/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to Makefile

  • Committer: Teddy Hogeborn
  • Date: 2017-08-20 14:14:14 UTC
  • Revision ID: teddy@recompile.se-20170820141414-m034xuebg7ccaeui
Add some more restrictions to the systemd service file.

* mandos.service ([Service]/ProtectKernelTunables): New; set to "yes".
  ([Service]/ProtectControlGroups): - '' -

Show diffs side-by-side

added added

removed removed

Lines of Context:
10
10
        -Wmissing-format-attribute -Wnormalized=nfc -Wpacked \
11
11
        -Wredundant-decls -Wnested-externs -Winline -Wvla \
12
12
        -Wvolatile-register-var -Woverlength-strings
13
 
#DEBUG=-ggdb3
 
13
#DEBUG=-ggdb3 -fsanitize=address 
14
14
# For info about _FORTIFY_SOURCE, see feature_test_macros(7)
15
 
# and <http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
 
15
# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
16
16
FORTIFY=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
17
17
# <https://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan/>
18
 
# The sanitizing options are available in GCC 4.9 and above.
19
 
ifeq ($(shell test $(shell $(CC) -dumpversion) \> 4.9-; echo $$?),0)
20
 
SANITIZE:=-fsanitize=address -fsanitize=undefined -fsanitize=shift \
21
 
        -fsanitize=integer-divide-by-zero -fsanitize=unreachable \
22
 
        -fsanitize=vla-bound -fsanitize=null -fsanitize=return \
23
 
        -fsanitize=signed-integer-overflow
24
 
# GCC 5.3 has some more sanitizing options
25
 
ifeq ($(shell test $(shell $(CC) -dumpversion) \> 5.3-; echo $$?),0)
26
 
SANITIZE+=-fsanitize=bounds -fsanitize=alignment \
27
 
        -fsanitize=object-size -fsanitize=float-divide-by-zero \
28
 
        -fsanitize=float-cast-overflow -fsanitize=nonnull-attribute \
29
 
        -fsanitize=returns-nonnull-attribute -fsanitize=bool \
30
 
        -fsanitize=enum
31
 
endif
32
 
else
33
 
SANITIZE:=
34
 
endif
 
18
ALL_SANITIZE_OPTIONS:=-fsanitize=leak -fsanitize=undefined \
 
19
        -fsanitize=shift -fsanitize=integer-divide-by-zero \
 
20
        -fsanitize=unreachable -fsanitize=vla-bound -fsanitize=null \
 
21
        -fsanitize=return -fsanitize=signed-integer-overflow \
 
22
        -fsanitize=bounds -fsanitize=alignment \
 
23
        -fsanitize=object-size -fsanitize=float-divide-by-zero \
 
24
        -fsanitize=float-cast-overflow -fsanitize=nonnull-attribute \
 
25
        -fsanitize=returns-nonnull-attribute -fsanitize=bool \
 
26
        -fsanitize=enum
 
27
# Check which sanitizing options can be used
 
28
SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \
 
29
        echo 'int main(){}' | $(CC) --language=c $(option) /dev/stdin \
 
30
        -o /dev/null >/dev/null 2>&1 && echo $(option)))
35
31
LINK_FORTIFY_LD=-z relro -z now
36
32
LINK_FORTIFY=
37
33
 
44
40
OPTIMIZE=-Os -fno-strict-aliasing
45
41
LANGUAGE=-std=gnu11
46
42
htmldir=man
47
 
version=1.7.2
 
43
version=1.7.15
48
44
SED=sed
49
45
 
50
46
USER=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))
51
 
GROUP=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nobody || echo 65534)))
 
47
GROUP=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nogroup || echo 65534)))
52
48
 
53
49
## Use these settings for a traditional /usr/local install
54
50
# PREFIX=$(DESTDIR)/usr/local
79
75
##
80
76
 
81
77
SYSTEMD=$(DESTDIR)$(shell pkg-config systemd --variable=systemdsystemunitdir)
 
78
TMPFILES=$(DESTDIR)$(shell pkg-config systemd --variable=tmpfilesdir)
82
79
 
83
80
GNUTLS_CFLAGS=$(shell pkg-config --cflags-only-I gnutls)
84
81
GNUTLS_LIBS=$(shell pkg-config --libs gnutls)
286
283
run-client: all keydir/seckey.txt keydir/pubkey.txt
287
284
        @echo "###################################################################"
288
285
        @echo "# The following error messages are harmless and can be safely     #"
289
 
        @echo "# ignored.  The messages are caused by not running as root, but   #"
290
 
        @echo "# you should NOT run \"make run-client\" as root unless you also    #"
291
 
        @echo "# unpacked and compiled Mandos as root, which is NOT recommended. #"
 
286
        @echo "# ignored:                                                        #"
292
287
        @echo "# From plugin-runner: setgid: Operation not permitted             #"
293
288
        @echo "#                     setuid: Operation not permitted             #"
294
289
        @echo "# From askpass-fifo:  mkfifo: Permission denied                   #"
295
290
        @echo "# From mandos-client:                                             #"
296
291
        @echo "#             Failed to raise privileges: Operation not permitted #"
297
292
        @echo "#             Warning: network hook \"*\" exited with status *      #"
 
293
        @echo "#                                                                 #"
 
294
        @echo "# (The messages are caused by not running as root, but you should #"
 
295
        @echo "# NOT run \"make run-client\" as root unless you also unpacked and  #"
 
296
        @echo "# compiled Mandos as root, which is also NOT recommended.)        #"
298
297
        @echo "###################################################################"
299
298
# We set GNOME_KEYRING_CONTROL to block pam_gnome_keyring
300
299
        ./plugin-runner --plugin-dir=plugins.d \
341
340
        elif install --directory --mode=u=rwx $(STATEDIR); then \
342
341
                chown -- $(USER):$(GROUP) $(STATEDIR) || :; \
343
342
        fi
 
343
        if [ "$(TMPFILES)" != "$(DESTDIR)" -a -d "$(TMPFILES)" ]; then \
 
344
                install --mode=u=rw,go=r tmpfiles.d-mandos.conf \
 
345
                        $(TMPFILES)/mandos.conf; \
 
346
        fi
344
347
        install --mode=u=rwx,go=rx mandos $(PREFIX)/sbin/mandos
345
348
        install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
346
349
                mandos-ctl
382
385
                $(LIBDIR)/mandos/plugin-helpers
383
386
        if [ "$(CONFDIR)" != "$(LIBDIR)/mandos" ]; then \
384
387
                install --mode=u=rwx \
385
 
                        --directory "$(CONFDIR)/plugins.d"; \
386
 
                install --directory "$(CONFDIR)/plugin-helpers"; \
 
388
                        --directory "$(CONFDIR)/plugins.d" \
 
389
                        "$(CONFDIR)/plugin-helpers"; \
387
390
        fi
388
391
        install --mode=u=rwx,go=rx --directory \
389
392
                "$(CONFDIR)/network-hooks.d"
409
412
        install --mode=u=rwxs,go=rx \
410
413
                --target-directory=$(LIBDIR)/mandos/plugins.d \
411
414
                plugins.d/plymouth
412
 
        install --mode=u=rwxs,go=rx \
 
415
        install --mode=u=rwx,go=rx \
413
416
                --target-directory=$(LIBDIR)/mandos/plugin-helpers \
414
417
                plugin-helpers/mandos-client-iprouteadddel
415
418
        install initramfs-tools-hook \