/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to Makefile

  • Committer: Teddy Hogeborn
  • Date: 2016-03-17 20:40:55 UTC
  • Revision ID: teddy@recompile.se-20160317204055-bhsh5xsidq7w5cxu
Client: Fix plymouth agent; broken since 1.7.2.

Fix an very old memory bug in the plymouth agent (which has been
present since its apperance in version 1.2), but which was only
recently detected at run time due to the new -fsanitize=address
compile- time flag, which has been used since version 1.7.2.  This
detection of a memory access violation causes the program to abort,
making the Plymouth graphical boot system unable to accept interactive
input of passwords when using the Mandos client.

* plugins.d/plymouth.c (exec_and_wait): Fix memory allocation bug when
  allocating new_argv.  Also tolerate a zero-length argv.

Show diffs side-by-side

added added

removed removed

Lines of Context:
14
14
# For info about _FORTIFY_SOURCE, see feature_test_macros(7)
15
15
# and <http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
16
16
FORTIFY=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
 
17
# <https://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan/>
 
18
ALL_SANITIZE_OPTIONS:=-fsanitize=address -fsanitize=undefined \
 
19
        -fsanitize=shift -fsanitize=integer-divide-by-zero \
 
20
        -fsanitize=unreachable -fsanitize=vla-bound -fsanitize=null \
 
21
        -fsanitize=return -fsanitize=signed-integer-overflow \
 
22
        -fsanitize=bounds -fsanitize=alignment \
 
23
        -fsanitize=object-size -fsanitize=float-divide-by-zero \
 
24
        -fsanitize=float-cast-overflow -fsanitize=nonnull-attribute \
 
25
        -fsanitize=returns-nonnull-attribute -fsanitize=bool \
 
26
        -fsanitize=enum
 
27
# Check which sanitizing options can be used
 
28
SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \
 
29
        echo 'int main(){}' | $(CC) --language=c $(option) /dev/stdin \
 
30
        -o /dev/null >/dev/null 2>&1 && echo $(option)))
17
31
LINK_FORTIFY_LD=-z relro -z now
18
32
LINK_FORTIFY=
19
33
 
24
38
endif
25
39
#COVERAGE=--coverage
26
40
OPTIMIZE=-Os -fno-strict-aliasing
27
 
LANGUAGE=-std=gnu99
 
41
LANGUAGE=-std=gnu11
28
42
htmldir=man
29
 
version=1.6.4
 
43
version=1.7.6
30
44
SED=sed
31
45
 
32
46
USER=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))
33
 
GROUP=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nobody || echo 65534)))
 
47
GROUP=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nogroup || echo 65534)))
34
48
 
35
49
## Use these settings for a traditional /usr/local install
36
50
# PREFIX=$(DESTDIR)/usr/local
69
83
GPGME_CFLAGS=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)
70
84
GPGME_LIBS=$(shell gpgme-config --libs; getconf LFS_LIBS; \
71
85
        getconf LFS_LDFLAGS)
 
86
LIBNL3_CFLAGS=$(shell pkg-config --cflags-only-I libnl-route-3.0)
 
87
LIBNL3_LIBS=$(shell pkg-config --libs libnl-route-3.0)
72
88
 
73
89
# Do not change these two
74
 
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \
75
 
        $(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(GPGME_CFLAGS) \
76
 
        -DVERSION='"$(version)"'
 
90
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(SANITIZE) $(COVERAGE) \
 
91
        $(OPTIMIZE) $(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) \
 
92
        $(GPGME_CFLAGS) -DVERSION='"$(version)"'
77
93
LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
78
94
 
79
95
# Commands to format a DocBook <refentry> document into a manual page
106
122
PLUGINS=plugins.d/password-prompt plugins.d/mandos-client \
107
123
        plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo \
108
124
        plugins.d/plymouth
109
 
CPROGS=plugin-runner $(PLUGINS)
 
