| 1 |
commit: 274837a3d1885f840e1f7c8ed08271135b7537dc |
| 2 |
Author: Your Name <you <AT> example <DOT> com> |
| 3 |
AuthorDate: Mon Jan 2 03:35:11 2017 +0000 |
| 4 |
Commit: Matt Thode <prometheanfire <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Mon Jan 2 03:37:52 2017 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/releng.git/commit/?id=274837a3 |
| 7 |
|
| 8 |
add stage4 musl config |
| 9 |
|
| 10 |
.../package.keywords/stage4 | 4 + |
| 11 |
.../package.mask/stage4 | 1 + |
| 12 |
.../package.use/stage4 | 1 + |
| 13 |
tools-musl/run-stage4.sh | 5 ++ |
| 14 |
tools-musl/stage4-fsscript.sh | 81 ++++++++++++++++++++ |
| 15 |
tools-musl/stage4-hardened-amd64-configured.spec | 86 ++++++++++++++++++++++ |
| 16 |
tools-musl/stage4-hardened-amd64.spec | 86 ++++++++++++++++++++++ |
| 17 |
7 files changed, 264 insertions(+) |
| 18 |
|
| 19 |
diff --git a/tools-musl/portage.amd64.hardened-stage4/package.keywords/stage4 b/tools-musl/portage.amd64.hardened-stage4/package.keywords/stage4 |
| 20 |
new file mode 100644 |
| 21 |
index 0000000..a21cf48 |
| 22 |
--- /dev/null |
| 23 |
+++ b/tools-musl/portage.amd64.hardened-stage4/package.keywords/stage4 |
| 24 |
@@ -0,0 +1,4 @@ |
| 25 |
+=sys-apps/portage-2.3.1 ~amd64 |
| 26 |
+=net-analyzer/macchanger-1.7.0-r1 ~amd64 |
| 27 |
+<sys-kernel/hardened-sources-4.5.0 ~amd64 |
| 28 |
+=sys-apps/busybox-1.26.0::musl |
| 29 |
|
| 30 |
diff --git a/tools-musl/portage.amd64.hardened-stage4/package.mask/stage4 b/tools-musl/portage.amd64.hardened-stage4/package.mask/stage4 |
| 31 |
new file mode 100644 |
| 32 |
index 0000000..38a688c |
| 33 |
--- /dev/null |
| 34 |
+++ b/tools-musl/portage.amd64.hardened-stage4/package.mask/stage4 |
| 35 |
@@ -0,0 +1 @@ |
| 36 |
+>sys-kernel/hardened-sources-4.5.0 |
| 37 |
|
| 38 |
diff --git a/tools-musl/portage.amd64.hardened-stage4/package.use/stage4 b/tools-musl/portage.amd64.hardened-stage4/package.use/stage4 |
| 39 |
new file mode 100644 |
| 40 |
index 0000000..4b84ae6 |
| 41 |
--- /dev/null |
| 42 |
+++ b/tools-musl/portage.amd64.hardened-stage4/package.use/stage4 |
| 43 |
@@ -0,0 +1 @@ |
| 44 |
+sys-boot/grub grub_platforms_pc |
| 45 |
|
| 46 |
diff --git a/tools-musl/run-stage4.sh b/tools-musl/run-stage4.sh |
| 47 |
new file mode 100755 |
| 48 |
index 0000000..e79acc7 |
| 49 |
--- /dev/null |
| 50 |
+++ b/tools-musl/run-stage4.sh |
| 51 |
@@ -0,0 +1,5 @@ |
| 52 |
+MUSL_DIR="$( cd "$( dirname ${BASH_SOURCE[0]} )" && pwd )" |
| 53 |
+cp "${MUSL_DIR}"/stage4-hardened-amd64.spec "${MUSL_DIR}"/stage4-hardened-amd64-configured.spec |
| 54 |
+sed -i "s|@REPO_DIR@|${MUSL_DIR}|g" "${MUSL_DIR}"/stage4-hardened-amd64-configured.spec |
| 55 |
+ |
| 56 |
+catalyst -f "${MUSL_DIR}"/stage4-hardened-amd64-configured.spec | tee -a "${MUSL_DIR}"/zzz.log |
| 57 |
|
| 58 |
diff --git a/tools-musl/stage4-fsscript.sh b/tools-musl/stage4-fsscript.sh |
| 59 |
new file mode 100755 |
| 60 |
index 0000000..f222b1f |
| 61 |
--- /dev/null |
| 62 |
+++ b/tools-musl/stage4-fsscript.sh |
| 63 |
@@ -0,0 +1,81 @@ |
| 64 |
+#!/bin/bash |
| 65 |
+ |
| 66 |
+# Set timezone |
| 67 |
