1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
|
# Common version number defines for libcap
LIBTITLE=libcap
VERSION=2
MINOR=45
#
## Optional prefixes:
#
# common 'packaging' directory
FAKEROOT=$(DESTDIR)
# Autoconf-style prefixes are activated when $(prefix) is defined.
# Otherwise binaries and libraries are installed in /{lib,sbin}/,
# header files in /usr/include/ and documentation in /usr/man/man?/.
# These choices are motivated by the fact that getcap and setcap are
# administrative operations that could be needed to recover a system.
ifndef lib
lib=$(shell ldd /usr/bin/ld|egrep "ld-linux|ld.so"|cut -d/ -f2)
endif
ifdef prefix
exec_prefix=$(prefix)
lib_prefix=$(exec_prefix)
inc_prefix=$(lib_prefix)
man_prefix=$(prefix)/share
else
prefix=/usr
exec_prefix=
lib_prefix=$(exec_prefix)
inc_prefix=$(prefix)
man_prefix=$(prefix)/share
endif
# Target directories
MANDIR=$(man_prefix)/man
SBINDIR=$(exec_prefix)/sbin
INCDIR=$(inc_prefix)/include
LIBDIR=$(lib_prefix)/$(lib)
PKGCONFIGDIR=$(LIBDIR)/pkgconfig
GOPKGDIR=$(prefix)/share/gocode/src
# Go modules have their own semantics. I plan to leave this value at 0
# and keep it there. The Go packages should always remain backwardly
# compatible, but I may have to up it if Go's syntax changes in a
# backwards incompatible manner. (Let's hope not.)
GOMAJOR=0
# Compilation specifics
KERNEL_HEADERS := $(topdir)/libcap/include/uapi
IPATH += -fPIC -I$(KERNEL_HEADERS) -I$(topdir)/libcap/include
CC := $(CROSS_COMPILE)gcc
DEFINES := -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
COPTS ?= -O2
CFLAGS ?= $(COPTS) $(DEFINES)
BUILD_CC ?= $(CC)
BUILD_COPTS ?= -O2
BUILD_CFLAGS ?= $(BUILD_COPTS) $(DEFINES) $(IPATH)
AR := $(CROSS_COMPILE)ar
RANLIB := $(CROSS_COMPILE)ranlib
DEBUG = -g #-DDEBUG
WARNINGS=-Wall -Wwrite-strings \
-Wpointer-arith -Wcast-qual -Wcast-align \
-Wstrict-prototypes -Wmissing-prototypes \
-Wnested-externs -Winline -Wshadow
LD=$(CC) -Wl,-x -shared
LDFLAGS ?= #-g
LIBCAPLIB := -L$(topdir)/libcap -lcap
PSXLINKFLAGS := -lpthread -Wl,-wrap,pthread_create
LIBPSXLIB := -L$(topdir)/libcap -lpsx $(PSXLINKFLAGS)
BUILD_GPERF := $(shell which gperf >/dev/null 2>/dev/null && echo yes)
SYSTEM_HEADERS = /usr/include
INCS=$(topdir)/libcap/include/sys/capability.h
LDFLAGS += -L$(topdir)/libcap
CFLAGS += -Dlinux $(WARNINGS) $(DEBUG)
INDENT := $(shell if [ -n "$$(which indent 2>/dev/null)" ]; then echo "| indent -kr" ; fi)
# SHARED tracks whether or not the SHARED libraries (libcap.so,
# libpsx.so and pam_cap.so) are built. (Some environments don't
# support shared libraries.)
SHARED ?= yes
# DYNAMIC controls how capsh etc are linked - to shared or static libraries
DYNAMIC := $(shell if [ ! -d "$(topdir)/.git" ]; then echo $(SHARED); else echo no ; fi)
PAM_CAP ?= $(shell if [ -f /usr/include/security/pam_modules.h ]; then echo $(SHARED) ; else echo no ; fi)
# If your system does not support pthreads, override this as "no".
#
# make PTHREADS=no ...
#
# This implies no Go support and no C/C++ libpsx build. Why might you
# need libpsx for non-Go use? Tl;dr for POSIX semantics security:
#
# https://sites.google.com/site/fullycapable/who-ordered-libpsx
#
PTHREADS ?= yes
ifeq ($(PTHREADS),yes)
GO := go
GOLANG := $(shell if [ -n "$(shell $(GO) version 2>/dev/null)" ]; then echo yes ; else echo no ; fi)
ifeq ($(GOLANG),yes)
GOROOT := $(shell $(GO) env GOROOT)
GOCGO := $(shell if [ "$(shell $(GO) env CGO_ENABLED)" = 1 ]; then echo yes ; else echo no ; fi)
GOOSARCH := $(shell $(GO) env GOHOSTOS)_$(shell $(GO) env GOHOSTARCH)
CGO_CFLAGS := -I$(topdir)/libcap/include
CGO_LDFLAGS := -L$(topdir)/libcap
CGO_LDFLAGS_ALLOW := -Wl,-?-wrap[=,][^-.@][^,]*
CGO_REQUIRED=$(shell $(topdir)/go/cgo-required.sh)
ifeq ($(CGO_REQUIRED),0)
# Hopefully this will not be needed at some point.
GOBUILDTAG=-tags allthreadssyscall
endif
endif
endif
# If you want capsh to launch with something other than /bin/bash
# build like this:
#
# make CAPSH_SHELL='-DSHELL=\"/bin/sh\"'
#
# or undefine the following:
#CAPSH_SHELL := '-DSHELL="/bin/sh"'
# When installing setcap, you can arrange for the installation process
# to set its inheritable bit to be able to place capabilities on files.
# It can be used in conjunction with pam_cap (associated with su and
# certain users say) to make it useful for specially blessed users.
#
# make RAISE_SETFCAP=yes install
#
# This is now defaulted to no because some distributions have started
# shipping with all users blessed with full inheritable sets which makes
# no sense whatsoever!
#
# Indeed, it looks alarmingly like these distributions are recreating
# the environment for what became known as the sendmail-capabilities
# bug from 2000:
#
# https://sites.google.com/site/fullycapable/Home/thesendmailcapabilitiesissue
#
# they are also nullifying the difference between a p-bit and an i-bit.
#
# Folk really should read this document, which explains there is a really
# important difference being lost here:
#
# https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/33528.pdf
#
# In the context of this tree, on such such systems, a yes setting will
# guarantee that every user, by default, is able to bless any binary with
# any capability - a ready made local exploit machanism.
RAISE_SETFCAP := no
# If set to yes, this will cause the go "web" demo app to force the needed p
# bit to be able to bind to port 80 without running as root.
RAISE_GO_FILECAP := no
# Global cleanup stuff
LOCALCLEAN=rm -f *~ core
DISTCLEAN=@find . \( -name '*.orig' -o -name '*.rej' \) | xargs rm -f
|