From 335dbe26f24c97c9beaf3e5a8a2c21f1c2debc60 Mon Sep 17 00:00:00 2001 From: Michael Marineau Date: Fri, 1 Aug 2014 16:51:14 -0700 Subject: [PATCH 1/5] profiles: rebase onto Gentoo's hardened profile The default 10.0 is deprecated and removed upstream. Also, instead of twiddling the hardened flag we should just use the hardened profile. As part of this the host SDK no longer has multilib enabled, it isn't actually needed for anything anyway. --- .../coreos-overlay/profiles/coreos/amd64/generic/parent | 2 -- .../coreos-overlay/profiles/coreos/amd64/generic/use.force | 2 -- .../coreos-overlay/profiles/coreos/amd64/make.defaults | 5 +++++ .../coreos-overlay/profiles/coreos/amd64/package.use.force | 2 ++ .../coreos-overlay/profiles/coreos/amd64/packages | 3 +++ .../third_party/coreos-overlay/profiles/coreos/amd64/parent | 5 +---- .../coreos-overlay/profiles/coreos/base/make.defaults | 2 +- .../third_party/coreos-overlay/profiles/coreos/base/parent | 1 + .../profiles/coreos/targets/generic/package.use.mask | 5 ----- 9 files changed, 13 insertions(+), 14 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/use.force create mode 100644 sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/make.defaults create mode 100644 sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/package.use.force create mode 100644 sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/packages delete mode 100644 sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use.mask diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/parent b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/parent index 6fe462edfa..767f085901 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/parent +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/parent 
@@ -1,4 +1,2 @@
 ..
-portage-stable:arch/amd64/no-multilib
-portage-stable:features/64bit-native
 :coreos/targets/generic
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/use.force b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/use.force
deleted file mode 100644
index 330bf8920a..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/use.force
+++ /dev/null
@@ -1,2 +0,0 @@
-# We don't do multilib.
--multilib
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/make.defaults b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/make.defaults
new file mode 100644
index 0000000000..8793dcad02
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/make.defaults
@@ -0,0 +1,5 @@
+# Disable PAX use flags, we don't use grsec kernels
+# Don't favor /dev/urandom over /dev/random, not sure why this flag
+# is enabled in hardened, the default profiles do not enable it.
+BOOTSTRAP_USE="${BOOTSTRAP_USE} -pax_kernel -xtpax"
+USE="-pax_kernel -urandom -xtpax"
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/package.use.force b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/package.use.force
new file mode 100644
index 0000000000..aafa196b0c
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/package.use.force
@@ -0,0 +1,2 @@
+# Do not force this flag, we don't need XATTR_PAX
+sys-apps/portage -xattr
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/packages b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/packages
new file mode 100644
index 0000000000..511adccb20
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/packages
@@ -0,0 +1,3 @@
+# Disable PAX utilities, we don't use grsec kernels
+-*sys-apps/paxctl
+-*sys-apps/elfix
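Review bot: The `-urandom` in the new `USE="-pax_kernel -urandom -xtpax"` line is introduced with a comment admitting that the reason hardened enables the flag is unknown, which is the wrong footing for a change to randomness-source policy. Disabling the flag makes packages that honour it read /dev/random instead of /dev/urandom, and /dev/random blocks while the kernel entropy pool is low — a realistic condition on freshly booted headless VMs, where these images run — for no security gain once the pool is seeded. Unless a specific consumer needs blocking reads, I would drop `-urandom` and keep hardened's default, or replace the "not sure why" comment with the actual rationale, e.g. `# Keep hardened's urandom default: /dev/random blocks on low entropy at boot.` Which packages consult this flag is not visible in the diff, so confirm against the tree before deciding.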
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/parent b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/parent
index 09dff0fee8..e939d1587c 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/parent
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/parent
@@ -1,5 +1,2 @@
-portage-stable:base
-portage-stable:default/linux
-portage-stable:arch/amd64
-portage-stable:releases/10.0
+portage-stable:hardened/linux/amd64/no-multilib
 :coreos/base
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
index 623d494da7..7c7f8c84d3 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
@@ -10,7 +10,7 @@ USE_EXPAND="${USE_EXPAND} BOARD_USE CROS_WORKON_TREE TESTS U_BOOT_CONFIG_USE U_B
 USE_EXPAND_HIDDEN="${USE_EXPAND_HIDDEN} CROS_WORKON_TREE"
 
 # Extra use flags for CoreOS SDK
-USE="${USE} hardened cros_host pic pie expat -introspection -cups -tcpd -pcre -berkdb"
+USE="${USE} cros_host pic pie expat -introspection -cups -tcpd -pcre -berkdb"
 
 # Enable bindist for both SDK and targets
 USE="${USE} bindist"
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/parent b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/parent
index 5ec03dee4d..e00b432785 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/parent
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/parent
@@ -1 +1,2 @@
+portage-stable:targets/systemd
 :features/systemd
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use.mask deleted file mode 100644 index 7de6ed2169..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use.mask +++ /dev/null @@ -1,5 +0,0 @@ -# Copyright (c) 2010 The Chromium OS Authors. All rights reserved. -# Distributed under the terms of the GNU General Public License v2 - -# Allow hardened glibc on the target. -sys-libs/glibc -hardened From c8896e79e9e81f1131233a98ba0ef094c62af36e Mon Sep 17 00:00:00 2001 From: Michael Marineau Date: Fri, 1 Aug 2014 17:29:07 -0700 Subject: [PATCH 2/5] profiles: disable static binaries Left over from some odd behaviors of the ChromeOS build systems. --- .../profiles/coreos/base/package.use | 38 ------------------- .../coreos/targets/generic/package.use | 3 +- .../profiles/coreos/targets/sdk/package.use | 6 --- 3 files changed, 1 insertion(+), 46 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use index d63a0dcc2e..e51504f3a2 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use 
@@ -21,54 +21,16 @@ media-libs/gd png media-libs/libmtp -crypt # We don't want any driver/hw rendering on the host media-sound/alsa-utils -libsamplerate minimal -net-misc/curl ares static-libs sci-geosciences/gpsd -cxx -# verity and other packages link statically with libuuid. -sys-apps/util-linux -perl static-libs -sys-boot/grub grub_platforms_pc grub_platforms_efi-64 grub_platforms_coreboot static sys-devel/gettext -git -# Build emulation statically so that we can execute it within a chroot and -# still find the shared libraries. -net-misc/dhcpcd -crash -# Building qemu-kvm with static libraries and X/sdl does not work right now, -# with the likely problem in libsdl-1.2.13-r1 from upstream. Previously, -# this comment was here: -# build kvm with X and sdl so we have an option of running it with local -# display without VNC app-emulation/qemu aio caps curl jpeg ncurses png python seccomp threads uuid vhost-net virtfs vnc xattr qemu_softmmu_targets_x86_64 -dev-libs/libaio static-libs -cross-armv7a-cros-linux-gnueabi/gcc hardfp -cross-armv6j-cros-linux-gnueabi/gcc hardfp -thumb -# pciutils is required by flashrom / mosys which is required to be statically -# compiled to reduce dependency during auto update. -sys-apps/pciutils static-libs -# xz-utils includes liblzma, which is picked by bmpblk_utility (vboot_reference) -# and may be executed outside chroot. 
-app-arch/xz-utils static-libs -app-emulation/xen-tools -ocaml -hvm -xend -pygrub -qemu -flask -screen -doc amd64 - -=sys-libs/gdbm-1.8.3-r4 berkdb ->=sys-libs/libseccomp-1.0.1 static-libs -=app-text/ghostscript-gpl-9.05-r1 cups -=coreos-base/cros-devutils-0.0.1-r516 cros_host -=sys-libs/libcap-ng-0.6.6 static-libs ->=sys-libs/ncurses-5.9-r2 static-libs ->=media-libs/libjpeg-turbo-1.2.1 static-libs ->=dev-libs/openssl-1.0.1c static-libs -=x11-libs/cairo-1.10.2-r3 X -=media-libs/libpng-1.5.13-r1 static-libs ->=virtual/jpeg-0 static-libs ->=media-libs/libjpeg-turbo-1.2.0-r1 static-libs sys-apps/gptfdisk -icu # for profile migration dev-libs/apr-util -gdbm sys-libs/gdbm berkdb -# TODO: disable most static things -sys-libs/zlib static-libs - dev-vcs/git -perl -iconv net-analyzer/nmap ncat -lua diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use index 2738000830..0f5b66f60e 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use @@ -19,11 +19,10 @@ sys-apps/busybox -pam -selinux sys-apps/dbus -X -systemd sys-apps/smartmontools minimal sys-block/parted device-mapper -sys-fs/lvm2 -lvm1 -readline -static +sys-fs/lvm2 -lvm1 -readline sys-fs/squashfs lzo sys-libs/ncurses minimal sys-libs/pam -berkdb -sys-libs/zlib static-libs sys-libs/gdbm berkdb diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.use index 25c20a0b33..6a1aa5217e 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.use +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.use 
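Review bot: The removals in the base package.use hunk go well beyond dropping static linking, which is all the commit message claims: `net-misc/curl ares static-libs` takes the `ares` flag with it, `sys-boot/grub grub_platforms_pc grub_platforms_efi-64 grub_platforms_coreboot static` takes the entire grub platform selection, and the dhcpcd `-crash`, xen-tools and cross-gcc `hardfp` lines disappear whole. Unless those flags are set in another profile file outside this diff, grub in particular will now be built for its default platform set only, so I would keep the non-static parts — `net-misc/curl ares` and `sys-boot/grub grub_platforms_pc grub_platforms_efi-64 grub_platforms_coreboot` — and likewise any other line whose remaining flags are still wanted. Dropping `static-libs`/`static` itself is a sound security move, since it stops embedding private copies of openssl, zlib and friends in static binaries that do not pick up shared-library updates.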
@@ -1,9 +1,3 @@ -# TODO: remove static stuff -app-arch/bzip2 static-libs -app-arch/pbzip2 static -app-arch/pigz static -dev-libs/glib static-libs - coreos-base/update_engine delta_generator sys-apps/flashrom dediprog ft2232_spi serprog From a95045fda3faaa258b005300bc2ebf45dc756f39 Mon Sep 17 00:00:00 2001 From: Michael Marineau Date: Fri, 1 Aug 2014 17:41:46 -0700 Subject: [PATCH 3/5] hard-host-depends: remove google-breakpad This package does not build in the SDK after removing multilib support. We don't actually need it, kill it. --- .../google-breakpad/files/chromeos-version.sh | 11 --- .../google-breakpad-1084-r52.ebuild | 93 ------------------- .../google-breakpad-9999.ebuild | 91 ------------------ ...ld => hard-host-depends-0.0.1-r166.ebuild} | 0 .../hard-host-depends-0.0.1.ebuild | 2 +- 5 files changed, 1 insertion(+), 196 deletions(-) delete mode 100755 sdk_container/src/third_party/coreos-overlay/coreos-base/google-breakpad/files/chromeos-version.sh delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/google-breakpad/google-breakpad-1084-r52.ebuild delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/google-breakpad/google-breakpad-9999.ebuild rename sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/{hard-host-depends-0.0.1-r165.ebuild => hard-host-depends-0.0.1-r166.ebuild} (100%) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/google-breakpad/files/chromeos-version.sh b/sdk_container/src/third_party/coreos-overlay/coreos-base/google-breakpad/files/chromeos-version.sh deleted file mode 100755 index fa970952bd..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/google-breakpad/files/chromeos-version.sh +++ /dev/null 
@@ -1,11 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 2013 The Chromium OS Authors. All rights reserved. -# Use of this source code is governed by a BSD-style license that can be -# found in the LICENSE file. -# -# This script is given one argument: the base of the source directory of -# the package, and it prints a string on stdout with the numerical version -# number for said repo. - -"$1"/configure --version | awk '{print $NF; exit}' diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/google-breakpad/google-breakpad-1084-r52.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/google-breakpad/google-breakpad-1084-r52.ebuild deleted file mode 100644 index 533d53704f..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/google-breakpad/google-breakpad-1084-r52.ebuild +++ /dev/null 
@@ -1,93 +0,0 @@ -# Copyright (c) 2011 The Chromium OS Authors. All rights reserved. -# Distributed under the terms of the GNU General Public License v2 - -EAPI=4 -CROS_WORKON_COMMIT="232fb3ad52342305e55b3a1d51632a9bd52d18cc" -CROS_WORKON_TREE="cc72c3a2e2d1746bb31faf70937fc427ad6a57aa" -CROS_WORKON_PROJECT="chromiumos/platform/google-breakpad" - -inherit autotools cros-debug cros-workon toolchain-funcs - -DESCRIPTION="Google crash reporting" -HOMEPAGE="http://code.google.com/p/google-breakpad" -SRC_URI="" -LICENSE="BSD" -SLOT="0" -KEYWORDS="amd64 x86 arm" -IUSE="" - -RDEPEND="net-misc/curl" -DEPEND="${RDEPEND}" - -src_prepare() { - eautoreconf - if ! tc-is-cross-compiler; then - einfo "Creating a separate 32b src directory" - mkdir ../work32 - cp -a . ../work32 - mv ../work32 . - fi -} - -src_configure() { - #TODO(raymes): Uprev breakpad so this isn't necessary. See - # (crosbug.com/14275). - [ "$ARCH" = "arm" ] && append-cflags "-marm" && append-cxxflags "-marm" - - # We purposefully disable optimizations due to optimizations causing - # src/processor code to crash (minidump_stackwalk) as well as tests - # to fail. See - # http://code.google.com/p/google-breakpad/issues/detail?id=400. - append-flags "-O0" - - tc-export CC CXX LD PKG_CONFIG - - econf - - if ! tc-is-cross-compiler; then - einfo "Running 32b configuration" - cd work32 || die "chdir failed" - append-flags "-m32" - econf - filter-flags "-m32" - fi -} - -src_compile() { - tc-export CC CXX PKG_CONFIG - emake - - if ! 
tc-is-cross-compiler; then - cd work32 || die "chdir failed" - einfo "Building dump_syms and minidump-2-core with -m32" - emake src/tools/linux/dump_syms/dump_syms \ - src/tools/linux/md2core/minidump-2-core - fi -} - -src_test() { - emake check -} - -src_install() { - tc-export CXX PKG_CONFIG - emake DESTDIR="${D}" install - insinto /usr/include/google-breakpad/client/linux/handler - doins src/client/linux/handler/*.h - insinto /usr/include/google-breakpad/client/linux/crash_generation - doins src/client/linux/crash_generation/*.h - insinto /usr/include/google-breakpad/common/linux - doins src/common/linux/*.h - insinto /usr/include/google-breakpad/processor - doins src/processor/*.h - dobin src/tools/linux/core2md/core2md \ - src/tools/linux/md2core/minidump-2-core \ - src/tools/linux/dump_syms/dump_syms \ - src/tools/linux/symupload/sym_upload \ - src/tools/linux/symupload/minidump_upload - if ! tc-is-cross-compiler; then - newbin work32/src/tools/linux/dump_syms/dump_syms dump_syms.32 - newbin work32/src/tools/linux/md2core/minidump-2-core \ - minidump-2-core.32 - fi -} diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/google-breakpad/google-breakpad-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/google-breakpad/google-breakpad-9999.ebuild deleted file mode 100644 index 67afc9f4ce..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/google-breakpad/google-breakpad-9999.ebuild +++ /dev/null 
@@ -1,91 +0,0 @@ -# Copyright (c) 2011 The Chromium OS Authors. All rights reserved. -# Distributed under the terms of the GNU General Public License v2 - -EAPI=4 -CROS_WORKON_PROJECT="chromiumos/platform/google-breakpad" - -inherit autotools cros-debug cros-workon toolchain-funcs - -DESCRIPTION="Google crash reporting" -HOMEPAGE="http://code.google.com/p/google-breakpad" -SRC_URI="" -LICENSE="BSD" -SLOT="0" -KEYWORDS="~amd64 ~x86 ~arm" -IUSE="" - -RDEPEND="net-misc/curl" -DEPEND="${RDEPEND}" - -src_prepare() { - eautoreconf - if ! tc-is-cross-compiler; then - einfo "Creating a separate 32b src directory" - mkdir ../work32 - cp -a . ../work32 - mv ../work32 . - fi -} - -src_configure() { - #TODO(raymes): Uprev breakpad so this isn't necessary. See - # (crosbug.com/14275). - [ "$ARCH" = "arm" ] && append-cflags "-marm" && append-cxxflags "-marm" - - # We purposefully disable optimizations due to optimizations causing - # src/processor code to crash (minidump_stackwalk) as well as tests - # to fail. See - # http://code.google.com/p/google-breakpad/issues/detail?id=400. - append-flags "-O0" - - tc-export CC CXX LD PKG_CONFIG - - econf - - if ! tc-is-cross-compiler; then - einfo "Running 32b configuration" - cd work32 || die "chdir failed" - append-flags "-m32" - econf - filter-flags "-m32" - fi -} - -src_compile() { - tc-export CC CXX PKG_CONFIG - emake - - if ! 
tc-is-cross-compiler; then - cd work32 || die "chdir failed" - einfo "Building dump_syms and minidump-2-core with -m32" - emake src/tools/linux/dump_syms/dump_syms \ - src/tools/linux/md2core/minidump-2-core - fi -} - -src_test() { - emake check -} - -src_install() { - tc-export CXX PKG_CONFIG - emake DESTDIR="${D}" install - insinto /usr/include/google-breakpad/client/linux/handler - doins src/client/linux/handler/*.h - insinto /usr/include/google-breakpad/client/linux/crash_generation - doins src/client/linux/crash_generation/*.h - insinto /usr/include/google-breakpad/common/linux - doins src/common/linux/*.h - insinto /usr/include/google-breakpad/processor - doins src/processor/*.h - dobin src/tools/linux/core2md/core2md \ - src/tools/linux/md2core/minidump-2-core \ - src/tools/linux/dump_syms/dump_syms \ - src/tools/linux/symupload/sym_upload \ - src/tools/linux/symupload/minidump_upload - if ! tc-is-cross-compiler; then - newbin work32/src/tools/linux/dump_syms/dump_syms dump_syms.32 - newbin work32/src/tools/linux/md2core/minidump-2-core \ - minidump-2-core.32 - fi -} diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1-r165.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1-r166.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1-r165.ebuild rename to sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1-r166.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild index e8e51c1167..a2c10b924d 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild 
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild @@ -37,7 +37,6 @@ RDEPEND="${RDEPEND} app-arch/unzip app-emulation/qemu app-text/texi2html - coreos-base/google-breakpad coreos-base/cros-devutils[cros_host] coreos-base/cros-testutils coreos-base/vboot_reference @@ -187,4 +186,5 @@ RDEPEND="${RDEPEND} # Uninstall these packages. RDEPEND="${RDEPEND} !net-misc/dhcpcd + !coreos-base/google-breakpad " From f3217852edefb654f1c4052b2b6f2e2dec9a76f4 Mon Sep 17 00:00:00 2001 From: Michael Marineau Date: Sat, 2 Aug 2014 16:30:24 -0700 Subject: [PATCH 4/5] docker: sync ebuild with latest version in Gentoo Most of the change here isn't significant except for the compilation fixes for compiling with a hardened compiler. This was not an issue previously because the SDK's cross compiler wasn't hardened. --- ...er-1.1.2.ebuild => docker-1.1.2-r1.ebuild} | 0 .../app-emulation/docker/docker-9999.ebuild | 62 +++++++++++++------ 2 files changed, 44 insertions(+), 18 deletions(-) rename sdk_container/src/third_party/coreos-overlay/app-emulation/docker/{docker-1.1.2.ebuild => docker-1.1.2-r1.ebuild} (100%) diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.1.2.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.1.2-r1.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.1.2.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.1.2-r1.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild index 4feafd179b..97cab15380 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild 
@@ -26,30 +26,29 @@ inherit bash-completion-r1 linux-info systemd udev user cros-workon LICENSE="Apache-2.0" SLOT="0" -IUSE="aufs btrfs +device-mapper doc lxc vim-syntax zsh-completion symlink-usr" +IUSE="aufs +btrfs contrib +device-mapper doc lxc vim-syntax zsh-completion" -# TODO work with upstream to allow us to build without lvm2 installed if we have -device-mapper CDEPEND=" >=dev-db/sqlite-3.7.9:3 - sys-fs/lvm2[thin] + device-mapper? ( + sys-fs/lvm2[thin] + ) " DEPEND=" ${CDEPEND} >=dev-lang/go-1.2 - >=sys-fs/btrfs-progs-0.20 + btrfs? ( + >=sys-fs/btrfs-progs-0.20 + ) dev-vcs/git dev-vcs/mercurial - doc? ( - dev-python/sphinx - dev-python/sphinxcontrib-httpdomain - ) " RDEPEND=" ${CDEPEND} !app-emulation/docker-bin >=net-firewall/iptables-1.4 lxc? ( - >=app-emulation/lxc-0.8 + >=app-emulation/lxc-1.0 ) >=dev-vcs/git-1.7 >=app-arch/xz-utils-4.9 @@ -61,14 +60,21 @@ RDEPEND=" ) " -RESTRICT="strip" +RESTRICT="installsources strip" pkg_setup() { + if kernel_is lt 3 8; then + ewarn "" + ewarn "Using Docker with kernels older than 3.8 is unstable and unsupported." + ewarn "" + fi + # many of these were borrowed from the app-emulation/lxc ebuild CONFIG_CHECK+=" ~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE + ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG_SWAP 
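Review bot: The new IUSE line drops `symlink-usr`, a CoreOS-specific flag that Gentoo's ebuild never had, but nothing in this hunk removes the `use symlink-usr` tests or install-path logic that presumably depended on it elsewhere in the ebuild. If any `use symlink-usr` call survives outside the hunk, Portage reports a USE flag not in IUSE at build time and, depending on EAPI, treats it as a hard error, so please grep the rest of the ebuild and either remove those calls or restore the flag to IUSE. The rest of the hunk (conditional `btrfs?`/`device-mapper?` dependencies, lxc 1.0 minimum) looks fine.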
@@ -144,13 +150,29 @@ src_compile() { export CGO_CFLAGS="-I${ROOT}/usr/include" export CGO_LDFLAGS="-L${ROOT}/usr/lib" + # if we're building from a zip, we need the GITCOMMIT value [ "$DOCKER_GITCOMMIT" ] && export DOCKER_GITCOMMIT + + if gcc-specs-pie; then + sed -i "s/EXTLDFLAGS_STATIC='/EXTLDFLAGS_STATIC='-fno-PIC /" hack/make.sh || die + grep -q -- '-fno-PIC' hack/make.sh || die 'hardened sed failed' + + sed -i 's/LDFLAGS_STATIC_DOCKER="/LDFLAGS_STATIC_DOCKER="-extldflags -fno-PIC /' hack/make/dynbinary || die + grep -q -- '-fno-PIC' hack/make/dynbinary || die 'hardened sed failed' + fi + + # let's set up some optional features :) + export DOCKER_BUILDTAGS='' + for gd in aufs btrfs device-mapper; do + if ! use $gd; then + DOCKER_BUILDTAGS+=" exclude_graphdriver_${gd//-/}" + fi + done + # time to build! ./hack/make.sh dynbinary || die - if use doc; then - emake -C docs docs man || die - fi + # TODO pandoc the man pages using docs/man/md2man-all.sh } src_install() { @@ -172,8 +194,11 @@ src_install() { dodoc AUTHORS CONTRIBUTING.md CHANGELOG.md NOTICE README.md if use doc; then - dohtml -r docs/_build/html/* - doman docs/_build/man/* + # TODO doman contrib/man/man*/* + + docompress -x /usr/share/doc/${PF}/md + docinto md + dodoc -r docs/sources/* fi dobashcomp contrib/completion/bash/* @@ -189,9 +214,10 @@ src_install() { doins -r contrib/syntax/vim/syntax fi - insinto /usr/share/${P}/contrib - doins contrib/README - cp -R "${S}/contrib"/* "${D}/usr/share/${P}/contrib/" + if use contrib; then + mkdir -p "${D}/usr/share/${PN}/contrib" + cp -R contrib/* "${D}/usr/share/${PN}/contrib" + fi } pkg_postinst() { From 5282f537c9fe969e17a4a1796e51dde79fd85517 Mon Sep 17 00:00:00 2001 
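Review bot: The `gcc-specs-pie` branch in src_compile forces `-fno-PIC` into both the static and dynbinary link flags, which on a hardened toolchain means the resulting docker binaries are linked without PIC/PIE and therefore run without ASLR for their own text — a deliberate hardening downgrade for a root daemon that parses untrusted image and registry data, yet the hunk records no reason. Presumably the Go linker of this era cannot emit PIE executables and the Gentoo ebuild carries the same workaround, but that should be written down so nobody mistakes it for cosmetics, e.g. `# hardened defaults to PIE, which the Go linker cannot produce; force non-PIC (no ASLR) -- TODO drop once Go links PIE`. The two `grep -q ... || die` guards are good; they will catch the day upstream renames those variables.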
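Review bot: The new `contrib` branch in src_install runs `mkdir -p` and `cp -R contrib/* "${D}/usr/share/${PN}/contrib"` without `|| die`, so a copy failure is silently ignored and yields a half-installed package, unlike the `insinto`/`doins` sequence it replaces, which aborts on error. Either append `|| die` to both commands or use the eclass helpers, `insinto /usr/share/${PN}/contrib` followed by `doins -r contrib/*`, which also apply the standard file modes. The destination also moves from `/usr/share/${P}` to `/usr/share/${PN}`; that is reasonable but is a user-visible path change worth a line in the commit message.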
From: Michael Marineau Date: Sat, 2 Aug 2014 17:55:51 -0700 Subject: [PATCH 5/5] systemd: work around broken configure test for -Wl,-fuse-ld=gold --- ...fuse-ld-gold-does-not-work-correctly.patch | 47 +++++++++++++++++++ ...-215-r10.ebuild => systemd-215-r11.ebuild} | 4 ++ .../sys-apps/systemd/systemd-9999.ebuild | 2 + 3 files changed, 53 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-hack-testing-Wl-fuse-ld-gold-does-not-work-correctly.patch rename sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/{systemd-215-r10.ebuild => systemd-215-r11.ebuild} (99%) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-hack-testing-Wl-fuse-ld-gold-does-not-work-correctly.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-hack-testing-Wl-fuse-ld-gold-does-not-work-correctly.patch new file mode 100644 index 0000000000..c8d5a52ae3 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-hack-testing-Wl-fuse-ld-gold-does-not-work-correctly.patch 
@@ -0,0 +1,47 @@ +From 00197239142c519270e44f94b1126a45e7f65511 Mon Sep 17 00:00:00 2001 +From: Michael Marineau +Date: Sat, 2 Aug 2014 17:45:00 -0700 +Subject: [PATCH] hack: testing -Wl,-fuse-ld=gold does not work correctly on + hardened + +Not sure why this test falsely passes with the hardened compiler when it +normally will report the following error: + + ld: -f may not be used without -shared + +But apparently the default options hardened uses makes interpreting the +option as -f valid usage. For reference the option is: + + -f name + --auxiliary=name + When creating an ELF shared object, set the internal DT_AUXILIARY + field to the specified name. This tells the dynamic linker that + the symbol table of the shared object should be used as an + auxiliary filter on the symbol table of the shared object name. + +This in turn causes a stray library to show up in ldd output: + + use-ld=gold => not found + +Which seems mostly harmless but does cause some confusion. +--- + configure.ac | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/configure.ac b/configure.ac +index ae88382..85966b9 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -216,8 +216,7 @@ CC_CHECK_FLAGS_APPEND([with_ldflags], [LDFLAGS], [\ + -Wl,--gc-sections \ + -Wl,-z,relro \ + -Wl,-z,now \ +- -pie \ +- -Wl,-fuse-ld=gold]) ++ -pie]) + AC_SUBST([OUR_LDFLAGS], "$with_ldflags $sanitizer_ldflags") + + AC_CHECK_SIZEOF(pid_t) +-- +1.8.5.5 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-215-r10.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-215-r11.ebuild similarity index 99% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-215-r10.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-215-r11.ebuild index a1feadf44f..51ea10f3e3 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-215-r10.ebuild 
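Review bot: The patch description calls the stray `use-ld=gold => not found` entry "mostly harmless", but as I understand glibc's handling of DT_AUXILIARY the dynamic loader searches for an object of that name on every exec of the affected binaries, PID 1 included, and loads it as a filter if it finds one — the `not found` in the ldd output is that lookup failing. A file named `use-ld=gold` in any directory on the library search path would therefore be pulled into systemd, so this fix is a small but genuine hardening correction rather than a cosmetic one, and I would say so in the description. Deleting the probe rather than repairing it also drops gold on non-hardened toolchains, which seems acceptable but deserves a sentence.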
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-215-r11.ebuild @@ -20,6 +20,7 @@ EGIT_BRANCH=v${PV%%.*}-stable inherit git-r3 fi +AUTOTOOLS_AUTORECONF=yes AUTOTOOLS_PRUNE_LIBTOOL_FILES=all PYTHON_COMPAT=( python{2_7,3_2,3_3} ) inherit autotools-utils bash-completion-r1 fcaps linux-info multilib \ @@ -116,6 +117,9 @@ fi # backports from master epatch "${FILESDIR}"/215-*.patch + # remove -Wl,-fuse-ld=gold + epatch "${FILESDIR}"/0001-hack-testing-Wl-fuse-ld-gold-does-not-work-correctly.patch + # Bug 463376 sed -i -e 's/GROUP="dialout"/GROUP="uucp"/' rules/*.rules || die diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild index 1db1d29f58..7d2351bc22 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild @@ -110,6 +110,8 @@ if [[ ${PV} == *9999 ]]; then echo 'EXTRA_DIST =' > docs/gtk-doc.make fi fi + # remove -Wl,-fuse-ld=gold + epatch "${FILESDIR}"/0001-hack-testing-Wl-fuse-ld-gold-does-not-work-correctly.patch # Bug 463376 sed -i -e 's/GROUP="dialout"/GROUP="uucp"/' rules/*.rules || die
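Review bot: The comment above the new `epatch` call in 215-r11, `# remove -Wl,-fuse-ld=gold`, only restates the patch file name and leaves the next maintainer unable to judge whether the patch can be dropped on a newer systemd; it should say why, e.g. `# With a PIE-default (hardened) toolchain the -Wl,-fuse-ld=gold probe passes and ld records a stray DT_AUXILIARY "use-ld=gold" in every binary; drop the probe.` The same applies to the identical hunk in the 9999 ebuild. Adding `AUTOTOOLS_AUTORECONF=yes` to 215-r11 is needed because the patch touches configure.ac; if the 9999 ebuild does not already regenerate configure (not visible in its hunk), it needs the same.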