125
PLUGIN_HELPERS=plugin-helpers/mandos-client-iprouteadddel
 
126
CPROGS=plugin-runner $(PLUGINS) $(PLUGIN_HELPERS)
110
127
PROGS=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
111
128
DOCS=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
112
129
        mandos.conf.5 mandos-clients.conf.5 plugin-runner.8mandos \
239
256
        $(LINK.c) $^ -lrt $(GNUTLS_LIBS) $(AVAHI_LIBS) $(strip\
240
257
                ) $(GPGME_LIBS) $(LOADLIBES) $(LDLIBS) -o $@
241
258
 
 
259
plugin-helpers/mandos-client-iprouteadddel: plugin-helpers/mandos-client-iprouteadddel.c
 
260
        $(LINK.c) $(LIBNL3_CFLAGS) $^ $(LIBNL3_LIBS) $(strip\
 
261
                ) $(LOADLIBES) $(LDLIBS) -o $@
 
262
 
242
263
.PHONY : all doc html clean distclean mostlyclean maintainer-clean \
243
264
        check run-client run-server install install-html \
244
265
        install-server install-client-nokey install-client uninstall \
264
285
        @echo "# ignored.  The messages are caused by not running as root, but   #"
265
286
        @echo "# you should NOT run \"make run-client\" as root unless you also    #"
266
287
        @echo "# unpacked and compiled Mandos as root, which is NOT recommended. #"
267
 
        @echo "# From plugin-runner: setuid: Operation not permitted             #"
 
288
        @echo "# From plugin-runner: setgid: Operation not permitted             #"
 
289
        @echo "#                     setuid: Operation not permitted             #"
268
290
        @echo "# From askpass-fifo:  mkfifo: Permission denied                   #"
269
 
        @echo "# From mandos-client: setuid: Operation not permitted             #"
270
 
        @echo "#                     seteuid: Operation not permitted            #"
271
 
        @echo "#                     klogctl: Operation not permitted            #"
 
291
        @echo "# From mandos-client:                                             #"
 
292
        @echo "#             Failed to raise privileges: Operation not permitted #"
 
293
        @echo "#             Warning: network hook \"*\" exited with status *      #"
272
294
        @echo "###################################################################"
 
295
# We set GNOME_KEYRING_CONTROL to block pam_gnome_keyring
273
296
        ./plugin-runner --plugin-dir=plugins.d \
 
297
                --plugin-helper-dir=plugin-helpers \
274
298
                --config-file=plugin-runner.conf \
275
299
                --options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--network-hook-dir=network-hooks.d \
 
300
                --env-for=mandos-client:GNOME_KEYRING_CONTROL= \
276
301
                $(CLIENTARGS)
277
302
 
278
303
# Used by run-client
293
318
        install --directory confdir
294
319
        install --mode=u=rw $< $@
295
320
# Add a client password
296
 
        ./mandos-keygen --dir keydir --password >> $@
 
321
        ./mandos-keygen --dir keydir --password --no-ssh >> $@
297
322
statedir:
298
323
        install --directory statedir
299
324
 
349
374
install-client-nokey: all doc
350
375
        install --directory $(LIBDIR)/mandos $(CONFDIR)
351
376
        install --directory --mode=u=rwx $(KEYDIR) \
352
 
                $(LIBDIR)/mandos/plugins.d
 
377
                $(LIBDIR)/mandos/plugins.d \
 
378
                $(LIBDIR)/mandos/plugin-helpers
353
379
        if [ "$(CONFDIR)" != "$(LIBDIR)/mandos" ]; then \
354
380
                install --mode=u=rwx \
355
381
                        --directory "$(CONFDIR)/plugins.d"; \
 
382
                install --directory "$(CONFDIR)/plugin-helpers"; \
356
383
        fi
357
384
        install --mode=u=rwx,go=rx --directory \
358
385
                "$(CONFDIR)/network-hooks.d"
378
405
        install --mode=u=rwxs,go=rx \
379
406
                --target-directory=$(LIBDIR)/mandos/plugins.d \
380
407
                plugins.d/plymouth
 
408
        install --mode=u=rwxs,go=rx \
 
409
                --target-directory=$(LIBDIR)/mandos/plugin-helpers \
 
410
                plugin-helpers/mandos-client-iprouteadddel
381
411
        install initramfs-tools-hook \
382
412
                $(INITRAMFSTOOLS)/hooks/mandos
383
413
        install --mode=u=rw,go=r initramfs-tools-hook-conf \