Make.Rules

#
## Optional prefixes:
#

# common 'packaging' directory

FAKEROOT=$(DESTDIR)

# Autoconf-style prefixes are activated when $(prefix) is defined.
# Otherwise binaries and libraries are installed in /{lib,sbin}/,
# header files in /usr/include/ and documentation in /usr/man/man?/.
# These choices are motivated by the fact that getcap and setcap are
# administrative operations that could be needed to recover a system.

ifndef lib
lib=$(shell ldd /usr/bin/ld|egrep "ld-linux|ld.so"|cut -d/ -f2)
endif

ifdef prefix
exec_prefix=$(prefix)
lib_prefix=$(exec_prefix)
inc_prefix=$(lib_prefix)
man_prefix=$(prefix)/share
else
prefix=/usr
exec_prefix=
lib_prefix=$(exec_prefix)
inc_prefix=$(prefix)
man_prefix=$(prefix)/share
endif

# Target directories

MANDIR=$(man_prefix)/man
SBINDIR=$(exec_prefix)/sbin
INCDIR=$(inc_prefix)/include
LIBDIR=$(lib_prefix)/$(lib)
PKGCONFIGDIR=$(LIBDIR)/pkgconfig
GOPKGDIR=$(prefix)/share/gocode/src

# Common version number defines for libcap
LIBTITLE=libcap
VERSION=2
MINOR=41

# Go modules have their own semantics. I plan to leave this value at 0
# and keep it there. The Go packages should always remain backwardly
# compatible, but I may have to up it if Go's syntax changes in a
# backwards incompatible manner. (Let's hope not.)
GOMAJOR=0

# Compilation specifics

KERNEL_HEADERS := $(topdir)/libcap/include/uapi
IPATH += -fPIC -I$(KERNEL_HEADERS) -I$(topdir)/libcap/include

CC := $(CROSS_COMPILE)gcc
DEFINES := -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CFLAGS := -O2 $(DEFINES)
BUILD_CC := $(CC)
BUILD_CFLAGS := -O2 $(DEFINES) $(IPATH)
AR := $(CROSS_COMPILE)ar
RANLIB := $(CROSS_COMPILE)ranlib
DEBUG = -g #-DDEBUG
WARNINGS=-Wall -Wwrite-strings \
        -Wpointer-arith -Wcast-qual -Wcast-align \
        -Wstrict-prototypes -Wmissing-prototypes \
        -Wnested-externs -Winline -Wshadow
LD=$(CC) -Wl,-x -shared
LDFLAGS := #-g
LIBCAPLIB := -L$(topdir)/libcap -lcap
LIBPSXLIB := -L$(topdir)/libcap -lpsx -lpthread

BUILD_GPERF := $(shell which gperf >/dev/null 2>/dev/null && echo yes)

SYSTEM_HEADERS = /usr/include
INCS=$(topdir)/libcap/include/sys/capability.h
LDFLAGS += -L$(topdir)/libcap
CFLAGS += -Dlinux $(WARNINGS) $(DEBUG)
PAM_CAP := $(shell if [ -f /usr/include/security/pam_modules.h ]; then echo yes ; else echo no ; fi)
INDENT := $(shell if [ -n "$$(which indent 2>/dev/null)" ]; then echo "| indent -kr" ; fi)
DYNAMIC := $(shell if [ ! -d "$(topdir)/.git" ]; then echo yes; fi)

GO := go
GOLANG := $(shell if [ -n "$(shell $(GO) version 2>/dev/null)" ]; then echo yes ; else echo no ; fi)
ifeq ($(GOLANG),yes)
GOROOT := $(shell $(GO) env GOROOT)
GOCGO := $(shell if [ "$(shell $(GO) env CGO_ENABLED)" = 1 ]; then echo yes ; else echo no ; fi)
GOOSARCH := $(shell $(GO) env GOHOSTOS)_$(shell $(GO) env GOHOSTARCH)
CGO_CFLAGS := -I$(topdir)/libcap/include
CGO_LDFLAGS := -L$(topdir)/libcap
CGO_LDFLAGS_ALLOW := -Wl,-?-wrap[=,][^-.@][^,]*
CGO_REQUIRED=$(shell $(topdir)/go/cgo-required.sh)
ifeq ($(CGO_REQUIRED),0)
# Hopefully this will not be needed at some point.
GOBUILDTAG=-tags allthreadssyscall
endif
endif

# If you want capsh to launch with something other than /bin/bash
# build like this:
#
#   make CAPSH_SHELL='-DSHELL=\"/bin/sh\"'
#
# or undefine the following:
#CAPSH_SHELL := '-DSHELL="/bin/sh"'

# When installing setcap, you can arrange for the installation process
# to set its inheritable bit to be able to place capabilities on files.
# It can be used in conjunction with pam_cap (associated with su and
# certain users say) to make it useful for specially blessed users.
#
#    make RAISE_SETFCAP=yes install
#
# This is now defaulted to no because some distributions have started
# shipping with all users blessed with full inheritable sets which makes
# no sense whatsoever!
#
# Indeed, it looks alarmingly like these distributions are recreating
# the environment for what became known as the sendmail-capabilities
# bug from 2000:
#
#  https://sites.google.com/site/fullycapable/Home/thesendmailcapabilitiesissue
#
# they are also nullifying the difference between a p-bit and an i-bit.
#
# Folk really should read this document, which explains there is a really
# important difference being lost here:
#
#  https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/33528.pdf
#
# In the context of this tree, on such such systems, a yes setting will
# guarantee that every user, by default, is able to bless any binary with
# any capability - a ready made local exploit machanism.
RAISE_SETFCAP := no

# If set to yes, this will cause the go "web" demo app to force the needed p
# bit to be able to bind to port 80 without running as root.
RAISE_GO_FILECAP := no

# Global cleanup stuff

LOCALCLEAN=rm -f *~ core
DISTCLEAN=@find . \( -name '*.orig' -o -name '*.rej' \) | xargs rm -f