From 01fce7b70cb749606e8529a9059ad078557639a7 Mon Sep 17 00:00:00 2001
From: Matthew Thode
Date: Thu, 28 Jan 2016 16:24:12 -0600
Subject: [PATCH] Fix Gentoo hardened support

This checks the profile, if it has hardened in it's name it needs xattr support unfortunately xattr support cannot yet be relied on everywhere, so it needs to be disabled for hardened profile builds to correctly pax-mark.

Change-Id: I7fb855249a9e6c9b6497ab5061b4ea3c014f5081
Closes-Bug: 1537177
---
 bin/disk-image-create | 9 +++++
 elements/base/pkg-map | 22 +++++++++++
 elements/gentoo/bin/install-packages | 8 +++-
 elements/gentoo/element-deps | 1 +
 .../environment.d/00-gentoo-distro-name.bash | 2 +
 .../environment.d/10-gentoo-distro-name.bash | 1 -
 elements/gentoo/package-installs.yaml | 1 +
 elements/gentoo/post-install.d/99-cleanup | 39 +++++++++++++++++++
 .../gentoo/pre-install.d/01-gentoo-install | 5 +++
 elements/gentoo/root.d/10-gentoo-image | 8 ++--
 10 files changed, 90 insertions(+), 6 deletions(-)
 create mode 100755 elements/gentoo/environment.d/00-gentoo-distro-name.bash
 delete mode 100644 elements/gentoo/environment.d/10-gentoo-distro-name.bash
 create mode 100644 elements/gentoo/package-installs.yaml
 create mode 100755 elements/gentoo/post-install.d/99-cleanup

diff --git a/bin/disk-image-create b/bin/disk-image-create
index 8862155ba..2dff8de77 100755
--- a/bin/disk-image-create
+++ b/bin/disk-image-create
@@ -217,6 +217,15 @@ if [ -z "$DIB_ROOT_LABEL" ]; then
 fi
 fi
 
+# xattr support cannot be relied upon with tmpfs builds
+# some kernels supoprt it, some don't
+if [[ -n "${GENTOO_PROFILE}" ]]; then
+if [[ "${GENTOO_PROFILE}" =~ "hardened" ]]; then
+echo 'disabling tmpfs for gentoo hardened build'
+export DIB_NO_TMPFS=1
+fi
+fi
+
 mk_build_dir
 create_base
 # This variable needs to be propagated into the chroot
diff --git a/elements/base/pkg-map b/elements/base/pkg-map
index b09852deb..9164060b3 100644
--- a/elements/base/pkg-map
+++ b/elements/base/pkg-map
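Review bot: The guard's comment names the symptom (tmpfs xattr support varies) but not the consequence that justifies the check, which the commit message gives: hardened profiles pax-mark binaries through xattrs, so a build on a tmpfs without xattr support yields binaries that silently lack their PaX flags. Suggest replacing the two comment lines with `# hardened profiles pax-mark binaries via xattrs (xt_pax); tmpfs xattr support varies by kernel, so force an on-disk build` (which also fixes the 'supoprt' typo). The outer `-n` test is redundant because `=~` cannot match an empty string, and the diagnostic is better sent to stderr: `echo 'disabling tmpfs for gentoo hardened build' >&2`. Whether GENTOO_PROFILE is populated here depends on environment.d already having been sourced at this point of disk-image-create, which is outside the hunk.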
@@ -5,6 +5,28 @@
 },
 "suse": {
 "dkms_package": ""
+},
+"gentoo": {
+"ccache_package": "dev-util/ccache",
+"curl": "net-misc/curl",
+"dhcp_client": "net-misc/dhcp",
+"dkms_package": "",
+"extlinux": "sys-boot/syslinux",
+"git": "dev-vcs/git",
+"grub_bios": "sys-boot/grub",
+"grub-pc": "sys-boot/grub",
+"ironic-python-agent": "",
+"iscsi_package": "sys-block/open-iscsi",
+"isc-dhcp-client": "net-misc/dhcp",
+"isolinux": "",
+"ncat": "net-analyzer/netcat",
+"qemu-utils": "app-emulation/qemu",
+"python-dev": "",
+"PyYAML": "dev-python/pyyaml",
+"syslinux": "sys-boot/syslinux",
+"syslinux-common": "",
+"tftp": "net-ftp/tftp-hpa",
+"tgt": "sys-block/tgt"
 }
 },
 "default": {
diff --git a/elements/gentoo/bin/install-packages b/elements/gentoo/bin/install-packages
index 968f9b037..4051657e2 100755
--- a/elements/gentoo/bin/install-packages
+++ b/elements/gentoo/bin/install-packages
@@ -34,6 +34,12 @@ function show_options {
 
 function fix_shm {
 if [[ "${RUN_ONCE_SHM}" == '1' ]]; then
+if [[ -L /dev/shm.orig ]]; then
+rm /dev/shm.orig
+fi
+if [[ -d /dev/shm.orig ]]; then
+rm -Rf /dev/shm.orig
+fi
 mv /dev/shm /dev/shm.orig
 mkdir /dev/shm
 mount -t tmpfs none /dev/shm
@@ -53,7 +59,7 @@ function unfix_shm {
 function install_gentoo_packages {
 RUN_ONCE_SHM='1' fix_shm
-emerge "$@"
+emerge $@
 unfix_shm
 }
diff --git a/elements/gentoo/element-deps b/elements/gentoo/element-deps
index 5c6d5779f..25604c8e9 100644
--- a/elements/gentoo/element-deps
+++ b/elements/gentoo/element-deps
@@ -1,2 +1,3 @@
 cache-url
 dib-run-parts
+package-installs
diff --git a/elements/gentoo/environment.d/00-gentoo-distro-name.bash b/elements/gentoo/environment.d/00-gentoo-distro-name.bash
new file mode 100755
index 000000000..91e5606bc
--- /dev/null
+++ b/elements/gentoo/environment.d/00-gentoo-distro-name.bash
@@ -0,0 +1,2 @@
+export DISTRO_NAME=gentoo
+export GENTOO_PROFILE=$(eselect profile show | tail -n 1)
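Review bot: Dropping the quotes in `emerge $@` (second install-packages hunk) reintroduces word splitting and pathname expansion on every package argument, so an atom containing glob characters, e.g. `=cat/pkg-1*`, can be expanded against the working directory before emerge sees it; the original `"$@"` was the correct form. If the motivation is that the package-installs caller now passes several atoms in one space-separated argument (an inference from the element-deps hunk), split that explicitly with `read -ra pkgs <<<"$*"` followed by `emerge "${pkgs[@]}"`, and add a comment saying why. The stale /dev/shm.orig removal in the first hunk looks fine; a comment such as `# remove a leftover from an earlier aborted run` would tell the next reader what it is for.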
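Review bot: `export GENTOO_PROFILE=$(eselect profile show | tail -n 1)` unconditionally overwrites any GENTOO_PROFILE the user exported, although root.d/10-gentoo-image still treats it as user-settable (`${GENTOO_PROFILE:-...}`), and since the disk-image-create hunk reads it before mk_build_dir this file appears to run on the build host, so the value is the host's profile rather than the one the image is meant to use. Derive it only when unset, `: "${GENTOO_PROFILE:=$(eselect profile show | tail -n 1)}"`, or guard the assignment with `if [[ -z "${GENTOO_PROFILE:-}" ]]`. `export VAR=$(cmd)` also hides the command's exit status, so on a host without eselect the variable silently becomes empty. As far as I recall the last line of `eselect profile show` is indented, which would make the exact `==` comparisons in 10-gentoo-image fall through to the invalid-profile branch; trimming the value (`sed 's/^[[:space:]]*//'`) is worth checking.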
diff --git a/elements/gentoo/environment.d/10-gentoo-distro-name.bash b/elements/gentoo/environment.d/10-gentoo-distro-name.bash
deleted file mode 100644
index 61ad3573c..000000000
--- a/elements/gentoo/environment.d/10-gentoo-distro-name.bash
+++ /dev/null
@@ -1 +0,0 @@
-export DISTRO_NAME=gentoo
diff --git a/elements/gentoo/package-installs.yaml b/elements/gentoo/package-installs.yaml
new file mode 100644
index 000000000..16b2f418b
--- /dev/null
+++ b/elements/gentoo/package-installs.yaml
@@ -0,0 +1 @@
+sys-fs/dosfstools:
diff --git a/elements/gentoo/post-install.d/99-cleanup b/elements/gentoo/post-install.d/99-cleanup
new file mode 100755
index 000000000..7a6e772df
--- /dev/null
+++ b/elements/gentoo/post-install.d/99-cleanup
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+if [[ ${DIB_DEBUG_TRACE:-0} -gt 0 ]]; then
+set -x
+fi
+set -eu
+set -o pipefail
+
+# make sure system is in a consistant state
+USE="-build" emerge -uDNv --with-bdeps=y --jobs=2 @world
+USE="-build" emerge --verbose=n --depclean
+USE="-build" emerge -v --usepkg=n @preserved-rebuild
+
+# update config files
+etc-update --automode -5
+
+# clean up portage files
+emerge --verbose=n --depclean
+emaint all -f
+eselect news read all
+eclean-dist --destructive
+
+# clean up files that may have been changed during build
+shopt -s extglob
+rm -Rf /tmp/!(ccache|in_target*|profiledir*)
+shopt -u extglob
+
+rm -Rf /root/.ccache/* /usr/portage/* /usr/src/* /var/cache/edb/dep/* /var/cache/genkernel/* /var/empty/* /var/run/* /var/state/* /var/tmp/* /var/cache/portage/distfiles
+rm -Rf /etc/*- /etc/*.old /etc/ssh/ssh_host_* /root/.*history /root/.lesshst /root/.ssh/known_hosts /root/.viminfo /usr/share/genkernel /usr/lib64/python*/site-packages/gentoolkit/test/eclean/testdistfiles.tar.gz
+
+# shrink a bit
+for i in $(find /var/log -type f); do echo > $i; done
+find /usr/share/man/ -mindepth 1 -maxdepth 1 -path "/usr/share/man/man*" -prune -o -exec rm -rf {} \;
+
+# make it so we don't have to reinstall grub
+if [[ -a /usr/sbin/grub2-install ]]; then
+mkdir -p /tmp/grub
+touch /tmp/grub/install
+fi
diff --git a/elements/gentoo/pre-install.d/01-gentoo-install b/elements/gentoo/pre-install.d/01-gentoo-install
index 59b38a01e..f632aaab7 100755
--- a/elements/gentoo/pre-install.d/01-gentoo-install
+++ b/elements/gentoo/pre-install.d/01-gentoo-install
@@ -7,3 +7,8 @@ set -eu
 set -o pipefail
 
 install -m 0755 -o root -g root $(dirname $0)/../bin/* /usr/local/bin
+
+# migrate pt_pax flags to xt_pax
+if [[ -a /usr/sbin/migrate-pax ]]; then
+/usr/sbin/migrate-pax -m
+fi
diff --git a/elements/gentoo/root.d/10-gentoo-image b/elements/gentoo/root.d/10-gentoo-image
index 27b31dd4a..ff258b54e 100755
--- a/elements/gentoo/root.d/10-gentoo-image
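Review bot: `for i in $(find /var/log -type f); do echo > $i; done` word-splits and glob-expands find's output, so a log path containing whitespace is mishandled; `find /var/log -type f -exec truncate -s 0 {} +` truncates the same files safely. `etc-update --automode -5` accepts every pending change under /etc without review, which on a hardened image deserves a comment stating that this is deliberate for an unattended build. `[[ -a /usr/sbin/grub2-install ]]` uses a legacy synonym of `-e`; the same pattern appears in the 01-gentoo-install hunk, where `-x` is the better fit since the binary is then executed. Removing `/etc/ssh/ssh_host_*` and the root shell history is right for an image, but the comment above that `rm` should say so, e.g. `# strip host keys and shell history so they are not baked into the image`.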
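Review bot: The migrate-pax call in 01-gentoo-install runs for every profile and its comment says what it does but not why it belongs in pre-install.d; per the commit message the point is pax-marking via xattrs for hardened builds, presumably so that packages merged afterwards are marked the new way. Suggest `# migrate pt_pax flags to xt_pax before packages are merged so later installs are pax-marked via xattrs (needed on hardened profiles)`, and if the call is only meaningful for hardened profiles, say so next to the test.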
+++ b/elements/gentoo/root.d/10-gentoo-image
@@ -42,16 +42,16 @@ ELEMENT_DIR=${ELEMENT_DIR:-"${ELEMENTS_PATH}/gentoo"}
 GENTOO_PROFILE=${GENTOO_PROFILE:-'default/linux/amd64/13.0'}
 if [[ "${GENTOO_PROFILE}" == "default/linux/amd64/13.0" ]]; then
 FILENAME_BASE='gentoo-stage4'
-SIGNED_SOURCE_SUFFIX='cloud'
+SIGNED_SOURCE_SUFFIX='minimal'
 elif [[ "${GENTOO_PROFILE}" == "default/linux/amd64/13.0/no-multilib" ]]; then
 FILENAME_BASE='gentoo-stage4-nomultilib'
-SIGNED_SOURCE_SUFFIX='cloud-nomultilib'
+SIGNED_SOURCE_SUFFIX='minimal-nomultilib'
 elif [[ "${GENTOO_PROFILE}" == "hardened/linux/amd64" ]]; then
 FILENAME_BASE='gentoo-stage4-hardened'
-SIGNED_SOURCE_SUFFIX='hardened+cloud'
+SIGNED_SOURCE_SUFFIX='hardened+minimal'
 elif [[ "${GENTOO_PROFILE}" == "hardened/linux/amd64/no-multilib" ]]; then
 FILENAME_BASE='gentoo-stage4-hardened-nomultilib'
-SIGNED_SOURCE_SUFFIX='hardened+cloud-nomultilib'
+SIGNED_SOURCE_SUFFIX='hardened+minimal-nomultilib'
 else
 echo 'invalid profile, please select from the following profiles'
 echo 'default/linux/amd64/13.0'
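Review bot: The four SIGNED_SOURCE_SUFFIX changes switch every profile from the 'cloud' stage4 artifact to the 'minimal' one, and neither the commit message nor the code says why; a comment above the chain, e.g. `# SIGNED_SOURCE_SUFFIX selects which signed stage4 variant is fetched; 'minimal' replaces the former 'cloud' variant`, would record the intent. Because the new environment.d derives GENTOO_PROFILE from `eselect profile show` output, these exact `==` comparisons are sensitive to any leading whitespace in that value, so a trim before the chain is worth confirming. The if/elif chain continues past the end of the hunk.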