profiles: rebase onto Gentoo's hardened profile

The default 10.0 is deprecated and removed upstream. Also, instead of twiddling the hardened flag we should just use the hardened profile. As part of this the host SDK no longer has multilib enabled, it isn't actually needed for anything anyway.
2025-08-20 05:51:18 +02:00 · 2014-08-01 16:51:14 -07:00 · 2014-08-01 16:51:14 -07:00 · 335dbe26f2
commit 335dbe26f2
parent 76abc5ad49
9 changed files with 13 additions and 14 deletions
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/parent
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/parent
@ -1,4 +1,2 @@
 ..
-portage-stable:arch/amd64/no-multilib
-portage-stable:features/64bit-native
 :coreos/targets/generic
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/use.force
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/use.force
@ -1,2 +0,0 @@
-# We don't do multilib.
-multilib
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/make.defaults
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/make.defaults
@ -0,0 +1,5 @@
+# Disable PAX use flags, we don't use grsec kernels
+# Don't favor /dev/urandom over /dev/random, not sure why this flag
+# is enabled in hardened, the default profiles do not enable it.
+BOOTSTRAP_USE="${BOOTSTRAP_USE} -pax_kernel -xtpax"
+USE="-pax_kernel -urandom -xtpax"
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/package.use.force
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/package.use.force
@ -0,0 +1,2 @@
+# Do not force this flag, we don't need XATTR_PAX
+sys-apps/portage -xattr
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/packages
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/packages
@ -0,0 +1,3 @@
+# Disable PAX utilities, we don't use grsec kernels
+-*sys-apps/paxctl
+-*sys-apps/elfix
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/parent
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/parent
@ -1,5 +1,2 @@
-portage-stable:base
-portage-stable:default/linux
-portage-stable:arch/amd64
-portage-stable:releases/10.0
+portage-stable:hardened/linux/amd64/no-multilib
 :coreos/base
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
@ -10,7 +10,7 @@ USE_EXPAND="${USE_EXPAND} BOARD_USE CROS_WORKON_TREE TESTS U_BOOT_CONFIG_USE U_B
 USE_EXPAND_HIDDEN="${USE_EXPAND_HIDDEN} CROS_WORKON_TREE"

 # Extra use flags for CoreOS SDK
-USE="${USE} hardened cros_host pic pie expat -introspection -cups -tcpd -pcre -berkdb"
+USE="${USE} cros_host pic pie expat -introspection -cups -tcpd -pcre -berkdb"

 # Enable bindist for both SDK and targets
 USE="${USE} bindist"
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/parent
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/parent
@ -1 +1,2 @@
+portage-stable:targets/systemd
 :features/systemd
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use.mask
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use.mask
@ -1,5 +0,0 @@
-# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
-# Distributed under the terms of the GNU General Public License v2
-
-# Allow hardened glibc on the target.
-sys-libs/glibc -hardened