+echo 'UTC' > /etc/timezone |
| 68 |
+ |
| 69 |
+# Some rootfs stuff |
| 70 |
+grep -v rootfs /proc/mounts > /etc/mtab |
| 71 |
+ |
| 72 |
+# This is set in rackspaces prep, might help us |
| 73 |
+echo 'net.ipv4.conf.eth0.arp_notify = 1' >> /etc/sysctl.conf |
| 74 |
+echo 'vm.swappiness = 0' >> /etc/sysctl.conf |
| 75 |
+ |
| 76 |
+# Let's configure our grub |
| 77 |
+# Access on both regular tty and serial console |
| 78 |
+mkdir /boot/grub |
| 79 |
+cat >>/etc/default/grub <<EOF |
| 80 |
+GRUB_TERMINAL='serial console' |
| 81 |
+GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200n8" |
| 82 |
+GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1" |
| 83 |
+EOF |
| 84 |
+grub-mkconfig -o /boot/grub/grub.cfg |
| 85 |
+sed -r -i 's/loop[0-9]+p1/LABEL\=cloudimg-rootfs/g' /boot/grub/grub.cfg |
| 86 |
+sed -i 's/root=.*\ ro/root=LABEL\=cloudimg-rootfs\ ro/' /boot/grub/grub.cfg |
| 87 |
+ |
| 88 |
+# And the fstab |
| 89 |
+echo 'LABEL=cloudimg-rootfs / ext4 defaults 0 0' > /etc/fstab |
| 90 |
+ |
| 91 |
+# allow the console log |
| 92 |
+sed -i 's/#s0/s0/g' /etc/inittab |
| 93 |
+ |
| 94 |
+# let ipv6 use normal slaac |
| 95 |
+sed -i 's/slaac/#slaac/g' /etc/dhcpcd.conf |
| 96 |
+# don't let dhcpcd set domain name or hostname |
| 97 |
+sed -i 's/domain_name\,\ domain_search\,\ host_name/domain_search/g' /etc/dhcpcd.conf |
| 98 |
+ |
| 99 |
+# need to do this here because it clobbers an openrc owned file |
| 100 |
+cat > /etc/conf.d/hostname << "EOL" |
| 101 |
+# Set to the hostname of this machine |
| 102 |
+if [ -f /etc/hostname ];then |
| 103 |
+ hostname=$(cat /etc/hostname 2> /dev/null | cut -d"." -f1 2> /dev/null) |
| 104 |
+else |
| 105 |
+ hostname="localhost" |
| 106 |
+fi |
| 107 |
+EOL |
| 108 |
+chmod 0644 /etc/conf.d/hostname |
| 109 |
+chown root:root /etc/conf.d/hostname |
| 110 |
+ |
| 111 |
+# set a nice default for /etc/resolv.conf |
| 112 |
+cat > /etc/resolv.conf << EOL |
| 113 |
+nameserver 8.8.8.8 |
| 114 |
+nameserver 2001:4860:4860::8888 |
| 115 |
+EOL |
| 116 |
+ |
| 117 |
+# let's upgrade (security fixes and otherwise) |
| 118 |
+USE="-build" emerge -uDNv --with-bdeps=y --buildpkg=y --jobs=2 @world |
| 119 |
+USE="-build" emerge --verbose=n --depclean |
| 120 |
+USE="-build" emerge -v --usepkg=n --buildpkg=y @preserved-rebuild |
| 121 |
+etc-update --automode -5 |
| 122 |
+ |
| 123 |
+# Clean up portage |
| 124 |
+emerge --verbose=n --depclean |
| 125 |
+if [[ -a /usr/bin/eix ]]; then |
| 126 |
+ eix-update |
| 127 |
+fi |
| 128 |
+emaint all -f |
| 129 |
+eselect news read all |
| 130 |
+eclean-dist --destructive |
| 131 |
+sed -i '/^USE=\"\${USE}\ \ build\"$/d' /etc/portage/make.conf |
| 132 |
+ |
| 133 |
+# clean up system |
| 134 |
+passwd -d root |
| 135 |
+passwd -l root |
| 136 |
+for i in $(find /var/log -type f); do truncate -s 0 $i; done |
| 137 |
+# remove foreign manpages |
| 138 |
+find /usr/share/man/ -mindepth 1 -maxdepth 1 -path "/usr/share/man/man*" -prune -o -exec rm -rf {} \; |
| 139 |
+ |
| 140 |
+# fine if this fails, aka non-hardened |
| 141 |
+if [[ -x /usr/sbin/migrate-pax ]]; then |
