Make.Rules

# Common version number defines for libcap
LIBTITLE=libcap
VERSION=2
MINOR=48

#
## Optional prefixes:
#

# common 'packaging' directory

FAKEROOT=$(DESTDIR)

# Autoconf-style prefixes are activated when $(prefix) is defined.
# Otherwise binaries and libraries are installed in /{lib,sbin}/,
# header files in /usr/include/ and documentation in /usr/man/man?/.
# These choices are motivated by the fact that getcap and setcap are
# administrative operations that could be needed to recover a system.

ifndef lib
lib=$(shell ldd /usr/bin/ld|egrep "ld-linux|ld.so"|cut -d/ -f2)
endif

ifdef prefix
exec_prefix=$(prefix)
lib_prefix=$(exec_prefix)
inc_prefix=$(lib_prefix)
man_prefix=$(prefix)/share
else
prefix=/usr
exec_prefix=
lib_prefix=$(exec_prefix)
inc_prefix=$(prefix)
man_prefix=$(prefix)/share
endif

# Target directories

MANDIR=$(man_prefix)/man
SBINDIR=$(exec_prefix)/sbin
INCDIR=$(inc_prefix)/include
LIBDIR=$(lib_prefix)/$(lib)
PKGCONFIGDIR=$(LIBDIR)/pkgconfig
GOPKGDIR=$(prefix)/share/gocode/src

# Once go1.16 is released, I plan to set this value to 1 and keep it
# there. The Go packages should always remain backwardly compatible,
# but I may have to up it if Go's syntax dramatically changes in a
# backwards incompatible manner. (Let's hope not.)
GOMAJOR=0

# Compilation specifics

KERNEL_HEADERS := $(topdir)/libcap/include/uapi
IPATH += -fPIC -I$(KERNEL_HEADERS) -I$(topdir)/libcap/include

CC := $(CROSS_COMPILE)gcc
DEFINES := -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
COPTS ?= -O2
CFLAGS ?= $(COPTS) $(DEFINES)
BUILD_CC ?= $(CC)
BUILD_COPTS ?= -O2
BUILD_CFLAGS ?= $(BUILD_COPTS) $(DEFINES) $(IPATH)
AR := $(CROSS_COMPILE)ar
RANLIB := $(CROSS_COMPILE)ranlib
DEBUG = -g #-DDEBUG
WARNINGS=-Wall -Wwrite-strings \
        -Wpointer-arith -Wcast-qual -Wcast-align \
        -Wstrict-prototypes -Wmissing-prototypes \
        -Wnested-externs -Winline -Wshadow
LD=$(CC) -Wl,-x -shared
LDFLAGS ?= #-g
LIBCAPLIB := -L$(topdir)/libcap -lcap
PSXLINKFLAGS :=  -lpthread -Wl,-wrap,pthread_create
LIBPSXLIB := -L$(topdir)/libcap -lpsx $(PSXLINKFLAGS)

BUILD_GPERF := $(shell which gperf >/dev/null 2>/dev/null && echo yes)

SYSTEM_HEADERS = /usr/include
INCS=$(topdir)/libcap/include/sys/capability.h
LDFLAGS += -L$(topdir)/libcap
CFLAGS += -Dlinux $(WARNINGS) $(DEBUG)
INDENT := $(shell if [ -n "$$(which indent 2>/dev/null)" ]; then echo "| indent -kr" ; fi)

# SHARED tracks whether or not the SHARED libraries (libcap.so,
# libpsx.so and pam_cap.so) are built. (Some environments don't
# support shared libraries.)
SHARED ?= yes
# DYNAMIC controls how capsh etc are linked - to shared or static libraries
DYNAMIC := $(shell if [ ! -d "$(topdir)/.git" ]; then echo $(SHARED); else echo no ; fi)

PAM_CAP ?= $(shell if [ -f /usr/include/security/pam_modules.h ]; then echo $(SHARED) ; else echo no ; fi)

# If your system does not support pthreads, override this as "no".
#
#    make PTHREADS=no ...
#
# This implies no Go support and no C/C++ libpsx build. Why might you
# need libpsx for non-Go use? Tl;dr for POSIX semantics security:
#
#    https://sites.google.com/site/fullycapable/who-ordered-libpsx
#
PTHREADS ?= yes

ifeq ($(PTHREADS),yes)
GO ?= go
GOLANG ?= $(shell if [ -n "$(shell $(GO) version 2>/dev/null)" ]; then echo yes ; else echo no ; fi)
ifeq ($(GOLANG),yes)
GOROOT ?= $(shell $(GO) env GOROOT)
GOCGO ?= $(shell if [ "$(shell $(GO) env CGO_ENABLED)" = 1 ]; then echo yes ; else echo no ; fi)
GOOSARCH ?= $(shell $(GO) env GOHOSTOS)_$(shell $(GO) env GOHOSTARCH)
CGO_REQUIRED=$(shell $(topdir)/go/cgo-required.sh $(GO))
ifeq ($(CGO_REQUIRED),1)
# Strictly speaking go1.15 doesn't need this, but 1.16 is when the
# real golang support arrives for non-cgo support, so drop the last
# vestige of legacy workarounds then.
CGO_LDFLAGS_ALLOW := -Wl,-?-wrap[=,][^-.@][^,]*
endif
CGO_CFLAGS := -I$(topdir)/libcap/include
CGO_LDFLAGS := -L$(topdir)/libcap
endif
endif

# If you want capsh to launch with something other than /bin/bash
# build like this:
#
#   make CAPSH_SHELL='-DSHELL=\"/bin/sh\"'
#
# or undefine the following:
#CAPSH_SHELL := '-DSHELL="/bin/sh"'

# When installing setcap, you can arrange for the installation process
# to set its inheritable bit to be able to place capabilities on files.
# It can be used in conjunction with pam_cap (associated with su and
# certain users say) to make it useful for specially blessed users.
#
#    make RAISE_SETFCAP=yes install
#
# This is now defaulted to no because some distributions have started
# shipping with all users blessed with full inheritable sets which makes
# no sense whatsoever!
#
# Indeed, it looks alarmingly like these distributions are recreating
# the environment for what became known as the sendmail-capabilities
# bug from 2000:
#
#  https://sites.google.com/site/fullycapable/Home/thesendmailcapabilitiesissue
#
# they are also nullifying the difference between a p-bit and an i-bit.
#
# Folk really should read this document, which explains there is a really
# important difference being lost here:
#
#  https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/33528.pdf
#
# In the context of this tree, on such such systems, a yes setting will
# guarantee that every user, by default, is able to bless any binary with
# any capability - a ready made local exploit machanism.
RAISE_SETFCAP := no

# If set to yes, this will cause the go "web" demo app to force the needed p
# bit to be able to bind to port 80 without running as root.
RAISE_GO_FILECAP := no

# Global cleanup stuff

LOCALCLEAN=rm -f *~ core
DISTCLEAN=@find . \( -name '*.orig' -o -name '*.rej' \) | xargs rm -f