From 01fce7b70cb749606e8529a9059ad078557639a7 Mon Sep 17 00:00:00 2001
From: Matthew Thode
Date: Thu, 28 Jan 2016 16:24:12 -0600
Subject: [PATCH] Fix Gentoo hardened support

This checks the profile, if it has hardened in it's name it needs xattr support unfortunately xattr support cannot yet be relied on everywhere, so it needs to be disabled for hardened profile builds to correctly pax-mark.

Change-Id: I7fb855249a9e6c9b6497ab5061b4ea3c014f5081
Closes-Bug: 1537177
---
 bin/disk-image-create | 9 +++++
 elements/base/pkg-map | 22 +++++++++++
 elements/gentoo/bin/install-packages | 8 +++-
 elements/gentoo/element-deps | 1 +
 .../environment.d/00-gentoo-distro-name.bash | 2 +
 .../environment.d/10-gentoo-distro-name.bash | 1 -
 elements/gentoo/package-installs.yaml | 1 +
 elements/gentoo/post-install.d/99-cleanup | 39 +++++++++++++++++++
 .../gentoo/pre-install.d/01-gentoo-install | 5 +++
 elements/gentoo/root.d/10-gentoo-image | 8 ++--
 10 files changed, 90 insertions(+), 6 deletions(-)
 create mode 100755 elements/gentoo/environment.d/00-gentoo-distro-name.bash
 delete mode 100644 elements/gentoo/environment.d/10-gentoo-distro-name.bash
 create mode 100644 elements/gentoo/package-installs.yaml
 create mode 100755 elements/gentoo/post-install.d/99-cleanup

diff --git a/bin/disk-image-create b/bin/disk-image-create
index 8862155b..2dff8de7 100755
--- a/bin/disk-image-create
+++ b/bin/disk-image-create
@@ -217,6 +217,15 @@ if [ -z "$DIB_ROOT_LABEL" ]; then
 fi
 fi
+# xattr support cannot be relied upon with tmpfs builds
+# some kernels supoprt it, some don't
+if [[ -n "${GENTOO_PROFILE}" ]]; then
+ if [[ "${GENTOO_PROFILE}" =~ "hardened" ]]; then
+ echo 'disabling tmpfs for gentoo hardened build'
+ export DIB_NO_TMPFS=1
+ fi
+fi
+
 mk_build_dir
 create_base
 # This variable needs to be propagated into the chroot
diff --git a/elements/base/pkg-map b/elements/base/pkg-map
index b09852de..9164060b 100644
--- a/elements/base/pkg-map
+++ b/elements/base/pkg-map
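Review bot: The quoted right-hand side in `[[ "${GENTOO_PROFILE}" =~ "hardened" ]]` makes this a literal substring test that merely looks like a regex, and the comment above it misspells `supoprt`; `if [[ "${GENTOO_PROFILE}" == *hardened* ]]; then` expresses the intended "anywhere in the profile name" match without the ambiguity. The informational `echo 'disabling tmpfs for gentoo hardened build'` goes to stdout and interleaves with build output; sending it to stderr with `>&2` keeps it with the other diagnostics. This guard can only see a GENTOO_PROFILE the caller exported before invoking disk-image-create, so a hardened profile selected later inside the build cannot re-enable it — worth a one-line comment so nobody expects otherwise.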
@@ -5,6 +5,28 @@
 },
 "suse": {
 "dkms_package": ""
+ },
+ "gentoo": {
+ "ccache_package": "dev-util/ccache",
+ "curl": "net-misc/curl",
+ "dhcp_client": "net-misc/dhcp",
+ "dkms_package": "",
+ "extlinux": "sys-boot/syslinux",
+ "git": "dev-vcs/git",
+ "grub_bios": "sys-boot/grub",
+ "grub-pc": "sys-boot/grub",
+ "ironic-python-agent": "",
+ "iscsi_package": "sys-block/open-iscsi",
+ "isc-dhcp-client": "net-misc/dhcp",
+ "isolinux": "",
+ "ncat": "net-analyzer/netcat",
+ "qemu-utils": "app-emulation/qemu",
+ "python-dev": "",
+ "PyYAML": "dev-python/pyyaml",
+ "syslinux": "sys-boot/syslinux",
+ "syslinux-common": "",
+ "tftp": "net-ftp/tftp-hpa",
+ "tgt": "sys-block/tgt"
 }
 },
 "default": {
diff --git a/elements/gentoo/bin/install-packages b/elements/gentoo/bin/install-packages
index 968f9b03..4051657e 100755
--- a/elements/gentoo/bin/install-packages
+++ b/elements/gentoo/bin/install-packages
@@ -34,6 +34,12 @@ function show_options {
 function fix_shm {
 if [[ "${RUN_ONCE_SHM}" == '1' ]]; then
+ if [[ -L /dev/shm.orig ]]; then
+ rm /dev/shm.orig
+ fi
+ if [[ -d /dev/shm.orig ]]; then
+ rm -Rf /dev/shm.orig
+ fi
 mv /dev/shm /dev/shm.orig
 mkdir /dev/shm
 mount -t tmpfs none /dev/shm
@@ -53,7 +59,7 @@ function unfix_shm {
 function install_gentoo_packages {
 RUN_ONCE_SHM='1'
 fix_shm
- emerge "$@"
+ emerge $@
 unfix_shm
 }
diff --git a/elements/gentoo/element-deps b/elements/gentoo/element-deps
index 5c6d5779..25604c8e 100644
--- a/elements/gentoo/element-deps
+++ b/elements/gentoo/element-deps
@@ -1,2 +1,3 @@
 cache-url
 dib-run-parts
+package-installs
diff --git a/elements/gentoo/environment.d/00-gentoo-distro-name.bash b/elements/gentoo/environment.d/00-gentoo-distro-name.bash
new file mode 100755
index 00000000..91e5606b
--- /dev/null
+++ b/elements/gentoo/environment.d/00-gentoo-distro-name.bash
@@ -0,0 +1,2 @@
+export DISTRO_NAME=gentoo
+export GENTOO_PROFILE=$(eselect profile show | tail -n 1)
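Review bot: The `"ncat": "net-analyzer/netcat"` entry maps the nmap-style `ncat` command to a different netcat implementation; unless that package actually installs an `ncat` binary (as far as I know it ships `nc`), elements that invoke `ncat` will install successfully and then fail at run time on Gentoo. Map it to the package that provides `ncat` (nmap with its ncat support) or document in the element README that Gentoo callers must use `nc`. The empty mappings (`ironic-python-agent`, `isolinux`, `python-dev`, `syslinux-common`) deliberately make those installs no-ops, which is fine, but since strict JSON cannot carry a comment that decision also belongs in the README.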
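Review bot: The stale-`/dev/shm.orig` cleanup does not complete the recovery it is aiming at: if an earlier run died after `mount -t tmpfs none /dev/shm`, that tmpfs is still mounted, and the following `mv /dev/shm /dev/shm.orig` fails with EBUSY because a mount point cannot be renamed, so the run still aborts. Deleting the leftover is also the most destructive option — if `/dev` in this chroot is the host's bind-mounted `/dev` (typical for diskimage-builder, though not visible here), `rm -Rf /dev/shm.orig` discards whatever host processes had in their real `/dev/shm` when the earlier run moved it aside. Unmounting the stale tmpfs and moving the original directory back restores the pre-run state instead of destroying it; the `mv`/`mkdir`/`mount` lines that follow are unchanged. `unfix_shm` begins outside this hunk, so its teardown should be checked for the same mount-point assumption.

```shell
function fix_shm {
    if [[ "${RUN_ONCE_SHM}" == '1' ]]; then
        # Recover from an interrupted earlier run by restoring the original
        # /dev/shm rather than deleting it: /dev may be the host's bind-mounted
        # /dev, and a still-mounted tmpfs cannot be renamed (EBUSY).
        if [[ -e /dev/shm.orig || -L /dev/shm.orig ]]; then
            if mountpoint -q /dev/shm; then
                umount /dev/shm
            fi
            if [[ -d /dev/shm && ! -L /dev/shm ]]; then
                rmdir /dev/shm
            fi
            mv /dev/shm.orig /dev/shm
        fi
        # … unchanged: mv /dev/shm /dev/shm.orig; mkdir /dev/shm; mount tmpfs …
```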
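Review bot: Dropping the quotes in `emerge $@` (presumably so a space-separated package list passed as one argument is split into atoms) also turns on pathname expansion, so an atom containing `*` or `?` — e.g. a version wildcard like `=sys-kernel/gentoo-sources-4*` — is matched against files in the current directory before emerge sees it. Disable globbing around the call and say why the quoting is gone: `set -f; emerge $@; set +f` with a preceding `# intentionally unquoted: callers pass a space-separated package list`. A ShellCheck suppression (`# shellcheck disable=SC2068`) on that line would keep the linter honest about the deliberate choice.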
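Review bot: `export GENTOO_PROFILE=$(eselect profile show | tail -n 1)` unconditionally overwrites any GENTOO_PROFILE the user exported, and root.d/10-gentoo-image (later in this patch) applies its default only when the variable is unset — so an explicit hardened selection is replaced by whatever `eselect` reports. Because `export` returns 0 regardless of the substitution's exit status, a host without `eselect` (environment.d files are sourced on the build host as well as in the chroot, as far as I can tell) silently yields an empty value, the element falls back to the non-hardened default, and the hardened tmpfs guard in bin/disk-image-create never fires. Let an explicit choice win: `export GENTOO_PROFILE=${GENTOO_PROFILE:-$(eselect profile show | tail -n 1)}`, guarded by `command -v eselect >/dev/null`. Note also that `tail -n 1` may keep the leading whitespace `eselect profile show` indents its output with, which would fail the exact string comparisons in 10-gentoo-image.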
diff --git a/elements/gentoo/environment.d/10-gentoo-distro-name.bash b/elements/gentoo/environment.d/10-gentoo-distro-name.bash
deleted file mode 100644
index 61ad3573..00000000
--- a/elements/gentoo/environment.d/10-gentoo-distro-name.bash
+++ /dev/null
@@ -1 +0,0 @@
-export DISTRO_NAME=gentoo
diff --git a/elements/gentoo/package-installs.yaml b/elements/gentoo/package-installs.yaml
new file mode 100644
index 00000000..16b2f418
--- /dev/null
+++ b/elements/gentoo/package-installs.yaml
@@ -0,0 +1 @@
+sys-fs/dosfstools:
diff --git a/elements/gentoo/post-install.d/99-cleanup b/elements/gentoo/post-install.d/99-cleanup
new file mode 100755
index 00000000..7a6e772d
--- /dev/null
+++ b/elements/gentoo/post-install.d/99-cleanup
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+if [[ ${DIB_DEBUG_TRACE:-0} -gt 0 ]]; then
+ set -x
+fi
+set -eu
+set -o pipefail
+
+# make sure system is in a consistant state
+USE="-build" emerge -uDNv --with-bdeps=y --jobs=2 @world
+USE="-build" emerge --verbose=n --depclean
+USE="-build" emerge -v --usepkg=n @preserved-rebuild
+
+# update config files
+etc-update --automode -5
+
+# clean up portage files
+emerge --verbose=n --depclean
+emaint all -f
+eselect news read all
+eclean-dist --destructive
+
+# clean up files that may have been changed during build
+shopt -s extglob
+rm -Rf /tmp/!(ccache|in_target*|profiledir*)
+shopt -u extglob
+
+rm -Rf /root/.ccache/* /usr/portage/* /usr/src/* /var/cache/edb/dep/* /var/cache/genkernel/* /var/empty/* /var/run/* /var/state/* /var/tmp/* /var/cache/portage/distfiles
+rm -Rf /etc/*- /etc/*.old /etc/ssh/ssh_host_* /root/.*history /root/.lesshst /root/.ssh/known_hosts /root/.viminfo /usr/share/genkernel /usr/lib64/python*/site-packages/gentoolkit/test/eclean/testdistfiles.tar.gz
+
+# shrink a bit
+for i in $(find /var/log -type f); do echo > $i; done
+find /usr/share/man/ -mindepth 1 -maxdepth 1 -path "/usr/share/man/man*" -prune -o -exec rm -rf {} \;
+
+# make it so we don't have to reinstall grub
+if [[ -a /usr/sbin/grub2-install ]]; then
+ mkdir -p /tmp/grub
+ touch /tmp/grub/install
+fi
diff --git a/elements/gentoo/pre-install.d/01-gentoo-install b/elements/gentoo/pre-install.d/01-gentoo-install
index 59b38a01..f632aaab 100755
--- a/elements/gentoo/pre-install.d/01-gentoo-install
+++ b/elements/gentoo/pre-install.d/01-gentoo-install
@@ -7,3 +7,8 @@ set -eu
 set -o pipefail
 install -m 0755 -o root -g root $(dirname $0)/../bin/* /usr/local/bin
+
+# migrate pt_pax flags to xt_pax
+if [[ -a /usr/sbin/migrate-pax ]]; then
+ /usr/sbin/migrate-pax -m
+fi
diff --git a/elements/gentoo/root.d/10-gentoo-image b/elements/gentoo/root.d/10-gentoo-image
index 27b31dd4..ff258b54 100755
--- a/elements/gentoo/root.d/10-gentoo-image
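Review bot: `rm -Rf /root/.ccache/* /usr/portage/* ... /var/tmp/* /var/cache/portage/distfiles` deletes through whatever is mounted at those paths with no check that they belong to the image; if the element bind-mounts the host's portage tree, distfiles or ccache into the chroot to speed up builds (not visible in this patch), this wipes the host's copy from inside a post-install hook. Guard each shared candidate with `mountpoint -q <path>` (skip it, or `umount` it first) or restrict the list to paths known to be image-local, and say so in the comment. The log-shrinking loop `for i in $(find /var/log -type f); do echo > $i; done` word-splits filenames and leaves a newline in every log; `find /var/log -type f -exec truncate -s 0 {} +` is the safe equivalent. Also `consistant` → `consistent`, and `[[ -a /usr/sbin/grub2-install ]]` should be `-e` (or `-x`), since `-a` is the deprecated spelling.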
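Review bot: `[[ -a /usr/sbin/migrate-pax ]]` only tests existence, with the deprecated `-a` spelling, yet the next line executes the file; `[[ -x /usr/sbin/migrate-pax ]]` is the accurate guard. The comment should also record why this step exists and what it depends on, since the commit message carries that reasoning but the script does not: `# migrate PT_PAX flags into extended attributes (XATTR_PAX); needs user-xattr support on the build fs, which is why disk-image-create disables tmpfs for hardened profiles`. Without that link, the next person to remove the `DIB_NO_TMPFS` special case will silently break the PaX markings this hook produces.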
+++ b/elements/gentoo/root.d/10-gentoo-image
@@ -42,16 +42,16 @@ ELEMENT_DIR=${ELEMENT_DIR:-"${ELEMENTS_PATH}/gentoo"}
 GENTOO_PROFILE=${GENTOO_PROFILE:-'default/linux/amd64/13.0'}
 if [[ "${GENTOO_PROFILE}" == "default/linux/amd64/13.0" ]]; then
 FILENAME_BASE='gentoo-stage4'
- SIGNED_SOURCE_SUFFIX='cloud'
+ SIGNED_SOURCE_SUFFIX='minimal'
 elif [[ "${GENTOO_PROFILE}" == "default/linux/amd64/13.0/no-multilib" ]]; then
 FILENAME_BASE='gentoo-stage4-nomultilib'
- SIGNED_SOURCE_SUFFIX='cloud-nomultilib'
+ SIGNED_SOURCE_SUFFIX='minimal-nomultilib'
 elif [[ "${GENTOO_PROFILE}" == "hardened/linux/amd64" ]]; then
 FILENAME_BASE='gentoo-stage4-hardened'
- SIGNED_SOURCE_SUFFIX='hardened+cloud'
+ SIGNED_SOURCE_SUFFIX='hardened+minimal'
 elif [[ "${GENTOO_PROFILE}" == "hardened/linux/amd64/no-multilib" ]]; then
 FILENAME_BASE='gentoo-stage4-hardened-nomultilib'
- SIGNED_SOURCE_SUFFIX='hardened+cloud-nomultilib'
+ SIGNED_SOURCE_SUFFIX='hardened+minimal-nomultilib'
 else
 echo 'invalid profile, please select from the following profiles'
 echo 'default/linux/amd64/13.0'