| 142 |
+ echo 'migraging pax' |
| 143 |
+ /usr/sbin/migrate-pax -m |
| 144 |
+fi |
| 145 |
|
| 146 |
diff --git a/tools-musl/stage4-hardened-amd64-configured.spec b/tools-musl/stage4-hardened-amd64-configured.spec |
| 147 |
new file mode 100644 |
| 148 |
index 0000000..ccbdc4f |
| 149 |
--- /dev/null |
| 150 |
+++ b/tools-musl/stage4-hardened-amd64-configured.spec |
| 151 |
@@ -0,0 +1,86 @@ |
| 152 |
+subarch: amd64 |
| 153 |
+target: stage4 |
| 154 |
+version_stamp: cloud-latest |
| 155 |
+rel_type: default |
| 156 |
+profile: hardened/linux/musl/amd64 |
| 157 |
+snapshot: current |
| 158 |
+source_subpath: musl/hardened/amd64/stage3-amd64-musl-hardened |
| 159 |
+portage_confdir: /root/releng/tools-musl/portage.amd64.hardened-stage4 |
| 160 |
+portage_overlay: /opt/overlays/musl |
| 161 |
+ |
| 162 |
+stage4/use: |
| 163 |
+ bash-completion |
| 164 |
+ bindist |
| 165 |
+ bzip2 |
| 166 |
+ idm |
| 167 |
+ ipv6 |
| 168 |
+ mmx |
| 169 |
+ sse |
| 170 |
+ sse2 |
| 171 |
+ urandom |
| 172 |
+ |
| 173 |
+stage4/packages: |
| 174 |
+ app-admin/logrotate |
| 175 |
+ app-admin/sudo |
| 176 |
+ app-admin/syslog-ng |
| 177 |
+ app-editors/vim |
| 178 |
+ app-portage/eix |
| 179 |
+ app-portage/gentoolkit |
| 180 |
+ net-misc/dhcpcd |
| 181 |
+ net-misc/iputils |
| 182 |
+ sys-boot/grub |
| 183 |
+ sys-apps/dmidecode |
| 184 |
+ sys-apps/gptfdisk |
| 185 |
+ sys-apps/iproute2 |
| 186 |
+ sys-apps/lsb-release |
| 187 |
+ sys-apps/pciutils |
| 188 |
+ sys-block/parted |
| 189 |
+ sys-devel/bc |
| 190 |
+ sys-power/acpid |
| 191 |
+ sys-process/cronie |
| 192 |
+stage4/fsscript: /root/releng/tools-musl/tools-musl/stage4-fsscript.sh |
| 193 |
+stage4/rcadd: |
| 194 |
+ acpid|default |
| 195 |
+ cronie|default |
| 196 |
+ dhcpcd|default |
| 197 |
+ net.lo|default |
| 198 |
+ netmount|default |
| 199 |
+ sshd|default |
| 200 |
+ syslog-ng|default |
| 201 |
+ |
| 202 |
+boot/kernel: gentoo |
| 203 |
+boot/kernel/gentoo/sources: hardened-sources |
| 204 |
+boot/kernel/gentoo/config: /root/releng/tools-musl/../releases/weekly/kconfig/amd64/admincd-4.4.8-r1.config |
| 205 |
+boot/kernel/gentoo/extraversion: openstack |
| 206 |
+boot/kernel/gentoo/gk_kernargs: --all-ramdisk-modules --makeopts=-j4 |
| 207 |
+ |
| 208 |
+# all of the cleanup... |
| 209 |
+stage4/unmerge: |
| 210 |
+ sys-kernel/genkernel |
| 211 |
+ sys-kernel/hardened-sources |
| 212 |
+ |
| 213 |
+stage4/empty: |
| 214 |
+ /root/.ccache |
| 215 |
+ /tmp |
| 216 |
+ /usr/portage/distfiles |
| 217 |
+ /usr/src |
| 218 |
+ /var/cache/edb/dep |
| 219 |
+ /var/cache/genkernel |
| 220 |
+ /var/cache/portage/distfiles |
| 221 |
+ /var/empty |
| 222 |
+ /var/run |
| 223 |
+ /var/state |
| 224 |
+ /var/tmp |
| 225 |
+ |
| 226 |
+stage4/rm: |
| 227 |
+ /etc/*- |
| 228 |
+ /etc/*.old |
| 229 |
+ /etc/ssh/ssh_host_* |
| 230 |
+ /root/.*history |
| 231 |
+ /root/.lesshst |
| 232 |
+ /root/.ssh/known_hosts |
| 233 |
+ /root/.viminfo |
| 234 |
+ # Remove any generated stuff by genkernel |
| 235 |
+ /usr/share/genkernel |
| 236 |
+ # This is 3MB of crap for each copy |
| 237 |
