To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to Makefile
- browse files at revision 951
- compare with another revision
- download diff
- download tarball
- view history from revision 951
- Committer: Teddy Hogeborn
- Date: 2018-08-15 09:26:02 UTC
- Revision ID: teddy@recompile.se-20180815092602-xoyb5s6gf8376i7u
mandos-client: Set system clock if necessary
* plugins.d/mandos-client.c (init_gpgme/import_key): If the system
clock is not set, or set to january 1970, set the system clock to
the more plausible value that is the mtime of the key file. This is
required by GnuPG to be able to import the keys. (We can't pass the
--ignore-time-conflict or the --ignore-valid-from options though
GPGME.)
* plugins.d/mandos-client.c (init_gpgme/import_key): If the system
clock is not set, or set to january 1970, set the system clock to
the more plausible value that is the mtime of the key file. This is
required by GnuPG to be able to import the keys. (We can't pass the
--ignore-time-conflict or the --ignore-valid-from options though
GPGME.)
- files added:
- initramfs-tools-hook-conf
- files removed:
- debian/mandos-client.templates
- debian/tests
- dracut-module
- files modified:
- .bzrignore
added
removed
Makefile
10
10
-Wmissing-format-attribute -Wnormalized=nfc -Wpacked \
11
11
-Wredundant-decls -Wnested-externs -Winline -Wvla \
12
12
-Wvolatile-register-var -Woverlength-strings
13
14
#DEBUG:=-ggdb3 -fsanitize=address $(SANITIZE)
15
## Check which sanitizing options can be used
16
#SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \
17
# echo 'int main(){}' | $(CC) --language=c $(option) \
18
# /dev/stdin -o /dev/null >/dev/null 2>&1 && echo $(option)))
13
#DEBUG:=-ggdb3 -fsanitize=address
14
# For info about _FORTIFY_SOURCE, see feature_test_macros(7)
15
# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
16
FORTIFY:=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
19
17
# <https://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan/>
20
18
ALL_SANITIZE_OPTIONS:=-fsanitize=leak -fsanitize=undefined \
21
19
-fsanitize=shift -fsanitize=integer-divide-by-zero \
25
23
-fsanitize=object-size -fsanitize=float-divide-by-zero \
26
24
-fsanitize=float-cast-overflow -fsanitize=nonnull-attribute \
27
25
-fsanitize=returns-nonnull-attribute -fsanitize=bool \
28
-fsanitize=enum -fsanitize-address-use-after-scope
29
30
# For info about _FORTIFY_SOURCE, see feature_test_macros(7)
31
# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
32
FORTIFY:=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
26
-fsanitize=enum
27
# Check which sanitizing options can be used
28
SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \
29
echo 'int main(){}' | $(CC) --language=c $(option) /dev/stdin \
30
-o /dev/null >/dev/null 2>&1 && echo $(option)))
33
31
LINK_FORTIFY_LD:=-z relro -z now
34
32
LINK_FORTIFY:=
35
33
42
40
OPTIMIZE:=-Os -fno-strict-aliasing
43
41
LANGUAGE:=-std=gnu11
44
42
htmldir:=man
45
version:=1.8.5
43
version:=1.7.19
46
44
SED:=sed
47
PKG_CONFIG?=pkg-config
48
49
USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos \
50
|| getent passwd nobody || echo 65534)))
51
GROUP:=$(firstword $(subst :, ,$(shell getent group _mandos \
52
|| getent group nogroup || echo 65534)))
53
54
LINUXVERSION:=$(shell uname --kernel-release)
45
46
USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))
47
GROUP:=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nogroup || echo 65534)))
55
48
56
49
## Use these settings for a traditional /usr/local install
57
50
# PREFIX:=$(DESTDIR)/usr/local
59
52
# KEYDIR:=$(DESTDIR)/etc/mandos/keys
60
53
# MANDIR:=$(PREFIX)/man
61
54
# INITRAMFSTOOLS:=$(DESTDIR)/etc/initramfs-tools
62
# DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos
63
55
# STATEDIR:=$(DESTDIR)/var/lib/mandos
64
56
# LIBDIR:=$(PREFIX)/lib
65
57
##
70
62
KEYDIR:=$(DESTDIR)/etc/keys/mandos
71
63
MANDIR:=$(PREFIX)/share/man
72
64
INITRAMFSTOOLS:=$(DESTDIR)/usr/share/initramfs-tools
73
DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos
74
65
STATEDIR:=$(DESTDIR)/var/lib/mandos
75
66
LIBDIR:=$(shell \
76
67
for d in \
77
"/usr/lib/`dpkg-architecture \
78
