Fix Gentoo hardened support

This checks the profile, if it has hardened in it's name it needs xattr support unfortunately xattr support cannot yet be relied on everywhere, so it needs to be disabled for hardened profile builds to correctly pax-mark. Change-Id: I7fb855249a9e6c9b6497ab5061b4ea3c014f5081 Closes-Bug: 1537177
2016-01-28 16:24:12 -06:00 · 2016-01-28 16:24:12 -06:00 · 01fce7b70c
parent c31a59a2c9
commit 01fce7b70c
10 changed files with 90 additions and 6 deletions
--- a/bin/disk-image-create
+++ b/bin/disk-image-create
@ -217,6 +217,15 @@ if [ -z "$DIB_ROOT_LABEL" ]; then
    fi
 fi

+# xattr support cannot be relied upon with tmpfs builds
+# some kernels supoprt it, some don't
+if [[ -n "${GENTOO_PROFILE}" ]]; then
+    if [[ "${GENTOO_PROFILE}" =~ "hardened" ]]; then
+        echo 'disabling tmpfs for gentoo hardened build'
+        export DIB_NO_TMPFS=1
+    fi
+fi
+
 mk_build_dir
 create_base
 # This variable needs to be propagated into the chroot
--- a/elements/base/pkg-map
+++ b/elements/base/pkg-map
@ -5,6 +5,28 @@
    },
    "suse": {
      "dkms_package": ""
+    },
+    "gentoo": {
+      "ccache_package": "dev-util/ccache",
+      "curl": "net-misc/curl",
+      "dhcp_client": "net-misc/dhcp",
+      "dkms_package": "",
+      "extlinux": "sys-boot/syslinux",
+      "git": "dev-vcs/git",
+      "grub_bios": "sys-boot/grub",
+      "grub-pc": "sys-boot/grub",
+      "ironic-python-agent": "",
+      "iscsi_package": "sys-block/open-iscsi",
+      "isc-dhcp-client": "net-misc/dhcp",
+      "isolinux": "",
+      "ncat": "net-analyzer/netcat",
+      "qemu-utils": "app-emulation/qemu",
+      "python-dev": "",
+      "PyYAML": "dev-python/pyyaml",
+      "syslinux": "sys-boot/syslinux",
+      "syslinux-common": "",
+      "tftp": "net-ftp/tftp-hpa",
+      "tgt": "sys-block/tgt"
    }
  },
  "default": {
--- a/elements/gentoo/bin/install-packages
+++ b/elements/gentoo/bin/install-packages
@ -34,6 +34,12 @@ function show_options {

 function fix_shm {
    if [[ "${RUN_ONCE_SHM}" == '1' ]]; then
+        if [[ -L /dev/shm.orig ]]; then
+            rm /dev/shm.orig
+        fi
+        if [[ -d /dev/shm.orig ]]; then
+            rm -Rf /dev/shm.orig
+        fi
        mv /dev/shm /dev/shm.orig
        mkdir /dev/shm
        mount -t tmpfs none /dev/shm
@ -53,7 +59,7 @@ function unfix_shm {
 function install_gentoo_packages {
    RUN_ONCE_SHM='1'
    fix_shm
-    emerge "$@"
+    emerge $@
    unfix_shm
 }

