFILES)/mandos.conf; \
344
412
        fi
345
 
        install --mode=u=rwx,go=rx mandos $(PREFIX)/sbin/mandos
 
413
        if [ "$(SYSUSERS)" != "$(DESTDIR)" ]; then \
 
414
                install -D --mode=u=rw,go=r sysusers.d-mandos.conf \
 
415
                        $(SYSUSERS)/mandos.conf; \
 
416
        fi
 
417
        install --directory $(PREFIX)/sbin
 
418
        install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
 
419
                mandos
346
420
        install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
347
421
                mandos-ctl
348
422
        install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
349
423
                mandos-monitor
 
424
        install --directory $(CONFDIR)
350
425
        install --mode=u=rw,go=r --target-directory=$(CONFDIR) \
351
426
                mandos.conf
352
427
        install --mode=u=rw --target-directory=$(CONFDIR) \
353
428
                clients.conf
354
 
        install --mode=u=rw,go=r dbus-mandos.conf \
355
 
                $(DESTDIR)/etc/dbus-1/system.d/mandos.conf
356
 
        install --mode=u=rwx,go=rx init.d-mandos \
 
429
        install -D --mode=u=rw,go=r dbus-mandos.conf \
 
430
                $(DBUSPOLICYDIR)/mandos.conf
 
431
        install -D --mode=u=rwx,go=rx init.d-mandos \
357
432
                $(DESTDIR)/etc/init.d/mandos
358
 
        if [ "$(SYSTEMD)" != "$(DESTDIR)" -a -d "$(SYSTEMD)" ]; then \
359
 
                install --mode=u=rw,go=r mandos.service $(SYSTEMD); \
 
433
        if [ "$(SYSTEMD)" != "$(DESTDIR)" ]; then \
 
434
                install -D --mode=u=rw,go=r mandos.service \
 
435
                        $(SYSTEMD); \
360
436
        fi
361
 
        install --mode=u=rw,go=r default-mandos \
 
437
        install -D --mode=u=rw,go=r default-mandos \
362
438
                $(DESTDIR)/etc/default/mandos
363
439
        if [ -z $(DESTDIR) ]; then \
364
440
                update-rc.d mandos defaults 25 15;\
365
441
        fi
 
442
        install --directory $(MANDIR)/man8 $(MANDIR)/man5
366
443
        gzip --best --to-stdout mandos.8 \
367
444
                > $(MANDIR)/man8/mandos.8.gz
368
445
        gzip --best --to-stdout mandos-monitor.8 \
376
453
        gzip --best --to-stdout intro.8mandos \
377
454
                > $(MANDIR)/man8/intro.8mandos.gz
378
455
 
 
456
.PHONY: install-client-nokey
379
457
install-client-nokey: all doc
380
 
        install --directory $(LIBDIR)/mandos $(CONFDIR)
381
458
        install --directory --mode=u=rwx $(KEYDIR) \
382
459
                $(LIBDIR)/mandos/plugins.d \
383
460
                $(LIBDIR)/mandos/plugin-helpers
 
461
        if [ "$(SYSUSERS)" != "$(DESTDIR)" ]; then \
 
462
                install -D --mode=u=rw,go=r sysusers.d-mandos.conf \
 
463
                        $(SYSUSERS)/mandos-client.conf; \
 
464
        fi
384
465
        if [ "$(CONFDIR)" != "$(LIBDIR)/mandos" ]; then \
385
 
                install --mode=u=rwx \
386
 
                        --directory "$(CONFDIR)/plugins.d" \
 
466
                install --directory \
 
467
                        --mode=u=rwx "$(CONFDIR)/plugins.d" \
387
468
                        "$(CONFDIR)/plugin-helpers"; \
388
469
        fi
389
 
        install --mode=u=rwx,go=rx --directory \
 
470
        install --directory --mode=u=rwx,go=rx \
390
471
                "$(CONFDIR)/network-hooks.d"
391
472
        install --mode=u=rwx,go=rx \
392
473
                --target-directory=$(LIBDIR)/mandos plugin-runner
 