-qDEB_HOST_MULTIARCH 2>/dev/null`" \
68
"/usr/lib/`dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null`" \
79
69
"`rpm --eval='%{_libdir}' 2>/dev/null`" /usr/lib; do \
80
70
if [ -d "$$d" -a "$$d" = "$${d%/}" ]; then \
81
71
echo "$(DESTDIR)$$d"; \
84
74
done)
85
75
##
86
76
87
SYSTEMD:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \
88
--variable=systemdsystemunitdir)
89
TMPFILES:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \
90
--variable=tmpfilesdir)
77
SYSTEMD:=$(DESTDIR)$(shell pkg-config systemd --variable=systemdsystemunitdir)
78
TMPFILES:=$(DESTDIR)$(shell pkg-config systemd --variable=tmpfilesdir)
91
79
92
GNUTLS_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I gnutls)
93
GNUTLS_LIBS:=$(shell $(PKG_CONFIG) --libs gnutls)
94
AVAHI_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I avahi-core)
95
AVAHI_LIBS:=$(shell $(PKG_CONFIG) --libs avahi-core)
80
GNUTLS_CFLAGS:=$(shell pkg-config --cflags-only-I gnutls)
81
GNUTLS_LIBS:=$(shell pkg-config --libs gnutls)
82
AVAHI_CFLAGS:=$(shell pkg-config --cflags-only-I avahi-core)
83
AVAHI_LIBS:=$(shell pkg-config --libs avahi-core)
96
84
GPGME_CFLAGS:=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)
97
85
GPGME_LIBS:=$(shell gpgme-config --libs; getconf LFS_LIBS; \
98
86
getconf LFS_LDFLAGS)
99
LIBNL3_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I libnl-route-3.0)
100
LIBNL3_LIBS:=$(shell $(PKG_CONFIG) --libs libnl-route-3.0)
101
GLIB_CFLAGS:=$(shell $(PKG_CONFIG) --cflags glib-2.0)
102
GLIB_LIBS:=$(shell $(PKG_CONFIG) --libs glib-2.0)
87
LIBNL3_CFLAGS:=$(shell pkg-config --cflags-only-I libnl-route-3.0)
88
LIBNL3_LIBS:=$(shell pkg-config --libs libnl-route-3.0)
103
89
104
90
# Do not change these two
105
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) \
91
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(SANITIZE) $(COVERAGE) \
106
92
$(OPTIMIZE) $(LANGUAGE) -DVERSION='"$(version)"'
107
LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(strip \
108
) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
93
LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
109
94
110
95
# Commands to format a DocBook <refentry> document into a manual page
111
96
DOCBOOKTOMAN=$(strip cd $(dir $<); xsltproc --nonet --xinclude \
117
102
/usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl \
118
103
$(notdir $<); \
119
104
if locale --all 2>/dev/null | grep --regexp='^en_US\.utf8$$' \
120
&& command -v man >/dev/null; then LANG=en_US.UTF-8 \
121
MANWIDTH=80 man --warnings --encoding=UTF-8 --local-file \
122
$(notdir $@); fi >/dev/null)
105
&& type man 2>/dev/null; then LANG=en_US.UTF-8 MANWIDTH=80 \
106
man --warnings --encoding=UTF-8 --local-file $(notdir $@); \
107
fi >/dev/null)
123
108
124
109
DOCBOOKTOHTML=$(strip xsltproc --nonet --xinclude \
125
110
--param make.year.ranges 1 \
138
123
plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo \
139
124
plugins.d/plymouth
140
125
PLUGIN_HELPERS:=plugin-helpers/mandos-client-iprouteadddel
141
CPROGS:=plugin-runner dracut-module/password-agent $(PLUGINS) \
142
$(PLUGIN_HELPERS)
126
CPROGS:=plugin-runner $(PLUGINS) $(PLUGIN_HELPERS)
143
127
PROGS:=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
144
128
DOCS:=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
145
129
mandos.conf.5 mandos-clients.conf.5 plugin-runner.8mandos \
146
dracut-module/password-agent.8mandos \
147
130
plugins.d/mandos-client.8mandos \
148
131
plugins.d/password-prompt.8mandos plugins.d/usplash.8mandos \
149
132
plugins.d/splashy.8mandos plugins.d/askpass-fifo.8mandos \
221
204
overview.xml legalnotice.xml
222
205
$(DOCBOOKTOHTML)
223
206
224
dracut-module/password-agent.8mandos: \
225
dracut-module/password-agent.xml common.ent \
226
overview.xml legalnotice.xml
227
$(DOCBOOKTOMAN)
228
dracut-module/password-agent.8mandos.xhtml: \
229
dracut-module/password-agent.xml common.ent \
230
overview.xml legalnotice.xml
231
$(DOCBOOKTOHTML)
232
233
207
plugins.d/mandos-client.8mandos: plugins.d/mandos-client.xml \
234
208
common.ent \
235
209
mandos-options.xml \
278
252
--expression='s/\(mandos_\)[0-9.]\+\(\.orig\.tar\.gz\)/\1$(version)\2/' \
279
253
$@)
