1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
|
#
## Optional prefixes:
#
# common 'packaging' directory
FAKEROOT=$(DESTDIR)
# Autoconf-style prefixes are activated when $(prefix) is defined.
# Otherwise binaries and libraries are installed in /{lib,sbin}/,
# header files in /usr/include/ and documentation in /usr/man/man?/.
# These choices are motivated by the fact that getcap and setcap are
# administrative operations that could be needed to recover a system.
ifndef lib
lib=$(shell ldd /usr/bin/ld|egrep "ld-linux|ld.so"|cut -d/ -f2)
endif
ifdef prefix
exec_prefix=$(prefix)
lib_prefix=$(exec_prefix)
inc_prefix=$(lib_prefix)
man_prefix=$(prefix)/share
else
prefix=/usr
exec_prefix=
lib_prefix=$(exec_prefix)
inc_prefix=$(prefix)
man_prefix=$(prefix)/share
endif
# Target directories
MANDIR=$(man_prefix)/man
SBINDIR=$(exec_prefix)/sbin
INCDIR=$(inc_prefix)/include
LIBDIR=$(lib_prefix)/$(lib)
PKGCONFIGDIR=$(LIBDIR)/pkgconfig
GOPKGDIR=$(prefix)/share/gocode/src
# common defines for libcap
LIBTITLE=libcap
VERSION=2
MINOR=33
#
# Compilation specifics
KERNEL_HEADERS := $(topdir)/libcap/include/uapi
IPATH += -fPIC -I$(KERNEL_HEADERS) -I$(topdir)/libcap/include
CC := gcc # -std=c99
CFLAGS := -O2 -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
BUILD_CC := $(CC)
BUILD_CFLAGS := $(CFLAGS) $(IPATH)
AR := ar
RANLIB := ranlib
DEBUG = -g #-DDEBUG
WARNINGS=-Wall -Wwrite-strings \
-Wpointer-arith -Wcast-qual -Wcast-align \
-Wstrict-prototypes -Wmissing-prototypes \
-Wnested-externs -Winline -Wshadow
LD=$(CC) -Wl,-x -shared
LDFLAGS := #-g
LIBCAPLIB := -L$(topdir)/libcap -lcap
LIBPSXLIB := -L$(topdir)/libcap -lpsx -lpthread
BUILD_GPERF := $(shell which gperf >/dev/null 2>/dev/null && echo yes)
SYSTEM_HEADERS = /usr/include
INCS=$(topdir)/libcap/include/sys/capability.h
LDFLAGS += -L$(topdir)/libcap
CFLAGS += -Dlinux $(WARNINGS) $(DEBUG)
PAM_CAP := $(shell if [ -f /usr/include/security/pam_modules.h ]; then echo yes ; else echo no ; fi)
INDENT := $(shell if [ -n "$$(which indent 2>/dev/null)" ]; then echo "| indent -kr" ; fi)
DYNAMIC := $(shell if [ ! -d "$(topdir)/.git" ]; then echo yes; fi)
GOLANG := $(shell if [ -n "$(shell go version 2>/dev/null)" ]; then echo yes ; else echo no ; fi)
ifeq ($(GOLANG),yes)
GOROOT := $(shell go env GOROOT)
GOCGO := $(shell if [ "$(shell go env CGO_ENABLED)" = 1 ]; then echo yes ; else echo no ; fi)
GOOSARCH := $(shell go env GOHOSTOS)_$(shell go env GOHOSTARCH)
CGO_CFLAGS := -I$(topdir)/libcap/include
CGO_LDFLAGS := -L$(topdir)/libcap
CGO_LDFLAGS_ALLOW := -Wl,-wrap,.+
CGO_REQUIRED=$(shell $(topdir)/go/cgo-required.sh)
endif
# When installing setcap, you can arrange for the installation process
# to set its inheritable bit to be able to place capabilities on files.
# It can be used in conjunction with pam_cap (associated with su and
# certain users say) to make it useful for specially blessed users.
#
# make RAISE_SETFCAP=yes install
#
# This is now defaulted to no because some distributions have started
# shipping with all users blessed with full inheritable sets which makes
# no sense whatsoever!
#
# Indeed, it looks alarmingly like these distributions are recreating
# the environment for what became known as the sendmail-capabilities
# bug from 2000:
#
# https://sites.google.com/site/fullycapable/Home/thesendmailcapabilitiesissue
#
# they are also nullifying the difference between a p-bit and an i-bit.
#
# Folk really should read this document, which explains there is a really
# important difference being lost here:
#
# https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/33528.pdf
#
# In the context of this tree, on such such systems, a yes setting will
# guarantee that every user, by default, is able to bless any binary with
# any capability - a ready made local exploit machanism.
RAISE_SETFCAP := no
# If set to yes, this will cause the go "web" demo app to force the needed p
# bit to be able to bind to port 80 without running as root.
RAISE_GO_FILECAP := no
# Global cleanup stuff
LOCALCLEAN=rm -f *~ core
DISTCLEAN=@find . \( -name '*.orig' -o -name '*.rej' \) | xargs rm -f
|
