/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to Makefile

  • Committer: Teddy Hogeborn
  • Date: 2016-03-17 20:40:55 UTC
  • Revision ID: teddy@recompile.se-20160317204055-bhsh5xsidq7w5cxu
Client: Fix plymouth agent; broken since 1.7.2.

Fix an very old memory bug in the plymouth agent (which has been
present since its apperance in version 1.2), but which was only
recently detected at run time due to the new -fsanitize=address
compile- time flag, which has been used since version 1.7.2.  This
detection of a memory access violation causes the program to abort,
making the Plymouth graphical boot system unable to accept interactive
input of passwords when using the Mandos client.

* plugins.d/plymouth.c (exec_and_wait): Fix memory allocation bug when
  allocating new_argv.  Also tolerate a zero-length argv.

Show diffs side-by-side

added added

removed removed

Lines of Context:
1
 
WARN:=-O -Wall -Wextra -Wdouble-promotion -Wformat=2 -Winit-self \
 
1
WARN=-O -Wall -Wextra -Wdouble-promotion -Wformat=2 -Winit-self \
2
2
        -Wmissing-include-dirs -Wswitch-default -Wswitch-enum \
3
3
        -Wunused -Wuninitialized -Wstrict-overflow=5 \
4
4
        -Wsuggest-attribute=pure -Wsuggest-attribute=const \
10
10
        -Wmissing-format-attribute -Wnormalized=nfc -Wpacked \
11
11
        -Wredundant-decls -Wnested-externs -Winline -Wvla \
12
12
        -Wvolatile-register-var -Woverlength-strings
13
 
#DEBUG:=-ggdb3 -fsanitize=address 
 
13
#DEBUG=-ggdb3
14
14
# For info about _FORTIFY_SOURCE, see feature_test_macros(7)
15
 
# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
16
 
FORTIFY:=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
 
15
# and <http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
 
16
FORTIFY=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
17
17
# <https://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan/>
18
 
ALL_SANITIZE_OPTIONS:=-fsanitize=leak -fsanitize=undefined \
 
18
ALL_SANITIZE_OPTIONS:=-fsanitize=address -fsanitize=undefined \
19
19
        -fsanitize=shift -fsanitize=integer-divide-by-zero \
20
20
        -fsanitize=unreachable -fsanitize=vla-bound -fsanitize=null \
21
21
        -fsanitize=return -fsanitize=signed-integer-overflow \
28
28
SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \
29
29
        echo 'int main(){}' | $(CC) --language=c $(option) /dev/stdin \
30
30
        -o /dev/null >/dev/null 2>&1 && echo $(option)))
31
 
LINK_FORTIFY_LD:=-z relro -z now
32
 
LINK_FORTIFY:=
 
31
LINK_FORTIFY_LD=-z relro -z now
 
32
LINK_FORTIFY=
33
33
 
34
34
# If BROKEN_PIE is set, do not build with -pie
35
35
ifndef BROKEN_PIE
37
37
LINK_FORTIFY += -pie
38
38
endif
39
39
#COVERAGE=--coverage
40
 
OPTIMIZE:=-Os -fno-strict-aliasing
41
 
LANGUAGE:=-std=gnu11
42
 
htmldir:=man
43
 
version:=1.7.16
44
 
SED:=sed
 
40
OPTIMIZE=-Os -fno-strict-aliasing
 
41
LANGUAGE=-std=gnu11
 
42
htmldir=man
 
43
version=1.7.6
 
44
SED=sed
45
45
 
46
 
USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))
47
 
GROUP:=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nogroup || echo 65534)))
 