280
254
281
# Need to add the GnuTLS, Avahi and GPGME libraries
255
# Need to add the GnuTLS, Avahi and GPGME libraries, and can't use
256
# -fsanitize=leak because GnuTLS and GPGME both leak memory.
282
257
plugins.d/mandos-client: plugins.d/mandos-client.c
283
$(LINK.c) $^ $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(strip\
284
) $(GPGME_CFLAGS) $(GNUTLS_LIBS) $(strip\
285
) $(AVAHI_LIBS) $(GPGME_LIBS) $(LOADLIBES) $(strip\
286
) $(LDLIBS) -o $@
258
$(CC) $(filter-out -fsanitize=leak,$(CFLAGS)) $(strip\
259
) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(GPGME_CFLAGS) $(strip\
260
) $(CPPFLAGS) $(LDFLAGS) $(TARGET_ARCH) $^ $(strip\
261
) -lrt $(GNUTLS_LIBS) $(AVAHI_LIBS) $(strip\
262
) $(GPGME_LIBS) $(LOADLIBES) $(LDLIBS) -o $@
287
263
288
# Need to add the libnl-route library
289
264
plugin-helpers/mandos-client-iprouteadddel: plugin-helpers/mandos-client-iprouteadddel.c
290
265
$(LINK.c) $(LIBNL3_CFLAGS) $^ $(LIBNL3_LIBS) $(strip\
291
266
) $(LOADLIBES) $(LDLIBS) -o $@
292
267
293
# Need to add the GLib and pthread libraries
294
dracut-module/password-agent: dracut-module/password-agent.c
295
$(LINK.c) $(GLIB_CFLAGS) $^ $(GLIB_LIBS) -lpthread $(strip\
296
) $(LOADLIBES) $(LDLIBS) -o $@
297
298
268
.PHONY : all doc html clean distclean mostlyclean maintainer-clean \
299
269
check run-client run-server install install-html \
300
270
install-server install-client-nokey install-client uninstall \
309
279
maintainer-clean: clean
310
280
-rm --force --recursive keydir confdir statedir
311
281
312
check: all
282
check: all
313
283
./mandos --check
314
284
./mandos-ctl --check
315
./mandos-keygen --version
316
./plugin-runner --version
317
./plugin-helpers/mandos-client-iprouteadddel --version
318
./dracut-module/password-agent --test
319
285
320
286
# Run the client with a local config and key
321
run-client: all keydir/seckey.txt keydir/pubkey.txt \
322
keydir/tls-privkey.pem keydir/tls-pubkey.pem
323
@echo '######################################################'
324
@echo '# The following error messages are harmless and can #'
325
@echo '# be safely ignored: #'
326
@echo '## From plugin-runner: #'
327
@echo '# setgid: Operation not permitted #'
328
@echo '# setuid: Operation not permitted #'
329
@echo '## From askpass-fifo: #'
330
@echo '# mkfifo: Permission denied #'
331
@echo '## From mandos-client: #'
332
@echo '# Failed to raise privileges: Operation not permi... #'
333
@echo '# Warning: network hook "*" exited with status * #'
334
@echo '# ioctl SIOCSIFFLAGS +IFF_UP: Operation not permi... #'
335
@echo '# Failed to bring up interface "*": Operation not... #'
336
@echo '# #'
337
@echo '# (The messages are caused by not running as root, #'
338
@echo '# but you should NOT run "make run-client" as root #'
339
@echo '# unless you also unpacked and compiled Mandos as #'
340
@echo '# root, which is also NOT recommended.) #'
341
@echo '######################################################'
287
run-client: all keydir/seckey.txt keydir/pubkey.txt
288
@echo "###################################################################"
289
@echo "# The following error messages are harmless and can be safely #"
290
@echo "# ignored: #"
291
