From 42211b24f45dbfdae9f2d421173847d523ed4acb Mon Sep 17 00:00:00 2001 From: "Demi M. Obenour" Date: Fri, 1 Feb 2019 10:52:11 -0500 Subject: [PATCH 1/2] Add more generated files to .gitignore --- .gitignore | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.gitignore b/.gitignore index 3d9a4ba1..9859d367 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,21 @@ qrexec/**/__pycache__ pkgs/ .mypy_cache/ .coverage +*.o +.*.sw[op] +/agent/qrexec-fork-server +/agent/qrexec-client-vm +/agent/qrexec-agent +/daemon/qrexec-client +/daemon/qrexec-daemon +/agent/qrexec-client-vm.1.gz +/qrexec.egg-info +*.patch +*.diff +*.orig +*.rej +*.so.[0-9] +*.so +*.o.dep +*~ +\#*# From b883dcb27e14d28ca09f516c25ad304a49fbeb9b Mon Sep 17 00:00:00 2001 From: "Demi M. Obenour" Date: Wed, 1 Jan 2020 22:03:43 -0500 Subject: [PATCH 2/2] Makefile improvements The makefiles now accurately track header dependencies, and do not try to build non-existent documentation. They also propogate parallelism to sub-makes correctly. This also makes building possible from a fresh checkout, without depending on the entire Qubes build system, and hardens against stack-clash attacks. Finally, some changes to the C source code were needed to allow modern C code to work in strict C11 mode. --- Documentation/Makefile | 2 +- Makefile | 30 ++++++++++++++++--------- agent/Makefile | 50 +++++++++++++++++++++++++++++++----------- daemon/Makefile | 31 +++++++++++++++----------- daemon/qrexec-client.c | 1 + libqrexec/Makefile | 42 ++++++++++++++++++++++------------- 6 files changed, 104 insertions(+), 52 deletions(-) diff --git a/Documentation/Makefile b/Documentation/Makefile index 5f692406..b064d0e0 100644 --- a/Documentation/Makefile +++ b/Documentation/Makefile 
@@ -17,4 +17,4 @@ help: # Catch-all target: route all unknown targets to Sphinx using the new # "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS). %: Makefile - @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) \ No newline at end of file + @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) diff --git a/Makefile b/Makefile index c1f22a6c..0c6f0cf9 100644 --- a/Makefile +++ b/Makefile @@ -1,17 +1,25 @@ +MAKEFLAGS=-r +CC ?= gcc PYTHON ?= python3 +export PYTHON GCC MAKEFLAGS help: : .PHONY: help +clean: + +$(MAKE) -C libqrexec clean + +$(MAKE) -C daemon clean + +$(MAKE) -C agent clean +.PHONY: clean all-base: - make all -C libqrexec + +$(MAKE) all -C libqrexec $(PYTHON) setup.py build .PHONY: all-base install-base: - make install -C libqrexec + +$(MAKE) install -C libqrexec $(PYTHON) setup.py install -O1 $(PYTHON_PREFIX_ARG) --skip-build --root $(DESTDIR) ln -s qrexec-policy-exec $(DESTDIR)/usr/bin/qrexec-policy install -d $(DESTDIR)/usr/lib/qubes -m 755 @@ -19,12 +27,12 @@ install-base: .PHONY: install-base -all-dom0: - $(MAKE) all -C daemon +all-dom0: all-base + +$(MAKE) all -C daemon .PHONY: all-dom0 -install-dom0: - $(MAKE) install -C daemon +install-dom0: all-dom0 + +$(MAKE) install -C daemon install -d $(DESTDIR)/etc/qubes-rpc -m 755 install -t $(DESTDIR)/etc/qubes-rpc -m 755 qubes-rpc-dom0/* install -d $(DESTDIR)/etc/qubes-rpc/policy -m 775 @@ -41,12 +49,12 @@ install-dom0: .PHONY: install-dom0 -all-vm: - $(MAKE) all -C agent +all-vm: all-base + +$(MAKE) all -C agent .PHONY: all-vm -install-vm: - $(MAKE) install -C agent +install-vm: all-vm + +$(MAKE) install -C agent install -d $(DESTDIR)/lib/systemd/system -m 755 install -t $(DESTDIR)/lib/systemd/system -m 644 systemd/* install -m 0644 -D qubes-rpc-config/README $(DESTDIR)/etc/qubes/rpc-config/README @@ -54,3 +62,5 @@ install-vm: # install -t $(DESTDIR)/etc/qubes-rpc -m 755 qubes-rpc/* .PHONY: install-vm +all: all-vm all-dom0 +.PHONY: all 
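Review bot: In the first hunk of the top-level Makefile, `export PYTHON GCC MAKEFLAGS` names `GCC`, which nothing in the visible hunks defines, while the variable set two lines earlier is `CC`. As written, the `CC ?= gcc` value is not exported to the sub-makes; if the intent was to pass the compiler down, the line should read `export PYTHON CC MAKEFLAGS`. libqrexec/Makefile assigns `CC=gcc` unconditionally, so an exported value would still be overridden there unless that line becomes `CC ?= gcc`, as in agent/ and daemon/.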
diff --git a/agent/Makefile b/agent/Makefile index 5a1f02a1..313f8f5f 100644 --- a/agent/Makefile +++ b/agent/Makefile @@ -1,22 +1,38 @@ +MAKEFLAGS=-r CC ?= gcc -CFLAGS += -I. -g -O2 -Wall -Wextra -Werror -pie -fPIC `pkg-config --cflags vchan-$(BACKEND_VMM)` -CFLAGS += -I../libqrexec -LDFLAGS += -pie -LDLIBS = -L../libqrexec -LDLIBS += `pkg-config --libs vchan-$(BACKEND_VMM)` -lqrexec-utils -lpam PANDOC ?= pandoc +BACKEND_VMM ?= xen +DESTDIR ?= / +.SUFFIXES: +override os := $(shell lsb_release -is) +override QUBES_CFLAGS := -I. -I../libqrexec -g -O2 -Wall -Wextra -Werror \ + $(shell pkg-config --cflags vchan-$(BACKEND_VMM)) -fstack-protector \ + -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fPIC -std=c11 -D_POSIX_C_SOURCE=200809L \ + -D_DEFAULT_SOURCE $(CFLAGS) +override LDFLAGS += -pie -Wl,-z,relro,-z,now -L../libqrexec +override LDLIBS=-lqrexec-utils $(shell pkg-config --libs vchan-$(BACKEND_VMM)) -lpam + +.PHONY: all clean install + +override remove_generated := \ + rm -f -- *.o *~ qrexec-agent qrexec-client-vm *.o.dep all: qrexec-agent qrexec-client-vm qrexec-fork-server qrexec-client-vm.1.gz +.PHONY: all clean install .PHONY qrexec-agent: qrexec-agent.o qrexec-agent-data.o qrexec-fork-server: qrexec-fork-server.o qrexec-agent-data.o qrexec-client-vm: qrexec-client-vm.o qrexec-agent-data.o clean: - rm -f *.o *~ qrexec-agent qrexec-client-vm +ifeq ($(BUILDDIR),) + $(remove_generated) +else + cd -P -- $(BUILDDIR) && $(remove_generated) +endif -install: - install -d $(DESTDIR)/etc/qubes-rpc - install -d $(DESTDIR)/usr/lib/qubes $(DESTDIR)/usr/bin - install -d $(DESTDIR)/usr/share/man/man1 + +install: all + install -d $(DESTDIR)/etc/qubes-rpc $(DESTDIR)/usr/lib/qubes \ + $(DESTDIR)/usr/bin $(DESTDIR)/usr/share/man/man1 install qrexec-agent $(DESTDIR)/usr/lib/qubes install qrexec-client-vm $(DESTDIR)/usr/bin install -d $(DESTDIR)/usr/share/man/man1 
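Review bot: The flags added to `QUBES_CFLAGS` in this hunk contain no stack-clash mitigation, although the commit message says the change hardens against stack-clash attacks. `-fstack-protector-strong` places canaries that catch linear overwrites towards the return address; it does not probe the guard page when a large frame or `alloca` moves the stack pointer. The compiler option for that is `-fstack-clash-protection` (GCC 8 and later), so either add it, e.g. `-fstack-protector-strong -fstack-clash-protection`, or reword the message to describe what the flags actually provide. The plain `-fstack-protector` placed before `-fstack-protector-strong` is redundant and can be dropped. The same flag set is repeated in daemon/Makefile and libqrexec/Makefile.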
@@ -24,11 +40,11 @@ install: ln -s ../../bin/qrexec-client-vm $(DESTDIR)/usr/lib/qubes/qrexec-client-vm ln -s ../../bin/qrexec-client-vm $(DESTDIR)/usr/lib/qubes/qrexec_client_vm install qrexec-fork-server $(DESTDIR)/usr/bin -ifeq ($(shell lsb_release -is), Debian) +ifeq ($(os), Debian) install -D -m 0644 qrexec.pam.debian $(DESTDIR)/etc/pam.d/qrexec -else ifeq ($(shell lsb_release -is), Ubuntu) +else ifeq ($(os), Ubuntu) install -D -m 0644 qrexec.pam.debian $(DESTDIR)/etc/pam.d/qrexec -else ifeq ($(shell lsb_release -is), Arch) +else ifeq ($(os), Arch) install -D -m 0644 qrexec.pam.archlinux $(DESTDIR)/etc/pam.d/qrexec else install -D -m 0644 qrexec.pam $(DESTDIR)/etc/pam.d/qrexec @@ -39,3 +55,11 @@ endif %.1.gz: %.1 gzip -f $< + +%: %.o + $(CC) $(LDFLAGS) -pie -g -o $@ $^ $(LDLIBS) + +%.o: %.c + $(CC) $< -c -o $@ $(QUBES_CFLAGS) $(CFLAGS) -MD -MP -MF $@.dep + +-include *.o.dep diff --git a/daemon/Makefile b/daemon/Makefile index db8d9b04..09bf940d 100644 --- a/daemon/Makefile +++ b/daemon/Makefile 
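Review bot: In the last hunk of agent/Makefile, the `%.o: %.c` recipe passes `$(CFLAGS)` a second time, because `QUBES_CFLAGS` as defined at the top of this file already ends with `$(CFLAGS)`. libqrexec/Makefile has the same duplication, while daemon/Makefile does not. Suggest `$(CC) $< -c -o $@ $(QUBES_CFLAGS) -MD -MP -MF $@.dep` in all three, which also keeps one obvious place where caller-supplied flags are appended after the hardening flags. The `-pie` in the `%: %.o` link recipe is likewise already supplied by `LDFLAGS`. A comment above `-include *.o.dep`, such as `# header dependencies written by -MD -MP during compilation`, would document the idiom.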
@@ -1,24 +1,29 @@ -CC=gcc -CFLAGS+=-I. -g -O2 -Wall -Wextra -Werror -pie -fPIC `pkg-config --cflags vchan-$(BACKEND_VMM)` -CFLAGS += -I../libqrexec -LIBS = -L../libqrexec -LIBS=`pkg-config --libs vchan-$(BACKEND_VMM)` -lqrexec-utils +CC ?=gcc +override QUBES_CFLAGS:=-I../libqrexec -g -O2 -Wall -Wextra -Werror -pie -fPIC \ + $(shell pkg-config --cflags vchan-$(BACKEND_VMM)) -fstack-protector \ + -D_FORTIFY_SOURCE=2 -fstack-protector-strong -std=c11 -D_POSIX_C_SOURCE=200809L \ + -D_DEFAULT_SOURCE $(CFLAGS) +override LDFLAGS += -pie -Wl,-z,relro,-z,now -L../libqrexec +override LDLIBS=$(shell pkg-config --libs vchan-$(BACKEND_VMM)) -lqrexec-utils +MAKEFLAGS := -r +.SUFFIXES: all: qrexec-daemon qrexec-client clean: - rm -f *.o *~ qrexec-daemon qrexec-client -install: - install -d $(DESTDIR)/usr/sbin + rm -f *.o *~ qrexec-daemon qrexec-client *.o.dep +install: all + install -d $(DESTDIR)/usr/sbin $(DESTDIR)/usr/bin install -t $(DESTDIR)/usr/sbin -m 755 qrexec-daemon - install -d $(DESTDIR)/usr/bin install -t $(DESTDIR)/usr/bin -m 755 qrexec-client install -d $(DESTDIR)/usr/lib/qubes ln -s ../../bin/qrexec-client $(DESTDIR)/usr/lib/qubes/qrexec-client .PHONY: all clean install -qrexec-daemon: qrexec-daemon.o - $(CC) -pie -g -o qrexec-daemon qrexec-daemon.o $(LIBS) -qrexec-client: qrexec-client.o - $(CC) -pie -g -o qrexec-client qrexec-client.o $(LIBS) +%: %.o + $(CC) $(LDFLAGS) -pie -g -o $@ $< $(LDLIBS) +%.o: %.c + $(CC) $< -c -o $@ $(QUBES_CFLAGS) -MD -MP -MF $@.dep + +-include *.o.dep diff --git a/daemon/qrexec-client.c b/daemon/qrexec-client.c index ccf9314d..09c7cc47 100644 --- a/daemon/qrexec-client.c +++ b/daemon/qrexec-client.c @@ -24,6 +24,7 @@ #include #include #include +#include #include #include #include diff --git a/libqrexec/Makefile b/libqrexec/Makefile index 0a6749f9..fd318828 100644 --- a/libqrexec/Makefile +++ b/libqrexec/Makefile 
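Review bot: daemon/Makefile uses `$(BACKEND_VMM)` in both `$(shell pkg-config ...)` calls but, unlike agent/Makefile in this same commit, never gives it a default, and the visible hunks of the top-level Makefile do not export one. With the variable empty, `pkg-config --cflags vchan-` fails and `$(shell ...)` expands to nothing without stopping make, so the build continues without the vchan include and library flags and fails later with a less obvious error. Adding `BACKEND_VMM ?= xen` at the top, as agent/Makefile does, keeps the sub-makefiles consistent; libqrexec/Makefile needs the same line. Separately, `-pie` in `QUBES_CFLAGS` is a link-time option that `LDFLAGS` already carries, so the compile side only needs `-fPIC`.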
@@ -1,30 +1,42 @@ +CC=gcc +override QUBES_CFLAGS := -I. -I../libqrexec -g -O2 -Wall -Wextra -Werror \ + $(shell pkg-config --cflags vchan-$(BACKEND_VMM)) -fstack-protector \ + -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fPIC -std=c11 -D_POSIX_C_SOURCE=200809L \ + -D_DEFAULT_SOURCE $(CFLAGS) +override LDFLAGS += -pie -Wl,-z,relro,-z,now -shared + +override SO_VER=2 +override VCHANLIBS := $(shell pkg-config --libs vchan-$(BACKEND_VMM)) LIBDIR ?= /usr/lib INCLUDEDIR ?= /usr/include -CC=gcc -CFLAGS+=-I. -g -O2 -Wall -Wextra -Werror -pie -fPIC `pkg-config --cflags vchan-$(BACKEND_VMM)` -COMMONIOALL=ioall.o -SO_VER=2 -LDFLAGS+=-shared -VCHANLIBS = `pkg-config --libs vchan-$(BACKEND_VMM)` +_XENSTORE_H=$(shell ls /usr/include/xenstore.h 2>/dev/null) +ifneq "$(_XENSTORE_H)" "" +QUBES_CFLAGS += -DUSE_XENSTORE_H +endif -all: libqrexec-utils.so libqrexec-utils.so.$(SO_VER) + +all: libqrexec-utils.so libqrexec-utils.so.$(SO_VER): unix-server.o ioall.o buffer.o exec.o txrx-vchan.o write-stdin.o $(CC) $(LDFLAGS) -Wl,-soname,$@ -o $@ $^ $(VCHANLIBS) libqrexec-utils.so: libqrexec-utils.so.$(SO_VER) - ln -s libqrexec-utils.so.$(SO_VER) libqrexec-utils.so + ln -sf $@.$(SO_VER) $@ %.a: $(AR) rcs $@ $^ clean: - rm -f *.o *~ *.a *.so.* + rm -f *.o *~ *.a *.so.* *.o.dep install: - mkdir -p $(DESTDIR)$(LIBDIR) - cp libqrexec-utils.so.$(SO_VER) $(DESTDIR)$(LIBDIR) - ln -s libqrexec-utils.so.$(SO_VER) $(DESTDIR)$(LIBDIR)/libqrexec-utils.so - mkdir -p $(DESTDIR)$(INCLUDEDIR) - cp libqrexec-utils.h $(DESTDIR)$(INCLUDEDIR) - cp qrexec.h $(DESTDIR)$(INCLUDEDIR) + install -d -m 0755 $(DESTDIR)$(LIBDIR) + install libqrexec-utils.so.$(SO_VER) $(DESTDIR)$(LIBDIR) + ln -sf libqrexec-utils.so.$(SO_VER) $(DESTDIR)$(LIBDIR)/libqrexec-utils.so + install -d -m 0755 $(DESTDIR)$(INCLUDEDIR) + install -m 0644 libqrexec-utils.h $(DESTDIR)$(INCLUDEDIR) + install -m 0644 qrexec.h $(DESTDIR)$(INCLUDEDIR) + +%.o: %.c + $(CC) $< -c -o $@ $(QUBES_CFLAGS) $(CFLAGS) -MD -MP -MF $@.dep +-include *.o.dep
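Review bot: The added `QUBES_CFLAGS += -DUSE_XENSTORE_H` inside the `ifneq` has no effect, because `QUBES_CFLAGS` is defined a few lines earlier with `override`, and GNU make ignores later assignments or appends to such a variable unless they are also marked `override`. `USE_XENSTORE_H` is therefore never defined, even when the header exists; the line should be `override QUBES_CFLAGS += -DUSE_XENSTORE_H`. The probe itself can avoid a shell with `ifneq "$(wildcard /usr/include/xenstore.h)" ""`. `override LDFLAGS` also combines `-pie` with `-shared` for a shared object; the two request different output types, so `-pie` should probably be dropped here.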