1
WARN=-O -Wall -Wformat=2 -Winit-self -Wmissing-include-dirs \
2
-Wswitch-default -Wswitch-enum -Wunused-parameter \
3
-Wstrict-aliasing=1 -Wextra -Wfloat-equal -Wundef -Wshadow \
1
WARN=-O -Wall -Wextra -Wdouble-promotion -Wformat=2 -Winit-self \
2
-Wmissing-include-dirs -Wswitch-default -Wswitch-enum \
3
-Wunused -Wuninitialized -Wstrict-overflow=5 \
4
-Wsuggest-attribute=pure -Wsuggest-attribute=const \
5
-Wsuggest-attribute=noreturn -Wfloat-equal -Wundef -Wshadow \
4
6
-Wunsafe-loop-optimizations -Wpointer-arith \
5
7
-Wbad-function-cast -Wcast-qual -Wcast-align -Wwrite-strings \
6
-Wconversion -Wstrict-prototypes -Wold-style-definition \
7
-Wpacked -Wnested-externs -Winline -Wvolatile-register-var
8
-Wconversion -Wlogical-op -Waggregate-return \
9
-Wstrict-prototypes -Wold-style-definition \
10
-Wmissing-format-attribute -Wnormalized=nfc -Wpacked \
11
-Wredundant-decls -Wnested-externs -Winline -Wvla \
12
-Wvolatile-register-var -Woverlength-strings
10
# For info about _FORTIFY_SOURCE, see
11
# <http://www.kernel.org/doc/man-pages/online/pages/man7/feature_test_macros.7.html>
14
# For info about _FORTIFY_SOURCE, see feature_test_macros(7)
12
15
# and <http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
13
16
FORTIFY=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
17
# <https://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan/>
18
ALL_SANITIZE_OPTIONS:=-fsanitize=address -fsanitize=undefined \
19
-fsanitize=shift -fsanitize=integer-divide-by-zero \
20
-fsanitize=unreachable -fsanitize=vla-bound -fsanitize=null \
21
-fsanitize=return -fsanitize=signed-integer-overflow \
22
-fsanitize=bounds -fsanitize=alignment \
23
-fsanitize=object-size -fsanitize=float-divide-by-zero \
24
-fsanitize=float-cast-overflow -fsanitize=nonnull-attribute \
25
-fsanitize=returns-nonnull-attribute -fsanitize=bool \
27
# Check which sanitizing options can be used
28
SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \
29
echo 'int main(){}' | $(CC) --language=c $(option) /dev/stdin \
30
-o /dev/null >/dev/null 2>&1 && echo $(option)))
14
31
LINK_FORTIFY_LD=-z relro -z now
20
37
LINK_FORTIFY += -pie
22
39
#COVERAGE=--coverage
40
OPTIMIZE=-Os -fno-strict-aliasing
29
46
USER=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))
30
GROUP=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nobody || echo 65534)))
47
GROUP=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nogroup || echo 65534)))
32
49
## Use these settings for a traditional /usr/local install
33
50
# PREFIX=$(DESTDIR)/usr/local
66
84
GPGME_CFLAGS=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)
67
85
GPGME_LIBS=$(shell gpgme-config --libs; getconf LFS_LIBS; \
68
86
getconf LFS_LDFLAGS)
87
LIBNL3_CFLAGS=$(shell pkg-config --cflags-only-I libnl-route-3.0)
88
LIBNL3_LIBS=$(shell pkg-config --libs libnl-route-3.0)
70
90
# Do not change these two
71
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \
72
$(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(GPGME_CFLAGS) \
73
-DVERSION='"$(version)"'
91
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(SANITIZE) $(COVERAGE) \
92
$(OPTIMIZE) $(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) \
93
$(GPGME_CFLAGS) -DVERSION='"$(version)"'
74
94
LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
76
96
# Commands to format a DocBook <refentry> document into a manual page
82
102
--param man.authors.section.enabled 0 \
83
103
/usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl \
85
$(MANPOST) $(notdir $@);\
86
105
if locale --all 2>/dev/null | grep --regexp='^en_US\.utf8$$' \
87
106
&& type man 2>/dev/null; then LANG=en_US.UTF-8 MANWIDTH=80 \
88
107
man --warnings --encoding=UTF-8 --local-file $(notdir $@); \
90
# DocBook-to-man post-processing to fix a '\n' escape bug
91
MANPOST=$(SED) --in-place --expression='s,\\\\en,\\en,g;s,\\n,\\en,g'
93
110
DOCBOOKTOHTML=$(strip xsltproc --nonet --xinclude \
94
111
--param make.year.ranges 1 \
106
123
PLUGINS=plugins.d/password-prompt plugins.d/mandos-client \
107
124
plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo \
108
125
plugins.d/plymouth
109
CPROGS=plugin-runner $(PLUGINS)
126
PLUGIN_HELPERS=plugin-helpers/mandos-client-iprouteadddel
127
CPROGS=plugin-runner $(PLUGINS) $(PLUGIN_HELPERS)