46
USER=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))
 
47
GROUP=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nogroup || echo 65534)))
48
48
 
49
49
## Use these settings for a traditional /usr/local install
50
 
# PREFIX:=$(DESTDIR)/usr/local
51
 
# CONFDIR:=$(DESTDIR)/etc/mandos
52
 
# KEYDIR:=$(DESTDIR)/etc/mandos/keys
53
 
# MANDIR:=$(PREFIX)/man
54
 
# INITRAMFSTOOLS:=$(DESTDIR)/etc/initramfs-tools
55
 
# STATEDIR:=$(DESTDIR)/var/lib/mandos
56
 
# LIBDIR:=$(PREFIX)/lib
 
50
# PREFIX=$(DESTDIR)/usr/local
 
51
# CONFDIR=$(DESTDIR)/etc/mandos
 
52
# KEYDIR=$(DESTDIR)/etc/mandos/keys
 
53
# MANDIR=$(PREFIX)/man
 
54
# INITRAMFSTOOLS=$(DESTDIR)/etc/initramfs-tools
 
55
# STATEDIR=$(DESTDIR)/var/lib/mandos
 
56
# LIBDIR=$(PREFIX)/lib
57
57
##
58
58
 
59
59
## These settings are for a package-type install
60
 
PREFIX:=$(DESTDIR)/usr
61
 
CONFDIR:=$(DESTDIR)/etc/mandos
62
 
KEYDIR:=$(DESTDIR)/etc/keys/mandos
63
 
MANDIR:=$(PREFIX)/share/man
64
 
INITRAMFSTOOLS:=$(DESTDIR)/usr/share/initramfs-tools
65
 
STATEDIR:=$(DESTDIR)/var/lib/mandos
66
 
LIBDIR:=$(shell \
 
60
PREFIX=$(DESTDIR)/usr
 
61
CONFDIR=$(DESTDIR)/etc/mandos
 
62
KEYDIR=$(DESTDIR)/etc/keys/mandos
 
63
MANDIR=$(PREFIX)/share/man
 
64
INITRAMFSTOOLS=$(DESTDIR)/usr/share/initramfs-tools
 
65
STATEDIR=$(DESTDIR)/var/lib/mandos
 
66
LIBDIR=$(shell \
67
67
        for d in \
68
68
        "/usr/lib/`dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null`" \
69
69
        "`rpm --eval='%{_libdir}' 2>/dev/null`" /usr/lib; do \
74
74
        done)
75
75
##
76
76
 
77
 
SYSTEMD:=$(DESTDIR)$(shell pkg-config systemd --variable=systemdsystemunitdir)
78
 
TMPFILES:=$(DESTDIR)$(shell pkg-config systemd --variable=tmpfilesdir)
 
77
SYSTEMD=$(DESTDIR)$(shell pkg-config systemd --variable=systemdsystemunitdir)
79
78
 
80
 
GNUTLS_CFLAGS:=$(shell pkg-config --cflags-only-I gnutls)
81
 
GNUTLS_LIBS:=$(shell pkg-config --libs gnutls)
82
 
AVAHI_CFLAGS:=$(shell pkg-config --cflags-only-I avahi-core)
83
 
AVAHI_LIBS:=$(shell pkg-config --libs avahi-core)
84
 
GPGME_CFLAGS:=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)
85
 
GPGME_LIBS:=$(shell gpgme-config --libs; getconf LFS_LIBS; \
 
79
GNUTLS_CFLAGS=$(shell pkg-config --cflags-only-I gnutls)
 
80
GNUTLS_LIBS=$(shell pkg-config --libs gnutls)
 
81
AVAHI_CFLAGS=$(shell pkg-config --cflags-only-I avahi-core)
 
82
AVAHI_LIBS=$(shell pkg-config --libs avahi-core)
 
83
GPGME_CFLAGS=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)
 
84
GPGME_LIBS=$(shell gpgme-config --libs; getconf LFS_LIBS; \
86
85
        getconf LFS_LDFLAGS)
87
 
LIBNL3_CFLAGS:=$(shell pkg-config --cflags-only-I libnl-route-3.0)
88
 
LIBNL3_LIBS:=$(shell pkg-config --libs libnl-route-3.0)
 
86
LIBNL3_CFLAGS=$(shell pkg-config --cflags-only-I libnl-route-3.0)
 
87
LIBNL3_LIBS=$(shell pkg-config --libs libnl-route-3.0)
89
88
 
90
89
# Do not change these two
91
90
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(SANITIZE) $(COVERAGE) \
117
116
        /usr/share/xml/docbook/stylesheet/nwalsh/xhtml/docbook.xsl \
118
117
        $<; $(HTMLPOST) $@)
119
118
# Fix citerefentry links
120
 
HTMLPOST:=$(SED) --in-place \
 
119
HTMLPOST=$(SED) --in-place \
121
120
        --expression='s/\(<a class="citerefentry" href="\)\("><span class="citerefentry"><span class="refentrytitle">\)\([^<]*\)\(<\/span>(\)\([^)]*\)\()<\/span><\/a>\)/\1\3.\5\2\3\4\5\6/g'
122
121
 
123
 
PLUGINS:=plugins.d/password-prompt plugins.d/mandos-client \
 
122
PLUGINS=plugins.d/password-prompt plugins.d/mandos-client \
124
123
        plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo \
125
124
        plugins.d/plymouth
126
 