@echo "# From plugin-runner: setgid: Operation not permitted #"
292
@echo "# setuid: Operation not permitted #"
293
@echo "# From askpass-fifo: mkfifo: Permission denied #"
294
@echo "# From mandos-client: #"
295
@echo "# Failed to raise privileges: Operation not permitted #"
296
@echo "# Warning: network hook \"*\" exited with status * #"
297
@echo "# #"
298
@echo "# (The messages are caused by not running as root, but you should #"
299
@echo "# NOT run \"make run-client\" as root unless you also unpacked and #"
300
@echo "# compiled Mandos as root, which is also NOT recommended.) #"
301
@echo "###################################################################"
342
302
# We set GNOME_KEYRING_CONTROL to block pam_gnome_keyring
343
303
./plugin-runner --plugin-dir=plugins.d \
344
304
--plugin-helper-dir=plugin-helpers \
345
305
--config-file=plugin-runner.conf \
346
--options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--tls-privkey=keydir/tls-privkey.pem,--tls-pubkey=keydir/tls-pubkey.pem,--network-hook-dir=network-hooks.d \
306
--options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--network-hook-dir=network-hooks.d \
347
307
--env-for=mandos-client:GNOME_KEYRING_CONTROL= \
348
308
$(CLIENTARGS)
349
309
350
310
# Used by run-client
351
keydir/seckey.txt keydir/pubkey.txt keydir/tls-privkey.pem keydir/tls-pubkey.pem: mandos-keygen
311
keydir/seckey.txt keydir/pubkey.txt: mandos-keygen
352
312
install --directory keydir
353
313
./mandos-keygen --dir keydir --force
354
314
361
321
confdir/mandos.conf: mandos.conf
362
322
install --directory confdir
363
323
install --mode=u=rw,go=r $^ $@
364
confdir/clients.conf: clients.conf keydir/seckey.txt keydir/tls-pubkey.pem
324
confdir/clients.conf: clients.conf keydir/seckey.txt
365
325
install --directory confdir
366
326
install --mode=u=rw $< $@
367
327
# Add a client password
384
344
elif install --directory --mode=u=rwx $(STATEDIR); then \
385
345
chown -- $(USER):$(GROUP) $(STATEDIR) || :; \
386
346
fi
387
if [ "$(TMPFILES)" != "$(DESTDIR)" \
388
-a -d "$(TMPFILES)" ]; then \
347
if [ "$(TMPFILES)" != "$(DESTDIR)" -a -d "$(TMPFILES)" ]; then \
389
348
install --mode=u=rw,go=r tmpfiles.d-mandos.conf \
390
349
$(TMPFILES)/mandos.conf; \
391
350
fi
437
396
"$(CONFDIR)/network-hooks.d"
438
397
install --mode=u=rwx,go=rx \
439
398
--target-directory=$(LIBDIR)/mandos plugin-runner
440
install --mode=u=rwx,go=rx \
441
--target-directory=$(LIBDIR)/mandos \
442
mandos-to-cryptroot-unlock
443
399
install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
444
400
mandos-keygen
445
401
install --mode=u=rwx,go=rx \
465
421
plugin-helpers/mandos-client-iprouteadddel
466
422
install initramfs-tools-hook \
467
423
$(INITRAMFSTOOLS)/hooks/mandos
468
install --mode=u=rw,go=r initramfs-tools-conf \
469
$(INITRAMFSTOOLS)/conf.d/mandos-conf
470
install --mode=u=rw,go=r initramfs-tools-conf-hook \
471
$(INITRAMFSTOOLS)/conf-hooks.d/zz-mandos
424
install --mode=u=rw,go=r initramfs-tools-hook-conf \
425
$(INITRAMFSTOOLS)/conf-hooks.d/mandos
472
426
install initramfs-tools-script \
473
427
$(INITRAMFSTOOLS)/scripts/init-premount/mandos
474
install initramfs-tools-script-stop \
475
$(INITRAMFSTOOLS)/scripts/local-premount/mandos