110
128
PROGS=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
111
129
DOCS=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
112
130
mandos.conf.5 mandos-clients.conf.5 plugin-runner.8mandos \
239
257
$(LINK.c) $^ -lrt $(GNUTLS_LIBS) $(AVAHI_LIBS) $(strip\
240
258
) $(GPGME_LIBS) $(LOADLIBES) $(LDLIBS) -o $@
242
.PHONY : all doc html clean distclean run-client run-server install \
243
install-server install-client uninstall uninstall-server \
244
uninstall-client purge purge-server purge-client
260
plugin-helpers/mandos-client-iprouteadddel: plugin-helpers/mandos-client-iprouteadddel.c
261
$(LINK.c) $(LIBNL3_CFLAGS) $^ $(LIBNL3_LIBS) $(strip\
262
) $(LOADLIBES) $(LDLIBS) -o $@
264
.PHONY : all doc html clean distclean mostlyclean maintainer-clean \
265
check run-client run-server install install-html \
266
install-server install-client-nokey install-client uninstall \
267
uninstall-server uninstall-client purge purge-server \
247
271
-rm --force $(CPROGS) $(objects) $(htmldocs) $(DOCS) core
262
286
@echo "# ignored. The messages are caused by not running as root, but #"
263
287
@echo "# you should NOT run \"make run-client\" as root unless you also #"
264
288
@echo "# unpacked and compiled Mandos as root, which is NOT recommended. #"
265
@echo "# From plugin-runner: setuid: Operation not permitted #"
289
@echo "# From plugin-runner: setgid: Operation not permitted #"
290
@echo "# setuid: Operation not permitted #"
266
291
@echo "# From askpass-fifo: mkfifo: Permission denied #"
267
@echo "# From mandos-client: setuid: Operation not permitted #"
268
@echo "# seteuid: Operation not permitted #"
269
@echo "# klogctl: Operation not permitted #"
292
@echo "# From mandos-client: #"
293
@echo "# Failed to raise privileges: Operation not permitted #"
294
@echo "# Warning: network hook \"*\" exited with status * #"
270
295
@echo "###################################################################"
296
# We set GNOME_KEYRING_CONTROL to block pam_gnome_keyring
271
297
./plugin-runner --plugin-dir=plugins.d \
298
--plugin-helper-dir=plugin-helpers \
272
299
--config-file=plugin-runner.conf \
273
300
--options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--network-hook-dir=network-hooks.d \
301
--env-for=mandos-client:GNOME_KEYRING_CONTROL= \
276
304
# Used by run-client
291
319
install --directory confdir
292
320
install --mode=u=rw $< $@
293
321
# Add a client password
294
./mandos-keygen --dir keydir --password >> $@
322
./mandos-keygen --dir keydir --password --no-ssh >> $@
296
324
install --directory statedir
310
338
elif install --directory --mode=u=rwx $(STATEDIR); then \
311
339
chown -- $(USER):$(GROUP) $(STATEDIR) || :; \
341
if [ "$(TMPFILES)" != "$(DESTDIR)" -a -d "$(TMPFILES)" ]; then \
342
install --mode=u=rw,go=r tmpfiles.d-mandos.conf \
343
$(TMPFILES)/mandos.conf; \
313
345
install --mode=u=rwx,go=rx mandos $(PREFIX)/sbin/mandos
314
346
install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
347
379
install-client-nokey: all doc
348
380
install --directory $(LIBDIR)/mandos $(CONFDIR)
349
381
install --directory --mode=u=rwx $(KEYDIR) \
350
$(LIBDIR)/mandos/plugins.d
382
$(LIBDIR)/mandos/plugins.d \
383
$(LIBDIR)/mandos/plugin-helpers
351
384
if [ "$(CONFDIR)" != "$(LIBDIR)/mandos" ]; then \
352
385
install --mode=u=rwx \
353
--directory "$(CONFDIR)/plugins.d"; \
386
--directory "$(CONFDIR)/plugins.d" \
387
"$(CONFDIR)/plugin-helpers"; \
355
389
install --mode=u=rwx,go=rx --directory \
356
390
"$(CONFDIR)/network-hooks.d"
376
410
install --mode=u=rwxs,go=rx \
377
411
--target-directory=$(LIBDIR)/mandos/plugins.d \
378
412
plugins.d/plymouth
413
install --mode=u=rwx,go=rx \
414
--target-directory=$(LIBDIR)/mandos/plugin-helpers \
415
plugin-helpers/mandos-client-iprouteadddel
379
416
install initramfs-tools-hook \
380
417
$(INITRAMFSTOOLS)/hooks/mandos
381
418
install --mode=u=rw,go=r initramfs-tools-hook-conf \
399
436
> $(MANDIR)/man8/askpass-fifo.8mandos.gz
400
437
gzip --best --to-stdout plugins.d/plymouth.8mandos \
401
438
> $(MANDIR)/man8/plymouth.8mandos.gz
439
gzip --best --to-stdout intro.8mandos \
440
> $(MANDIR)/man8/intro.8mandos.gz
403
442
install-client: install-client-nokey
404
443
# Post-installation stuff
added
removed
Makefile
