* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-05-15 13:33 Sven Vermeulen
From: Sven Vermeulen @ 2011-05-15 13:33 UTC (permalink / raw
To: gentoo-commits
commit: 6ad31711c339f1dfba4c3594388aa3ed10bfea43
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun May 15 13:30:41 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun May 15 13:30:41 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=6ad31711
Update on eclass, fail build when module fails to load, as per agreement on gentoo-hardened <AT> g.o
---
eclass/selinux-policy-2.eclass | 92 ++++++++++++++++++++++++++++++++++++++++
1 files changed, 92 insertions(+), 0 deletions(-)
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
new file mode 100644
index 0000000..710c23a
--- /dev/null
+++ b/eclass/selinux-policy-2.eclass
@@ -0,0 +1,92 @@
+# Copyright 1999-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.5 2011/02/05 11:28:10 blueness Exp $
+
+# Eclass for installing SELinux policy, and optionally
+# reloading the reference-policy based modules.
+
+inherit eutils
+
+IUSE=""
+
+HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
+SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+S="${WORKDIR}/"
+
+RDEPEND=">=sys-apps/policycoreutils-1.30.30
+ >=sec-policy/selinux-base-policy-${PV}"
+
+DEPEND="${RDEPEND}
+ sys-devel/m4
+ >=sys-apps/checkpolicy-1.30.12"
+
+selinux-policy-2_src_unpack() {
+ local modfiles
+ [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="strict targeted"
+
+ unpack ${A}
+
+ for i in ${MODS}; do
+ modfiles="`find ${S}/refpolicy/policy/modules -iname $i.te` $modfiles"
+ modfiles="`find ${S}/refpolicy/policy/modules -iname $i.fc` $modfiles"
+ done
+
+ for i in ${POLICY_TYPES}; do
+ mkdir "${S}"/${i}
+ cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile
+
+ cp ${modfiles} "${S}"/${i}
+
+ if [ -n "${POLICY_PATCH}" ]; then
+ for POLPATCH in "${POLICY_PATCH}";
+ do
+ cd "${S}"/${i}
+ einfo "Patching ${i}"
+ epatch "${POLPATCH}" || die "failed patch ${POLPATCH}"
+ done
+ fi
+
+ done
+}
+
+selinux-policy-2_src_compile() {
+ [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="strict targeted"
+
+ for i in ${POLICY_TYPES}; do
+ make NAME=$i -C "${S}"/${i} || die "${i} compile failed"
+ done
+}
+
+selinux-policy-2_src_install() {
+ [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="strict targeted"
+ local BASEDIR="/usr/share/selinux"
+
+ for i in ${POLICY_TYPES}; do
+ for j in ${MODS}; do
+ echo "Installing ${i} ${j} policy package"
+ insinto ${BASEDIR}/${i}
+ doins "${S}"/${i}/${j}.pp
+ done
+ done
+}
+
+selinux-policy-2_pkg_postinst() {
+ # build up the command in the case of multiple modules
+ local COMMAND
+ for i in ${MODS}; do
+ COMMAND="-i ${i}.pp ${COMMAND}"
+ done
+ [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="strict targeted"
+
+ for i in ${POLICY_TYPES}; do
+ einfo "Inserting the following modules into the $i module store: ${MODS}"
+
+ cd /usr/share/selinux/${i}
+ semodule -s ${i} ${COMMAND} || die "Failed to load in modules ${MODS} in the $i policy store"
+ done
+}
+
+EXPORT_FUNCTIONS src_unpack src_compile src_install pkg_postinst
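Review bot: The patch loop `for POLPATCH in "${POLICY_PATCH}"` in selinux-policy-2_src_unpack quotes the expansion, so a space-separated list of patches becomes one loop item and epatch receives a single path that does not exist; iterate over `${POLICY_PATCH}` unquoted, or keep the patches in a bash array and expand `"${POLICY_PATCH[@]}"`. `cd "${S}"/${i}` before the patch and `cd /usr/share/selinux/${i}` before `semodule` carry no `|| die`, so a failed directory change runs the next command in whatever directory the shell happens to be in; `cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"` keeps that consistent with the new fail-on-load behavior. `cp ${modfiles} "${S}"/${i}` is also unchecked, and when find returns nothing for MODS the copy fails silently and src_compile runs against an empty directory.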
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 8:29 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03 8:29 UTC (permalink / raw
To: gentoo-commits
commit: 6c782ad7479b4e661a8c0616f7f3bff17d04b1b0
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 3 08:28:32 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug 3 08:28:32 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=6c782ad7
Adding updated selinux-policy-2 eclass
---
eclass/selinux-policy-2.eclass | 195 ++++++++++++++++++++++++++++++++++++++++
1 files changed, 195 insertions(+), 0 deletions(-)
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
new file mode 100644
index 0000000..3c42633
--- /dev/null
+++ b/eclass/selinux-policy-2.eclass
@@ -0,0 +1,195 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.6 2011/05/20 19:06:07 blueness Exp $
+
+# Eclass for installing SELinux policy, and optionally
+# reloading the reference-policy based modules.
+
+# @ECLASS: selinux-policy-2.eclass
+# @MAINTAINER:
+# selinux@gentoo.org
+# @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy
+# @DESCRIPTION:
+# The selinux-policy-2.eclass supports deployment of the various SELinux modules
+# defined in the sec-policy category. It is responsible for extracting the
+# specific bits necessary for single-module deployment (instead of full-blown
+# policy rebuilds) and applying the necessary patches.
+#
+# Also, it supports for bundling patches to make the whole thing just a bit more
+# manageable.
+
+# @ECLASS-VARIABLE: MODS
+# @DESCRIPTION:
+# This variable contains the (upstream) module name for the SELinux module.
+# This name is only the module name, not the category!
+: ${MODS:="_illegal"}
+
+# @ECLASS-VARIABLE: BASEPOL
+# @DESCRIPTION:
+# This variable contains the version string of the selinux-base-policy package
+# that this module build depends on. It is used to patch with the appropriate
+# patch bundle(s) that are part of selinux-base-policy.
+: ${BASEPOL:="0"}
+
+# @ECLASS-VARIABLE: POLICY_PATCH
+# @DESCRIPTION:
+# This variable contains the additional patch(es) that need to be applied on top
+# of the patchset already contained within the BASEPOL variable.
+: ${POLICY_PATCH:=""}
+
+# @ECLASS-VARIABLE: POLICY_TYPES
+# @DESCRIPTION:
+# This variable informs the eclass for which SELinux policies the module should
+# be built. Currently, Gentoo supports targeted, strict, mcs and mls.
+# This variable is the same POLICY_TYPES variable that we tell SELinux
+# users to set in /etc/make.conf. Therefor, it is not the module that should
+# override it, but the user.
+: ${POLICY_TYPES:="targeted strict mcs mls"}
+
+inherit eutils
+
+IUSE=""
+
+HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
+if [[ "${BASEPOL}" == "0" ]];
+then
+ SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
+else
+ SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2
+ http://dev.gentoo.org/~blueness/patchbundle-selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
+fi
+
+LICENSE="GPL-2"
+SLOT="0"
+S="${WORKDIR}/"
+PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
+
+# Modules should always depend on at least the first release of the
+# selinux-base-policy for which they are generated.
+if [[ "${BASEPOL}" == "0" ]];
+then
+ RDEPEND=">=sys-apps/policycoreutils-2.0.82
+ >=sec-policy/selinux-base-policy-${PV}"
+else
+ RDEPEND=">=sys-apps/policycoreutils-2.0.82
+ >=sec-policy/selinux-base-policy-${BASEPOL}"
+fi
+DEPEND="${RDEPEND}
+ sys-devel/m4
+ >=sys-apps/checkpolicy-2.0.21"
+
+SELINUX_EXPF="src_unpack src_compile src_install pkg_postinst"
+case "${EAPI:-0}" in
+ 2|3|4) SELINUX_EXPF+=" src_prepare" ;;
+ *) ;;
+esac
+
+EXPORT_FUNCTIONS ${SELINUX_EXPF}
+
+# @FUNCTION: selinux-policy-2_src_unpack
+# @DESCRIPTION:
+# Unpack the policy sources as offered by upstream (refpolicy). In case of EAPI
+# older than 2, call src_prepare too.
+selinux-policy-2_src_unpack() {
+ unpack ${A}
+
+ if [[ ${EAPI:-0} -le 1 ]];
+ then
+ # Call src_prepare explicitly for EAPI 0 or 1
+ selinux-policy-2_src_prepare
+ fi
+}
+
+# @FUNCTION: selinux-policy-2_src_prepare
+# @DESCRIPTION:
+# Patch the reference policy sources with our set of enhancements. Start with
+# the base patchbundle referred to by the ebuilds through the BASEPOL variable,
+# then apply the additional patches as offered by the ebuild.
+#
+# Next, extract only those files needed for this particular module (i.e. the .te
+# and .fc files for the given module in the MODS variable).
+#
+# Finally, prepare the build environments for each of the supported SELinux
+# types (such as targeted or strict), depending on the POLICY_TYPES variable
+# content.
+selinux-policy-2_src_prepare() {
+ local modfiles
+
+ # Patch the sources with the base patchbundle
+ if [[ "${BASEPOL}" != "0" ]];
+ then
+ cd "${S}"
+ epatch "${PATCHBUNDLE}"
+ fi
+
+ # Apply the additional patches refered to by the module ebuild
+ if [ -n "${POLICY_PATCH}" ];
+ then
+ for POLPATCH in "${POLICY_PATCH}";
+ do
+ cd "${S}/refpolicy/policy/modules"
+ # Although epatch dies in EAPI=4 by itself, we support other EAPIs
+ # too for the time being, so we explicitly die on it.
+ epatch "${POLPATCH}" || die "Failed to apply patch ${POLPATCH}"
+ done
+ fi
+
+ # Collect only those files needed for this particular module
+ for i in ${MODS}; do
+ modfiles="`find ${S}/refpolicy/policy/modules -iname $i.te` $modfiles"
+ modfiles="`find ${S}/refpolicy/policy/modules -iname $i.fc` $modfiles"
+ done
+
+ for i in ${POLICY_TYPES}; do
+ mkdir "${S}"/${i}
+ cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile
+
+ cp ${modfiles} "${S}"/${i}
+ done
+}
+
+# @FUNCTION: selinux-policy-2_src_compile
+# @DESCRIPTION:
+# Build the SELinux policy module (.pp file) for just the selected module, and
+# this for each SELinux policy mentioned in POLICY_TYPES
+selinux-policy-2_src_compile() {
+ for i in ${POLICY_TYPES}; do
+ make NAME=$i -C "${S}"/${i} || die "${i} compile failed"
+ done
+}
+
+# @FUNCTION: selinux-policy-2_src_install
+# @DESCRIPTION:
+# Install the built .pp files in the correct subdirectory within
+# /usr/share/selinux.
+selinux-policy-2_src_install() {
+ local BASEDIR="/usr/share/selinux"
+
+ for i in ${POLICY_TYPES}; do
+ for j in ${MODS}; do
+ echo "Installing ${i} ${j} policy package"
+ insinto ${BASEDIR}/${i}
+ doins "${S}"/${i}/${j}.pp
+ done
+ done
+}
+
+# @FUNCTION: selinux-policy-2_pkg_postinst
+# @DESCRIPTION:
+# Install the built .pp files in the SELinux policy stores, effectively
+# activating the policy on the system.
+selinux-policy-2_pkg_postinst() {
+ # build up the command in the case of multiple modules
+ local COMMAND
+ for i in ${MODS}; do
+ COMMAND="-i ${i}.pp ${COMMAND}"
+ done
+
+ for i in ${POLICY_TYPES}; do
+ einfo "Inserting the following modules into the $i module store: ${MODS}"
+
+ cd /usr/share/selinux/${i}
+ semodule -s ${i} ${COMMAND} || die "Failed to load in modules ${MODS} in the $i policy store"
+ done
+}
+
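Review bot: `cp ${modfiles} "${S}"/${i}` in selinux-policy-2_src_prepare has no failure check, and with the documented default `MODS="_illegal"` both find calls return nothing, so modfiles is empty, cp fails on a missing operand and the build goes on to src_compile with an empty build directory. A guard before the POLICY_TYPES loop, `[[ -n ${modfiles} ]] || die "No .te/.fc files found for MODS=${MODS}"`, turns a forgotten MODS into a clear failure. The same applies to `cd "${S}"` before `epatch "${PATCHBUNDLE}"` and to `mkdir "${S}"/${i}`, neither of which dies. The quoted `for POLPATCH in "${POLICY_PATCH}"` also iterates exactly once over the whole string, so only a single patch path can ever be applied.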
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 11:58 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03 11:58 UTC (permalink / raw
To: gentoo-commits
commit: 0162eaf09d639ea29b088b569ca1cdf147c2b370
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 3 11:05:56 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug 3 11:05:56 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=0162eaf0
Make BASEPOL checks consistent with POLICY_PATCH checks, thanks to Peter Volkov (pva <AT> g.o)
---
eclass/selinux-policy-2.eclass | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 3c42633..6ae1046 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -29,7 +29,7 @@
# This variable contains the version string of the selinux-base-policy package
# that this module build depends on. It is used to patch with the appropriate
# patch bundle(s) that are part of selinux-base-policy.
-: ${BASEPOL:="0"}
+: ${BASEPOL:=""}
# @ECLASS-VARIABLE: POLICY_PATCH
# @DESCRIPTION:
@@ -51,7 +51,7 @@ inherit eutils
IUSE=""
HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
-if [[ "${BASEPOL}" == "0" ]];
+if [[ -n "${BASEPOL}" ]];
then
SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
else
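Review bot: Replacing `[[ "${BASEPOL}" == "0" ]]` with `[[ -n "${BASEPOL}" ]]` in the SRC_URI block inverts the condition: the old test selected the no-patchbundle case, the new one selects the case where a base policy version is given, but the then/else bodies were left where they were. As written, an ebuild that sets BASEPOL fetches only refpolicy and depends on selinux-base-policy-${PV}, while one without BASEPOL tries to fetch a patchbundle with an empty version string. The RDEPEND hunk at `@@ -66,7 +66,7 @@` has the same inversion; either swap the two branches in both blocks or test `[[ -z "${BASEPOL}" ]]` there. The src_prepare hunk is correct, since its original test was `!= "0"`.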
@@ -66,7 +66,7 @@ PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
# Modules should always depend on at least the first release of the
# selinux-base-policy for which they are generated.
-if [[ "${BASEPOL}" == "0" ]];
+if [[ -n "${BASEPOL}" ]];
then
RDEPEND=">=sys-apps/policycoreutils-2.0.82
>=sec-policy/selinux-base-policy-${PV}"
@@ -116,7 +116,7 @@ selinux-policy-2_src_prepare() {
local modfiles
# Patch the sources with the base patchbundle
- if [[ "${BASEPOL}" != "0" ]];
+ if [[ -n "${BASEPOL}" ]];
then
cd "${S}"
epatch "${PATCHBUNDLE}"
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 11:58 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03 11:58 UTC (permalink / raw
To: gentoo-commits
commit: 0223c058850ff90c8d6495f3408c0e0445198d9e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 3 11:12:43 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug 3 11:12:43 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=0223c058
EAPI is a string, not a number. Use has function. Thanks to Peter Volkov (pva <AT> g.o)
---
eclass/selinux-policy-2.eclass | 7 ++-----
1 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 6ae1046..61a67b5 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -93,11 +93,8 @@ EXPORT_FUNCTIONS ${SELINUX_EXPF}
selinux-policy-2_src_unpack() {
unpack ${A}
- if [[ ${EAPI:-0} -le 1 ]];
- then
- # Call src_prepare explicitly for EAPI 0 or 1
- selinux-policy-2_src_prepare
- fi
+ # Call src_prepare explicitly for EAPI 0 or 1
+ has "${EAPI:-0}" 0 1 && selinux-policy-2_src_prepare
}
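Review bot: `has "${EAPI:-0}" 0 1 && selinux-policy-2_src_prepare` is now the last statement of selinux-policy-2_src_unpack, so for EAPI 2 and later the function returns the non-zero status of the failed `has`. I cannot tell from the hunk whether the phase runner acts on that status, but `if has "${EAPI:-0}" 0 1; then selinux-policy-2_src_prepare; fi` keeps the phase's return value clean either way and avoids the `cmd && other` short-circuit the shell style guide warns about.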
# @FUNCTION: selinux-policy-2_src_prepare
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 11:58 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03 11:58 UTC (permalink / raw
To: gentoo-commits
commit: 56283a111f9abeeb4bceb9a7d3adf371cfa2a35a
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 3 11:14:45 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug 3 11:14:45 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=56283a11
Use bash tests. Do not use quotation when we are confident that the variable is declared properly and does not contain spaces or escaped characters. POLICY_PATCH requires quotation as it can contain spaces. Thanks to Peter Volkov (pva <AT> g.o)
---
eclass/selinux-policy-2.eclass | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 61a67b5..9808fab 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -51,7 +51,7 @@ inherit eutils
IUSE=""
HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
-if [[ -n "${BASEPOL}" ]];
+if [[ -n ${BASEPOL} ]];
then
SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
else
@@ -66,7 +66,7 @@ PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
# Modules should always depend on at least the first release of the
# selinux-base-policy for which they are generated.
-if [[ -n "${BASEPOL}" ]];
+if [[ -n ${BASEPOL} ]];
then
RDEPEND=">=sys-apps/policycoreutils-2.0.82
>=sec-policy/selinux-base-policy-${PV}"
@@ -113,14 +113,14 @@ selinux-policy-2_src_prepare() {
local modfiles
# Patch the sources with the base patchbundle
- if [[ -n "${BASEPOL}" ]];
+ if [[ -n ${BASEPOL} ]];
then
cd "${S}"
epatch "${PATCHBUNDLE}"
fi
# Apply the additional patches refered to by the module ebuild
- if [ -n "${POLICY_PATCH}" ];
+ if [[ -n "${POLICY_PATCH}" ]];
then
for POLPATCH in "${POLICY_PATCH}";
do
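Review bot: The commit message says POLICY_PATCH needs quoting because it can contain spaces, but `for POLPATCH in "${POLICY_PATCH}"` on the line after the changed test makes the whole space-separated value a single loop item, so two patches named in one string reach epatch as one nonexistent path. Either the value is a single path (then the quoting is right and the loop is unnecessary) or it is a list (then the loop needs `${POLICY_PATCH}` unquoted or a bash array expanded with `"${POLICY_PATCH[@]}"`); the ECLASS-VARIABLE documentation should state which. The enclosing selinux-policy-2_src_prepare continues past the hunk.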
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 11:58 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03 11:58 UTC (permalink / raw
To: gentoo-commits
commit: 3c5f2f67bbb75895798b3efb0fd7811d2447bf15
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 3 11:23:23 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug 3 11:23:23 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=3c5f2f67
Add die statements where appropriate. Thanks to Peter Volkov (pva <AT> g.o)
---
eclass/selinux-policy-2.eclass | 10 ++++++----
1 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 83ac176..423553a 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -136,10 +136,12 @@ selinux-policy-2_src_prepare() {
done
for i in ${POLICY_TYPES}; do
- mkdir "${S}"/${i}
- cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile
+ mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}"
+ cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
+ || die "Failed to copy Makefile.example to ${S}/${i}/Makefile"
- cp ${modfiles} "${S}"/${i}
+ cp ${modfiles} "${S}"/${i} \
+ || die "Failed to copy the module files to ${S}/${i}"
done
}
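Review bot: The new `|| die "Failed to copy the module files to ${S}/${i}"` on `cp ${modfiles} "${S}"/${i}` reports a misleading cause when modfiles is empty: find returned no .te/.fc for MODS, cp then complains about a missing destination operand, and the build says the copy failed. A check before the POLICY_TYPES loop, `[[ -n ${modfiles} ]] || die "No policy sources found for MODS=${MODS}"`, names the real problem. The unquoted `${modfiles}` is deliberate word-splitting on the find output and breaks on paths containing whitespace; presumably the refpolicy tree has none, but a bash array filled from `find ... -print0` would remove the assumption. selinux-policy-2_src_prepare starts before this hunk.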
@@ -183,7 +185,7 @@ selinux-policy-2_pkg_postinst() {
for i in ${POLICY_TYPES}; do
einfo "Inserting the following modules into the $i module store: ${MODS}"
- cd /usr/share/selinux/${i}
+ cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
semodule -s ${i} ${COMMAND} || die "Failed to load in modules ${MODS} in the $i policy store"
done
}
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 11:58 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03 11:58 UTC (permalink / raw
To: gentoo-commits
commit: b5eaa0acf1f5497cdbc5fe41329e8a510dc19284
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 3 11:18:16 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug 3 11:18:16 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=b5eaa0ac
Use $(...) instead of backticks. Thanks to Peter Volkov (pva <AT> g.o)
---
eclass/selinux-policy-2.eclass | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 5b92514..83ac176 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -131,8 +131,8 @@ selinux-policy-2_src_prepare() {
# Collect only those files needed for this particular module
for i in ${MODS}; do
- modfiles="`find ${S}/refpolicy/policy/modules -iname $i.te` $modfiles"
- modfiles="`find ${S}/refpolicy/policy/modules -iname $i.fc` $modfiles"
+ modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
+ modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
done
for i in ${POLICY_TYPES}; do
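Review bot: The converted substitutions still leave `${S}/refpolicy/policy/modules` and `$i.te` unquoted inside the find call, so a WORKDIR containing whitespace splits the search path and a module name containing glob characters is expanded by the shell before find sees it; `$(find "${S}/refpolicy/policy/modules" -iname "${i}.te")` is the same kind of cleanup as dropping the backticks. `-iname` is also case-insensitive, so if two modules ever differed only in case both would be collected; `-name` is the stricter match unless the loose matching is intended. The enclosing selinux-policy-2_src_prepare starts before the hunk.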
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 11:58 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03 11:58 UTC (permalink / raw
To: gentoo-commits
commit: 9fad4b94864b862d60ca24a0dac34e65b35d4000
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 3 11:15:47 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug 3 11:15:47 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=9fad4b94
epatch always dies (not related to any EAPI). Thanks to Peter Volkov (pva <AT> g.o)
---
eclass/selinux-policy-2.eclass | 4 +---
1 files changed, 1 insertions(+), 3 deletions(-)
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 9808fab..5b92514 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -125,9 +125,7 @@ selinux-policy-2_src_prepare() {
for POLPATCH in "${POLICY_PATCH}";
do
cd "${S}/refpolicy/policy/modules"
- # Although epatch dies in EAPI=4 by itself, we support other EAPIs
- # too for the time being, so we explicitly die on it.
- epatch "${POLPATCH}" || die "Failed to apply patch ${POLPATCH}"
+ epatch "${POLPATCH}"
done
fi
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 11:58 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03 11:58 UTC (permalink / raw
To: gentoo-commits
commit: 2f23308160e9aab96410721249df4534b26bb087
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 3 11:55:54 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug 3 11:55:54 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=2f233081
Use emake instead of make. Thanks to Peter Volkov (pva <AT> g.o)
---
eclass/selinux-policy-2.eclass | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 423553a..0229ad4 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -151,7 +151,7 @@ selinux-policy-2_src_prepare() {
# this for each SELinux policy mentioned in POLICY_TYPES
selinux-policy-2_src_compile() {
for i in ${POLICY_TYPES}; do
- make NAME=$i -C "${S}"/${i} || die "${i} compile failed"
+ emake NAME=$i -C "${S}"/${i} || die "${i} compile failed"
done
}
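Review bot: `emake` adds the user's MAKEOPTS, so this line now builds the refpolicy module with whatever `-j` the user configured; unless that Makefile is known to be parallel-safe, pass `-j1` explicitly, `emake -j1 NAME=$i -C "${S}"/${i} || die "${i} compile failed"`. The `|| die` should stay, since as I understand it emake only dies on its own from EAPI 4 onward and the eclass exports for older EAPIs too.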
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 11:58 Sven Vermeulen
0 siblings, 0 replies; 41+ messages in thread
From: Sven Vermeulen @ 2011-08-03 11:58 UTC (permalink / raw
To: gentoo-commits
commit: 5d5e738bf014a81a9d558204de486d188dc8afd3
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 3 11:58:20 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug 3 11:58:20 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=5d5e738b
Use die on doins (needed for EAPI < 4). Thanks to Peter Volkov (pva <AT> g.o)
---
eclass/selinux-policy-2.eclass | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index ed3f5af..c953a36 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -166,7 +166,7 @@ selinux-policy-2_src_install() {
for j in ${MODS}; do
einfo "Installing ${i} ${j} policy package"
insinto ${BASEDIR}/${i}
- doins "${S}"/${i}/${j}.pp
+ doins "${S}"/${i}/${j}.pp || die "Failed to add ${j}.pp to ${i}"
done
done
}
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 11:58 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03 11:58 UTC (permalink / raw
To: gentoo-commits
commit: 0d82dd29d5e286586d4776746d12f66f6f517357
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 3 11:56:23 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug 3 11:56:23 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=0d82dd29
Use einfo for showing progress information. Thanks to Peter Volkov (pva <AT> g.o)
---
eclass/selinux-policy-2.eclass | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 0229ad4..ed3f5af 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -164,7 +164,7 @@ selinux-policy-2_src_install() {
for i in ${POLICY_TYPES}; do
for j in ${MODS}; do
- echo "Installing ${i} ${j} policy package"
+ einfo "Installing ${i} ${j} policy package"
insinto ${BASEDIR}/${i}
doins "${S}"/${i}/${j}.pp
done
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 13:14 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03 13:14 UTC (permalink / raw
To: gentoo-commits
commit: b73399d26ce05e9c82d38e5cb1af11f7203cad55
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 3 13:13:41 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug 3 13:13:41 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=b73399d2
Awch, messed around -n and -z
---
eclass/selinux-policy-2.eclass | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index c953a36..75b20ba 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -53,10 +53,10 @@ IUSE=""
HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
if [[ -n ${BASEPOL} ]];
then
- SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
-else
SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2
http://dev.gentoo.org/~blueness/patchbundle-selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
+else
+ SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
fi
LICENSE="GPL-2"
@@ -69,10 +69,10 @@ PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
if [[ -n ${BASEPOL} ]];
then
RDEPEND=">=sys-apps/policycoreutils-2.0.82
- >=sec-policy/selinux-base-policy-${PV}"
+ >=sec-policy/selinux-base-policy-${BASEPOL}"
else
RDEPEND=">=sys-apps/policycoreutils-2.0.82
- >=sec-policy/selinux-base-policy-${BASEPOL}"
+ >=sec-policy/selinux-base-policy-${PV}"
fi
DEPEND="${RDEPEND}
sys-devel/m4
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 19:01 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03 19:01 UTC (permalink / raw
To: gentoo-commits
commit: 8d254c9a2cb65463e5a639207c5874d05bdb6990
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 3 19:00:25 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug 3 19:00:25 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=8d254c9a
Use emake instead of make. Force -j1 since parallel builds are broken. Thanks to Peter Volkov (pva <AT> g.o)
---
eclass/selinux-policy-2.eclass | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 2c9fac0..086d835 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -151,7 +151,8 @@ selinux-policy-2_src_prepare() {
# this for each SELinux policy mentioned in POLICY_TYPES
selinux-policy-2_src_compile() {
for i in ${POLICY_TYPES}; do
- make NAME=$i -C "${S}"/${i} || die "${i} compile failed"
+ # Parallel builds are broken, so we need to force -j1 here
+ emake -j1 NAME=$i -C "${S}"/${i} || die "${i} compile failed"
done
}
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 19:01 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03 19:01 UTC (permalink / raw
To: gentoo-commits
commit: 9b650758a5b4d4353b9c759cb566161f3a1402f6
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 3 13:23:26 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug 3 13:23:26 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=9b650758
Emake fails here with weird errors about missing files that should be generated during the make session
---
eclass/selinux-policy-2.eclass | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 75b20ba..2c9fac0 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -151,7 +151,7 @@ selinux-policy-2_src_prepare() {
# this for each SELinux policy mentioned in POLICY_TYPES
selinux-policy-2_src_compile() {
for i in ${POLICY_TYPES}; do
- emake NAME=$i -C "${S}"/${i} || die "${i} compile failed"
+ make NAME=$i -C "${S}"/${i} || die "${i} compile failed"
done
}
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 19:16 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03 19:16 UTC (permalink / raw
To: gentoo-commits
commit: a5a72f5b16fc711977cd8798cb6bcb16769d7e8f
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 3 19:15:36 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug 3 19:15:36 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=a5a72f5b
Support bash arrays for POLICY_PATCH. Thanks to Peter Volkov (pva <AT> g.o)
---
eclass/selinux-policy-2.eclass | 21 ++++++++++++++++-----
1 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 400abb7..3b75c1f 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -34,7 +34,8 @@
# @ECLASS-VARIABLE: POLICY_PATCH
# @DESCRIPTION:
# This variable contains the additional patch(es) that need to be applied on top
-# of the patchset already contained within the BASEPOL variable.
+# of the patchset already contained within the BASEPOL variable. The variable
+# can be both a simple string (space-separated) or a bash array.
: ${POLICY_PATCH:=""}
# @ECLASS-VARIABLE: POLICY_TYPES
@@ -119,14 +120,24 @@ selinux-policy-2_src_prepare() {
epatch "${PATCHBUNDLE}"
fi
- # Apply the additional patches refered to by the module ebuild
- if [[ -n ${POLICY_PATCH} ]];
+ # Apply the additional patches refered to by the module ebuild.
+ # But first some magic to differentiate between bash arrays and strings
+ if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]];
then
- for POLPATCH in ${POLICY_PATCH};
+ cd "${S}/refpolicy/policy/modules"
+ for POLPATCH in "${POLICY_PATCH[@]}";
do
- cd "${S}/refpolicy/policy/modules"
epatch "${POLPATCH}"
done
+ else
+ if [[ -n ${POLICY_PATCH} ]];
+ then
+ cd "${S}/refpolicy/policy/modules"
+ for POLPATCH in ${POLICY_PATCH};
+ do
+ epatch "${POLPATCH}"
+ done
+ fi
fi
# Collect only those files needed for this particular module
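Review bot: `declare -p POLICY_PATCH 2>/dev/null 2>&1` redirects stderr twice and the second redirection wins, so when POLICY_PATCH is unset the `declare: POLICY_PATCH: not found` diagnostic goes to stdout and ends up inside the compared string. It can never match `declare -a*`, so the test still behaves, but the intent is clearly `2>/dev/null` on its own. Both branches also `cd "${S}/refpolicy/policy/modules"` without a check, while the rest of the eclass dies on a failed cd; one `cd "${S}/refpolicy/policy/modules" || die "Could not enter ${S}/refpolicy/policy/modules"` hoisted above the `if` would serve both. selinux-policy-2_src_prepare starts and ends outside this hunk.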
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 19:16 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03 19:16 UTC (permalink / raw
To: gentoo-commits
commit: 0e949f45a78986a1779e22f297e221ebc1569dcd
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 3 19:02:18 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug 3 19:02:18 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=0e949f45
Quotes within bash test statements are not needed. Thanks to Peter Volkov (pva <AT> g.o)
---
eclass/selinux-policy-2.eclass | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 086d835..400abb7 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -120,9 +120,9 @@ selinux-policy-2_src_prepare() {
fi
# Apply the additional patches refered to by the module ebuild
- if [[ -n "${POLICY_PATCH}" ]];
+ if [[ -n ${POLICY_PATCH} ]];
then
- for POLPATCH in "${POLICY_PATCH}";
+ for POLPATCH in ${POLICY_PATCH};
do
cd "${S}/refpolicy/policy/modules"
epatch "${POLPATCH}"
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-07 10:47 Anthony G. Basile
From: Anthony G. Basile @ 2011-08-07 10:47 UTC (permalink / raw
To: gentoo-commits
commit: 0fc8c9095feaf0c14ed3ae3300ccda5e8326fbec
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun Aug 7 10:47:39 2011 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun Aug 7 10:47:39 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=0fc8c909
eclass/selinux-policy-2.eclass: moved to tree
---
eclass/selinux-policy-2.eclass | 204 ----------------------------------------
1 files changed, 0 insertions(+), 204 deletions(-)
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
deleted file mode 100644
index 3b75c1f..0000000
--- a/eclass/selinux-policy-2.eclass
+++ /dev/null
@@ -1,204 +0,0 @@
-# Copyright 1999-2011 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.6 2011/05/20 19:06:07 blueness Exp $
-
-# Eclass for installing SELinux policy, and optionally
-# reloading the reference-policy based modules.
-
-# @ECLASS: selinux-policy-2.eclass
-# @MAINTAINER:
-# selinux@gentoo.org
-# @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy
-# @DESCRIPTION:
-# The selinux-policy-2.eclass supports deployment of the various SELinux modules
-# defined in the sec-policy category. It is responsible for extracting the
-# specific bits necessary for single-module deployment (instead of full-blown
-# policy rebuilds) and applying the necessary patches.
-#
-# Also, it supports for bundling patches to make the whole thing just a bit more
-# manageable.
-
-# @ECLASS-VARIABLE: MODS
-# @DESCRIPTION:
-# This variable contains the (upstream) module name for the SELinux module.
-# This name is only the module name, not the category!
-: ${MODS:="_illegal"}
-
-# @ECLASS-VARIABLE: BASEPOL
-# @DESCRIPTION:
-# This variable contains the version string of the selinux-base-policy package
-# that this module build depends on. It is used to patch with the appropriate
-# patch bundle(s) that are part of selinux-base-policy.
-: ${BASEPOL:=""}
-
-# @ECLASS-VARIABLE: POLICY_PATCH
-# @DESCRIPTION:
-# This variable contains the additional patch(es) that need to be applied on top
-# of the patchset already contained within the BASEPOL variable. The variable
-# can be both a simple string (space-separated) or a bash array.
-: ${POLICY_PATCH:=""}
-
-# @ECLASS-VARIABLE: POLICY_TYPES
-# @DESCRIPTION:
-# This variable informs the eclass for which SELinux policies the module should
-# be built. Currently, Gentoo supports targeted, strict, mcs and mls.
-# This variable is the same POLICY_TYPES variable that we tell SELinux
-# users to set in /etc/make.conf. Therefor, it is not the module that should
-# override it, but the user.
-: ${POLICY_TYPES:="targeted strict mcs mls"}
-
-inherit eutils
-
-IUSE=""
-
-HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
-if [[ -n ${BASEPOL} ]];
-then
- SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2
- http://dev.gentoo.org/~blueness/patchbundle-selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
-else
- SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
-fi
-
-LICENSE="GPL-2"
-SLOT="0"
-S="${WORKDIR}/"
-PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
-
-# Modules should always depend on at least the first release of the
-# selinux-base-policy for which they are generated.
-if [[ -n ${BASEPOL} ]];
-then
- RDEPEND=">=sys-apps/policycoreutils-2.0.82
- >=sec-policy/selinux-base-policy-${BASEPOL}"
-else
- RDEPEND=">=sys-apps/policycoreutils-2.0.82
- >=sec-policy/selinux-base-policy-${PV}"
-fi
-DEPEND="${RDEPEND}
- sys-devel/m4
- >=sys-apps/checkpolicy-2.0.21"
-
-SELINUX_EXPF="src_unpack src_compile src_install pkg_postinst"
-case "${EAPI:-0}" in
- 2|3|4) SELINUX_EXPF+=" src_prepare" ;;
- *) ;;
-esac
-
-EXPORT_FUNCTIONS ${SELINUX_EXPF}
-
-# @FUNCTION: selinux-policy-2_src_unpack
-# @DESCRIPTION:
-# Unpack the policy sources as offered by upstream (refpolicy). In case of EAPI
-# older than 2, call src_prepare too.
-selinux-policy-2_src_unpack() {
- unpack ${A}
-
- # Call src_prepare explicitly for EAPI 0 or 1
- has "${EAPI:-0}" 0 1 && selinux-policy-2_src_prepare
-}
-
-# @FUNCTION: selinux-policy-2_src_prepare
-# @DESCRIPTION:
-# Patch the reference policy sources with our set of enhancements. Start with
-# the base patchbundle referred to by the ebuilds through the BASEPOL variable,
-# then apply the additional patches as offered by the ebuild.
-#
-# Next, extract only those files needed for this particular module (i.e. the .te
-# and .fc files for the given module in the MODS variable).
-#
-# Finally, prepare the build environments for each of the supported SELinux
-# types (such as targeted or strict), depending on the POLICY_TYPES variable
-# content.
-selinux-policy-2_src_prepare() {
- local modfiles
-
- # Patch the sources with the base patchbundle
- if [[ -n ${BASEPOL} ]];
- then
- cd "${S}"
- epatch "${PATCHBUNDLE}"
- fi
-
- # Apply the additional patches refered to by the module ebuild.
- # But first some magic to differentiate between bash arrays and strings
- if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]];
- then
- cd "${S}/refpolicy/policy/modules"
- for POLPATCH in "${POLICY_PATCH[@]}";
- do
- epatch "${POLPATCH}"
- done
- else
- if [[ -n ${POLICY_PATCH} ]];
- then
- cd "${S}/refpolicy/policy/modules"
- for POLPATCH in ${POLICY_PATCH};
- do
- epatch "${POLPATCH}"
- done
- fi
- fi
-
- # Collect only those files needed for this particular module
- for i in ${MODS}; do
- modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
- modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
- done
-
- for i in ${POLICY_TYPES}; do
- mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}"
- cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
- || die "Failed to copy Makefile.example to ${S}/${i}/Makefile"
-
- cp ${modfiles} "${S}"/${i} \
- || die "Failed to copy the module files to ${S}/${i}"
- done
-}
-
-# @FUNCTION: selinux-policy-2_src_compile
-# @DESCRIPTION:
-# Build the SELinux policy module (.pp file) for just the selected module, and
-# this for each SELinux policy mentioned in POLICY_TYPES
-selinux-policy-2_src_compile() {
- for i in ${POLICY_TYPES}; do
- # Parallel builds are broken, so we need to force -j1 here
- emake -j1 NAME=$i -C "${S}"/${i} || die "${i} compile failed"
- done
-}
-
-# @FUNCTION: selinux-policy-2_src_install
-# @DESCRIPTION:
-# Install the built .pp files in the correct subdirectory within
-# /usr/share/selinux.
-selinux-policy-2_src_install() {
- local BASEDIR="/usr/share/selinux"
-
- for i in ${POLICY_TYPES}; do
- for j in ${MODS}; do
- einfo "Installing ${i} ${j} policy package"
- insinto ${BASEDIR}/${i}
- doins "${S}"/${i}/${j}.pp || die "Failed to add ${j}.pp to ${i}"
- done
- done
-}
-
-# @FUNCTION: selinux-policy-2_pkg_postinst
-# @DESCRIPTION:
-# Install the built .pp files in the SELinux policy stores, effectively
-# activating the policy on the system.
-selinux-policy-2_pkg_postinst() {
- # build up the command in the case of multiple modules
- local COMMAND
- for i in ${MODS}; do
- COMMAND="-i ${i}.pp ${COMMAND}"
- done
-
- for i in ${POLICY_TYPES}; do
- einfo "Inserting the following modules into the $i module store: ${MODS}"
-
- cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
- semodule -s ${i} ${COMMAND} || die "Failed to load in modules ${MODS} in the $i policy store"
- done
-}
-
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2012-04-22 18:00 Sven Vermeulen
From: Sven Vermeulen @ 2012-04-22 18:00 UTC (permalink / raw
To: gentoo-commits
commit: c9c0824e1e0ac98a651a991f7266d25783ab542d
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Apr 22 17:59:48 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Apr 22 17:59:48 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=c9c0824e
Adding (as-is) selinux policy eclass
---
eclass/selinux-policy-2.eclass | 208 ++++++++++++++++++++++++++++++++++++++++
1 files changed, 208 insertions(+), 0 deletions(-)
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
new file mode 100644
index 0000000..a20d3e9
--- /dev/null
+++ b/eclass/selinux-policy-2.eclass
@@ -0,0 +1,208 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.11 2011/08/29 01:28:10 vapier Exp $
+
+# Eclass for installing SELinux policy, and optionally
+# reloading the reference-policy based modules.
+
+# @ECLASS: selinux-policy-2.eclass
+# @MAINTAINER:
+# selinux@gentoo.org
+# @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy
+# @DESCRIPTION:
+# The selinux-policy-2.eclass supports deployment of the various SELinux modules
+# defined in the sec-policy category. It is responsible for extracting the
+# specific bits necessary for single-module deployment (instead of full-blown
+# policy rebuilds) and applying the necessary patches.
+#
+# Also, it supports for bundling patches to make the whole thing just a bit more
+# manageable.
+
+# @ECLASS-VARIABLE: MODS
+# @DESCRIPTION:
+# This variable contains the (upstream) module name for the SELinux module.
+# This name is only the module name, not the category!
+: ${MODS:="_illegal"}
+
+# @ECLASS-VARIABLE: BASEPOL
+# @DESCRIPTION:
+# This variable contains the version string of the selinux-base-policy package
+# that this module build depends on. It is used to patch with the appropriate
+# patch bundle(s) that are part of selinux-base-policy.
+: ${BASEPOL:=""}
+
+# @ECLASS-VARIABLE: POLICY_PATCH
+# @DESCRIPTION:
+# This variable contains the additional patch(es) that need to be applied on top
+# of the patchset already contained within the BASEPOL variable. The variable
+# can be both a simple string (space-separated) or a bash array.
+: ${POLICY_PATCH:=""}
+
+# @ECLASS-VARIABLE: POLICY_TYPES
+# @DESCRIPTION:
+# This variable informs the eclass for which SELinux policies the module should
+# be built. Currently, Gentoo supports targeted, strict, mcs and mls.
+# This variable is the same POLICY_TYPES variable that we tell SELinux
+# users to set in /etc/make.conf. Therefor, it is not the module that should
+# override it, but the user.
+: ${POLICY_TYPES:="targeted strict mcs mls"}
+
+inherit eutils
+
+IUSE=""
+
+HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
+if [[ -n ${BASEPOL} ]];
+then
+ SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2
+ http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
+else
+ SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
+fi
+
+LICENSE="GPL-2"
+SLOT="0"
+S="${WORKDIR}/"
+PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
+
+# Modules should always depend on at least the first release of the
+# selinux-base-policy for which they are generated.
+if [[ -n ${BASEPOL} ]];
+then
+ RDEPEND=">=sys-apps/policycoreutils-2.0.82
+ >=sec-policy/selinux-base-policy-${BASEPOL}"
+else
+ RDEPEND=">=sys-apps/policycoreutils-2.0.82
+ >=sec-policy/selinux-base-policy-${PV}"
+fi
+DEPEND="${RDEPEND}
+ sys-devel/m4
+ >=sys-apps/checkpolicy-2.0.21"
+
+SELINUX_EXPF="src_unpack src_compile src_install pkg_postinst"
+case "${EAPI:-0}" in
+ 2|3|4) SELINUX_EXPF+=" src_prepare" ;;
+ *) ;;
+esac
+
+EXPORT_FUNCTIONS ${SELINUX_EXPF}
+
+# @FUNCTION: selinux-policy-2_src_unpack
+# @DESCRIPTION:
+# Unpack the policy sources as offered by upstream (refpolicy). In case of EAPI
+# older than 2, call src_prepare too.
+selinux-policy-2_src_unpack() {
+ unpack ${A}
+
+ # Call src_prepare explicitly for EAPI 0 or 1
+ has "${EAPI:-0}" 0 1 && selinux-policy-2_src_prepare
+}
+
+# @FUNCTION: selinux-policy-2_src_prepare
+# @DESCRIPTION:
+# Patch the reference policy sources with our set of enhancements. Start with
+# the base patchbundle referred to by the ebuilds through the BASEPOL variable,
+# then apply the additional patches as offered by the ebuild.
+#
+# Next, extract only those files needed for this particular module (i.e. the .te
+# and .fc files for the given module in the MODS variable).
+#
+# Finally, prepare the build environments for each of the supported SELinux
+# types (such as targeted or strict), depending on the POLICY_TYPES variable
+# content.
+selinux-policy-2_src_prepare() {
+ local modfiles
+
+ # Patch the sources with the base patchbundle
+ if [[ -n ${BASEPOL} ]];
+ then
+ cd "${S}"
+ EPATCH_MULTI_MSG="Applying SELinux policy updates ... " \
+ EPATCH_SUFFIX="patch" \
+ EPATCH_SOURCE="${WORKDIR}" \
+ EPATCH_FORCE="yes" \
+ epatch
+ fi
+
+ # Apply the additional patches refered to by the module ebuild.
+ # But first some magic to differentiate between bash arrays and strings
+ if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]];
+ then
+ cd "${S}/refpolicy/policy/modules"
+ for POLPATCH in "${POLICY_PATCH[@]}";
+ do
+ epatch "${POLPATCH}"
+ done
+ else
+ if [[ -n ${POLICY_PATCH} ]];
+ then
+ cd "${S}/refpolicy/policy/modules"
+ for POLPATCH in ${POLICY_PATCH};
+ do
+ epatch "${POLPATCH}"
+ done
+ fi
+ fi
+
+ # Collect only those files needed for this particular module
+ for i in ${MODS}; do
+ modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
+ modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
+ done
+
+ for i in ${POLICY_TYPES}; do
+ mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}"
+ cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
+ || die "Failed to copy Makefile.example to ${S}/${i}/Makefile"
+
+ cp ${modfiles} "${S}"/${i} \
+ || die "Failed to copy the module files to ${S}/${i}"
+ done
+}
+
+# @FUNCTION: selinux-policy-2_src_compile
+# @DESCRIPTION:
+# Build the SELinux policy module (.pp file) for just the selected module, and
+# this for each SELinux policy mentioned in POLICY_TYPES
+selinux-policy-2_src_compile() {
+ for i in ${POLICY_TYPES}; do
+ # Parallel builds are broken, so we need to force -j1 here
+ emake -j1 NAME=$i -C "${S}"/${i} || die "${i} compile failed"
+ done
+}
+
+# @FUNCTION: selinux-policy-2_src_install
+# @DESCRIPTION:
+# Install the built .pp files in the correct subdirectory within
+# /usr/share/selinux.
+selinux-policy-2_src_install() {
+ local BASEDIR="/usr/share/selinux"
+
+ for i in ${POLICY_TYPES}; do
+ for j in ${MODS}; do
+ einfo "Installing ${i} ${j} policy package"
+ insinto ${BASEDIR}/${i}
+ doins "${S}"/${i}/${j}.pp || die "Failed to add ${j}.pp to ${i}"
+ done
+ done
+}
+
+# @FUNCTION: selinux-policy-2_pkg_postinst
+# @DESCRIPTION:
+# Install the built .pp files in the SELinux policy stores, effectively
+# activating the policy on the system.
+selinux-policy-2_pkg_postinst() {
+ # build up the command in the case of multiple modules
+ local COMMAND
+ for i in ${MODS}; do
+ COMMAND="-i ${i}.pp ${COMMAND}"
+ done
+
+ for i in ${POLICY_TYPES}; do
+ einfo "Inserting the following modules into the $i module store: ${MODS}"
+
+ cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
+ semodule -s ${i} ${COMMAND} || die "Failed to load in modules ${MODS} in the $i policy store"
+ done
+}
+
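Review bot: The two `cd "${S}/refpolicy/policy/modules"` calls in selinux-policy-2_src_prepare are unchecked, so if the directory is missing the `epatch` loops silently run in the previous working directory instead of failing; append `|| die "Could not enter ${S}/refpolicy/policy/modules"` to both, matching the checked `cd` in pkg_postinst. The `_illegal` default for MODS is never tested anywhere in the file, so an ebuild that forgets to set MODS only surfaces later, once `find -iname _illegal.te` has returned nothing, as a copy failure at `cp ${modfiles} "${S}"/${i}`; a `[[ ${MODS} == _illegal ]] && die "MODS is not set"` at the top of src_prepare would name the real cause. The `2>/dev/null 2>&1` on the `declare -p` test sends stderr into the captured string, so `2>/dev/null` alone is what was intended.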
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2012-04-22 18:07 Sven Vermeulen
From: Sven Vermeulen @ 2012-04-22 18:07 UTC (permalink / raw
To: gentoo-commits
commit: 6fa49b811f98a49d4c80929fbe4665e2aa398491
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Apr 22 18:06:43 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Apr 22 18:06:43 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=6fa49b81
Adding support for POLICY_FILES (mark modules as contrib/ modules)
---
eclass/selinux-policy-2.eclass | 28 ++++++++++++++++++++++++++++
1 files changed, 28 insertions(+), 0 deletions(-)
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index a20d3e9..6724067 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -38,6 +38,15 @@
# can be both a simple string (space-separated) or a bash array.
: ${POLICY_PATCH:=""}
+# @ECLASS-VARIABLE: POLICY_FILES
+# @DESCRIPTION:
+# When defined, this contains the files (located in the ebuilds' files/
+# directory) which should be copied as policy module files into the store.
+# Generally, users would want to include at least a .te and .fc file, but .if
+# files are supported as well. The variable can be both a simple string
+# (space-separated) or a bash array.
+: ${POLICY_FILES:=""}
+
# @ECLASS-VARIABLE: POLICY_TYPES
# @DESCRIPTION:
# This variable informs the eclass for which SELinux policies the module should
@@ -124,6 +133,25 @@ selinux-policy-2_src_prepare() {
epatch
fi
+ # Copy additional files to the contrib/ location
+ if [[ "$(declare -p POLICY_FILES 2>/dev/null 2>&1)" == "declare -a"* ]];
+ then
+ cd "${S}/refpolicy/policy/modules"
+ for POLFILE in "${POLICY_FILES[@]}";
+ do
+ cp "${POLFILE}" contrib/ || die "Could not copy over ${POLFILE} to contrib/ location";
+ done
+ else
+ if [[ -n ${POLICY_FILES} ]];
+ then
+ cd "${S}/refpolicy/policy/modules"
+ for POLFILE in ${POLICY_FILES};
+ do
+ cp "${POLFILE}" contrib/ || die "Could not copy ${POLFILE} into contrib/ location";
+ done
+ fi
+ fi
+
# Apply the additional patches refered to by the module ebuild.
# But first some magic to differentiate between bash arrays and strings
if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]];
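Review bot: The copy in both new branches is `cp "${POLFILE}" contrib/` executed after `cd "${S}/refpolicy/policy/modules"`, so a bare filename is resolved inside the unpacked refpolicy modules tree, while the POLICY_FILES description in the first hunk says the files live in the ebuild's files/ directory; the intended source is `cp "${FILESDIR}/${POLFILE}" contrib/ || die "Could not copy ${POLFILE} to contrib/"`. The `cd` preceding each loop is unchecked and should carry `|| die` as well. The two `die` messages differ only in wording ("copy over … to" vs "copy … into"); one phrasing for both makes log searching easier. selinux-policy-2_src_prepare begins and ends outside this hunk.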
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2012-04-22 19:35 Sven Vermeulen
From: Sven Vermeulen @ 2012-04-22 19:35 UTC (permalink / raw
To: gentoo-commits
commit: e331cd79231ea08fa39006640112c4c9f1de9b7f
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Apr 22 18:18:36 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Apr 22 18:18:36 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=e331cd79
Policy files are meant to be in filesdir, so already use it
---
eclass/selinux-policy-2.eclass | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 6724067..fb22dd1 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -139,7 +139,7 @@ selinux-policy-2_src_prepare() {
cd "${S}/refpolicy/policy/modules"
for POLFILE in "${POLICY_FILES[@]}";
do
- cp "${POLFILE}" contrib/ || die "Could not copy over ${POLFILE} to contrib/ location";
+ cp "${FILESDIR}/${POLFILE}" contrib/ || die "Could not copy over ${POLFILE} to contrib/ location";
done
else
if [[ -n ${POLICY_FILES} ]];
@@ -147,7 +147,7 @@ selinux-policy-2_src_prepare() {
cd "${S}/refpolicy/policy/modules"
for POLFILE in ${POLICY_FILES};
do
- cp "${POLFILE}" contrib/ || die "Could not copy ${POLFILE} into contrib/ location";
+ cp "${FILESDIR}/${POLFILE}" contrib/ || die "Could not copy ${POLFILE} into contrib/ location";
done
fi
fi
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2012-04-22 19:35 Sven Vermeulen
From: Sven Vermeulen @ 2012-04-22 19:35 UTC (permalink / raw
To: gentoo-commits
commit: bdb3ea2d45ee16ef260e01725d7d448610395108
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Apr 22 19:35:37 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Apr 22 19:35:37 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=bdb3ea2d
Adding 3rd_party location, which involves installation of the interface files
---
eclass/selinux-policy-2.eclass | 24 +++++++++++++++++++++---
1 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index fb22dd1..c6f993a 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -121,6 +121,10 @@ selinux-policy-2_src_unpack() {
# content.
selinux-policy-2_src_prepare() {
local modfiles
+ local add_interfaces=0;
+
+ # Create 3rd_party location for user-contributed policies
+ cd "${S}/refpolicy/policy/modules" && mkdir 3rd_party;
# Patch the sources with the base patchbundle
if [[ -n ${BASEPOL} ]];
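Review bot: `cd "${S}/refpolicy/policy/modules" && mkdir 3rd_party;` ignores failure of either command, so a missing modules directory or an already existing 3rd_party entry goes unnoticed here and only shows up later as a copy error; `mkdir "${S}/refpolicy/policy/modules/3rd_party" || die "Could not create 3rd_party directory"` avoids the directory change entirely and aborts at the real cause. The trailing `;` on the new lines (here and on `local add_interfaces=0;`) is noise in bash and the rest of the file does not use it. The function continues past the end of this hunk.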
@@ -133,21 +137,23 @@ selinux-policy-2_src_prepare() {
epatch
fi
- # Copy additional files to the contrib/ location
+ # Copy additional files to the 3rd_party/ location
if [[ "$(declare -p POLICY_FILES 2>/dev/null 2>&1)" == "declare -a"* ]];
then
+ add_interfaces=1;
cd "${S}/refpolicy/policy/modules"
for POLFILE in "${POLICY_FILES[@]}";
do
- cp "${FILESDIR}/${POLFILE}" contrib/ || die "Could not copy over ${POLFILE} to contrib/ location";
+ cp "${FILESDIR}/${POLFILE}" 3rd_party/ || die "Could not copy over ${POLFILE} to 3rd_party/ location";
done
else
if [[ -n ${POLICY_FILES} ]];
then
+ add_interfaces=1;
cd "${S}/refpolicy/policy/modules"
for POLFILE in ${POLICY_FILES};
do
- cp "${FILESDIR}/${POLFILE}" contrib/ || die "Could not copy ${POLFILE} into contrib/ location";
+ cp "${FILESDIR}/${POLFILE}" 3rd_party/ || die "Could not copy ${POLFILE} into 3rd_party/ location";
done
fi
fi
@@ -176,6 +182,10 @@ selinux-policy-2_src_prepare() {
for i in ${MODS}; do
modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
+ if [ ${add_interfaces} -eq 1 ];
+ then
+ modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.if) $modfiles"
+ fi
done
for i in ${POLICY_TYPES}; do
@@ -185,6 +195,8 @@ selinux-policy-2_src_prepare() {
cp ${modfiles} "${S}"/${i} \
|| die "Failed to copy the module files to ${S}/${i}"
+
+ [ ${add_interfaces} -eq 1 ] && touch "${S}"/${i}/.install_interfaces;
done
}
@@ -211,6 +223,12 @@ selinux-policy-2_src_install() {
einfo "Installing ${i} ${j} policy package"
insinto ${BASEDIR}/${i}
doins "${S}"/${i}/${j}.pp || die "Failed to add ${j}.pp to ${i}"
+
+ if [[ -f "${S}/${i}/.install_interfaces" ]];
+ then
+ insinto ${BASEDIR}/${i}/include/3rd_party
+ doins "${S}"/${i}/${j}.if || die "Failed to add ${j}.if to ${i}"
+ fi
done
done
}
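Review bot: The new `.if` installation runs for every module in MODS whenever the `.install_interfaces` trigger exists, but the trigger is set as soon as POLICY_FILES is non-empty at all — and the POLICY_FILES description says `.if` files are optional — so a module for which the `find -iname $i.if` in the earlier hunk collected nothing reaches `doins "${S}"/${i}/${j}.if || die` with no such file and aborts the install. Testing the file itself is both simpler and correct: `if [[ -f "${S}/${i}/${j}.if" ]];` in place of the trigger-file test, which also makes the `touch` in the src_prepare hunk unnecessary. selinux-policy-2_src_install begins outside this hunk.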
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2012-05-01 11:26 Sven Vermeulen
From: Sven Vermeulen @ 2012-05-01 11:26 UTC (permalink / raw
To: gentoo-commits
commit: 36526e28cee3266ed5e62b56933fbc41e1ef3410
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May 1 11:26:20 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May 1 11:26:20 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=36526e28
Simplify eclass further, drop use of trigger file
---
eclass/selinux-policy-2.eclass | 37 +++++++++----------------------------
1 files changed, 9 insertions(+), 28 deletions(-)
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index c6f993a..07ee6c2 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -138,44 +138,27 @@ selinux-policy-2_src_prepare() {
fi
# Copy additional files to the 3rd_party/ location
- if [[ "$(declare -p POLICY_FILES 2>/dev/null 2>&1)" == "declare -a"* ]];
+ if [[ "$(declare -p POLICY_FILES 2>/dev/null 2>&1)" == "declare -a"* ]] ||
+ [[ -n ${POLICY_FILES} ]];
then
- add_interfaces=1;
+ add_interfaces=1;
cd "${S}/refpolicy/policy/modules"
- for POLFILE in "${POLICY_FILES[@]}";
+ for POLFILE in ${POLICY_FILES[@]};
do
- cp "${FILESDIR}/${POLFILE}" 3rd_party/ || die "Could not copy over ${POLFILE} to 3rd_party/ location";
+ cp "${FILESDIR}/${POLFILE}" 3rd_party/ || die "Could not copy ${POLFILE} to 3rd_party/ location";
done
- else
- if [[ -n ${POLICY_FILES} ]];
- then
- add_interfaces=1;
- cd "${S}/refpolicy/policy/modules"
- for POLFILE in ${POLICY_FILES};
- do
- cp "${FILESDIR}/${POLFILE}" 3rd_party/ || die "Could not copy ${POLFILE} into 3rd_party/ location";
- done
- fi
fi
# Apply the additional patches refered to by the module ebuild.
# But first some magic to differentiate between bash arrays and strings
- if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]];
+ if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]] ||
+ [[ -n ${POLICY_PATCH} ]];
then
cd "${S}/refpolicy/policy/modules"
- for POLPATCH in "${POLICY_PATCH[@]}";
+ for POLPATCH in ${POLICY_PATCH[@]};
do
epatch "${POLPATCH}"
done
- else
- if [[ -n ${POLICY_PATCH} ]];
- then
- cd "${S}/refpolicy/policy/modules"
- for POLPATCH in ${POLICY_PATCH};
- do
- epatch "${POLPATCH}"
- done
- fi
fi
# Collect only those files needed for this particular module
@@ -195,8 +178,6 @@ selinux-policy-2_src_prepare() {
cp ${modfiles} "${S}"/${i} \
|| die "Failed to copy the module files to ${S}/${i}"
-
- [ ${add_interfaces} -eq 1 ] && touch "${S}"/${i}/.install_interfaces;
done
}
@@ -224,7 +205,7 @@ selinux-policy-2_src_install() {
insinto ${BASEDIR}/${i}
doins "${S}"/${i}/${j}.pp || die "Failed to add ${j}.pp to ${i}"
- if [[ -f "${S}/${i}/.install_interfaces" ]];
+ if [[ "${POLICY_FILES[@]}" == *"${j}.if"* ]];
then
insinto ${BASEDIR}/${i}/include/3rd_party
doins "${S}"/${i}/${j}.if || die "Failed to add ${j}.if to ${i}"
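Review bot: `[[ "${POLICY_FILES[@]}" == *"${j}.if"* ]]` is an unanchored substring test, so a module named `foo` also matches an entry `barfoo.if` and installs an interface file that was never provided for it (or, when `find` did not collect one, dies at `doins`). An exact membership test reads better and cannot misfire: `if has "${j}.if" ${POLICY_FILES[@]};` (the `has` helper is already used in this eclass for the EAPI check; the unquoted expansion keeps the space-separated string form working). Relying on `"${arr[@]}"` inside `[[ ]]` to join the elements is also not obvious to readers; `${POLICY_FILES[*]}` is the explicit form if the pattern test is kept. selinux-policy-2_src_install continues outside this hunk.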
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2012-05-06 14:14 Sven Vermeulen
From: Sven Vermeulen @ 2012-05-06 14:14 UTC (permalink / raw
To: gentoo-commits
commit: 49dfc884d659c756408987a4ce5e015a517ec83b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun May 6 14:13:53 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun May 6 14:13:53 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=49dfc884
Full load support
---
eclass/selinux-policy-2.eclass | 27 ++++++++++++++++++++++++++-
1 files changed, 26 insertions(+), 1 deletions(-)
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 07ee6c2..ed1a685 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -229,7 +229,32 @@ selinux-policy-2_pkg_postinst() {
einfo "Inserting the following modules into the $i module store: ${MODS}"
cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
- semodule -s ${i} ${COMMAND} || die "Failed to load in modules ${MODS} in the $i policy store"
+ semodule -s ${i} ${COMMAND}
+ if [ $? -ne 0 ];
+ then
+ ewarn "SELinux module load failed. Trying full reload...";
+ semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp);
+ if [ $? -ne 0 ];
+ then
+ eerror "Failed to reload SELinux policies."
+ eerror ""
+ eerror "If this is *not* the last SELinux module package being installed,"
+ eerror "then you can safely ignore this as the reloads will be retried"
+ eerror "with other, recent modules."
+ eerror ""
+ eerror "If it is the last SELinux module package being installed however,"
+ eerror "then it is advised to look at the error above and take appropriate"
+ eerror "action since the new SELinux policies are not loaded until the"
+ eerror "command finished succesfully."
+ eerror ""
+ eerror "To reload, run the following command from within /usr/share/selinux/${i}:"
+ eerror " semodule -b base.pp -i \$(ls *.pp | grep -v base.pp)"
+ else
+ einfo "SELinux modules reloaded succesfully."
+ fi
+ else
+ einfo "SELinux modules loaded succesfully."
+ fi
done
}
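Review bot: The fallback reload builds its module list with `ls *.pp | grep -v base.pp`, where `base.pp` is an unanchored regular expression: any package whose name ends in "base" (a hypothetical `database.pp`, say) is silently left out of the rebuilt policy, so "SELinux modules reloaded succesfully." can be printed while a module is no longer loaded. A glob with an explicit comparison drops nothing by accident: `local -a mods=(); for m in *.pp; do [[ ${m} == base.pp ]] || mods+=("${m}"); done` followed by `semodule -s ${i} -b base.pp -i "${mods[@]}"`. The same pipeline appears in the hunk of commit 8d09ddcf and in the `eerror` advice text, which tells the user to run it by hand. Testing `$?` in a separate `if` after the call is fragile; `if ! semodule -s ${i} ${COMMAND}; then` expresses the same thing directly. `succesfully` in the einfo/eerror strings is a typo for `successfully`, though changing a user-facing message is a separate decision.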
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2012-05-15 17:58 Sven Vermeulen
From: Sven Vermeulen @ 2012-05-15 17:58 UTC (permalink / raw
To: gentoo-commits
commit: 8d09ddcf47d6fb207aff5c54f66521b6089bc259
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May 15 17:57:30 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May 15 17:57:30 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=8d09ddcf
Cannot use semodule -l all the time, since the initial setup also uses this function
---
eclass/selinux-policy-2.eclass | 11 +++++++++--
1 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index ffa3913..747e0f4 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -233,7 +233,11 @@ selinux-policy-2_pkg_postinst() {
if [ $? -ne 0 ];
then
ewarn "SELinux module load failed. Trying full reload...";
- semodule -s ${i} -b base.pp -i $(semodule -l | awk '{print $1".pp"}');
+ if [ "${i}" == "targeted" ];
+ semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp);
+ else
+ semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp | grep -v unconfined.pp);
+ fi
if [ $? -ne 0 ];
then
eerror "Failed to reload SELinux policies."
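Review bot: `if [ "${i}" == "targeted" ];` is missing its `then`, so bash parses the following `semodule` call as part of the condition and then rejects the `else`, which breaks the whole pkg_postinst function; the line should read `if [[ ${i} == targeted ]]; then`. The branch duplication can go: compute the exclusion once (the `unconfined.pp` filter for non-targeted types) and call `semodule` a single time, which also makes the `$?` check after `fi` refer to an obvious command. The `ls | grep -v` list building has the substring problem noted on commit 49dfc884's hunk. The function begins and ends outside this hunk.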
@@ -248,7 +252,10 @@ selinux-policy-2_pkg_postinst() {
eerror "command finished succesfully."
eerror ""
eerror "To reload, run the following command from within /usr/share/selinux/${i}:"
- eerror " semodule -b base.pp -i \$(semodule -l | awk '{print \$1\".pp\"}')"
+ eerror " semodule -b base.pp -i \$(ls *.pp | grep -v base.pp)"
+ eerror "or"
+ eerror " semodule -b base.pp -i \$(ls *.pp | grep -v base.pp | grep -v unconfined.pp)"
+ eerror "depending on if you need the unconfined domain loaded as well or not."
else
einfo "SELinux modules reloaded succesfully."
fi
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2012-05-15 18:11 Sven Vermeulen
From: Sven Vermeulen @ 2012-05-15 18:11 UTC (permalink / raw
To: gentoo-commits
commit: 57a3be5bb9765b813f1e63696833bb2f27e84497
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May 15 18:10:54 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May 15 18:10:54 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=57a3be5b
Meh
---
eclass/selinux-policy-2.eclass | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 747e0f4..5989dd4 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -234,6 +234,7 @@ selinux-policy-2_pkg_postinst() {
then
ewarn "SELinux module load failed. Trying full reload...";
if [ "${i}" == "targeted" ];
+ then
semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp);
else
semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp | grep -v unconfined.pp);
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2012-09-08 19:57 Sven Vermeulen
From: Sven Vermeulen @ 2012-09-08 19:57 UTC (permalink / raw
To: gentoo-commits
commit: 6b8bd5927b7331c3f7b22a8171f1e68f2d576f3b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Sep 8 18:35:24 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Sep 8 18:35:24 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=6b8bd592
Moved to main tree
---
eclass/selinux-policy-2.eclass | 283 ----------------------------------------
1 files changed, 0 insertions(+), 283 deletions(-)
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
deleted file mode 100644
index 8e9929b..0000000
--- a/eclass/selinux-policy-2.eclass
+++ /dev/null
@@ -1,283 +0,0 @@
-# Copyright 1999-2012 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.13 2012/07/26 12:53:01 swift Exp $
-
-# Eclass for installing SELinux policy, and optionally
-# reloading the reference-policy based modules.
-
-# @ECLASS: selinux-policy-2.eclass
-# @MAINTAINER:
-# selinux@gentoo.org
-# @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy
-# @DESCRIPTION:
-# The selinux-policy-2.eclass supports deployment of the various SELinux modules
-# defined in the sec-policy category. It is responsible for extracting the
-# specific bits necessary for single-module deployment (instead of full-blown
-# policy rebuilds) and applying the necessary patches.
-#
-# Also, it supports for bundling patches to make the whole thing just a bit more
-# manageable.
-
-# @ECLASS-VARIABLE: MODS
-# @DESCRIPTION:
-# This variable contains the (upstream) module name for the SELinux module.
-# This name is only the module name, not the category!
-: ${MODS:="_illegal"}
-
-# @ECLASS-VARIABLE: BASEPOL
-# @DESCRIPTION:
-# This variable contains the version string of the selinux-base-policy package
-# that this module build depends on. It is used to patch with the appropriate
-# patch bundle(s) that are part of selinux-base-policy.
-: ${BASEPOL:=""}
-
-# @ECLASS-VARIABLE: POLICY_PATCH
-# @DESCRIPTION:
-# This variable contains the additional patch(es) that need to be applied on top
-# of the patchset already contained within the BASEPOL variable. The variable
-# can be both a simple string (space-separated) or a bash array.
-: ${POLICY_PATCH:=""}
-
-# @ECLASS-VARIABLE: POLICY_FILES
-# @DESCRIPTION:
-# When defined, this contains the files (located in the ebuilds' files/
-# directory) which should be copied as policy module files into the store.
-# Generally, users would want to include at least a .te and .fc file, but .if
-# files are supported as well. The variable can be both a simple string
-# (space-separated) or a bash array.
-: ${POLICY_FILES:=""}
-
-# @ECLASS-VARIABLE: POLICY_TYPES
-# @DESCRIPTION:
-# This variable informs the eclass for which SELinux policies the module should
-# be built. Currently, Gentoo supports targeted, strict, mcs and mls.
-# This variable is the same POLICY_TYPES variable that we tell SELinux
-# users to set in /etc/make.conf. Therefor, it is not the module that should
-# override it, but the user.
-: ${POLICY_TYPES:="targeted strict mcs mls"}
-
-extra_eclass=""
-case ${BASEPOL} in
- 9999) extra_eclass="git-2";
- EGIT_REPO_URI="git://git.overlays.gentoo.org/proj/hardened-refpolicy.git";
- EGIT_SOURCEDIR="${WORKDIR}/refpolicy";;
-esac
-
-inherit eutils ${extra_eclass}
-
-IUSE=""
-
-HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
-if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]];
-then
- SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2
- http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
-elif [[ "${BASEPOL}" != "9999" ]];
-then
- SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
-else
- SRC_URI=""
-fi
-
-LICENSE="GPL-2"
-SLOT="0"
-S="${WORKDIR}/"
-PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
-
-# Modules should always depend on at least the first release of the
-# selinux-base-policy for which they are generated.
-if [[ -n ${BASEPOL} ]];
-then
- RDEPEND=">=sys-apps/policycoreutils-2.0.82
- >=sec-policy/selinux-base-policy-${BASEPOL}"
-else
- RDEPEND=">=sys-apps/policycoreutils-2.0.82
- >=sec-policy/selinux-base-policy-${PV}"
-fi
-DEPEND="${RDEPEND}
- sys-devel/m4
- >=sys-apps/checkpolicy-2.0.21"
-
-SELINUX_EXPF="src_unpack src_compile src_install pkg_postinst"
-case "${EAPI:-0}" in
- 2|3|4) SELINUX_EXPF+=" src_prepare" ;;
- *) ;;
-esac
-
-EXPORT_FUNCTIONS ${SELINUX_EXPF}
-
-# @FUNCTION: selinux-policy-2_src_unpack
-# @DESCRIPTION:
-# Unpack the policy sources as offered by upstream (refpolicy). In case of EAPI
-# older than 2, call src_prepare too.
-selinux-policy-2_src_unpack() {
- if [[ "${BASEPOL}" != "9999" ]];
- then
- unpack ${A}
- else
- git-2_src_unpack
- fi
-
- # Call src_prepare explicitly for EAPI 0 or 1
- has "${EAPI:-0}" 0 1 && selinux-policy-2_src_prepare
-}
-
-# @FUNCTION: selinux-policy-2_src_prepare
-# @DESCRIPTION:
-# Patch the reference policy sources with our set of enhancements. Start with
-# the base patchbundle referred to by the ebuilds through the BASEPOL variable,
-# then apply the additional patches as offered by the ebuild.
-#
-# Next, extract only those files needed for this particular module (i.e. the .te
-# and .fc files for the given module in the MODS variable).
-#
-# Finally, prepare the build environments for each of the supported SELinux
-# types (such as targeted or strict), depending on the POLICY_TYPES variable
-# content.
-selinux-policy-2_src_prepare() {
- local modfiles
- local add_interfaces=0;
-
- # Create 3rd_party location for user-contributed policies
- cd "${S}/refpolicy/policy/modules" && mkdir 3rd_party;
-
- # Patch the sources with the base patchbundle
- if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]];
- then
- cd "${S}"
- EPATCH_MULTI_MSG="Applying SELinux policy updates ... " \
- EPATCH_SUFFIX="patch" \
- EPATCH_SOURCE="${WORKDIR}" \
- EPATCH_FORCE="yes" \
- epatch
- fi
-
- # Copy additional files to the 3rd_party/ location
- if [[ "$(declare -p POLICY_FILES 2>/dev/null 2>&1)" == "declare -a"* ]] ||
- [[ -n ${POLICY_FILES} ]];
- then
- add_interfaces=1;
- cd "${S}/refpolicy/policy/modules"
- for POLFILE in ${POLICY_FILES[@]};
- do
- cp "${FILESDIR}/${POLFILE}" 3rd_party/ || die "Could not copy ${POLFILE} to 3rd_party/ location";
- done
- fi
-
- # Apply the additional patches refered to by the module ebuild.
- # But first some magic to differentiate between bash arrays and strings
- if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]] ||
- [[ -n ${POLICY_PATCH} ]];
- then
- cd "${S}/refpolicy/policy/modules"
- for POLPATCH in ${POLICY_PATCH[@]};
- do
- epatch "${POLPATCH}"
- done
- fi
-
- # Collect only those files needed for this particular module
- for i in ${MODS}; do
- modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
- modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
- if [ ${add_interfaces} -eq 1 ];
- then
- modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.if) $modfiles"
- fi
- done
-
- for i in ${POLICY_TYPES}; do
- mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}"
- cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
- || die "Failed to copy Makefile.example to ${S}/${i}/Makefile"
-
- cp ${modfiles} "${S}"/${i} \
- || die "Failed to copy the module files to ${S}/${i}"
- done
-}
-
-# @FUNCTION: selinux-policy-2_src_compile
-# @DESCRIPTION:
-# Build the SELinux policy module (.pp file) for just the selected module, and
-# this for each SELinux policy mentioned in POLICY_TYPES
-selinux-policy-2_src_compile() {
- for i in ${POLICY_TYPES}; do
- # Parallel builds are broken, so we need to force -j1 here
- emake -j1 NAME=$i -C "${S}"/${i} || die "${i} compile failed"
- done
-}
-
-# @FUNCTION: selinux-policy-2_src_install
-# @DESCRIPTION:
-# Install the built .pp files in the correct subdirectory within
-# /usr/share/selinux.
-selinux-policy-2_src_install() {
- local BASEDIR="/usr/share/selinux"
-
- for i in ${POLICY_TYPES}; do
- for j in ${MODS}; do
- einfo "Installing ${i} ${j} policy package"
- insinto ${BASEDIR}/${i}
- doins "${S}"/${i}/${j}.pp || die "Failed to add ${j}.pp to ${i}"
-
- if [[ "${POLICY_FILES[@]}" == *"${j}.if"* ]];
- then
- insinto ${BASEDIR}/${i}/include/3rd_party
- doins "${S}"/${i}/${j}.if || die "Failed to add ${j}.if to ${i}"
- fi
- done
- done
-}
-
-# @FUNCTION: selinux-policy-2_pkg_postinst
-# @DESCRIPTION:
-# Install the built .pp files in the SELinux policy stores, effectively
-# activating the policy on the system.
-selinux-policy-2_pkg_postinst() {
- # build up the command in the case of multiple modules
- local COMMAND
- for i in ${MODS}; do
- COMMAND="-i ${i}.pp ${COMMAND}"
- done
-
- for i in ${POLICY_TYPES}; do
- einfo "Inserting the following modules into the $i module store: ${MODS}"
-
- cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
- semodule -s ${i} ${COMMAND}
- if [ $? -ne 0 ];
- then
- ewarn "SELinux module load failed. Trying full reload...";
- if [ "${i}" == "targeted" ];
- then
- semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp);
- else
- semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp | grep -v unconfined.pp);
- fi
- if [ $? -ne 0 ];
- then
- ewarn "Failed to reload SELinux policies."
- ewarn ""
- ewarn "If this is *not* the last SELinux module package being installed,"
- ewarn "then you can safely ignore this as the reloads will be retried"
- ewarn "with other, recent modules."
- ewarn ""
- ewarn "If it is the last SELinux module package being installed however,"
- ewarn "then it is advised to look at the error above and take appropriate"
- ewarn "action since the new SELinux policies are not loaded until the"
- ewarn "command finished succesfully."
- ewarn ""
- ewarn "To reload, run the following command from within /usr/share/selinux/${i}:"
- ewarn " semodule -b base.pp -i \$(ls *.pp | grep -v base.pp)"
- ewarn "or"
- ewarn " semodule -b base.pp -i \$(ls *.pp | grep -v base.pp | grep -v unconfined.pp)"
- ewarn "depending on if you need the unconfined domain loaded as well or not."
- else
- einfo "SELinux modules reloaded succesfully."
- fi
- else
- einfo "SELinux modules loaded succesfully."
- fi
- done
-}
-
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2012-12-30 1:29 Anthony G. Basile
From: Anthony G. Basile @ 2012-12-30 1:29 UTC (permalink / raw
To: gentoo-commits
commit: 30566dc16112b2b0b2c1dc1eea2bc1806016d3f8
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun Dec 30 01:28:59 2012 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun Dec 30 01:28:59 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=30566dc1
eclass/pax-utils.eclass: correct to test if PT_PAX or XATTR_PAX is supported, bug #447616
---
eclass/pax-utils.eclass | 25 +++++++++++--------------
1 files changed, 11 insertions(+), 14 deletions(-)
diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
index e860d04..acd11a3 100644
--- a/eclass/pax-utils.eclass
+++ b/eclass/pax-utils.eclass
@@ -1,4 +1,4 @@
-# Copyright 1999-2011 Gentoo Foundation
+# Copyright 1999-2012 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/eclass/pax-utils.eclass,v 1.18 2012/04/06 18:03:54 blueness Exp $
@@ -11,17 +11,16 @@
# Modifications for bug #431092: Anthony G. Basile <blueness@gentoo.org>
# @BLURB: functions to provide pax markings
# @DESCRIPTION:
+#
# This eclass provides support for manipulating PaX markings on ELF binaries,
-# wrapping the use of the paxctl and scanelf utilities. It decides which to
-# use depending on what is installed on the build host, preferring paxctl to
-# scanelf. If paxctl is not installed, we fall back to scanelf since it is
-# always present. However, currently scanelf doesn't do all that paxctl can.
+# whether the system is using legacy PT_PAX markings or the newer XATTR_PAX.
+# The eclass wraps the use of paxctl-ng, paxctl, set/getattr and scanelf utilities,
+# deciding which to use depending on what's installed on the build host, and
+# whether we're working with PT_PAX, XATTR_PAX or both.
#
# To control what markings are made, set PAX_MARKINGS in /etc/portage/make.conf
-# to contain either "PT", "XT" or "none". If PAX_MARKINGS contains "PT", and
-# the necessary utility is installed, then PT_PAX_FLAGS markings will be made.
-# Similarly, if PAX_MARKINGS contains "XT", then xattr markings will be made.
-# If PAX_MARKINGS is set to "none", no markings will be made.
+# to contain either "PT", "XT" or "none". The default is to attempt both
+# PT_PAX and XATTR_PAX.
if [[ ${___ECLASS_ONCE_PAX_UTILS} != "recur -_+^+_- spank" ]] ; then
___ECLASS_ONCE_PAX_UTILS="recur -_+^+_- spank"
@@ -35,8 +34,7 @@ PAX_MARKINGS=${PAX_MARKINGS:="PT XT"}
# @DESCRIPTION:
# Marks <ELF files> with provided PaX <flags>
#
-# Flags are passed directly to the utilities unchanged. Possible flags at the
-# time of writing, taken from /sbin/paxctl, are:
+# Flags are passed directly to the utilities unchanged
#
# p: disable PAGEEXEC P: enable PAGEEXEC
# e: disable EMUTRMAP E: enable EMUTRMAP
@@ -46,7 +44,6 @@ PAX_MARKINGS=${PAX_MARKINGS:="PT XT"}
#
# Default flags are 'PeMRS', which are the most restrictive settings. Refer
# to http://pax.grsecurity.net/ for details on what these flags are all about.
-# Do not use the obsolete flag 'x'/'X' which has been deprecated.
#
# Please confirm any relaxation of restrictions with the Gentoo Hardened team.
# Either ask on the gentoo-hardened mailing list, or CC/assign hardened@g.o on
@@ -67,7 +64,7 @@ pax-mark() {
if has PT ${PAX_MARKINGS}; then
#First try paxctl-ng
- if type -p paxctl-ng > /dev/null; then
+ if type -p paxctl-ng > /dev/null && paxctl-ng -L ; then
einfo "PT PaX marking -${flags}"
_pax_list_files einfo "$@"
for f in "$@"; do
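Review bot: The new capability probe `paxctl-ng -L` on the changed `if` line runs with stdout and stderr attached to the build log, so whatever it prints when called without a file (usage text or a support message) ends up in every ebuild's output; the same applies to `paxctl-ng -l` in the @@ -113 hunk of this commit. `if type -p paxctl-ng > /dev/null && paxctl-ng -L >/dev/null 2>&1; then` keeps only the exit status, which is all the branch uses. A one-line comment stating what the probe decides, e.g. `# paxctl-ng -L succeeds only if it was built with PT_PAX support`, would also help, since `-L` without a file is not self-explanatory and the commit title is the only place that says so. The enclosing `pax-mark` starts and ends outside the hunk.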
@@ -113,7 +110,7 @@ pax-mark() {
if has XT ${PAX_MARKINGS}; then
#First try paxctl-ng
- if type -p paxctl-ng > /dev/null; then
+ if type -p paxctl-ng > /dev/null && paxctl-ng -l ; then
einfo "XT PaX marking -${flags}"
_pax_list_files einfo "$@"
for f in "$@"; do
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2013-02-09 20:30 Anthony G. Basile
From: Anthony G. Basile @ 2013-02-09 20:30 UTC (permalink / raw
To: gentoo-commits
commit: 3a2cbaec20cf614ec0dfbf7a6c0d3cedff412b5b
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sat Feb 9 20:30:17 2013 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sat Feb 9 20:30:17 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=3a2cbaec
eclass/pax-utils.eclass: address bad pax flag combos, bug #445948
---
eclass/pax-utils.eclass | 80 ++++++++++++++++++++++++++++++++++++----------
1 files changed, 62 insertions(+), 18 deletions(-)
diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
index acd11a3..fdc7769 100644
--- a/eclass/pax-utils.eclass
+++ b/eclass/pax-utils.eclass
@@ -49,6 +49,42 @@ PAX_MARKINGS=${PAX_MARKINGS:="PT XT"}
# Either ask on the gentoo-hardened mailing list, or CC/assign hardened@g.o on
# the bug report.
+
+sanitize-flags() {
+ # Only the actual pax flags and z are accepted
+ #
+ # 1. The leading '-' is irrelevant since it is santized out
+ #
+ # 2. Cc only make sense for paxctl, and even there these are
+ # not needed as we progressively try:
+ # paxctl -q${flags}
+ # paxctl -qc${flags}
+ # paxctl -qC${flags}
+ # So we sanitize them out.
+ #
+ # 3. z is allowed for the default
+ #
+
+ local flags="$1"
+ local clean=""
+
+ [[ "${flags}" != "${flags/z/}" ]] && clean="${clean}z"
+
+ [[ "${flags}" != "${flags/P/}" ]] && clean="${clean}P"
+ [[ "${flags}" != "${flags/p/}" ]] && clean="${clean}p"
+ [[ "${flags}" != "${flags/E/}" ]] && clean="${clean}E"
+ [[ "${flags}" != "${flags/e/}" ]] && clean="${clean}e"
+ [[ "${flags}" != "${flags/M/}" ]] && clean="${clean}M"
+ [[ "${flags}" != "${flags/m/}" ]] && clean="${clean}m"
+ [[ "${flags}" != "${flags/R/}" ]] && clean="${clean}R"
+ [[ "${flags}" != "${flags/r/}" ]] && clean="${clean}r"
+ [[ "${flags}" != "${flags/S/}" ]] && clean="${clean}S"
+ [[ "${flags}" != "${flags/s/}" ]] && clean="${clean}s"
+
+ echo "$clean"
+}
+
+
pax-mark() {
local f # loop over paxables
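Review bot: The new helper is introduced under the plain global name `sanitize-flags`, while the file's existing private helper follows a `_pax_` prefix (`_pax_list_files`, called in the next hunk); an unprefixed generic name is easy to collide with a function defined by an inheriting ebuild or another eclass, so `_pax_sanitize_flags` would be safer. The function also collapses duplicates and always emits the surviving letters in the fixed order `z P p E e M m R r S s` regardless of input order, which is worth stating in the comment block, e.g. `# Output order is fixed (z first); duplicate letters collapse to one.`. Note that a string containing both `P` and `p` passes through unchanged, so if contradictory pairs are among the bad combinations the commit title refers to, this does not reject them.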
@@ -57,25 +93,14 @@ pax-mark() {
local xt_fail=0 xt_failures="" # record xattr PAX marking failures
local ret=0 # overal return code of this function
- # You can call pax-mark with/out leading '-' on flags
- flags=${1//-}
+ flags="$(sanitize-flags $1)"
shift
if has PT ${PAX_MARKINGS}; then
- #First try paxctl-ng
- if type -p paxctl-ng > /dev/null && paxctl-ng -L ; then
- einfo "PT PaX marking -${flags}"
- _pax_list_files einfo "$@"
- for f in "$@"; do
- paxctl-ng -L -${flags} "${f}" && continue
- pt_fail=1
- pt_failures="${pt_failures} ${f}"
- done
-
- #Next try paxctl
- elif type -p paxctl > /dev/null; then
- einfo "PT PaX marking -${flags}"
+ #First try paxctl -> this might try to create/convert program headers
+ if type -p paxctl > /dev/null; then
+ einfo "PT PaX marking -${flags} with paxctl"
_pax_list_files einfo "$@"
for f in "$@"; do
# First, try modifying the existing PAX_FLAGS header
@@ -88,9 +113,19 @@ pax-mark() {
pt_failures="${pt_failures} ${f}"
done
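Review bot: `flags="$(sanitize-flags $1)"` on the changed line can come back empty (the caller passed only characters the sanitizer drops, or nothing at all) and the function carries on: the `-${flags}` arguments in the following hunks then collapse to a bare `-` and `paxctl -q${flags}` runs with no marking request. A guard directly after the assignment, `[[ ${flags} ]] || { ewarn "pax-mark: no valid PaX flags in '$1', nothing marked"; return 0; }`, stops that and makes a mistyped flag string visible in the log instead of silently leaving the binaries unmarked; `"$1"` should also be quoted inside the substitution. The enclosing `pax-mark` starts and ends outside the hunk.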
+ #Next try paxctl-ng -> this will not create/convert any program headers
+ elif type -p paxctl-ng > /dev/null && paxctl-ng -L ; then
+ einfo "PT PaX marking -${flags} with paxctl-ng"
+ _pax_list_files einfo "$@"
+ for f in "$@"; do
+ paxctl-ng -L -${flags} "${f}" && continue
+ pt_fail=1
+ pt_failures="${pt_failures} ${f}"
+ done
+
#Finally fall back on scanelf
elif type -p scanelf > /dev/null && [[ ${PAX_MARKINGS} != "none" ]]; then
- einfo "Fallback PaX marking -${flags}"
+ einfo "Fallback PaX marking -${flags} with scanelf"
_pax_list_files einfo "$@"
scanelf -Xxz ${flags} "$@"
@@ -109,11 +144,19 @@ pax-mark() {
if has XT ${PAX_MARKINGS}; then
+ # z = default. For XATTR_PAX, the default is no xattr field at all
+ local dodefault=""
+ if [[ "${flags}" != "${flags/z/}" ]]; then
+ flags="${flags/z/}"
+ dodefault="yes"
+ fi
+
#First try paxctl-ng
if type -p paxctl-ng > /dev/null && paxctl-ng -l ; then
- einfo "XT PaX marking -${flags}"
+ einfo "XT PaX marking -${flags} with paxctl-ng"
_pax_list_files einfo "$@"
for f in "$@"; do
+ [[ ${dodefault} == "yes" ]] && paxctl-ng -d "${f}"
paxctl-ng -l -${flags} "${f}" && continue
xt_fail=1
xt_failures="${tx_failures} ${f}"
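Review bot: After the new `flags="${flags/z/}"`, a call made with only `z` leaves `flags` empty, yet the loop still runs `paxctl-ng -l -${flags} "${f}"` — a bare `-` argument — and counts the file as a failure; the setfattr branch in the @@ -121 hunk likewise writes `-v ""` as the xattr value. Adding `[[ ${flags} ]] || continue` right after the `paxctl-ng -d "${f}"` line (and after the `setfattr -x` line) handles the default-only case. The exit status of the new `paxctl-ng -d "${f}"` and `setfattr -x` resets is also ignored, so a failed reset is never reported. Separately, the context line `xt_failures="${tx_failures} ${f}"` reads a misspelled variable, so the XT failure list only ever holds the last file; not part of this change, but worth fixing while in this block. `pax-mark` starts and ends outside the hunk.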
@@ -121,9 +164,10 @@ pax-mark() {
#Next try setfattr
elif type -p setfattr > /dev/null; then
- einfo "XT PaX marking -${flags}"
+ einfo "XT PaX marking -${flags} with setfattr"
_pax_list_files einfo "$@"
for f in "$@"; do
+ [[ ${dodefault} == "yes" ]] && setfattr -x "user.pax.flags" "${f}"
setfattr -n "user.pax.flags" -v "${flags}" "${f}" && continue
xt_fail=1
xt_failures="${tx_failures} ${f}"
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2013-02-10 1:56 Anthony G. Basile
From: Anthony G. Basile @ 2013-02-10 1:56 UTC (permalink / raw
To: gentoo-commits
commit: 872bb4b2c4f56b12e14bb6b449a718ac31ae863f
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun Feb 10 01:56:13 2013 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 01:56:13 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=872bb4b2
eclass/pax-utils.eclass: clean up sanitize-flags()
---
eclass/pax-utils.eclass | 52 ++++++++++++++++++----------------------------
1 files changed, 20 insertions(+), 32 deletions(-)
diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
index fdc7769..74a5ec7 100644
--- a/eclass/pax-utils.eclass
+++ b/eclass/pax-utils.eclass
@@ -50,40 +50,28 @@ PAX_MARKINGS=${PAX_MARKINGS:="PT XT"}
# the bug report.
+# Only the actual pax flags and z are accepted
+#
+# 1. The leading '-' is irrelevant since it is santized out
+#
+# 2. Cc only make sense for paxctl, and even there these are
+# not needed as we progressively try:
+# paxctl -q${flags}
+# paxctl -qc${flags}
+# paxctl -qC${flags}
+# So we sanitize them out.
+#
+# 3. z is allowed for the default
+#
sanitize-flags() {
- # Only the actual pax flags and z are accepted
- #
- # 1. The leading '-' is irrelevant since it is santized out
- #
- # 2. Cc only make sense for paxctl, and even there these are
- # not needed as we progressively try:
- # paxctl -q${flags}
- # paxctl -qc${flags}
- # paxctl -qC${flags}
- # So we sanitize them out.
- #
- # 3. z is allowed for the default
- #
-
- local flags="$1"
- local clean=""
-
- [[ "${flags}" != "${flags/z/}" ]] && clean="${clean}z"
-
- [[ "${flags}" != "${flags/P/}" ]] && clean="${clean}P"
- [[ "${flags}" != "${flags/p/}" ]] && clean="${clean}p"
- [[ "${flags}" != "${flags/E/}" ]] && clean="${clean}E"
- [[ "${flags}" != "${flags/e/}" ]] && clean="${clean}e"
- [[ "${flags}" != "${flags/M/}" ]] && clean="${clean}M"
- [[ "${flags}" != "${flags/m/}" ]] && clean="${clean}m"
- [[ "${flags}" != "${flags/R/}" ]] && clean="${clean}R"
- [[ "${flags}" != "${flags/r/}" ]] && clean="${clean}r"
- [[ "${flags}" != "${flags/S/}" ]] && clean="${clean}S"
- [[ "${flags}" != "${flags/s/}" ]] && clean="${clean}s"
-
- echo "$clean"
-}
+ local flags=$1
+ local clean=""
+ for f in z P p E e M m R r S s; do
+ [[ "${flags}" != "${flags/${f}/}" ]] && clean="${clean}${f}"
+ done
+ echo "$clean"
+}
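Review bot: The loop variable `f` in the rewritten `sanitize-flags` is not declared `local`, although `flags` and `clean` are; today the function is only reached through `$(...)` so the assignment dies with the subshell, but a direct call would clobber the caller's `f`, which `pax-mark` uses as its file loop variable. `local flags=$1 clean="" f` on one line, or a separate `local f`, closes that. The comment block moved above the function still refers to the leading `-` being "santized" out; `sanitized` is the intended word.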
pax-mark() {
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2013-02-10 11:21 Anthony G. Basile
From: Anthony G. Basile @ 2013-02-10 11:21 UTC (permalink / raw
To: gentoo-commits
commit: 67b6eb5c26d6ea23825d006ce5848bab4fd454fe
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun Feb 10 11:20:56 2013 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 11:20:56 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=67b6eb5c
eclass/pax-utils.eclass: cleaned up sanitize-flags code more, thanks Alphat-PC
---
eclass/pax-utils.eclass | 33 +++++++++------------------------
1 files changed, 9 insertions(+), 24 deletions(-)
diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
index 74a5ec7..8ef06bd 100644
--- a/eclass/pax-utils.eclass
+++ b/eclass/pax-utils.eclass
@@ -50,29 +50,6 @@ PAX_MARKINGS=${PAX_MARKINGS:="PT XT"}
# the bug report.
-# Only the actual pax flags and z are accepted
-#
-# 1. The leading '-' is irrelevant since it is santized out
-#
-# 2. Cc only make sense for paxctl, and even there these are
-# not needed as we progressively try:
-# paxctl -q${flags}
-# paxctl -qc${flags}
-# paxctl -qC${flags}
-# So we sanitize them out.
-#
-# 3. z is allowed for the default
-#
-sanitize-flags() {
- local flags=$1
- local clean=""
-
- for f in z P p E e M m R r S s; do
- [[ "${flags}" != "${flags/${f}/}" ]] && clean="${clean}${f}"
- done
- echo "$clean"
-}
-
pax-mark() {
local f # loop over paxables
@@ -81,7 +58,14 @@ pax-mark() {
local xt_fail=0 xt_failures="" # record xattr PAX marking failures
local ret=0 # overal return code of this function
- flags="$(sanitize-flags $1)"
+ # Sanitize flags -- allow only actual PaX flags
+ # 1. The leading '-' is optional
+ # 2. -C -c only makes sense for paxctl. But the user need not provide
+ # it since we progressively do -q -qc and -qC
+ # 3. z is allowed for the defaults
+
+ flags="${1//[!zPpEeMmRrSs]}"
+ [ "${flags}" ] || return 0
shift
if has PT ${PAX_MARKINGS}; then
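Review bot: `[ "${flags}" ] || return 0` on the new line returns success without any message when the sanitizer strips everything, so an ebuild that passes a mistyped flag string silently ends up with no PaX markings and the build log shows nothing; the same line is added again in commit 4a7544ff below. Warning before returning, `[[ ${flags} ]] || { ewarn "pax-mark: no valid PaX flags in '$1', nothing marked"; return 0; }`, makes the misconfiguration visible, and `[[ ]]` matches the tests used elsewhere in the function. The enclosing `pax-mark` starts and ends outside the hunk.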
@@ -152,6 +136,7 @@ pax-mark() {
#Next try setfattr
elif type -p setfattr > /dev/null; then
+ [[ ${flags//[!Ee]} ]] || flags+="e" # bug 447150
einfo "XT PaX marking -${flags} with setfattr"
_pax_list_files einfo "$@"
for f in "$@"; do
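Review bot: The new `[[ ${flags//[!Ee]} ]] || flags+="e" # bug 447150` documents itself only by bug number, so a reader of the eclass cannot tell why the setfattr branch needs an explicit e/E when the other branches do not. Since this branch writes `${flags}` verbatim as the xattr value (`setfattr -n "user.pax.flags" -v "${flags}"` below), the comment should say that, e.g. `# the raw xattr value needs an explicit e/E setting, see bug 447150`. `pax-mark` starts and ends outside the hunk.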
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2013-02-10 11:26 Anthony G. Basile
From: Anthony G. Basile @ 2013-02-10 11:26 UTC (permalink / raw
To: gentoo-commits
commit: 4a7544ff141201ea952a62284e8cea0e0f5f0114
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun Feb 10 11:26:05 2013 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 11:26:05 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=4a7544ff
eclass/pax-utils.eclass: cleaned up sanitize-flags code more, thanks Alphat-PC
---
eclass/pax-utils.eclass | 48 +++++++++++++++++-----------------------------
1 files changed, 18 insertions(+), 30 deletions(-)
diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
index 74a5ec7..b27d5e2 100644
--- a/eclass/pax-utils.eclass
+++ b/eclass/pax-utils.eclass
@@ -50,29 +50,6 @@ PAX_MARKINGS=${PAX_MARKINGS:="PT XT"}
# the bug report.
-# Only the actual pax flags and z are accepted
-#
-# 1. The leading '-' is irrelevant since it is santized out
-#
-# 2. Cc only make sense for paxctl, and even there these are
-# not needed as we progressively try:
-# paxctl -q${flags}
-# paxctl -qc${flags}
-# paxctl -qC${flags}
-# So we sanitize them out.
-#
-# 3. z is allowed for the default
-#
-sanitize-flags() {
- local flags=$1
- local clean=""
-
- for f in z P p E e M m R r S s; do
- [[ "${flags}" != "${flags/${f}/}" ]] && clean="${clean}${f}"
- done
- echo "$clean"
-}
-
pax-mark() {
local f # loop over paxables
@@ -81,9 +58,20 @@ pax-mark() {
local xt_fail=0 xt_failures="" # record xattr PAX marking failures
local ret=0 # overal return code of this function
- flags="$(sanitize-flags $1)"
+ # Only the actual PaX flags and z are accepted
+ # 1. The leading '-' is optional
+ # 2. -C -c only make sense for paxctl, but are unnecessary
+ # because we progressively do -q -qc -qC
+ # 3. z is allowed for the default
+
+ flags="${1//[!zPpEeMmRrSs]}"
+ [ "${flags}" ] || return 0
shift
+ # z = default. For XATTR_PAX, the default is no xattr field at all
+ local dodefault=""
+ [ "${flags//[!z]}" ] && dodefault="yes"
+
if has PT ${PAX_MARKINGS}; then
#First try paxctl -> this might try to create/convert program headers
@@ -104,8 +92,11 @@ pax-mark() {
#Next try paxctl-ng -> this will not create/convert any program headers
elif type -p paxctl-ng > /dev/null && paxctl-ng -L ; then
einfo "PT PaX marking -${flags} with paxctl-ng"
+ flags="${flags//z}"
_pax_list_files einfo "$@"
for f in "$@"; do
+ [[ ${dodefault} == "yes" ]] && paxctl-ng -L -z "${f}"
+ [ "${flags}" ] || continue
paxctl-ng -L -${flags} "${f}" && continue
pt_fail=1
pt_failures="${pt_failures} ${f}"
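Review bot: The new reset `[[ ${dodefault} == "yes" ]] && paxctl-ng -L -z "${f}"` discards its exit status, so a file whose default-restore fails is neither added to `pt_failures` nor mentioned in the final warning, and when `flags` is empty after `flags="${flags//z}"` the following `continue` then skips it as if it had succeeded. Folding the reset into the existing accounting, `[[ ${dodefault} == "yes" ]] && ! paxctl-ng -L -z "${f}" && { pt_fail=1; pt_failures="${pt_failures} ${f}"; continue; }`, keeps the report accurate; the `paxctl-ng -d "${f}"` reset in the XT hunk at @@ -145 has the same gap. Moving `flags="${flags//z}"` above the `einfo` line would also make the log show the flags actually passed. `pax-mark` starts and ends outside the hunk.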
@@ -132,12 +123,7 @@ pax-mark() {
if has XT ${PAX_MARKINGS}; then
- # z = default. For XATTR_PAX, the default is no xattr field at all
- local dodefault=""
- if [[ "${flags}" != "${flags/z/}" ]]; then
- flags="${flags/z/}"
- dodefault="yes"
- fi
+ flags="${flags//z}"
#First try paxctl-ng
if type -p paxctl-ng > /dev/null && paxctl-ng -l ; then
@@ -145,6 +131,7 @@ pax-mark() {
_pax_list_files einfo "$@"
for f in "$@"; do
[[ ${dodefault} == "yes" ]] && paxctl-ng -d "${f}"
+ [ "${flags}" ] || continue
paxctl-ng -l -${flags} "${f}" && continue
xt_fail=1
xt_failures="${tx_failures} ${f}"
@@ -152,6 +139,7 @@ pax-mark() {
#Next try setfattr
elif type -p setfattr > /dev/null; then
+ [ "${flags//[!Ee]}" ] || flags+="e" # bug 447150
einfo "XT PaX marking -${flags} with setfattr"
_pax_list_files einfo "$@"
for f in "$@"; do
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2013-03-18 3:21 Anthony G. Basile
From: Anthony G. Basile @ 2013-03-18 3:21 UTC (permalink / raw
To: gentoo-commits
commit: c7b456efa7554f3e30ef5f7f369d048282e4b7ec
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Mon Mar 18 03:20:40 2013 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Mon Mar 18 03:20:40 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=c7b456ef
eclass/pax-utils.eclass: fix comment, thanks Arfrever
---
eclass/pax-utils.eclass | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
index b27d5e2..b7670c1 100644
--- a/eclass/pax-utils.eclass
+++ b/eclass/pax-utils.eclass
@@ -25,7 +25,7 @@
if [[ ${___ECLASS_ONCE_PAX_UTILS} != "recur -_+^+_- spank" ]] ; then
___ECLASS_ONCE_PAX_UTILS="recur -_+^+_- spank"
-# Default to PT markings.
+# Default to both PT and XT markings.
PAX_MARKINGS=${PAX_MARKINGS:="PT XT"}
# @FUNCTION: pax-mark
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2013-03-18 21:16 Anthony G. Basile
From: Anthony G. Basile @ 2013-03-18 21:16 UTC (permalink / raw
To: gentoo-commits
commit: 744986bfa2879d3857b199078df97933c8b968bd
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Mon Mar 18 21:14:21 2013 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Mon Mar 18 21:14:21 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=744986bf
eclass/pax-utils.eclass: fixed typo, bug #462238
Thanks Bryan Gardiner <bog <AT> khumba.net>
---
eclass/pax-utils.eclass | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
index b7670c1..9299c02 100644
--- a/eclass/pax-utils.eclass
+++ b/eclass/pax-utils.eclass
@@ -115,7 +115,7 @@ pax-mark() {
fi
if [[ ${pt_fail} == 1 ]]; then
- ewarn "Failed to set XT_PAX markings -${flags} for:"
+ ewarn "Failed to set PT_PAX markings -${flags} for:"
_pax_list_files ewarn ${pt_failures}
ret=1
fi
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2013-03-28 18:04 Anthony G. Basile
From: Anthony G. Basile @ 2013-03-28 18:04 UTC (permalink / raw
To: gentoo-commits
commit: 01f6e550124b5c81be2565355558f59b7480645d
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Thu Mar 28 18:04:11 2013 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Thu Mar 28 18:04:11 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=01f6e550
pax-utils.eclass: incorporate suggestion from gentoo-dev@ list
---
eclass/pax-utils.eclass | 21 +++++++++++++--------
1 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
index 9299c02..ee7e6e3 100644
--- a/eclass/pax-utils.eclass
+++ b/eclass/pax-utils.eclass
@@ -25,6 +25,10 @@
if [[ ${___ECLASS_ONCE_PAX_UTILS} != "recur -_+^+_- spank" ]] ; then
___ECLASS_ONCE_PAX_UTILS="recur -_+^+_- spank"
+# @ECLASS-VARIABLE: PAX_MARKINGS
+# @DESCRIPTION:
+# Control which markings are made:
+# PT = PT_PAX markings, XT = XATTR_PAX markings
# Default to both PT and XT markings.
PAX_MARKINGS=${PAX_MARKINGS:="PT XT"}
@@ -65,12 +69,12 @@ pax-mark() {
# 3. z is allowed for the default
flags="${1//[!zPpEeMmRrSs]}"
- [ "${flags}" ] || return 0
+ [[ "${flags}" ]] || return 0
shift
# z = default. For XATTR_PAX, the default is no xattr field at all
local dodefault=""
- [ "${flags//[!z]}" ] && dodefault="yes"
+ [[ "${flags//[!z]}" ]] && dodefault="yes"
if has PT ${PAX_MARKINGS}; then
@@ -81,10 +85,11 @@ pax-mark() {
for f in "$@"; do
# First, try modifying the existing PAX_FLAGS header
paxctl -q${flags} "${f}" && continue
- # Second, try stealing the (unused under PaX) PT_GNU_STACK header
- paxctl -qc${flags} "${f}" && continue
- # Third, creating a PT_PAX header (works on ET_EXEC)
+ # Second, try creating a PT_PAX header (works on ET_EXEC)
+ # Even though this is less safe, most exes need it, eg bug #463170
paxctl -qC${flags} "${f}" && continue
+ # Third, try stealing the (unused under PaX) PT_GNU_STACK header
+ paxctl -qc${flags} "${f}" && continue
pt_fail=1
pt_failures="${pt_failures} ${f}"
done
@@ -96,7 +101,7 @@ pax-mark() {
_pax_list_files einfo "$@"
for f in "$@"; do
[[ ${dodefault} == "yes" ]] && paxctl-ng -L -z "${f}"
- [ "${flags}" ] || continue
+ [[ "${flags}" ]] || continue
paxctl-ng -L -${flags} "${f}" && continue
pt_fail=1
pt_failures="${pt_failures} ${f}"
@@ -131,7 +136,7 @@ pax-mark() {
_pax_list_files einfo "$@"
for f in "$@"; do
[[ ${dodefault} == "yes" ]] && paxctl-ng -d "${f}"
- [ "${flags}" ] || continue
+ [[ "${flags}" ]] || continue
paxctl-ng -l -${flags} "${f}" && continue
xt_fail=1
xt_failures="${tx_failures} ${f}"
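Review bot: The failure list on the last context line of this hunk is appended to `${tx_failures}` instead of `${xt_failures}`, so each failing file overwrites the previous one and the later `ewarn "Failed to set XATTR_PAX markings ..."` names only the last file that failed, not all of them. The fix is `xt_failures="${xt_failures} ${f}"`; the `pt_failures="${pt_failures} ${f}"` lines in the earlier hunks show the intended form. The same typo sits in the setfattr loop of this file, visible as a context line of the "fix some typos" commit 90700eb9 (`xt_failures="${tx_failures} ${f}"`), which that commit also leaves in place. The enclosing `pax-mark` function starts and ends outside the hunk.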
@@ -139,7 +144,7 @@ pax-mark() {
#Next try setfattr
elif type -p setfattr > /dev/null; then
- [ "${flags//[!Ee]}" ] || flags+="e" # bug 447150
+ [[ "${flags//[!Ee]}" ]] || flags+="e" # bug 447150
einfo "XT PaX marking -${flags} with setfattr"
_pax_list_files einfo "$@"
for f in "$@"; do
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2013-04-02 11:30 Anthony G. Basile
From: Anthony G. Basile @ 2013-04-02 11:30 UTC (permalink / raw
To: gentoo-commits
commit: 90700eb9dd2c89310ea5600ddfb194749b0b594e
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Tue Apr 2 11:30:04 2013 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Tue Apr 2 11:30:04 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=90700eb9
pax-utils.eclass: fix some typos
---
eclass/pax-utils.eclass | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
index ee7e6e3..9b9a5b9 100644
--- a/eclass/pax-utils.eclass
+++ b/eclass/pax-utils.eclass
@@ -154,14 +154,14 @@ pax-mark() {
xt_failures="${tx_failures} ${f}"
done
- #We failed to set PT_PAX flags
+ #We failed to set XATTR_PAX flags
elif [[ ${PAX_MARKINGS} != "none" ]]; then
- pt_failures="$*"
- pt_fail=1
+ xt_failures="$*"
+ xt_fail=1
fi
if [[ ${xt_fail} == 1 ]]; then
- ewarn "Failed to set XT_PAX markings -${flags} for:"
+ ewarn "Failed to set XATTR_PAX markings -${flags} for:"
_pax_list_files ewarn ${xt_failures}
ret=1
fi
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2013-04-05 2:13 Anthony G. Basile
From: Anthony G. Basile @ 2013-04-05 2:13 UTC (permalink / raw
To: gentoo-commits
commit: a82ad0552d4a5c9f9f243bbb946ff978907f76bb
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Fri Apr 5 02:12:47 2013 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Fri Apr 5 02:12:47 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=a82ad055
eclass/pax-utils.eclass: moved to tree
---
eclass/pax-utils.eclass | 220 -----------------------------------------------
1 files changed, 0 insertions(+), 220 deletions(-)
diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
deleted file mode 100644
index 9b9a5b9..0000000
--- a/eclass/pax-utils.eclass
+++ /dev/null
@@ -1,220 +0,0 @@
-# Copyright 1999-2012 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/eclass/pax-utils.eclass,v 1.18 2012/04/06 18:03:54 blueness Exp $
-
-# @ECLASS: pax-utils.eclass
-# @MAINTAINER:
-# The Gentoo Linux Hardened Team <hardened@gentoo.org>
-# @AUTHOR:
-# Original Author: Kevin F. Quinn <kevquinn@gentoo.org>
-# Modifications for bug #365825, @ ECLASS markup: Anthony G. Basile <blueness@gentoo.org>
-# Modifications for bug #431092: Anthony G. Basile <blueness@gentoo.org>
-# @BLURB: functions to provide pax markings
-# @DESCRIPTION:
-#
-# This eclass provides support for manipulating PaX markings on ELF binaries,
-# whether the system is using legacy PT_PAX markings or the newer XATTR_PAX.
-# The eclass wraps the use of paxctl-ng, paxctl, set/getattr and scanelf utilities,
-# deciding which to use depending on what's installed on the build host, and
-# whether we're working with PT_PAX, XATTR_PAX or both.
-#
-# To control what markings are made, set PAX_MARKINGS in /etc/portage/make.conf
-# to contain either "PT", "XT" or "none". The default is to attempt both
-# PT_PAX and XATTR_PAX.
-
-if [[ ${___ECLASS_ONCE_PAX_UTILS} != "recur -_+^+_- spank" ]] ; then
-___ECLASS_ONCE_PAX_UTILS="recur -_+^+_- spank"
-
-# @ECLASS-VARIABLE: PAX_MARKINGS
-# @DESCRIPTION:
-# Control which markings are made:
-# PT = PT_PAX markings, XT = XATTR_PAX markings
-# Default to both PT and XT markings.
-PAX_MARKINGS=${PAX_MARKINGS:="PT XT"}
-
-# @FUNCTION: pax-mark
-# @USAGE: <flags> {<ELF files>}
-# @RETURN: Shell true if we succeed, shell false otherwise
-# @DESCRIPTION:
-# Marks <ELF files> with provided PaX <flags>
-#
-# Flags are passed directly to the utilities unchanged
-#
-# p: disable PAGEEXEC P: enable PAGEEXEC
-# e: disable EMUTRMAP E: enable EMUTRMAP
-# m: disable MPROTECT M: enable MPROTECT
-# r: disable RANDMMAP R: enable RANDMMAP
-# s: disable SEGMEXEC S: enable SEGMEXEC
-#
-# Default flags are 'PeMRS', which are the most restrictive settings. Refer
-# to http://pax.grsecurity.net/ for details on what these flags are all about.
-#
-# Please confirm any relaxation of restrictions with the Gentoo Hardened team.
-# Either ask on the gentoo-hardened mailing list, or CC/assign hardened@g.o on
-# the bug report.
-
-
-pax-mark() {
-
- local f # loop over paxables
- local flags # pax flags
- local pt_fail=0 pt_failures="" # record PT_PAX failures
- local xt_fail=0 xt_failures="" # record xattr PAX marking failures
- local ret=0 # overal return code of this function
-
- # Only the actual PaX flags and z are accepted
- # 1. The leading '-' is optional
- # 2. -C -c only make sense for paxctl, but are unnecessary
- # because we progressively do -q -qc -qC
- # 3. z is allowed for the default
-
- flags="${1//[!zPpEeMmRrSs]}"
- [[ "${flags}" ]] || return 0
- shift
-
- # z = default. For XATTR_PAX, the default is no xattr field at all
- local dodefault=""
- [[ "${flags//[!z]}" ]] && dodefault="yes"
-
- if has PT ${PAX_MARKINGS}; then
-
- #First try paxctl -> this might try to create/convert program headers
- if type -p paxctl > /dev/null; then
- einfo "PT PaX marking -${flags} with paxctl"
- _pax_list_files einfo "$@"
- for f in "$@"; do
- # First, try modifying the existing PAX_FLAGS header
- paxctl -q${flags} "${f}" && continue
- # Second, try creating a PT_PAX header (works on ET_EXEC)
- # Even though this is less safe, most exes need it, eg bug #463170
- paxctl -qC${flags} "${f}" && continue
- # Third, try stealing the (unused under PaX) PT_GNU_STACK header
- paxctl -qc${flags} "${f}" && continue
- pt_fail=1
- pt_failures="${pt_failures} ${f}"
- done
-
- #Next try paxctl-ng -> this will not create/convert any program headers
- elif type -p paxctl-ng > /dev/null && paxctl-ng -L ; then
- einfo "PT PaX marking -${flags} with paxctl-ng"
- flags="${flags//z}"
- _pax_list_files einfo "$@"
- for f in "$@"; do
- [[ ${dodefault} == "yes" ]] && paxctl-ng -L -z "${f}"
- [[ "${flags}" ]] || continue
- paxctl-ng -L -${flags} "${f}" && continue
- pt_fail=1
- pt_failures="${pt_failures} ${f}"
- done
-
- #Finally fall back on scanelf
- elif type -p scanelf > /dev/null && [[ ${PAX_MARKINGS} != "none" ]]; then
- einfo "Fallback PaX marking -${flags} with scanelf"
- _pax_list_files einfo "$@"
- scanelf -Xxz ${flags} "$@"
-
- #We failed to set PT_PAX flags
- elif [[ ${PAX_MARKINGS} != "none" ]]; then
- pt_failures="$*"
- pt_fail=1
- fi
-
- if [[ ${pt_fail} == 1 ]]; then
- ewarn "Failed to set PT_PAX markings -${flags} for:"
- _pax_list_files ewarn ${pt_failures}
- ret=1
- fi
- fi
-
- if has XT ${PAX_MARKINGS}; then
-
- flags="${flags//z}"
-
- #First try paxctl-ng
- if type -p paxctl-ng > /dev/null && paxctl-ng -l ; then
- einfo "XT PaX marking -${flags} with paxctl-ng"
- _pax_list_files einfo "$@"
- for f in "$@"; do
- [[ ${dodefault} == "yes" ]] && paxctl-ng -d "${f}"
- [[ "${flags}" ]] || continue
- paxctl-ng -l -${flags} "${f}" && continue
- xt_fail=1
- xt_failures="${tx_failures} ${f}"
- done
-
- #Next try setfattr
- elif type -p setfattr > /dev/null; then
- [[ "${flags//[!Ee]}" ]] || flags+="e" # bug 447150
- einfo "XT PaX marking -${flags} with setfattr"
- _pax_list_files einfo "$@"
- for f in "$@"; do
- [[ ${dodefault} == "yes" ]] && setfattr -x "user.pax.flags" "${f}"
- setfattr -n "user.pax.flags" -v "${flags}" "${f}" && continue
- xt_fail=1
- xt_failures="${tx_failures} ${f}"
- done
-
- #We failed to set XATTR_PAX flags
- elif [[ ${PAX_MARKINGS} != "none" ]]; then
- xt_failures="$*"
- xt_fail=1
- fi
-
- if [[ ${xt_fail} == 1 ]]; then
- ewarn "Failed to set XATTR_PAX markings -${flags} for:"
- _pax_list_files ewarn ${xt_failures}
- ret=1
- fi
- fi
-
- [[ ${ret} == 1 ]] && ewarn "Executables may be killed by PaX kernels."
-
- return ${ret}
-}
-
-# @FUNCTION: list-paxables
-# @USAGE: {<files>}
-# @RETURN: Subset of {<files>} which are ELF executables or shared objects
-# @DESCRIPTION:
-# Print to stdout all of the <files> that are suitable to have PaX flag
-# markings, i.e., filter out the ELF executables or shared objects from a list
-# of files. This is useful for passing wild-card lists to pax-mark, although
-# in general it is preferable for ebuilds to list precisely which ELFS are to
-# be marked. Often not all the ELF installed by a package need remarking.
-# @EXAMPLE:
-# pax-mark -m $(list-paxables ${S}/{,usr/}bin/*)
-list-paxables() {
- file "$@" 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//'
-}
-
-# @FUNCTION: host-is-pax
-# @RETURN: Shell true if the build process is PaX enabled, shell false otherwise
-# @DESCRIPTION:
-# This is intended for use where the build process must be modified conditionally
-# depending on whether the host is PaX enabled or not. It is not intedened to
-# determine whether the final binaries need PaX markings. Note: if procfs is
-# not mounted on /proc, this returns shell false (e.g. Gentoo/FBSD).
-host-is-pax() {
- grep -qs ^PaX: /proc/self/status
-}
-
-
-# INTERNAL FUNCTIONS
-# ------------------
-#
-# These functions are for use internally by the eclass - do not use
-# them elsewhere as they are not supported (i.e. they may be removed
-# or their function may change arbitratily).
-
-# Display a list of things, one per line, indented a bit, using the
-# display command in $1.
-_pax_list_files() {
- local f cmd
- cmd=$1
- shift
- for f in "$@"; do
- ${cmd} " ${f}"
- done
-}
-
-fi
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2016-04-23 18:23 Magnus Granberg
From: Magnus Granberg @ 2016-04-23 18:23 UTC (permalink / raw
To: gentoo-commits
commit: 331f79b74debeac8f5d162e93f13a143365b2d4e
Author: Magnus Granberg <zorry <AT> gentoo <DOT> org>
AuthorDate: Sat Apr 23 16:16:59 2016 +0000
Commit: Magnus Granberg <zorry <AT> gentoo <DOT> org>
CommitDate: Sat Apr 23 16:16:59 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-dev.git/commit/?id=331f79b7
update toolchain.eclass and use pch
eclass/toolchain.eclass | 517 +++++++++++++++++++++++++++++++++---------------
1 file changed, 361 insertions(+), 156 deletions(-)
diff --git a/eclass/toolchain.eclass b/eclass/toolchain.eclass
index d340ae7..ececcdc 100644
--- a/eclass/toolchain.eclass
+++ b/eclass/toolchain.eclass
@@ -1,12 +1,11 @@
-# Copyright 1999-2013 Gentoo Foundation
+# Copyright 1999-2016 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
# Maintainer: Toolchain Ninjas <toolchain@gentoo.org>
DESCRIPTION="The GNU Compiler Collection"
-HOMEPAGE="http://gcc.gnu.org/"
-LICENSE="GPL-2 LGPL-2.1"
+HOMEPAGE="https://gcc.gnu.org/"
RESTRICT="strip" # cross-compilers need controlled stripping
inherit eutils fixheadtails flag-o-matic gnuconfig libtool multilib pax-utils toolchain-funcs versionator
@@ -27,7 +26,7 @@ FEATURES=${FEATURES/multilib-strict/}
EXPORTED_FUNCTIONS="pkg_setup src_unpack src_compile src_test src_install pkg_postinst pkg_postrm"
case ${EAPI:-0} in
- 0|1) ;;
+ 0|1) die "Need to upgrade to at least EAPI=2";;
2|3) EXPORTED_FUNCTIONS+=" src_prepare src_configure" ;;
4*|5*) EXPORTED_FUNCTIONS+=" pkg_pretend src_prepare src_configure" ;;
*) die "I don't speak EAPI ${EAPI}."
@@ -38,8 +37,8 @@ EXPORT_FUNCTIONS ${EXPORTED_FUNCTIONS}
export CTARGET=${CTARGET:-${CHOST}}
if [[ ${CTARGET} = ${CHOST} ]] ; then
- if [[ ${CATEGORY/cross-} != ${CATEGORY} ]] ; then
- export CTARGET=${CATEGORY/cross-}
+ if [[ ${CATEGORY} == cross-* ]] ; then
+ export CTARGET=${CATEGORY#cross-}
fi
fi
: ${TARGET_ABI:=${ABI}}
@@ -51,7 +50,7 @@ is_crosscompile() {
}
# General purpose version check. Without a second arg matches up to minor version (x.x.x)
-tc_version_is_at_least() {
+tc_version_is_at_least() {
version_is_at_least "$1" "${2:-${GCC_RELEASE_VER}}"
}
@@ -77,12 +76,9 @@ GCCMICRO=$(get_version_component_range 3 ${GCC_PV})
GCC_CONFIG_VER=${GCC_CONFIG_VER:-$(replace_version_separator 3 '-' ${GCC_PV})}
# Pre-release support
-if [[ ${GCC_PV} != ${GCC_PV/_pre/-} ]] ; then
+if [[ ${GCC_PV} == *_pre* ]] ; then
PRERELEASE=${GCC_PV/_pre/-}
-fi
-
-# make _alpha and _beta ebuilds automatically use a snapshot
-if [[ ${GCC_PV} == *_alpha* ]] ; then
+elif [[ ${GCC_PV} == *_alpha* ]] ; then
SNAPSHOT=${GCC_BRANCH_VER}-${GCC_PV##*_alpha}
elif [[ ${GCC_PV} == *_beta* ]] ; then
SNAPSHOT=${GCC_BRANCH_VER}-${GCC_PV##*_beta}
@@ -90,6 +86,11 @@ elif [[ ${GCC_PV} == *_rc* ]] ; then
SNAPSHOT=${GCC_PV%_rc*}-RC-${GCC_PV##*_rc}
fi
+if [[ ${SNAPSHOT} == [56789].0-* ]] ; then
+ # The gcc-5+ releases have dropped the .0 for some reason.
+ SNAPSHOT=${SNAPSHOT/.0}
+fi
+
export GCC_FILESDIR=${GCC_FILESDIR:-${FILESDIR}}
PREFIX=${TOOLCHAIN_PREFIX:-/usr}
@@ -103,6 +104,7 @@ INCLUDEPATH=${TOOLCHAIN_INCLUDEPATH:-${LIBPATH}/include}
if is_crosscompile ; then
BINPATH=${TOOLCHAIN_BINPATH:-${PREFIX}/${CHOST}/${CTARGET}/gcc-bin/${GCC_CONFIG_VER}}
+ HOSTLIBPATH=${PREFIX}/${CHOST}/${CTARGET}/lib/${GCC_CONFIG_VER}
else
BINPATH=${TOOLCHAIN_BINPATH:-${PREFIX}/${CTARGET}/gcc-bin/${GCC_CONFIG_VER}}
fi
@@ -113,12 +115,28 @@ DATAPATH=${TOOLCHAIN_DATAPATH:-${PREFIX}/share/gcc-data/${CTARGET}/${GCC_CONFIG_
# We will handle /usr/include/g++-v3/ with gcc-config ...
STDCXX_INCDIR=${TOOLCHAIN_STDCXX_INCDIR:-${LIBPATH}/include/g++-v${GCC_BRANCH_VER/\.*/}}
-#---->> SLOT+IUSE logic <<----
+#---->> LICENSE+SLOT+IUSE logic <<----
+
+if tc_version_is_at_least 4.6 ; then
+ LICENSE="GPL-3+ LGPL-3+ || ( GPL-3+ libgcc libstdc++ gcc-runtime-library-exception-3.1 ) FDL-1.3+"
+elif tc_version_is_at_least 4.4 ; then
+ LICENSE="GPL-3+ LGPL-3+ || ( GPL-3+ libgcc libstdc++ gcc-runtime-library-exception-3.1 ) FDL-1.2+"
+elif tc_version_is_at_least 4.3 ; then
+ LICENSE="GPL-3+ LGPL-3+ || ( GPL-3+ libgcc libstdc++ ) FDL-1.2+"
+elif tc_version_is_at_least 4.2 ; then
+ LICENSE="GPL-3+ LGPL-2.1+ || ( GPL-3+ libgcc libstdc++ ) FDL-1.2+"
+elif tc_version_is_at_least 3.3 ; then
+ LICENSE="GPL-2+ LGPL-2.1+ FDL-1.2+"
+else
+ LICENSE="GPL-2+ LGPL-2.1+ FDL-1.1+"
+fi
-IUSE="multislot nls nptl regression-test vanilla"
+IUSE="multislot regression-test vanilla"
+IUSE_DEF=( nls nptl )
if [[ ${PN} != "kgcc64" && ${PN} != gcc-* ]] ; then
- IUSE+=" altivec cxx fortran"
+ IUSE+=" altivec debug"
+ IUSE_DEF+=( cxx fortran )
[[ -n ${PIE_VER} ]] && IUSE+=" nopie"
[[ -n ${HTB_VER} ]] && IUSE+=" boundschecking"
[[ -n ${D_VER} ]] && IUSE+=" d"
@@ -127,28 +145,31 @@ if [[ ${PN} != "kgcc64" && ${PN} != gcc-* ]] ; then
tc_version_is_at_least 4.0 && IUSE+=" objc-gc"
tc_version_is_between 4.0 4.9 && IUSE+=" mudflap"
tc_version_is_at_least 4.1 && IUSE+=" libssp objc++"
- tc_version_is_at_least 4.2 && IUSE+=" openmp"
+ tc_version_is_at_least 4.2 && IUSE_DEF+=( openmp )
tc_version_is_at_least 4.3 && IUSE+=" fixed-point"
- tc_version_is_at_least 4.6 && IUSE+=" graphite"
tc_version_is_at_least 4.7 && IUSE+=" go"
+ # Note: while <=gcc-4.7 also supported graphite, it required forked ppl
+ # versions which we dropped. Since graphite was also experimental in
+ # the older versions, we don't want to bother supporting it. #448024
+ tc_version_is_at_least 4.8 && IUSE+=" graphite" IUSE_DEF+=( sanitize )
+ tc_version_is_at_least 4.9 && IUSE+=" cilk"
+ tc_version_is_at_least 5.0 && IUSE+=" jit pch"
+ tc_version_is_at_least 6.0 && IUSE+=" pie +ssp"
fi
-# Support upgrade paths here or people get pissed
-if use multislot ; then
- SLOT="${GCC_CONFIG_VER}"
-else
- SLOT="${GCC_BRANCH_VER}"
-fi
+IUSE+=" ${IUSE_DEF[*]/#/+}"
+
+SLOT="${GCC_CONFIG_VER}"
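Review bot: `SLOT="${GCC_CONFIG_VER}"` deletes the only visible reader of the `multislot` USE flag, yet `multislot` is still declared in `IUSE="multislot regression-test vanilla"` in the previous hunk, so users keep a flag that, as far as these hunks show, no longer changes anything. If nothing else in the eclass tests it, drop it from `IUSE`; if it is kept so existing `package.use` entries stay valid, a comment such as `# multislot is a no-op now that SLOT is always GCC_CONFIG_VER; kept for compatibility` next to the `IUSE=` line would say so.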
#---->> DEPEND <<----
RDEPEND="sys-libs/zlib
- nls? ( sys-devel/gettext )"
+ nls? ( virtual/libintl )"
tc_version_is_at_least 3 && RDEPEND+=" virtual/libiconv"
if tc_version_is_at_least 4 ; then
- GMP_MPFR_DEPS=">=dev-libs/gmp-4.3.2 >=dev-libs/mpfr-2.4.2"
+ GMP_MPFR_DEPS=">=dev-libs/gmp-4.3.2:0 >=dev-libs/mpfr-2.4.2:0"
if tc_version_is_at_least 4.3 ; then
RDEPEND+=" ${GMP_MPFR_DEPS}"
elif in_iuse fortran ; then
@@ -156,27 +177,24 @@ if tc_version_is_at_least 4 ; then
fi
fi
-tc_version_is_at_least 4.5 && RDEPEND+=" >=dev-libs/mpc-0.8.1"
+tc_version_is_at_least 4.5 && RDEPEND+=" >=dev-libs/mpc-0.8.1:0"
if in_iuse graphite ; then
- if tc_version_is_at_least 4.8 ; then
+ if tc_version_is_at_least 5.0 ; then
+ RDEPEND+=" graphite? ( >=dev-libs/isl-0.14 )"
+ elif tc_version_is_at_least 4.8 ; then
RDEPEND+="
graphite? (
>=dev-libs/cloog-0.18.0
>=dev-libs/isl-0.11.1
)"
- else
- RDEPEND+="
- graphite? (
- >=dev-libs/cloog-ppl-0.15.10
- >=dev-libs/ppl-0.11
- )"
fi
fi
DEPEND="${RDEPEND}
>=sys-devel/bison-1.875
>=sys-devel/flex-2.5.4
+ nls? ( sys-devel/gettext )
regression-test? (
>=dev-util/dejagnu-1.4.4
>=sys-devel/autogen-5.5.4
@@ -192,10 +210,6 @@ if in_iuse gcj ; then
x11-proto/xextproto
=x11-libs/gtk+-2*
virtual/pkgconfig
- amd64? ( multilib? (
- app-emulation/emul-linux-x86-gtklibs
- app-emulation/emul-linux-x86-xlibs
- ) )
"
tc_version_is_at_least 3.4 && GCJ_GTK_DEPS+=" x11-libs/pango"
tc_version_is_at_least 4.2 && GCJ_DEPS+=" app-arch/zip app-arch/unzip"
@@ -219,9 +233,9 @@ S=$(
)
gentoo_urls() {
- local devspace="HTTP~vapier/dist/URI HTTP~dirtyepic/dist/URI
- HTTP~halcy0n/patches/URI HTTP~zorry/patches/gcc/URI"
- devspace=${devspace//HTTP/http:\/\/dev.gentoo.org\/}
+ local devspace="HTTP~vapier/dist/URI HTTP~rhill/dist/URI
+ HTTP~zorry/patches/gcc/URI HTTP~blueness/dist/URI"
+ devspace=${devspace//HTTP/https:\/\/dev.gentoo.org\/}
echo mirror://gentoo/$1 ${devspace//URI/$1}
}
@@ -292,11 +306,14 @@ get_gcc_src_uri() {
# Set where to download gcc itself depending on whether we're using a
# prerelease, snapshot, or release tarball.
- if [[ -n ${PRERELEASE} ]] ; then
+ if [[ ${PV} == *9999* ]] ; then
+ # Nothing to do w/git snapshots.
+ :
+ elif [[ -n ${PRERELEASE} ]] ; then
GCC_SRC_URI="ftp://gcc.gnu.org/pub/gcc/prerelease-${PRERELEASE}/gcc-${PRERELEASE}.tar.bz2"
elif [[ -n ${SNAPSHOT} ]] ; then
GCC_SRC_URI="ftp://gcc.gnu.org/pub/gcc/snapshots/${SNAPSHOT}/gcc-${SNAPSHOT}.tar.bz2"
- elif [[ ${PV} != *9999* ]] ; then
+ else
GCC_SRC_URI="mirror://gnu/gcc/gcc-${GCC_PV}/gcc-${GCC_RELEASE_VER}.tar.bz2"
# we want all branch updates to be against the main release
[[ -n ${BRANCH_UPDATE} ]] && \
@@ -367,8 +384,8 @@ toolchain_pkg_pretend() {
#---->> pkg_setup <<----
toolchain_pkg_setup() {
- case "${EAPI:-0}" in
- 0|1|2|3) toolchain_pkg_pretend ;;
+ case ${EAPI} in
+ 2|3) toolchain_pkg_pretend ;;
esac
# we dont want to use the installed compiler's specs to build gcc
@@ -384,10 +401,6 @@ toolchain_src_unpack() {
else
gcc_quick_unpack
fi
-
- case ${EAPI:-0} in
- 0|1) toolchain_src_prepare ;;
- esac
}
gcc_quick_unpack() {
@@ -473,7 +486,7 @@ toolchain_src_prepare() {
do_gcc_PIE_patches
epatch_user
- if ( tc_version_is_at_least 4.8 || use hardened ) && ! use vanilla ; then
+ if ( tc_version_is_at_least 4.8.2 || use hardened ) && ! use vanilla ; then
make_gcc_hard
fi
@@ -613,7 +626,6 @@ do_gcc_PIE_patches() {
# configure to build with the hardened GCC specs as the default
make_gcc_hard() {
-
# we want to be able to control the pie patch logic via something other
# than ALL_CFLAGS...
sed -e '/^ALL_CFLAGS/iHARD_CFLAGS = ' \
@@ -641,9 +653,8 @@ make_gcc_hard() {
ewarn "PIE has not been enabled by default"
gcc_hard_flags+=" -DEFAULT_SSP"
else
- # do nothing if hardened isnt supported, but dont die either
+ # do nothing if hardened isn't supported, but don't die either
ewarn "hardened is not supported for this arch in this gcc version"
- ebeep
return 0
fi
# rebrand to make bug reports easier
@@ -766,6 +777,7 @@ do_gcc_rename_java_bins() {
#---->> src_configure <<----
toolchain_src_configure() {
+ downgrade_arch_flags
gcc_do_filter_flags
einfo "CFLAGS=\"${CFLAGS}\""
@@ -823,6 +835,7 @@ toolchain_src_configure() {
is_d && GCC_LANG+=",d"
is_gcj && GCC_LANG+=",java"
is_go && GCC_LANG+=",go"
+ is_jit && GCC_LANG+=",jit"
if is_objc || is_objcxx ; then
GCC_LANG+=",objc"
if tc_version_is_at_least 4 ; then
@@ -830,7 +843,6 @@ toolchain_src_configure() {
fi
is_objcxx && GCC_LANG+=",obj-c++"
fi
- is_treelang && GCC_LANG+=",treelang"
# fortran support just got sillier! the lang value can be f77 for
# fortran77, f95 for fortran95, or just plain old fortran for the
@@ -863,10 +875,10 @@ toolchain_src_configure() {
# Use the default ("release") checking because upstream usually neglects
# to test "disabled" so it has a history of breaking. #317217
- if tc_version_is_at_least 4 || [[ -n ${GCC_CHECKS_LIST} ]] ; then
- confgcc+=( --enable-checking=${GCC_CHECKS_LIST:-release} )
- else
- confgcc+=( --disable-checking )
+ if tc_version_is_at_least 3.4 ; then
+ # The "release" keyword is new to 4.0. #551636
+ local off=$(tc_version_is_at_least 4.0 && echo release || echo no)
+ confgcc+=( --enable-checking="${GCC_CHECKS_LIST:-$(usex debug yes ${off})}" )
fi
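Review bot: `usex debug` on the new `--enable-checking` line runs for every ebuild that inherits this eclass, but `debug` is only added to `IUSE` inside the `[[ ${PN} != "kgcc64" && ${PN} != gcc-* ]]` block earlier in this commit, so for kgcc64 and gcc-* packages it queries a flag that is not in IUSE, which Portage reports as a USE-not-in-IUSE QA problem and, depending on the Portage version, may turn into a failed call. Either add `debug` to the unconditional `IUSE=` line or guard the query the way the file already guards `graphite`, e.g. `local chk=${off}; in_iuse debug && use debug && chk=yes` and then `--enable-checking="${GCC_CHECKS_LIST:-${chk}}"`. The enclosing `toolchain_src_configure` function starts and ends outside the hunk.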
# Branding
@@ -887,6 +899,24 @@ toolchain_src_configure() {
confgcc+=( --enable-libstdcxx-time )
fi
+ # Support to disable pch when building libstdcxx
+ if tc_version_is_at_least 5.0 && ! use pch ; then
+ confgcc+=( --disable-libstdcxx-pch )
+ fi
+
+ # The jit language requires this.
+ is_jit && confgcc+=( --enable-host-shared )
+
+ # # Turn on the -Wl,--build-id flag by default for ELF targets. #525942
+ # # This helps with locating debug files.
+ # case ${CTARGET} in
+ # *-linux-*|*-elf|*-eabi)
+ # tc_version_is_at_least 4.5 && confgcc+=(
+ # --enable-linker-build-id
+ # )
+ # ;;
+ # esac
+
# newer gcc versions like to bootstrap themselves with C++,
# so we need to manually disable it ourselves
if tc_version_is_between 4.7 4.8 && ! is_cxx ; then
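Review bot: The nine commented-out lines starting at `# # Turn on the -Wl,--build-id flag by default for ELF targets. #525942` add dead configure logic to the new side, and the doubled `# #` prefix suggests they were pasted from an already-disabled block. Commented-out code tends to rot silently; if `--enable-linker-build-id` is deliberately not enabled here, a single line such as `# --enable-linker-build-id (#525942) intentionally not set; see the bug for status` keeps the pointer without the dead code, otherwise the block should be dropped. The enclosing `toolchain_src_configure` function starts and ends outside the hunk.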
@@ -1007,9 +1037,9 @@ toolchain_src_configure() {
*)
# If they've explicitly opt-ed in, do hardfloat,
# otherwise let the gcc default kick in.
- [[ ${CTARGET//_/-} == *-hardfloat-* ]] \
- && confgcc+=( --with-float=hard )
- ;;
+ case ${CTARGET//_/-} in
+ *-hardfloat-*|*eabihf) confgcc+=( --with-float=hard ) ;;
+ esac
esac
local with_abi_map=()
@@ -1055,7 +1085,7 @@ toolchain_src_configure() {
amd64)
# drop the older/ABI checks once this get's merged into some
# version of gcc upstream
- if tc_version_is_at_least 4.7 && has x32 $(get_all_abis TARGET) ; then
+ if tc_version_is_at_least 4.8 && has x32 $(get_all_abis TARGET) ; then
confgcc+=( --with-abi=$(gcc-abi-map ${TARGET_DEFAULT_ABI}) )
fi
;;
@@ -1129,10 +1159,15 @@ toolchain_src_configure() {
if use_if_iuse libssp ; then
confgcc+=( --enable-libssp )
else
- export gcc_cv_libc_provides_ssp=yes
+ if hardened_gcc_is_stable ssp; then
+ export gcc_cv_libc_provides_ssp=yes
+ fi
confgcc+=( --disable-libssp )
fi
+ fi
+ if in_iuse cilk ; then
+ confgcc+=( $(use_enable cilk libcilkrts) )
fi
# newer gcc's come with libquadmath, but only fortran uses
@@ -1147,21 +1182,28 @@ toolchain_src_configure() {
confgcc+=( --disable-lto )
fi
- # graphite was added in 4.4 but we only support it in 4.6+ due to external
- # library issues. 4.6/4.7 uses cloog-ppl which is a fork of CLooG with a
- # PPL backend. 4.8+ uses upstream CLooG with the ISL backend. We install
- # cloog-ppl into a non-standard location to prevent collisions.
- if tc_version_is_at_least 4.8 ; then
- confgcc+=( $(use_with graphite cloog) )
+ # graphite was added in 4.4 but we only support it in 4.8+ due to external
+ # library issues. #448024
+ if tc_version_is_at_least 5.0 ; then
+ confgcc+=( $(use_with graphite isl) )
use graphite && confgcc+=( --disable-isl-version-check )
- elif tc_version_is_at_least 4.6 ; then
+ elif tc_version_is_at_least 4.8 ; then
confgcc+=( $(use_with graphite cloog) )
- confgcc+=( $(use_with graphite ppl) )
- use graphite && confgcc+=( --with-cloog-include=/usr/include/cloog-ppl )
- use graphite && confgcc+=( --disable-ppl-version-check )
+ use graphite && confgcc+=( --disable-isl-version-check )
elif tc_version_is_at_least 4.4 ; then
- confgcc+=( --without-cloog )
- confgcc+=( --without-ppl )
+ confgcc+=( --without-{cloog,ppl} )
+ fi
+
+ if tc_version_is_at_least 4.8 ; then
+ confgcc+=( $(use_enable sanitize libsanitizer) )
+ fi
+
+ if tc_version_is_at_least 6.0 ; then
+ confgcc+=(
+ $(use_enable pie default-pie)
+ # This defaults to -fstack-protector-strong.
+ $(use_enable ssp default-ssp)
+ )
fi
# Disable gcc info regeneration -- it ships with generated info pages
@@ -1196,12 +1238,143 @@ toolchain_src_configure() {
# and now to do the actual configuration
addwrite /dev/zero
echo "${S}"/configure "${confgcc[@]}"
- "${S}"/configure "${confgcc[@]}" || die "failed to run configure"
+ # Older gcc versions did not detect bash and re-exec itself, so force the
+ # use of bash. Newer ones will auto-detect, but this is not harmeful.
+ CONFIG_SHELL="/bin/bash" \
+ bash "${S}"/configure "${confgcc[@]}" || die "failed to run configure"
# return to whatever directory we were in before
popd > /dev/null
}
+# Replace -m flags unsupported by the version being built with the best
+# available equivalent
+downgrade_arch_flags() {
+ local arch bver i isa myarch mytune rep ver
+
+ bver=${1:-${GCC_BRANCH_VER}}
+ [[ $(gcc-version) < ${bver} ]] && return 0
+ [[ $(tc-arch) != amd64 && $(tc-arch) != x86 ]] && return 0
+
+ myarch=$(get-flag march)
+ mytune=$(get-flag mtune)
+
+ # If -march=native isn't supported we have to tease out the actual arch
+ if [[ ${myarch} == native || ${mytune} == native ]] ; then
+ if [[ ${bver} < 4.2 ]] ; then
+ arch=$($(tc-getCC) -march=native -v -E -P - </dev/null 2>&1 \
+ | sed -rn "/cc1.*-march/s:.*-march=([^ ']*).*:\1:p")
+ replace-cpu-flags native ${arch}
+ fi
+ fi
+
+ # Handle special -mtune flags
+ [[ ${mytune} == intel && ${bver} < 4.9 ]] && replace-cpu-flags intel generic
+ [[ ${mytune} == generic && ${bver} < 4.2 ]] && filter-flags '-mtune=*'
+ [[ ${mytune} == x86-64 ]] && filter-flags '-mtune=*'
+ [[ ${bver} < 3.4 ]] && filter-flags '-mtune=*'
+
+ # "added" "arch" "replacement"
+ local archlist=(
+ 4.9 bdver4 bdver3
+ 4.9 bonnell atom
+ 4.9 broadwell core-avx2
+ 4.9 haswell core-avx2
+ 4.9 ivybridge core-avx-i
+ 4.9 nehalem corei7
+ 4.9 sandybridge corei7-avx
+ 4.9 silvermont corei7
+ 4.9 westmere corei7
+ 4.8 bdver3 bdver2
+ 4.8 btver2 btver1
+ 4.7 bdver2 bdver1
+ 4.7 core-avx2 core-avx-i
+ 4.6 bdver1 amdfam10
+ 4.6 btver1 amdfam10
+ 4.6 core-avx-i core2
+ 4.6 corei7 core2
+ 4.6 corei7-avx core2
+ 4.5 atom core2
+ 4.3 amdfam10 k8
+ 4.3 athlon64-sse3 k8
+ 4.3 barcelona k8
+ 4.3 core2 nocona
+ 4.3 geode k6-2 # gcc.gnu.org/PR41989#c22
+ 4.3 k8-sse3 k8
+ 4.3 opteron-sse3 k8
+ 3.4 athlon-fx x86-64
+ 3.4 athlon64 x86-64
+ 3.4 c3-2 c3
+ 3.4 k8 x86-64
+ 3.4 opteron x86-64
+ 3.4 pentium-m pentium3
+ 3.4 pentium3m pentium3
+ 3.4 pentium4m pentium4
+ )
+
+ for ((i = 0; i < ${#archlist[@]}; i += 3)) ; do
+ myarch=$(get-flag march)
+ mytune=$(get-flag mtune)
+
+ ver=${archlist[i]}
+ arch=${archlist[i + 1]}
+ rep=${archlist[i + 2]}
+
+ [[ ${myarch} != ${arch} && ${mytune} != ${arch} ]] && continue
+
+ if [[ ${ver} > ${bver} ]] ; then
+ einfo "Replacing ${myarch} (added in gcc ${ver}) with ${rep}..."
+ [[ ${myarch} == ${arch} ]] && replace-cpu-flags ${myarch} ${rep}
+ [[ ${mytune} == ${arch} ]] && replace-cpu-flags ${mytune} ${rep}
+ continue
+ else
+ break
+ fi
+ done
+
+ # we only check -mno* here since -m* get removed by strip-flags later on
+ local isalist=(
+ 4.9 -mno-sha
+ 4.9 -mno-avx512pf
+ 4.9 -mno-avx512f
+ 4.9 -mno-avx512er
+ 4.9 -mno-avx512cd
+ 4.8 -mno-xsaveopt
+ 4.8 -mno-xsave
+ 4.8 -mno-rtm
+ 4.8 -mno-fxsr
+ 4.7 -mno-lzcnt
+ 4.7 -mno-bmi2
+ 4.7 -mno-avx2
+ 4.6 -mno-tbm
+ 4.6 -mno-rdrnd
+ 4.6 -mno-fsgsbase
+ 4.6 -mno-f16c
+ 4.6 -mno-bmi
+ 4.5 -mno-xop
+ 4.5 -mno-movbe
+ 4.5 -mno-lwp
+ 4.5 -mno-fma4
+ 4.4 -mno-pclmul
+ 4.4 -mno-fma
+ 4.4 -mno-avx
+ 4.4 -mno-aes
+ 4.3 -mno-ssse3
+ 4.3 -mno-sse4a
+ 4.3 -mno-sse4
+ 4.3 -mno-sse4.2
+ 4.3 -mno-sse4.1
+ 4.3 -mno-popcnt
+ 4.3 -mno-abm
+ )
+
+ for ((i = 0; i < ${#isalist[@]}; i += 2)) ; do
+ ver=${isalist[i]}
+ isa=${isalist[i + 1]}
+ [[ ${ver} > ${bver} ]] && filter-flags ${isa} ${isa/-m/-mno-}
+ done
+}
+
gcc_do_filter_flags() {
strip-flags
replace-flags -O? -O2
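Review bot: `downgrade_arch_flags` compares version strings with `[[ ... < ... ]]` and `[[ ... > ... ]]` (`[[ $(gcc-version) < ${bver} ]]`, `[[ ${ver} > ${bver} ]]` and the `-mtune`/`bver` checks), which is a lexical comparison: it works while both majors are single digits, but a two-digit major such as 10.1 sorts before 4.9 and the function would then silently stop downgrading flags. The file already inherits versionator and uses `version_is_at_least` inside `tc_version_is_at_least`, so `version_is_at_least "${bver}" "$(gcc-version)" || return 0` and `if ! version_is_at_least "${ver}" "${bver}" ; then` express the same tests robustly; the same substitution applies to the `isalist` loop. Separately, if the `-march=native` probe on the `sed` line yields nothing, `replace-cpu-flags native ${arch}` is called with an empty replacement; what flag-o-matic does with that is not visible here, so a `[[ -n ${arch} ]] &&` guard would make the intent explicit. The hunk also rewrites the `configure` invocation earlier in `toolchain_src_configure`, whose body starts outside the hunk.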
@@ -1209,26 +1382,14 @@ gcc_do_filter_flags() {
# dont want to funk ourselves
filter-flags '-mabi*' -m31 -m32 -m64
- filter-flags '-frecord-gcc-switches' # 490738
+ filter-flags -frecord-gcc-switches # 490738
+ filter-flags -mno-rtm -mno-htm # 506202
if tc_version_is_between 3.2 3.4 ; then
# XXX: this is so outdated it's barely useful, but it don't hurt...
- replace-cpu-flags k8 athlon64 opteron x86-64
- replace-cpu-flags pentium-m pentium3m pentium3
replace-cpu-flags G3 750
replace-cpu-flags G4 7400
replace-cpu-flags G5 7400
-
- case $(tc-arch) in
- amd64)
- replace-cpu-flags core2 nocona
- filter-flags '-mtune=*'
- ;;
- x86)
- replace-cpu-flags core2 prescott
- filter-flags '-mtune=*'
- ;;
- esac
# XXX: should add a sed or something to query all supported flags
# from the gcc source and trim everything else ...
@@ -1241,6 +1402,9 @@ gcc_do_filter_flags() {
case $(tc-arch) in
amd64|x86)
filter-flags '-mcpu=*'
+
+ tc_version_is_between 4.4 4.5 && append-flags -mno-avx # 357287
+
if tc_version_is_between 4.6 4.7 ; then
# https://bugs.gentoo.org/411333
# https://bugs.gentoo.org/466454
@@ -1316,7 +1480,7 @@ gcc-multilib-configure() {
if [[ -n ${list} ]] ; then
case ${CTARGET} in
x86_64*)
- tc_version_is_at_least 4.7 && confgcc+=( --with-multilib-list=${list:1} )
+ tc_version_is_at_least 4.8 && confgcc+=( --with-multilib-list=${list:1} )
;;
esac
fi
@@ -1340,30 +1504,25 @@ gcc-abi-map() {
#----> src_compile <----
toolchain_src_compile() {
- case ${EAPI:-0} in
- 0|1) toolchain_src_configure ;;
- esac
-
touch "${S}"/gcc/c-gperf.h
# Do not make manpages if we do not have perl ...
[[ ! -x /usr/bin/perl ]] \
- && find "${WORKDIR}"/build -name '*.[17]' | xargs touch
+ && find "${WORKDIR}"/build -name '*.[17]' -exec touch {} +
- einfo "Compiling ${PN} ..."
gcc_do_make ${GCC_MAKE_TARGET}
}
gcc_do_make() {
# This function accepts one optional argument, the make target to be used.
# If omitted, gcc_do_make will try to guess whether it should use all,
- # profiledbootstrap, or bootstrap-lean depending on CTARGET and arch. An
- # example of how to use this function:
+ # or bootstrap-lean depending on CTARGET and arch.
+ # An example of how to use this function:
#
# gcc_do_make all-target-libstdc++-v3
- #
- # Set make target to $1 if passed
+
[[ -n ${1} ]] && GCC_MAKE_TARGET=${1}
+
# default target
if is_crosscompile || tc-is-cross-compiler ; then
# 3 stage bootstrapping doesnt quite work when you cant run the
@@ -1373,13 +1532,11 @@ gcc_do_make() {
GCC_MAKE_TARGET=${GCC_MAKE_TARGET-bootstrap-lean}
fi
- # the gcc docs state that parallel make isnt supported for the
- # profiledbootstrap target, as collisions in profile collecting may occur.
+ # Older versions of GCC could not do profiledbootstrap in parallel due to
+ # collisions with profiling info.
# boundschecking also seems to introduce parallel build issues.
- if [[ ${GCC_MAKE_TARGET} == "profiledbootstrap" ]] ||
- use_if_iuse boundschecking
- then
- export MAKEOPTS="${MAKEOPTS} -j1"
+ if [[ ${GCC_MAKE_TARGET} == "profiledbootstrap" ]] || use_if_iuse boundschecking ; then
+ ! tc_version_is_at_least 4.6 && export MAKEOPTS="${MAKEOPTS} -j1"
fi
if [[ ${GCC_MAKE_TARGET} == "all" ]] ; then
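Review bot: The `! tc_version_is_at_least 4.6` guard inside the rewritten if-block now also lifts the `-j1` restriction for boundschecking builds, although the retained comment still says boundschecking introduces parallel build issues; only the profiledbootstrap half of the condition is version dependent. Keep boundschecking serialized regardless of version, e.g. `if { [[ ${GCC_MAKE_TARGET} == "profiledbootstrap" ]] && ! tc_version_is_at_least 4.6 ; } || use_if_iuse boundschecking ; then` with an unconditional `export MAKEOPTS="${MAKEOPTS} -j1"` in the body, or update the comment if dropping it was intentional. gcc_do_make continues outside the hunk.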
@@ -1400,6 +1557,8 @@ gcc_do_make() {
BOOT_CFLAGS=${BOOT_CFLAGS-"$(get_abi_CFLAGS ${TARGET_DEFAULT_ABI}) ${CFLAGS}"}
fi
+ einfo "Compiling ${PN} (${GCC_MAKE_TARGET})..."
+
pushd "${WORKDIR}"/build >/dev/null
emake \
@@ -1419,6 +1578,13 @@ gcc_do_make() {
cd "${CTARGET}"/libstdc++-v3
emake doxygen-man || ewarn "failed to make docs"
fi
+ # Clean bogus manpages. #113902
+ find -name '*_build_*' -delete
+ # Blow away generated directory references. Newer versions of gcc
+ # have gotten better at this, but not perfect. This is easier than
+ # backporting all of the various doxygen patches. #486754
+ find -name '*_.3' -exec grep -l ' Directory Reference ' {} + | \
+ xargs rm -f
else
ewarn "Skipping libstdc++ manpage generation since you don't have doxygen installed"
fi
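Review bot: The added `find -name '*_.3' -exec grep -l ' Directory Reference ' {} + | xargs rm -f` feeds newline-separated names to xargs, which splits on whitespace and interprets quotes, so any generated manpage name containing a space or quote would be mangled and `rm -f` would then silently ignore the wrong names. Use NUL separation, `find -name '*_.3' -exec grep -lZ ' Directory Reference ' {} + | xargs -0 rm -f`, or let find delete directly: `find -name '*_.3' -exec grep -q ' Directory Reference ' {} \; -delete`. Both forms, like the lines in the hunk, depend on GNU find accepting a missing starting point. gcc_do_make continues outside the hunk.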
@@ -1454,8 +1620,12 @@ toolchain_src_install() {
fi
done
- # Remove generated headers, as they can cause things to break
- # (ncurses, openssl, etc).
+ # We remove the generated fixincludes, as they can cause things to break
+ # (ncurses, openssl, etc). We do not prevent them from being built, as
+ # in the following commit which we revert:
+ # https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/eclass/toolchain.eclass?r1=1.647&r2=1.648
+ # This is because bsd userland needs fixedincludes to build gcc, while
+ # linux does not. Both can dispose of them afterwards.
while read x ; do
grep -q 'It has been auto-edited by fixincludes from' "${x}" \
&& rm -f "${x}"
@@ -1496,7 +1666,12 @@ toolchain_src_install() {
for x in cpp gcc g++ c++ gcov g77 gcj gcjh gfortran gccgo ; do
# For some reason, g77 gets made instead of ${CTARGET}-g77...
# this should take care of that
- [[ -f ${x} ]] && mv ${x} ${CTARGET}-${x}
+ if [[ -f ${x} ]] ; then
+ # In case they're hardlinks, clear out the target first
+ # otherwise the mv below will complain.
+ rm -f ${CTARGET}-${x}
+ mv ${x} ${CTARGET}-${x}
+ fi
if [[ -f ${CTARGET}-${x} ]] ; then
if ! is_crosscompile ; then
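Review bot: The new `mv ${x} ${CTARGET}-${x}` is the only mv added by this commit without `|| die` (the go rename and the gcc_movelibs moves all have it), so a failed rename would leave an unprefixed `${x}` in the image while the install continues. Add the check: `mv ${x} ${CTARGET}-${x} || die`. The preceding `rm -f ${CTARGET}-${x}` also removes the target whether or not it really is a hardlink, but mv would have replaced it anyway, so the unchecked failure is the only behavioural gap. toolchain_src_install continues outside the hunk.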
@@ -1514,9 +1689,18 @@ toolchain_src_install() {
ln -sf ${CTARGET}-${x} ${CTARGET}-${x}-${GCC_CONFIG_VER}
fi
done
+ # Rename the main go binaries as we don't want to clobber dev-lang/go
+ # when gcc-config runs. #567806
+ if tc_version_is_at_least 5 && is_go ; then
+ for x in go gofmt; do
+ mv ${x} ${x}-${GCCMAJOR} || die
+ done
+ fi
# Now do the fun stripping stuff
env RESTRICT="" CHOST=${CHOST} prepstrip "${D}${BINPATH}"
+ is_crosscompile && \
+ env RESTRICT="" CHOST=${CHOST} prepstrip "${D}/${HOSTLIBPATH}"
env RESTRICT="" CHOST=${CTARGET} prepstrip "${D}${LIBPATH}"
# gcc used to install helper binaries in lib/ but then moved to libexec/
[[ -d ${D}${PREFIX}/libexec/gcc ]] && \
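Review bot: The added `prepstrip "${D}/${HOSTLIBPATH}"` joins with a slash while every other path here and in gcc_movelibs is spelled `${D}${BINPATH}`, `${D}${LIBPATH}`, `${D}${HOSTLIBPATH}`; if HOSTLIBPATH is absolute this produces a double slash, which prepstrip probably tolerates but which differs from the spelling used when the directory is created. Write it as `env RESTRICT="" CHOST=${CHOST} prepstrip "${D}${HOSTLIBPATH}"`. Since gcc_movelibs only populates HOSTLIBPATH for gcc >= 5, the `is_crosscompile` guard alone also runs prepstrip on a non-existent directory for older cross compilers; unless prepstrip is known to be a no-op there, gating on `[[ -d ${D}${HOSTLIBPATH} ]]` would be safer. toolchain_src_install continues outside the hunk.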
@@ -1530,8 +1714,6 @@ toolchain_src_install() {
if tc_version_is_at_least 3.0 ; then
local cxx_mandir=$(find "${WORKDIR}/build/${CTARGET}/libstdc++-v3" -name man)
if [[ -d ${cxx_mandir} ]] ; then
- # clean bogus manpages #113902
- find "${cxx_mandir}" -name '*_build_*' -exec rm {} \;
cp -r "${cxx_mandir}"/man? "${D}/${DATAPATH}"/man/
fi
fi
@@ -1548,22 +1730,17 @@ toolchain_src_install() {
# install testsuite results
if use regression-test; then
docinto testsuite
- find "${WORKDIR}"/build -type f -name "*.sum" -print0 | xargs -0 dodoc
- find "${WORKDIR}"/build -type f -path "*/testsuite/*.log" -print0 \
- | xargs -0 dodoc
+ find "${WORKDIR}"/build -type f -name "*.sum" -exec dodoc {} +
+ find "${WORKDIR}"/build -type f -path "*/testsuite/*.log" -exec dodoc {} +
fi
# Rather install the script, else portage with changing $FILESDIR
# between binary and source package borks things ....
if ! is_crosscompile ; then
insinto "${DATAPATH}"
- if tc_version_is_at_least 4.0 ; then
- newins "${GCC_FILESDIR}"/awk/fixlafiles.awk-no_gcc_la fixlafiles.awk || die
- find "${D}/${LIBPATH}" -name libstdc++.la -type f -exec rm "{}" \;
- find "${D}/${LIBPATH}" -name "lib?san.la" -type f -exec rm "{}" \; # 487550
- else
- doins "${GCC_FILESDIR}"/awk/fixlafiles.awk || die
- fi
+ newins "${GCC_FILESDIR}"/awk/fixlafiles.awk-no_gcc_la fixlafiles.awk || die
+ find "${D}/${LIBPATH}" -name libstdc++.la -type f -delete
+ find "${D}/${LIBPATH}" -name 'lib*san.la' -type f -delete #487550 #546700
exeinto "${DATAPATH}"
doexe "${GCC_FILESDIR}"/fix_libtool_files.sh || die
doexe "${GCC_FILESDIR}"/c{89,99} || die
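Review bot: The two new `find ... -exec dodoc {} +` lines discard find's exit status, so a dodoc failure (GNU find returns non-zero when any `-exec ... +` invocation does) is silently ignored, whereas the `newins` and `doexe` calls a few lines below are all checked with `|| die`. Append `|| die` to both find invocations for consistency. The widened `-name 'lib*san.la'` pattern now matches anything under LIBPATH ending in `san.la`; in a gcc libdir that is presumably just the sanitizer runtimes, but a comment naming them would make the intent explicit. toolchain_src_install continues outside the hunk.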
@@ -1604,6 +1781,17 @@ gcc_movelibs() {
# older versions of gcc did not support --print-multi-os-directory
tc_version_is_at_least 3.2 || return 0
+ # For non-target libs which are for CHOST and not CTARGET, we want to
+ # move them to the compiler-specific CHOST internal dir. This is stuff
+ # that you want to link against when building tools rather than building
+ # code to run on the target.
+ if tc_version_is_at_least 5 && is_crosscompile ; then
+ dodir "${HOSTLIBPATH}"
+ mv "${D}"/usr/$(get_libdir)/libcc1* "${D}${HOSTLIBPATH}" || die
+ fi
+
+ # For all the libs that are built for CTARGET, move them into the
+ # compiler-specific CTARGET internal dir.
local x multiarg removedirs=""
for multiarg in $($(XGCC) -print-multi-lib) ; do
multiarg=${multiarg#*;}
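Review bot: The added `mv "${D}"/usr/$(get_libdir)/libcc1* "${D}${HOSTLIBPATH}" || die` hard-codes `/usr`, while the rest of gcc_movelibs builds source paths from `${PREFIX}` (see `FROMDIR="${PREFIX}/lib/${OS_MULTIDIR}"` further down); on an install where PREFIX is not /usr the glob would not match. It also relies on an unquoted glob, so with no libcc1 files present the literal `libcc1*` reaches mv and the build dies with a confusing "cannot stat" message. Prefer `mv "${D}${PREFIX}"/$(get_libdir)/libcc1* "${D}${HOSTLIBPATH}" || die`, and if libcc1 can legitimately be absent for some gcc 5+ cross configurations (cannot tell from the hunk), guard the move with a `[[ -e ... ]]` test or `shopt -s nullglob`. gcc_movelibs continues outside the hunk.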
@@ -1627,7 +1815,7 @@ gcc_movelibs() {
if [[ ${FROMDIR} != "${TODIR}" && -d ${FROMDIR} ]] ; then
local files=$(find "${FROMDIR}" -maxdepth 1 ! -type d 2>/dev/null)
if [[ -n ${files} ]] ; then
- mv ${files} "${TODIR}"
+ mv ${files} "${TODIR}" || die
fi
fi
done
@@ -1637,7 +1825,7 @@ gcc_movelibs() {
FROMDIR="${PREFIX}/lib/${OS_MULTIDIR}"
for x in "${D}${FROMDIR}"/pkgconfig/libgcj*.pc ; do
[[ -f ${x} ]] || continue
- sed -i "/^libdir=/s:=.*:=${LIBPATH}/${MULTIDIR}:" "${x}"
+ sed -i "/^libdir=/s:=.*:=${LIBPATH}/${MULTIDIR}:" "${x}" || die
mv "${x}" "${D}${FROMDIR}"/pkgconfig/libgcj-${GCC_PV}.pc || die
done
done
@@ -1649,28 +1837,32 @@ gcc_movelibs() {
for FROMDIR in ${removedirs} ; do
rmdir "${D}"${FROMDIR} >& /dev/null
done
- find "${D}" -type d | xargs rmdir >& /dev/null
+ find -depth "${D}" -type d -exec rmdir {} + >& /dev/null
}
# make sure the libtool archives have libdir set to where they actually
# -are-, and not where they -used- to be. also, any dependencies we have
# on our own .la files need to be updated.
fix_libtool_libdir_paths() {
+ local libpath="$1"
+
pushd "${D}" >/dev/null
- pushd "./${1}" >/dev/null
+ pushd "./${libpath}" >/dev/null
local dir="${PWD#${D%/}}"
local allarchives=$(echo *.la)
allarchives="\(${allarchives// /\\|}\)"
popd >/dev/null
- sed -i \
- -e "/^libdir=/s:=.*:='${dir}':" \
- ./${dir}/*.la
- sed -i \
- -e "/^dependency_libs=/s:/[^ ]*/${allarchives}:${LIBPATH}/\1:g" \
- $(find ./${PREFIX}/lib* -maxdepth 3 -name '*.la') \
- ./${dir}/*.la
+ # The libdir might not have any .la files. #548782
+ find "./${dir}" -maxdepth 1 -name '*.la' \
+ -exec sed -i -e "/^libdir=/s:=.*:='${dir}':" {} + || die
+ # Would be nice to combine these, but -maxdepth can not be specified
+ # on sub-expressions.
+ find "./${PREFIX}"/lib* -maxdepth 3 -name '*.la' \
+ -exec sed -i -e "/^dependency_libs=/s:/[^ ]*/${allarchives}:${libpath}/\1:g" {} + || die
+ find "./${dir}/" -maxdepth 1 -name '*.la' \
+ -exec sed -i -e "/^dependency_libs=/s:/[^ ]*/${allarchives}:${libpath}/\1:g" {} + || die
popd >/dev/null
}
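Review bot: `find -depth "${D}" -type d -exec rmdir {} + >& /dev/null` places the `-depth` expression before the starting point; to my recollection GNU find rejects that ordering with "paths must precede expression", and the `>& /dev/null` would hide the error, so the empty-directory cleanup would silently stop happening. Write it as `find "${D}" -depth -type d -exec rmdir {} + >& /dev/null` and verify once without the stderr redirect. In fix_libtool_libdir_paths the dependency_libs rewrite now substitutes the `${libpath}` argument where the old code used the global `${LIBPATH}`; that is a behaviour change for any caller passing a different directory and deserves a comment if intended. fix_libtool_libdir_paths is fully visible, but gcc_movelibs starts outside the hunk.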
@@ -1795,7 +1987,7 @@ toolchain_pkg_postinst() {
echo
ewarn "You might want to review the GCC upgrade guide when moving between"
ewarn "major versions (like 4.2 to 4.3):"
- ewarn "http://www.gentoo.org/doc/en/gcc-upgrading.xml"
+ ewarn "https://wiki.gentoo.org/wiki/Upgrading_GCC"
echo
# Clean up old paths
@@ -1815,6 +2007,12 @@ toolchain_pkg_postinst() {
elog "Testsuite results have been installed into /usr/share/doc/${PF}/testsuite"
echo
fi
+
+ if [[ -n ${PRERELEASE}${SNAPSHOT} ]] ; then
+ einfo "This GCC ebuild is provided for your convenience, and the use"
+ einfo "of this compiler is not supported by the Gentoo Developers."
+ einfo "Please report bugs to upstream at http://gcc.gnu.org/bugzilla/"
+ fi
}
toolchain_pkg_postrm() {
@@ -1857,26 +2055,36 @@ do_gcc_config() {
return 0
fi
- local current_gcc_config="" current_specs="" use_specs=""
+ local current_gcc_config target
current_gcc_config=$(env -i ROOT="${ROOT}" gcc-config -c ${CTARGET} 2>/dev/null)
if [[ -n ${current_gcc_config} ]] ; then
+ local current_specs use_specs
# figure out which specs-specific config is active
current_specs=$(gcc-config -S ${current_gcc_config} | awk '{print $3}')
[[ -n ${current_specs} ]] && use_specs=-${current_specs}
- fi
- if [[ -n ${use_specs} ]] && \
- [[ ! -e ${ROOT}/etc/env.d/gcc/${CTARGET}-${GCC_CONFIG_VER}${use_specs} ]]
- then
- ewarn "The currently selected specs-specific gcc config,"
- ewarn "${current_specs}, doesn't exist anymore. This is usually"
- ewarn "due to enabling/disabling hardened or switching to a version"
- ewarn "of gcc that doesnt create multiple specs files. The default"
- ewarn "config will be used, and the previous preference forgotten."
- use_specs=""
+
+ if [[ -n ${use_specs} ]] && \
+ [[ ! -e ${ROOT}/etc/env.d/gcc/${CTARGET}-${GCC_CONFIG_VER}${use_specs} ]]
+ then
+ ewarn "The currently selected specs-specific gcc config,"
+ ewarn "${current_specs}, doesn't exist anymore. This is usually"
+ ewarn "due to enabling/disabling hardened or switching to a version"
+ ewarn "of gcc that doesnt create multiple specs files. The default"
+ ewarn "config will be used, and the previous preference forgotten."
+ use_specs=""
+ fi
+
+ target="${CTARGET}-${GCC_CONFIG_VER}${use_specs}"
+ else
+ # The curent target is invalid. Attempt to switch to a valid one.
+ # Blindly pick the latest version. #529608
+ # TODO: Should update gcc-config to accept `-l ${CTARGET}` rather than
+ # doing a partial grep like this.
+ target=$(gcc-config -l 2>/dev/null | grep " ${CTARGET}-[0-9]" | tail -1 | awk '{print $2}')
fi
- gcc-config ${CTARGET}-${GCC_CONFIG_VER}${use_specs}
+ gcc-config "${target}"
}
should_we_gcc_config() {
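Review bot: In the new fallback branch of do_gcc_config, `target` stays empty when the grep finds no `${CTARGET}-[0-9]` entry, and the function then runs `gcc-config ""`, which at best fails with an unhelpful message. Guard it before the call: `[[ -n ${target} ]] || { ewarn "no gcc-config profile found for ${CTARGET}, not switching"; return 0; }`. The grep pattern is also an unanchored regex with `${CTARGET}` interpolated unescaped, and `tail -1` assumes `gcc-config -l` lists versions in ascending order; the TODO acknowledges the latter, but a fixed-string match such as `grep -F -- " ${CTARGET}-"` would at least remove the regex interpolation.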
@@ -1941,7 +2149,7 @@ is_ada() {
is_cxx() {
gcc-lang-supported 'c++' || return 1
- tc_version_is_at_least 4.8 && return 0
+ ! is_crosscompile && tc_version_is_at_least 4.8 && return 0
use cxx
}
@@ -1975,6 +2183,11 @@ is_go() {
use cxx && use_if_iuse go
}
+is_jit() {
+ gcc-lang-supported jit || return 1
+ use_if_iuse jit
+}
+
is_multilib() {
tc_version_is_at_least 3 || return 1
use multilib
@@ -1990,14 +2203,6 @@ is_objcxx() {
use cxx && use_if_iuse objc++
}
-is_treelang() {
- use_if_iuse boundschecking && return 1 #260532
- is_crosscompile && return 1 #199924
- gcc-lang-supported treelang || return 1
- #use treelang
- return 0
-}
-
# Grab a variable from the build system (taken from linux-info.eclass)
get_make_var() {
local var=$1 makefile=${2:-${WORKDIR}/build/Makefile}
@@ -2047,7 +2252,7 @@ hardened_gcc_is_stable() {
elif [[ $1 == "ssp" ]] ; then
if [[ ${CTARGET} == *-uclibc* ]] ; then
tocheck=${SSP_UCLIBC_STABLE}
- else
+ elif [[ ${CTARGET} == *-gnu* ]] ; then
tocheck=${SSP_STABLE}
fi
else
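Review bot: Narrowing the `else` to `elif [[ ${CTARGET} == *-gnu* ]]` leaves `tocheck` unset for every other libc (musl targets, for instance), and depending on how the rest of hardened_gcc_is_stable treats an empty `tocheck` (outside the hunk) that likely makes SSP report as not stable there, silently weakening the hardened default rather than failing loudly. If that is the intent, say so at the branch: `# SSP is only known to be stable on glibc and uclibc targets; other libcs fall through with tocheck empty and are treated as unstable`; if not, a third branch or an `else ewarn "unhandled CTARGET ${CTARGET} for ssp check"` would make the gap visible. hardened_gcc_is_stable starts and ends outside the hunk.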
@@ -2088,7 +2293,7 @@ want_pie() {
has toolchain_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS+=" toolchain_death_notice"
toolchain_death_notice() {
- if [[ -e "${WORKDIR}"/build ]] ; then
+ if [[ -e "${WORKDIR}"/build ]] ; then
pushd "${WORKDIR}"/build >/dev/null
(echo '' | $(tc-getCC ${CTARGET}) ${CFLAGS} -v -E - 2>&1) > gccinfo.log
[[ -e "${T}"/build.log ]] && cp "${T}"/build.log .
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2016-04-23 18:23 Magnus Granberg
From: Magnus Granberg @ 2016-04-23 18:23 UTC (permalink / raw
To: gentoo-commits
commit: 8ab745bdff4b392d56bfb27823eec5501827aa3f
Author: Magnus Granberg <zorry <AT> gentoo <DOT> org>
AuthorDate: Sat Apr 23 17:27:01 2016 +0000
Commit: Magnus Granberg <zorry <AT> gentoo <DOT> org>
CommitDate: Sat Apr 23 17:27:01 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-dev.git/commit/?id=8ab745bd
add more gcc 6 support to toolchain.eclass
eclass/toolchain.eclass | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/eclass/toolchain.eclass b/eclass/toolchain.eclass
index ececcdc..c9520a9 100644
--- a/eclass/toolchain.eclass
+++ b/eclass/toolchain.eclass
@@ -626,6 +626,22 @@ do_gcc_PIE_patches() {
# configure to build with the hardened GCC specs as the default
make_gcc_hard() {
+
+ # Gcc >= 6.X we don't need to sed in Makefile
+ # It have configurations options to turn pie/ssp on as default
+ if tc_version_is_at_least 6.0 ; then
+ if use hardened ; then
+ # rebrand to make bug reports easier
+ BRANDING_GCC_PKGVERSION=${BRANDING_GCC_PKGVERSION/Gentoo/Gentoo Hardened}
+ if use pie ; then
+ einfo "Updating gcc to use automatic PIE building ..."
+ fi
+ if use ssp ; then
+ einfo "Updating gcc to use automatic SSP building ..."
+ fi
+ return 1
+ fi
+
# we want to be able to control the pie patch logic via something other
# than ALL_CFLAGS...
sed -e '/^ALL_CFLAGS/iHARD_CFLAGS = ' \
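Review bot: As shown in the hunk, the `if tc_version_is_at_least 6.0 ; then` opened at the top of make_gcc_hard is never closed: the `fi` before the blank line closes `if use hardened`, so either a `fi` was lost and the function does not parse, or the legacy HARD_CFLAGS sed below is now nested inside the gcc>=6 branch, the opposite of what the comment intends. Even with the `fi` restored, gcc>=6 without USE=hardened still falls through to the sed although the comment says no 6.x build needs it; returning early for every 6.x build, with the rebranding and einfo kept inside the hardened check, matches the comment. `return 1` on this non-error path is also surprising for a function named make_gcc_hard; unless callers test its status (not visible here), `return 0` is clearer. The rest of make_gcc_hard is outside the hunk.
```shell
make_gcc_hard() {
	# gcc >= 6 has configure switches for default PIE/SSP, so the
	# HARD_CFLAGS sed below is not needed for any 6.x build.
	if tc_version_is_at_least 6.0 ; then
		if use hardened ; then
			# rebrand to make bug reports easier
			BRANDING_GCC_PKGVERSION=${BRANDING_GCC_PKGVERSION/Gentoo/Gentoo Hardened}
			use pie && einfo "Updating gcc to use automatic PIE building ..."
			use ssp && einfo "Updating gcc to use automatic SSP building ..."
		fi
		return 0
	fi

	# … unchanged: legacy HARD_CFLAGS sed on Makefile.in and specs handling …
```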
@@ -2264,6 +2280,10 @@ hardened_gcc_is_stable() {
}
want_minispecs() {
+ # on gcc 6 we don't need minispecs
+ if tc_version_is_at_least 6.0 ; then
+ return 0
+ fi
if tc_version_is_at_least 4.3.2 && use hardened ; then
if ! want_pie ; then
ewarn "PIE_VER or SPECS_VER is not defined in the GCC ebuild."
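Review bot: The early `return 0` in want_minispecs means "minispecs wanted" in shell, which contradicts the comment directly above it ("on gcc 6 we don't need minispecs"); any caller that gates the specs path on this predicate will take the minispecs path for gcc 6. If the return is deliberately truthy because the install side is expected to short-circuit on its own, the comment should say so, e.g. `# gcc >= 6 needs no minispecs; return success so callers skip the hardened/vanilla warnings below, the specs install is expected to be a no-op for 6.x`; otherwise `return 1` is the value that matches the comment. The remainder of want_minispecs is outside the hunk.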
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2016-05-01 19:42 Magnus Granberg
From: Magnus Granberg @ 2016-05-01 19:42 UTC (permalink / raw
To: gentoo-commits
commit: d45e7e6148a392e3200a7c6c17ff2888cbf26b64
Author: Magnus Granberg <zorry <AT> gentoo <DOT> org>
AuthorDate: Sun May 1 19:24:34 2016 +0000
Commit: Magnus Granberg <zorry <AT> gentoo <DOT> org>
CommitDate: Sun May 1 19:24:34 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-dev.git/commit/?id=d45e7e61
don't use .specs files at install time
eclass/toolchain.eclass | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/eclass/toolchain.eclass b/eclass/toolchain.eclass
index 3106641..247dcee 100644
--- a/eclass/toolchain.eclass
+++ b/eclass/toolchain.eclass
@@ -1937,6 +1937,11 @@ create_gcc_env_entry() {
}
copy_minispecs_gcc_specs() {
+ # on gcc 6 we don't need minispecs
+ if tc_version_is_at_least 6.0 ; then
+ return 0
+ fi
+
# setup the hardenedno* specs files and the vanilla specs file.
if hardened_gcc_works ; then
create_gcc_env_entry hardenednopiessp
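Review bot: The early `return 0` in copy_minispecs_gcc_specs skips not only the `doins` of the .specs files but every `create_gcc_env_entry` call in the function (the hardenednopiessp one is visible right below the return); if gcc-config relies on those env.d entries, gcc 6 installs lose them together with the specs. If that is intended, the comment should say more than "we don't need minispecs", e.g. `# gcc >= 6 builds PIE/SSP in by default, so neither the .specs files nor the per-specs env.d entries are installed`; if not, move the return down so only the specs installation is skipped. The rest of copy_minispecs_gcc_specs is outside the hunk.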
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2016-05-01 19:51 Anthony G. Basile
From: Anthony G. Basile @ 2016-05-01 19:51 UTC (permalink / raw
To: gentoo-commits
commit: c5c2daa6ff0970a37747c58328df38b4ce57207f
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun May 1 19:51:05 2016 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun May 1 19:51:46 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-dev.git/commit/?id=c5c2daa6
toolchain.eclass: sanely check if there are spec files to be installed
eclass/toolchain.eclass | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/eclass/toolchain.eclass b/eclass/toolchain.eclass
index 247dcee..40b2cf9 100644
--- a/eclass/toolchain.eclass
+++ b/eclass/toolchain.eclass
@@ -1954,7 +1954,11 @@ copy_minispecs_gcc_specs() {
fi
create_gcc_env_entry vanilla
insinto ${LIBPATH}
- doins "${WORKDIR}"/specs/*.specs || die "failed to install specs"
+ # Only doins if there are actually spec files in "${WORKDIR}"/specs/
+ local SPECSDIR="${WORKDIR}"/specs/
+ if [[ "$(ls -A ${SPECSDIR})" ]]; then
+ doins "${SPECSDIR}"/*.specs || die "failed to install specs"
+ fi
# Build system specs file which, if it exists, must be a complete set of
# specs as it completely and unconditionally overrides the builtin specs.
if ! tc_version_is_at_least 4.4 ; then
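Review bot: The new `[[ "$(ls -A ${SPECSDIR})" ]]` test parses `ls` output and only proves the directory is non-empty, not that it holds any `*.specs` file, so a directory with other content still reaches `doins "${SPECSDIR}"/*.specs`, where the unmatched glob is passed literally and the build dies anyway; `${SPECSDIR}` is also unquoted, and `ls` on a missing directory prints to stderr. Let the shell do the check: `local specs=( "${WORKDIR}"/specs/*.specs )` followed by `[[ -e ${specs[0]} ]] && { doins "${specs[@]}" || die "failed to install specs" ; }`. copy_minispecs_gcc_specs starts and ends outside the hunk.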
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2016-05-01 23:52 Anthony G. Basile
From: Anthony G. Basile @ 2016-05-01 23:52 UTC (permalink / raw
To: gentoo-commits
commit: 8da39130c7e90e06481a6606d798c1ff65291e46
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun May 1 23:52:09 2016 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun May 1 23:52:09 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-dev.git/commit/?id=8da39130
Revert "toolchain.eclass: sanely check if there are spec files to be installed"
This reverts commit c5c2daa6ff0970a37747c58328df38b4ce57207f.
Zorry already addressed this issue in the previous commit.
eclass/toolchain.eclass | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/eclass/toolchain.eclass b/eclass/toolchain.eclass
index 40b2cf9..247dcee 100644
--- a/eclass/toolchain.eclass
+++ b/eclass/toolchain.eclass
@@ -1954,11 +1954,7 @@ copy_minispecs_gcc_specs() {
fi
create_gcc_env_entry vanilla
insinto ${LIBPATH}
- # Only doins if there are actually spec files in "${WORKDIR}"/specs/
- local SPECSDIR="${WORKDIR}"/specs/
- if [[ "$(ls -A ${SPECSDIR})" ]]; then
- doins "${SPECSDIR}"/*.specs || die "failed to install specs"
- fi
+ doins "${WORKDIR}"/specs/*.specs || die "failed to install specs"
# Build system specs file which, if it exists, must be a complete set of
# specs as it completely and unconditionally overrides the builtin specs.
if ! tc_version_is_at_least 4.4 ; then