476
install --directory $(DRACUTMODULE)
477
install --mode=u=rw,go=r --target-directory=$(DRACUTMODULE) \
478
dracut-module/ask-password-mandos.path \
479
dracut-module/ask-password-mandos.service
480
install --mode=u=rwxs,go=rx \
481
--target-directory=$(DRACUTMODULE) \
482
dracut-module/module-setup.sh \
483
dracut-module/cmdline-mandos.sh \
484
dracut-module/password-agent
485
428
install --mode=u=rw,go=r plugin-runner.conf $(CONFDIR)
486
429
gzip --best --to-stdout mandos-keygen.8 \
487
430
> $(MANDIR)/man8/mandos-keygen.8.gz
499
442
> $(MANDIR)/man8/askpass-fifo.8mandos.gz
500
443
gzip --best --to-stdout plugins.d/plymouth.8mandos \
501
444
> $(MANDIR)/man8/plymouth.8mandos.gz
502
gzip --best --to-stdout dracut-module/password-agent.8mandos \
503
> $(MANDIR)/man8/password-agent.8mandos.gz
504
445
505
446
install-client: install-client-nokey
506
447
# Post-installation stuff
507
448
-$(PREFIX)/sbin/mandos-keygen --dir "$(KEYDIR)"
508
if command -v update-initramfs >/dev/null; then \
509
update-initramfs -k all -u; \
510
elif command -v dracut >/dev/null; then \
511
for initrd in $(DESTDIR)/boot/initr*-$(LINUXVERSION); do \
512
if [ -w "$$initrd" ]; then \
513
chmod go-r "$$initrd"; \
514
dracut --force "$$initrd"; \
515
fi; \
516
done; \
517
fi
449
update-initramfs -k all -u
518
450
echo "Now run mandos-keygen --password --dir $(KEYDIR)"
519
451
520
452
uninstall: uninstall-server uninstall-client
547
479
$(INITRAMFSTOOLS)/hooks/mandos \
548
480
$(INITRAMFSTOOLS)/conf-hooks.d/mandos \
549
481
$(INITRAMFSTOOLS)/scripts/init-premount/mandos \
550
$(INITRAMFSTOOLS)/scripts/local-premount/mandos \
551
$(DRACUTMODULE)/ask-password-mandos.path \
552
$(DRACUTMODULE)/ask-password-mandos.service \
553
$(DRACUTMODULE)/module-setup.sh \
554
$(DRACUTMODULE)/cmdline-mandos.sh \
555
$(DRACUTMODULE)/password-agent \
556
482
$(MANDIR)/man8/mandos-keygen.8.gz \
557
483
$(MANDIR)/man8/plugin-runner.8mandos.gz \
558
484
$(MANDIR)/man8/mandos-client.8mandos.gz
561
487
$(MANDIR)/man8/splashy.8mandos.gz \
562
488
$(MANDIR)/man8/askpass-fifo.8mandos.gz \
563
489
$(MANDIR)/man8/plymouth.8mandos.gz \
564
$(MANDIR)/man8/password-agent.8mandos.gz \
565
490
-rmdir $(LIBDIR)/mandos/plugins.d $(CONFDIR)/plugins.d \
566
$(LIBDIR)/mandos $(CONFDIR) $(KEYDIR) $(DRACUTMODULE)
567
if command -v update-initramfs >/dev/null; then \
568
update-initramfs -k all -u; \
569
elif command -v dracut >/dev/null; then \
570
for initrd in $(DESTDIR)/boot/initr*-$(LINUXVERSION); do \
571
test -w "$$initrd" && dracut --force "$$initrd"; \
572
done; \
573
fi
491
$(LIBDIR)/mandos $(CONFDIR) $(KEYDIR)
492
update-initramfs -k all -u
574
493
575
494
purge: purge-server purge-client
576
495
585
504
-rmdir $(CONFDIR)
586
505
587
506
purge-client: uninstall-client
588
-shred --remove $(KEYDIR)/seckey.txt $(KEYDIR)/tls-privkey.pem
507
-shred --remove $(KEYDIR)/seckey.txt
589
508
-rm --force $(CONFDIR)/plugin-runner.conf \
590
$(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt \
591
$(KEYDIR)/tls-pubkey.txt $(KEYDIR)/tls-privkey.txt
509
$(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt
592
510
-rmdir $(KEYDIR) $(CONFDIR)/plugins.d $(CONFDIR)
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0