--- a/elements/gentoo/element-deps
+++ b/elements/gentoo/element-deps
@ -1,2 +1,3 @@
 cache-url
 dib-run-parts
+package-installs
--- a/elements/gentoo/environment.d/00-gentoo-distro-name.bash
+++ b/elements/gentoo/environment.d/00-gentoo-distro-name.bash
@ -0,0 +1,2 @@
+export DISTRO_NAME=gentoo
+export GENTOO_PROFILE=$(eselect profile show | tail -n 1)
--- a/elements/gentoo/environment.d/10-gentoo-distro-name.bash
+++ b/elements/gentoo/environment.d/10-gentoo-distro-name.bash
@ -1 +0,0 @@
-export DISTRO_NAME=gentoo
--- a/elements/gentoo/package-installs.yaml
+++ b/elements/gentoo/package-installs.yaml
@ -0,0 +1 @@
+sys-fs/dosfstools:
--- a/elements/gentoo/post-install.d/99-cleanup
+++ b/elements/gentoo/post-install.d/99-cleanup
@ -0,0 +1,39 @@
+#!/bin/bash
+
+if [[ ${DIB_DEBUG_TRACE:-0} -gt 0 ]]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+# make sure system is in a consistant state
+USE="-build" emerge -uDNv --with-bdeps=y --jobs=2 @world
+USE="-build" emerge --verbose=n --depclean
+USE="-build" emerge -v --usepkg=n @preserved-rebuild
+
+# update config files
+etc-update --automode -5
+
+# clean up portage files
+emerge --verbose=n --depclean
+emaint all -f
+eselect news read all
+eclean-dist --destructive
+
+# clean up files that may have been changed during build
+shopt -s extglob
+rm -Rf /tmp/!(ccache|in_target*|profiledir*)
+shopt -u extglob
+
+rm -Rf /root/.ccache/* /usr/portage/* /usr/src/* /var/cache/edb/dep/* /var/cache/genkernel/* /var/empty/* /var/run/* /var/state/* /var/tmp/* /var/cache/portage/distfiles
+rm -Rf /etc/*- /etc/*.old /etc/ssh/ssh_host_* /root/.*history /root/.lesshst /root/.ssh/known_hosts /root/.viminfo /usr/share/genkernel /usr/lib64/python*/site-packages/gentoolkit/test/eclean/testdistfiles.tar.gz
+
+# shrink a bit
+for i in $(find /var/log -type f); do echo > $i; done
+find /usr/share/man/ -mindepth 1  -maxdepth 1 -path "/usr/share/man/man*" -prune -o -exec rm -rf {} \;
+
+# make it so we don't have to reinstall grub
+if [[ -a /usr/sbin/grub2-install ]]; then
+    mkdir -p /tmp/grub
+    touch /tmp/grub/install
+fi
--- a/elements/gentoo/pre-install.d/01-gentoo-install
+++ b/elements/gentoo/pre-install.d/01-gentoo-install
@ -7,3 +7,8 @@ set -eu
 set -o pipefail

 install -m 0755 -o root -g root $(dirname $0)/../bin/* /usr/local/bin
+
+# migrate pt_pax flags to xt_pax
+if [[ -a /usr/sbin/migrate-pax ]]; then
+    /usr/sbin/migrate-pax -m
+fi
--- a/elements/gentoo/root.d/10-gentoo-image
+++ b/elements/gentoo/root.d/10-gentoo-image
@ -42,16 +42,16 @@ ELEMENT_DIR=${ELEMENT_DIR:-"${ELEMENTS_PATH}/gentoo"}
 GENTOO_PROFILE=${GENTOO_PROFILE:-'default/linux/amd64/13.0'}
 if [[ "${GENTOO_PROFILE}" == "default/linux/amd64/13.0" ]]; then
    FILENAME_BASE='gentoo-stage4'
-    SIGNED_SOURCE_SUFFIX='cloud'
+    SIGNED_SOURCE_SUFFIX='minimal'
 elif [[ "${GENTOO_PROFILE}" == "default/linux/amd64/13.0/no-multilib" ]]; then
    FILENAME_BASE='gentoo-stage4-nomultilib'
-    SIGNED_SOURCE_SUFFIX='cloud-nomultilib'
+    SIGNED_SOURCE_SUFFIX='minimal-nomultilib'
 elif [[ "${GENTOO_PROFILE}" == "hardened/linux/amd64" ]]; then
    FILENAME_BASE='gentoo-stage4-hardened'
-    SIGNED_SOURCE_SUFFIX='hardened+cloud'
+    SIGNED_SOURCE_SUFFIX='hardened+minimal'
 elif [[ "${GENTOO_PROFILE}" == "hardened/linux/amd64/no-multilib" ]]; then
    FILENAME_BASE='gentoo-stage4-hardened-nomultilib'
-    SIGNED_SOURCE_SUFFIX='hardened+cloud-nomultilib'
+    SIGNED_SOURCE_SUFFIX='hardened+minimal-nomultilib'
 else
    echo 'invalid profile, please select from the following profiles'
    echo 'default/linux/amd64/13.0'