From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 6FEC2138A1F for ; Tue, 8 Apr 2014 19:59:23 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 9F22CE0AD1; Tue, 8 Apr 2014 19:59:20 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 1C95AE0AD1 for ; Tue, 8 Apr 2014 19:59:20 +0000 (UTC) Received: from spoonbill.gentoo.org (spoonbill.gentoo.org [81.93.255.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id E2EB733FF51 for ; Tue, 8 Apr 2014 19:59:18 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by spoonbill.gentoo.org (Postfix) with ESMTP id 8E03218873 for ; Tue, 8 Apr 2014 19:59:17 +0000 (UTC) 
From: "Devan Franchini" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Devan Franchini" Message-ID: <1396987060.e4393f651576637ce32d85264261144e6c82eb71.twitch153@gentoo> Subject: [gentoo-commits] proj/releng:master commit in: tools-hardened/desktop/ X-VCS-Repository: proj/releng X-VCS-Files: tools-hardened/desktop/fluxbox-run.sh tools-hardened/desktop/gnome3-run.sh tools-hardened/desktop/make.sh tools-hardened/desktop/run-base.sh tools-hardened/desktop/xfce4-run.sh X-VCS-Directories: tools-hardened/desktop/ X-VCS-Committer: twitch153 X-VCS-Committer-Name: Devan Franchini X-VCS-Revision: e4393f651576637ce32d85264261144e6c82eb71 X-VCS-Branch: master Date: Tue, 8 Apr 2014 19:59:17 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: c82854c5-65fa-442c-a983-bcdc15e8f49f X-Archives-Hash: 4dba82176194495e052a13b723da3a3a commit: e4393f651576637ce32d85264261144e6c82eb71 Author: Devan Franchini gentoo org> AuthorDate: Tue Apr 8 19:57:40 2014 +0000 Commit: Devan Franchini gentoo org> CommitDate: Tue Apr 8 19:57:40 2014 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/releng.git;a=commit;h=e4393f65 tools-hardened/desktop: centralizes common code for build scripts --- tools-hardened/desktop/fluxbox-run.sh | 135 ++--------------------------- tools-hardened/desktop/gnome3-run.sh | 126 ++------------------------- tools-hardened/desktop/make.sh | 4 +- tools-hardened/desktop/run-base.sh | 142 +++++++++++++++++++++++++++++++ tools-hardened/desktop/xfce4-run.sh | 155 +++++----------------------------- 5 files changed, 179 insertions(+), 383 deletions(-) diff --git a/tools-hardened/desktop/fluxbox-run.sh b/tools-hardened/desktop/fluxbox-run.sh index 1be294d..82a7669 100755 --- a/tools-hardened/desktop/fluxbox-run.sh 
+++ b/tools-hardened/desktop/fluxbox-run.sh 
@@ -8,102 +8,12 @@ STAGE3="/var/tmp/catalyst/builds/hardened/${ARCH}/stage3-${ARCH}-hardened-latest LAYMAN="/var/lib/layman" KERNEL_SOURCE="/usr/src/linux-tinhat" +MAKE_BASE="xfce4" +KEYWORDS_BASE="gnome" +USE_BASE="xfce4" +WORLD_BASE="fluxbox" -unpack_stage3() { - mkdir "${ROOTFS}" - tar -x -C "${ROOTFS}" -f "${STAGE3}" -} - -mount_dirs() { - mkdir "${ROOTFS}"/usr/portage/ - mount --bind /usr/portage/ "${ROOTFS}"/usr/portage/ - mount --bind /proc/ "${ROOTFS}"/proc/ - mount --bind /dev/ "${ROOTFS}"/dev/ - mount --bind /dev/pts "${ROOTFS}"/dev/pts/ - mount -t tmpfs shm "${ROOTFS}"/dev/shm - mount --bind /sys/ "${ROOTFS}"/sys/ -} - -populate_etc() { - cp -f files/fstab "${ROOTFS}"/etc/fstab - cp -f files/resolv.conf "${ROOTFS}"/etc/resolv.conf - - rm -f "${ROOTFS}"/etc/portage/make.conf.catalyst - cp -f files/portage/make.xfce4.1 "${ROOTFS}"/etc/portage/make.conf - cp -f files/portage/package.gnome.accept_keywords "${ROOTFS}"/etc/portage/package.accept_keywords - cp -f files/portage/package.xfce4.use "${ROOTFS}"/etc/portage/package.use - cp -af files/portage/profile "${ROOTFS}"/etc/portage/profile - cp -af files/portage/repos.conf "${ROOTFS}"/etc/portage/repos.conf -} - -rebuild_toolchain() { - cp -f toolchain.sh "${ROOTFS}"/tmp/ - chroot "${ROOTFS}"/ /tmp/toolchain.sh - rm -f "${ROOTFS}"/tmp/toolchain.sh -} - -rebuild_world() { - cp -f files/portage/make.xfce4.1 "${ROOTFS}"/etc/portage/make.conf - cp -f files/fluxbox-world "${ROOTFS}"/var/lib/portage/world - cp -f rebuild.sh "${ROOTFS}"/tmp/ - chroot "${ROOTFS}"/ /tmp/rebuild.sh - rm -f "${ROOTFS}"/tmp/rebuild.sh -} - - -update_world() { - cp -f files/portage/make.xfce4.2 "${ROOTFS}"/etc/portage/make.conf - cp -f update.sh "${ROOTFS}"/tmp/ - chroot "${ROOTFS}"/ /tmp/update.sh - rm -f "${ROOTFS}"/tmp/update.sh -} - -build_kernel() { - local TH_BOOT="http://dev.gentoo.org/~twitch153/tinhat/th-boot.tar.gz" - mkdir -p "${ROOTFS}"/boot - - genkernel \ - --kernel-config=files/kernel-config \ - --makeopts=-j9 \ - --static 
\ - --symlink \ - --no-mountboot \ - --kerneldir="${KERNEL_SOURCE}" \ - --bootdir="${PWD}"/"${ROOTFS}"/boot/ \ - all - - #for i in $(find "${PWD}"/"${ROOTFS}"/lib/modules -iname *ko); do - # objcopy --strip-unneeded $i - #done - rm -rf "${PWD}"/"${ROOTFS}"/boot/initramfs* - wget -O "${PWD}"/th-boot.tar.gz "${TH_BOOT}" - tar -x -C "${PWD}"/files -f th-boot.tar.gz - cp -Rf files/th-boot/grub "${ROOTFS}"/boot - rm -f "${PWD}"/th-boot.tar.gz -} - -setup_initrc() { - ln -sf net.lo "${ROOTFS}"/etc/init.d/net.eth0 - chroot "${ROOTFS}"/ rc-update add acpid boot - chroot "${ROOTFS}"/ rc-update add alsasound boot - chroot "${ROOTFS}"/ rc-update add cpufrequtils boot - chroot "${ROOTFS}"/ rc-update add device-mapper boot - chroot "${ROOTFS}"/ rc-update add lvm boot - chroot "${ROOTFS}"/ rc-update add udev boot - chroot "${ROOTFS}"/ rc-update add cupsd default - chroot "${ROOTFS}"/ rc-update add cronie default - chroot "${ROOTFS}"/ rc-update add net.eth0 default - chroot "${ROOTFS}"/ rc-update add postfix default - chroot "${ROOTFS}"/ rc-update add sshd default - chroot "${ROOTFS}"/ rc-update add xdm default - chroot "${ROOTFS}"/ rc-update add avahi-daemon default - chroot "${ROOTFS}"/ rc-update add dbus default - chroot "${ROOTFS}"/ rc-update add samba default - chroot "${ROOTFS}"/ rc-update add syslog-ng default - chroot "${ROOTFS}"/ rc-update add udev-postmount default - chroot "${ROOTFS}"/ rc-update add kmod-static-nodes sysinit - chroot "${ROOTFS}"/ rc-update add udev-mount sysinit -} +source run-base.sh setup_usergroups() { local DCONF_LOCAL="http://dev.gentoo.org/~blueness/lilblue/user" 
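Review bot: `source run-base.sh` at the end of the hunk names the file without a slash, so bash looks it up through PATH before falling back to the current directory, and a same-named file anywhere on PATH would be executed by this root-level build script; `source ./run-base.sh` pins it to the working directory the rest of the script already assumes (all the `files/...` paths are relative). The same line is added in the gnome3-run.sh and xfce4-run.sh hunks below. The removed fluxbox `rebuild_world` re-copied `files/portage/make.xfce4.1` to make.conf before running rebuild.sh, which the shared `rebuild_world` in run-base.sh does not; populate_etc installs the same file earlier so this is probably harmless, but it is a behaviour difference worth a line in the commit message if intended.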
@@ -124,8 +34,7 @@ setup_usergroups() { rm -rf "${ROOTFS}"/home/thuser cp -a thuser "${ROOTFS}"/home/thuser - sed -i -e 's/^\/usr\/*.*/\/usr\/bin\/fluxbox/' "${ROOTFS}"/home/thuser/.xinitrc - cp -f files/usermenu "${ROOTFS}"/home/thuser/.fluxbox/my-menu + sed -i -e 's/^\/usr\/*.*/\/usr\/bin\/fluxbox/' "${ROOTFS}"/home/thuser/.xinitrc cp -a files/{Encrypt,Save,Utilities} "${ROOTFS}"/home/thuser rm -rf "${ROOTFS}"/home/thuser/Utilities/post_gnome3_install.sh mkdir -p "${ROOTFS}"/home/thuser/{Desktop,Documents,Downloads,Music,Pictures,Public,Templates,Videos,.ssh,.cache/dconf,.config/dconf} @@ -136,6 +45,7 @@ setup_usergroups() { chroot "${ROOTFS}"/ chown -R thuser:thuser /home/thuser sed -i 's/# \(%wheel.*NOPASSWD\)/\1/' "${ROOTFS}"/etc/sudoers sed -i 's/^\/usr\/*.*/\/usr\/bin\/fluxbox/' "${ROOTFS}"/etc/skel/.xinitrc + cp -f files/usermenu "${ROOTFS}"/home/thuser/.fluxbox/my-menu } setup_confs() { 
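Review bot: Moving `cp -f files/usermenu "${ROOTFS}"/home/thuser/.fluxbox/my-menu` below the `chroot "${ROOTFS}"/ chown -R thuser:thuser /home/thuser` line (second hunk) means that, unless `.fluxbox/my-menu` already exists in the copied `thuser` skeleton, the menu file is created owned by root and the desktop user cannot edit it. Either keep the copy before the chown or follow it with `chroot "${ROOTFS}"/ chown thuser:thuser /home/thuser/.fluxbox/my-menu`. If the move was made because `.fluxbox` is not present at the earlier point, a `mkdir -p "${ROOTFS}"/home/thuser/.fluxbox` there would be the more direct fix. setup_usergroups starts before the first hunk.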
@@ -160,36 +70,7 @@ setup_confs() { chroot "${ROOTFS}"/ eselect locale set 3 cp -a files/locale/02locale "${ROOTFS}"/etc/conf.d/ # In kernels 3.9 and above, we must disallow-other-stacks because of SO_REUSEPORT - # NOTE: Current TinHat kernel uses kernel-3.7.5-hardened-r1 - #sed -i 's/^#\(disallow-other-stacks=\)no/\1yes/g' "${ROOTFS}"/etc/avahi/avahi-daemon.conf -} - -cleanup_dirs() { - rm -rf "${ROOTFS}"/tmp/* - rm -rf "${ROOTFS}"/var/cache/* - rm -rf "${ROOTFS}"/var/log/* - rm -rf "${ROOTFS}"/var/tmp/* - rm -rf "${ROOTFS}"/etc/resolv.conf - rm -rf "${ROOTFS}"/etc/ssh/*key* - rm -rf "${ROOTFS}"/root/.viminfo - for i in ${ROOTFS}/root/.bash_history ; do >$i; done - find ${ROOTFS}*/var/log -size +1c -type f -exec rm {} + -} - -unmount_dirs() { - umount "${ROOTFS}"/sys/ - umount "${ROOTFS}"/dev/shm - umount "${ROOTFS}"/dev/pts/ - umount "${ROOTFS}"/dev/ - umount "${ROOTFS}"/proc/ - umount "${ROOTFS}"/usr/portage/ - - mkdir "${ROOTFS}"/usr/portage/profiles/ - echo "gentoo" >> "${ROOTFS}"/usr/portage/profiles/repo_name -} - -make_iso() { - MYROOT="${ROOTFS}" ./make.sh + sed -i 's/^#\(disallow-other-stacks=\)no/\1yes/g' "${ROOTFS}"/etc/avahi/avahi-daemon.conf } main() { diff --git a/tools-hardened/desktop/gnome3-run.sh b/tools-hardened/desktop/gnome3-run.sh index 6b9b842..5dbf9e2 100755 --- a/tools-hardened/desktop/gnome3-run.sh +++ b/tools-hardened/desktop/gnome3-run.sh 
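Review bot: The sed that flips `disallow-other-stacks=` to `yes` in avahi-daemon.conf is now active and the NOTE tying the previous decision to kernel-3.7.5 is dropped, but the surviving comment still says the setting is required only for kernels 3.9 and above while nothing in the file records which kernel `KERNEL_SOURCE` points at; add a comment such as `# assumes the tinhat kernel in KERNEL_SOURCE is >= 3.9 (TODO: record the version here)`. The same edit is made in the gnome3-run.sh and xfce4-run.sh setup_confs hunks. `sed -i` on a missing file only prints an error and, with no `set -e`, the build continues, so if avahi is optional for a variant the line should be guarded with `[ -f "${ROOTFS}"/etc/avahi/avahi-daemon.conf ] && sed -i ...`. setup_confs starts before this hunk.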
@@ -4,103 +4,17 @@ ARCH=${ARCH:-"amd64"} ROOTFS="th-${ARCH}-gnome" PWD="$(pwd)" -STAGE3="/var/tmp/catalyst/builds/hardened/amd64/stage3-amd64-hardened-latest.tar.bz2" +STAGE3="/var/tmp/catalyst/builds/hardened/${ARCH}/stage3-${ARCH}-hardened-latest.tar.bz2" LAYMAN="/var/lib/layman" KERNEL_SOURCE="/usr/src/linux-tinhat" +BASE="gnome" +MAKE_BASE="${BASE}" +KEYWORDS_BASE="${BASE}" +USE_BASE="${BASE}" +WORLD_BASE="${BASE}" -unpack_stage3() { - mkdir "${ROOTFS}" - tar -x -C "${ROOTFS}" -f "${STAGE3}" -} - -mount_dirs() { - mkdir "${ROOTFS}"/usr/portage/ - mount --bind /usr/portage/ "${ROOTFS}"/usr/portage/ - mount --bind /proc/ "${ROOTFS}"/proc/ - mount --bind /dev/ "${ROOTFS}"/dev/ - mount --bind /dev/pts "${ROOTFS}"/dev/pts/ - mount -t tmpfs shm "${ROOTFS}"/dev/shm - mount --bind /sys/ "${ROOTFS}"/sys/ -} - -populate_etc() { - cp -f files/fstab "${ROOTFS}"/etc/fstab - cp -f files/resolv.conf "${ROOTFS}"/etc/resolv.conf - - rm -f "${ROOTFS}"/etc/portage/make.conf.catalyst - cp -f files/portage/make.gnome.1 "${ROOTFS}"/etc/portage/make.conf - - cp -f files/portage/package.gnome.accept_keywords "${ROOTFS}"/etc/portage/package.accept_keywords - cp -f files/portage/package.gnome.use "${ROOTFS}"/etc/portage/package.use - cp -af files/portage/profile "${ROOTFS}"/etc/portage/profile - cp -af files/portage/repos.conf "${ROOTFS}"/etc/portage/repos.conf -} - -rebuild_toolchain() { - cp -f toolchain.sh "${ROOTFS}"/tmp/ - chroot "${ROOTFS}"/ /tmp/toolchain.sh - rm -f "${ROOTFS}"/tmp/toolchain.sh -} - -rebuild_world() { - cp -f files/gnome-world "${ROOTFS}"/var/lib/portage/world - cp -f rebuild.sh "${ROOTFS}"/tmp/ - chroot "${ROOTFS}"/ /tmp/rebuild.sh - rm -f "${ROOTFS}"/tmp/rebuild.sh -} - - -update_world() { - cp -f files/portage/make.gnome.2 "${ROOTFS}"/etc/portage/make.conf - - cp -f update.sh "${ROOTFS}"/tmp/ - chroot "${ROOTFS}"/ /tmp/update.sh - rm -f "${ROOTFS}"/tmp/update.sh -} - -build_kernel() { - local TH_BOOT="http://dev.gentoo.org/~twitch153/tinhat/th-boot.tar.gz" - 
mkdir -p "${ROOTFS}"/boot - - genkernel \ - --kernel-config=files/kernel-config \ - --makeopts=-j9 \ - --static \ - --symlink \ - --no-mountboot \ - --kerneldir="${KERNEL_SOURCE}" \ - --bootdir="${PWD}"/"${ROOTFS}"/boot/ \ - all - - #for i in $(find "${PWD}"/"${ROOTFS}"/lib/modules -iname *ko); do - # objcopy --strip-unneeded $i - # done - rm -rf "${PWD}"/"${ROOTFS}"/boot/initramfs* - wget -O "${PWD}"/th-boot.tar.gz "${TH_BOOT}" - tar -x -C "${PWD}"/files -f th-boot.tar.gz - cp -Rf files/th-boot/grub "${ROOTFS}"/boot/ - rm -f "${PWD}"/th-boot.tar.gz -} - -setup_systemd() { - ln -sf /proc/self/mounts /etc/mtab - sed -i -e 's/# GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="init=\/usr\/lib\/systemd\/systemd"/' "${ROOTFS}"/etc/default/grub - chroot "${ROOTFS}"/ systemctl enable avahi-daemon.service - chroot "${ROOTFS}"/ systemctl enable bluetooth.service - chroot "${ROOTFS}"/ systemctl enable cups.service - chroot "${ROOTFS}"/ systemctl enable dhcpcd.service - chroot "${ROOTFS}"/ systemctl enable cronie.service - chroot "${ROOTFS}"/ systemctl enable gdm.service - chroot "${ROOTFS}"/ systemctl enable metalog.service - chroot "${ROOTFS}"/ systemctl enable NetworkManager.service - chroot "${ROOTFS}"/ systemctl enable postfix.service - chroot "${ROOTFS}"/ systemctl enable smbd.service - chroot "${ROOTFS}"/ systemctl enable sshd.service - #chroot "${ROOTFS}"/ systemctl enable udev.service - #chroot "${ROOTFS}"/ systemctl enable udev-settle.service - #chroot "${ROOTFS}"/ systemctl enable udev-trigger.service -} +source run-base.sh setup_usergroups() { local DCONF_LOCAL="http://dev.gentoo.org/~blueness/lilblue/user" 
@@ -147,31 +61,7 @@ setup_confs() { cp -a files/locale/02locale "${ROOTFS}"/etc/conf.d/ # In kernels 3.9 and above, we must disallow-other-stacks because of SO_REUSEPORT - # NOTE: Current TinHat kernel uses kernel-3.7.5-hardened-r1 - #sed -i 's/^#\(disallow-other-stacks=\)no/\1yes/g' "${ROOTFS}"/etc/avahi/avahi-daemon.conf -} - -cleanup_dirs() { - rm -rf "${ROOTFS}"/tmp/* - rm -rf "${ROOTFS}"/var/log/* - rm -rf "${ROOTFS}"/var/tmp/* - rm -rf "${ROOTFS}"/etc/resolv.conf -} - -unmount_dirs() { - umount -l "${ROOTFS}"/sys/ - umount -l "${ROOTFS}"/dev/shm - umount -l "${ROOTFS}"/dev/pts/ - umount -l "${ROOTFS}"/dev/ - umount -l "${ROOTFS}"/proc/ - umount -l "${ROOTFS}"/usr/portage/ - - mkdir "${ROOTFS}"/usr/portage/profiles/ - echo "gentoo" >> "${ROOTFS}"/usr/portage/profiles/repo_name -} - -make_iso() { - MYROOT="${ROOTFS}" ./make.sh + sed -i 's/^#\(disallow-other-stacks=\)no/\1yes/g' "${ROOTFS}"/etc/avahi/avahi-daemon.conf } main() { diff --git a/tools-hardened/desktop/make.sh b/tools-hardened/desktop/make.sh index 1df4681..aae8565 100755 --- a/tools-hardened/desktop/make.sh +++ b/tools-hardened/desktop/make.sh @@ -2,7 +2,7 @@ WORKING=$(pwd) CHROOTS=${CHROOTS:-"${WORKING}"} -MYROOT=${MYROOT:-"desktop-amd64-hardened-ramdisk"} +MYROOT=${MYROOT:-""} cleanup() { @@ -60,7 +60,7 @@ mkiso() nameit() { DATE=$(date +%Y%m%d) - NAME="${MYROOT}-${DATE}.iso" + NAME="${MYROOT}-${DATE}.iso" [ -f ramdisk.iso ] && mv ramdisk.iso $NAME || echo "Can't name ramdisk.iso, I didn't find it." } diff --git a/tools-hardened/desktop/run-base.sh b/tools-hardened/desktop/run-base.sh new file mode 100755 index 0000000..b9178c8 --- /dev/null +++ b/tools-hardened/desktop/run-base.sh 
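Review bot: This file's removed `unmount_dirs` used `umount -l` on every mount point while the shared `unmount_dirs` in run-base.sh that replaces it uses plain `umount`, and its removed `cleanup_dirs` did not remove `/etc/ssh/*key*`, `/root/.viminfo` or `/var/cache/*` nor truncate `.bash_history` as the shared one does. The commit message describes the change as centralizing common code, so the gnome build's behaviour change deserves a sentence there; the wider cleanup is an improvement (host keys generated inside a build chroot should not ship in the image). If the lazy unmount was working around a busy mount, the plain form now fails and, with no status check, the following `mkdir "${ROOTFS}"/usr/portage/profiles/` and `echo "gentoo" >> .../repo_name` execute against the host's still bind-mounted /usr/portage.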
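Review bot: With `MYROOT=${MYROOT:-""}` the default is empty, so when make.sh is run on its own `NAME` in nameit() becomes `-<date>.iso`, a name starting with `-`, and `mv ramdisk.iso $NAME` parses it as an option and fails; cleanup() may also act on an empty path, but its body is outside the hunk. Fail fast instead with `: "${MYROOT:?MYROOT must be set (run via one of the *-run.sh scripts)}"` in place of the silent empty default, and harden the rename with `mv -- ramdisk.iso "$NAME"`. The second make.sh hunk changes only whitespace on the NAME line.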
@@ -0,0 +1,142 @@ +#!/bin/bash + +unpack_stage3() { + mkdir "${ROOTFS}" + tar -x -C "${ROOTFS}" -f "${STAGE3}" +} + +mount_dirs() { + mkdir "${ROOTFS}"/usr/portage/ + mount --bind /usr/portage/ "${ROOTFS}"/usr/portage/ + mount --bind /proc/ "${ROOTFS}"/proc/ + mount --bind /dev/ "${ROOTFS}"/dev/ + mount --bind /dev/pts "${ROOTFS}"/dev/pts/ + mount -t tmpfs shm "${ROOTFS}"/dev/shm + mount --bind /sys/ "${ROOTFS}"/sys/ +} + +populate_etc() { + cp -f files/fstab "${ROOTFS}"/etc/fstab + cp -f files/resolv.conf "${ROOTFS}"/etc/resolv.conf + + rm -f "${ROOTFS}"/etc/portage/make.conf.catalyst + cp -f files/portage/make."${MAKE_BASE}".1 "${ROOTFS}"/etc/portage/make.conf + cp -f files/portage/package."${KEYWORDS_BASE}".accept_keywords "${ROOTFS}"/etc/portage/package.accept_keywords + cp -f files/portage/package."${USE_BASE}".use "${ROOTFS}"/etc/portage/package.use + cp -af files/portage/profile "${ROOTFS}"/etc/portage/profile + cp -af files/portage/repos.conf "${ROOTFS}"/etc/portage/repos.conf +} + +rebuild_toolchain() { + cp -f toolchain.sh "${ROOTFS}"/tmp/ + chroot "${ROOTFS}"/ /tmp/toolchain.sh + rm -f "${ROOTFS}"/tmp/toolchain.sh +} + +rebuild_world() { + cp -f files/"${WORLD_BASE}"-world "${ROOTFS}"/var/lib/portage/world + cp -f rebuild.sh "${ROOTFS}"/tmp/ + chroot "${ROOTFS}"/ /tmp/rebuild.sh + rm -f "${ROOTFS}"/tmp/rebuild.sh +} + +update_world() { + cp -f files/portage/make."${MAKE_BASE}".2 "${ROOTFS}"/etc/portage/make.conf + cp -f update.sh "${ROOTFS}"/tmp/ + chroot "${ROOTFS}"/ /tmp/update.sh + rm -f "${ROOTFS}"/tmp/update.sh +} + +build_kernel() { + local TH_BOOT="http://dev.gentoo.org/~twitch153/tinhat/th-boot.tar.gz" + mkdir -p "${ROOTFS}"/boot + + genkernel \ + --kernel-config=files/kernel-config \ + --makeopts=-j9 \ + --static \ + --symlink \ + --no-mountboot \ + --kerneldir="${KERNEL_SOURCE}" \ + --bootdir="${PWD}"/"${ROOTFS}"/boot/ \ + all + + #for i in $(find "${PWD}"/"${ROOTFS}"/lib/modules -iname *ko); do + # objcopy --strip-unneeded $i + #done + rm -rf 
"${PWD}"/"${ROOTFS}"/boot/initramfs* + wget -O "${PWD}"/th-boot.tar.gz "${TH_BOOT}" + tar -x -C "${PWD}"/files -f th-boot.tar.gz + cp -Rf files/th-boot/grub "${ROOTFS}"/boot/ + rm -f "${PWD}"/th-boot.tar.gz +} + +setup_initrc() { + ln -sf net.lo "${ROOTFS}"/etc/init.d/net.eth0 + chroot "${ROOTFS}"/ rc-update add acpid boot + chroot "${ROOTFS}"/ rc-update add alsasound boot + chroot "${ROOTFS}"/ rc-update add cpufrequtils boot + chroot "${ROOTFS}"/ rc-update add device-mapper boot + chroot "${ROOTFS}"/ rc-update add lvm boot + chroot "${ROOTFS}"/ rc-update add udev boot + chroot "${ROOTFS}"/ rc-update add cupsd default + chroot "${ROOTFS}"/ rc-update add cronie default + chroot "${ROOTFS}"/ rc-update add net.eth0 default + chroot "${ROOTFS}"/ rc-update add postfix default + chroot "${ROOTFS}"/ rc-update add sshd default + chroot "${ROOTFS}"/ rc-update add xdm default + chroot "${ROOTFS}"/ rc-update add avahi-daemon default + chroot "${ROOTFS}"/ rc-update add dbus default + chroot "${ROOTFS}"/ rc-update add samba default + chroot "${ROOTFS}"/ rc-update add syslog-ng default + chroot "${ROOTFS}"/ rc-update add udev-postmount default + chroot "${ROOTFS}"/ rc-update add kmod-static-nodes sysinit + chroot "${ROOTFS}"/ rc-update add udev-mount sysinit +} + +setup_systemd() { + ln -sf /proc/self/mounts /etc/mtab + sed -i -e 's/# GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="init=\/usr\/lib\/systemd\/systemd"/' "${ROOTFS}"/etc/default/grub + chroot "${ROOTFS}"/ systemctl enable avahi-daemon.service + chroot "${ROOTFS}"/ systemctl enable bluetooth.service + chroot "${ROOTFS}"/ systemctl enable cups.service + chroot "${ROOTFS}"/ systemctl enable dhcpcd.service + chroot "${ROOTFS}"/ systemctl enable cronie.service + chroot "${ROOTFS}"/ systemctl enable gdm.service + chroot "${ROOTFS}"/ systemctl enable metalog.service + chroot "${ROOTFS}"/ systemctl enable NetworkManager.service + chroot "${ROOTFS}"/ systemctl enable postfix.service + chroot "${ROOTFS}"/ systemctl enable 
smbd.service + chroot "${ROOTFS}"/ systemctl enable sshd.service + #chroot "${ROOTFS}"/ systemctl enable udev.service + #chroot "${ROOTFS}"/ systemctl enable udev-settle.service + #chroot "${ROOTFS}"/ systemctl enable udev-trigger.service +} + +cleanup_dirs() { + rm -rf "${ROOTFS}"/tmp/* + rm -rf "${ROOTFS}"/var/cache/* + rm -rf "${ROOTFS}"/var/log/* + rm -rf "${ROOTFS}"/var/tmp/* + rm -rf "${ROOTFS}"/etc/resolv.conf + rm -rf "${ROOTFS}"/etc/ssh/*key* + rm -rf "${ROOTFS}"/root/.viminfo + for i in ${ROOTFS}/root/.bash_history ; do >$i; done + find ${ROOTFS}*/var/log -size +1c -type f -exec rm {} + +} + +unmount_dirs() { + umount "${ROOTFS}"/sys/ + umount "${ROOTFS}"/dev/shm + umount "${ROOTFS}"/dev/pts/ + umount "${ROOTFS}"/dev/ + umount "${ROOTFS}"/proc/ + umount "${ROOTFS}"/usr/portage/ + + mkdir "${ROOTFS}"/usr/portage/profiles/ + echo "gentoo" >> "${ROOTFS}"/usr/portage/profiles/repo_name +} + +make_iso() { + MYROOT="${ROOTFS}" ./make.sh +} diff --git a/tools-hardened/desktop/xfce4-run.sh b/tools-hardened/desktop/xfce4-run.sh index 80ea87e..0d5bafc 100755 --- a/tools-hardened/desktop/xfce4-run.sh +++ b/tools-hardened/desktop/xfce4-run.sh 
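Review bot: run-base.sh never checks that `ROOTFS` (or `STAGE3`, `KERNEL_SOURCE`, `MAKE_BASE`, `KEYWORDS_BASE`, `USE_BASE`, `WORLD_BASE`) was set by the sourcing script, yet `cleanup_dirs` runs `rm -rf "${ROOTFS}"/tmp/*`, `rm -rf "${ROOTFS}"/etc/ssh/*key*` and `find ${ROOTFS}*/var/log -size +1c -type f -exec rm {} +`, and `unmount_dirs` runs `umount "${ROOTFS}"/sys/` — with ROOTFS empty these act on the host's own /tmp, /etc/ssh and /sys as root. Add `: "${ROOTFS:?ROOTFS must be set by the sourcing script}"` (and the equivalent for the other variables) directly after the shebang. In `setup_systemd`, `ln -sf /proc/self/mounts /etc/mtab` modifies the host rather than the chroot; it should read `ln -sf /proc/self/mounts "${ROOTFS}"/etc/mtab`. `unmount_dirs` does not verify that each umount succeeded before `mkdir "${ROOTFS}"/usr/portage/profiles/` and the `echo "gentoo" >> ...repo_name`, so a busy bind mount would leave those writes landing in the host's /usr/portage; appending `|| return 1` to each umount line stops that. `build_kernel` fetches th-boot.tar.gz over plain HTTP and extracts it into files/ with no integrity check; compare the download against a pinned digest (`<expected-sha256-placeholder>`) before the tar step.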
@@ -8,101 +8,13 @@ STAGE3="/var/tmp/catalyst/builds/hardened/${ARCH}/stage3-${ARCH}-hardened-latest LAYMAN="/var/lib/layman" KERNEL_SOURCE="/usr/src/linux-tinhat" +BASE="xfce4" +MAKE_BASE="${BASE}" +KEYWORDS_BASE="${BASE}" +USE_BASE="${BASE}" +WORLD_BASE="${BASE}" -unpack_stage3() { - mkdir "${ROOTFS}" - tar -x -C "${ROOTFS}" -f "${STAGE3}" -} - -mount_dirs() { - mkdir "${ROOTFS}"/usr/portage/ - mount --bind /usr/portage/ "${ROOTFS}"/usr/portage/ - mount --bind /proc/ "${ROOTFS}"/proc/ - mount --bind /dev/ "${ROOTFS}"/dev/ - mount --bind /dev/pts "${ROOTFS}"/dev/pts/ - mount -t tmpfs shm "${ROOTFS}"/dev/shm - mount --bind /sys/ "${ROOTFS}"/sys/ -} - -populate_etc() { - cp -f files/fstab "${ROOTFS}"/etc/fstab - cp -f files/resolv.conf "${ROOTFS}"/etc/resolv.conf - - rm -f "${ROOTFS}"/etc/portage/make.conf.catalyst - cp -f files/portage/make.xfce4.1 "${ROOTFS}"/etc/portage/make.conf - cp -f files/portage/package.xfce4.accept_keywords "${ROOTFS}"/etc/portage/package.accept_keywords - cp -f files/portage/package.xfce4.use "${ROOTFS}"/etc/portage/package.use - cp -af files/portage/profile "${ROOTFS}"/etc/portage/profile - cp -af files/portage/repos.conf "${ROOTFS}"/etc/portage/repos.conf -} - -rebuild_toolchain() { - cp -f toolchain.sh "${ROOTFS}"/tmp/ - chroot "${ROOTFS}"/ /tmp/toolchain.sh - rm -f "${ROOTFS}"/tmp/toolchain.sh -} - -rebuild_world() { - cp -f files/xfce4-world "${ROOTFS}"/var/lib/portage/world - cp -f rebuild.sh "${ROOTFS}"/tmp/ - chroot "${ROOTFS}"/ /tmp/rebuild.sh - rm -f "${ROOTFS}"/tmp/rebuild.sh -} - - -update_world() { - cp -f files/portage/make.xfce4.2 "${ROOTFS}"/etc/portage/make.conf - cp -f update.sh "${ROOTFS}"/tmp/ - chroot "${ROOTFS}"/ /tmp/update.sh - rm -f "${ROOTFS}"/tmp/update.sh -} - -build_kernel() { - local TH_BOOT="http://dev.gentoo.org/~twitch153/tinhat/th-boot.tar.gz" - mkdir -p "${ROOTFS}"/boot - - genkernel \ - --kernel-config=files/kernel-config \ - --makeopts=-j9 \ - --static \ - --symlink \ - --no-mountboot \ - 
--kerneldir="${KERNEL_SOURCE}" \ - --bootdir="${PWD}"/"${ROOTFS}"/boot/ \ - all - - #for i in $(find "${PWD}"/"${ROOTFS}"/lib/modules -iname *ko); do - # objcopy --strip-unneeded $i - #done - rm -rf "${PWD}"/"${ROOTFS}"/boot/initramfs* - wget -O "${PWD}"/th-boot.tar.gz "${TH_BOOT}" - tar -x -C "${PWD}"/files -f th-boot.tar.gz - cp -Rf files/th-boot/grub "${ROOTFS}"/boot/ - rm -f "${PWD}"/th-boot.tar.gz -} - -setup_initrc() { - ln -sf net.lo "${ROOTFS}"/etc/init.d/net.eth0 - chroot "${ROOTFS}"/ rc-update add acpid boot - chroot "${ROOTFS}"/ rc-update add alsasound boot - chroot "${ROOTFS}"/ rc-update add cpufrequtils boot - chroot "${ROOTFS}"/ rc-update add device-mapper boot - chroot "${ROOTFS}"/ rc-update add lvm boot - chroot "${ROOTFS}"/ rc-update add udev boot - chroot "${ROOTFS}"/ rc-update add cupsd default - chroot "${ROOTFS}"/ rc-update add cronie default - chroot "${ROOTFS}"/ rc-update add net.eth0 default - chroot "${ROOTFS}"/ rc-update add postfix default - chroot "${ROOTFS}"/ rc-update add sshd default - chroot "${ROOTFS}"/ rc-update add xdm default - chroot "${ROOTFS}"/ rc-update add avahi-daemon default - chroot "${ROOTFS}"/ rc-update add dbus default - chroot "${ROOTFS}"/ rc-update add samba default - chroot "${ROOTFS}"/ rc-update add syslog-ng default - chroot "${ROOTFS}"/ rc-update add udev-postmount default - chroot "${ROOTFS}"/ rc-update add kmod-static-nodes sysinit - chroot "${ROOTFS}"/ rc-update add udev-mount sysinit -} +source run-base.sh setup_usergroups() { local DCONF_LOCAL="http://dev.gentoo.org/~blueness/lilblue/user" 
@@ -156,52 +68,23 @@ setup_confs() { chroot "${ROOTFS}"/ eselect locale set 3 cp -a files/locale/02locale "${ROOTFS}"/etc/conf.d/ # In kernels 3.9 and above, we must disallow-other-stacks because of SO_REUSEPORT - # NOTE: Current TinHat kernel uses kernel-3.7.5-hardened-r1 - #sed -i 's/^#\(disallow-other-stacks=\)no/\1yes/g' "${ROOTFS}"/etc/avahi/avahi-daemon.conf -} - -cleanup_dirs() { - rm -rf "${ROOTFS}"/tmp/* - rm -rf "${ROOTFS}"/var/cache/* - rm -rf "${ROOTFS}"/var/log/* - rm -rf "${ROOTFS}"/var/tmp/* - rm -rf "${ROOTFS}"/etc/resolv.conf - rm -rf "${ROOTFS}"/etc/ssh/*key* - rm -rf "${ROOTFS}"/root/.viminfo - for i in ${ROOTFS}/root/.bash_history ; do >$i; done - find ${ROOTFS}*/var/log -size +1c -type f -exec rm {} + -} - -unmount_dirs() { - umount "${ROOTFS}"/sys/ - umount "${ROOTFS}"/dev/shm - umount "${ROOTFS}"/dev/pts/ - umount "${ROOTFS}"/dev/ - umount "${ROOTFS}"/proc/ - umount "${ROOTFS}"/usr/portage/ - - mkdir "${ROOTFS}"/usr/portage/profiles/ - echo "gentoo" >> "${ROOTFS}"/usr/portage/profiles/repo_name -} - -make_iso() { - MYROOT="${ROOTFS}" ./make.sh + sed -i 's/^#\(disallow-other-stacks=\)no/\1yes/g' "${ROOTFS}"/etc/avahi/avahi-daemon.conf } main() { - #unpack_stage3 - #mount_dirs - #populate_etc - #rebuild_toolchain - #rebuild_world - #update_world + unpack_stage3 + mount_dirs + populate_etc + rebuild_toolchain + rebuild_world + update_world build_kernel - #setup_initrc - #setup_usergroups - #setup_confs - #cleanup_dirs - #unmount_dirs - #make_iso + setup_initrc + setup_usergroups + setup_confs + cleanup_dirs + unmount_dirs + make_iso } main > xfce4-"${ARCH}"-build.log 2>&1 &
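Review bot: main() now runs every stage unconditionally, but nothing stops the sequence on failure: if `unpack_stage3` or `mount_dirs` fails, `populate_etc` through `make_iso` still run against a partial tree and `cleanup_dirs`/`unmount_dirs` act on whatever is there. Add `set -e` as the first line of main() — because main is launched as a background job (`main > xfce4-"${ARCH}"-build.log 2>&1 &`) the option should stay local to that subshell — or chain the stages with `&&`. The sed enabling `disallow-other-stacks=yes` is the same edit as in the fluxbox-run.sh and gnome3-run.sh setup_confs hunks.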