Fix Gentoo hardened support

This checks the profile, if it has hardened in it's name it needs xattr support
unfortunately xattr support cannot yet be relied on everywhere, so it needs to
be disabled for hardened profile builds to correctly pax-mark.

Change-Id: I7fb855249a9e6c9b6497ab5061b4ea3c014f5081
Closes-Bug: 1537177

bin/disk-image-create

@@ -217,6 +217,15 @@ if [ -z "$DIB_ROOT_LABEL" ]; then
     fi
 fi
 
+# xattr support cannot be relied upon with tmpfs builds
+# some kernels supoprt it, some don't
+if [[ -n "${GENTOO_PROFILE}" ]]; then
+    if [[ "${GENTOO_PROFILE}" =~ "hardened" ]]; then
+        echo 'disabling tmpfs for gentoo hardened build'
+        export DIB_NO_TMPFS=1
+    fi
+fi
+
 mk_build_dir
 create_base
 # This variable needs to be propagated into the chroot

elements/base/pkg-map

@@ -5,6 +5,28 @@
     },
     "suse": {
       "dkms_package": ""
+    },
+    "gentoo": {
+      "ccache_package": "dev-util/ccache",
+      "curl": "net-misc/curl",
+      "dhcp_client": "net-misc/dhcp",
+      "dkms_package": "",
+      "extlinux": "sys-boot/syslinux",
+      "git": "dev-vcs/git",
+      "grub_bios": "sys-boot/grub",
+      "grub-pc": "sys-boot/grub",
+      "ironic-python-agent": "",
+      "iscsi_package": "sys-block/open-iscsi",
+      "isc-dhcp-client": "net-misc/dhcp",
+      "isolinux": "",
+      "ncat": "net-analyzer/netcat",
+      "qemu-utils": "app-emulation/qemu",
+      "python-dev": "",
+      "PyYAML": "dev-python/pyyaml",
+      "syslinux": "sys-boot/syslinux",
+      "syslinux-common": "",
+      "tftp": "net-ftp/tftp-hpa",
+      "tgt": "sys-block/tgt"
     }
   },
   "default": {

elements/gentoo/bin/install-packages

@@ -34,6 +34,12 @@ function show_options {
 
 function fix_shm {
     if [[ "${RUN_ONCE_SHM}" == '1' ]]; then
+        if [[ -L /dev/shm.orig ]]; then
+            rm /dev/shm.orig
+        fi
+        if [[ -d /dev/shm.orig ]]; then
+            rm -Rf /dev/shm.orig
+        fi
         mv /dev/shm /dev/shm.orig
         mkdir /dev/shm
         mount -t tmpfs none /dev/shm
@@ -53,7 +59,7 @@ function unfix_shm {
 function install_gentoo_packages {
     RUN_ONCE_SHM='1'
     fix_shm
-    emerge "$@"
+    emerge $@
     unfix_shm
 }
 

elements/gentoo/element-deps

@@ -1,2 +1,3 @@
 cache-url
 dib-run-parts
+package-installs

elements/gentoo/environment.d/00-gentoo-distro-name.bash

@@ -0,0 +1,2 @@
+export DISTRO_NAME=gentoo
+export GENTOO_PROFILE=$(eselect profile show | tail -n 1)

elements/gentoo/environment.d/10-gentoo-distro-name.bash

@@ -1 +0,0 @@
-export DISTRO_NAME=gentoo

elements/gentoo/package-installs.yaml

@@ -0,0 +1 @@
+sys-fs/dosfstools:

elements/gentoo/post-install.d/99-cleanup

@@ -0,0 +1,39 @@
+#!/bin/bash
+
+if [[ ${DIB_DEBUG_TRACE:-0} -gt 0 ]]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+# make sure system is in a consistant state
+USE="-build" emerge -uDNv --with-bdeps=y --jobs=2 @world
+USE="-build" emerge --verbose=n --depclean
+USE="-build" emerge -v --usepkg=n @preserved-rebuild
+
+# update config files
+etc-update --automode -5
+
+# clean up portage files
+emerge --verbose=n --depclean
+emaint all -f
+eselect news read all
+eclean-dist --destructive
+
+# clean up files that may have been changed during build
+shopt -s extglob
+rm -Rf /tmp/!(ccache|in_target*|profiledir*)
+shopt -u extglob
+
+rm -Rf /root/.ccache/* /usr/portage/* /usr/src/* /var/cache/edb/dep/* /var/cache/genkernel/* /var/empty/* /var/run/* /var/state/* /var/tmp/* /var/cache/portage/distfiles
+rm -Rf /etc/*- /etc/*.old /etc/ssh/ssh_host_* /root/.*history /root/.lesshst /root/.ssh/known_hosts /root/.viminfo /usr/share/genkernel /usr/lib64/python*/site-packages/gentoolkit/test/eclean/testdistfiles.tar.gz
+
+# shrink a bit
+for i in $(find /var/log -type f); do echo > $i; done
+find /usr/share/man/ -mindepth 1  -maxdepth 1 -path "/usr/share/man/man*" -prune -o -exec rm -rf {} \;
+
+# make it so we don't have to reinstall grub
+if [[ -a /usr/sbin/grub2-install ]]; then
+    mkdir -p /tmp/grub
+    touch /tmp/grub/install
+fi

elements/gentoo/pre-install.d/01-gentoo-install

@@ -7,3 +7,8 @@ set -eu
 set -o pipefail
 
 install -m 0755 -o root -g root $(dirname $0)/../bin/* /usr/local/bin
+
+# migrate pt_pax flags to xt_pax
+if [[ -a /usr/sbin/migrate-pax ]]; then
+    /usr/sbin/migrate-pax -m
+fi

elements/gentoo/root.d/10-gentoo-image

@@ -42,16 +42,16 @@ ELEMENT_DIR=${ELEMENT_DIR:-"${ELEMENTS_PATH}/gentoo"}
 GENTOO_PROFILE=${GENTOO_PROFILE:-'default/linux/amd64/13.0'}
 if [[ "${GENTOO_PROFILE}" == "default/linux/amd64/13.0" ]]; then
     FILENAME_BASE='gentoo-stage4'
-    SIGNED_SOURCE_SUFFIX='cloud'
+    SIGNED_SOURCE_SUFFIX='minimal'
 elif [[ "${GENTOO_PROFILE}" == "default/linux/amd64/13.0/no-multilib" ]]; then
     FILENAME_BASE='gentoo-stage4-nomultilib'
-    SIGNED_SOURCE_SUFFIX='cloud-nomultilib'
+    SIGNED_SOURCE_SUFFIX='minimal-nomultilib'
 elif [[ "${GENTOO_PROFILE}" == "hardened/linux/amd64" ]]; then
     FILENAME_BASE='gentoo-stage4-hardened'
-    SIGNED_SOURCE_SUFFIX='hardened+cloud'
+    SIGNED_SOURCE_SUFFIX='hardened+minimal'
 elif [[ "${GENTOO_PROFILE}" == "hardened/linux/amd64/no-multilib" ]]; then
     FILENAME_BASE='gentoo-stage4-hardened-nomultilib'
-    SIGNED_SOURCE_SUFFIX='hardened+cloud-nomultilib'
+    SIGNED_SOURCE_SUFFIX='hardened+minimal-nomultilib'
 else
     echo 'invalid profile, please select from the following profiles'
     echo 'default/linux/amd64/13.0'