+ /usr/lib64/python*/site-packages/gentoolkit/test/eclean/testdistfiles.tar.gz |
| 238 |
|
| 239 |
diff --git a/tools-musl/stage4-hardened-amd64.spec b/tools-musl/stage4-hardened-amd64.spec |
| 240 |
new file mode 100644 |
| 241 |
index 0000000..e8b30e9 |
| 242 |
--- /dev/null |
| 243 |
+++ b/tools-musl/stage4-hardened-amd64.spec |
| 244 |
@@ -0,0 +1,86 @@ |
| 245 |
+subarch: amd64 |
| 246 |
+target: stage4 |
| 247 |
+version_stamp: cloud-latest |
| 248 |
+rel_type: default |
| 249 |
+profile: hardened/linux/musl/amd64 |
| 250 |
+snapshot: current |
| 251 |
+source_subpath: musl/hardened/amd64/stage3-amd64-musl-hardened |
| 252 |
+portage_confdir: @REPO_DIR@/portage.amd64.hardened-stage4 |
| 253 |
+portage_overlay: /opt/overlays/musl |
| 254 |
+ |
| 255 |
+stage4/use: |
| 256 |
+ bash-completion |
| 257 |
+ bindist |
| 258 |
+ bzip2 |
| 259 |
+ idm |
| 260 |
+ ipv6 |
| 261 |
+ mmx |
| 262 |
+ sse |
| 263 |
+ sse2 |
| 264 |
+ urandom |
| 265 |
+ |
| 266 |
+stage4/packages: |
| 267 |
+ app-admin/logrotate |
| 268 |
+ app-admin/sudo |
| 269 |
+ app-admin/syslog-ng |
| 270 |
+ app-editors/vim |
| 271 |
+ app-portage/eix |
| 272 |
+ app-portage/gentoolkit |
| 273 |
+ net-misc/dhcpcd |
| 274 |
+ net-misc/iputils |
| 275 |
+ sys-boot/grub |
| 276 |
+ sys-apps/dmidecode |
| 277 |
+ sys-apps/gptfdisk |
| 278 |
+ sys-apps/iproute2 |
| 279 |
+ sys-apps/lsb-release |
| 280 |
+ sys-apps/pciutils |
| 281 |
+ sys-block/parted |
| 282 |
+ sys-devel/bc |
| 283 |
+ sys-power/acpid |
| 284 |
+ sys-process/cronie |
| 285 |
+stage4/fsscript: /root/releng/tools-musl/tools-musl/stage4-fsscript.sh |
| 286 |
+stage4/rcadd: |
| 287 |
+ acpid|default |
| 288 |
+ cronie|default |
| 289 |
+ dhcpcd|default |
| 290 |
+ net.lo|default |
| 291 |
+ netmount|default |
| 292 |
+ sshd|default |
| 293 |
+ syslog-ng|default |
| 294 |
+ |
| 295 |
+boot/kernel: gentoo |
| 296 |
+boot/kernel/gentoo/sources: hardened-sources |
| 297 |
+boot/kernel/gentoo/config: @REPO_DIR@/../releases/weekly/kconfig/amd64/admincd-4.4.8-r1.config |
| 298 |
+boot/kernel/gentoo/extraversion: openstack |
| 299 |
+boot/kernel/gentoo/gk_kernargs: --all-ramdisk-modules --makeopts=-j4 |
| 300 |
+ |
| 301 |
+# all of the cleanup... |
| 302 |
+stage4/unmerge: |
| 303 |
+ sys-kernel/genkernel |
| 304 |
+ sys-kernel/hardened-sources |
| 305 |
+ |
| 306 |
+stage4/empty: |
| 307 |
+ /root/.ccache |
| 308 |
+ /tmp |
| 309 |
+ /usr/portage/distfiles |
| 310 |
+ /usr/src |
| 311 |
+ /var/cache/edb/dep |
| 312 |
+ /var/cache/genkernel |
| 313 |
+ /var/cache/portage/distfiles |
| 314 |
+ /var/empty |
| 315 |
+ /var/run |
| 316 |
+ /var/state |
| 317 |
+ /var/tmp |
| 318 |
+ |
| 319 |
+stage4/rm: |
| 320 |
+ /etc/*- |
| 321 |
+ /etc/*.old |
| 322 |
+ /etc/ssh/ssh_host_* |
| 323 |
+ /root/.*history |
| 324 |
+ /root/.lesshst |
| 325 |
+ /root/.ssh/known_hosts |
| 326 |
+ /root/.viminfo |
| 327 |
+ # Remove any generated stuff by genkernel |
| 328 |
+ /usr/share/genkernel |
| 329 |
+ # This is 3MB of crap for each copy |
| 330 |
+ /usr/lib64/python*/site-packages/gentoolkit/test/eclean/testdistfiles.tar.gz |
Archives