From 98385913fe59cc76111b6496ec08ad138d33c619 Mon Sep 17 00:00:00 2001
From: Michael Marineau
Date: Wed, 28 Dec 2016 14:21:15 -0800
Subject: [PATCH 1/7] profiles: enable seccomp globally

Upstream has enabled this flag, should be fine for us too but do so prior to syncing with upstream to test for sure. Keeping seccomp disabled for bind-tools since it breaks cross-compilation and fixing it isn't very important.
---
 .../coreos-overlay/profiles/coreos/arm64/use.mask | 2 ++
 .../coreos-overlay/profiles/coreos/base/make.defaults | 4 ++++
 .../profiles/coreos/targets/generic/package.use | 7 ++++---
 3 files changed, 10 insertions(+), 3 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/use.mask

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/use.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/use.mask
new file mode 100644
index 0000000000..1f68389902
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/use.mask
@@ -0,0 +1,2 @@
+# TODO(marineam): remove after portage-stable/profiles is updated.
+-seccomp
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
index 228ca622e9..36dbf9e60d 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
@@ -32,6 +32,10 @@ USE="${USE} -zeroconf"
 # No need for OpenMP support in GCC and other apps
 USE="${USE} -openmp"
 
+# Test enabling seccomp globally prior to syncing other profile changes.
+# TODO(marineam): remove after portage-stable/profiles is updated.
+USE="${USE} seccomp"
+
 # Set SELinux policy
 POLICY_TYPES="targeted mcs mls"
 
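Review bot: The `-seccomp` unmask in the new arm64/use.mask and the `USE="${USE} seccomp"` line added to base/make.defaults only work together, yet neither TODO mentions the other: if the arm64 unmask is dropped first (or never re-synced), a seccomp mask presumably inherited from the parent arch profile silently wins over USE and seccomp is built out on arm64 with no error, which is easy to miss for a hardening flag. Suggest cross-referencing them, e.g. in arm64/use.mask `# Unmask seccomp so the global USE="seccomp" from coreos/base/make.defaults takes effect on arm64.` above the existing TODO, and in make.defaults `# Also needs the -seccomp unmask in coreos/arm64/use.mask.`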
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use
index e6a81f1aac..1142d571d4 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use
@@ -41,7 +41,8 @@ app-shells/bash -net vanilla
 # disable nss utilities
 dev-libs/nss -utils
 
-# enable seccomp support in docker
-app-emulation/docker seccomp
-app-emulation/containerd seccomp
+# needed by docker
 sys-libs/libseccomp static-libs
+
+# bind-tools' configure script breaks when cross-compiling with seccomp enabled
+net-dns/bind-tools -seccomp

From b9d040727d9e277df98e455289b6ab4d5b3aa6a4 Mon Sep 17 00:00:00 2001
From: Michael Marineau
Date: Wed, 28 Dec 2016 14:44:42 -0800
Subject: [PATCH 2/7] profiles: unmask selinux only in amd64 target profile

---
 .../coreos-overlay/profiles/coreos/amd64/generic/use.mask | 2 ++
 .../third_party/coreos-overlay/profiles/coreos/base/use.mask | 1 -
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/use.mask

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/use.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/use.mask
new file mode 100644
index 0000000000..a24662d0ea
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/use.mask
@@ -0,0 +1,2 @@
+# Unmask selinux so it can be enabled selectively in package.use
+-selinux
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/use.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/use.mask
index 5fefecaa49..d7d483989a 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/use.mask
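Review bot: The new `net-dns/bind-tools -seccomp` line records only the build reason; with seccomp now on globally this is the one target package that opts out, so the comment should also say what is given up and carry a TODO like the other temporary seccomp entries, e.g. `# bind-tools' configure script breaks when cross-compiling with seccomp enabled; this presumably leaves the BIND utilities without their seccomp sandbox. TODO: revisit once the cross-compile issue is fixed.` The `# needed by docker` comment left above `sys-libs/libseccomp static-libs` is also terse now that the docker/containerd lines are gone; `# static libseccomp is needed by docker` names the flag it explains.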
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/use.mask
@@ -1,2 +1 @@
 kdbus
--selinux

From e54160699869cbaa83549daf03f4e0fcfe5c8dc2 Mon Sep 17 00:00:00 2001
From: Michael Marineau
Date: Wed, 28 Dec 2016 14:50:48 -0800
Subject: [PATCH 3/7] profiles: remove coreos/amd64/usr profile

This was only in use during the root->usr migration, since then it is merely an alias for coreos/amd64/generic which is what we actually use. The arm64 copy has never been used.
---
 .../third_party/coreos-overlay/profiles/coreos/amd64/usr/parent | 1 -
 .../third_party/coreos-overlay/profiles/coreos/arm64/usr/parent | 1 -
 2 files changed, 2 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/usr/parent
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/usr/parent

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/usr/parent b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/usr/parent
deleted file mode 100644
index 16225a84d6..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/usr/parent
+++ /dev/null
@@ -1 +0,0 @@
-:coreos/amd64/generic
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/usr/parent b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/usr/parent
deleted file mode 100644
index 0989a17981..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/usr/parent
+++ /dev/null
@@ -1 +0,0 @@
-:coreos/arm64/generic

From 39940dad6fb7e235a82f0423a9bb14142f3bc327 Mon Sep 17 00:00:00 2001
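Review bot: Dropping `-selinux` from base/use.mask (with the unmask now living only in the new amd64/generic/use.mask from the previous hunk) means selinux stays masked wherever the inherited profiles mask it, presumably the SDK and the arm64 targets, and any `selinux` entry those profiles' package.use files carry becomes silently ineffective, since a mask wins over package.use without an error. The commit message only says where the flag is unmasked; it should also state where it is now masked and that this is intended. The new amd64/generic/use.mask comment could make the scope explicit: `# Unmask selinux here only (it stays masked elsewhere) so it can be enabled selectively in package.use`.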
From: Michael Marineau
Date: Wed, 28 Dec 2016 15:00:31 -0800
Subject: [PATCH 4/7] profiles: hard mask python3 use flags, add 3.5 to the list

This seems less clunky than editing $BOOTSTRAP_USE. 3.2 is no longer in portage while 3.5 is coming so update the versions.
---
 .../coreos-overlay/profiles/coreos/base/make.defaults | 7 -------
 .../coreos-overlay/profiles/coreos/base/use.mask | 9 +++++++++
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
index 36dbf9e60d..aaf58deb7b 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
@@ -39,13 +39,6 @@ USE="${USE} seccomp"
 # Set SELinux policy
 POLICY_TYPES="targeted mcs mls"
 
-# Override upstream's python settings
-USE="$USE python_targets_python2_7 python_single_target_python2_7"
-USE="$USE -python_targets_python3_2 -python_single_target_python3_2"
-USE="$USE -python_targets_python3_3 -python_single_target_python3_3"
-BOOTSTRAP_USE="$BOOTSTRAP_USE -python_targets_python3_2"
-BOOTSTRAP_USE="$BOOTSTRAP_USE -python_targets_python3_3"
-
 # Disable packages or optional features with distribution issues.
 ACCEPT_RESTRICT="* -bindist -mirror"
 USE="${USE} bindist"
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/use.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/use.mask
index d7d483989a..bed2a39fb4 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/use.mask
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/use.mask
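Review bot: Besides the python3 disables that the new use.mask replaces, this hunk also removes the positive `python_targets_python2_7 python_single_target_python2_7` defaults, and neither the commit message nor the use.mask hunk that follows says where the 2.7 target now comes from. If the intent is to rely on the inherited profile's PYTHON_TARGETS defaults, a sentence in the message, or a comment above the new `# Block python3 for now` block such as `# python2_7 targets come from the inherited profile defaults`, would keep the next person from re-adding the override.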
@@ -1 +1,10 @@
+# Never enable experimental code
 kdbus
+
+# Block python3 for now
+python_targets_python3_3
+python_targets_python3_4
+python_targets_python3_5
+python_single_target_python3_3
+python_single_target_python3_4
+python_single_target_python3_5

From 4f266084bdca70265becadab9ddd0cda0867c8d9 Mon Sep 17 00:00:00 2001
From: Michael Marineau
Date: Wed, 28 Dec 2016 15:27:58 -0800
Subject: [PATCH 5/7] profiles: disable portage xattr on all architectures

Upstream has enabled the xattr flag globally which should be fine except we don't need it for portage.
---
 .../coreos-overlay/profiles/coreos/amd64/package.use.force | 2 --
 .../coreos-overlay/profiles/coreos/arm64/package.use.force | 3 ---
 .../coreos-overlay/profiles/coreos/base/package.use | 2 ++
 .../coreos-overlay/profiles/coreos/base/package.use.force | 3 +++
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/package.use.force b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/package.use.force
index aafa196b0c..e69de29bb2 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/package.use.force
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/package.use.force
@@ -1,2 +0,0 @@
-# Do not force this flag, we don't need XATTR_PAX
-sys-apps/portage -xattr
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.force b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.force
index 3d5dc12d3b..952d0233bd 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.force
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.force
@@ -1,6 +1,3 @@
-# Do not force this flag, we don't need XATTR_PAX
-sys-apps/portage -xattr
-
 sys-auth/polkit -introspection
 sys-apps/systemd -introspection
 sys-fs/udev-init-scripts -introspection
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
index 5c27e283ec..5196ea6a52 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
@@ -79,3 +79,5 @@ dev-cpp/glog gflags
 # enable rpc for rpc.rquotad
 sys-fs/quota rpc
 
+# Don't bother building portage w/xattr, we don't need XATTR_PAX
+sys-apps/portage -xattr
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use.force b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use.force
index bd6530bb7e..b642673c60 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use.force
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use.force
@@ -1,2 +1,5 @@
 # Copyright (c) 2014 The CoreOS Authors. All rights reserved.
 # Distributed under the terms of the GNU General Public License v2
+
+# Do not force this flag, we don't need XATTR_PAX
+sys-apps/portage -xattr

From 7026c00e0b9296981aea37c761a606a18de216d1 Mon Sep 17 00:00:00 2001
From: Michael Marineau
Date: Wed, 28 Dec 2016 16:32:00 -0800
Subject: [PATCH 6/7] profiles: enable xattr globally

Already enabled on amd64 by default but not on arm64.
---
 .../coreos-overlay/profiles/coreos/base/make.defaults | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
index aaf58deb7b..2244caca68 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
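Review bot: The new `sys-apps/portage -xattr` in base/package.use (and the matching un-force in base/package.use.force in the next hunk) is justified only by `we don't need XATTR_PAX`, but portage's xattr flag, as I read it, is what lets it preserve extended attributes in general when merging files, not only PaX markings, so the comment understates what is switched off on every architecture now. Suggest `# Build portage without xattr support: we don't need XATTR_PAX and don't rely on portage preserving other xattrs at merge time` so the wider effect is recorded as intended rather than implied. The package.use.force comment is fine as is, since `-xattr` there only cancels an inherited force.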
@@ -32,9 +32,9 @@ USE="${USE} -zeroconf"
 # No need for OpenMP support in GCC and other apps
 USE="${USE} -openmp"
 
-# Test enabling seccomp globally prior to syncing other profile changes.
+# Test enabling some flags globally prior to syncing other profile changes.
 # TODO(marineam): remove after portage-stable/profiles is updated.
-USE="${USE} seccomp"
+USE="${USE} seccomp xattr"
 
 # Set SELinux policy
 POLICY_TYPES="targeted mcs mls"

From adf6418fac56629292c05e08cb68d3165d7a05c8 Mon Sep 17 00:00:00 2001
From: Michael Marineau
Date: Wed, 28 Dec 2016 16:52:02 -0800
Subject: [PATCH 7/7] profiles: disable systemd+gnutls globally instead of for targets only

The flag is harmless in the SDK but unneeded. Keeping it disabled reduces the amount of diff noise when updating portage-stable/profiles.
---
 .../coreos-overlay/profiles/coreos/base/package.use | 5 +++--
 .../profiles/coreos/targets/generic/package.use | 6 +++---
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
index 5196ea6a52..732ded3933 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
@@ -36,8 +36,9 @@ net-analyzer/nmap ncat -lua
 # removes mta dependencies
 app-admin/sudo -sendmail
 
-# use lzma which is the default on non-gentoo systems
-sys-apps/systemd curl gcrypt lzma -lz4
+# use lzma which is the default on non-gentoo systems, avoid pulling in gnutls
+sys-apps/systemd curl gcrypt lzma -lz4 -ssl
+net-libs/libmicrohttpd -ssl
 
 # disable kernel config detection and module building
 net-firewall/ipset -modules
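Review bot: Moving `-ssl` for sys-apps/systemd and net-libs/libmicrohttpd into base/package.use separates it from the `http` and `epoll` flags that stay in targets/generic/package.use (the second hunk of this commit), where the old comment made the trade-off visible: as far as I can tell the journal gateway and journal-remote that `http` turns on are now built without TLS, so journal transport over that path is plaintext. Worth keeping that in view at the place where `http` is enabled, e.g. in the targets file `# enable journal gateway and container features (built without TLS; ssl is disabled in coreos/base/package.use)`, and the base comment could read `avoid pulling in gnutls; this also leaves systemd-journal-gatewayd/remote without TLS`.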
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use
index 1142d571d4..24bf0ed15e 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use
@@ -22,11 +22,11 @@ sys-libs/ncurses minimal
 sys-libs/pam -berkdb
 sys-libs/gdbm berkdb
 
-# enable journal gateway and container features, avoid pulling in gnutls
-sys-apps/systemd audit importd http nat -ssl
+# enable journal gateway and container features
+sys-apps/systemd audit importd http nat
 
 # epoll is needed for systemd-journal-remote to work. coreos/bugs#919
-net-libs/libmicrohttpd epoll -ssl
+net-libs/libmicrohttpd epoll
 
 sys-boot/syslinux -custom-cflags
 