public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/releng:master commit in: tools-musl/, tools-musl/portage.amd64.hardened-stage4/package.use/, ...
@ 2017-01-02  3:38 Matt Thode
From: Matt Thode @ 2017-01-02  3:38 UTC
  To: gentoo-commits

commit:     274837a3d1885f840e1f7c8ed08271135b7537dc
Author:     Your Name <you <AT> example <DOT> com>
AuthorDate: Mon Jan  2 03:35:11 2017 +0000
Commit:     Matt Thode <prometheanfire <AT> gentoo <DOT> org>
CommitDate: Mon Jan  2 03:37:52 2017 +0000
URL:        https://gitweb.gentoo.org/proj/releng.git/commit/?id=274837a3

add stage4 musl config

 .../package.keywords/stage4                        |  4 +
 .../package.mask/stage4                            |  1 +
 .../package.use/stage4                             |  1 +
 tools-musl/run-stage4.sh                           |  5 ++
 tools-musl/stage4-fsscript.sh                      | 81 ++++++++++++++++++++
 tools-musl/stage4-hardened-amd64-configured.spec   | 86 ++++++++++++++++++++++
 tools-musl/stage4-hardened-amd64.spec              | 86 ++++++++++++++++++++++
 7 files changed, 264 insertions(+)

diff --git a/tools-musl/portage.amd64.hardened-stage4/package.keywords/stage4 b/tools-musl/portage.amd64.hardened-stage4/package.keywords/stage4
new file mode 100644
index 0000000..a21cf48
--- /dev/null
+++ b/tools-musl/portage.amd64.hardened-stage4/package.keywords/stage4
@@ -0,0 +1,4 @@
+=sys-apps/portage-2.3.1 ~amd64
+=net-analyzer/macchanger-1.7.0-r1 ~amd64
+<sys-kernel/hardened-sources-4.5.0 ~amd64
+=sys-apps/busybox-1.26.0::musl
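Review bot: the kernel is pinned to `<sys-kernel/hardened-sources-4.5.0` here (with `>4.5.0` masked in package.mask/stage4), which freezes the image on the 4.4 series, so later hardened-sources security releases will not be picked up by the `emerge -uDN @world` in the fsscript; add a comment stating why the pin exists and when it should be lifted. Two smaller points: `package.keywords` is the legacy name for `package.accept_keywords`, and Portage still reads it but the current name avoids the deprecation notice; and `=sys-apps/busybox-1.26.0::musl` carries no keyword, which Portage treats as `~amd64`, so it is probably intended, but writing `~amd64` out keeps the line consistent with the rest of the file.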

diff --git a/tools-musl/portage.amd64.hardened-stage4/package.mask/stage4 b/tools-musl/portage.amd64.hardened-stage4/package.mask/stage4
new file mode 100644
index 0000000..38a688c
--- /dev/null
+++ b/tools-musl/portage.amd64.hardened-stage4/package.mask/stage4
@@ -0,0 +1 @@
+>sys-kernel/hardened-sources-4.5.0
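Review bot: this mask has no justifying comment; Gentoo convention for package.mask entries is a comment with the reason (presumably that the admincd-4.4.8-r1 kernel config referenced by the spec targets the 4.4 series) so the next person knows when it is safe to drop. Note also that `>sys-kernel/hardened-sources-4.5.0` here and `<sys-kernel/hardened-sources-4.5.0` in package.keywords/stage4 both exclude exactly 4.5.0, so that one version is neither masked nor keyworded; `>=` here would make the two files agree.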

diff --git a/tools-musl/portage.amd64.hardened-stage4/package.use/stage4 b/tools-musl/portage.amd64.hardened-stage4/package.use/stage4
new file mode 100644
index 0000000..4b84ae6
--- /dev/null
+++ b/tools-musl/portage.amd64.hardened-stage4/package.use/stage4
@@ -0,0 +1 @@
+sys-boot/grub grub_platforms_pc
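Review bot: `grub_platforms_pc` selects only the i386-pc (BIOS) GRUB target, so the resulting image will not boot on UEFI-only instances; if that is deliberate for this cloud target, a one-line comment here saves the question later, and this file is also where `grub_platforms_efi-64` would go if UEFI boot is wanted.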

diff --git a/tools-musl/run-stage4.sh b/tools-musl/run-stage4.sh
new file mode 100755
index 0000000..e79acc7
--- /dev/null
+++ b/tools-musl/run-stage4.sh
@@ -0,0 +1,5 @@
+MUSL_DIR="$( cd "$( dirname ${BASH_SOURCE[0]} )" && pwd )"
+cp "${MUSL_DIR}"/stage4-hardened-amd64.spec "${MUSL_DIR}"/stage4-hardened-amd64-configured.spec
+sed -i "s|@REPO_DIR@|${MUSL_DIR}|g" "${MUSL_DIR}"/stage4-hardened-amd64-configured.spec
+
+catalyst -f "${MUSL_DIR}"/stage4-hardened-amd64-configured.spec | tee -a "${MUSL_DIR}"/zzz.log
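Review bot: the script has no shebang but uses `${BASH_SOURCE[0]}`, a bashism; since the file is mode 100755, running it as `./run-stage4.sh` leaves the interpreter up to the calling shell, and under a POSIX sh `MUSL_DIR` will not be the repository directory. Add `#!/bin/bash` and `set -euo pipefail`, and quote `"${BASH_SOURCE[0]}"`. Two more points: the `sed -i "s|@REPO_DIR@|${MUSL_DIR}|g"` substitution breaks if the checkout path contains `|` or `&`, and `catalyst ... | tee -a` returns tee's exit status, so a failed catalyst run still exits 0 (with `pipefail` the pipeline reports catalyst's failure). Finally, the `-configured.spec` this script writes is regenerated on every run and contains builder-local absolute paths, so it belongs in .gitignore rather than in the repository.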

diff --git a/tools-musl/stage4-fsscript.sh b/tools-musl/stage4-fsscript.sh
new file mode 100755
index 0000000..f222b1f
--- /dev/null
+++ b/tools-musl/stage4-fsscript.sh
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+# Set timezone
+echo 'UTC' > /etc/timezone
+
+# Some rootfs stuff
+grep -v rootfs /proc/mounts > /etc/mtab
+
+# This is set in rackspaces prep, might help us
+echo 'net.ipv4.conf.eth0.arp_notify = 1' >> /etc/sysctl.conf
+echo 'vm.swappiness = 0' >> /etc/sysctl.conf
+
+# Let's configure our grub
+# Access on both regular tty and serial console
+mkdir /boot/grub
+cat >>/etc/default/grub <<EOF
+GRUB_TERMINAL='serial console'
+GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200n8"
+GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
+EOF
+grub-mkconfig -o /boot/grub/grub.cfg
+sed -r -i 's/loop[0-9]+p1/LABEL\=cloudimg-rootfs/g' /boot/grub/grub.cfg
+sed -i 's/root=.*\ ro/root=LABEL\=cloudimg-rootfs\ ro/' /boot/grub/grub.cfg
+
+# And the fstab
+echo 'LABEL=cloudimg-rootfs / ext4 defaults 0 0' > /etc/fstab
+
+# allow the console log
+sed -i 's/#s0/s0/g' /etc/inittab
+
+# let ipv6 use normal slaac
+sed -i 's/slaac/#slaac/g' /etc/dhcpcd.conf
+# don't let dhcpcd set domain name or hostname
+sed -i 's/domain_name\,\ domain_search\,\ host_name/domain_search/g' /etc/dhcpcd.conf
+
+# need to do this here because it clobbers an openrc owned file
+cat > /etc/conf.d/hostname << "EOL"
+# Set to the hostname of this machine
+if [ -f /etc/hostname ];then
+  hostname=$(cat /etc/hostname 2> /dev/null | cut -d"." -f1 2> /dev/null)
+else
+  hostname="localhost"
+fi
+EOL
+chmod 0644 /etc/conf.d/hostname
+chown root:root /etc/conf.d/hostname
+
+# set a nice default for /etc/resolv.conf
+cat > /etc/resolv.conf << EOL
+nameserver 8.8.8.8
+nameserver 2001:4860:4860::8888
+EOL
+
+# let's upgrade (security fixes and otherwise)
+USE="-build" emerge -uDNv --with-bdeps=y --buildpkg=y --jobs=2 @world
+USE="-build" emerge --verbose=n --depclean
+USE="-build" emerge -v --usepkg=n --buildpkg=y @preserved-rebuild
+etc-update --automode -5
+
+# Clean up portage
+emerge --verbose=n --depclean
+if [[ -a /usr/bin/eix ]]; then
+  eix-update
+fi
+emaint all -f
+eselect news read all
+eclean-dist --destructive
+sed -i '/^USE=\"\${USE}\ \ build\"$/d' /etc/portage/make.conf
+
+# clean up system
+passwd -d root
+passwd -l root
+for i in $(find /var/log -type f); do truncate -s 0 $i; done
+# remove foreign manpages
+find /usr/share/man/ -mindepth 1  -maxdepth 1 -path "/usr/share/man/man*" -prune -o -exec rm -rf {} \;
+
+# fine if this fails, aka non-hardened
+if [[ -x /usr/sbin/migrate-pax ]]; then
+  echo 'migraging pax'
+  /usr/sbin/migrate-pax -m
+fi
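Review bot: the script never sets `-e`, so a failure in the `emerge -uDNv ... @world` step that the comment describes as pulling in security fixes does not fail the catalyst run, and an image with an incomplete or partly broken world update is still produced; add `set -euo pipefail` near the top and guard the steps that may legitimately fail (the `migrate-pax` block already does). Ordering: `/etc/conf.d/hostname` is written before the `@world` upgrade and `etc-update --automode -5`, and the comment on that block says it replaces an OpenRC-owned file, so if the upgrade pulls in a newer openrc, `etc-update -5` (auto-merge everything) will overwrite the custom file with the package's version; either move the hostname block after `etc-update`, or use a narrower mode and resolve that one conflict explicitly. Smaller items: `grep -v rootfs /proc/mounts > /etc/mtab` runs inside the catalyst chroot and captures the build host's mount table, whereas a `/etc/mtab -> /proc/self/mounts` symlink is what OpenRC expects; `for i in $(find /var/log -type f)` word-splits on paths, so use `find /var/log -type f -exec truncate -s 0 {} +`; the `net.ipv4.conf.eth0.arp_notify` sysctl assumes the interface is named eth0; and `echo 'migraging pax'` should read "migrating". On credentials, `passwd -d root` followed by `passwd -l root` leaves root with a locked password field, which is the right order (reversed, it would leave root with an empty, unlocked password), but nothing in the spec installs cloud-init or another agent to inject keys, so a comment on how a booted instance is expected to obtain credentials would help.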

diff --git a/tools-musl/stage4-hardened-amd64-configured.spec b/tools-musl/stage4-hardened-amd64-configured.spec
new file mode 100644
index 0000000..ccbdc4f
--- /dev/null
+++ b/tools-musl/stage4-hardened-amd64-configured.spec
@@ -0,0 +1,86 @@
+subarch: amd64
+target: stage4
+version_stamp: cloud-latest
+rel_type: default
+profile: hardened/linux/musl/amd64
+snapshot: current
+source_subpath: musl/hardened/amd64/stage3-amd64-musl-hardened
+portage_confdir: /root/releng/tools-musl/portage.amd64.hardened-stage4
+portage_overlay: /opt/overlays/musl
+
+stage4/use:
+	bash-completion
+	bindist
+	bzip2
+	idm
+	ipv6
+	mmx
+	sse
+	sse2
+	urandom
+
+stage4/packages:
+	app-admin/logrotate
+	app-admin/sudo
+	app-admin/syslog-ng
+	app-editors/vim
+	app-portage/eix
+	app-portage/gentoolkit
+	net-misc/dhcpcd
+	net-misc/iputils
+	sys-boot/grub
+	sys-apps/dmidecode
+	sys-apps/gptfdisk
+	sys-apps/iproute2
+	sys-apps/lsb-release
+	sys-apps/pciutils
+	sys-block/parted
+	sys-devel/bc
+	sys-power/acpid
+	sys-process/cronie
+stage4/fsscript: /root/releng/tools-musl/tools-musl/stage4-fsscript.sh
+stage4/rcadd:
+	acpid|default
+	cronie|default
+	dhcpcd|default
+	net.lo|default
+	netmount|default
+	sshd|default
+	syslog-ng|default
+
+boot/kernel: gentoo
+boot/kernel/gentoo/sources: hardened-sources
+boot/kernel/gentoo/config: /root/releng/tools-musl/../releases/weekly/kconfig/amd64/admincd-4.4.8-r1.config
+boot/kernel/gentoo/extraversion: openstack
+boot/kernel/gentoo/gk_kernargs: --all-ramdisk-modules --makeopts=-j4
+
+# all of the cleanup...
+stage4/unmerge:
+	sys-kernel/genkernel
+	sys-kernel/hardened-sources
+
+stage4/empty:
+	/root/.ccache
+	/tmp
+	/usr/portage/distfiles
+	/usr/src
+	/var/cache/edb/dep
+	/var/cache/genkernel
+	/var/cache/portage/distfiles
+	/var/empty
+	/var/run
+	/var/state
+	/var/tmp
+
+stage4/rm:
+	/etc/*-
+	/etc/*.old
+	/etc/ssh/ssh_host_*
+	/root/.*history
+	/root/.lesshst
+	/root/.ssh/known_hosts
+	/root/.viminfo
+	# Remove any generated stuff by genkernel
+	/usr/share/genkernel
+	# This is 3MB of crap for each copy
+	/usr/lib64/python*/site-packages/gentoolkit/test/eclean/testdistfiles.tar.gz
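Review bot: this file is the output of `run-stage4.sh` (the template with `@REPO_DIR@` replaced by `/root/releng/tools-musl`), so committing it bakes one builder's absolute paths into the repository and it will show as modified after every run; add it to .gitignore and keep only the template. The `stage4/fsscript` line also points at `/root/releng/tools-musl/tools-musl/stage4-fsscript.sh`, with `tools-musl` doubled, a path that does not exist in this tree (the script is at `tools-musl/stage4-fsscript.sh`), so catalyst cannot find the fsscript and the hardening and cleanup steps in it will not run.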

diff --git a/tools-musl/stage4-hardened-amd64.spec b/tools-musl/stage4-hardened-amd64.spec
new file mode 100644
index 0000000..e8b30e9
--- /dev/null
+++ b/tools-musl/stage4-hardened-amd64.spec
@@ -0,0 +1,86 @@
+subarch: amd64
+target: stage4
+version_stamp: cloud-latest
+rel_type: default
+profile: hardened/linux/musl/amd64
+snapshot: current
+source_subpath: musl/hardened/amd64/stage3-amd64-musl-hardened
+portage_confdir: @REPO_DIR@/portage.amd64.hardened-stage4
+portage_overlay: /opt/overlays/musl
+
+stage4/use:
+	bash-completion
+	bindist
+	bzip2
+	idm
+	ipv6
+	mmx
+	sse
+	sse2
+	urandom
+
+stage4/packages:
+	app-admin/logrotate
+	app-admin/sudo
+	app-admin/syslog-ng
+	app-editors/vim
+	app-portage/eix
+	app-portage/gentoolkit
+	net-misc/dhcpcd
+	net-misc/iputils
+	sys-boot/grub
+	sys-apps/dmidecode
+	sys-apps/gptfdisk
+	sys-apps/iproute2
+	sys-apps/lsb-release
+	sys-apps/pciutils
+	sys-block/parted
+	sys-devel/bc
+	sys-power/acpid
+	sys-process/cronie
+stage4/fsscript: /root/releng/tools-musl/tools-musl/stage4-fsscript.sh
+stage4/rcadd:
+	acpid|default
+	cronie|default
+	dhcpcd|default
+	net.lo|default
+	netmount|default
+	sshd|default
+	syslog-ng|default
+
+boot/kernel: gentoo
+boot/kernel/gentoo/sources: hardened-sources
+boot/kernel/gentoo/config: @REPO_DIR@/../releases/weekly/kconfig/amd64/admincd-4.4.8-r1.config
+boot/kernel/gentoo/extraversion: openstack
+boot/kernel/gentoo/gk_kernargs: --all-ramdisk-modules --makeopts=-j4
+
+# all of the cleanup...
+stage4/unmerge:
+	sys-kernel/genkernel
+	sys-kernel/hardened-sources
+
+stage4/empty:
+	/root/.ccache
+	/tmp
+	/usr/portage/distfiles
+	/usr/src
+	/var/cache/edb/dep
+	/var/cache/genkernel
+	/var/cache/portage/distfiles
+	/var/empty
+	/var/run
+	/var/state
+	/var/tmp
+
+stage4/rm:
+	/etc/*-
+	/etc/*.old
+	/etc/ssh/ssh_host_*
+	/root/.*history
+	/root/.lesshst
+	/root/.ssh/known_hosts
+	/root/.viminfo
+	# Remove any generated stuff by genkernel
+	/usr/share/genkernel
+	# This is 3MB of crap for each copy
+	/usr/lib64/python*/site-packages/gentoolkit/test/eclean/testdistfiles.tar.gz
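Review bot: `stage4/fsscript` is the one path in this template not expressed through `@REPO_DIR@`, and it also doubles `tools-musl/` (`/root/releng/tools-musl/tools-musl/stage4-fsscript.sh`), which does not match where the script lives; it should read `@REPO_DIR@/stage4-fsscript.sh` so `run-stage4.sh` substitutes it like `portage_confdir` and the kernel config. Two smaller points: `idm` in `stage4/use` is not a global USE flag I recognize (did you mean `idn`, which net-misc/iputils uses?); and `stage4/rm` drops `/etc/ssh/ssh_host_*` and `/root/.ssh/known_hosts`, which is right for a redistributed image, but `/root/.ssh/authorized_keys` and any `/root/.ssh/id_*` are not listed, so anything that lands there during the build would ship in the image; `/root/.ssh/*` would be safer.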