PLUGIN_HELPERS:=plugin-helpers/mandos-client-iprouteadddel
127
 
CPROGS:=plugin-runner $(PLUGINS) $(PLUGIN_HELPERS)
128
 
PROGS:=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
129
 
DOCS:=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
 
125
PLUGIN_HELPERS=plugin-helpers/mandos-client-iprouteadddel
 
126
CPROGS=plugin-runner $(PLUGINS) $(PLUGIN_HELPERS)
 
127
PROGS=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
 
128
DOCS=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
130
129
        mandos.conf.5 mandos-clients.conf.5 plugin-runner.8mandos \
131
130
        plugins.d/mandos-client.8mandos \
132
131
        plugins.d/password-prompt.8mandos plugins.d/usplash.8mandos \
133
132
        plugins.d/splashy.8mandos plugins.d/askpass-fifo.8mandos \
134
133
        plugins.d/plymouth.8mandos intro.8mandos
135
134
 
136
 
htmldocs:=$(addsuffix .xhtml,$(DOCS))
 
135
htmldocs=$(addsuffix .xhtml,$(DOCS))
137
136
 
138
 
objects:=$(addsuffix .o,$(CPROGS))
 
137
objects=$(addsuffix .o,$(CPROGS))
139
138
 
140
139
all: $(PROGS) mandos.lsm
141
140
 
283
282
run-client: all keydir/seckey.txt keydir/pubkey.txt
284
283
        @echo "###################################################################"
285
284
        @echo "# The following error messages are harmless and can be safely     #"
286
 
        @echo "# ignored:                                                        #"
 
285
        @echo "# ignored.  The messages are caused by not running as root, but   #"
 
286
        @echo "# you should NOT run \"make run-client\" as root unless you also    #"
 
287
        @echo "# unpacked and compiled Mandos as root, which is NOT recommended. #"
287
288
        @echo "# From plugin-runner: setgid: Operation not permitted             #"
288
289
        @echo "#                     setuid: Operation not permitted             #"
289
290
        @echo "# From askpass-fifo:  mkfifo: Permission denied                   #"
290
291
        @echo "# From mandos-client:                                             #"
291
292
        @echo "#             Failed to raise privileges: Operation not permitted #"
292
293
        @echo "#             Warning: network hook \"*\" exited with status *      #"
293
 
        @echo "#                                                                 #"
294
 
        @echo "# (The messages are caused by not running as root, but you should #"
295
 
        @echo "# NOT run \"make run-client\" as root unless you also unpacked and  #"
296
 
        @echo "# compiled Mandos as root, which is also NOT recommended.)        #"
297
294
        @echo "###################################################################"
298
295
# We set GNOME_KEYRING_CONTROL to block pam_gnome_keyring
299
296
        ./plugin-runner --plugin-dir=plugins.d \
340
337
        elif install --directory --mode=u=rwx $(STATEDIR); then \
341
338
                chown -- $(USER):$(GROUP) $(STATEDIR) || :; \
342
339
        fi
343
 
        if [ "$(TMPFILES)" != "$(DESTDIR)" -a -d "$(TMPFILES)" ]; then \
344
 
                install --mode=u=rw,go=r tmpfiles.d-mandos.conf \
345
 
                        $(TMPFILES)/mandos.conf; \
346
 
        fi
347
340
        install --mode=u=rwx,go=rx mandos $(PREFIX)/sbin/mandos
348
341
        install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
349
342
                mandos-ctl
385
378
                $(LIBDIR)/mandos/plugin-helpers
386
379
        if [ "$(CONFDIR)" != "$(LIBDIR)/mandos" ]; then \
387
380
                install --mode=u=rwx \
388
 
                        --directory "$(CONFDIR)/plugins.d" \
389
 
                        "$(CONFDIR)/plugin-helpers"; \
 
381
                        --directory "$(CONFDIR)/plugins.d"; \
 
382
                install --directory "$(CONFDIR)/plugin-helpers"; \
390
383
        fi
391
384
        install --mode=u=rwx,go=rx --directory \
392
385
                "$(CONFDIR)/network-hooks.d"
412
405
        install --mode=u=rwxs,go=rx \
413
406
                --target-directory=$(LIBDIR)/mandos/plugins.d \
414
407
                plugins.d/plymouth
415
 
        install --mode=u=rwx,go=rx \
 
408
        install --mode=u=rwxs,go=rx \
416
409
                --target-directory=$(LIBDIR)/mandos/plugin-helpers \
417
410
                plugin-helpers/mandos-client-iprouteadddel
418
411
        install initramfs-tools-hook \