474
        install --mode=u=rwx,go=rx \
 
475
                --target-directory=$(LIBDIR)/mandos \
 
476
                mandos-to-cryptroot-unlock
 
477
        install --directory $(PREFIX)/sbin
393
478
        install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
394
479
                mandos-keygen
395
480
        install --mode=u=rwx,go=rx \
413
498
        install --mode=u=rwx,go=rx \
414
499
                --target-directory=$(LIBDIR)/mandos/plugin-helpers \
415
500
                plugin-helpers/mandos-client-iprouteadddel
416
 
        install initramfs-tools-hook \
 
501
        install -D initramfs-tools-hook \
417
502
                $(INITRAMFSTOOLS)/hooks/mandos
418
 
        install --mode=u=rw,go=r initramfs-tools-hook-conf \
419
 
                $(INITRAMFSTOOLS)/conf-hooks.d/mandos
420
 
        install initramfs-tools-script \
 
503
        install -D --mode=u=rw,go=r initramfs-tools-conf \
 
504
                $(INITRAMFSTOOLS)/conf.d/mandos-conf
 
505
        install -D --mode=u=rw,go=r initramfs-tools-conf-hook \
 
506
                $(INITRAMFSTOOLS)/conf-hooks.d/zz-mandos
 
507
        install -D initramfs-tools-script \
421
508
                $(INITRAMFSTOOLS)/scripts/init-premount/mandos
 
509
        install -D initramfs-tools-script-stop \
 
510
                $(INITRAMFSTOOLS)/scripts/local-premount/mandos
 
511
        install -D --mode=u=rw,go=r \
 
512
                --target-directory=$(DRACUTMODULE) \
 
513
                dracut-module/ask-password-mandos.path \
 
514
                dracut-module/ask-password-mandos.service
 
515
        install --mode=u=rwxs,go=rx \
 
516
                --target-directory=$(DRACUTMODULE) \
 
517
                dracut-module/module-setup.sh \
 
518
                dracut-module/cmdline-mandos.sh \
 
519
                dracut-module/password-agent
422
520
        install --mode=u=rw,go=r plugin-runner.conf $(CONFDIR)
 
521
        install --directory $(MANDIR)/man8
423
522
        gzip --best --to-stdout mandos-keygen.8 \
424
523
                > $(MANDIR)/man8/mandos-keygen.8.gz
425
524
        gzip --best --to-stdout plugin-runner.8mandos \
436
535
                > $(MANDIR)/man8/askpass-fifo.8mandos.gz
437
536
        gzip --best --to-stdout plugins.d/plymouth.8mandos \
438
537
                > $(MANDIR)/man8/plymouth.8mandos.gz
 
538
        gzip --best --to-stdout dracut-module/password-agent.8mandos \
 
539
                > $(MANDIR)/man8/password-agent.8mandos.gz
439
540
 
 
541
.PHONY: install-client
440
542
install-client: install-client-nokey
441
543
# Post-installation stuff
442
544
        -$(PREFIX)/sbin/mandos-keygen --dir "$(KEYDIR)"
443
 
        update-initramfs -k all -u
 
545
        if command -v update-initramfs >/dev/null; then \
 
546
            update-initramfs -k all -u; \
 
547
        elif command -v dracut >/dev/null; then \
 
548
            for initrd in $(DESTDIR)/boot/initr*-$(LINUXVERSION); do \
 
549
                if [ -w "$$initrd" ]; then \
 
550
                    chmod go-r "$$initrd"; \
 
551
                    dracut --force "$$initrd"; \
 
552
                fi; \
 
553
            done; \
 
554
        fi
444
555
        echo "Now run mandos-keygen --password --dir $(KEYDIR)"
445
556
 
 
557
.PHONY: uninstall
446
558
uninstall: uninstall-server uninstall-client
447
559
 
