From 335dbe26f24c97c9beaf3e5a8a2c21f1c2debc60 Mon Sep 17 00:00:00 2001
From: Michael Marineau
Date: Fri, 1 Aug 2014 16:51:14 -0700
Subject: [PATCH] profiles: rebase onto Gentoo's hardened profile

The default 10.0 is deprecated and removed upstream. Also, instead of twiddling the hardened flag we should just use the hardened profile. As part of this the host SDK no longer has multilib enabled, it isn't actually needed for anything anyway.
---
 .../coreos-overlay/profiles/coreos/amd64/generic/parent | 2 --
 .../coreos-overlay/profiles/coreos/amd64/generic/use.force | 2 --
 .../coreos-overlay/profiles/coreos/amd64/make.defaults | 5 +++++
 .../coreos-overlay/profiles/coreos/amd64/package.use.force | 2 ++
 .../coreos-overlay/profiles/coreos/amd64/packages | 3 +++
 .../third_party/coreos-overlay/profiles/coreos/amd64/parent | 5 +----
 .../coreos-overlay/profiles/coreos/base/make.defaults | 2 +-
 .../third_party/coreos-overlay/profiles/coreos/base/parent | 1 +
 .../profiles/coreos/targets/generic/package.use.mask | 5 -----
 9 files changed, 13 insertions(+), 14 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/use.force
 create mode 100644 sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/make.defaults
 create mode 100644 sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/package.use.force
 create mode 100644 sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/packages
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use.mask

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/parent b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/parent
index 6fe462edfa..767f085901 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/parent
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/parent
@@ -1,4 +1,2 @@
 ..
-portage-stable:arch/amd64/no-multilib
-portage-stable:features/64bit-native
 :coreos/targets/generic
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/use.force b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/use.force
deleted file mode 100644
index 330bf8920a..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/use.force
+++ /dev/null
@@ -1,2 +0,0 @@
-# We don't do multilib.
--multilib
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/make.defaults b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/make.defaults
new file mode 100644
index 0000000000..8793dcad02
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/make.defaults
@@ -0,0 +1,5 @@
+# Disable PAX use flags, we don't use grsec kernels
+# Don't favor /dev/urandom over /dev/random, not sure why this flag
+# is enabled in hardened, the default profiles do not enable it.
+BOOTSTRAP_USE="${BOOTSTRAP_USE} -pax_kernel -xtpax"
+USE="-pax_kernel -urandom -xtpax"
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/package.use.force b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/package.use.force
new file mode 100644
index 0000000000..aafa196b0c
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/package.use.force
@@ -0,0 +1,2 @@
+# Do not force this flag, we don't need XATTR_PAX
+sys-apps/portage -xattr
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/packages b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/packages
new file mode 100644
index 0000000000..511adccb20
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/packages
@@ -0,0 +1,3 @@
+# Disable PAX utilities, we don't use grsec kernels
+-*sys-apps/paxctl
+-*sys-apps/elfix
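Review bot: The `-urandom` override on the new `USE=` line is added with an admitted unknown ("not sure why this flag is enabled in hardened"), and it has a runtime consequence the comment should state: any package that honours the `urandom` flag will read `/dev/random` instead, which blocks while the kernel entropy pool is empty — the typical state on first boot of a fresh VM image, which is presumably why the hardened profile turns it on. Suggest either keeping the hardened default or, if dropping it is deliberate, checking which installed packages actually use the flag (`equery hasuse urandom` inside the SDK) and rewriting the comment to record the decision, e.g. `# -urandom: hardened enables it so <pkg> reads /dev/urandom; we accept blocking reads of /dev/random because ...`. The asymmetry between `BOOTSTRAP_USE="${BOOTSTRAP_USE} ..."` and the bare `USE="..."` is correct (profile USE is incremental, BOOTSTRAP_USE is not) but is worth one trailing comment so nobody "fixes" it.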
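Review bot: `sys-apps/portage -xattr` in package.use.force only cancels the force inherited from the hardened parent; it does not turn the flag off, so if `xattr` is enabled anywhere else in the USE stack portage is still built with it, and the comment "we don't need XATTR_PAX" reads as if the flag were disabled. If the goal really is no xattr support in portage, a matching `sys-apps/portage -xattr` belongs in package.use as well; if not, make the comment say what the line does, e.g. `# Un-force xattr (hardened forces it to preserve XATTR_PAX markings); leave it to normal USE resolution`.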
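Review bot: Dropping sys-apps/paxctl and sys-apps/elfix from @system removes the tools but not whatever asks for them: if the hardened parent sets `PAX_MARKINGS` (presumably to `XT`, matching its xtpax default, though that is not visible in this diff), every ebuild that calls `pax-mark` will still try to run paxctl-ng/paxctl at install time and report failures. If the intent is "no PaX at all", set `PAX_MARKINGS="none"` next to the `-pax_kernel -xtpax` overrides in amd64/make.defaults and reference it here, e.g. `# Disable PAX utilities, we don't use grsec kernels (PAX_MARKINGS=none in make.defaults)`. Whether the hardened profile sets that variable should be confirmed before relying on the `-*` lines alone.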
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/parent b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/parent
index 09dff0fee8..e939d1587c 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/parent
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/parent
@@ -1,5 +1,2 @@
-portage-stable:base
-portage-stable:default/linux
-portage-stable:arch/amd64
-portage-stable:releases/10.0
+portage-stable:hardened/linux/amd64/no-multilib
 :coreos/base
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
index 623d494da7..7c7f8c84d3 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
@@ -10,7 +10,7 @@ USE_EXPAND="${USE_EXPAND} BOARD_USE CROS_WORKON_TREE TESTS U_BOOT_CONFIG_USE U_B
 USE_EXPAND_HIDDEN="${USE_EXPAND_HIDDEN} CROS_WORKON_TREE"
 
 # Extra use flags for CoreOS SDK
-USE="${USE} hardened cros_host pic pie expat -introspection -cups -tcpd -pcre -berkdb"
+USE="${USE} cros_host pic pie expat -introspection -cups -tcpd -pcre -berkdb"
 
 # Enable bindist for both SDK and targets
 USE="${USE} bindist"
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/parent b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/parent
index 5ec03dee4d..e00b432785 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/parent
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/parent
@@ -1 +1,2 @@
+portage-stable:targets/systemd
 :features/systemd
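Review bot: Replacing the four explicit parents with `portage-stable:hardened/linux/amd64/no-multilib` pulls in everything that profile chain defines — presumably its USE defaults, use.force, masks and any PaX-related variables — not just USE=hardened, while only pax_kernel, xtpax, urandom and xattr are overridden elsewhere in this commit. It also means every future portage-stable sync of the hardened profile changes the SDK's defaults, whereas the dropped `releases/10.0` parent was a versioned snapshot. Suggest a comment listing which inherited hardened settings the SDK relies on (Portage appears to strip `#` lines in parent files; otherwise put it at the top of amd64/make.defaults), e.g. `# hardened/linux supplies USE=hardened pic and the hardened toolchain defaults; local overrides live in make.defaults`, so the next sync can be reviewed against that list.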
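Review bot: With `hardened` removed from the shared coreos/base `USE=` line, the flag now comes only from the hardened parent of coreos/amd64; any other profile that parents coreos/base without a hardened parent would silently lose it, and a reader of this line can no longer tell where hardened, pic and pie are meant to come from (pic is presumably also set by the hardened profile, so keeping it here is either redundant or deliberate belt-and-braces). A one-line comment would settle both, e.g. `# hardened (and pic) come from the hardened/linux parent in coreos/amd64; pie is kept explicit here`. The rest of this make.defaults is outside the hunk.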
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use.mask
deleted file mode 100644
index 7de6ed2169..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use.mask
+++ /dev/null
@@ -1,5 +0,0 @@
-# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
-# Distributed under the terms of the GNU General Public License v2
-
-# Allow hardened glibc on the target.
-sys-libs/glibc -hardened