public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2016-04-23 18:23 Magnus Granberg
From: Magnus Granberg @ 2016-04-23 18:23 UTC
  To: gentoo-commits

commit:     8ab745bdff4b392d56bfb27823eec5501827aa3f
Author:     Magnus Granberg <zorry <AT> gentoo <DOT> org>
AuthorDate: Sat Apr 23 17:27:01 2016 +0000
Commit:     Magnus Granberg <zorry <AT> gentoo <DOT> org>
CommitDate: Sat Apr 23 17:27:01 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-dev.git/commit/?id=8ab745bd

add more gcc 6 support to toolchain.eclass

 eclass/toolchain.eclass | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/eclass/toolchain.eclass b/eclass/toolchain.eclass
index ececcdc..c9520a9 100644
--- a/eclass/toolchain.eclass
+++ b/eclass/toolchain.eclass
@@ -626,6 +626,22 @@ do_gcc_PIE_patches() {
 
 # configure to build with the hardened GCC specs as the default
 make_gcc_hard() {
+
+	# Gcc >= 6.X we don't need to sed in Makefile
+	# It have configurations options to turn pie/ssp on as default
+	if tc_version_is_at_least 6.0 ; then
+		if use hardened ; then
+			# rebrand to make bug reports easier
+			BRANDING_GCC_PKGVERSION=${BRANDING_GCC_PKGVERSION/Gentoo/Gentoo Hardened}
+		if use pie ; then
+			einfo "Updating gcc to use automatic PIE building ..."
+		fi
+		if use ssp ; then
+			einfo "Updating gcc to use automatic SSP building ..."
+		fi
+		return 1
+	fi
+
 	# we want to be able to control the pie patch logic via something other
 	# than ALL_CFLAGS...
 	sed -e '/^ALL_CFLAGS/iHARD_CFLAGS = ' \
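Review bot: the `if use hardened ; then` opened just after the gcc-6 version check is never closed: the single `fi` before the original "we want to be able to control the pie patch logic" comment closes it, which leaves `if tc_version_is_at_least 6.0 ; then` open, and bash will refuse to source the eclass. Add a `fi` after the `BRANDING_GCC_PKGVERSION=...` line; the pie/ssp `einfo` lines then run for every gcc >= 6 build, which is what their indentation suggests. The early exit should also be `return 0` rather than `return 1`: this is the normal gcc-6 path, not an error, and although toolchain_src_prepare currently calls `make_gcc_hard` without checking its status, a non-zero return will bite as soon as someone adds `|| die` to that call.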
@@ -2264,6 +2280,10 @@ hardened_gcc_is_stable() {
 }
 
 want_minispecs() {
+	# on gcc 6 we don't need minispecs
+	if tc_version_is_at_least 6.0 ; then
+		return 0
+	fi
 	if tc_version_is_at_least 4.3.2 && use hardened ; then
 		if ! want_pie ; then
 			ewarn "PIE_VER or SPECS_VER is not defined in the GCC ebuild."
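Review bot: `return 0` under the comment "on gcc 6 we don't need minispecs" says the opposite of the comment for a predicate named `want_minispecs`, where a zero status means "yes, wanted". If callers run the minispecs logic on status 0, gcc 6 will still get minispecs and this should be `return 1`; if the function's convention is the inverse, state that in the comment so the comment and the return value agree.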


* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2016-05-01 23:52 Anthony G. Basile
From: Anthony G. Basile @ 2016-05-01 23:52 UTC
  To: gentoo-commits

commit:     8da39130c7e90e06481a6606d798c1ff65291e46
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun May  1 23:52:09 2016 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun May  1 23:52:09 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-dev.git/commit/?id=8da39130

Revert "toolchain.eclass: sanely check if there are spec files to be installed"

This reverts commit c5c2daa6ff0970a37747c58328df38b4ce57207f.

Zorry already addressed this issue in the previous commit.

 eclass/toolchain.eclass | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/eclass/toolchain.eclass b/eclass/toolchain.eclass
index 40b2cf9..247dcee 100644
--- a/eclass/toolchain.eclass
+++ b/eclass/toolchain.eclass
@@ -1954,11 +1954,7 @@ copy_minispecs_gcc_specs() {
 	fi
 	create_gcc_env_entry vanilla
 	insinto ${LIBPATH}
-	# Only doins if there are actually spec files in "${WORKDIR}"/specs/
-	local SPECSDIR="${WORKDIR}"/specs/
-	if [[ "$(ls -A ${SPECSDIR})" ]]; then
-		doins "${SPECSDIR}"/*.specs || die "failed to install specs"
-	fi
+	doins "${WORKDIR}"/specs/*.specs || die "failed to install specs"
 	# Build system specs file which, if it exists, must be a complete set of
 	# specs as it completely and unconditionally overrides the builtin specs.
 	if ! tc_version_is_at_least 4.4 ; then
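Review bot: with the `ls -A` guard gone, `doins "${WORKDIR}"/specs/*.specs || die` aborts again whenever `${WORKDIR}/specs/` is empty or missing, and the early return in d45e7e61 that the revert message relies on only covers `tc_version_is_at_least 6.0`, so every older gcc build that reaches this line still needs at least one spec file. If that is the intended contract, say so in the revert message so the check is not reintroduced; if not, keep a guard that tests the glob rather than parsing `ls`, e.g. `if compgen -G "${WORKDIR}"/specs/*.specs >/dev/null ; then`.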


* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2016-05-01 19:51 Anthony G. Basile
From: Anthony G. Basile @ 2016-05-01 19:51 UTC
  To: gentoo-commits

commit:     c5c2daa6ff0970a37747c58328df38b4ce57207f
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun May  1 19:51:05 2016 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun May  1 19:51:46 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-dev.git/commit/?id=c5c2daa6

toolchain.eclass: sanely check if there are spec files to be installed

 eclass/toolchain.eclass | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/eclass/toolchain.eclass b/eclass/toolchain.eclass
index 247dcee..40b2cf9 100644
--- a/eclass/toolchain.eclass
+++ b/eclass/toolchain.eclass
@@ -1954,7 +1954,11 @@ copy_minispecs_gcc_specs() {
 	fi
 	create_gcc_env_entry vanilla
 	insinto ${LIBPATH}
-	doins "${WORKDIR}"/specs/*.specs || die "failed to install specs"
+	# Only doins if there are actually spec files in "${WORKDIR}"/specs/
+	local SPECSDIR="${WORKDIR}"/specs/
+	if [[ "$(ls -A ${SPECSDIR})" ]]; then
+		doins "${SPECSDIR}"/*.specs || die "failed to install specs"
+	fi
 	# Build system specs file which, if it exists, must be a complete set of
 	# specs as it completely and unconditionally overrides the builtin specs.
 	if ! tc_version_is_at_least 4.4 ; then
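Review bot: `if [[ "$(ls -A ${SPECSDIR})" ]]` checks that the directory has some entry, not that it has `*.specs` files, so a directory holding only other files still reaches `doins "${SPECSDIR}"/*.specs` with an unexpanded glob and dies with "failed to install specs"; it also parses `ls` output and leaves `${SPECSDIR}` unquoted. A glob test covers both cases without the subshell: `if compgen -G "${SPECSDIR}"/*.specs >/dev/null ; then`.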


* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2016-05-01 19:42 Magnus Granberg
From: Magnus Granberg @ 2016-05-01 19:42 UTC
  To: gentoo-commits

commit:     d45e7e6148a392e3200a7c6c17ff2888cbf26b64
Author:     Magnus Granberg <zorry <AT> gentoo <DOT> org>
AuthorDate: Sun May  1 19:24:34 2016 +0000
Commit:     Magnus Granberg <zorry <AT> gentoo <DOT> org>
CommitDate: Sun May  1 19:24:34 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-dev.git/commit/?id=d45e7e61

don't use .specs files when installing

 eclass/toolchain.eclass | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/eclass/toolchain.eclass b/eclass/toolchain.eclass
index 3106641..247dcee 100644
--- a/eclass/toolchain.eclass
+++ b/eclass/toolchain.eclass
@@ -1937,6 +1937,11 @@ create_gcc_env_entry() {
 }
 
 copy_minispecs_gcc_specs() {
+	# on gcc 6 we don't need minispecs
+	if tc_version_is_at_least 6.0 ; then
+		return 0
+	fi
+
 	# setup the hardenedno* specs files and the vanilla specs file.
 	if hardened_gcc_works ; then
 		create_gcc_env_entry hardenednopiessp
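Review bot: the early return skips the whole of copy_minispecs_gcc_specs for gcc 6, including the `create_gcc_env_entry vanilla` and `insinto ${LIBPATH}` steps visible in the c5c2daa6 hunk, so gcc 6 installs no vanilla env entry at all; confirm gcc-config does not expect one, and if it does, skip only the specs installation instead. The same `tc_version_is_at_least 6.0` test now appears in make_gcc_hard, want_minispecs and here; a single helper (say `tc_has_builtin_hardening`, the name is only a suggestion) would keep the three in step when the threshold changes.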


* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2016-04-23 18:23 Magnus Granberg
From: Magnus Granberg @ 2016-04-23 18:23 UTC
  To: gentoo-commits

commit:     331f79b74debeac8f5d162e93f13a143365b2d4e
Author:     Magnus Granberg <zorry <AT> gentoo <DOT> org>
AuthorDate: Sat Apr 23 16:16:59 2016 +0000
Commit:     Magnus Granberg <zorry <AT> gentoo <DOT> org>
CommitDate: Sat Apr 23 16:16:59 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-dev.git/commit/?id=331f79b7

update toolchain.eclass and use pch

 eclass/toolchain.eclass | 517 +++++++++++++++++++++++++++++++++---------------
 1 file changed, 361 insertions(+), 156 deletions(-)

diff --git a/eclass/toolchain.eclass b/eclass/toolchain.eclass
index d340ae7..ececcdc 100644
--- a/eclass/toolchain.eclass
+++ b/eclass/toolchain.eclass
@@ -1,12 +1,11 @@
-# Copyright 1999-2013 Gentoo Foundation
+# Copyright 1999-2016 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 # $Id$
 
 # Maintainer: Toolchain Ninjas <toolchain@gentoo.org>
 
 DESCRIPTION="The GNU Compiler Collection"
-HOMEPAGE="http://gcc.gnu.org/"
-LICENSE="GPL-2 LGPL-2.1"
+HOMEPAGE="https://gcc.gnu.org/"
 RESTRICT="strip" # cross-compilers need controlled stripping
 
 inherit eutils fixheadtails flag-o-matic gnuconfig libtool multilib pax-utils toolchain-funcs versionator
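Review bot: the commit message "update toolchain.eclass and use pch" does not describe most of what this 361/156-line change does: this first hunk alone drops the static `LICENSE` (it is reassigned per version further down), and later hunks remove EAPI 0/1 support, make `SLOT` unconditional, add `downgrade_arch_flags`, add the jit/cilk/sanitize/pie/ssp USE flags and rename the go binaries. If this is a sync from another copy of toolchain.eclass, say which one and what was kept local (for example the commented-out `--enable-linker-build-id` block) so the change can be reviewed against its source.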
@@ -27,7 +26,7 @@ FEATURES=${FEATURES/multilib-strict/}
 
 EXPORTED_FUNCTIONS="pkg_setup src_unpack src_compile src_test src_install pkg_postinst pkg_postrm"
 case ${EAPI:-0} in
-	0|1)	;;
+	0|1)    die "Need to upgrade to at least EAPI=2";;
 	2|3)    EXPORTED_FUNCTIONS+=" src_prepare src_configure" ;;
 	4*|5*)  EXPORTED_FUNCTIONS+=" pkg_pretend src_prepare src_configure" ;;
 	*)      die "I don't speak EAPI ${EAPI}."
@@ -38,8 +37,8 @@ EXPORT_FUNCTIONS ${EXPORTED_FUNCTIONS}
 
 export CTARGET=${CTARGET:-${CHOST}}
 if [[ ${CTARGET} = ${CHOST} ]] ; then
-	if [[ ${CATEGORY/cross-} != ${CATEGORY} ]] ; then
-		export CTARGET=${CATEGORY/cross-}
+	if [[ ${CATEGORY} == cross-* ]] ; then
+		export CTARGET=${CATEGORY#cross-}
 	fi
 fi
 : ${TARGET_ABI:=${ABI}}
@@ -51,7 +50,7 @@ is_crosscompile() {
 }
 
 # General purpose version check.  Without a second arg matches up to minor version (x.x.x)
-tc_version_is_at_least() { 
+tc_version_is_at_least() {
 	version_is_at_least "$1" "${2:-${GCC_RELEASE_VER}}"
 }
 
@@ -77,12 +76,9 @@ GCCMICRO=$(get_version_component_range 3 ${GCC_PV})
 GCC_CONFIG_VER=${GCC_CONFIG_VER:-$(replace_version_separator 3 '-' ${GCC_PV})}
 
 # Pre-release support
-if [[ ${GCC_PV} != ${GCC_PV/_pre/-} ]] ; then
+if [[ ${GCC_PV} == *_pre* ]] ; then
 	PRERELEASE=${GCC_PV/_pre/-}
-fi
-
-# make _alpha and _beta ebuilds automatically use a snapshot
-if [[ ${GCC_PV} == *_alpha* ]] ; then
+elif [[ ${GCC_PV} == *_alpha* ]] ; then
 	SNAPSHOT=${GCC_BRANCH_VER}-${GCC_PV##*_alpha}
 elif [[ ${GCC_PV} == *_beta* ]] ; then
 	SNAPSHOT=${GCC_BRANCH_VER}-${GCC_PV##*_beta}
@@ -90,6 +86,11 @@ elif [[ ${GCC_PV} == *_rc* ]] ; then
 	SNAPSHOT=${GCC_PV%_rc*}-RC-${GCC_PV##*_rc}
 fi
 
+if [[ ${SNAPSHOT} == [56789].0-* ]] ; then
+	# The gcc-5+ releases have dropped the .0 for some reason.
+	SNAPSHOT=${SNAPSHOT/.0}
+fi
+
 export GCC_FILESDIR=${GCC_FILESDIR:-${FILESDIR}}
 
 PREFIX=${TOOLCHAIN_PREFIX:-/usr}
@@ -103,6 +104,7 @@ INCLUDEPATH=${TOOLCHAIN_INCLUDEPATH:-${LIBPATH}/include}
 
 if is_crosscompile ; then
 	BINPATH=${TOOLCHAIN_BINPATH:-${PREFIX}/${CHOST}/${CTARGET}/gcc-bin/${GCC_CONFIG_VER}}
+	HOSTLIBPATH=${PREFIX}/${CHOST}/${CTARGET}/lib/${GCC_CONFIG_VER}
 else
 	BINPATH=${TOOLCHAIN_BINPATH:-${PREFIX}/${CTARGET}/gcc-bin/${GCC_CONFIG_VER}}
 fi
@@ -113,12 +115,28 @@ DATAPATH=${TOOLCHAIN_DATAPATH:-${PREFIX}/share/gcc-data/${CTARGET}/${GCC_CONFIG_
 # We will handle /usr/include/g++-v3/ with gcc-config ...
 STDCXX_INCDIR=${TOOLCHAIN_STDCXX_INCDIR:-${LIBPATH}/include/g++-v${GCC_BRANCH_VER/\.*/}}
 
-#---->> SLOT+IUSE logic <<----
+#---->> LICENSE+SLOT+IUSE logic <<----
+
+if tc_version_is_at_least 4.6 ; then
+	LICENSE="GPL-3+ LGPL-3+ || ( GPL-3+ libgcc libstdc++ gcc-runtime-library-exception-3.1 ) FDL-1.3+"
+elif tc_version_is_at_least 4.4 ; then
+	LICENSE="GPL-3+ LGPL-3+ || ( GPL-3+ libgcc libstdc++ gcc-runtime-library-exception-3.1 ) FDL-1.2+"
+elif tc_version_is_at_least 4.3 ; then
+	LICENSE="GPL-3+ LGPL-3+ || ( GPL-3+ libgcc libstdc++ ) FDL-1.2+"
+elif tc_version_is_at_least 4.2 ; then
+	LICENSE="GPL-3+ LGPL-2.1+ || ( GPL-3+ libgcc libstdc++ ) FDL-1.2+"
+elif tc_version_is_at_least 3.3 ; then
+	LICENSE="GPL-2+ LGPL-2.1+ FDL-1.2+"
+else
+	LICENSE="GPL-2+ LGPL-2.1+ FDL-1.1+"
+fi
 
-IUSE="multislot nls nptl regression-test vanilla"
+IUSE="multislot regression-test vanilla"
+IUSE_DEF=( nls nptl )
 
 if [[ ${PN} != "kgcc64" && ${PN} != gcc-* ]] ; then
-	IUSE+=" altivec cxx fortran"
+	IUSE+=" altivec debug"
+	IUSE_DEF+=( cxx fortran )
 	[[ -n ${PIE_VER} ]] && IUSE+=" nopie"
 	[[ -n ${HTB_VER} ]] && IUSE+=" boundschecking"
 	[[ -n ${D_VER}   ]] && IUSE+=" d"
@@ -127,28 +145,31 @@ if [[ ${PN} != "kgcc64" && ${PN} != gcc-* ]] ; then
 	tc_version_is_at_least 4.0 && IUSE+=" objc-gc"
 	tc_version_is_between 4.0 4.9 && IUSE+=" mudflap"
 	tc_version_is_at_least 4.1 && IUSE+=" libssp objc++"
-	tc_version_is_at_least 4.2 && IUSE+=" openmp"
+	tc_version_is_at_least 4.2 && IUSE_DEF+=( openmp )
 	tc_version_is_at_least 4.3 && IUSE+=" fixed-point"
-	tc_version_is_at_least 4.6 && IUSE+=" graphite"
 	tc_version_is_at_least 4.7 && IUSE+=" go"
+	# Note: while <=gcc-4.7 also supported graphite, it required forked ppl
+	# versions which we dropped.  Since graphite was also experimental in
+	# the older versions, we don't want to bother supporting it.  #448024
+	tc_version_is_at_least 4.8 && IUSE+=" graphite" IUSE_DEF+=( sanitize )
+	tc_version_is_at_least 4.9 && IUSE+=" cilk"
+	tc_version_is_at_least 5.0 && IUSE+=" jit pch"
+	tc_version_is_at_least 6.0 && IUSE+=" pie +ssp"
 fi
 
-# Support upgrade paths here or people get pissed
-if use multislot ; then
-	SLOT="${GCC_CONFIG_VER}"
-else
-	SLOT="${GCC_BRANCH_VER}"
-fi
+IUSE+=" ${IUSE_DEF[*]/#/+}"
+
+SLOT="${GCC_CONFIG_VER}"
 
 #---->> DEPEND <<----
 
 RDEPEND="sys-libs/zlib
-	nls? ( sys-devel/gettext )"
+	nls? ( virtual/libintl )"
 
 tc_version_is_at_least 3 && RDEPEND+=" virtual/libiconv"
 
 if tc_version_is_at_least 4 ; then
-	GMP_MPFR_DEPS=">=dev-libs/gmp-4.3.2 >=dev-libs/mpfr-2.4.2"
+	GMP_MPFR_DEPS=">=dev-libs/gmp-4.3.2:0 >=dev-libs/mpfr-2.4.2:0"
 	if tc_version_is_at_least 4.3 ; then
 		RDEPEND+=" ${GMP_MPFR_DEPS}"
 	elif in_iuse fortran ; then
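Review bot: `SLOT="${GCC_CONFIG_VER}"` is now unconditional, but `multislot` is still in `IUSE` in the previous hunk, so the flag no longer does anything visible here; drop it from IUSE, or note why it must stay for ebuilds that still reference it. Style: `tc_version_is_at_least 6.0 && IUSE+=" pie +ssp"` writes a default-on flag straight into IUSE, while every other default flag in this block goes through `IUSE_DEF+=( ... )` and gets its `+` from `IUSE+=" ${IUSE_DEF[*]/#/+}"`; `IUSE+=" pie" IUSE_DEF+=( ssp )` would be consistent with the rest.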
@@ -156,27 +177,24 @@ if tc_version_is_at_least 4 ; then
 	fi
 fi
 
-tc_version_is_at_least 4.5 && RDEPEND+=" >=dev-libs/mpc-0.8.1"
+tc_version_is_at_least 4.5 && RDEPEND+=" >=dev-libs/mpc-0.8.1:0"
 
 if in_iuse graphite ; then
-	if tc_version_is_at_least 4.8 ; then
+	if tc_version_is_at_least 5.0 ; then
+		RDEPEND+=" graphite? ( >=dev-libs/isl-0.14 )"
+	elif tc_version_is_at_least 4.8 ; then
 		RDEPEND+="
 			graphite? (
 				>=dev-libs/cloog-0.18.0
 				>=dev-libs/isl-0.11.1
 			)"
-	else
-		RDEPEND+="
-			graphite? (
-				>=dev-libs/cloog-ppl-0.15.10
-				>=dev-libs/ppl-0.11
-			)"
 	fi
 fi
 
 DEPEND="${RDEPEND}
 	>=sys-devel/bison-1.875
 	>=sys-devel/flex-2.5.4
+	nls? ( sys-devel/gettext )
 	regression-test? (
 		>=dev-util/dejagnu-1.4.4
 		>=sys-devel/autogen-5.5.4
@@ -192,10 +210,6 @@ if in_iuse gcj ; then
 		x11-proto/xextproto
 		=x11-libs/gtk+-2*
 		virtual/pkgconfig
-		amd64? ( multilib? (
-			app-emulation/emul-linux-x86-gtklibs
-			app-emulation/emul-linux-x86-xlibs
-		) )
 	"
 	tc_version_is_at_least 3.4 && GCJ_GTK_DEPS+=" x11-libs/pango"
 	tc_version_is_at_least 4.2 && GCJ_DEPS+=" app-arch/zip app-arch/unzip"
@@ -219,9 +233,9 @@ S=$(
 )
 
 gentoo_urls() {
-	local devspace="HTTP~vapier/dist/URI HTTP~dirtyepic/dist/URI
-	HTTP~halcy0n/patches/URI HTTP~zorry/patches/gcc/URI"
-	devspace=${devspace//HTTP/http:\/\/dev.gentoo.org\/}
+	local devspace="HTTP~vapier/dist/URI HTTP~rhill/dist/URI
+	HTTP~zorry/patches/gcc/URI HTTP~blueness/dist/URI"
+	devspace=${devspace//HTTP/https:\/\/dev.gentoo.org\/}
 	echo mirror://gentoo/$1 ${devspace//URI/$1}
 }
 
@@ -292,11 +306,14 @@ get_gcc_src_uri() {
 
 	# Set where to download gcc itself depending on whether we're using a
 	# prerelease, snapshot, or release tarball.
-	if [[ -n ${PRERELEASE} ]] ; then
+	if [[ ${PV} == *9999* ]] ; then
+		# Nothing to do w/git snapshots.
+		:
+	elif [[ -n ${PRERELEASE} ]] ; then
 		GCC_SRC_URI="ftp://gcc.gnu.org/pub/gcc/prerelease-${PRERELEASE}/gcc-${PRERELEASE}.tar.bz2"
 	elif [[ -n ${SNAPSHOT} ]] ; then
 		GCC_SRC_URI="ftp://gcc.gnu.org/pub/gcc/snapshots/${SNAPSHOT}/gcc-${SNAPSHOT}.tar.bz2"
-	elif [[ ${PV} != *9999* ]] ; then
+	else
 		GCC_SRC_URI="mirror://gnu/gcc/gcc-${GCC_PV}/gcc-${GCC_RELEASE_VER}.tar.bz2"
 		# we want all branch updates to be against the main release
 		[[ -n ${BRANCH_UPDATE} ]] && \
@@ -367,8 +384,8 @@ toolchain_pkg_pretend() {
 #---->> pkg_setup <<----
 
 toolchain_pkg_setup() {
-	case "${EAPI:-0}" in
-		0|1|2|3)    toolchain_pkg_pretend ;;
+	case ${EAPI} in
+	2|3) toolchain_pkg_pretend ;;
 	esac
 
 	# we dont want to use the installed compiler's specs to build gcc
@@ -384,10 +401,6 @@ toolchain_src_unpack() {
 	else
 		gcc_quick_unpack
 	fi
-
-	case ${EAPI:-0} in
-		0|1)   toolchain_src_prepare ;;
-	esac
 }
 
 gcc_quick_unpack() {
@@ -473,7 +486,7 @@ toolchain_src_prepare() {
 	do_gcc_PIE_patches
 	epatch_user
 
-	if ( tc_version_is_at_least 4.8 || use hardened ) && ! use vanilla ; then
+	if ( tc_version_is_at_least 4.8.2 || use hardened ) && ! use vanilla ; then
 		make_gcc_hard
 	fi
 
@@ -613,7 +626,6 @@ do_gcc_PIE_patches() {
 
 # configure to build with the hardened GCC specs as the default
 make_gcc_hard() {
-	
 	# we want to be able to control the pie patch logic via something other
 	# than ALL_CFLAGS...
 	sed -e '/^ALL_CFLAGS/iHARD_CFLAGS = ' \
@@ -641,9 +653,8 @@ make_gcc_hard() {
 			ewarn "PIE has not been enabled by default"
 			gcc_hard_flags+=" -DEFAULT_SSP"
 		else
-			# do nothing if hardened isnt supported, but dont die either
+			# do nothing if hardened isn't supported, but don't die either
 			ewarn "hardened is not supported for this arch in this gcc version"
-			ebeep
 			return 0
 		fi
 		# rebrand to make bug reports easier
@@ -766,6 +777,7 @@ do_gcc_rename_java_bins() {
 #---->> src_configure <<----
 
 toolchain_src_configure() {
+	downgrade_arch_flags
 	gcc_do_filter_flags
 
 	einfo "CFLAGS=\"${CFLAGS}\""
@@ -823,6 +835,7 @@ toolchain_src_configure() {
 	is_d   && GCC_LANG+=",d"
 	is_gcj && GCC_LANG+=",java"
 	is_go  && GCC_LANG+=",go"
+	is_jit && GCC_LANG+=",jit"
 	if is_objc || is_objcxx ; then
 		GCC_LANG+=",objc"
 		if tc_version_is_at_least 4 ; then
@@ -830,7 +843,6 @@ toolchain_src_configure() {
 		fi
 		is_objcxx && GCC_LANG+=",obj-c++"
 	fi
-	is_treelang && GCC_LANG+=",treelang"
 
 	# fortran support just got sillier! the lang value can be f77 for
 	# fortran77, f95 for fortran95, or just plain old fortran for the
@@ -863,10 +875,10 @@ toolchain_src_configure() {
 
 	# Use the default ("release") checking because upstream usually neglects
 	# to test "disabled" so it has a history of breaking. #317217
-	if tc_version_is_at_least 4 || [[ -n ${GCC_CHECKS_LIST} ]] ; then
-		confgcc+=( --enable-checking=${GCC_CHECKS_LIST:-release} )
-	else
-		confgcc+=( --disable-checking )
+	if tc_version_is_at_least 3.4 ; then
+		# The "release" keyword is new to 4.0. #551636
+		local off=$(tc_version_is_at_least 4.0 && echo release || echo no)
+		confgcc+=( --enable-checking="${GCC_CHECKS_LIST:-$(usex debug yes ${off})}" )
 	fi
 
 	# Branding
@@ -887,6 +899,24 @@ toolchain_src_configure() {
 		confgcc+=( --enable-libstdcxx-time )
 	fi
 
+	# Support to disable pch when building libstdcxx
+	if tc_version_is_at_least 5.0 && ! use pch ; then
+		confgcc+=( --disable-libstdcxx-pch )
+	fi
+
+	# The jit language requires this.
+	is_jit && confgcc+=( --enable-host-shared )
+
+	# # Turn on the -Wl,--build-id flag by default for ELF targets. #525942
+	# # This helps with locating debug files.
+	# case ${CTARGET} in
+	# *-linux-*|*-elf|*-eabi)
+	# 	tc_version_is_at_least 4.5 && confgcc+=(
+	# 		--enable-linker-build-id
+	# 	)
+	# 	;;
+	# esac
+
 	# newer gcc versions like to bootstrap themselves with C++,
 	# so we need to manually disable it ourselves
 	if tc_version_is_between 4.7 4.8 && ! is_cxx ; then
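Review bot: the `# # Turn on the -Wl,--build-id flag` block is dead code committed as comments; either enable it or drop it and record in the commit message why hardened-dev does not want `--enable-linker-build-id`. The pch check has the same IUSE gap as `debug`: `! use pch` is gated on `tc_version_is_at_least 5.0` only, while `pch` is added to IUSE only for packages other than kgcc64 and gcc-*, so write it as `in_iuse pch && ! use pch`.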
@@ -1007,9 +1037,9 @@ toolchain_src_configure() {
 	*)
 		# If they've explicitly opt-ed in, do hardfloat,
 		# otherwise let the gcc default kick in.
-		[[ ${CTARGET//_/-} == *-hardfloat-* ]] \
-			&& confgcc+=( --with-float=hard )
-		;;
+		case ${CTARGET//_/-} in
+		*-hardfloat-*|*eabihf) confgcc+=( --with-float=hard ) ;;
+		esac
 	esac
 
 	local with_abi_map=()
@@ -1055,7 +1085,7 @@ toolchain_src_configure() {
 	amd64)
 		# drop the older/ABI checks once this get's merged into some
 		# version of gcc upstream
-		if tc_version_is_at_least 4.7 && has x32 $(get_all_abis TARGET) ; then
+		if tc_version_is_at_least 4.8 && has x32 $(get_all_abis TARGET) ; then
 			confgcc+=( --with-abi=$(gcc-abi-map ${TARGET_DEFAULT_ABI}) )
 		fi
 		;;
@@ -1129,10 +1159,15 @@ toolchain_src_configure() {
 		if use_if_iuse libssp ; then
 			confgcc+=( --enable-libssp )
 		else
-			export gcc_cv_libc_provides_ssp=yes
+			if hardened_gcc_is_stable ssp; then
+				export gcc_cv_libc_provides_ssp=yes
+			fi
 			confgcc+=( --disable-libssp )
 		fi
+	fi
 
+	if in_iuse cilk ; then
+		confgcc+=( $(use_enable cilk libcilkrts) )
 	fi
 
 	# newer gcc's come with libquadmath, but only fortran uses
@@ -1147,21 +1182,28 @@ toolchain_src_configure() {
 		confgcc+=( --disable-lto )
 	fi
 
-	# graphite was added in 4.4 but we only support it in 4.6+ due to external
-	# library issues.  4.6/4.7 uses cloog-ppl which is a fork of CLooG with a
-	# PPL backend.  4.8+ uses upstream CLooG with the ISL backend.  We install
-	# cloog-ppl into a non-standard location to prevent collisions.
-	if tc_version_is_at_least 4.8 ; then
-		confgcc+=( $(use_with graphite cloog) )
+	# graphite was added in 4.4 but we only support it in 4.8+ due to external
+	# library issues.  #448024
+	if tc_version_is_at_least 5.0 ; then
+		confgcc+=( $(use_with graphite isl) )
 		use graphite && confgcc+=( --disable-isl-version-check )
-	elif tc_version_is_at_least 4.6 ; then
+	elif tc_version_is_at_least 4.8 ; then
 		confgcc+=( $(use_with graphite cloog) )
-		confgcc+=( $(use_with graphite ppl) )
-		use graphite && confgcc+=( --with-cloog-include=/usr/include/cloog-ppl )
-		use graphite && confgcc+=( --disable-ppl-version-check )
+		use graphite && confgcc+=( --disable-isl-version-check )
 	elif tc_version_is_at_least 4.4 ; then
-		confgcc+=( --without-cloog )
-		confgcc+=( --without-ppl )
+		confgcc+=( --without-{cloog,ppl} )
+	fi
+
+	if tc_version_is_at_least 4.8 ; then
+		confgcc+=( $(use_enable sanitize libsanitizer) )
+	fi
+
+	if tc_version_is_at_least 6.0 ; then
+		confgcc+=(
+			$(use_enable pie default-pie)
+			# This defaults to -fstack-protector-strong.
+			$(use_enable ssp default-ssp)
+		)
 	fi
 
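Review bot: `use_enable sanitize libsanitizer`, `use_enable pie default-pie` and `use_enable ssp default-ssp` are gated on the gcc version only, but `sanitize`, `pie` and `ssp` are added to IUSE only for packages other than kgcc64 and gcc-*, so those packages would query flags that are not in their IUSE; wrap each in `in_iuse` (as the cilk block above does) or move the version checks into the same `${PN}` guard that adds the flags.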
 	# Disable gcc info regeneration -- it ships with generated info pages
@@ -1196,12 +1238,143 @@ toolchain_src_configure() {
 	# and now to do the actual configuration
 	addwrite /dev/zero
 	echo "${S}"/configure "${confgcc[@]}"
-	"${S}"/configure "${confgcc[@]}" || die "failed to run configure"
+	# Older gcc versions did not detect bash and re-exec itself, so force the
+	# use of bash.  Newer ones will auto-detect, but this is not harmeful.
+	CONFIG_SHELL="/bin/bash" \
+	bash "${S}"/configure "${confgcc[@]}" || die "failed to run configure"
 
 	# return to whatever directory we were in before
 	popd > /dev/null
 }
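Review bot: typo in the new comment above the configure call, "harmeful" should be "harmful".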
 
+# Replace -m flags unsupported by the version being built with the best
+# available equivalent
+downgrade_arch_flags() {
+	local arch bver i isa myarch mytune rep ver
+
+	bver=${1:-${GCC_BRANCH_VER}}
+	[[ $(gcc-version) < ${bver} ]] && return 0
+	[[ $(tc-arch) != amd64 && $(tc-arch) != x86 ]] && return 0
+
+	myarch=$(get-flag march)
+	mytune=$(get-flag mtune)
+
+	# If -march=native isn't supported we have to tease out the actual arch
+	if [[ ${myarch} == native || ${mytune} == native ]] ; then
+		if [[ ${bver} < 4.2 ]] ; then
+			arch=$($(tc-getCC) -march=native -v -E -P - </dev/null 2>&1 \
+				| sed -rn "/cc1.*-march/s:.*-march=([^ ']*).*:\1:p")
+			replace-cpu-flags native ${arch}
+		fi
+	fi
+
+	# Handle special -mtune flags
+	[[ ${mytune} == intel && ${bver} < 4.9 ]] && replace-cpu-flags intel generic
+	[[ ${mytune} == generic && ${bver} < 4.2 ]] && filter-flags '-mtune=*'
+	[[ ${mytune} == x86-64 ]] && filter-flags '-mtune=*'
+	[[ ${bver} < 3.4 ]] && filter-flags '-mtune=*'
+
+	# "added" "arch" "replacement"
+	local archlist=(
+		4.9 bdver4 bdver3
+		4.9 bonnell atom
+		4.9 broadwell core-avx2
+		4.9 haswell core-avx2
+		4.9 ivybridge core-avx-i
+		4.9 nehalem corei7
+		4.9 sandybridge corei7-avx
+		4.9 silvermont corei7
+		4.9 westmere corei7
+		4.8 bdver3 bdver2
+		4.8 btver2 btver1
+		4.7 bdver2 bdver1
+		4.7 core-avx2 core-avx-i
+		4.6 bdver1 amdfam10
+		4.6 btver1 amdfam10
+		4.6 core-avx-i core2
+		4.6 corei7 core2
+		4.6 corei7-avx core2
+		4.5 atom core2
+		4.3 amdfam10 k8
+		4.3 athlon64-sse3 k8
+		4.3 barcelona k8
+		4.3 core2 nocona
+		4.3 geode k6-2 # gcc.gnu.org/PR41989#c22
+		4.3 k8-sse3 k8
+		4.3 opteron-sse3 k8
+		3.4 athlon-fx x86-64
+		3.4 athlon64 x86-64
+		3.4 c3-2 c3
+		3.4 k8 x86-64
+		3.4 opteron x86-64
+		3.4 pentium-m pentium3
+		3.4 pentium3m pentium3
+		3.4 pentium4m pentium4
+	)
+
+	for ((i = 0; i < ${#archlist[@]}; i += 3)) ; do
+		myarch=$(get-flag march)
+		mytune=$(get-flag mtune)
+
+		ver=${archlist[i]}
+		arch=${archlist[i + 1]}
+		rep=${archlist[i + 2]}
+
+		[[ ${myarch} != ${arch} && ${mytune} != ${arch} ]] && continue
+
+		if [[ ${ver} > ${bver} ]] ; then
+			einfo "Replacing ${myarch} (added in gcc ${ver}) with ${rep}..."
+			[[ ${myarch} == ${arch} ]] && replace-cpu-flags ${myarch} ${rep}
+			[[ ${mytune} == ${arch} ]] && replace-cpu-flags ${mytune} ${rep}
+			continue
+		else
+			break
+		fi
+	done
+
+	# we only check -mno* here since -m* get removed by strip-flags later on
+	local isalist=(
+		4.9 -mno-sha
+		4.9 -mno-avx512pf
+		4.9 -mno-avx512f
+		4.9 -mno-avx512er
+		4.9 -mno-avx512cd
+		4.8 -mno-xsaveopt
+		4.8 -mno-xsave
+		4.8 -mno-rtm
+		4.8 -mno-fxsr
+		4.7 -mno-lzcnt
+		4.7 -mno-bmi2
+		4.7 -mno-avx2
+		4.6 -mno-tbm
+		4.6 -mno-rdrnd
+		4.6 -mno-fsgsbase
+		4.6 -mno-f16c
+		4.6 -mno-bmi
+		4.5 -mno-xop
+		4.5 -mno-movbe
+		4.5 -mno-lwp
+		4.5 -mno-fma4
+		4.4 -mno-pclmul
+		4.4 -mno-fma
+		4.4 -mno-avx
+		4.4 -mno-aes
+		4.3 -mno-ssse3
+		4.3 -mno-sse4a
+		4.3 -mno-sse4
+		4.3 -mno-sse4.2
+		4.3 -mno-sse4.1
+		4.3 -mno-popcnt
+		4.3 -mno-abm
+	)
+
+	for ((i = 0; i < ${#isalist[@]}; i += 2)) ; do
+		ver=${isalist[i]}
+		isa=${isalist[i + 1]}
+		[[ ${ver} > ${bver} ]] && filter-flags ${isa} ${isa/-m/-mno-}
+	done
+}
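Review bot: every version test in downgrade_arch_flags (`[[ $(gcc-version) < ${bver} ]]`, `[[ ${bver} < 4.2 ]]`, `[[ ${ver} > ${bver} ]]` in both loops) is a lexical string comparison, which only works while each component is a single digit; a two-digit component such as a 10.x release sorts before 5.x, and the `break` in the archlist loop additionally relies on the table staying sorted newest first, which nothing checks. The eclass already inherits versionator and wraps it in `tc_version_is_at_least`, so use that instead, e.g. `version_is_at_least "${bver}" "$(gcc-version)" || return 0` for the entry check and `if ! version_is_at_least "${ver}" "${bver}" ; then` for the per-entry test, and add a comment above `archlist` stating that it must be ordered from newest to oldest.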
+
 gcc_do_filter_flags() {
 	strip-flags
 	replace-flags -O? -O2
@@ -1209,26 +1382,14 @@ gcc_do_filter_flags() {
 	# dont want to funk ourselves
 	filter-flags '-mabi*' -m31 -m32 -m64
 
-	filter-flags '-frecord-gcc-switches' # 490738
+	filter-flags -frecord-gcc-switches # 490738
+	filter-flags -mno-rtm -mno-htm # 506202
 
 	if tc_version_is_between 3.2 3.4 ; then
 		# XXX: this is so outdated it's barely useful, but it don't hurt...
-		replace-cpu-flags k8 athlon64 opteron x86-64
-		replace-cpu-flags pentium-m pentium3m pentium3
 		replace-cpu-flags G3 750
 		replace-cpu-flags G4 7400
 		replace-cpu-flags G5 7400
-	
-		case $(tc-arch) in
-			amd64)
-				replace-cpu-flags core2 nocona
-				filter-flags '-mtune=*'
-				;;
-			x86)
-				replace-cpu-flags core2 prescott
-				filter-flags '-mtune=*'
-				;;
-		esac
 
 		# XXX: should add a sed or something to query all supported flags
 		#      from the gcc source and trim everything else ...
@@ -1241,6 +1402,9 @@ gcc_do_filter_flags() {
 		case $(tc-arch) in
 			amd64|x86)
 				filter-flags '-mcpu=*'
+
+				tc_version_is_between 4.4 4.5 && append-flags -mno-avx # 357287
+
 				if tc_version_is_between 4.6 4.7 ; then
 					# https://bugs.gentoo.org/411333
 					# https://bugs.gentoo.org/466454
@@ -1316,7 +1480,7 @@ gcc-multilib-configure() {
 	if [[ -n ${list} ]] ; then
 		case ${CTARGET} in
 		x86_64*)
-			tc_version_is_at_least 4.7 && confgcc+=( --with-multilib-list=${list:1} )
+			tc_version_is_at_least 4.8 && confgcc+=( --with-multilib-list=${list:1} )
 			;;
 		esac
 	fi
@@ -1340,30 +1504,25 @@ gcc-abi-map() {
 #----> src_compile <----
 
 toolchain_src_compile() {
-	case ${EAPI:-0} in
-		0|1)   toolchain_src_configure ;;
-	esac
-
 	touch "${S}"/gcc/c-gperf.h
 
 	# Do not make manpages if we do not have perl ...
 	[[ ! -x /usr/bin/perl ]] \
-		&& find "${WORKDIR}"/build -name '*.[17]' | xargs touch
+		&& find "${WORKDIR}"/build -name '*.[17]' -exec touch {} +
 
-	einfo "Compiling ${PN} ..."
 	gcc_do_make ${GCC_MAKE_TARGET}
 }
 
 gcc_do_make() {
 	# This function accepts one optional argument, the make target to be used.
 	# If omitted, gcc_do_make will try to guess whether it should use all,
-	# profiledbootstrap, or bootstrap-lean depending on CTARGET and arch. An
-	# example of how to use this function:
+	# or bootstrap-lean depending on CTARGET and arch.
+	# An example of how to use this function:
 	#
 	#	gcc_do_make all-target-libstdc++-v3
-	#
-	# Set make target to $1 if passed
+
 	[[ -n ${1} ]] && GCC_MAKE_TARGET=${1}
+
 	# default target
 	if is_crosscompile || tc-is-cross-compiler ; then
 		# 3 stage bootstrapping doesnt quite work when you cant run the
@@ -1373,13 +1532,11 @@ gcc_do_make() {
 		GCC_MAKE_TARGET=${GCC_MAKE_TARGET-bootstrap-lean}
 	fi
 
-	# the gcc docs state that parallel make isnt supported for the
-	# profiledbootstrap target, as collisions in profile collecting may occur.
+	# Older versions of GCC could not do profiledbootstrap in parallel due to
+	# collisions with profiling info.
 	# boundschecking also seems to introduce parallel build issues.
-	if [[ ${GCC_MAKE_TARGET} == "profiledbootstrap" ]] ||
-	   use_if_iuse boundschecking
-	then
-		export MAKEOPTS="${MAKEOPTS} -j1"
+	if [[ ${GCC_MAKE_TARGET} == "profiledbootstrap" ]] || use_if_iuse boundschecking ; then
+		! tc_version_is_at_least 4.6 && export MAKEOPTS="${MAKEOPTS} -j1"
 	fi
 
 	if [[ ${GCC_MAKE_TARGET} == "all" ]] ; then
@@ -1400,6 +1557,8 @@ gcc_do_make() {
 		BOOT_CFLAGS=${BOOT_CFLAGS-"$(get_abi_CFLAGS ${TARGET_DEFAULT_ABI}) ${CFLAGS}"}
 	fi
 
+	einfo "Compiling ${PN} (${GCC_MAKE_TARGET})..."
+
 	pushd "${WORKDIR}"/build >/dev/null
 
 	emake \
@@ -1419,6 +1578,13 @@ gcc_do_make() {
 				cd "${CTARGET}"/libstdc++-v3
 				emake doxygen-man || ewarn "failed to make docs"
 			fi
+			# Clean bogus manpages.  #113902
+			find -name '*_build_*' -delete
+			# Blow away generated directory references.  Newer versions of gcc
+			# have gotten better at this, but not perfect.  This is easier than
+			# backporting all of the various doxygen patches.  #486754
+			find -name '*_.3' -exec grep -l ' Directory Reference ' {} + | \
+				xargs rm -f
 		else
 			ewarn "Skipping libstdc++ manpage generation since you don't have doxygen installed"
 		fi
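Review bot: `find -name '*_.3' -exec grep -l ' Directory Reference ' {} + | xargs rm -f` breaks on file names containing whitespace; since the list already comes from `find`, `grep -lZ ... | xargs -0 rm -f` keeps it NUL-delimited end to end. This hunk also moves the `*_build_*` cleanup from src_install (the `find "${cxx_mandir}" -name '*_build_*' -exec rm {} \;` line removed further down) into gcc_do_make, so it now runs only when doxygen is installed, which is the only case that generates those pages; fine, but worth a line in the commit message.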
@@ -1454,8 +1620,12 @@ toolchain_src_install() {
 		fi
 	done
 
-	# Remove generated headers, as they can cause things to break
-	# (ncurses, openssl, etc).
+	# We remove the generated fixincludes, as they can cause things to break
+	# (ncurses, openssl, etc).  We do not prevent them from being built, as
+	# in the following commit which we revert:
+	# https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/eclass/toolchain.eclass?r1=1.647&r2=1.648
+	# This is because bsd userland needs fixedincludes to build gcc, while
+	# linux does not.  Both can dispose of them afterwards.
 	while read x ; do
 		grep -q 'It has been auto-edited by fixincludes from' "${x}" \
 			&& rm -f "${x}"
@@ -1496,7 +1666,12 @@ toolchain_src_install() {
 	for x in cpp gcc g++ c++ gcov g77 gcj gcjh gfortran gccgo ; do
 		# For some reason, g77 gets made instead of ${CTARGET}-g77...
 		# this should take care of that
-		[[ -f ${x} ]] && mv ${x} ${CTARGET}-${x}
+		if [[ -f ${x} ]] ; then
+			# In case they're hardlinks, clear out the target first
+			# otherwise the mv below will complain.
+			rm -f ${CTARGET}-${x}
+			mv ${x} ${CTARGET}-${x}
+		fi
 
 		if [[ -f ${CTARGET}-${x} ]] ; then
 			if ! is_crosscompile ; then
@@ -1514,9 +1689,18 @@ toolchain_src_install() {
 			ln -sf ${CTARGET}-${x} ${CTARGET}-${x}-${GCC_CONFIG_VER}
 		fi
 	done
+	# Rename the main go binaries as we don't want to clobber dev-lang/go
+	# when gcc-config runs. #567806
+	if tc_version_is_at_least 5 && is_go ; then
+		for x in go gofmt; do
+			mv ${x} ${x}-${GCCMAJOR} || die
+		done
+	fi
 
 	# Now do the fun stripping stuff
 	env RESTRICT="" CHOST=${CHOST} prepstrip "${D}${BINPATH}"
+	is_crosscompile && \
+		env RESTRICT="" CHOST=${CHOST} prepstrip "${D}/${HOSTLIBPATH}"
 	env RESTRICT="" CHOST=${CTARGET} prepstrip "${D}${LIBPATH}"
 	# gcc used to install helper binaries in lib/ but then moved to libexec/
 	[[ -d ${D}${PREFIX}/libexec/gcc ]] && \
@@ -1530,8 +1714,6 @@ toolchain_src_install() {
 		if tc_version_is_at_least 3.0 ; then
 			local cxx_mandir=$(find "${WORKDIR}/build/${CTARGET}/libstdc++-v3" -name man)
 			if [[ -d ${cxx_mandir} ]] ; then
-				# clean bogus manpages #113902
-				find "${cxx_mandir}" -name '*_build_*' -exec rm {} \;
 				cp -r "${cxx_mandir}"/man? "${D}/${DATAPATH}"/man/
 			fi
 		fi
@@ -1548,22 +1730,17 @@ toolchain_src_install() {
 	# install testsuite results
 	if use regression-test; then
 		docinto testsuite
-		find "${WORKDIR}"/build -type f -name "*.sum" -print0 | xargs -0 dodoc
-		find "${WORKDIR}"/build -type f -path "*/testsuite/*.log" -print0 \
-			| xargs -0 dodoc
+		find "${WORKDIR}"/build -type f -name "*.sum" -exec dodoc {} +
+		find "${WORKDIR}"/build -type f -path "*/testsuite/*.log" -exec dodoc {} +
 	fi
 
 	# Rather install the script, else portage with changing $FILESDIR
 	# between binary and source package borks things ....
 	if ! is_crosscompile ; then
 		insinto "${DATAPATH}"
-		if tc_version_is_at_least 4.0 ; then
-			newins "${GCC_FILESDIR}"/awk/fixlafiles.awk-no_gcc_la fixlafiles.awk || die
-			find "${D}/${LIBPATH}" -name libstdc++.la -type f -exec rm "{}" \;
-			find "${D}/${LIBPATH}" -name "lib?san.la" -type f -exec rm "{}" \; # 487550
-		else
-			doins "${GCC_FILESDIR}"/awk/fixlafiles.awk || die
-		fi
+		newins "${GCC_FILESDIR}"/awk/fixlafiles.awk-no_gcc_la fixlafiles.awk || die
+		find "${D}/${LIBPATH}" -name libstdc++.la -type f -delete
+		find "${D}/${LIBPATH}" -name 'lib*san.la' -type f -delete #487550 #546700
 		exeinto "${DATAPATH}"
 		doexe "${GCC_FILESDIR}"/fix_libtool_files.sh || die
 		doexe "${GCC_FILESDIR}"/c{89,99} || die
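Review bot: the two `find ... -exec dodoc {} +` lines and the two `find ... -delete` lines have no `|| die`, while the `newins` between them does; with the `+` form GNU find returns non-zero when any `dodoc` invocation fails, so `|| die` can be appended to catch a broken testsuite doc install. Also note the pattern change from `"lib?san.la"` to `'lib*san.la'`: it now matches multi-letter names such as `libubsan.la` (presumably the point of the added #546700 reference), but it will equally match any future non-sanitizer `lib*san.la`, so a comment listing the intended libraries would help. Removing the pre-4.0 branch (`doins .../fixlafiles.awk`) is fine only if no ebuild still inherits this eclass for gcc < 4.0.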
@@ -1604,6 +1781,17 @@ gcc_movelibs() {
 	# older versions of gcc did not support --print-multi-os-directory
 	tc_version_is_at_least 3.2 || return 0
 
+	# For non-target libs which are for CHOST and not CTARGET, we want to
+	# move them to the compiler-specific CHOST internal dir.  This is stuff
+	# that you want to link against when building tools rather than building
+	# code to run on the target.
+	if tc_version_is_at_least 5 && is_crosscompile ; then
+		dodir "${HOSTLIBPATH}"
+		mv "${D}"/usr/$(get_libdir)/libcc1* "${D}${HOSTLIBPATH}" || die
+	fi
+
+	# For all the libs that are built for CTARGET, move them into the
+	# compiler-specific CTARGET internal dir.
 	local x multiarg removedirs=""
 	for multiarg in $($(XGCC) -print-multi-lib) ; do
 		multiarg=${multiarg#*;}
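Review bot: `mv "${D}"/usr/$(get_libdir)/libcc1* "${D}${HOSTLIBPATH}" || die` passes the literal glob to `mv` when no `libcc1*` file exists (bash leaves an unmatched glob unexpanded), so a gcc >= 5 cross build that does not produce libcc1 dies here instead of skipping; guard with a file test or `shopt -s nullglob` inside the function, and prefer `"${D}${PREFIX}/$(get_libdir)"` over the hard-coded `/usr` to match the `${D}${PREFIX}/libexec/gcc` usage earlier in this patch.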
@@ -1627,7 +1815,7 @@ gcc_movelibs() {
 			if [[ ${FROMDIR} != "${TODIR}" && -d ${FROMDIR} ]] ; then
 				local files=$(find "${FROMDIR}" -maxdepth 1 ! -type d 2>/dev/null)
 				if [[ -n ${files} ]] ; then
-					mv ${files} "${TODIR}"
+					mv ${files} "${TODIR}" || die
 				fi
 			fi
 		done
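Review bot: adding `|| die` to `mv ${files} "${TODIR}"` catches failures, but `${files}` is still the unquoted, whitespace-split output of `find`, so a path containing spaces is split into several arguments; `find "${FROMDIR}" -maxdepth 1 ! -type d -exec mv -t "${TODIR}" {} +` would avoid both the intermediate variable and the word splitting.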
@@ -1637,7 +1825,7 @@ gcc_movelibs() {
 		FROMDIR="${PREFIX}/lib/${OS_MULTIDIR}"
 		for x in "${D}${FROMDIR}"/pkgconfig/libgcj*.pc ; do
 			[[ -f ${x} ]] || continue
-			sed -i "/^libdir=/s:=.*:=${LIBPATH}/${MULTIDIR}:" "${x}"
+			sed -i "/^libdir=/s:=.*:=${LIBPATH}/${MULTIDIR}:" "${x}" || die
 			mv "${x}" "${D}${FROMDIR}"/pkgconfig/libgcj-${GCC_PV}.pc || die
 		done
 	done
@@ -1649,28 +1837,32 @@ gcc_movelibs() {
 	for FROMDIR in ${removedirs} ; do
 		rmdir "${D}"${FROMDIR} >& /dev/null
 	done
-	find "${D}" -type d | xargs rmdir >& /dev/null
+	find -depth "${D}" -type d -exec rmdir {} + >& /dev/null
 }
 
 # make sure the libtool archives have libdir set to where they actually
 # -are-, and not where they -used- to be.  also, any dependencies we have
 # on our own .la files need to be updated.
 fix_libtool_libdir_paths() {
+	local libpath="$1"
+
 	pushd "${D}" >/dev/null
 
-	pushd "./${1}" >/dev/null
+	pushd "./${libpath}" >/dev/null
 	local dir="${PWD#${D%/}}"
 	local allarchives=$(echo *.la)
 	allarchives="\(${allarchives// /\\|}\)"
 	popd >/dev/null
 
-	sed -i \
-		-e "/^libdir=/s:=.*:='${dir}':" \
-		./${dir}/*.la
-	sed -i \
-		-e "/^dependency_libs=/s:/[^ ]*/${allarchives}:${LIBPATH}/\1:g" \
-		$(find ./${PREFIX}/lib* -maxdepth 3 -name '*.la') \
-		./${dir}/*.la
+	# The libdir might not have any .la files. #548782
+	find "./${dir}" -maxdepth 1 -name '*.la' \
+		-exec sed -i -e "/^libdir=/s:=.*:='${dir}':" {} + || die
+	# Would be nice to combine these, but -maxdepth can not be specified
+	# on sub-expressions.
+	find "./${PREFIX}"/lib* -maxdepth 3 -name '*.la' \
+		-exec sed -i -e "/^dependency_libs=/s:/[^ ]*/${allarchives}:${libpath}/\1:g" {} + || die
+	find "./${dir}/" -maxdepth 1 -name '*.la' \
+		-exec sed -i -e "/^dependency_libs=/s:/[^ ]*/${allarchives}:${libpath}/\1:g" {} + || die
 
 	popd >/dev/null
 }
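Review bot: `find -depth "${D}" -type d -exec rmdir {} + >& /dev/null` puts `-depth` before the starting point; GNU find requires paths to precede the expression and reports "paths must precede expression", and because both streams go to /dev/null the error is hidden and no empty directories are removed at all. It should read `find "${D}" -depth -type d -exec rmdir {} +`. In `fix_libtool_libdir_paths`, the `dependency_libs` rewrite now substitutes `${libpath}/\1` (the function argument) where the removed lines used `${LIBPATH}/\1`, which changes where .la files resolve in-tree dependencies when the caller passes a multilib subdirectory; if that is intended, a comment should say so. The third `find` also uses `"./${dir}/"` while the first uses `"./${dir}"`.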
@@ -1795,7 +1987,7 @@ toolchain_pkg_postinst() {
 		echo
 		ewarn "You might want to review the GCC upgrade guide when moving between"
 		ewarn "major versions (like 4.2 to 4.3):"
-		ewarn "http://www.gentoo.org/doc/en/gcc-upgrading.xml"
+		ewarn "https://wiki.gentoo.org/wiki/Upgrading_GCC"
 		echo
 
 		# Clean up old paths
@@ -1815,6 +2007,12 @@ toolchain_pkg_postinst() {
 		elog "Testsuite results have been installed into /usr/share/doc/${PF}/testsuite"
 		echo
 	fi
+
+	if [[ -n ${PRERELEASE}${SNAPSHOT} ]] ; then
+		einfo "This GCC ebuild is provided for your convenience, and the use"
+		einfo "of this compiler is not supported by the Gentoo Developers."
+		einfo "Please report bugs to upstream at http://gcc.gnu.org/bugzilla/"
+	fi
 }
 
 toolchain_pkg_postrm() {
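Review bot: the prerelease/snapshot notice uses `einfo`, which only scrolls past during the merge; `elog` would record it in the post-merge summary, where a user who later files a bug against an unsupported compiler is more likely to see it. The bugzilla link could also use `https://gcc.gnu.org/bugzilla/`, matching the `https://wiki.gentoo.org` URL switched to in the earlier hunk.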
@@ -1857,26 +2055,36 @@ do_gcc_config() {
 		return 0
 	fi
 
-	local current_gcc_config="" current_specs="" use_specs=""
+	local current_gcc_config target
 
 	current_gcc_config=$(env -i ROOT="${ROOT}" gcc-config -c ${CTARGET} 2>/dev/null)
 	if [[ -n ${current_gcc_config} ]] ; then
+		local current_specs use_specs
 		# figure out which specs-specific config is active
 		current_specs=$(gcc-config -S ${current_gcc_config} | awk '{print $3}')
 		[[ -n ${current_specs} ]] && use_specs=-${current_specs}
-	fi
-	if [[ -n ${use_specs} ]] && \
-	   [[ ! -e ${ROOT}/etc/env.d/gcc/${CTARGET}-${GCC_CONFIG_VER}${use_specs} ]]
-	then
-		ewarn "The currently selected specs-specific gcc config,"
-		ewarn "${current_specs}, doesn't exist anymore. This is usually"
-		ewarn "due to enabling/disabling hardened or switching to a version"
-		ewarn "of gcc that doesnt create multiple specs files. The default"
-		ewarn "config will be used, and the previous preference forgotten."
-		use_specs=""
+
+		if [[ -n ${use_specs} ]] && \
+		   [[ ! -e ${ROOT}/etc/env.d/gcc/${CTARGET}-${GCC_CONFIG_VER}${use_specs} ]]
+		then
+			ewarn "The currently selected specs-specific gcc config,"
+			ewarn "${current_specs}, doesn't exist anymore. This is usually"
+			ewarn "due to enabling/disabling hardened or switching to a version"
+			ewarn "of gcc that doesnt create multiple specs files. The default"
+			ewarn "config will be used, and the previous preference forgotten."
+			use_specs=""
+		fi
+
+		target="${CTARGET}-${GCC_CONFIG_VER}${use_specs}"
+	else
+		# The curent target is invalid.  Attempt to switch to a valid one.
+		# Blindly pick the latest version.  #529608
+		# TODO: Should update gcc-config to accept `-l ${CTARGET}` rather than
+		# doing a partial grep like this.
+		target=$(gcc-config -l 2>/dev/null | grep " ${CTARGET}-[0-9]" | tail -1 | awk '{print $2}')
 	fi
 
-	gcc-config ${CTARGET}-${GCC_CONFIG_VER}${use_specs}
+	gcc-config "${target}"
 }
 
 should_we_gcc_config() {
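Review bot: in the new `else` branch `target` is empty when `gcc-config -l | grep " ${CTARGET}-[0-9]"` matches nothing (no installed profile for ${CTARGET}), and `gcc-config "${target}"` is then invoked with an empty argument; add `[[ -n ${target} ]]` with an `ewarn` and early return before the call. `tail -1` also assumes `gcc-config -l` lists versions in ascending order, and `${CTARGET}` is interpolated unescaped into the grep pattern; since the TODO already flags the partial grep, selecting on a version-sorted field (`sort -V`) would be the cleaner fix. Typo: "curent" in the comment.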
@@ -1941,7 +2149,7 @@ is_ada() {
 
 is_cxx() {
 	gcc-lang-supported 'c++' || return 1
-	tc_version_is_at_least 4.8 && return 0
+	! is_crosscompile && tc_version_is_at_least 4.8 && return 0
 	use cxx
 }
 
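Review bot: with `! is_crosscompile &&` added, cross-compilers no longer get C++ forced on for gcc >= 4.8 and fall through to `use cxx`; because `is_go` (visible in the next hunk) requires `use cxx`, cross toolchains built with USE=-cxx also lose go. That coupling may be intended, but a comment on the `is_cxx` line would make it explicit.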
@@ -1975,6 +2183,11 @@ is_go() {
 	use cxx && use_if_iuse go
 }
 
+is_jit() {
+	gcc-lang-supported jit || return 1
+	use_if_iuse jit
+}
+
 is_multilib() {
 	tc_version_is_at_least 3 || return 1
 	use multilib
@@ -1990,14 +2203,6 @@ is_objcxx() {
 	use cxx && use_if_iuse objc++
 }
 
-is_treelang() {
-	use_if_iuse boundschecking && return 1 #260532
-	is_crosscompile && return 1 #199924
-	gcc-lang-supported treelang || return 1
-	#use treelang
-	return 0
-}
-
 # Grab a variable from the build system (taken from linux-info.eclass)
 get_make_var() {
 	local var=$1 makefile=${2:-${WORKDIR}/build/Makefile}
@@ -2047,7 +2252,7 @@ hardened_gcc_is_stable() {
 	elif [[ $1 == "ssp" ]] ; then
 		if [[ ${CTARGET} == *-uclibc* ]] ; then
 			tocheck=${SSP_UCLIBC_STABLE}
-		else
+		elif  [[ ${CTARGET} == *-gnu* ]] ; then
 			tocheck=${SSP_STABLE}
 		fi
 	else
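Review bot: replacing `else` with `elif [[ ${CTARGET} == *-gnu* ]]` leaves `tocheck` unset for every target that is neither uclibc nor glibc (musl, *BSD, bare-metal `*-elf`), so `hardened_gcc_is_stable ssp` now reports SSP as unstable on those targets instead of consulting `SSP_STABLE`; if that is the intent, a comment naming the libcs deliberately excluded would help. The double space after `elif` should also go.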
@@ -2088,7 +2293,7 @@ want_pie() {
 
 has toolchain_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS+=" toolchain_death_notice"
 toolchain_death_notice() {
-	if [[ -e "${WORKDIR}"/build ]] ; then 
+	if [[ -e "${WORKDIR}"/build ]] ; then
 		pushd "${WORKDIR}"/build >/dev/null
 		(echo '' | $(tc-getCC ${CTARGET}) ${CFLAGS} -v -E - 2>&1) > gccinfo.log
 		[[ -e "${T}"/build.log ]] && cp "${T}"/build.log .


* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2013-04-05  2:13 Anthony G. Basile
From: Anthony G. Basile @ 2013-04-05  2:13 UTC (permalink / raw
  To: gentoo-commits

commit:     a82ad0552d4a5c9f9f243bbb946ff978907f76bb
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Fri Apr  5 02:12:47 2013 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Fri Apr  5 02:12:47 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=a82ad055

eclass/pax-utils.eclass: moved to tree

---
 eclass/pax-utils.eclass |  220 -----------------------------------------------
 1 files changed, 0 insertions(+), 220 deletions(-)

diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
deleted file mode 100644
index 9b9a5b9..0000000
--- a/eclass/pax-utils.eclass
+++ /dev/null
@@ -1,220 +0,0 @@
-# Copyright 1999-2012 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/eclass/pax-utils.eclass,v 1.18 2012/04/06 18:03:54 blueness Exp $
-
-# @ECLASS: pax-utils.eclass
-# @MAINTAINER:
-# The Gentoo Linux Hardened Team <hardened@gentoo.org>
-# @AUTHOR:
-# Original Author: Kevin F. Quinn <kevquinn@gentoo.org>
-# Modifications for bug #365825, @ ECLASS markup: Anthony G. Basile <blueness@gentoo.org>
-# Modifications for bug #431092: Anthony G. Basile <blueness@gentoo.org>
-# @BLURB: functions to provide pax markings
-# @DESCRIPTION:
-#
-# This eclass provides support for manipulating PaX markings on ELF binaries,
-# whether the system is using legacy PT_PAX markings or the newer XATTR_PAX.
-# The eclass wraps the use of paxctl-ng, paxctl, set/getattr and scanelf utilities,
-# deciding which to use depending on what's installed on the build host, and
-# whether we're working with PT_PAX, XATTR_PAX or both.
-#
-# To control what markings are made, set PAX_MARKINGS in /etc/portage/make.conf
-# to contain either "PT", "XT" or "none".  The default is to attempt both
-# PT_PAX and XATTR_PAX.
-
-if [[ ${___ECLASS_ONCE_PAX_UTILS} != "recur -_+^+_- spank" ]] ; then
-___ECLASS_ONCE_PAX_UTILS="recur -_+^+_- spank"
-
-# @ECLASS-VARIABLE: PAX_MARKINGS
-# @DESCRIPTION:
-# Control which markings are made:
-# PT = PT_PAX markings, XT = XATTR_PAX markings
-# Default to both PT and XT markings.
-PAX_MARKINGS=${PAX_MARKINGS:="PT XT"}
-
-# @FUNCTION: pax-mark
-# @USAGE: <flags> {<ELF files>}
-# @RETURN: Shell true if we succeed, shell false otherwise
-# @DESCRIPTION:
-# Marks <ELF files> with provided PaX <flags>
-#
-# Flags are passed directly to the utilities unchanged
-#
-#	p: disable PAGEEXEC		P: enable PAGEEXEC
-#	e: disable EMUTRMAP		E: enable EMUTRMAP
-#	m: disable MPROTECT		M: enable MPROTECT
-#	r: disable RANDMMAP		R: enable RANDMMAP
-#	s: disable SEGMEXEC		S: enable SEGMEXEC
-#
-# Default flags are 'PeMRS', which are the most restrictive settings.  Refer
-# to http://pax.grsecurity.net/ for details on what these flags are all about.
-#
-# Please confirm any relaxation of restrictions with the Gentoo Hardened team.
-# Either ask on the gentoo-hardened mailing list, or CC/assign hardened@g.o on
-# the bug report.
-
-
-pax-mark() {
-
-	local f								# loop over paxables
-	local flags							# pax flags
-	local pt_fail=0 pt_failures=""		# record PT_PAX failures
-	local xt_fail=0 xt_failures=""		# record xattr PAX marking failures
-	local ret=0							# overal return code of this function
-
-	# Only the actual PaX flags and z are accepted
-	# 1. The leading '-' is optional
-	# 2. -C -c only make sense for paxctl, but are unnecessary
-	#    because we progressively do -q -qc -qC
-	# 3. z is allowed for the default
-
-	flags="${1//[!zPpEeMmRrSs]}"
-	[[ "${flags}" ]] || return 0
-	shift
-
-	# z = default. For XATTR_PAX, the default is no xattr field at all
-	local dodefault=""
-	[[ "${flags//[!z]}" ]] && dodefault="yes"
-
-	if has PT ${PAX_MARKINGS}; then
-
-		#First try paxctl -> this might try to create/convert program headers
-		if type -p paxctl > /dev/null; then
-			einfo "PT PaX marking -${flags} with paxctl"
-			_pax_list_files einfo "$@"
-			for f in "$@"; do
-				# First, try modifying the existing PAX_FLAGS header
-				paxctl -q${flags} "${f}" && continue
-				# Second, try creating a PT_PAX header (works on ET_EXEC)
-				# Even though this is less safe, most exes need it, eg bug #463170
-				paxctl -qC${flags} "${f}" && continue
-				# Third, try stealing the (unused under PaX) PT_GNU_STACK header
-				paxctl -qc${flags} "${f}" && continue
-				pt_fail=1
-				pt_failures="${pt_failures} ${f}"
-			done
-
-		#Next try paxctl-ng -> this will not create/convert any program headers
-		elif type -p paxctl-ng > /dev/null && paxctl-ng -L ; then
-			einfo "PT PaX marking -${flags} with paxctl-ng"
-			flags="${flags//z}"
-			_pax_list_files einfo "$@"
-			for f in "$@"; do
-				[[ ${dodefault} == "yes" ]] && paxctl-ng -L -z "${f}"
-				[[ "${flags}" ]] || continue
-				paxctl-ng -L -${flags} "${f}" && continue
-				pt_fail=1
-				pt_failures="${pt_failures} ${f}"
-			done
-
-		#Finally fall back on scanelf
-		elif type -p scanelf > /dev/null && [[ ${PAX_MARKINGS} != "none" ]]; then
-			einfo "Fallback PaX marking -${flags} with scanelf"
-			_pax_list_files einfo "$@"
-			scanelf -Xxz ${flags} "$@"
-
-		#We failed to set PT_PAX flags
-		elif [[ ${PAX_MARKINGS} != "none" ]]; then
-			pt_failures="$*"
-			pt_fail=1
-		fi
-
-		if [[ ${pt_fail} == 1 ]]; then
-			ewarn "Failed to set PT_PAX markings -${flags} for:"
-			_pax_list_files ewarn ${pt_failures}
-			ret=1
-		fi
-	fi
-
-	if has XT ${PAX_MARKINGS}; then
-
-		flags="${flags//z}"
-
-		#First try paxctl-ng
-		if type -p paxctl-ng > /dev/null && paxctl-ng -l ; then
-			einfo "XT PaX marking -${flags} with paxctl-ng"
-			_pax_list_files einfo "$@"
-			for f in "$@"; do
-				[[ ${dodefault} == "yes" ]] && paxctl-ng -d "${f}"
-				[[ "${flags}" ]] || continue
-				paxctl-ng -l -${flags} "${f}" && continue
-				xt_fail=1
-				xt_failures="${tx_failures} ${f}"
-			done
-
-		#Next try setfattr
-		elif type -p setfattr > /dev/null; then
-			[[ "${flags//[!Ee]}" ]] || flags+="e" # bug 447150
-			einfo "XT PaX marking -${flags} with setfattr"
-			_pax_list_files einfo "$@"
-			for f in "$@"; do
-				[[ ${dodefault} == "yes" ]] && setfattr -x "user.pax.flags" "${f}"
-				setfattr -n "user.pax.flags" -v "${flags}" "${f}" && continue
-				xt_fail=1
-				xt_failures="${tx_failures} ${f}"
-			done
-
-		#We failed to set XATTR_PAX flags
-		elif [[ ${PAX_MARKINGS} != "none" ]]; then
-			xt_failures="$*"
-			xt_fail=1
-		fi
-
-		if [[ ${xt_fail} == 1 ]]; then
-			ewarn "Failed to set XATTR_PAX markings -${flags} for:"
-			_pax_list_files ewarn ${xt_failures}
-			ret=1
-		fi
-	fi
-
-	[[ ${ret} == 1 ]] && ewarn "Executables may be killed by PaX kernels."
-
-	return ${ret}
-}
-
-# @FUNCTION: list-paxables
-# @USAGE: {<files>}
-# @RETURN: Subset of {<files>} which are ELF executables or shared objects
-# @DESCRIPTION:
-# Print to stdout all of the <files> that are suitable to have PaX flag
-# markings, i.e., filter out the ELF executables or shared objects from a list
-# of files.  This is useful for passing wild-card lists to pax-mark, although
-# in general it is preferable for ebuilds to list precisely which ELFS are to
-# be marked.  Often not all the ELF installed by a package need remarking.
-# @EXAMPLE:
-# pax-mark -m $(list-paxables ${S}/{,usr/}bin/*)
-list-paxables() {
-	file "$@" 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//'
-}
-
-# @FUNCTION: host-is-pax
-# @RETURN: Shell true if the build process is PaX enabled, shell false otherwise
-# @DESCRIPTION:
-# This is intended for use where the build process must be modified conditionally
-# depending on whether the host is PaX enabled or not.  It is not intedened to
-# determine whether the final binaries need PaX markings.  Note: if procfs is
-# not mounted on /proc, this returns shell false (e.g. Gentoo/FBSD).
-host-is-pax() {
-	grep -qs ^PaX: /proc/self/status
-}
-
-
-# INTERNAL FUNCTIONS
-# ------------------
-#
-# These functions are for use internally by the eclass - do not use
-# them elsewhere as they are not supported (i.e. they may be removed
-# or their function may change arbitratily).
-
-# Display a list of things, one per line, indented a bit, using the
-# display command in $1.
-_pax_list_files() {
-	local f cmd
-	cmd=$1
-	shift
-	for f in "$@"; do
-		${cmd} "     ${f}"
-	done
-}
-
-fi
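Review bot: in the deleted `pax-mark`, the scanelf fallback (`scanelf -Xxz ${flags} "$@"`) never sets `pt_fail` or `pt_failures` on a non-zero exit, so a marking that fails through that path is reported as success and the "Executables may be killed by PaX kernels." warning is never printed, whereas the paxctl and paxctl-ng branches record failures per file. Since the commit says the file moved to the tree, that fix is worth carrying over to the in-tree copy; citing the tree revision it landed in would also make the move traceable from this log.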


* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2013-04-02 11:30 Anthony G. Basile
From: Anthony G. Basile @ 2013-04-02 11:30 UTC (permalink / raw
  To: gentoo-commits

commit:     90700eb9dd2c89310ea5600ddfb194749b0b594e
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Tue Apr  2 11:30:04 2013 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Tue Apr  2 11:30:04 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=90700eb9

pax-utils.eclass: fix some typos

---
 eclass/pax-utils.eclass |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
index ee7e6e3..9b9a5b9 100644
--- a/eclass/pax-utils.eclass
+++ b/eclass/pax-utils.eclass
@@ -154,14 +154,14 @@ pax-mark() {
 				xt_failures="${tx_failures} ${f}"
 			done
 
-		#We failed to set PT_PAX flags
+		#We failed to set XATTR_PAX flags
 		elif [[ ${PAX_MARKINGS} != "none" ]]; then
-			pt_failures="$*"
-			pt_fail=1
+			xt_failures="$*"
+			xt_fail=1
 		fi
 
 		if [[ ${xt_fail} == 1 ]]; then
-			ewarn "Failed to set XT_PAX markings -${flags} for:"
+			ewarn "Failed to set XATTR_PAX markings -${flags} for:"
 			_pax_list_files ewarn ${xt_failures}
 			ret=1
 		fi
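Review bot: one typo survives this "fix some typos" commit: the first context line of the hunk, `xt_failures="${tx_failures} ${f}"`, reads the misspelled `tx_failures`, so the accumulator is reset on every iteration and the `ewarn "Failed to set XATTR_PAX markings ..."` block lists only the last file that failed; the same misspelling appears in the paxctl-ng XT branch above this hunk. Both should read `"${xt_failures} ${f}"`.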


* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2013-03-28 18:04 Anthony G. Basile
From: Anthony G. Basile @ 2013-03-28 18:04 UTC (permalink / raw
  To: gentoo-commits

commit:     01f6e550124b5c81be2565355558f59b7480645d
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Thu Mar 28 18:04:11 2013 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Thu Mar 28 18:04:11 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=01f6e550

pax-utils.eclass: incorporate suggestion from gentoo-dev@ list

---
 eclass/pax-utils.eclass |   21 +++++++++++++--------
 1 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
index 9299c02..ee7e6e3 100644
--- a/eclass/pax-utils.eclass
+++ b/eclass/pax-utils.eclass
@@ -25,6 +25,10 @@
 if [[ ${___ECLASS_ONCE_PAX_UTILS} != "recur -_+^+_- spank" ]] ; then
 ___ECLASS_ONCE_PAX_UTILS="recur -_+^+_- spank"
 
+# @ECLASS-VARIABLE: PAX_MARKINGS
+# @DESCRIPTION:
+# Control which markings are made:
+# PT = PT_PAX markings, XT = XATTR_PAX markings
 # Default to both PT and XT markings.
 PAX_MARKINGS=${PAX_MARKINGS:="PT XT"}
 
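Review bot: the new @DESCRIPTION for PAX_MARKINGS lists `PT` and `XT` but not `none`, which the `[[ ${PAX_MARKINGS} != "none" ]]` checks in `pax-mark` accept; document all three values and that the variable is a space-separated list (the default `"PT XT"` shows it is), so that ebuild authors do not set something like `"PT,XT"`.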
@@ -65,12 +69,12 @@ pax-mark() {
 	# 3. z is allowed for the default
 
 	flags="${1//[!zPpEeMmRrSs]}"
-	[ "${flags}" ] || return 0
+	[[ "${flags}" ]] || return 0
 	shift
 
 	# z = default. For XATTR_PAX, the default is no xattr field at all
 	local dodefault=""
-	[ "${flags//[!z]}" ] && dodefault="yes"
+	[[ "${flags//[!z]}" ]] && dodefault="yes"
 
 	if has PT ${PAX_MARKINGS}; then
 
@@ -81,10 +85,11 @@ pax-mark() {
 			for f in "$@"; do
 				# First, try modifying the existing PAX_FLAGS header
 				paxctl -q${flags} "${f}" && continue
-				# Second, try stealing the (unused under PaX) PT_GNU_STACK header
-				paxctl -qc${flags} "${f}" && continue
-				# Third, creating a PT_PAX header (works on ET_EXEC)
+				# Second, try creating a PT_PAX header (works on ET_EXEC)
+				# Even though this is less safe, most exes need it, eg bug #463170
 				paxctl -qC${flags} "${f}" && continue
+				# Third, try stealing the (unused under PaX) PT_GNU_STACK header
+				paxctl -qc${flags} "${f}" && continue
 				pt_fail=1
 				pt_failures="${pt_failures} ${f}"
 			done
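Review bot: the reordering now tries `paxctl -qC` (create a PT_PAX header) before `paxctl -qc` (convert PT_GNU_STACK), which the new comment itself calls less safe; since the `einfo` above the loop prints only the requested flags, consider logging which of the three attempts succeeded for each file, otherwise reports like bug #463170 are hard to triage from the build log alone.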
@@ -96,7 +101,7 @@ pax-mark() {
 			_pax_list_files einfo "$@"
 			for f in "$@"; do
 				[[ ${dodefault} == "yes" ]] && paxctl-ng -L -z "${f}"
-				[ "${flags}" ] || continue
+				[[ "${flags}" ]] || continue
 				paxctl-ng -L -${flags} "${f}" && continue
 				pt_fail=1
 				pt_failures="${pt_failures} ${f}"
@@ -131,7 +136,7 @@ pax-mark() {
 			_pax_list_files einfo "$@"
 			for f in "$@"; do
 				[[ ${dodefault} == "yes" ]] && paxctl-ng -d "${f}"
-				[ "${flags}" ] || continue
+				[[ "${flags}" ]] || continue
 				paxctl-ng -l -${flags} "${f}" && continue
 				xt_fail=1
 				xt_failures="${tx_failures} ${f}"
@@ -139,7 +144,7 @@ pax-mark() {
 
 		#Next try setfattr
 		elif type -p setfattr > /dev/null; then
-			[ "${flags//[!Ee]}" ] || flags+="e" # bug 447150
+			[[ "${flags//[!Ee]}" ]] || flags+="e" # bug 447150
 			einfo "XT PaX marking -${flags} with setfattr"
 			_pax_list_files einfo "$@"
 			for f in "$@"; do


* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2013-03-18 21:16 Anthony G. Basile
From: Anthony G. Basile @ 2013-03-18 21:16 UTC (permalink / raw
  To: gentoo-commits

commit:     744986bfa2879d3857b199078df97933c8b968bd
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Mon Mar 18 21:14:21 2013 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Mon Mar 18 21:14:21 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=744986bf

eclass/pax-utils.eclass: fixed typo, bug #462238

Thanks Bryan Gardiner <bog <AT> khumba.net>

---
 eclass/pax-utils.eclass |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
index b7670c1..9299c02 100644
--- a/eclass/pax-utils.eclass
+++ b/eclass/pax-utils.eclass
@@ -115,7 +115,7 @@ pax-mark() {
 		fi
 
 		if [[ ${pt_fail} == 1 ]]; then
-			ewarn "Failed to set XT_PAX markings -${flags} for:"
+			ewarn "Failed to set PT_PAX markings -${flags} for:"
 			_pax_list_files ewarn ${pt_failures}
 			ret=1
 		fi


* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2013-03-18  3:21 Anthony G. Basile
From: Anthony G. Basile @ 2013-03-18  3:21 UTC (permalink / raw
  To: gentoo-commits

commit:     c7b456efa7554f3e30ef5f7f369d048282e4b7ec
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Mon Mar 18 03:20:40 2013 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Mon Mar 18 03:20:40 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=c7b456ef

eclass/pax-utils.eclass: fix comment, thanks Arfrever

---
 eclass/pax-utils.eclass |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
index b27d5e2..b7670c1 100644
--- a/eclass/pax-utils.eclass
+++ b/eclass/pax-utils.eclass
@@ -25,7 +25,7 @@
 if [[ ${___ECLASS_ONCE_PAX_UTILS} != "recur -_+^+_- spank" ]] ; then
 ___ECLASS_ONCE_PAX_UTILS="recur -_+^+_- spank"
 
-# Default to PT markings.
+# Default to both PT and XT markings.
 PAX_MARKINGS=${PAX_MARKINGS:="PT XT"}
 
 # @FUNCTION: pax-mark


* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2013-02-10 11:26 Anthony G. Basile
From: Anthony G. Basile @ 2013-02-10 11:26 UTC (permalink / raw
  To: gentoo-commits

commit:     4a7544ff141201ea952a62284e8cea0e0f5f0114
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun Feb 10 11:26:05 2013 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 11:26:05 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=4a7544ff

eclass/pax-utils.eclass: cleaned up sanitize-flags code more, thanks Alphat-PC

---
 eclass/pax-utils.eclass |   48 +++++++++++++++++-----------------------------
 1 files changed, 18 insertions(+), 30 deletions(-)

diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
index 74a5ec7..b27d5e2 100644
--- a/eclass/pax-utils.eclass
+++ b/eclass/pax-utils.eclass
@@ -50,29 +50,6 @@ PAX_MARKINGS=${PAX_MARKINGS:="PT XT"}
 # the bug report.
 
 
-# Only the actual pax flags and z are accepted
-#
-# 1. The leading '-' is irrelevant since it is santized out
-#
-# 2. Cc only make sense for paxctl, and even there these are
-#    not needed as we progressively try:
-#        paxctl -q${flags}
-#        paxctl -qc${flags}
-#        paxctl -qC${flags}
-#    So we sanitize them out.
-#
-# 3. z is allowed for the default
-#
-sanitize-flags() {
-	local flags=$1
-	local clean=""
-
-	for f in z P p E e M m R r S s; do
-		[[ "${flags}" != "${flags/${f}/}" ]] && clean="${clean}${f}"
-	done
-	echo "$clean"
-}
-
 pax-mark() {
 
 	local f								# loop over paxables
@@ -81,9 +58,20 @@ pax-mark() {
 	local xt_fail=0 xt_failures=""		# record xattr PAX marking failures
 	local ret=0							# overal return code of this function
 
-	flags="$(sanitize-flags $1)"
+	# Only the actual PaX flags and z are accepted
+	# 1. The leading '-' is optional
+	# 2. -C -c only make sense for paxctl, but are unnecessary
+	#    because we progressively do -q -qc -qC
+	# 3. z is allowed for the default
+
+	flags="${1//[!zPpEeMmRrSs]}"
+	[ "${flags}" ] || return 0
 	shift
 
+	# z = default. For XATTR_PAX, the default is no xattr field at all
+	local dodefault=""
+	[ "${flags//[!z]}" ] && dodefault="yes"
+
 	if has PT ${PAX_MARKINGS}; then
 
 		#First try paxctl -> this might try to create/convert program headers
@@ -104,8 +92,11 @@ pax-mark() {
 		#Next try paxctl-ng -> this will not create/convert any program headers
 		elif type -p paxctl-ng > /dev/null && paxctl-ng -L ; then
 			einfo "PT PaX marking -${flags} with paxctl-ng"
+			flags="${flags//z}"
 			_pax_list_files einfo "$@"
 			for f in "$@"; do
+				[[ ${dodefault} == "yes" ]] && paxctl-ng -L -z "${f}"
+				[ "${flags}" ] || continue
 				paxctl-ng -L -${flags} "${f}" && continue
 				pt_fail=1
 				pt_failures="${pt_failures} ${f}"
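Review bot: the new `[[ ${dodefault} == "yes" ]] && paxctl-ng -L -z "${f}"` reset call is not error-checked: if it fails the loop carries on and, when `flags` is empty after `flags="${flags//z}"`, hits `continue` before anything is recorded, so a file whose PT_PAX flags could not be reset to default never appears in the failure warning. Feed its exit status into `pt_fail`/`pt_failures` like the `-L -${flags}` call below it; the same applies to the `paxctl-ng -d` call added in the XATTR branch further down.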
@@ -132,12 +123,7 @@ pax-mark() {
 
 	if has XT ${PAX_MARKINGS}; then
 
-		# z = default. For XATTR_PAX, the default is no xattr field at all
-		local dodefault=""
-		if [[ "${flags}" != "${flags/z/}" ]]; then
-			flags="${flags/z/}"
-			dodefault="yes"
-		fi
+		flags="${flags//z}"
 
 		#First try paxctl-ng
 		if type -p paxctl-ng > /dev/null && paxctl-ng -l ; then
@@ -145,6 +131,7 @@ pax-mark() {
 			_pax_list_files einfo "$@"
 			for f in "$@"; do
 				[[ ${dodefault} == "yes" ]] && paxctl-ng -d "${f}"
+				[ "${flags}" ] || continue
 				paxctl-ng -l -${flags} "${f}" && continue
 				xt_fail=1
 				xt_failures="${tx_failures} ${f}"
@@ -152,6 +139,7 @@ pax-mark() {
 
 		#Next try setfattr
 		elif type -p setfattr > /dev/null; then
+			[ "${flags//[!Ee]}" ] || flags+="e" # bug 447150
 			einfo "XT PaX marking -${flags} with setfattr"
 			_pax_list_files einfo "$@"
 			for f in "$@"; do


* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2013-02-10 11:21 Anthony G. Basile
From: Anthony G. Basile @ 2013-02-10 11:21 UTC (permalink / raw
  To: gentoo-commits

commit:     67b6eb5c26d6ea23825d006ce5848bab4fd454fe
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun Feb 10 11:20:56 2013 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 11:20:56 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=67b6eb5c

eclass/pax-utils.eclass: cleaned up sanitize-flags code more, thanks Alphat-PC

---
 eclass/pax-utils.eclass |   33 +++++++++------------------------
 1 files changed, 9 insertions(+), 24 deletions(-)

diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
index 74a5ec7..8ef06bd 100644
--- a/eclass/pax-utils.eclass
+++ b/eclass/pax-utils.eclass
@@ -50,29 +50,6 @@ PAX_MARKINGS=${PAX_MARKINGS:="PT XT"}
 # the bug report.
 
 
-# Only the actual pax flags and z are accepted
-#
-# 1. The leading '-' is irrelevant since it is santized out
-#
-# 2. Cc only make sense for paxctl, and even there these are
-#    not needed as we progressively try:
-#        paxctl -q${flags}
-#        paxctl -qc${flags}
-#        paxctl -qC${flags}
-#    So we sanitize them out.
-#
-# 3. z is allowed for the default
-#
-sanitize-flags() {
-	local flags=$1
-	local clean=""
-
-	for f in z P p E e M m R r S s; do
-		[[ "${flags}" != "${flags/${f}/}" ]] && clean="${clean}${f}"
-	done
-	echo "$clean"
-}
-
 pax-mark() {
 
 	local f								# loop over paxables
@@ -81,7 +58,14 @@ pax-mark() {
 	local xt_fail=0 xt_failures=""		# record xattr PAX marking failures
 	local ret=0							# overal return code of this function
 
-	flags="$(sanitize-flags $1)"
+	# Sanitize flags -- allow only actual PaX flags
+	# 1. The leading '-' is optional
+	# 2. -C -c only makes sense for paxctl.  But the user need not provide
+	#    it since we progressively do -q -qc and -qC
+	# 3. z is allowed for the defaults
+
+	flags="${1//[!zPpEeMmRrSs]}"
+	[ "${flags}" ] || return 0
 	shift
 
 	if has PT ${PAX_MARKINGS}; then
@@ -152,6 +136,7 @@ pax-mark() {
 
 		#Next try setfattr
 		elif type -p setfattr > /dev/null; then
+			[[ ${flags//[!Ee]} ]] || flags+="e" # bug 447150
 			einfo "XT PaX marking -${flags} with setfattr"
 			_pax_list_files einfo "$@"
 			for f in "$@"; do


* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2013-02-10  1:56 Anthony G. Basile
From: Anthony G. Basile @ 2013-02-10  1:56 UTC (permalink / raw
  To: gentoo-commits

commit:     872bb4b2c4f56b12e14bb6b449a718ac31ae863f
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun Feb 10 01:56:13 2013 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 01:56:13 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=872bb4b2

eclass/pax-utils.eclass: clean up sanitize-flags()

---
 eclass/pax-utils.eclass |   52 ++++++++++++++++++----------------------------
 1 files changed, 20 insertions(+), 32 deletions(-)

diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
index fdc7769..74a5ec7 100644
--- a/eclass/pax-utils.eclass
+++ b/eclass/pax-utils.eclass
@@ -50,40 +50,28 @@ PAX_MARKINGS=${PAX_MARKINGS:="PT XT"}
 # the bug report.
 
 
+# Only the actual pax flags and z are accepted
+#
+# 1. The leading '-' is irrelevant since it is santized out
+#
+# 2. Cc only make sense for paxctl, and even there these are
+#    not needed as we progressively try:
+#        paxctl -q${flags}
+#        paxctl -qc${flags}
+#        paxctl -qC${flags}
+#    So we sanitize them out.
+#
+# 3. z is allowed for the default
+#
 sanitize-flags() {
-		# Only the actual pax flags and z are accepted
-		#
-		# 1. The leading '-' is irrelevant since it is santized out
-		#
-		# 2. Cc only make sense for paxctl, and even there these are
-		#    not needed as we progressively try:
-		#        paxctl -q${flags}
-		#        paxctl -qc${flags}
-		#        paxctl -qC${flags}
-		#    So we sanitize them out.
-		#
-		# 3. z is allowed for the default
-		#
-
-        local flags="$1"
-        local clean=""
-
-        [[ "${flags}" != "${flags/z/}" ]] && clean="${clean}z"
-
-        [[ "${flags}" != "${flags/P/}" ]] && clean="${clean}P"
-        [[ "${flags}" != "${flags/p/}" ]] && clean="${clean}p"
-        [[ "${flags}" != "${flags/E/}" ]] && clean="${clean}E"
-        [[ "${flags}" != "${flags/e/}" ]] && clean="${clean}e"
-        [[ "${flags}" != "${flags/M/}" ]] && clean="${clean}M"
-        [[ "${flags}" != "${flags/m/}" ]] && clean="${clean}m"
-        [[ "${flags}" != "${flags/R/}" ]] && clean="${clean}R"
-        [[ "${flags}" != "${flags/r/}" ]] && clean="${clean}r"
-        [[ "${flags}" != "${flags/S/}" ]] && clean="${clean}S"
-        [[ "${flags}" != "${flags/s/}" ]] && clean="${clean}s"
-
-        echo "$clean"
-}
+	local flags=$1
+	local clean=""
 
+	for f in z P p E e M m R r S s; do
+		[[ "${flags}" != "${flags/${f}/}" ]] && clean="${clean}${f}"
+	done
+	echo "$clean"
+}
 
 pax-mark() {
 
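Review bot: the loop variable in `for f in z P p E e M m R r S s; do` is not declared `local`; today the function is only called inside a command substitution (`flags="$(sanitize-flags $1)"`), so the leak is invisible, but a `local f` beside `local clean=""` costs nothing and keeps the function safe if it is ever called directly. The loop still lets both members of a pair through (`Pp` comes out as `Pp`), so conflicting flags are put in a canonical order but never rejected; an `ewarn` or `die` when both cases of one letter survive would make the "bad combos" handling explicit. The relocated comment block carries the "santized" typo along with it.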


* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2013-02-09 20:30 Anthony G. Basile
  0 siblings, 0 replies; 41+ messages in thread
From: Anthony G. Basile @ 2013-02-09 20:30 UTC
  To: gentoo-commits

commit:     3a2cbaec20cf614ec0dfbf7a6c0d3cedff412b5b
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sat Feb  9 20:30:17 2013 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sat Feb  9 20:30:17 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=3a2cbaec

eclass/pax-utils.eclass: address bad pax flag combos, bug #445948

---
 eclass/pax-utils.eclass |   80 ++++++++++++++++++++++++++++++++++++----------
 1 files changed, 62 insertions(+), 18 deletions(-)

diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
index acd11a3..fdc7769 100644
--- a/eclass/pax-utils.eclass
+++ b/eclass/pax-utils.eclass
@@ -49,6 +49,42 @@ PAX_MARKINGS=${PAX_MARKINGS:="PT XT"}
 # Either ask on the gentoo-hardened mailing list, or CC/assign hardened@g.o on
 # the bug report.
 
+
+sanitize-flags() {
+		# Only the actual pax flags and z are accepted
+		#
+		# 1. The leading '-' is irrelevant since it is santized out
+		#
+		# 2. Cc only make sense for paxctl, and even there these are
+		#    not needed as we progressively try:
+		#        paxctl -q${flags}
+		#        paxctl -qc${flags}
+		#        paxctl -qC${flags}
+		#    So we sanitize them out.
+		#
+		# 3. z is allowed for the default
+		#
+
+        local flags="$1"
+        local clean=""
+
+        [[ "${flags}" != "${flags/z/}" ]] && clean="${clean}z"
+
+        [[ "${flags}" != "${flags/P/}" ]] && clean="${clean}P"
+        [[ "${flags}" != "${flags/p/}" ]] && clean="${clean}p"
+        [[ "${flags}" != "${flags/E/}" ]] && clean="${clean}E"
+        [[ "${flags}" != "${flags/e/}" ]] && clean="${clean}e"
+        [[ "${flags}" != "${flags/M/}" ]] && clean="${clean}M"
+        [[ "${flags}" != "${flags/m/}" ]] && clean="${clean}m"
+        [[ "${flags}" != "${flags/R/}" ]] && clean="${clean}R"
+        [[ "${flags}" != "${flags/r/}" ]] && clean="${clean}r"
+        [[ "${flags}" != "${flags/S/}" ]] && clean="${clean}S"
+        [[ "${flags}" != "${flags/s/}" ]] && clean="${clean}s"
+
+        echo "$clean"
+}
+
+
 pax-mark() {
 
 	local f								# loop over paxables
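Review bot: the body of the new `sanitize-flags()` is indented with eight spaces while its own comment block and the rest of the eclass use tabs; please normalise before this lands. The function also passes both members of a pair through (`Pp`, `Ee`, `Mm` ...), which is one kind of bad combination the commit title could cover, so a check along the lines of `[[ ${clean} == *P* && ${clean} == *p* ]] && die "conflicting PaX flags"` (or at least an `ewarn`) belongs here. "santized" in the comment should read "sanitized".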
@@ -57,25 +93,14 @@ pax-mark() {
 	local xt_fail=0 xt_failures=""		# record xattr PAX marking failures
 	local ret=0							# overal return code of this function
 
-	# You can call pax-mark with/out leading '-' on flags
-	flags=${1//-}
+	flags="$(sanitize-flags $1)"
 	shift
 
 	if has PT ${PAX_MARKINGS}; then
 
-		#First try paxctl-ng
-		if type -p paxctl-ng > /dev/null && paxctl-ng -L ; then
-			einfo "PT PaX marking -${flags}"
-			_pax_list_files einfo "$@"
-			for f in "$@"; do
-				paxctl-ng -L -${flags} "${f}" && continue
-				pt_fail=1
-				pt_failures="${pt_failures} ${f}"
-			done
-
-		#Next try paxctl
-		elif type -p paxctl > /dev/null; then
-			einfo "PT PaX marking -${flags}"
+		#First try paxctl -> this might try to create/convert program headers
+		if type -p paxctl > /dev/null; then
+			einfo "PT PaX marking -${flags} with paxctl"
 			_pax_list_files einfo "$@"
 			for f in "$@"; do
 				# First, try modifying the existing PAX_FLAGS header
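Review bot: `flags="$(sanitize-flags $1)"` can legitimately yield an empty string (the caller passed only `-c`, `-C`, or a typo), yet nothing below checks for it, and the paxctl branch then runs with `-${flags}` reduced to a bare `-`. Add `[[ -n ${flags} ]] || return` with an `ewarn` immediately after the assignment. Swapping the order so that `paxctl` is tried before `paxctl-ng` also deserves a sentence explaining why creating or converting program headers is now the preferred first attempt, since the comment only states that it happens.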
@@ -88,9 +113,19 @@ pax-mark() {
 				pt_failures="${pt_failures} ${f}"
 			done
 
+		#Next try paxctl-ng -> this will not create/convert any program headers
+		elif type -p paxctl-ng > /dev/null && paxctl-ng -L ; then
+			einfo "PT PaX marking -${flags} with paxctl-ng"
+			_pax_list_files einfo "$@"
+			for f in "$@"; do
+				paxctl-ng -L -${flags} "${f}" && continue
+				pt_fail=1
+				pt_failures="${pt_failures} ${f}"
+			done
+
 		#Finally fall back on scanelf
 		elif type -p scanelf > /dev/null && [[ ${PAX_MARKINGS} != "none" ]]; then
-			einfo "Fallback PaX marking -${flags}"
+			einfo "Fallback PaX marking -${flags} with scanelf"
 			_pax_list_files einfo "$@"
 			scanelf -Xxz ${flags} "$@"
 
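Review bot: the scanelf fallback is the only PT branch that records no failure: both tool branches above it set `pt_fail=1` and append to `pt_failures`, while a non-zero exit from `scanelf -Xxz ${flags} "$@"` is silently dropped. At minimum write `scanelf -Xxz ${flags} "$@" || pt_fail=1` so `pt_fail` reflects what happened. A short comment that scanelf takes the letters as the argument to `-z` (hence no leading dash, unlike `-${flags}` in the other branches) would also help.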
@@ -109,11 +144,19 @@ pax-mark() {
 
 	if has XT ${PAX_MARKINGS}; then
 
+		# z = default. For XATTR_PAX, the default is no xattr field at all
+		local dodefault=""
+		if [[ "${flags}" != "${flags/z/}" ]]; then
+			flags="${flags/z/}"
+			dodefault="yes"
+		fi
+
 		#First try paxctl-ng
 		if type -p paxctl-ng > /dev/null && paxctl-ng -l ; then
-			einfo "XT PaX marking -${flags}"
+			einfo "XT PaX marking -${flags} with paxctl-ng"
 			_pax_list_files einfo "$@"
 			for f in "$@"; do
+				[[ ${dodefault} == "yes" ]] && paxctl-ng -d "${f}"
 				paxctl-ng -l -${flags} "${f}" && continue
 				xt_fail=1
 				xt_failures="${tx_failures} ${f}"
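Review bot: `xt_failures="${tx_failures} ${f}"` (the context line at the bottom of this hunk) reads a variable `tx_failures` that does not exist; the one declared above is `xt_failures`, so every failure overwrites the list instead of appending to it. Separately, when `z` is the only flag the strip leaves `${flags}` empty, and `paxctl-ng -l -${flags}` is then called with a bare `-` right after `paxctl-ng -d` cleared the attribute; skip the `-l` call when `${flags}` is empty. The return value of `paxctl-ng -d "${f}"` is also ignored, so a failed reset never reaches `xt_fail`.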
@@ -121,9 +164,10 @@ pax-mark() {
 
 		#Next try setfattr
 		elif type -p setfattr > /dev/null; then
-			einfo "XT PaX marking -${flags}"
+			einfo "XT PaX marking -${flags} with setfattr"
 			_pax_list_files einfo "$@"
 			for f in "$@"; do
+				[[ ${dodefault} == "yes" ]] && setfattr -x "user.pax.flags" "${f}"
 				setfattr -n "user.pax.flags" -v "${flags}" "${f}" && continue
 				xt_fail=1
 				xt_failures="${tx_failures} ${f}"
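Review bot: the same empty-flags problem applies to setfattr: with `z` alone, `setfattr -x "user.pax.flags"` removes the attribute and the very next line recreates it with `-v ""`, which contradicts the comment above stating that the default is no xattr field at all. Guard the `-n`/`-v` call with `[[ -n ${flags} ]]`. `setfattr -x` on a file that has no `user.pax.flags` attribute exits non-zero and writes to stderr, so redirect it or accept the noise knowingly. `xt_failures="${tx_failures} ${f}"` has the same `tx_` typo as the paxctl-ng branch.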


* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2012-12-30  1:29 Anthony G. Basile
  0 siblings, 0 replies; 41+ messages in thread
From: Anthony G. Basile @ 2012-12-30  1:29 UTC
  To: gentoo-commits

commit:     30566dc16112b2b0b2c1dc1eea2bc1806016d3f8
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun Dec 30 01:28:59 2012 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun Dec 30 01:28:59 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=30566dc1

eclass/pax-utils.eclass: correct to test if PT_PAX or XATTR_PAX is supported, bug #447616

---
 eclass/pax-utils.eclass |   25 +++++++++++--------------
 1 files changed, 11 insertions(+), 14 deletions(-)

diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
index e860d04..acd11a3 100644
--- a/eclass/pax-utils.eclass
+++ b/eclass/pax-utils.eclass
@@ -1,4 +1,4 @@
-# Copyright 1999-2011 Gentoo Foundation
+# Copyright 1999-2012 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 # $Header: /var/cvsroot/gentoo-x86/eclass/pax-utils.eclass,v 1.18 2012/04/06 18:03:54 blueness Exp $
 
@@ -11,17 +11,16 @@
 # Modifications for bug #431092: Anthony G. Basile <blueness@gentoo.org>
 # @BLURB: functions to provide pax markings
 # @DESCRIPTION:
+#
 # This eclass provides support for manipulating PaX markings on ELF binaries,
-# wrapping the use of the paxctl and scanelf utilities.  It decides which to
-# use depending on what is installed on the build host, preferring paxctl to
-# scanelf.  If paxctl is not installed, we fall back to scanelf since it is
-# always present.  However, currently scanelf doesn't do all that paxctl can.
+# whether the system is using legacy PT_PAX markings or the newer XATTR_PAX.
+# The eclass wraps the use of paxctl-ng, paxctl, set/getattr and scanelf utilities,
+# deciding which to use depending on what's installed on the build host, and
+# whether we're working with PT_PAX, XATTR_PAX or both.
 #
 # To control what markings are made, set PAX_MARKINGS in /etc/portage/make.conf
-# to contain either "PT", "XT" or "none".  If PAX_MARKINGS contains "PT", and
-# the necessary utility is installed, then PT_PAX_FLAGS markings will be made.
-# Similarly, if  PAX_MARKINGS contains "XT", then xattr markings will be made.
-# If PAX_MARKINGS is set to "none", no markings will be made.
+# to contain either "PT", "XT" or "none".  The default is to attempt both
+# PT_PAX and XATTR_PAX.
 
 if [[ ${___ECLASS_ONCE_PAX_UTILS} != "recur -_+^+_- spank" ]] ; then
 ___ECLASS_ONCE_PAX_UTILS="recur -_+^+_- spank"
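Review bot: the new @DESCRIPTION lists "set/getattr" among the wrapped utilities, but the tools the eclass actually invokes are `setfattr` and `getfattr`; use the real names so readers can find the package. The rewrite also drops the sentence that explained what `PAX_MARKINGS="none"` does while still listing "none" as a valid value; keep one line saying that "none" disables marking entirely.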
@@ -35,8 +34,7 @@ PAX_MARKINGS=${PAX_MARKINGS:="PT XT"}
 # @DESCRIPTION:
 # Marks <ELF files> with provided PaX <flags>
 #
-# Flags are passed directly to the utilities unchanged.  Possible flags at the
-# time of writing, taken from /sbin/paxctl, are:
+# Flags are passed directly to the utilities unchanged
 #
 #	p: disable PAGEEXEC		P: enable PAGEEXEC
 #	e: disable EMUTRMAP		E: enable EMUTRMAP
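Review bot: "Flags are passed directly to the utilities unchanged" lost its terminating punctuation and now runs straight into the flag table; a colon would do. The statement is also only approximately true, since `pax-mark` strips a leading dash (`flags=${1//-}`) before handing the letters on; "unchanged apart from a leading dash" is what a caller needs to know.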
@@ -46,7 +44,6 @@ PAX_MARKINGS=${PAX_MARKINGS:="PT XT"}
 #
 # Default flags are 'PeMRS', which are the most restrictive settings.  Refer
 # to http://pax.grsecurity.net/ for details on what these flags are all about.
-# Do not use the obsolete flag 'x'/'X' which has been deprecated.
 #
 # Please confirm any relaxation of restrictions with the Gentoo Hardened team.
 # Either ask on the gentoo-hardened mailing list, or CC/assign hardened@g.o on
@@ -67,7 +64,7 @@ pax-mark() {
 	if has PT ${PAX_MARKINGS}; then
 
 		#First try paxctl-ng
-		if type -p paxctl-ng > /dev/null; then
+		if type -p paxctl-ng > /dev/null && paxctl-ng -L ; then
 			einfo "PT PaX marking -${flags}"
 			_pax_list_files einfo "$@"
 			for f in "$@"; do
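Review bot: `paxctl-ng -L` is used as a support probe inside the `elif` condition, but unlike the `type -p` check beside it its stdout and stderr are not redirected, so whatever it prints lands in every build log that calls `pax-mark`; add `> /dev/null 2>&1`. A one-line comment that a bare `-L` (and `-l` below) asks paxctl-ng whether it was built with PT_PAX (XATTR_PAX) support, which is what the commit message describes, would spare the next reader a trip to the man page.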
@@ -113,7 +110,7 @@ pax-mark() {
 	if has XT ${PAX_MARKINGS}; then
 
 		#First try paxctl-ng
-		if type -p paxctl-ng > /dev/null; then
+		if type -p paxctl-ng > /dev/null && paxctl-ng -l ; then
 			einfo "XT PaX marking -${flags}"
 			_pax_list_files einfo "$@"
 			for f in "$@"; do
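Review bot: same point as in the PT block: `paxctl-ng -l` runs unsilenced in the condition. Since the two probes differ only in the flag letter, a small helper such as `_pax_ng_supports() { paxctl-ng -${1} > /dev/null 2>&1; }` would keep both call sites identical and give the redirect one home.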


* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2012-09-08 19:57 Sven Vermeulen
  0 siblings, 0 replies; 41+ messages in thread
From: Sven Vermeulen @ 2012-09-08 19:57 UTC
  To: gentoo-commits

commit:     6b8bd5927b7331c3f7b22a8171f1e68f2d576f3b
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Sep  8 18:35:24 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Sep  8 18:35:24 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=6b8bd592

Moved to main tree

---
 eclass/selinux-policy-2.eclass |  283 ----------------------------------------
 1 files changed, 0 insertions(+), 283 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
deleted file mode 100644
index 8e9929b..0000000
--- a/eclass/selinux-policy-2.eclass
+++ /dev/null
@@ -1,283 +0,0 @@
-# Copyright 1999-2012 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.13 2012/07/26 12:53:01 swift Exp $
-
-# Eclass for installing SELinux policy, and optionally
-# reloading the reference-policy based modules.
-
-# @ECLASS: selinux-policy-2.eclass
-# @MAINTAINER:
-# selinux@gentoo.org
-# @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy
-# @DESCRIPTION:
-# The selinux-policy-2.eclass supports deployment of the various SELinux modules
-# defined in the sec-policy category. It is responsible for extracting the
-# specific bits necessary for single-module deployment (instead of full-blown
-# policy rebuilds) and applying the necessary patches.
-#
-# Also, it supports for bundling patches to make the whole thing just a bit more
-# manageable.
-
-# @ECLASS-VARIABLE: MODS
-# @DESCRIPTION:
-# This variable contains the (upstream) module name for the SELinux module.
-# This name is only the module name, not the category!
-: ${MODS:="_illegal"}
-
-# @ECLASS-VARIABLE: BASEPOL
-# @DESCRIPTION:
-# This variable contains the version string of the selinux-base-policy package
-# that this module build depends on. It is used to patch with the appropriate
-# patch bundle(s) that are part of selinux-base-policy.
-: ${BASEPOL:=""}
-
-# @ECLASS-VARIABLE: POLICY_PATCH
-# @DESCRIPTION:
-# This variable contains the additional patch(es) that need to be applied on top
-# of the patchset already contained within the BASEPOL variable. The variable
-# can be both a simple string (space-separated) or a bash array.
-: ${POLICY_PATCH:=""}
-
-# @ECLASS-VARIABLE: POLICY_FILES
-# @DESCRIPTION:
-# When defined, this contains the files (located in the ebuilds' files/
-# directory) which should be copied as policy module files into the store.
-# Generally, users would want to include at least a .te and .fc file, but .if
-# files are supported as well. The variable can be both a simple string
-# (space-separated) or a bash array.
-: ${POLICY_FILES:=""}
-
-# @ECLASS-VARIABLE: POLICY_TYPES
-# @DESCRIPTION:
-# This variable informs the eclass for which SELinux policies the module should
-# be built. Currently, Gentoo supports targeted, strict, mcs and mls.
-# This variable is the same POLICY_TYPES variable that we tell SELinux
-# users to set in /etc/make.conf. Therefor, it is not the module that should
-# override it, but the user.
-: ${POLICY_TYPES:="targeted strict mcs mls"}
-
-extra_eclass=""
-case ${BASEPOL} in
-	9999)	extra_eclass="git-2";
-			EGIT_REPO_URI="git://git.overlays.gentoo.org/proj/hardened-refpolicy.git";
-			EGIT_SOURCEDIR="${WORKDIR}/refpolicy";;
-esac
-
-inherit eutils ${extra_eclass}
-
-IUSE=""
-
-HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
-if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]];
-then
-	SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2
-		http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
-elif [[ "${BASEPOL}" != "9999" ]];
-then
-	SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
-else
-	SRC_URI=""
-fi
-
-LICENSE="GPL-2"
-SLOT="0"
-S="${WORKDIR}/"
-PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
-
-# Modules should always depend on at least the first release of the
-# selinux-base-policy for which they are generated.
-if [[ -n ${BASEPOL} ]];
-then
-	RDEPEND=">=sys-apps/policycoreutils-2.0.82
-		>=sec-policy/selinux-base-policy-${BASEPOL}"
-else
-	RDEPEND=">=sys-apps/policycoreutils-2.0.82
-		>=sec-policy/selinux-base-policy-${PV}"
-fi
-DEPEND="${RDEPEND}
-	sys-devel/m4
-	>=sys-apps/checkpolicy-2.0.21"
-
-SELINUX_EXPF="src_unpack src_compile src_install pkg_postinst"
-case "${EAPI:-0}" in
-	2|3|4) SELINUX_EXPF+=" src_prepare" ;;
-	*) ;;
-esac
-
-EXPORT_FUNCTIONS ${SELINUX_EXPF}
-
-# @FUNCTION: selinux-policy-2_src_unpack
-# @DESCRIPTION:
-# Unpack the policy sources as offered by upstream (refpolicy). In case of EAPI
-# older than 2, call src_prepare too.
-selinux-policy-2_src_unpack() {
-	if [[ "${BASEPOL}" != "9999" ]];
-	then
-		unpack ${A}
-	else
-		git-2_src_unpack
-	fi
-
-	# Call src_prepare explicitly for EAPI 0 or 1
-	has "${EAPI:-0}" 0 1 && selinux-policy-2_src_prepare
-}
-
-# @FUNCTION: selinux-policy-2_src_prepare
-# @DESCRIPTION:
-# Patch the reference policy sources with our set of enhancements. Start with
-# the base patchbundle referred to by the ebuilds through the BASEPOL variable,
-# then apply the additional patches as offered by the ebuild.
-#
-# Next, extract only those files needed for this particular module (i.e. the .te
-# and .fc files for the given module in the MODS variable).
-#
-# Finally, prepare the build environments for each of the supported SELinux
-# types (such as targeted or strict), depending on the POLICY_TYPES variable
-# content.
-selinux-policy-2_src_prepare() {
-	local modfiles
-	local add_interfaces=0;
-
-	# Create 3rd_party location for user-contributed policies
-	cd "${S}/refpolicy/policy/modules" && mkdir 3rd_party;
-
-	# Patch the sources with the base patchbundle
-	if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]];
-	then
-		cd "${S}"
-		EPATCH_MULTI_MSG="Applying SELinux policy updates ... " \
-		EPATCH_SUFFIX="patch" \
-		EPATCH_SOURCE="${WORKDIR}" \
-		EPATCH_FORCE="yes" \
-		epatch
-	fi
-
-	# Copy additional files to the 3rd_party/ location
-	if [[ "$(declare -p POLICY_FILES 2>/dev/null 2>&1)" == "declare -a"* ]] ||
-	   [[ -n ${POLICY_FILES} ]];
-	then
-	    add_interfaces=1;
-		cd "${S}/refpolicy/policy/modules"
-		for POLFILE in ${POLICY_FILES[@]};
-		do
-			cp "${FILESDIR}/${POLFILE}" 3rd_party/ || die "Could not copy ${POLFILE} to 3rd_party/ location";
-		done
-	fi
-
-	# Apply the additional patches refered to by the module ebuild.
-	# But first some magic to differentiate between bash arrays and strings
-	if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]] ||
-	   [[ -n ${POLICY_PATCH} ]];
-	then
-		cd "${S}/refpolicy/policy/modules"
-		for POLPATCH in ${POLICY_PATCH[@]};
-		do
-			epatch "${POLPATCH}"
-		done
-	fi
-
-	# Collect only those files needed for this particular module
-	for i in ${MODS}; do
-		modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
-		modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
-		if [ ${add_interfaces} -eq 1 ];
-		then
-			modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.if) $modfiles"
-		fi
-	done
-
-	for i in ${POLICY_TYPES}; do
-		mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}"
-		cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
-			|| die "Failed to copy Makefile.example to ${S}/${i}/Makefile"
-
-		cp ${modfiles} "${S}"/${i} \
-			|| die "Failed to copy the module files to ${S}/${i}"
-	done
-}
-
-# @FUNCTION: selinux-policy-2_src_compile
-# @DESCRIPTION:
-# Build the SELinux policy module (.pp file) for just the selected module, and
-# this for each SELinux policy mentioned in POLICY_TYPES
-selinux-policy-2_src_compile() {
-	for i in ${POLICY_TYPES}; do
-		# Parallel builds are broken, so we need to force -j1 here
-		emake -j1 NAME=$i -C "${S}"/${i} || die "${i} compile failed"
-	done
-}
-
-# @FUNCTION: selinux-policy-2_src_install
-# @DESCRIPTION:
-# Install the built .pp files in the correct subdirectory within
-# /usr/share/selinux.
-selinux-policy-2_src_install() {
-	local BASEDIR="/usr/share/selinux"
-
-	for i in ${POLICY_TYPES}; do
-		for j in ${MODS}; do
-			einfo "Installing ${i} ${j} policy package"
-			insinto ${BASEDIR}/${i}
-			doins "${S}"/${i}/${j}.pp || die "Failed to add ${j}.pp to ${i}"
-
-			if [[ "${POLICY_FILES[@]}" == *"${j}.if"* ]];
-			then
-				insinto ${BASEDIR}/${i}/include/3rd_party
-				doins "${S}"/${i}/${j}.if || die "Failed to add ${j}.if to ${i}"
-			fi
-		done
-	done
-}
-
-# @FUNCTION: selinux-policy-2_pkg_postinst
-# @DESCRIPTION:
-# Install the built .pp files in the SELinux policy stores, effectively
-# activating the policy on the system.
-selinux-policy-2_pkg_postinst() {
-	# build up the command in the case of multiple modules
-	local COMMAND
-	for i in ${MODS}; do
-		COMMAND="-i ${i}.pp ${COMMAND}"
-	done
-
-	for i in ${POLICY_TYPES}; do
-		einfo "Inserting the following modules into the $i module store: ${MODS}"
-
-		cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
-		semodule -s ${i} ${COMMAND}
-		if [ $? -ne 0 ];
-		then
-			ewarn "SELinux module load failed. Trying full reload...";
-			if [ "${i}" == "targeted" ];
-			then
-				semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp);
-			else
-				semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp | grep -v unconfined.pp);
-			fi
-			if [ $? -ne 0 ];
-			then
-				ewarn "Failed to reload SELinux policies."
-				ewarn ""
-				ewarn "If this is *not* the last SELinux module package being installed,"
-				ewarn "then you can safely ignore this as the reloads will be retried"
-				ewarn "with other, recent modules."
-				ewarn ""
-				ewarn "If it is the last SELinux module package being installed however,"
-				ewarn "then it is advised to look at the error above and take appropriate"
-				ewarn "action since the new SELinux policies are not loaded until the"
-				ewarn "command finished succesfully."
-				ewarn ""
-				ewarn "To reload, run the following command from within /usr/share/selinux/${i}:"
-				ewarn "  semodule -b base.pp -i \$(ls *.pp | grep -v base.pp)"
-				ewarn "or"
-				ewarn "  semodule -b base.pp -i \$(ls *.pp | grep -v base.pp | grep -v unconfined.pp)"
-				ewarn "depending on if you need the unconfined domain loaded as well or not."
-			else
-				einfo "SELinux modules reloaded succesfully."
-			fi
-		else
-			einfo "SELinux modules loaded succesfully."
-		fi
-	done
-}
-
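Review bot: the whole eclass is removed on the strength of "Moved to main tree" without naming the tree revision it was moved as; the deleted copy still carries `$Header: ... v1.13 2012/07/26`, so please record in the commit message which gentoo-x86 revision now holds this content and confirm the two copies were identical at removal time, otherwise overlay-only fixes made since that date are lost silently.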


* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2012-05-15 18:11 Sven Vermeulen
  0 siblings, 0 replies; 41+ messages in thread
From: Sven Vermeulen @ 2012-05-15 18:11 UTC
  To: gentoo-commits

commit:     57a3be5bb9765b813f1e63696833bb2f27e84497
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May 15 18:10:54 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May 15 18:10:54 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=57a3be5b

Meh

---
 eclass/selinux-policy-2.eclass |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 747e0f4..5989dd4 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -234,6 +234,7 @@ selinux-policy-2_pkg_postinst() {
 		then
 			ewarn "SELinux module load failed. Trying full reload...";
 			if [ "${i}" == "targeted" ];
+			then
 				semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp);
 			else
 				semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp | grep -v unconfined.pp);
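Review bot: the fix is right (the `if [ "${i}" == "targeted" ];` introduced in 8d09ddcf had no `then` and would not even parse), but the commit message "Meh" records none of that; something like "selinux-policy-2.eclass: add missing then in pkg_postinst full-reload branch" is what anyone bisecting a broken postinst will need to find.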



* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2012-05-15 17:58 Sven Vermeulen
  0 siblings, 0 replies; 41+ messages in thread
From: Sven Vermeulen @ 2012-05-15 17:58 UTC
  To: gentoo-commits

commit:     8d09ddcf47d6fb207aff5c54f66521b6089bc259
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May 15 17:57:30 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May 15 17:57:30 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=8d09ddcf

Cannot use semodule -l all the time, initial setup also uses this function

---
 eclass/selinux-policy-2.eclass |   11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index ffa3913..747e0f4 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -233,7 +233,11 @@ selinux-policy-2_pkg_postinst() {
 		if [ $? -ne 0 ];
 		then
 			ewarn "SELinux module load failed. Trying full reload...";
-			semodule -s ${i} -b base.pp -i $(semodule -l | awk '{print $1".pp"}');
+			if [ "${i}" == "targeted" ];
+				semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp);
+			else
+				semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp | grep -v unconfined.pp);
+			fi
 			if [ $? -ne 0 ];
 			then
 				eerror "Failed to reload SELinux policies."
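Review bot: `if [ "${i}" == "targeted" ];` is missing its `then`, so this hunk leaves pkg_postinst with a syntax error and the branch cannot run as committed. Beyond that, `$(ls *.pp | grep -v base.pp)` is a regex filter, not a filename filter: the `.` matches any character and the pattern is unanchored, so a module whose name ends in `base` (say `foobase.pp`) is excluded as well. Prefer a glob loop that skips `base.pp` (and `unconfined.pp`) by exact name, which also avoids parsing `ls` output.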
@@ -248,7 +252,10 @@ selinux-policy-2_pkg_postinst() {
 				eerror "command finished succesfully."
 				eerror ""
 				eerror "To reload, run the following command from within /usr/share/selinux/${i}:"
-				eerror "  semodule -b base.pp -i \$(semodule -l | awk '{print \$1\".pp\"}')"
+				eerror "  semodule -b base.pp -i \$(ls *.pp | grep -v base.pp)"
+				eerror "or"
+				eerror "  semodule -b base.pp -i \$(ls *.pp | grep -v base.pp | grep -v unconfined.pp)"
+				eerror "depending on if you need the unconfined domain loaded as well or not."
 			else
 				einfo "SELinux modules reloaded succesfully."
 			fi
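Review bot: the command the eerror text tells the user to run (`semodule -b base.pp -i $(ls *.pp | grep -v base.pp)`, and the unconfined variant) omits the `-s ${i}` store selection that the code itself passes, so for any store other than the default the advice loads the modules into the wrong policy store even though the user is told to cd into `/usr/share/selinux/${i}`. Print the same command the eclass ran, `-s ${i}` included.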



* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2012-05-06 14:14 Sven Vermeulen
  0 siblings, 0 replies; 41+ messages in thread
From: Sven Vermeulen @ 2012-05-06 14:14 UTC
  To: gentoo-commits

commit:     49dfc884d659c756408987a4ce5e015a517ec83b
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun May  6 14:13:53 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun May  6 14:13:53 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=49dfc884

Full load support

---
 eclass/selinux-policy-2.eclass |   27 ++++++++++++++++++++++++++-
 1 files changed, 26 insertions(+), 1 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 07ee6c2..ed1a685 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -229,7 +229,32 @@ selinux-policy-2_pkg_postinst() {
 		einfo "Inserting the following modules into the $i module store: ${MODS}"
 
 		cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
-		semodule -s ${i} ${COMMAND} || die "Failed to load in modules ${MODS} in the $i policy store"
+		semodule -s ${i} ${COMMAND}
+		if [ $? -ne 0 ];
+		then
+			ewarn "SELinux module load failed. Trying full reload...";
+			semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp);
+			if [ $? -ne 0 ];
+			then
+				eerror "Failed to reload SELinux policies."
+				eerror ""
+				eerror "If this is *not* the last SELinux module package being installed,"
+				eerror "then you can safely ignore this as the reloads will be retried"
+				eerror "with other, recent modules."
+				eerror ""
+				eerror "If it is the last SELinux module package being installed however,"
+				eerror "then it is advised to look at the error above and take appropriate"
+				eerror "action since the new SELinux policies are not loaded until the"
+				eerror "command finished succesfully."
+				eerror ""
+				eerror "To reload, run the following command from within /usr/share/selinux/${i}:"
+				eerror "  semodule -b base.pp -i \$(ls *.pp | grep -v base.pp)"
+			else
+				einfo "SELinux modules reloaded succesfully."
+			fi
+		else
+			einfo "SELinux modules loaded succesfully."
+		fi
 	done
 }
 
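Review bot: replacing `|| die` with an eerror block means pkg_postinst now always succeeds, so a package whose policy never loaded is recorded as installed; the "not the last module" text explains the trade-off, but the fallback `semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp)` reloads every `.pp` present in the directory rather than just `${MODS}`, which can pull in stale or unrelated modules, and the warning should say so. `grep -v base.pp` is also an unanchored regex (`.` matches any character), so `foobase.pp` would be skipped too. The messages spell "succesfully" in three places.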



* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2012-05-01 11:26 Sven Vermeulen
  0 siblings, 0 replies; 41+ messages in thread
From: Sven Vermeulen @ 2012-05-01 11:26 UTC
  To: gentoo-commits

commit:     36526e28cee3266ed5e62b56933fbc41e1ef3410
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May  1 11:26:20 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May  1 11:26:20 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=36526e28

Simplify eclass further, drop use of trigger file

---
 eclass/selinux-policy-2.eclass |   37 +++++++++----------------------------
 1 files changed, 9 insertions(+), 28 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index c6f993a..07ee6c2 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -138,44 +138,27 @@ selinux-policy-2_src_prepare() {
 	fi
 
 	# Copy additional files to the 3rd_party/ location
-	if [[ "$(declare -p POLICY_FILES 2>/dev/null 2>&1)" == "declare -a"* ]];
+	if [[ "$(declare -p POLICY_FILES 2>/dev/null 2>&1)" == "declare -a"* ]] ||
+	   [[ -n ${POLICY_FILES} ]];
 	then
-		add_interfaces=1;
+	    add_interfaces=1;
 		cd "${S}/refpolicy/policy/modules"
-		for POLFILE in "${POLICY_FILES[@]}";
+		for POLFILE in ${POLICY_FILES[@]};
 		do
-			cp "${FILESDIR}/${POLFILE}" 3rd_party/ || die "Could not copy over ${POLFILE} to 3rd_party/ location";
+			cp "${FILESDIR}/${POLFILE}" 3rd_party/ || die "Could not copy ${POLFILE} to 3rd_party/ location";
 		done
-	else
-		if [[ -n ${POLICY_FILES} ]];
-		then
-			add_interfaces=1;
-			cd "${S}/refpolicy/policy/modules"
-			for POLFILE in ${POLICY_FILES};
-			do
-				cp "${FILESDIR}/${POLFILE}" 3rd_party/ || die "Could not copy ${POLFILE} into 3rd_party/ location";
-			done
-		fi
 	fi
 
 	# Apply the additional patches refered to by the module ebuild.
 	# But first some magic to differentiate between bash arrays and strings
-	if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]];
+	if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]] ||
+	   [[ -n ${POLICY_PATCH} ]];
 	then
 		cd "${S}/refpolicy/policy/modules"
-		for POLPATCH in "${POLICY_PATCH[@]}";
+		for POLPATCH in ${POLICY_PATCH[@]};
 		do
 			epatch "${POLPATCH}"
 		done
-	else
-		if [[ -n ${POLICY_PATCH} ]];
-		then
-			cd "${S}/refpolicy/policy/modules"
-			for POLPATCH in ${POLICY_PATCH};
-			do
-				epatch "${POLPATCH}"
-			done
-		fi
 	fi
 
 	# Collect only those files needed for this particular module
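Review bot: dropping the quotes in `for POLFILE in ${POLICY_FILES[@]};` (and likewise `${POLICY_PATCH[@]}`) removes the only thing the array form bought: an element containing whitespace is now word-split, so the string and array cases behave identically and the `declare -p` test is redundant. If both forms are meant to be supported, keep `"${POLICY_FILES[@]}"` for the array and split the string into an array first; if not, document that whitespace in names is unsupported. Also `add_interfaces=1;` is indented with spaces while the surrounding block uses tabs, and `2>/dev/null 2>&1` on `declare -p` is a redundant pair of redirects.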
@@ -195,8 +178,6 @@ selinux-policy-2_src_prepare() {
 
 		cp ${modfiles} "${S}"/${i} \
 			|| die "Failed to copy the module files to ${S}/${i}"
-
-		[ ${add_interfaces} -eq 1 ] && touch "${S}"/${i}/.install_interfaces;
 	done
 }
 
@@ -224,7 +205,7 @@ selinux-policy-2_src_install() {
 			insinto ${BASEDIR}/${i}
 			doins "${S}"/${i}/${j}.pp || die "Failed to add ${j}.pp to ${i}"
 
-			if [[ -f "${S}/${i}/.install_interfaces" ]];
+			if [[ "${POLICY_FILES[@]}" == *"${j}.if"* ]];
 			then
 				insinto ${BASEDIR}/${i}/include/3rd_party
 				doins "${S}"/${i}/${j}.if || die "Failed to add ${j}.if to ${i}"
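Review bot: `[[ "${POLICY_FILES[@]}" == *"${j}.if"* ]]` is a substring test over the joined list, so for `MODS="foo"` an entry `barfoo.if` also matches, and the following `doins` of a `foo.if` that was never built will die. Match whole elements instead, for example by looping over the entries and comparing with `[[ ${f} == "${j}.if" ]]`.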



* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2012-04-22 19:35 Sven Vermeulen
  0 siblings, 0 replies; 41+ messages in thread
From: Sven Vermeulen @ 2012-04-22 19:35 UTC
  To: gentoo-commits

commit:     bdb3ea2d45ee16ef260e01725d7d448610395108
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Apr 22 19:35:37 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Apr 22 19:35:37 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=bdb3ea2d

Adding 3rd_party location, which involves installation of the interface files

---
 eclass/selinux-policy-2.eclass |   24 +++++++++++++++++++++---
 1 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index fb22dd1..c6f993a 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -121,6 +121,10 @@ selinux-policy-2_src_unpack() {
 # content.
 selinux-policy-2_src_prepare() {
 	local modfiles
+	local add_interfaces=0;
+
+	# Create 3rd_party location for user-contributed policies
+	cd "${S}/refpolicy/policy/modules" && mkdir 3rd_party;
 
 	# Patch the sources with the base patchbundle
 	if [[ -n ${BASEPOL} ]];
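Review bot: `cd "${S}/refpolicy/policy/modules" && mkdir 3rd_party;` has no `|| die`, so a failing cd or mkdir (for instance if a future refpolicy ships its own 3rd_party/ directory) is ignored here and only surfaces later as a less obvious copy failure; make it `cd "${S}/refpolicy/policy/modules" && mkdir 3rd_party || die "Failed to create 3rd_party/ location"`. The trailing semicolons on this and the `local add_interfaces=0;` line are unnecessary in bash.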
@@ -133,21 +137,23 @@ selinux-policy-2_src_prepare() {
 		epatch
 	fi
 
-	# Copy additional files to the contrib/ location
+	# Copy additional files to the 3rd_party/ location
 	if [[ "$(declare -p POLICY_FILES 2>/dev/null 2>&1)" == "declare -a"* ]];
 	then
+		add_interfaces=1;
 		cd "${S}/refpolicy/policy/modules"
 		for POLFILE in "${POLICY_FILES[@]}";
 		do
-			cp "${FILESDIR}/${POLFILE}" contrib/ || die "Could not copy over ${POLFILE} to contrib/ location";
+			cp "${FILESDIR}/${POLFILE}" 3rd_party/ || die "Could not copy over ${POLFILE} to 3rd_party/ location";
 		done
 	else
 		if [[ -n ${POLICY_FILES} ]];
 		then
+			add_interfaces=1;
 			cd "${S}/refpolicy/policy/modules"
 			for POLFILE in ${POLICY_FILES};
 			do
-				cp "${FILESDIR}/${POLFILE}" contrib/ || die "Could not copy ${POLFILE} into contrib/ location";
+				cp "${FILESDIR}/${POLFILE}" 3rd_party/ || die "Could not copy ${POLFILE} into 3rd_party/ location";
 			done
 		fi
 	fi
@@ -176,6 +182,10 @@ selinux-policy-2_src_prepare() {
 	for i in ${MODS}; do
 		modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
 		modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
+		if [ ${add_interfaces} -eq 1 ];
+		then
+			modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.if) $modfiles"
+		fi
 	done
 
 	for i in ${POLICY_TYPES}; do
@@ -185,6 +195,8 @@ selinux-policy-2_src_prepare() {
 
 		cp ${modfiles} "${S}"/${i} \
 			|| die "Failed to copy the module files to ${S}/${i}"
+
+		[ ${add_interfaces} -eq 1 ] && touch "${S}"/${i}/.install_interfaces;
 	done
 }
 
@@ -211,6 +223,12 @@ selinux-policy-2_src_install() {
 			einfo "Installing ${i} ${j} policy package"
 			insinto ${BASEDIR}/${i}
 			doins "${S}"/${i}/${j}.pp || die "Failed to add ${j}.pp to ${i}"
+
+			if [[ -f "${S}/${i}/.install_interfaces" ]];
+			then
+				insinto ${BASEDIR}/${i}/include/3rd_party
+				doins "${S}"/${i}/${j}.if || die "Failed to add ${j}.if to ${i}"
+			fi
 		done
 	done
 }
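Review bot: `doins "${S}"/${i}/${j}.if || die` is reached whenever `.install_interfaces` exists, and src_prepare creates that marker as soon as POLICY_FILES is non-empty, whether or not a `.if` file is among the listed files; a module that ships only a `.te` and `.fc` through POLICY_FILES (which the POLICY_FILES description explicitly allows) will therefore die in src_install. Either set `add_interfaces=1` only when a `*.if` entry is present, or guard the install with `[[ -f "${S}/${i}/${j}.if" ]]` before the `doins`.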

* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2012-04-22 19:35 Sven Vermeulen
From: Sven Vermeulen @ 2012-04-22 19:35 UTC
  To: gentoo-commits

commit:     e331cd79231ea08fa39006640112c4c9f1de9b7f
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Apr 22 18:18:36 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Apr 22 18:18:36 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=e331cd79

Policy files are meant to be in filesdir, so already use it

---
 eclass/selinux-policy-2.eclass |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 6724067..fb22dd1 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -139,7 +139,7 @@ selinux-policy-2_src_prepare() {
 		cd "${S}/refpolicy/policy/modules"
 		for POLFILE in "${POLICY_FILES[@]}";
 		do
-			cp "${POLFILE}" contrib/ || die "Could not copy over ${POLFILE} to contrib/ location";
+			cp "${FILESDIR}/${POLFILE}" contrib/ || die "Could not copy over ${POLFILE} to contrib/ location";
 		done
 	else
 		if [[ -n ${POLICY_FILES} ]];
@@ -147,7 +147,7 @@ selinux-policy-2_src_prepare() {
 			cd "${S}/refpolicy/policy/modules"
 			for POLFILE in ${POLICY_FILES};
 			do
-				cp "${POLFILE}" contrib/ || die "Could not copy ${POLFILE} into contrib/ location";
+				cp "${FILESDIR}/${POLFILE}" contrib/ || die "Could not copy ${POLFILE} into contrib/ location";
 			done
 		fi
 	fi

* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2012-04-22 18:07 Sven Vermeulen
From: Sven Vermeulen @ 2012-04-22 18:07 UTC
  To: gentoo-commits

commit:     6fa49b811f98a49d4c80929fbe4665e2aa398491
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Apr 22 18:06:43 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Apr 22 18:06:43 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=6fa49b81

Adding support for POLICY_FILES (mark modules as contrib/ modules)

---
 eclass/selinux-policy-2.eclass |   28 ++++++++++++++++++++++++++++
 1 files changed, 28 insertions(+), 0 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index a20d3e9..6724067 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -38,6 +38,15 @@
 # can be both a simple string (space-separated) or a bash array.
 : ${POLICY_PATCH:=""}
 
+# @ECLASS-VARIABLE: POLICY_FILES
+# @DESCRIPTION:
+# When defined, this contains the files (located in the ebuilds' files/
+# directory) which should be copied as policy module files into the store.
+# Generally, users would want to include at least a .te and .fc file, but .if
+# files are supported as well. The variable can be both a simple string
+# (space-separated) or a bash array.
+: ${POLICY_FILES:=""}
+
 # @ECLASS-VARIABLE: POLICY_TYPES
 # @DESCRIPTION:
 # This variable informs the eclass for which SELinux policies the module should
@@ -124,6 +133,25 @@ selinux-policy-2_src_prepare() {
 		epatch
 	fi
 
+	# Copy additional files to the contrib/ location
+	if [[ "$(declare -p POLICY_FILES 2>/dev/null 2>&1)" == "declare -a"* ]];
+	then
+		cd "${S}/refpolicy/policy/modules"
+		for POLFILE in "${POLICY_FILES[@]}";
+		do
+			cp "${POLFILE}" contrib/ || die "Could not copy over ${POLFILE} to contrib/ location";
+		done
+	else
+		if [[ -n ${POLICY_FILES} ]];
+		then
+			cd "${S}/refpolicy/policy/modules"
+			for POLFILE in ${POLICY_FILES};
+			do
+				cp "${POLFILE}" contrib/ || die "Could not copy ${POLFILE} into contrib/ location";
+			done
+		fi
+	fi
+
 	# Apply the additional patches refered to by the module ebuild.
 	# But first some magic to differentiate between bash arrays and strings
 	if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]];

* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2012-04-22 18:00 Sven Vermeulen
From: Sven Vermeulen @ 2012-04-22 18:00 UTC
  To: gentoo-commits

commit:     c9c0824e1e0ac98a651a991f7266d25783ab542d
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Apr 22 17:59:48 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Apr 22 17:59:48 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=c9c0824e

Adding (as-is) selinux policy eclass

---
 eclass/selinux-policy-2.eclass |  208 ++++++++++++++++++++++++++++++++++++++++
 1 files changed, 208 insertions(+), 0 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
new file mode 100644
index 0000000..a20d3e9
--- /dev/null
+++ b/eclass/selinux-policy-2.eclass
@@ -0,0 +1,208 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.11 2011/08/29 01:28:10 vapier Exp $
+
+# Eclass for installing SELinux policy, and optionally
+# reloading the reference-policy based modules.
+
+# @ECLASS: selinux-policy-2.eclass
+# @MAINTAINER:
+# selinux@gentoo.org
+# @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy
+# @DESCRIPTION:
+# The selinux-policy-2.eclass supports deployment of the various SELinux modules
+# defined in the sec-policy category. It is responsible for extracting the
+# specific bits necessary for single-module deployment (instead of full-blown
+# policy rebuilds) and applying the necessary patches.
+#
+# Also, it supports for bundling patches to make the whole thing just a bit more
+# manageable.
+
+# @ECLASS-VARIABLE: MODS
+# @DESCRIPTION:
+# This variable contains the (upstream) module name for the SELinux module.
+# This name is only the module name, not the category!
+: ${MODS:="_illegal"}
+
+# @ECLASS-VARIABLE: BASEPOL
+# @DESCRIPTION:
+# This variable contains the version string of the selinux-base-policy package
+# that this module build depends on. It is used to patch with the appropriate
+# patch bundle(s) that are part of selinux-base-policy.
+: ${BASEPOL:=""}
+
+# @ECLASS-VARIABLE: POLICY_PATCH
+# @DESCRIPTION:
+# This variable contains the additional patch(es) that need to be applied on top
+# of the patchset already contained within the BASEPOL variable. The variable
+# can be both a simple string (space-separated) or a bash array.
+: ${POLICY_PATCH:=""}
+
+# @ECLASS-VARIABLE: POLICY_TYPES
+# @DESCRIPTION:
+# This variable informs the eclass for which SELinux policies the module should
+# be built. Currently, Gentoo supports targeted, strict, mcs and mls.
+# This variable is the same POLICY_TYPES variable that we tell SELinux
+# users to set in /etc/make.conf. Therefor, it is not the module that should
+# override it, but the user.
+: ${POLICY_TYPES:="targeted strict mcs mls"}
+
+inherit eutils
+
+IUSE=""
+
+HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
+if [[ -n ${BASEPOL} ]];
+then
+	SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2
+		http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
+else
+	SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
+fi
+
+LICENSE="GPL-2"
+SLOT="0"
+S="${WORKDIR}/"
+PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
+
+# Modules should always depend on at least the first release of the
+# selinux-base-policy for which they are generated.
+if [[ -n ${BASEPOL} ]];
+then
+	RDEPEND=">=sys-apps/policycoreutils-2.0.82
+		>=sec-policy/selinux-base-policy-${BASEPOL}"
+else
+	RDEPEND=">=sys-apps/policycoreutils-2.0.82
+		>=sec-policy/selinux-base-policy-${PV}"
+fi
+DEPEND="${RDEPEND}
+	sys-devel/m4
+	>=sys-apps/checkpolicy-2.0.21"
+
+SELINUX_EXPF="src_unpack src_compile src_install pkg_postinst"
+case "${EAPI:-0}" in
+	2|3|4) SELINUX_EXPF+=" src_prepare" ;;
+	*) ;;
+esac
+
+EXPORT_FUNCTIONS ${SELINUX_EXPF}
+
+# @FUNCTION: selinux-policy-2_src_unpack
+# @DESCRIPTION:
+# Unpack the policy sources as offered by upstream (refpolicy). In case of EAPI
+# older than 2, call src_prepare too.
+selinux-policy-2_src_unpack() {
+	unpack ${A}
+
+	# Call src_prepare explicitly for EAPI 0 or 1
+	has "${EAPI:-0}" 0 1 && selinux-policy-2_src_prepare
+}
+
+# @FUNCTION: selinux-policy-2_src_prepare
+# @DESCRIPTION:
+# Patch the reference policy sources with our set of enhancements. Start with
+# the base patchbundle referred to by the ebuilds through the BASEPOL variable,
+# then apply the additional patches as offered by the ebuild.
+#
+# Next, extract only those files needed for this particular module (i.e. the .te
+# and .fc files for the given module in the MODS variable).
+#
+# Finally, prepare the build environments for each of the supported SELinux
+# types (such as targeted or strict), depending on the POLICY_TYPES variable
+# content.
+selinux-policy-2_src_prepare() {
+	local modfiles
+
+	# Patch the sources with the base patchbundle
+	if [[ -n ${BASEPOL} ]];
+	then
+		cd "${S}"
+		EPATCH_MULTI_MSG="Applying SELinux policy updates ... " \
+		EPATCH_SUFFIX="patch" \
+		EPATCH_SOURCE="${WORKDIR}" \
+		EPATCH_FORCE="yes" \
+		epatch
+	fi
+
+	# Apply the additional patches refered to by the module ebuild.
+	# But first some magic to differentiate between bash arrays and strings
+	if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]];
+	then
+		cd "${S}/refpolicy/policy/modules"
+		for POLPATCH in "${POLICY_PATCH[@]}";
+		do
+			epatch "${POLPATCH}"
+		done
+	else
+		if [[ -n ${POLICY_PATCH} ]];
+		then
+			cd "${S}/refpolicy/policy/modules"
+			for POLPATCH in ${POLICY_PATCH};
+			do
+				epatch "${POLPATCH}"
+			done
+		fi
+	fi
+
+	# Collect only those files needed for this particular module
+	for i in ${MODS}; do
+		modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
+		modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
+	done
+
+	for i in ${POLICY_TYPES}; do
+		mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}"
+		cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
+			|| die "Failed to copy Makefile.example to ${S}/${i}/Makefile"
+
+		cp ${modfiles} "${S}"/${i} \
+			|| die "Failed to copy the module files to ${S}/${i}"
+	done
+}
+
+# @FUNCTION: selinux-policy-2_src_compile
+# @DESCRIPTION:
+# Build the SELinux policy module (.pp file) for just the selected module, and
+# this for each SELinux policy mentioned in POLICY_TYPES
+selinux-policy-2_src_compile() {
+	for i in ${POLICY_TYPES}; do
+		# Parallel builds are broken, so we need to force -j1 here
+		emake -j1 NAME=$i -C "${S}"/${i} || die "${i} compile failed"
+	done
+}
+
+# @FUNCTION: selinux-policy-2_src_install
+# @DESCRIPTION:
+# Install the built .pp files in the correct subdirectory within
+# /usr/share/selinux.
+selinux-policy-2_src_install() {
+	local BASEDIR="/usr/share/selinux"
+
+	for i in ${POLICY_TYPES}; do
+		for j in ${MODS}; do
+			einfo "Installing ${i} ${j} policy package"
+			insinto ${BASEDIR}/${i}
+			doins "${S}"/${i}/${j}.pp || die "Failed to add ${j}.pp to ${i}"
+		done
+	done
+}
+
+# @FUNCTION: selinux-policy-2_pkg_postinst
+# @DESCRIPTION:
+# Install the built .pp files in the SELinux policy stores, effectively
+# activating the policy on the system.
+selinux-policy-2_pkg_postinst() {
+	# build up the command in the case of multiple modules
+	local COMMAND
+	for i in ${MODS}; do
+		COMMAND="-i ${i}.pp ${COMMAND}"
+	done
+
+	for i in ${POLICY_TYPES}; do
+		einfo "Inserting the following modules into the $i module store: ${MODS}"
+
+		cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
+		semodule -s ${i} ${COMMAND} || die "Failed to load in modules ${MODS} in the $i policy store"
+	done
+}
+
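Review bot: the `: ${MODS:="_illegal"}` sentinel is never checked, so an ebuild that forgets to set MODS proceeds through src_prepare with `find ... -iname _illegal.te` returning nothing and only fails later at `cp ${modfiles} "${S}"/${i}` with a message about missing module files; add an explicit `[[ ${MODS} == "_illegal" ]] && die "MODS is not set"` at the top of src_prepare. Also, `EPATCH_SOURCE="${WORKDIR}"` together with `EPATCH_FORCE="yes"` applies every `*.patch` found directly in WORKDIR, not only the unpacked patchbundle, which deserves a comment since anything else an ebuild unpacks there with that suffix will be applied too.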

* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-07 10:47 Anthony G. Basile
From: Anthony G. Basile @ 2011-08-07 10:47 UTC
  To: gentoo-commits

commit:     0fc8c9095feaf0c14ed3ae3300ccda5e8326fbec
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun Aug  7 10:47:39 2011 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun Aug  7 10:47:39 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=0fc8c909

eclass/selinux-policy-2.eclass: moved to tree

---
 eclass/selinux-policy-2.eclass |  204 ----------------------------------------
 1 files changed, 0 insertions(+), 204 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
deleted file mode 100644
index 3b75c1f..0000000
--- a/eclass/selinux-policy-2.eclass
+++ /dev/null
@@ -1,204 +0,0 @@
-# Copyright 1999-2011 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.6 2011/05/20 19:06:07 blueness Exp $
-
-# Eclass for installing SELinux policy, and optionally
-# reloading the reference-policy based modules.
-
-# @ECLASS: selinux-policy-2.eclass
-# @MAINTAINER: 
-# selinux@gentoo.org
-# @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy
-# @DESCRIPTION:
-# The selinux-policy-2.eclass supports deployment of the various SELinux modules
-# defined in the sec-policy category. It is responsible for extracting the
-# specific bits necessary for single-module deployment (instead of full-blown
-# policy rebuilds) and applying the necessary patches.
-# 
-# Also, it supports for bundling patches to make the whole thing just a bit more
-# manageable.
-
-# @ECLASS-VARIABLE: MODS
-# @DESCRIPTION: 
-# This variable contains the (upstream) module name for the SELinux module.
-# This name is only the module name, not the category!
-: ${MODS:="_illegal"}
-
-# @ECLASS-VARIABLE: BASEPOL
-# @DESCRIPTION:
-# This variable contains the version string of the selinux-base-policy package
-# that this module build depends on. It is used to patch with the appropriate
-# patch bundle(s) that are part of selinux-base-policy. 
-: ${BASEPOL:=""}
-
-# @ECLASS-VARIABLE: POLICY_PATCH
-# @DESCRIPTION:
-# This variable contains the additional patch(es) that need to be applied on top
-# of the patchset already contained within the BASEPOL variable. The variable
-# can be both a simple string (space-separated) or a bash array.
-: ${POLICY_PATCH:=""}
-
-# @ECLASS-VARIABLE: POLICY_TYPES
-# @DESCRIPTION:
-# This variable informs the eclass for which SELinux policies the module should
-# be built. Currently, Gentoo supports targeted, strict, mcs and mls.
-# This variable is the same POLICY_TYPES variable that we tell SELinux
-# users to set in /etc/make.conf. Therefor, it is not the module that should
-# override it, but the user.
-: ${POLICY_TYPES:="targeted strict mcs mls"}
-
-inherit eutils
-
-IUSE=""
-
-HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
-if [[ -n ${BASEPOL} ]];
-then
-	SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2
-		http://dev.gentoo.org/~blueness/patchbundle-selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
-else
-	SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
-fi
-
-LICENSE="GPL-2"
-SLOT="0"
-S="${WORKDIR}/"
-PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
-
-# Modules should always depend on at least the first release of the
-# selinux-base-policy for which they are generated.
-if [[ -n ${BASEPOL} ]];
-then
-	RDEPEND=">=sys-apps/policycoreutils-2.0.82
-		>=sec-policy/selinux-base-policy-${BASEPOL}"
-else
-	RDEPEND=">=sys-apps/policycoreutils-2.0.82
-		>=sec-policy/selinux-base-policy-${PV}"
-fi
-DEPEND="${RDEPEND}
-	sys-devel/m4
-	>=sys-apps/checkpolicy-2.0.21"
-
-SELINUX_EXPF="src_unpack src_compile src_install pkg_postinst"
-case "${EAPI:-0}" in
-	2|3|4) SELINUX_EXPF+=" src_prepare" ;;
-	*) ;;
-esac
-
-EXPORT_FUNCTIONS ${SELINUX_EXPF}
-
-# @FUNCTION: selinux-policy-2_src_unpack
-# @DESCRIPTION:
-# Unpack the policy sources as offered by upstream (refpolicy). In case of EAPI
-# older than 2, call src_prepare too.
-selinux-policy-2_src_unpack() {
-	unpack ${A}
-
-	# Call src_prepare explicitly for EAPI 0 or 1
-	has "${EAPI:-0}" 0 1 && selinux-policy-2_src_prepare
-}
-
-# @FUNCTION: selinux-policy-2_src_prepare
-# @DESCRIPTION:
-# Patch the reference policy sources with our set of enhancements. Start with
-# the base patchbundle referred to by the ebuilds through the BASEPOL variable,
-# then apply the additional patches as offered by the ebuild.
-# 
-# Next, extract only those files needed for this particular module (i.e. the .te
-# and .fc files for the given module in the MODS variable).
-# 
-# Finally, prepare the build environments for each of the supported SELinux
-# types (such as targeted or strict), depending on the POLICY_TYPES variable
-# content.
-selinux-policy-2_src_prepare() {
-	local modfiles
-
-	# Patch the sources with the base patchbundle
-	if [[ -n ${BASEPOL} ]];
-	then
-		cd "${S}"
-		epatch "${PATCHBUNDLE}"
-	fi
-
-	# Apply the additional patches refered to by the module ebuild.
-	# But first some magic to differentiate between bash arrays and strings
-	if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]];
-	then
-		cd "${S}/refpolicy/policy/modules"
-		for POLPATCH in "${POLICY_PATCH[@]}";
-		do
-			epatch "${POLPATCH}"
-		done
-	else
-		if [[ -n ${POLICY_PATCH} ]];
-		then
-			cd "${S}/refpolicy/policy/modules"
-			for POLPATCH in ${POLICY_PATCH};
-			do
-				epatch "${POLPATCH}"
-			done
-		fi
-	fi
-
-	# Collect only those files needed for this particular module
-	for i in ${MODS}; do
-		modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
-		modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
-	done
-
-	for i in ${POLICY_TYPES}; do
-		mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}"
-		cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
-			|| die "Failed to copy Makefile.example to ${S}/${i}/Makefile"
-
-		cp ${modfiles} "${S}"/${i} \
-			|| die "Failed to copy the module files to ${S}/${i}"
-	done
-}
-
-# @FUNCTION: selinux-policy-2_src_compile
-# @DESCRIPTION: 
-# Build the SELinux policy module (.pp file) for just the selected module, and
-# this for each SELinux policy mentioned in POLICY_TYPES
-selinux-policy-2_src_compile() {
-	for i in ${POLICY_TYPES}; do
-		# Parallel builds are broken, so we need to force -j1 here
-		emake -j1 NAME=$i -C "${S}"/${i} || die "${i} compile failed"
-	done
-}
-
-# @FUNCTION: selinux-policy-2_src_install
-# @DESCRIPTION:
-# Install the built .pp files in the correct subdirectory within
-# /usr/share/selinux.
-selinux-policy-2_src_install() {
-	local BASEDIR="/usr/share/selinux"
-
-	for i in ${POLICY_TYPES}; do
-		for j in ${MODS}; do
-			einfo "Installing ${i} ${j} policy package"
-			insinto ${BASEDIR}/${i}
-			doins "${S}"/${i}/${j}.pp || die "Failed to add ${j}.pp to ${i}"
-		done
-	done
-}
-
-# @FUNCTION: selinux-policy-2_pkg_postinst
-# @DESCRIPTION:
-# Install the built .pp files in the SELinux policy stores, effectively
-# activating the policy on the system.
-selinux-policy-2_pkg_postinst() {
-	# build up the command in the case of multiple modules
-	local COMMAND
-	for i in ${MODS}; do
-		COMMAND="-i ${i}.pp ${COMMAND}"
-	done
-
-	for i in ${POLICY_TYPES}; do
-		einfo "Inserting the following modules into the $i module store: ${MODS}"
-
-		cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
-		semodule -s ${i} ${COMMAND} || die "Failed to load in modules ${MODS} in the $i policy store"
-	done
-}
-

* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 19:16 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03 19:16 UTC
  To: gentoo-commits

commit:     0e949f45a78986a1779e22f297e221ebc1569dcd
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug  3 19:02:18 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug  3 19:02:18 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=0e949f45

Quotation within bash test statements are not needed. Thanks to Peter Volkov (pva <AT> g.o)

---
 eclass/selinux-policy-2.eclass |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 086d835..400abb7 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -120,9 +120,9 @@ selinux-policy-2_src_prepare() {
 	fi
 
 	# Apply the additional patches refered to by the module ebuild
-	if [[ -n "${POLICY_PATCH}" ]];
+	if [[ -n ${POLICY_PATCH} ]];
 	then
-		for POLPATCH in "${POLICY_PATCH}";
+		for POLPATCH in ${POLICY_PATCH};
 		do
 			cd "${S}/refpolicy/policy/modules"
 			epatch "${POLPATCH}"
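Review bot: `cd "${S}/refpolicy/policy/modules"` sits inside the loop body, so it is re-executed for every patch in POLICY_PATCH; hoist it above the `for POLPATCH in ${POLICY_PATCH};` line. Dropping the quotes is correct for the space-separated string form, but it is worth a comment that the expansion is intentionally unquoted, otherwise a later cleanup will "fix" it and break multi-patch lists.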

* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 19:16 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03 19:16 UTC
  To: gentoo-commits

commit:     a5a72f5b16fc711977cd8798cb6bcb16769d7e8f
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug  3 19:15:36 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug  3 19:15:36 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=a5a72f5b

Support bash arrays for POLICY_PATCH. Thanks to Peter Volkov (pva <AT> g.o)

---
 eclass/selinux-policy-2.eclass |   21 ++++++++++++++++-----
 1 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 400abb7..3b75c1f 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -34,7 +34,8 @@
 # @ECLASS-VARIABLE: POLICY_PATCH
 # @DESCRIPTION:
 # This variable contains the additional patch(es) that need to be applied on top
-# of the patchset already contained within the BASEPOL variable. 
+# of the patchset already contained within the BASEPOL variable. The variable
+# can be both a simple string (space-separated) or a bash array.
 : ${POLICY_PATCH:=""}
 
 # @ECLASS-VARIABLE: POLICY_TYPES
@@ -119,14 +120,24 @@ selinux-policy-2_src_prepare() {
 		epatch "${PATCHBUNDLE}"
 	fi
 
-	# Apply the additional patches refered to by the module ebuild
-	if [[ -n ${POLICY_PATCH} ]];
+	# Apply the additional patches refered to by the module ebuild.
+	# But first some magic to differentiate between bash arrays and strings
+	if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]];
 	then
-		for POLPATCH in ${POLICY_PATCH};
+		cd "${S}/refpolicy/policy/modules"
+		for POLPATCH in "${POLICY_PATCH[@]}";
 		do
-			cd "${S}/refpolicy/policy/modules"
 			epatch "${POLPATCH}"
 		done
+	else
+		if [[ -n ${POLICY_PATCH} ]];
+		then
+			cd "${S}/refpolicy/policy/modules"
+			for POLPATCH in ${POLICY_PATCH};
+			do
+				epatch "${POLPATCH}"
+			done
+		fi
 	fi
 
 	# Collect only those files needed for this particular module
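Review bot: in `declare -p POLICY_PATCH 2>/dev/null 2>&1` the second redirection wins, so stderr is sent to the captured stdout rather than discarded; the test still works because "declare: POLICY_PATCH: not found" does not start with "declare -a", but `2>/dev/null` alone expresses the intent. The `else` followed by a nested `if [[ -n ${POLICY_PATCH} ]]` can be an `elif`, which removes one indentation level and the duplicated `cd`.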

* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 19:01 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03 19:01 UTC
  To: gentoo-commits

commit:     8d254c9a2cb65463e5a639207c5874d05bdb6990
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug  3 19:00:25 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug  3 19:00:25 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=8d254c9a

Use emake instead of make. Force -j1 since parallel builds are broken. Thanks to Peter Volkov (pva <AT> g.o)

---
 eclass/selinux-policy-2.eclass |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 2c9fac0..086d835 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -151,7 +151,8 @@ selinux-policy-2_src_prepare() {
 # this for each SELinux policy mentioned in POLICY_TYPES
 selinux-policy-2_src_compile() {
 	for i in ${POLICY_TYPES}; do
-		make NAME=$i -C "${S}"/${i} || die "${i} compile failed"
+		# Parallel builds are broken, so we need to force -j1 here
+		emake -j1 NAME=$i -C "${S}"/${i} || die "${i} compile failed"
 	done
 }
 

* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 19:01 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03 19:01 UTC
  To: gentoo-commits

commit:     9b650758a5b4d4353b9c759cb566161f3a1402f6
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug  3 13:23:26 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug  3 13:23:26 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=9b650758

Emake fails here with weird errors about missing files that should be generated during the make session

---
 eclass/selinux-policy-2.eclass |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 75b20ba..2c9fac0 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -151,7 +151,7 @@ selinux-policy-2_src_prepare() {
 # this for each SELinux policy mentioned in POLICY_TYPES
 selinux-policy-2_src_compile() {
 	for i in ${POLICY_TYPES}; do
-		emake NAME=$i -C "${S}"/${i} || die "${i} compile failed"
+		make NAME=$i -C "${S}"/${i} || die "${i} compile failed"
 	done
 }
 
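Review bot: replacing `emake` with a bare `make NAME=$i -C "${S}"/${i}` bypasses MAKEOPTS and the package manager's make wrapper entirely, which hides rather than fixes the problem; if the "missing generated files" errors come from parallel execution of the refpolicy Makefile, keep `emake` and force serial builds with `emake -j1 ...` (a trailing `-j1` overrides any `-jN` from MAKEOPTS), and record the reason in a comment.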

* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 13:14 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03 13:14 UTC
  To: gentoo-commits

commit:     b73399d26ce05e9c82d38e5cb1af11f7203cad55
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug  3 13:13:41 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug  3 13:13:41 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=b73399d2

Awch, messed around -n and -z

---
 eclass/selinux-policy-2.eclass |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index c953a36..75b20ba 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -53,10 +53,10 @@ IUSE=""
 HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
 if [[ -n ${BASEPOL} ]];
 then
-	SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
-else
 	SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2
 		http://dev.gentoo.org/~blueness/patchbundle-selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
+else
+	SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
 fi
 
 LICENSE="GPL-2"
@@ -69,10 +69,10 @@ PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
 if [[ -n ${BASEPOL} ]];
 then
 	RDEPEND=">=sys-apps/policycoreutils-2.0.82
-		>=sec-policy/selinux-base-policy-${PV}"
+		>=sec-policy/selinux-base-policy-${BASEPOL}"
 else
 	RDEPEND=">=sys-apps/policycoreutils-2.0.82
-		>=sec-policy/selinux-base-policy-${BASEPOL}"
+		>=sec-policy/selinux-base-policy-${PV}"
 fi
 DEPEND="${RDEPEND}
 	sys-devel/m4

* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 11:58 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03 11:58 UTC
  To: gentoo-commits

commit:     0d82dd29d5e286586d4776746d12f66f6f517357
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug  3 11:56:23 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug  3 11:56:23 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=0d82dd29

Use einfo for showing progress information. Thanks to Peter Volkov (pva <AT> g.o)

---
 eclass/selinux-policy-2.eclass |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 0229ad4..ed3f5af 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -164,7 +164,7 @@ selinux-policy-2_src_install() {
 
 	for i in ${POLICY_TYPES}; do
 		for j in ${MODS}; do
-			echo "Installing ${i} ${j} policy package"
+			einfo "Installing ${i} ${j} policy package"
 			insinto ${BASEDIR}/${i}
 			doins "${S}"/${i}/${j}.pp
 		done



* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 11:58 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03 11:58 UTC
  To: gentoo-commits

commit:     5d5e738bf014a81a9d558204de486d188dc8afd3
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug  3 11:58:20 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug  3 11:58:20 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=5d5e738b

Use die on doins (needed for EAPI < 4). Thanks to Peter Volkov (pva <AT> g.o)

---
 eclass/selinux-policy-2.eclass |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index ed3f5af..c953a36 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -166,7 +166,7 @@ selinux-policy-2_src_install() {
 		for j in ${MODS}; do
 			einfo "Installing ${i} ${j} policy package"
 			insinto ${BASEDIR}/${i}
-			doins "${S}"/${i}/${j}.pp
+			doins "${S}"/${i}/${j}.pp || die "Failed to add ${j}.pp to ${i}"
 		done
 	done
 }
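Review bot: Needed, since doins only returns non-zero instead of dying in EAPI < 4. The `insinto ${BASEDIR}/${i}` on the line above stays unquoted; BASEDIR is a fixed path and POLICY_TYPES entries are single words so it is safe, but `insinto "${BASEDIR}/${i}"` would match the quoting used for `"${S}"` in the same loop.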



* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 11:58 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03 11:58 UTC
  To: gentoo-commits

commit:     b5eaa0acf1f5497cdbc5fe41329e8a510dc19284
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug  3 11:18:16 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug  3 11:18:16 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=b5eaa0ac

Use $(...) instead of backticks. Thanks to Peter Volkov (pva <AT> g.o)

---
 eclass/selinux-policy-2.eclass |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 5b92514..83ac176 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -131,8 +131,8 @@ selinux-policy-2_src_prepare() {
 
 	# Collect only those files needed for this particular module
 	for i in ${MODS}; do
-		modfiles="`find ${S}/refpolicy/policy/modules -iname $i.te` $modfiles"
-		modfiles="`find ${S}/refpolicy/policy/modules -iname $i.fc` $modfiles"
+		modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
+		modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
 	done
 
 	for i in ${POLICY_TYPES}; do
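Review bot: While moving to `$(...)`, `${S}` and `$i` remain unquoted inside the find arguments and `-iname` matches case-insensitively, so a file differing only in case from the requested module would be collected too; prefer `-name` and quote `"${S}"`. If find matches nothing, modfiles silently stays empty and the problem only surfaces at the later `cp ${modfiles}` step, so a `[[ -n ${modfiles} ]] || die "no module files found for ${MODS}"` after this loop would give a much clearer error.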



* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 11:58 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03 11:58 UTC
  To: gentoo-commits

commit:     3c5f2f67bbb75895798b3efb0fd7811d2447bf15
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug  3 11:23:23 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug  3 11:23:23 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=3c5f2f67

Add die statements where appropriate. Thanks to Peter Volkov (pva <AT> g.o)

---
 eclass/selinux-policy-2.eclass |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 83ac176..423553a 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -136,10 +136,12 @@ selinux-policy-2_src_prepare() {
 	done
 
 	for i in ${POLICY_TYPES}; do
-		mkdir "${S}"/${i}
-		cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile
+		mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}"
+		cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
+			|| die "Failed to copy Makefile.example to ${S}/${i}/Makefile"
 
-		cp ${modfiles} "${S}"/${i}
+		cp ${modfiles} "${S}"/${i} \
+			|| die "Failed to copy the module files to ${S}/${i}"
 	done
 }
 
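Review bot: The die on `cp ${modfiles}` also catches the case where modfiles is empty (cp with a single operand exits non-zero), but the message will then say the module files could not be copied rather than that none were found; a check on modfiles before this loop would give the precise error. The unquoted `${modfiles}` is intentional here because it is a space-separated list and must word-split.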
@@ -183,7 +185,7 @@ selinux-policy-2_pkg_postinst() {
 	for i in ${POLICY_TYPES}; do
 		einfo "Inserting the following modules into the $i module store: ${MODS}"
 
-		cd /usr/share/selinux/${i}
+		cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
 		semodule -s ${i} ${COMMAND} || die "Failed to load in modules ${MODS} in the $i policy store"
 	done
 }
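Review bot: The die on cd is correct, but this function still changes into /usr/share/selinux/${i} and calls semodule without regard to `${ROOT}`; when a package is installed into a non-root ROOT, the module is loaded into the build host's live policy store instead of the target's. Guard the semodule call with a ROOT check (run it only when ROOT is /) or document the limitation in the @DESCRIPTION.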



* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 11:58 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03 11:58 UTC
  To: gentoo-commits

commit:     2f23308160e9aab96410721249df4534b26bb087
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug  3 11:55:54 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug  3 11:55:54 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=2f233081

Use emake instead of make. Thanks to Peter Volkov (pva <AT> g.o)

---
 eclass/selinux-policy-2.eclass |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 423553a..0229ad4 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -151,7 +151,7 @@ selinux-policy-2_src_prepare() {
 # this for each SELinux policy mentioned in POLICY_TYPES
 selinux-policy-2_src_compile() {
 	for i in ${POLICY_TYPES}; do
-		make NAME=$i -C "${S}"/${i} || die "${i} compile failed"
+		emake NAME=$i -C "${S}"/${i} || die "${i} compile failed"
 	done
 }
 
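Review bot: emake passes the user's MAKEOPTS, so this build now runs with `-jN` where plain make did not; confirm that refpolicy's Makefile.example is safe to run in parallel for a single-module build, otherwise pass `-j1` explicitly here.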



* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 11:58 Sven Vermeulen
  0 siblings, 0 replies; 41+ messages in thread
From: Sven Vermeulen @ 2011-08-03 11:58 UTC (permalink / raw
  To: gentoo-commits

commit:     56283a111f9abeeb4bceb9a7d3adf371cfa2a35a
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug  3 11:14:45 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug  3 11:14:45 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=56283a11

Use bash tests. Do not use quotation when we are confident that the variable is declared properly and does not contain spaces or escaped characters. POLICY_PATCH requires quotation as it can contain spaces. Thanks to Peter Volkov (pva <AT> g.o)

---
 eclass/selinux-policy-2.eclass |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 61a67b5..9808fab 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -51,7 +51,7 @@ inherit eutils
 IUSE=""
 
 HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
-if [[ -n "${BASEPOL}" ]];
+if [[ -n ${BASEPOL} ]];
 then
 	SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
 else
@@ -66,7 +66,7 @@ PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
 
 # Modules should always depend on at least the first release of the
 # selinux-base-policy for which they are generated.
-if [[ -n "${BASEPOL}" ]];
+if [[ -n ${BASEPOL} ]];
 then
 	RDEPEND=">=sys-apps/policycoreutils-2.0.82
 		>=sec-policy/selinux-base-policy-${PV}"
@@ -113,14 +113,14 @@ selinux-policy-2_src_prepare() {
 	local modfiles
 
 	# Patch the sources with the base patchbundle
-	if [[ -n "${BASEPOL}" ]];
+	if [[ -n ${BASEPOL} ]];
 	then
 		cd "${S}"
 		epatch "${PATCHBUNDLE}"
 	fi
 
 	# Apply the additional patches refered to by the module ebuild
-	if [ -n "${POLICY_PATCH}" ];
+	if [[ -n "${POLICY_PATCH}" ]];
 	then
 		for POLPATCH in "${POLICY_PATCH}";
 		do
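Review bot: The `[ ]` to `[[ ]]` change is fine, but the loop two lines below, `for POLPATCH in "${POLICY_PATCH}";`, quotes the whole variable, so it iterates exactly once over the entire string. If POLICY_PATCH is meant to hold several space-separated patches, they are handed to epatch as one path and the apply fails; either iterate unquoted (`for POLPATCH in ${POLICY_PATCH}`), accepting that individual paths cannot contain spaces, or make POLICY_PATCH an array and loop over `"${POLICY_PATCH[@]}"`.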



* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 11:58 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03 11:58 UTC
  To: gentoo-commits

commit:     9fad4b94864b862d60ca24a0dac34e65b35d4000
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug  3 11:15:47 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug  3 11:15:47 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=9fad4b94

epatch always dies (not related to any EAPI). Thanks to Peter Volkov (pva <AT> g.o)

---
 eclass/selinux-policy-2.eclass |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 9808fab..5b92514 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -125,9 +125,7 @@ selinux-policy-2_src_prepare() {
 		for POLPATCH in "${POLICY_PATCH}";
 		do
 			cd "${S}/refpolicy/policy/modules"
-			# Although epatch dies in EAPI=4 by itself, we support other EAPIs
-			# too for the time being, so we explicitly die on it.
-			epatch "${POLPATCH}" || die "Failed to apply patch ${POLPATCH}"
+			epatch "${POLPATCH}"
 		done
 	fi
 
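Review bot: Dropping the redundant `|| die` is right since epatch dies on its own. The `cd "${S}/refpolicy/policy/modules"` directly above it, however, still has no `|| die`, and neither does the `cd "${S}"` before the patchbundle epatch earlier in this function; if either cd fails, epatch runs in whatever directory the shell happened to be in. Add `|| die` to both for consistency with the other die additions in this series.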



* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 11:58 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03 11:58 UTC
  To: gentoo-commits

commit:     0162eaf09d639ea29b088b569ca1cdf147c2b370
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug  3 11:05:56 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug  3 11:05:56 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=0162eaf0

Make BASEPOL checks consistent with POLICY_PATCH checks, thanks to Peter Volkov (pva <AT> g.o)

---
 eclass/selinux-policy-2.eclass |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 3c42633..6ae1046 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -29,7 +29,7 @@
 # This variable contains the version string of the selinux-base-policy package
 # that this module build depends on. It is used to patch with the appropriate
 # patch bundle(s) that are part of selinux-base-policy. 
-: ${BASEPOL:="0"}
+: ${BASEPOL:=""}
 
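Review bot: With the default changed from "0" to an empty string, the @DESCRIPTION above should state that an empty BASEPOL means no patchbundle is fetched or applied; as written it only describes the version-string meaning.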
 # @ECLASS-VARIABLE: POLICY_PATCH
 # @DESCRIPTION:
@@ -51,7 +51,7 @@ inherit eutils
 IUSE=""
 
 HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
-if [[ "${BASEPOL}" == "0" ]];
+if [[ -n "${BASEPOL}" ]];
 then
 	SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
 else
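Review bot: The condition's meaning flipped but the branches did not: `"${BASEPOL}" == "0"` was true for the unset default, whereas `-n "${BASEPOL}"` is true when BASEPOL is set. As written, an ebuild that sets BASEPOL fetches only refpolicy, while an ebuild with BASEPOL empty tries to fetch a patchbundle URL with an empty version. The two SRC_URI assignments need to be swapped.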
@@ -66,7 +66,7 @@ PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
 
 # Modules should always depend on at least the first release of the
 # selinux-base-policy for which they are generated.
-if [[ "${BASEPOL}" == "0" ]];
+if [[ -n "${BASEPOL}" ]];
 then
 	RDEPEND=">=sys-apps/policycoreutils-2.0.82
 		>=sec-policy/selinux-base-policy-${PV}"
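Review bot: Same inversion as the SRC_URI hunk: with `-n`, a module that sets BASEPOL now depends on selinux-base-policy-${PV} instead of -${BASEPOL}, and the else branch expands to an atom with an empty version. Swap the two RDEPEND assignments as well.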
@@ -116,7 +116,7 @@ selinux-policy-2_src_prepare() {
 	local modfiles
 
 	# Patch the sources with the base patchbundle
-	if [[ "${BASEPOL}" != "0" ]];
+	if [[ -n "${BASEPOL}" ]];
 	then
 		cd "${S}"
 		epatch "${PATCHBUNDLE}"



* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03 11:58 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03 11:58 UTC
  To: gentoo-commits

commit:     0223c058850ff90c8d6495f3408c0e0445198d9e
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug  3 11:12:43 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug  3 11:12:43 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=0223c058

EAPI is a string, not a number. Use has function. Thanks to Peter Volkov (pva <AT> g.o)

---
 eclass/selinux-policy-2.eclass |    7 ++-----
 1 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 6ae1046..61a67b5 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -93,11 +93,8 @@ EXPORT_FUNCTIONS ${SELINUX_EXPF}
 selinux-policy-2_src_unpack() {
 	unpack ${A}
 
-	if [[ ${EAPI:-0} -le 1 ]];
-	then
-		# Call src_prepare explicitly for EAPI 0 or 1
-		selinux-policy-2_src_prepare
-	fi
+	# Call src_prepare explicitly for EAPI 0 or 1
+	has "${EAPI:-0}" 0 1 && selinux-policy-2_src_prepare
 }
 
 # @FUNCTION: selinux-policy-2_src_prepare
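Review bot: `has` is the right tool here since EAPI is a string, not an integer. Keep this `0 1` list in sync with the case statement that adds src_prepare to SELINUX_EXPF for EAPI 2|3|4 elsewhere in the eclass: an EAPI missing from both lists would get src_prepare neither exported nor called explicitly, and the patchbundle would silently never be applied.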



* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-08-03  8:29 Sven Vermeulen
From: Sven Vermeulen @ 2011-08-03  8:29 UTC
  To: gentoo-commits

commit:     6c782ad7479b4e661a8c0616f7f3bff17d04b1b0
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug  3 08:28:32 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug  3 08:28:32 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=6c782ad7

Adding updated selinux-policy-2 eclass

---
 eclass/selinux-policy-2.eclass |  195 ++++++++++++++++++++++++++++++++++++++++
 1 files changed, 195 insertions(+), 0 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
new file mode 100644
index 0000000..3c42633
--- /dev/null
+++ b/eclass/selinux-policy-2.eclass
@@ -0,0 +1,195 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.6 2011/05/20 19:06:07 blueness Exp $
+
+# Eclass for installing SELinux policy, and optionally
+# reloading the reference-policy based modules.
+
+# @ECLASS: selinux-policy-2.eclass
+# @MAINTAINER: 
+# selinux@gentoo.org
+# @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy
+# @DESCRIPTION:
+# The selinux-policy-2.eclass supports deployment of the various SELinux modules
+# defined in the sec-policy category. It is responsible for extracting the
+# specific bits necessary for single-module deployment (instead of full-blown
+# policy rebuilds) and applying the necessary patches.
+# 
+# Also, it supports for bundling patches to make the whole thing just a bit more
+# manageable.
+
+# @ECLASS-VARIABLE: MODS
+# @DESCRIPTION: 
+# This variable contains the (upstream) module name for the SELinux module.
+# This name is only the module name, not the category!
+: ${MODS:="_illegal"}
+
+# @ECLASS-VARIABLE: BASEPOL
+# @DESCRIPTION:
+# This variable contains the version string of the selinux-base-policy package
+# that this module build depends on. It is used to patch with the appropriate
+# patch bundle(s) that are part of selinux-base-policy. 
+: ${BASEPOL:="0"}
+
+# @ECLASS-VARIABLE: POLICY_PATCH
+# @DESCRIPTION:
+# This variable contains the additional patch(es) that need to be applied on top
+# of the patchset already contained within the BASEPOL variable. 
+: ${POLICY_PATCH:=""}
+
+# @ECLASS-VARIABLE: POLICY_TYPES
+# @DESCRIPTION:
+# This variable informs the eclass for which SELinux policies the module should
+# be built. Currently, Gentoo supports targeted, strict, mcs and mls.
+# This variable is the same POLICY_TYPES variable that we tell SELinux
+# users to set in /etc/make.conf. Therefor, it is not the module that should
+# override it, but the user.
+: ${POLICY_TYPES:="targeted strict mcs mls"}
+
+inherit eutils
+
+IUSE=""
+
+HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
+if [[ "${BASEPOL}" == "0" ]];
+then
+	SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
+else
+	SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2
+		http://dev.gentoo.org/~blueness/patchbundle-selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
+fi
+
+LICENSE="GPL-2"
+SLOT="0"
+S="${WORKDIR}/"
+PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
+
+# Modules should always depend on at least the first release of the
+# selinux-base-policy for which they are generated.
+if [[ "${BASEPOL}" == "0" ]];
+then
+	RDEPEND=">=sys-apps/policycoreutils-2.0.82
+		>=sec-policy/selinux-base-policy-${PV}"
+else
+	RDEPEND=">=sys-apps/policycoreutils-2.0.82
+		>=sec-policy/selinux-base-policy-${BASEPOL}"
+fi
+DEPEND="${RDEPEND}
+	sys-devel/m4
+	>=sys-apps/checkpolicy-2.0.21"
+
+SELINUX_EXPF="src_unpack src_compile src_install pkg_postinst"
+case "${EAPI:-0}" in
+	2|3|4) SELINUX_EXPF+=" src_prepare" ;;
+	*) ;;
+esac
+
+EXPORT_FUNCTIONS ${SELINUX_EXPF}
+
+# @FUNCTION: selinux-policy-2_src_unpack
+# @DESCRIPTION:
+# Unpack the policy sources as offered by upstream (refpolicy). In case of EAPI
+# older than 2, call src_prepare too.
+selinux-policy-2_src_unpack() {
+	unpack ${A}
+
+	if [[ ${EAPI:-0} -le 1 ]];
+	then
+		# Call src_prepare explicitly for EAPI 0 or 1
+		selinux-policy-2_src_prepare
+	fi
+}
+
+# @FUNCTION: selinux-policy-2_src_prepare
+# @DESCRIPTION:
+# Patch the reference policy sources with our set of enhancements. Start with
+# the base patchbundle referred to by the ebuilds through the BASEPOL variable,
+# then apply the additional patches as offered by the ebuild.
+# 
+# Next, extract only those files needed for this particular module (i.e. the .te
+# and .fc files for the given module in the MODS variable).
+# 
+# Finally, prepare the build environments for each of the supported SELinux
+# types (such as targeted or strict), depending on the POLICY_TYPES variable
+# content.
+selinux-policy-2_src_prepare() {
+	local modfiles
+
+	# Patch the sources with the base patchbundle
+	if [[ "${BASEPOL}" != "0" ]];
+	then
+		cd "${S}"
+		epatch "${PATCHBUNDLE}"
+	fi
+
+	# Apply the additional patches refered to by the module ebuild
+	if [ -n "${POLICY_PATCH}" ];
+	then
+		for POLPATCH in "${POLICY_PATCH}";
+		do
+			cd "${S}/refpolicy/policy/modules"
+			# Although epatch dies in EAPI=4 by itself, we support other EAPIs
+			# too for the time being, so we explicitly die on it.
+			epatch "${POLPATCH}" || die "Failed to apply patch ${POLPATCH}"
+		done
+	fi
+
+	# Collect only those files needed for this particular module
+	for i in ${MODS}; do
+		modfiles="`find ${S}/refpolicy/policy/modules -iname $i.te` $modfiles"
+		modfiles="`find ${S}/refpolicy/policy/modules -iname $i.fc` $modfiles"
+	done
+
+	for i in ${POLICY_TYPES}; do
+		mkdir "${S}"/${i}
+		cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile
+
+		cp ${modfiles} "${S}"/${i}
+	done
+}
+
+# @FUNCTION: selinux-policy-2_src_compile
+# @DESCRIPTION: 
+# Build the SELinux policy module (.pp file) for just the selected module, and
+# this for each SELinux policy mentioned in POLICY_TYPES
+selinux-policy-2_src_compile() {
+	for i in ${POLICY_TYPES}; do
+		make NAME=$i -C "${S}"/${i} || die "${i} compile failed"
+	done
+}
+
+# @FUNCTION: selinux-policy-2_src_install
+# @DESCRIPTION:
+# Install the built .pp files in the correct subdirectory within
+# /usr/share/selinux.
+selinux-policy-2_src_install() {
+	local BASEDIR="/usr/share/selinux"
+
+	for i in ${POLICY_TYPES}; do
+		for j in ${MODS}; do
+			echo "Installing ${i} ${j} policy package"
+			insinto ${BASEDIR}/${i}
+			doins "${S}"/${i}/${j}.pp
+		done
+	done
+}
+
+# @FUNCTION: selinux-policy-2_pkg_postinst
+# @DESCRIPTION:
+# Install the built .pp files in the SELinux policy stores, effectively
+# activating the policy on the system.
+selinux-policy-2_pkg_postinst() {
+	# build up the command in the case of multiple modules
+	local COMMAND
+	for i in ${MODS}; do
+		COMMAND="-i ${i}.pp ${COMMAND}"
+	done
+
+	for i in ${POLICY_TYPES}; do
+		einfo "Inserting the following modules into the $i module store: ${MODS}"
+
+		cd /usr/share/selinux/${i}
+		semodule -s ${i} ${COMMAND} || die "Failed to load in modules ${MODS} in the $i policy store"
+	done
+}
+
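Review bot: Several issues in this initial version are addressed by the follow-up commits in this thread (backticks in the find calls, mkdir and cp without `|| die`, `[ ]` mixed with `[[ ]]`, the `"${BASEPOL}" == "0"` sentinel). Two remain open: selinux-policy-2_pkg_postinst changes into /usr/share/selinux/${i} and runs semodule without regard to `${ROOT}`, so an install into a non-root ROOT modifies the build host's live policy store; and the `_illegal` default for MODS is never checked, so an ebuild that forgets to set MODS silently searches for a module named _illegal and fails later at the cp step with an unrelated message. A `[[ ${MODS} != _illegal ]] || die` near the top of src_prepare would catch that early. The quoted `for POLPATCH in "${POLICY_PATCH}"` also iterates once over the whole string rather than per patch.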



* [gentoo-commits] proj/hardened-dev:master commit in: eclass/
@ 2011-05-15 13:33 Sven Vermeulen
From: Sven Vermeulen @ 2011-05-15 13:33 UTC
  To: gentoo-commits

commit:     6ad31711c339f1dfba4c3594388aa3ed10bfea43
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun May 15 13:30:41 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun May 15 13:30:41 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=6ad31711

Update on eclass, fail build when module fails to load, as per agreement on gentoo-hardened <AT> g.o

---
 eclass/selinux-policy-2.eclass |   92 ++++++++++++++++++++++++++++++++++++++++
 1 files changed, 92 insertions(+), 0 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
new file mode 100644
index 0000000..710c23a
--- /dev/null
+++ b/eclass/selinux-policy-2.eclass
@@ -0,0 +1,92 @@
+# Copyright 1999-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.5 2011/02/05 11:28:10 blueness Exp $
+
+# Eclass for installing SELinux policy, and optionally
+# reloading the reference-policy based modules.
+
+inherit eutils
+
+IUSE=""
+
+HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
+SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+S="${WORKDIR}/"
+
+RDEPEND=">=sys-apps/policycoreutils-1.30.30
+	>=sec-policy/selinux-base-policy-${PV}"
+
+DEPEND="${RDEPEND}
+	sys-devel/m4
+	>=sys-apps/checkpolicy-1.30.12"
+
+selinux-policy-2_src_unpack() {
+	local modfiles
+	[ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="strict targeted"
+
+	unpack ${A}
+
+	for i in ${MODS}; do
+		modfiles="`find ${S}/refpolicy/policy/modules -iname $i.te` $modfiles"
+		modfiles="`find ${S}/refpolicy/policy/modules -iname $i.fc` $modfiles"
+	done
+
+	for i in ${POLICY_TYPES}; do
+		mkdir "${S}"/${i}
+		cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile
+
+		cp ${modfiles} "${S}"/${i}
+
+		if [ -n "${POLICY_PATCH}" ]; then
+			for POLPATCH in "${POLICY_PATCH}";
+			do
+				cd "${S}"/${i}
+				einfo "Patching ${i}"
+				epatch "${POLPATCH}" || die "failed patch ${POLPATCH}"
+			done
+		fi
+
+	done
+}
+
+selinux-policy-2_src_compile() {
+	[ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="strict targeted"
+
+	for i in ${POLICY_TYPES}; do
+		make NAME=$i -C "${S}"/${i} || die "${i} compile failed"
+	done
+}
+
+selinux-policy-2_src_install() {
+	[ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="strict targeted"
+	local BASEDIR="/usr/share/selinux"
+
+	for i in ${POLICY_TYPES}; do
+		for j in ${MODS}; do
+			echo "Installing ${i} ${j} policy package"
+			insinto ${BASEDIR}/${i}
+			doins "${S}"/${i}/${j}.pp
+		done
+	done
+}
+
+selinux-policy-2_pkg_postinst() {
+	# build up the command in the case of multiple modules
+	local COMMAND
+	for i in ${MODS}; do
+		COMMAND="-i ${i}.pp ${COMMAND}"
+	done
+	[ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="strict targeted"
+
+	for i in ${POLICY_TYPES}; do
+		einfo "Inserting the following modules into the $i module store: ${MODS}"
+
+		cd /usr/share/selinux/${i}
+		semodule -s ${i} ${COMMAND} || die "Failed to load in modules ${MODS} in the $i policy store"
+	done
+}
+
+EXPORT_FUNCTIONS src_unpack src_compile src_install pkg_postinst
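Review bot: The `|| die` on semodule delivers the stated goal (the build fails when a module cannot be loaded), but the module is loaded into the live store under /usr/share/selinux with no `${ROOT}` check, so a ROOT-based install alters the build host's policy. The `[ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="strict targeted"` default is repeated in four functions; a single `: ${POLICY_TYPES:="strict targeted"}` at eclass scope would keep the defaults from drifting apart. The `epatch "${POLPATCH}" || die` is redundant because epatch dies on failure, and the quoted `"${POLICY_PATCH}"` in the for loop means only a single patch path can ever be applied.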