 
560
.PHONY: uninstall-server
448
561
uninstall-server:
449
562
        -rm --force $(PREFIX)/sbin/mandos \
450
563
                $(PREFIX)/sbin/mandos-ctl \
457
570
        update-rc.d -f mandos remove
458
571
        -rmdir $(CONFDIR)
459
572
 
 
573
.PHONY: uninstall-client
460
574
uninstall-client:
461
575
# Refuse to uninstall client if /etc/crypttab is explicitly configured
462
576
# to use it.
473
587
                $(INITRAMFSTOOLS)/hooks/mandos \
474
588
                $(INITRAMFSTOOLS)/conf-hooks.d/mandos \
475
589
                $(INITRAMFSTOOLS)/scripts/init-premount/mandos \
 
590
                $(INITRAMFSTOOLS)/scripts/local-premount/mandos \
 
591
                $(DRACUTMODULE)/ask-password-mandos.path \
 
592
                $(DRACUTMODULE)/ask-password-mandos.service \
 
593
                $(DRACUTMODULE)/module-setup.sh \
 
594
                $(DRACUTMODULE)/cmdline-mandos.sh \
 
595
                $(DRACUTMODULE)/password-agent \
476
596
                $(MANDIR)/man8/mandos-keygen.8.gz \
477
597
                $(MANDIR)/man8/plugin-runner.8mandos.gz \
478
598
                $(MANDIR)/man8/mandos-client.8mandos.gz
481
601
                $(MANDIR)/man8/splashy.8mandos.gz \
482
602
                $(MANDIR)/man8/askpass-fifo.8mandos.gz \
483
603
                $(MANDIR)/man8/plymouth.8mandos.gz \
 
604
                $(MANDIR)/man8/password-agent.8mandos.gz \
484
605
        -rmdir $(LIBDIR)/mandos/plugins.d $(CONFDIR)/plugins.d \
485
 
                 $(LIBDIR)/mandos $(CONFDIR) $(KEYDIR)
486
 
        update-initramfs -k all -u
 
606
                 $(LIBDIR)/mandos $(CONFDIR) $(KEYDIR) $(DRACUTMODULE)
 
607
        if command -v update-initramfs >/dev/null; then \
 
608
            update-initramfs -k all -u; \
 
609
        elif command -v dracut >/dev/null; then \
 
610
            for initrd in $(DESTDIR)/boot/initr*-$(LINUXVERSION); do \
 
611
                test -w "$$initrd" && dracut --force "$$initrd"; \
 
612
            done; \
 
613
        fi
487
614
 
 
615
.PHONY: purge
488
616
purge: purge-server purge-client
489
617
 
 
618
.PHONY: purge-server
490
619
purge-server: uninstall-server
491
620
        -rm --force $(CONFDIR)/mandos.conf $(CONFDIR)/clients.conf \
492
621
                $(DESTDIR)/etc/dbus-1/system.d/mandos.conf
493
622
                $(DESTDIR)/etc/default/mandos \
494
623
                $(DESTDIR)/etc/init.d/mandos \
495
 
                $(SYSTEMD)/mandos.service \
496
624
                $(DESTDIR)/run/mandos.pid \
497
625
                $(DESTDIR)/var/run/mandos.pid
 
626
        if [ "$(SYSTEMD)" != "$(DESTDIR)" -a -d "$(SYSTEMD)" ]; then \
 
627
                -rm --force -- $(SYSTEMD)/mandos.service; \
 
628
        fi
498
629
        -rmdir $(CONFDIR)
499
630
 
 
631
.PHONY: purge-client
500
632
purge-client: uninstall-client
501
 
        -shred --remove $(KEYDIR)/seckey.txt
 
633
        -shred --remove $(KEYDIR)/seckey.txt $(KEYDIR)/tls-privkey.pem
502
634
        -rm --force $(CONFDIR)/plugin-runner.conf \
503
 
                $(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt
 
635
                $(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt \
 
636
                $(KEYDIR)/tls-pubkey.txt $(KEYDIR)/tls-privkey.txt
504
637
        -rmdir $(KEYDIR) $(CONFDIR)/plugins.d $(CONFDIR)