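# Common version number defines for libcap
LIBTITLE=libcap
VERSION=2
MINOR=69

#
## Optional prefixes:
#

# common 'packaging' directory (DESTDIR is the conventional staging root
# used by packagers; everything is installed beneath it)

FAKEROOT=$(DESTDIR)

# Autoconf-style prefixes are activated when $(prefix) is defined.
# Otherwise binaries and libraries are installed in /{lib,sbin}/,
# header files in /usr/include/ and documentation in /usr/share/man/man?/.
# These choices are motivated by the fact that getcap and setcap are
# administrative operations that could be needed to recover a system
# (i.e. they must be reachable even if /usr is not mounted).

# Library directory name ("lib" or "lib64"). Unless given explicitly
# ("make lib=lib64 ..."), it is derived from the path of the dynamic
# loader that ldd reports for the build host's linker.
#
# NOTE: this probes the *build host*, not a cross-compilation target, so
# cross builds should set lib= on the command line.
#
# Assigned with ':=' so the ldd pipeline runs once at parse time rather
# than on every expansion of $(LIBDIR) (the result cannot change during
# a build anyway).
ifndef lib
lib:=$(shell ldd /usr/bin/ld|grep -E "ld-linux|ld.so"|cut -d/ -f2)
endif

# Name of the sbin directory, joined under $(exec_prefix) below.
ifndef sbin
sbin=sbin
endif

# Autoconf-style override. NOTE(review): the value is still joined as
# $(exec_prefix)/$(sbin), so it is expected to be a relative name such
# as "sbin" rather than an absolute path - confirm against the
# packaging that sets it.
ifdef sbindir
sbin=$(sbindir)
endif

# With $(prefix) set, everything (binaries, libraries, headers) lives
# under it. Without it, libraries and sbin tools go to the root
# filesystem (exec_prefix is empty) while headers and man pages go
# under /usr.
ifdef prefix
exec_prefix=$(prefix)
lib_prefix=$(exec_prefix)
inc_prefix=$(lib_prefix)
man_prefix=$(prefix)/share
else
prefix=/usr
exec_prefix=
lib_prefix=$(exec_prefix)
inc_prefix=$(prefix)
man_prefix=$(prefix)/share
endif

# Target directories (all relative to $(FAKEROOT) at install time)

MANDIR=$(man_prefix)/man
SBINDIR=$(exec_prefix)/$(sbin)
INCDIR=$(inc_prefix)/include
LIBDIR=$(lib_prefix)/$(lib)
PKGCONFIGDIR=$(LIBDIR)/pkgconfig
GOPKGDIR=$(prefix)/share/gocode/src

# From here on out, the Go module packages should always remain
# backwardly compatible. I will only resort to using major version 2
# etc if Go's syntax dramatically changes in a backwards incompatible
# manner. (Let's hope not. If that happens, I'll also drop deprecated
# API functions.)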
# Major version of the Go modules shipped from this tree (see the
# compatibility note above).
GOMAJOR=1

# Compilation specifics

# In-tree copies of the kernel UAPI capability headers, searched before
# the system headers so the build does not depend on the host kernel's
# header version.
KERNEL_HEADERS := $(topdir)/libcap/include/uapi
LIBCAP_INCLUDES = -I$(KERNEL_HEADERS) -I$(topdir)/libcap/include
# Large-file support: 64-bit off_t even on 32-bit targets.
DEFINES := -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
# Host system header root. NOTE(review): what consumes this is not
# visible in this file - presumably install/validation targets; confirm
# before relying on it.
SYSTEM_HEADERS = /usr/include

# Privilege-escalation helper. Presumably used only by targets that need
# root (e.g. setting file capabilities on install); override with
# "make SUDO= ..." to run them unprivileged - check the per-directory
# Makefiles for the exact uses.
SUDO := sudo
# Target toolchain. CROSS_COMPILE is a tool-name prefix
# (e.g. aarch64-linux-gnu-) applied to every tool below.
CC := $(CROSS_COMPILE)gcc
# Shared-object link driver; -Wl,-x discards local symbols from the
# resulting .so.
LD := $(CC) -Wl,-x -shared
AR := $(CROSS_COMPILE)ar
RANLIB := $(CROSS_COMPILE)ranlib
OBJCOPY := $(CROSS_COMPILE)objcopy

# Reference:
# CPPFLAGS used for building .o files from .c & .h files
# CFLAGS used when building libraries from .o, .c and .h files
#
# Security note: no hardening flags (-fstack-protector*,
# -D_FORTIFY_SOURCE, -Wl,-z,relro,-z,now, PIE) are set here. Because
# this tree produces setcap/getcap and the pam_cap.so PAM module,
# packagers are expected to inject their hardening policy through
# COPTS / CFLAGS / LDFLAGS (all of which honour the environment and the
# command line via the '?=' assignments below).

DEBUG = # -g -DDEBUG
WARNINGS=-Wall -Wwrite-strings -Wpointer-arith -Wcast-qual -Wcast-align \
	-Wstrict-prototypes -Wmissing-prototypes -Wnested-externs \
	-Winline -Wshadow -Wunreachable-code
# Optimisation level; overridable from the environment or command line.
COPTS ?= -O2
# An externally supplied CFLAGS replaces the default entirely. The
# warnings are then appended with '+=' - note that a *command-line*
# CFLAGS= overrides this append (no 'override' is used), so such builds
# compile without $(WARNINGS).
CFLAGS ?= $(COPTS) $(DEBUG)
CFLAGS += $(WARNINGS)
CPPFLAGS += -Dlinux $(DEFINES) $(LIBCAP_INCLUDES)
LDFLAGS ?= # -g

# Build-host toolchain, for helper programs that run during the build
# itself. Defaults to the target toolchain, which is correct when not
# cross-compiling; cross builds should set BUILD_CC (and friends) to
# host-native tools. Unlike the target side, warnings and debug flags
# are carried in BUILD_CPPFLAGS here rather than in BUILD_CFLAGS.
BUILD_CC ?= $(CC)
BUILD_LD ?= $(BUILD_CC) -Wl,-x -shared
BUILD_COPTS ?= $(COPTS)
BUILD_CFLAGS ?= $(BUILD_COPTS)
BUILD_CPPFLAGS += -Dlinux $(WARNINGS) $(DEBUG) $(DEFINES) $(LIBCAP_INCLUDES)
BUILD_LDFLAGS ?= $(LDFLAGS)
# Host text tools used by generator scripts/recipes.
BUILD_SED ?= sed
BUILD_GREP ?= grep
BUILD_EGREP ?= $(BUILD_GREP) -E
BUILD_FGREP ?= $(BUILD_GREP) -F

# Plan to eventually redefine BUILD_GPERF to be the actual gperf tool
# alias as per above. Typical distributions are upto a year behind
# HEAD so we'll not do that before 2023-01-01.
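# BUILD_GPERF used to select the gperf tool. It is now reserved, and a
# stale setting is rejected outright rather than silently ignored, so an
# old build script cannot change what gets generated without noticing.
ifdef BUILD_GPERF
$(error BUILD_GPERF is now reserved, please use USE_GPERF=yes or no instead)
endif

# Use gperf for generated lookup tables when it is found on the build
# host; pass USE_GPERF=yes/no to decide explicitly.
USE_GPERF ?= $(shell which gperf >/dev/null 2>/dev/null && echo yes)

# Link flags for in-tree consumers of libcap and libpsx. libpsx
# interposes on pthread_create through the linker's --wrap mechanism,
# which is why every libpsx user must link with PSXLINKFLAGS.
LIBCAPLIB := -L$(topdir)/libcap -lcap
PSXLINKFLAGS := -lpthread -Wl,-wrap,pthread_create
LIBPSXLIB := -L$(topdir)/libcap -lpsx $(PSXLINKFLAGS)

# Public header installed for C consumers.
INCS=$(topdir)/libcap/include/sys/capability.h
# Optional pretty-printer for generated C; empty when indent is absent.
INDENT := $(shell if [ -n "$$(which indent 2>/dev/null)" ]; then echo "| indent -kr" ; fi)

# SHARED tracks whether or not the SHARED libraries (libcap.so,
# libpsx.so and pam_cap.so) are built. (Some environments don't
# support shared libraries.)
SHARED ?= yes
# DYNAMIC controls how capsh etc are linked - to shared or static libraries
# Force enabled with "make DYNAMIC=yes ...".
# Default: static (no) inside a git checkout, otherwise follow SHARED.
DYNAMIC := $(shell if [ ! -d "$(topdir)/.git" ]; then echo $(SHARED); else echo no ; fi)

# Build pam_cap.so when the PAM development header is present (and
# shared libraries are enabled). NOTE: this looks at the *build host's*
# /usr/include, so cross builds should pass PAM_CAP=yes/no explicitly.
PAM_CAP ?= $(shell if [ -f /usr/include/security/pam_modules.h ]; then echo $(SHARED) ; else echo no ; fi)

# If your system does not support pthreads, override this as "no".
#
# make PTHREADS=no ...
#
# This implies no Go support and no C/C++ libpsx build. Why might you
# need libpsx for non-Go use? Tl;dr for POSIX semantics security:
#
# https://sites.google.com/site/fullycapable/who-ordered-libpsx
#
PTHREADS ?= yes

ifeq ($(PTHREADS),yes)
GO ?= go
# Go support is enabled only if $(GO) actually runs.
GOLANG ?= $(shell if [ -n "$(shell $(GO) version 2>/dev/null)" ]; then echo yes ; else echo no ; fi)
ifeq ($(GOLANG),yes)
GOROOT ?= $(shell $(GO) env GOROOT)
GOCGO ?= $(shell if [ "$(shell $(GO) env CGO_ENABLED)" = 1 ]; then echo yes ; else echo no ; fi)
GOOSARCH ?= $(shell $(GO) env GOHOSTOS)_$(shell $(GO) env GOHOSTARCH)
# Helper script decides whether this Go version still needs cgo for psx.
CGO_REQUIRED := $(shell $(topdir)/go/cgo-required.sh $(GO))
ifeq ($(CGO_REQUIRED),1)
# Strictly speaking go1.15 doesn't need this, but 1.16 is when the
# real golang support arrives for non-cgo support, so drop the last
# vestige of legacy workarounds then.
#
# Security note: the Go toolchain only passes cgo linker flags that
# match its built-in allowlist (this is what stops a package's #cgo
# directives from injecting arbitrary linker options). libpsx needs
# -Wl,-wrap,pthread_create (see PSXLINKFLAGS above), so the allowlist
# is widened by exactly that shape - "-Wl,-wrap,SYM" / "-Wl,--wrap=SYM"
# with a symbol that cannot start with '-', '.' or '@' - and nothing
# else. Keep this regex tight; do not relax it to a catch-all.
CGO_LDFLAGS_ALLOW := CGO_LDFLAGS_ALLOW="-Wl,-?-wrap[=,][^-.@][^,]*"
endif
# Point cgo at the in-tree headers and the freshly built libcap/libpsx.
CGO_CFLAGS := $(LIBCAP_INCLUDES)
CGO_LDFLAGS := -L$(topdir)/libcap
GO_BUILD_FLAGS :=
endif
endif

# If you want capsh to launch with something other than /bin/bash
# build like this:
#
# make CAPSH_SHELL='-DSHELL=\"/bin/sh\"'
#
# or undefine the following:
#CAPSH_SHELL := '-DSHELL="/bin/sh"'

# When installing setcap, you can arrange for the installation process
# to set its inheritable bit to be able to place capabilities on files.
# It can be used in conjunction with pam_cap (associated with su and
# certain users say) to make it useful for specially blessed users.
#
# make RAISE_SETFCAP=yes install
#
# This is now defaulted to no because some distributions started
# shipping with all users blessed with full inheritable sets which
# makes no sense whatsoever!
#
# Indeed, it looked alarmingly like these distributions were recreating
# the environment for what became known as the sendmail-capabilities
# bug from 2000:
#
# https://sites.google.com/site/fullycapable/Home/thesendmailcapabilitiesissue
#
# they are also nullifying the difference between a p-bit and an i-bit.
#
# Folk really should read this document, which explains there is a really
# important difference being lost here:
#
# https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/33528.pdf
#
# In the context of this tree, on such systems, a yes setting will
# guarantee that every user, by default, is able to bless any binary with
# any capability - a ready made local exploit mechanism. Leave this at
# "no" unless you have verified that the installed system does not hand
# out a full inheritable set to ordinary users.
RAISE_SETFCAP := no

# If set to yes, this will cause the go "web" demo app to force the needed p
# bit to be able to bind to port 80 without running as root.
# Like RAISE_SETFCAP, this grants a file capability at install time and is
# off by default; only enable it for the demo on a machine you control.
RAISE_GO_FILECAP := no

# Global cleanup stuff

LOCALCLEAN=rm -f *~ core
# Use find -exec rather than "find | xargs rm" so paths containing
# whitespace or shell metacharacters are handled correctly and an empty
# match does not invoke rm with no operands at all.
DISTCLEAN=@find . \( -name '*.orig' -o -name '*.rej' \) -exec rm -f {} +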