Compare commits


No commits in common. "master" and "gentoo" have entirely different histories.

122 changed files with 4036 additions and 701 deletions

8
.gitignore vendored

@ -1 +1,7 @@
/_build
/images
/linux
/output
/repos/x-portage
/.built
/.prepared
/.host-tools


@ -1,40 +0,0 @@
config AIMEEOS
bool "Aimee OS"
depends on BR2_INIT_SYSTEMD
select BR2_TARGET_ROOTFS_SQUASHFS
select BR2_TARGET_ROOTFS_SQUASHFS4_GZIP
select BR2_LINUX_KERNEL_INSTALL_TARGET
select BR2_PACKAGE_SYSTEMD_EFI
select BR2_PACKAGE_SYSTEMD_COREDUMP
select BR2_PACKAGE_SYSTEMD_SYSUSERS
select BR2_PACKAGE_COREUTILS
select BR2_PACKAGE_TAR
select BR2_PACKAGE_ZSTD
select BR2_PACKAGE_HOST_DOSFSTOOLS
select BR2_PACKAGE_HOST_GENIMAGE
select BR2_PACKAGE_HOST_MTOOLS
select BR2_TARGET_GRUB2
select BR2_PACKAGE_HOST_ZSTD
select BR2_PACKAGE_AIMEE_OS_UTILS
help
Enable all Aimee OS features.
comment "Aimee OS needs systemd"
depends on !BR2_INIT_SYSTEMD
config AIMEEOS_RPI
bool "Aimee OS Raspberry Pi support"
depends on AIMEEOS
select BR2_TARGET_UBOOT
select BR2_TARGET_UBOOT_NEEDS_OPENSSL
select BR2_TARGET_UBOOT_NEEDS_GNUTLS
select BR2_TARGET_GRUB2_ARM_EFI
help
Support running Aimee OS on Rasperry Pi devices
config AIMEEOS_DEFAULT_ROOTFLAGS
string "Default kernel command line argumens"
help
Additional command line arguments to pass to the kernel by default.
source "$BR2_EXTERNAL_AIMEEOS_PATH/package/aimee-os-utils/Config.in"

130
Makefile Normal file

@ -0,0 +1,130 @@
O ?= .
IMAGESDIR ?= $(O)/images
CONFIGDIR ?= .
export CONFIGDIR
update.tar: $(IMAGESDIR)/update.tar.zstd
$(O)/portage/.stamp: \
$(shell find portage -type f) \
$(shell find $(CONFIGDIR)/portage -type f)
rm -rf $(O)/portage
mkdir -p $(O)/portage/etc/portage
tar -C portage -c . | tar -C $(O)/portage/etc/portage -x
tar -C $(CONFIGDIR)/portage -c . | tar -C $(O)/portage/etc/portage -x
touch $@
portage: $(O)/portage/.stamp
$(O)/.prepared: \
$(O)/portage/.stamp \
prepare.sh \
setup-local-repo.sh
./prepare.sh
./setup-local-repo.sh
mkdir -p $(O)
touch $(O)/.prepared
prepare: $(O)/.prepared
$(O)/.built: \
build.sh \
build.packages \
install.packages \
$(wildcard $(CONFIGDIR)/build.packages) \
$(CONFIGDIR)/install.packages \
$(O)/portage/.stamp \
$(O)/.prepared
./build.sh
touch $(O)/.built
build: $(O)/.built
$(O)/semanage.mods: \
semanage.mods \
$(wildcard $(CONFIGDIR)/semanage.mods)
cat $^ > $@
$(O)/.ready: \
build-rootfs.sh \
install.packages \
$(CONFIGDIR)/install.packages \
$(wildcard $(CONFIGDIR)/installonly.packages) \
$(wildcard $(CONFIGDIR)/busybox.symlinks) \
$(O)/linux/arch/arm64/boot/Image.gz \
$(O)/semanage.mods \
$(shell find overlay -type f) \
$(shell find $(CONFIGDIR)/overlay -type f 2>/dev/null) \
$(O)/.built
./build-rootfs.sh "$(O)"
touch $(O)/.ready
$(O)/squashfs.exclude: \
squashfs.exclude \
$(shell test -f $(CONFIGDIR)/squashfs.exclude && echo $(CONFIGDIR)/squashfs.exclude)
mkdir -p $(O)
sort $^ > $@
$(O)/squashfs.pseudo: \
$(wildcard $(CONFIGDIR)/squashfs.pseudo)
sort /dev/null $^ > $@
$(IMAGESDIR)/rootfs.squashfs: \
build-squashfs.sh \
$(O)/squashfs.exclude \
$(O)/squashfs.pseudo \
$(O)/.ready
./build-squashfs.sh "$(O)" "$(IMAGESDIR)"
squashfs: $(IMAGESDIR)/rootfs.squashfs
$(O)/linux/arch/arm64/boot/Image.gz: \
build-kernel.sh \
$(CONFIGDIR)/linux.config \
$(O)/.prepared
./build-kernel.sh "$(O)"
kernel: $(O)/linux/arch/arm64/boot/Image.gz
$(O)/efi-part/EFI/BOOT/BOOTAA64.efi: \
build-grub.sh \
grub.cfg \
$(O)/.prepared
./build-grub.sh "$(O)"
grub: $(O)/efi-part/EFI/BOOT/BOOTAA64.efi
$(IMAGESDIR)/sdcard.img: \
genimage.cfg \
genimage.sh \
post-build.sh \
$(O)/efi-part/EFI/BOOT/BOOTAA64.efi \
$(IMAGESDIR)/rootfs.squashfs
./post-build.sh "$(O)"
./genimage.sh "$(O)" "$(IMAGESDIR)"
sdcard.img: $(IMAGESDIR)/sdcard.img
$(IMAGESDIR)/firmware.img: $(IMAGESDIR)/sdcard.img
$(IMAGESDIR)/update.tar.zstd: \
$(IMAGESDIR)/rootfs.squashfs \
$(IMAGESDIR)/firmware.img \
install-update.sh \
$(O)/.prepared
./build-update.sh "$(IMAGESDIR)"
clean:
rm -rf $(O)/linux $(O)/output $(IMAGESDIR) $(O)/tmp
rm -f $(O)/.prepared
.PHONY: \
build \
grub \
kernel \
portage \
prepare \
sdcard.img \
squashfs \
update.tar
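Review bot: `clean` is missing from the `.PHONY` list that closes this hunk, so a file named `clean` in the checkout silently disables the target; add `clean \` to that list. Its recipe also runs `rm -rf $(O)/linux $(O)/output $(IMAGESDIR) $(O)/tmp`, and because `O ?= .` can be overridden with an empty value from the command line, guard it with `$(if $(strip $(O)),,$(error O is empty))` before the `rm`. The file never sets `.DELETE_ON_ERROR:`, so a failed `cat $^ > $@` in the `semanage.mods` rule or an interrupted `sort $^ > $@` leaves a truncated target that looks up to date on the next run. Finally, the `update.tar.zstd` rule invokes `./build-update.sh` but lists `install-update.sh` as its script prerequisite, so edits to `build-update.sh` never trigger a rebuild.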

18
README.md Normal file

@ -0,0 +1,18 @@
## Errors
### SWIOTLB Buffer
> OF: reserved mem: failed to allocate memory for node
> …
> Can not allocate SWIOTLB buffer earlier and can't now provide you with the
> DMA bounce buffer
Ensure `start_x=1` is in `config.txt` and `start_file`/`fixup_file` are not
specified.
### U-Boot: Overwrite Reserved Memory
> ** Reading file would overwrite reserved memory **
Set `CONFIG_LMB_MAX_REGIONS=16` in `u-boot/.config`


@ -1 +0,0 @@
../raspberrypi3/genimage.cfg


@ -1,18 +0,0 @@
#!/bin/sh
set -e
BOARD_DIR=$(dirname "$0")
genimage_tmp=$(mktemp -d)
trap 'rm -rf "${genimage_tmp}"' EXIT
mkdir -p "${genimage_tmp}"/rootfs "${genimage_tmp}"/tmp
cd "${BINARIES_DIR}"
genimage \
--rootpath "${genimage_tmp}/rootfs" \
--tmppath "${genimage_tmp}/tmp" \
--inputpath "${BINARIES_DIR}" \
--outputpath "${BINARIES_DIR}" \
--config "${BOARD_DIR}"/genimage.cfg


@ -1,12 +0,0 @@
start_file=start.elf
fixup_file=fixup.dat
kernel=u-boot.bin
disable_overscan=1
# U-Boot requires a UART port. There are three options for enabling one:
# 1. Disable Bluetooth with dtoverlay=disable-bt
# 2. Swap Bluetooth to the mini UART with dtoverlay=miniuart-bt
# 3. Enable the mini UART as primary with enable_uart=1
dtoverlay=disable-bt


@ -1,26 +0,0 @@
#!/bin/sh
set -e
BOARD_DIR=$(dirname "$0")
GRUBENV="${BINARIES_DIR}"/efi-part/EFI/BOOT/grubenv
genimage_tmp=$(mktemp -d)
trap 'rm -rf "${genimage_tmp}"' EXIT
cp -alf "${BINARIES_DIR}"/u-boot.bin "${BINARIES_DIR}"/efi-part/
cp -alf "${BINARIES_DIR}"/*.dtb "${BINARIES_DIR}"/efi-part/
cp -alf "${BINARIES_DIR}"/rpi-firmware/* "${BINARIES_DIR}"/efi-part/
mkdir -p "${genimage_tmp}"/rootfs "${genimage_tmp}"/tmp
grub-editenv "${GRUBENV}" set default=0
grub-editenv "${GRUBENV}" set timeout=3
cd "${BINARIES_DIR}"
genimage \
--rootpath "${genimage_tmp}/rootfs" \
--tmppath "${genimage_tmp}/tmp" \
--inputpath "${BINARIES_DIR}" \
--outputpath "${BINARIES_DIR}" \
--config "${BOARD_DIR}"/genimage.cfg


@ -1,14 +0,0 @@
#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :
vers=${BR2_EXTERNAL_AIMEEOS_VERSION}
br2_vers=${BR2_VERSION_FULL}
kernel_filename=$1
cat > "${TARGET_DIR}"/boot/grub.cfg <<EOF
menuentry "Aimee OS ${vers} (Buildroot ${br2_vers}) on \$dev" --class gnu-linux --id "id-\$partuuid" "\$dev" "\$partuuid" {
set root="\$2"
linux "/boot/${kernel_filename}" root=PARTUUID=\$3 ro \$rootflags
initrd "/boot/initramfs.img.zst"
}
EOF


@ -1,11 +0,0 @@
# vim: set ft=sh :
# vim: set sw=4 ts=4 sts=4 et:
load_env
regexp --set 1:disk '(.*),.*' $root
for dev in ($disk,gpt*); do
if [ -f $dev/boot/grub.cfg ]; then
probe --set partuuid --part-uuid $dev
source $dev/boot/grub.cfg
fi
done


@ -1,27 +0,0 @@
#!/bin/sh
mkdir -p \
/dev \
/proc \
/run \
/sys \
/sysroot \
&& :
mount -t devtmpfs devtmpfs /dev
mount -t proc proc /proc
mount -t sysfs sysfs /sys
mount -t tmpfs tmpfs /run
set -- $(cat /proc/cmdline)
for arg; do
case "${arg}" in
root=*)
root=${arg#root=}
;;
esac
done
init-storage "${root}"
exec switch_root /sysroot /sbin/init


@ -1,114 +0,0 @@
#!/bin/sh
if [ $(id -u) != 0 ]; then
exec "${HOST_DIR}"/bin/fakeroot "$0" "$@"
fi
export PATH="${HOST_DIR}:${PATH}"
TARGET_DIR=$1
WORKDIR=$(mktemp -d)
OUTDIR="${WORKDIR}"/initramfs
LIB_CACHE="${WORKDIR}"/libs.cache
PKGDIR="${0%/*}"
trap 'rm -rf "${WORKDIR}"' INT QUIT TERM EXIT
cache_libs() {
find \
"${TARGET_DIR}"/usr/lib \
"${TARGET_DIR}"/usr/lib64 \
\( -type f -o -type l \) \
-name '*.so*' \
| sed "s@${TARGET_DIR}@@" \
> "${LIB_CACHE}"
}
bin_install() {
for arg; do
arg=${arg#/}
[ -e "${OUTDIR}/${arg}" ] && continue
mkdir -p "${OUTDIR}/${arg%/*}"
cp -a "${TARGET_DIR}/${arg}" "${OUTDIR}/${arg}"
if [ -h "${TARGET_DIR}/${arg}" ]; then
bin_install "$(realpath --relative-to "${TARGET_DIR}" "${TARGET_DIR}/${arg}")"
elif [ -f "${TARGET_DIR}/${arg}" ]; then
readelf --dynamic "${TARGET_DIR}/${arg}" \
| awk '$2=="(NEEDED)"{gsub(/\[|\]/,"",$5); print $5}' \
| while IFS= read -r lib; do
path="$(grep "${lib}"'$' "${LIB_CACHE}")"
if [ -z "${path}" ]; then
printf 'ERROR could not resolve shared library %s\n' "${lib}" >&2
return 1
fi
bin_install "${path}"
done
elif [ ! -e "${TARGET_DIR}/${arg}" ]; then
printf 'ERROR could not find /%s to copy\n' "${arg}" >&2
return 1
fi
done
}
mk_skel() {
mkdir -p "${OUTDIR}"/dev
mknod -m 0622 "${OUTDIR}"/dev/console c 5 1
mkdir -p \
"${OUTDIR}"/usr \
"${OUTDIR}"/usr/bin \
"${OUTDIR}"/usr/sbin \
"${OUTDIR}"/usr/lib
ln -s usr/bin "${OUTDIR}"/bin
ln -s usr/sbin "${OUTDIR}"/sbin
ln -s usr/lib "${OUTDIR}"/lib
if [ -h "${TARGET_DIR}"/usr/lib64 ]; then
cp -P "${TARGET_DIR}"/usr/lib64 "${OUTDIR}"/usr
fi
if [ -h "${TARGET_DIR}"/lib64 ]; then
cp -P "${TARGET_DIR}"/lib64 "${OUTDIR}"
fi
}
rm -rf "${OUTDIR}"
mk_skel || exit
cache_libs || exit
bin_install \
/bin/cat \
/bin/cp \
/bin/ls \
/bin/mkdir \
/bin/mount \
/bin/rm \
/bin/sh \
/bin/sleep \
/bin/sort \
/bin/tail \
/bin/umount \
/usr/bin/btrfs \
/usr/bin/mkfs.btrfs \
/usr/bin/mountpoint \
/usr/bin/readlink \
/usr/sbin/blkid \
/usr/sbin/findfs \
/usr/sbin/partx \
/usr/sbin/sfdisk \
/usr/sbin/switch_root \
|| exit
if [ -e "${TARGET_DIR}"/usr/bin/setfiles ]; then
bin_install /usr/bin/setfiles || exit
fi
install "${PKGDIR}"/initramfs/initramfs-init.sh "${OUTDIR}"/init || exit
install "${PKGDIR}"/initramfs/init-storage.sh "${OUTDIR}"/usr/bin/init-storage || exit
mkdir -p "${TARGET_DIR}"/boot
(cd "${OUTDIR}" && find . -mindepth 1 \
| LC_ALL=C sort \
| cpio --reproducible --quiet -o -H newc \
| zstd \
) > "${TARGET_DIR}"/boot/initramfs.img.zst

44
build-grub.sh Executable file

@ -0,0 +1,44 @@
#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :
set -e
. "${CONFIGDIR:=${PWD}}"/config
O="${1}"
GRUB_MODULES='
boot
echo
efi_gop
eval
fat
gzio
linux
loadenv
normal
part_gpt
probe
regexp
serial
squash4
test
xzio
zstd
'
echo 'Creating GRUB image ...'
mkdir -p "${O}"/efi-part/EFI/BOOT
grub-mkimage \
-O arm64-efi \
-o "${O}"/efi-part/EFI/BOOT/BOOTAA64.efi \
-d /usr/${target}/usr/lib/grub/arm64-efi \
-p /EFI/gentoo \
${GRUB_MODULES}
echo 'Generating GRUB configuration file ...'
mkdir -p "${O}"/efi-part/EFI/gentoo
cp -uv grub.cfg "${O}"/efi-part/EFI/gentoo
grub-editenv "${O}"/efi-part/EFI/gentoo/grubenv set rootflags='ro'
grub-editenv "${O}"/efi-part/EFI/gentoo/grubenv set default=0
grub-editenv "${O}"/efi-part/EFI/gentoo/grubenv set timeout=5
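Review bot: `${target}` on the `-d /usr/${target}/usr/lib/grub/arm64-efi` line comes from the sourced `config` file and is never checked; with `set -e` but no `set -u`, an unset value silently turns the path into `/usr//usr/lib/grub/arm64-efi`. Fail fast right after the `. "${CONFIGDIR:=${PWD}}"/config` line with `: "${target:?must be set in ${CONFIGDIR}/config}"`. The same unchecked `${target}` (and `${kernel_pkg}`, `${kernel_defconfig}`, `${device_tree}`, `${profile}`) appears in build-kernel.sh, build-rootfs.sh, build.sh and ocivm.sh in this commit.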

40
build-kernel.sh Executable file

@ -0,0 +1,40 @@
#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :
set -e
O="${1}"
. "${CONFIGDIR:=${PWD}}"/config
USE=symlink \
emerge -vnuUj ${kernel_pkg}
export ARCH=arm64 CROSS_COMPILE=${target}-
unset MAKEFLAGS MAKEOVERRIDES MAKELEVEL
mkdir -p "${O}"/linux
/usr/src/linux/scripts/kconfig/merge_config.sh -m \
-O "${O}"/linux \
/usr/src/linux/arch/*/configs/${kernel_defconfig}_defconfig \
"${CONFIGDIR}"/linux.config
cd "${O}"/linux
make -C /usr/src/linux O=${PWD} olddefconfig
make -j$(nproc)
touch arch/arm64/boot/Image.gz
kver=$(make -s kernelversion)
make modules_install INSTALL_MOD_PATH=/mnt/gentoo/usr
cd -
printf 'Installing Kernel %s ...\n' "${kver}"
mkdir -p /mnt/gentoo/boot
cp -au "${O}"/linux/arch/arm64/boot/Image.gz /mnt/gentoo/boot/vmlinuz-${kver}
cp -au "${O}"/linux/.config /mnt/gentoo/boot/config-${kver}
cp -au "${O}"/linux/System.map /mnt/gentoo/boot/System.map-${kver}
printf 'Installing device tree binaries ...\n'
mkdir -p "${O}"/efi-part/overlays
cp -u "${O}"/linux/arch/arm64/boot/dts/${device_tree} "${O}"/efi-part/
cp -u \
"${O}"/linux/arch/arm64/boot/dts/overlays/*.dtb \
"${O}"/linux/arch/arm64/boot/dts/overlays/*.dtbo \
"${O}"/efi-part/overlays/

120
build-rootfs.sh Executable file

@ -0,0 +1,120 @@
#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :
set -e
. "${CONFIGDIR:=${PWD}}"/config
O="${1}"
mkdir -p /mnt/gentoo/etc/portage
ln -snf \
/var/db/repos/gentoo/profiles/${profile} \
/mnt/gentoo/etc/portage/make.profile
USE=build \
emerge \
--root=/mnt/gentoo \
--config-root="${O}"/portage \
-kvnjU \
sys-apps/baselayout
cat \
install.packages \
"${CONFIGDIR}"/install.packages \
| xargs -ro \
${target}-emerge \
--root=/mnt/gentoo \
--config-root="${O}"/portage \
-KvnuUDj \
--rebuilt-binaries=y
if [ -f "${CONFIGDIR}"/installonly.packages ]; then
< "${CONFIGDIR}"/installonly.packages xargs -ro \
${target}-emerge \
--root=/mnt/gentoo \
--config-root="${O}"/portage \
-vnuUDj
fi
ROOT=/mnt/gentoo \
locale-gen
mkdir -p \
/mnt/gentoo/boot/efi \
/mnt/gentoo/dev \
/mnt/gentoo/home \
/mnt/gentoo/proc \
/mnt/gentoo/sys \
|| exit
: > /mnt/gentoo/etc/machine-id
cat \
"${CONFIGDIR}"/busybox.symlinks \
busybox.symlinks \
| while read name; do
if [ ! -h /mnt/gentoo/bin/"${name}" ]; then
printf "'/bin/%s' -> 'busybox'\n" "${name}"
ln -snf busybox /mnt/gentoo/bin/"${name}" \
|| printf 'Failed to create busybox symlink for %s\n' "${name}"
fi
done
rsync -rltpDO overlay/ /mnt/gentoo/
if [ -d "${CONFIGDIR}"/overlay ]; then
rsync -rltpDO "${CONFIGDIR}"/overlay/ /mnt/gentoo/
fi
cp -uv /usr/${target}/usr/bin/grub-editenv /mnt/gentoo/usr/bin/
if [ -d /mnt/gentoo/usr/${target} ]; then
rsync -aO /mnt/gentoo/usr/${target}/ /mnt/gentoo/
fi
if [ -f /mnt/gentoo/etc/udev/hwdb.bin ]; then
mv /mnt/gentoo/etc/udev/hwdb.bin /mnt/gentoo/usr/lib/udev/
fi
rm -f /mnt/gentoo/lib/tmpfiles.d/provision.conf
systemd-tmpfiles --root=/mnt/gentoo -E --exclude-prefix=/var --create
systemctl preset-all --root=/mnt/gentoo
rm -f /mnt/gentoo/lib/systemd/system/sysinit.target.wants/ldconfig.service
systemd-sysusers --root=/mnt/gentoo
if grep -q '^root:.*/bin/bash$' /mnt/gentoo/etc/passwd; then
sed -ri 's@(root:.*):/bin/bash@\1:/bin/sh@' /mnt/gentoo/etc/passwd
fi
if ! grep -q Include /mnt/gentoo/etc/ssh/sshd_config; then
echo 'Include /etc/ssh/sshd_config.d/*.conf' \
>> /mnt/gentoo/etc/ssh/sshd_config
fi
case ${profile} in *selinux*)
# Although `semanage` accepts a `--store` argument that supposedly
# instructs it to operate on an alternate SELinux policy store, it
# doesn't actually work. As such, we have to run `semanage` in an
# alternate mount namespace with the target policy store bind-mounted
# at the default location so `semanage` can operate on it.
unshare -m sh -e <<EOF
mount -o bind /mnt/gentoo/var/lib/selinux /var/lib/selinux
mount -o bind /mnt/gentoo/etc/selinux /etc/selinux
semanage import -N -f "${O}"/semanage.mods
EOF
setfiles \
-p \
-F \
-m \
-r /mnt/gentoo \
-c /mnt/gentoo/etc/selinux/mcs/policy/policy.* \
-e /mnt/gentoo/var/db/pkg \
-e /mnt/gentoo/etc/portage \
/mnt/gentoo/etc/selinux/mcs/contexts/files/file_contexts \
/mnt/gentoo
;;
esac
touch /mnt/gentoo/usr
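Review bot: The `grep -q Include /mnt/gentoo/etc/ssh/sshd_config` test matches the word anywhere in the file, including a commented-out `#Include` line, in which case the `Include /etc/ssh/sshd_config.d/*.conf` directive is never appended and the drop-in `AuthorizedKeysCommand` settings are silently ignored; anchor it as `grep -q '^Include' …`. The `cat "${CONFIGDIR}"/busybox.symlinks busybox.symlinks | while read name` loop also treats the per-config file as mandatory although the Makefile lists it as `$(wildcard …)`; because the pipeline's status is that of `while`, a missing file only produces a stderr message, so either guard it with `[ -f … ]` or drop the `wildcard`. `read -r name` would also keep backslashes in the symlink names intact.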

20
build-squashfs.sh Executable file

@ -0,0 +1,20 @@
#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :
set -e
. "${CONFIGDIR:=${PWD}}"/config
O="${1}"
IMAGESDIR="${2}"
mkdir -p "${IMAGESDIR}"
mksquashfs \
/mnt/gentoo \
"${IMAGESDIR}"/rootfs.squashfs \
-comp gzip \
-ef "${O}"/squashfs.exclude \
-pf "${O}"/squashfs.pseudo \
-no-exports \
-noappend \
-wildcards

20
build-update.sh Executable file

@ -0,0 +1,20 @@
#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :
set -e
. "${CONFIGDIR:=${PWD}}"/config
IMAGESDIR="$1"
cd "${IMAGESDIR}"
sha256sum firmware.img > digests
sha256sum rootfs.squashfs >> digests
cp -u "${OLDPWD}"/install-update.sh install
tar -c --zstd -f update.tar.zstd \
digests \
firmware.img \
rootfs.squashfs \
install \
|| exit
rm install

1
build.packages Normal file

@ -0,0 +1 @@
sys-boot/grub

21
build.sh Executable file

@ -0,0 +1,21 @@
#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :
set -e
. "${CONFIGDIR}"/config
unset MAKEFLAGS MAKEOVERRIDES MAKELEVEL
export PORTAGE_CONFIGROOT="${O}"/portage
${target}-emerge -bkvuUDj sys-apps/util-linux
cat \
build.packages \
install.packages \
"${CONFIGDIR}"/build.packages \
"${CONFIGDIR}"/install.packages \
| xargs -rot \
${target}-emerge -bkvnuUDj
${target}-emerge -bv @preserved-rebuild
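Review bot: `export PORTAGE_CONFIGROOT="${O}"/portage` relies on `O`, but this script receives no argument, unlike `build-kernel.sh` and `build-rootfs.sh` which take `O="${1}"`, and the Makefile only exports `CONFIGDIR`; unless `O` is given on the make command line or in the environment, the config root resolves to `/portage`. Pass it explicitly — `./build.sh "$(O)"` in the Makefile and `O="${1}"` here — or at least fail with `: "${O:?}"`. This script also sources `"${CONFIGDIR}"/config` without the `${CONFIGDIR:=${PWD}}` default the sibling scripts use, so running it outside make fails differently from the rest.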

62
busybox.symlinks Normal file

@ -0,0 +1,62 @@
basename
cat
chcon
cp
dd
df
du
echo
env
false
free
fsync
fuser
grep
groups
head
id
install
ip
kill
less
link
ln
ls
lsof
mkdir
mkfifo
mktemp
mv
nice
nproc
pgrep
ping
ping6
pkill
ppidof
printf
ps
readahead
readlink
realpath
rm
rmdir
sed
seq
sh
sha1sum
sha256sum
sha3sum
sha512sum
sort
stat
stty
sync
tac
tail
tar
tee
truncate
tty
uname
uptime

75
ci/Jenkinsfile vendored

@ -1,75 +0,0 @@
pipeline {
parameters {
booleanParam 'CLEAN_BUILD'
string 'CUSTOM_TARGET'
}
options {
disableConcurrentBuilds()
}
agent {
kubernetes {
yamlFile 'ci/podTemplate.yaml'
yamlMergeStrategy merge()
workspaceVolume persistentVolumeClaimWorkspaceVolume(
claimName: 'buildroot-aimeeos'
)
defaultContainer 'build'
}
}
environment {
BR2_CCACHE_DIR = "${env.JENKINS_AGENT_WORKDIR}/br2-ccache"
}
stages {
stage('Clean') {
when {
expression {
return params.CLEAN_BUILD
}
}
steps {
sh 'git clean -fdx'
}
}
stage('Prepare') {
steps {
container('jnlp') {
sh 'if [ ! -d buildroot ]; then git clone https://gitlab.com/buildroot.org/buildroot.git -b 2025.05.x --depth 1; else git -C buildroot pull; fi'
}
}
}
stage('Build') {
steps {
sh 'make -C buildroot O="${PWD}"/_build BR2_EXTERNAL="${PWD}" aimeeos_qemu_aarch64_defconfig'
script {
if (params.CUSTOM_TARGET) {
sh "make -C _build '${CUSTOM_TARGET}'"
}
}
sh 'make -C _build'
}
post {
success {
dir('_build') {
archiveArtifacts('.config')
}
dir('_build/images') {
sh 'zstd -f firmware.img'
sh 'zstd -f sdcard.img'
archiveArtifacts([
'firmware.img.zst',
'rootfs.squashfs',
'sdcard.img.zst',
'update.tar.zst',
].join(','))
}
}
}
}
}
}


@ -1,19 +0,0 @@
spec:
containers:
- name: build
image: git.pyrocufflink.net/containerimages/buildroot
resources:
limits: &resources
cpu: 6
memory: 12Gi
requests: *resources
volumeMounts:
- mountPath: /etc/ssh/ssh_known_hosts
name: ssh-known-hosts
subPath: ssh_known_hosts
securityContext:
fsGroupChangePolicy: OnRootMismatch
volumes:
- name: ssh-known-hosts
configMap:
name: ssh-known-hosts


@ -1,14 +0,0 @@
BR2_aarch64=y
BR2_TOOLCHAIN_BUILDROOT_VENDOR="aimeeos"
BR2_GLOBAL_PATCH_DIR="board/qemu/patches"
BR2_DOWNLOAD_FORCE_CHECK_HASHES=y
BR2_INIT_SYSTEMD=y
BR2_ROOTFS_POST_IMAGE_SCRIPT="$(BR2_EXTERNAL_AIMEEOS_PATH)/board/qemu/post-image.sh"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/aarch64-virt/linux.config"
BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
# BR2_PACKAGE_BUSYBOX is not set
# BR2_TARGET_ROOTFS_TAR is not set
AIMEEOS=y
AIMEEOS_DEFAULT_ROOTFLAGS="systemd.mask=serial-getty@ttyAMA0 systemd.debug_shell systemd.default_debug_tty=ttyAMA0"


@ -1,28 +0,0 @@
BR2_arm=y
BR2_cortex_a53=y
BR2_ARM_FPU_NEON_VFPV4=y
BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_6_12=y
BR2_GLOBAL_PATCH_DIR="board/raspberrypi/patches"
BR2_DOWNLOAD_FORCE_CHECK_HASHES=y
BR2_INIT_SYSTEMD=y
BR2_ROOTFS_POST_IMAGE_SCRIPT="$(BR2_EXTERNAL_AIMEEOS_PATH)/board/raspberrypi3/post-image.sh"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_TARBALL=y
BR2_LINUX_KERNEL_CUSTOM_TARBALL_LOCATION="$(call github,raspberrypi,linux,ac69f097e1fba94502cbd36278db204120a37943)/linux-ac69f097e1fba94502cbd36278db204120a37943.tar.gz"
BR2_LINUX_KERNEL_DEFCONFIG="bcm2709"
BR2_LINUX_KERNEL_ZSTD=y
BR2_LINUX_KERNEL_DTS_SUPPORT=y
BR2_LINUX_KERNEL_INTREE_DTS_NAME="broadcom/bcm2710-rpi-3-b broadcom/bcm2710-rpi-3-b-plus broadcom/bcm2710-rpi-cm3"
BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
# BR2_PACKAGE_BUSYBOX is not set
BR2_PACKAGE_XZ=y
BR2_PACKAGE_RPI_FIRMWARE=y
BR2_PACKAGE_RPI_FIRMWARE_BOOTCODE_BIN=y
BR2_PACKAGE_RPI_FIRMWARE_VARIANT_PI=y
BR2_PACKAGE_RPI_FIRMWARE_CMDLINE_FILE="$(BR2_EXTERNAL_AIMEEOS_PATH)/board/raspberrypi3/cmdline.txt"
BR2_PACKAGE_RPI_FIRMWARE_CONFIG_FILE="$(BR2_EXTERNAL_AIMEEOS_PATH)/board/raspberrypi3/config.txt"
# BR2_TARGET_ROOTFS_TAR is not set
BR2_TARGET_UBOOT_BOARD_DEFCONFIG="rpi_3_32b"
BR2_PACKAGE_HOST_KMOD_XZ=y
AIMEEOS=y
AIMEEOS_RPI=y


@ -1,2 +0,0 @@
name: AIMEEOS
desc: Aimee OS (Buildroot)


@ -1,79 +0,0 @@
ifeq ($(AIMEEOS),y)
BR2_TOOLCHAIN_BUILDROOT_VENDOR = "aimeeos"
# Disable the default fstab
SKELETON_INIT_SYSTEMD_ROOT_RO_OR_RW =
# Disable the default var.mount
SKELETON_INIT_SYSTEMD_ROOTFS_PRE_CMD_HOOKS =
# Do not run preset-all at build time
SYSTEMD_PRESET_ALL =
# Enable required kernel options for Aimee OS storage
define AIMEEOS_LINUX_CONFIG_FIXUPS
$(call KCONFIG_ENABLE_OPT,CONFIG_BLK_DEV_INITRD)
$(call KCONFIG_ENABLE_OPT,CONFIG_EFI)
$(call KCONFIG_ENABLE_OPT,CONFIG_NLS_CODEPAGE_437)
$(call KCONFIG_ENABLE_OPT,CONFIG_NLS_ISO8859_1)
$(call KCONFIG_ENABLE_OPT,CONFIG_NLS_UTF8)
$(call KCONFIG_ENABLE_OPT,CONFIG_VFAT_FS)
$(call KCONFIG_SET_OPT,CONFIG_BTRFS_FS,y)
$(call KCONFIG_SET_OPT,CONFIG_OVERLAY_FS,y)
$(call KCONFIG_SET_OPT,CONFIG_SQUASHFS,y)
$(call KCONFIG_SET_OPT,CONFIG_MSDOS_FS,y)
endef
LINUX_KCONFIG_FIXUP_CMDS += $(AIMEEOS_LINUX_CONFIG_FIXUPS)
# Generate the initramfs image after building the target
BR2_ROOTFS_POST_BUILD_SCRIPT += $(BR2_EXTERNAL_AIMEEOS_PATH)/boot/mkinitramfs.sh
# Ensure the requisite GRUB2 modules are selected
define AIMEEOS_GRUB2_MODULES
boot
configfile
echo
efi_gop
fat
gzio
linux
loadenv
minicmd
normal
part_gpt
probe
regexp
squash4
terminfo
test
zstd
endef
BR2_TARGET_GRUB2_BUILTIN_MODULES_EFI += $(AIMEEOS_GRUB2_MODULES)
# Overwrite the grub.cfg provided by Buildroot with our own.
define AIMEEOS_GRUB2_INSTALL_IMAGES_CMDS
$(foreach tuple, $(GRUB2_TUPLES-y), \
$(INSTALL) -D -m 0644 $(BR2_EXTERNAL_AIMEEOS_PATH)/boot/grub2/grub.cfg $(GRUB2_CFG_$(tuple))
)
$(HOST_DIR)/bin/grub-editenv $(BINARIES_DIR)/efi-part/EFI/BOOT/grubenv set \
default=0 \
timeout=3 \
rootflags=$(AIMEEOS_DEFAULT_ROOTFLAGS)
endef
GRUB2_INSTALL_IMAGES_CMDS += $(AIMEEOS_GRUB2_INSTALL_IMAGES_CMDS)
# Generate the grub.cfg stub for the kernel embedded in rootfs.squashfs
define AIMEEOS_GEN_GRUB_CFG
$(BR2_EXTERNAL_AIMEEOS_PATH)/boot/grub2/gen-grub-cfg.sh $(LINUX_IMAGE_NAME)
endef
LINUX_TARGET_FINALIZE_HOOKS += AIMEEOS_GEN_GRUB_CFG
define AIMEEOS_TARGET_FINALIZE_HOOKS
echo uninitialized > $(TARGET_DIR)/etc/machine-id
endef
TARGET_FINALIZE_HOOKS += AIMEEOS_TARGET_FINALIZE_HOOKS
BR2_ROOTFS_POST_IMAGE_SCRIPT += $(BR2_EXTERNAL_AIMEEOS_PATH)/update/make-package.sh
endif
include $(sort $(wildcard $(BR2_EXTERNAL_AIMEEOS_PATH)/package/*/*.mk))

20
flash.sh Executable file

@ -0,0 +1,20 @@
#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :
dev=$(readlink -f "$1")
wipefs -fa "${dev}"
pv images/sdcard.img \
| dd of="${dev}" bs=1M conv=sparse oflag=sync
sync; sync; sync
sleep 1
for p in /sys/class/block/${dev##*/}/*/partition; do
[ -f "${p}" ] || continue
case $(cat "${p}") in
1|2)
;;
*)
p=${p%/*}
wipefs -fa /dev/${p##*/}
;;
esac
done
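Review bot: `wipefs -fa "${dev}"` and the `dd of="${dev}"` pipeline run without any check that `$1` names a block device and without `set -e`, so an empty or mistyped argument still proceeds to the next destructive step. Add `set -e` after the shebang and `[ -b "${dev}" ] || { printf 'not a block device: %s\n' "$1" >&2; exit 1; }` right after `dev=$(readlink -f "$1")`. The later `wipefs -fa /dev/${p##*/}` loop inherits the same assumption.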


@ -5,7 +5,7 @@ image firmware.img {
}
srcpath = "efi-part"
size = 64M
size = 32M
}
image sdcard.img {
@ -32,7 +32,7 @@ image sdcard.img {
size = 512M
}
partition aimeeos-data {
partition dch-data {
partition-type-uuid = "L"
autoresize = true
}

31
genimage.sh Executable file

@ -0,0 +1,31 @@
#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :
set -e
cleanup() {
if [ -n "${tmproot}" ]; then
if [ "${tmproot}" != / ]; then
rm -rf "${tmproot}"
fi
unset tmproot
fi
}
. "${CONFIGDIR:=${PWD}}"/config
O="${1}"
IMAGESDIR="${2}"
trap cleanup INT TERM QUIT EXIT
tmproot=$(mktemp -d)
tmppath=$(mktemp -d)
cd "${O}"
genimage \
--rootpath "${tmproot}" \
--tmppath "${tmppath}" \
--inputpath "${IMAGESDIR}" \
--outputpath "${IMAGESDIR}" \
--mkdosfs mkfs.vfat \
--config "${OLDPWD}"/genimage.cfg
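Review bot: `cleanup` removes `tmproot` but not `tmppath`, so the second `mktemp -d` directory is left behind on every run, including failed ones. Extend the function to handle both, e.g. `if [ -n "${tmppath}" ] && [ "${tmppath}" != / ]; then rm -rf "${tmppath}"; fi`, and `unset tmppath` alongside `unset tmproot`.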

19
grub.cfg Normal file

@ -0,0 +1,19 @@
# vim: set ft=sh :
# vim: set sw=4 ts=4 sts=4 et:
load_env
regexp --set 1:disk '(.*),.*' $root
for dev in ($disk,gpt*); do
probe --set partuuid --part-uuid $dev
for path in $dev/boot/vmlinuz-*; do
if [ -f $path ]; then
regexp --set 1:kernel '.*/(vmlinuz-.*)' $path
regexp --set 1:kver 'vmlinuz-(.*)' $kernel
menuentry "Gentoo Linux $kver on $dev" --class gnu-linux --id "id-$partuuid-$kver" "$dev" "$kernel" $partuuid {
set root="$2"
linux "/boot/$3" root=PARTUUID=$4 $rootflags
}
fi
done
done

94
install-update.sh Executable file

@ -0,0 +1,94 @@
#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :
. /lib/gentoo/functions.sh
die() {
rc=$?
if [ $rc -eq 0 ]; then
rc=1
fi
eerror "$@"
exit $rc
}
get_partuuid() {
blkid -o value -s PARTUUID "$1"
}
set_default_boot() {
_rc=0
mkdir -p newroot || return
mount -oro "$1" newroot || return
_kernel=$(find newroot/boot -name 'vmlinuz-*' -printf '%P\n' \
| sort -V \
| tail -n1
)
_kver=${_kernel#vmlinuz-}
_partuuid=$(get_partuuid "$1")
_id=id-${_partuuid}-${_kver}
ebegin 'Setting default boot entry'
veindent
veinfo "Menu entry ID: ${_id}"
veoutdent
grub-editenv /boot/efi/EFI/gentoo/grubenv set "default=${_id}" || _rc=$?
eend $_rc
umount newroot
return $_rc
}
write_firmware() {
_rc=0
_esp=$(findfs PARTLABEL='EFI System Partition')
if [ -z "${_esp}" ]; then
eerror 'Could not identify EFI System Partition'
return 1
fi
if ! mountpoint -q /boot/efi; then
mount -o ro "${_esp}" /boot/efi \
|| ewarn 'Failed to mount EFI System Partition'
fi
if [ -f /boot/efi/EFI/gentoo/grubenv ]; then
ebegin 'Saving current GRUB environment'
cp /boot/efi/EFI/gentoo/grubenv .
ewend $? 'Failed to save GRUB environment'
fi
if mountpoint -q /boot/efi; then
umount /boot/efi || return
fi
ebegin "Writing firmware image to EFI System Partition (${_esp})"
dd if=firmware.img of="${_esp}" bs=1M || _rc=$?
if [ $_rc -eq 0 ]; then
mount -orw "${_esp}" /boot/efi || rc=$?
fi
if [ $_rc -eq 0 ]; then
if [ -f grubenv ]; then
ebegin 'Restoring GRUB environment'
cp grubenv /boot/efi/EFI/gentoo/grubenv || _rc=$?
eend $_rc
fi
fi
return $_rc
}
write_rootfs() {
_rc=0
ebegin "Writing rootfs image to $1"
dd if=rootfs.squashfs of="$1" bs=1M || _rc=$?
eend $_rc
}
rc=0
newroot="$1"
write_rootfs "${newroot}" || die 'Failed to write new rootfs image to disk'
write_firmware || die 'Failed to write new firmware image to disk'
if ! set_default_boot "${newroot}"; then
rc=$?
eerror 'Failed to set default boot option'
fi
if [ $rc -eq 0 ]; then
einfo 'Successfully installed update'
fi
exit $rc
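Review bot: `mount -orw "${_esp}" /boot/efi || rc=$?` in write_firmware assigns to the global `rc` instead of `_rc`, so a failed remount is not reported and the following `cp grubenv /boot/efi/EFI/gentoo/grubenv` writes into an unmounted directory; change it to `|| _rc=$?`. Separately, build-update.sh packs a `digests` file (sha256 of firmware.img and rootfs.squashfs) into the archive, but nothing here checks it before the `dd` calls, so a truncated or corrupted download is written to disk; add `sha256sum -c digests || die 'Digest verification failed'` before `write_rootfs`. Since the digests are unsigned this only detects corruption, not tampering, and that limitation deserves a comment at the top of the script. `write_rootfs` likewise writes to `$1` without confirming it is a block device; `[ -b "${newroot}" ] || die "not a block device: ${newroot}"` before the first call would catch that.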

5
install.packages Normal file

@ -0,0 +1,5 @@
net-misc/openssh
net-misc/wget
sys-apps/busybox
sys-apps/systemd
sys-fs/btrfs-progs

20
ocivm.sh Executable file

@ -0,0 +1,20 @@
#!/bin/sh
set -e
. "${CONFIGDIR:=${PWD}}"/config
if ! ocivm list | grep -q localhost/cross-${target}; then
ocivm import localhost/cross-${target}
fi
ocivm \
--log-level DEBUG \
run \
-m 8G \
-n ${buildvm:-aimeebuild} \
-w /tmp/src \
-v "${PWD}":/tmp/src \
-v portagecache:/var/cache:size=16G \
-v portage:/var/db/repos/gentoo:size=4G \
localhost/cross-aarch64-unknown-linux-gnu \
"$@"

1
overlay/etc/fstab Normal file

@ -0,0 +1 @@
PARTLABEL=dch-data /var btrfs subvol=var,nosuid,noexec,nodev 0 2

1
overlay/etc/locale.conf Normal file

@ -0,0 +1 @@
LANG=en_US.UTF-8

1
overlay/etc/locale.gen Normal file

@ -0,0 +1 @@
en_US.UTF-8 UTF-8

1
overlay/etc/resolv.conf Symbolic link

@ -0,0 +1 @@
../run/systemd/resolve/resolv.conf


@ -0,0 +1,15 @@
# This file controls the state of SELinux on the system on boot.
# SELINUX can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE can take one of these four values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
# mls - Full SELinux protection with Multi-Level Security
# mcs - Full SELinux protection with Multi-Category Security
# (mls, but only one sensitivity level)
SELINUXTYPE=mcs


@ -0,0 +1,16 @@
PasswordAuthentication no
UsePAM yes
PrintMotd no
PrintLastLog no
Subsystem sftp /usr/lib64/misc/sftp-server
AcceptEnv LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
AcceptEnv COLORTERM
HostKey /var/lib/ssh/ssh_host_rsa_key
HostKey /var/lib/ssh/ssh_host_ecdsa_key
HostKey /var/lib/ssh/ssh_host_ed25519_key
Include /etc/ssh/sshd_config.d/*.conf
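Review bot: `PasswordAuthentication no` does not by itself disable password logins while `UsePAM yes` is set on the next line, because OpenSSH can still prompt for a password through PAM's keyboard-interactive path. Add `KbdInteractiveAuthentication no` next to it so only the key-based path configured in the drop-in remains.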


@ -0,0 +1,2 @@
AuthorizedKeysCommand /usr/libexec/ssh-authorized-keys %u %t
AuthorizedKeysCommandUser nobody


@ -0,0 +1,5 @@
[Match]
Type=ether
[Network]
DHCP=yes

27
overlay/usr/bin/factory-reset Executable file

@ -0,0 +1,27 @@
#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :
. /lib/gentoo/functions.sh
confirm() {
unset _confirm
printf '%s [y/N] ' "${1-Do you want to continue?}"
read _confirm
case "${_confirm}" in
[Yy]|[Yy][Ee][Ss])
return 0
;;
*)
return 1
;;
esac
}
printf "${WARN}"
printf 'This operation will COMPLETELY ERASE all data and information '
printf 'stored on this system!\n'
printf "${NORMAL}"
confirm || exit 9
ewarn 'The system will now reboot and wipe all data.'
systemctl enable --runtime factory-reset.service
systemctl reboot


@ -0,0 +1,56 @@
#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :
if [ -z "${_UNSHARED}" ]; then
export _UNSHARED=1
exec unshare -m "$0" "$@"
fi
unset _UNSHARED
cleanup() {
if is_mount -q /etc; then
umount -R /etc
fi
if [ -n "${tmpdir}" ] && [ "${tmpdir}" != / ]; then
if is_mount "${tmpdir}"; then
umount -R "${tmpdir}"
fi
rm -rf "${tmpdir}"
fi
unset tmpdir
}
is_mount() {
awk '
BEGIN { rc = 1 }
$5 == "'"${1}"'" { rc = 0 }
END { exit rc }
' /proc/self/mountinfo
}
tmpdir=$(mktemp -d)
trap 'cleanup' INT QUIT TERM EXIT
mount \
-t tmpfs \
-o private,rootcontext=system_u:object_r:etc_t:s0 \
tmpfs \
"${tmpdir}" \
|| exit
mkdir -p \
"${tmpdir}"/etc \
"${tmpdir}"/etc/pam.d \
"${tmpdir}"/etc/security \
"${tmpdir}"/etc/selinux \
|| exit
cp -a /etc/passwd /etc/shadow "${tmpdir}"/etc || exit
mount -o bind /etc/pam.d "${tmpdir}"/etc/pam.d || exit
mount -o bind /etc/security "${tmpdir}"/etc/security || exit
mount -o bind /etc/selinux "${tmpdir}"/etc/selinux || exit
mount --rbind "${tmpdir}"/etc /etc || exit
passwd || exit
mv /etc/shadow "${tmpdir}"/shadow || exit
umount -R /etc || exit
cat "${tmpdir}"/shadow > /etc/shadow || exit
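Review bot: The final `cat "${tmpdir}"/shadow > /etc/shadow` truncates the real shadow file before the new contents arrive, so a crash or signal at that moment leaves an empty `/etc/shadow` and locks every account out. Write to a sibling file in `/etc` and rename it into place instead — `cp -a "${tmpdir}"/shadow /etc/.shadow.new && mv -f /etc/.shadow.new /etc/shadow` — and check afterwards that the SELinux label of the result is what the policy expects (`restorecon /etc/shadow` if not); I cannot confirm the label behaviour from this page. Any change another process makes to `/etc/shadow` between the initial `cp -a` snapshot and the write-back is also lost; that is inherent to the copy-and-replace approach and deserves a comment at the top of the file. The file's name is not shown in this section header.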


@ -0,0 +1 @@
../cypress/cyfmac43455-sdio.bin.xz


@ -0,0 +1 @@
brcmfmac43455-sdio.raspberrypi,4-model-b.txt.xz


@ -0,0 +1,19 @@
enable auditd.service
enable restorecon.service
disable ldconfig.service
disable systemd-userdbd.service
disable systemd-userdbd.socket
enable systemd-networkd-wait-online.service
enable systemd-networkd.service
enable systemd-networkd.socket
#enable systemd-time-wait-sync.service
disable getty@.service
enable sshd.socket
enable ssh-keygen.target


@ -0,0 +1,5 @@
[Service]
# Do not run augenrules; read audit rules from the audit.rules file as
# it exists already. Audit rules are generated at build time.
ExecStartPost=
ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
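Review bot: The `-` prefix on `ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules` makes a failed rule load non-fatal, so a syntax error in the build-time `audit.rules` leaves auditd running with no rules and no visible failure. If the rules are required, drop the `-` so the unit fails loudly; if best-effort is intended, say so in the comment above it, which currently only explains why augenrules is skipped.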


@ -0,0 +1,13 @@
[Unit]
Description=Perform a factory reset
DefaultDependencies=no
After=umount.target
Before=systemd-reboot.service
[Service]
Type=oneshot
ExecStart=/usr/libexec/factory-reset
StandardOutput=kmsg+console
[Install]
WantedBy=final.target


@ -0,0 +1,15 @@
[Unit]
Description=Initialize persistent data storage
DefaultDependencies=no
Before=local-fs-pre.target
After=systemd-journald.service
After=systemd-remount-fs.service
After=systemd-sysctl.service
After=systemd-udev-trigger.service
[Service]
Type=oneshot
ExecStart=/usr/libexec/init-storage
StandardInput=null
StandardOutput=journal+console
StandardError=journal+console


@ -0,0 +1,7 @@
[Unit]
Wants=ssh-keygen@rsa.service
Wants=ssh-keygen@ecdsa.service
Wants=ssh-keygen@ed25519.service
[Install]
WantedBy=multi-user.target


@ -0,0 +1,11 @@
[Unit]
Description=Generate SSH %I host key
ConditionPathExists=!%S/ssh/ssh_host_%I_key
[Service]
Type=oneshot
StateDirectory=ssh
ExecStart=/usr/bin/ssh-keygen -t %I -f %S/ssh/ssh_host_%I_key -N ''
[Install]
WantedBy=sshd-keygen.target


@ -0,0 +1 @@
../init-storage.service


@ -0,0 +1,2 @@
[Service]
Environment=SYSTEMD_TMPFILES_FORCE_SUBVOL=1


@ -0,0 +1,11 @@
#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :
DATAPART=$(awk '$2=="/var"{print $1}' /etc/fstab)
dev=$(findfs "${DATAPART}")
if [ -z "${dev}" ]; then
printf 'Could not find data partition (%s)\n' "${DATAPART}" >&2
exit 1
fi
wipefs -fa "${dev}"
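Review bot: `wipefs -fa "${dev}"` uses `-f`, which bypasses wipefs's in-use check, so if this script is ever run while `/var` is still mounted (the unit orders it `After=umount.target`, so normally it is not) the filesystem is destroyed under live writers; dropping `-f` would make the run fail in that case instead. The `awk` lookup also yields several device names if `/etc/fstab` lists `/var` more than once, and `findfs` then receives a multi-line argument; `awk '$2=="/var"{print $1; exit}' /etc/fstab` pins it to the first match. A one-line header comment stating that the script only erases signatures and that `init-storage` re-formats on next boot would document the intended flow.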


@ -18,26 +18,15 @@ cleanup() {
fi
}
copy_vol() {
copy_var() {
dev="$1"
vol=$2
printf 'Copying %s contents to data volume\n' "${vol}" >&2
mount -o subvol="${vol#/}" "${dev}" "${tmpdir}" || exit
cp -au${VERBOSE+v} /sysroot/${vol#/}/. "${tmpdir}" || exit
echo 'Copying /var contents to data volume'
mount -o subvol=var "${dev}" "${tmpdir}" || exit
cp -acuv /var/. "${tmpdir}" || exit
umount "${tmpdir}"
}
find_part() {
_i=0
while [ $_i -lt 5 ]; do
findfs "$1" 2>/dev/null && return
_i=$((_i + 1))
sleep 1
done
findfs "$1"
}
format_dev() {
dev="$1"
partno=$(partition_number "${dev}")
@ -56,8 +45,8 @@ format_dev() {
fi
fi
printf 'Creating BTRFS filesystem on %s\n' "${dev}" >&2
mkfs.btrfs --quiet "${dev}" || exit
printf 'Creating BTRFS filesystem on %s\n' "${dev}"
mkfs.btrfs "${dev}" || exit
mount "${dev}" "${tmpdir}" || exit
for vol in ${SUBVOLUMES}; do
@ -100,9 +89,6 @@ partition_number() {
}
relabel_all() {
if [ ! -d /sys/fs/selinux ] || [ ! -f /etc/selinux/config ]; then
return
fi
selinuxtype=$(. /etc/selinux/config && echo ${SELINUXTYPE})
find "${tmpdir}" | \
setfiles \
@ -132,7 +118,7 @@ resize_partition() {
"${_type}" \
"${_uuid}" \
"${_label}" \
| sfdisk -N "${_part}" "${_disk}" --quiet --force \
| sfdisk -N "${_part}" "${_disk}" --force \
|| return $?
partx -u "${_disk}"
}
@ -140,20 +126,43 @@ resize_partition() {
setup_etc() {
dev="$1"
echo 'Initializing /etc overlay' >&2
mkdir -p /run/aimeeos/etc || return
mount -o subvol=etc "${dev}" /run/aimeeos/etc || return
mkdir -p /run/aimeeos/etc/rw /run/aimeeos/etc/work || return
mount -t overlay \
-o lowerdir=/sysroot/etc,upperdir=/run/aimeeos/etc/rw,workdir=/run/aimeeos/etc/work \
overlay \
/sysroot/etc
echo 'Initializing writable paths in /etc'
mount -o subvol=etc "${dev}" "${tmpdir}" || exit
if [ ! -f "${tmpdir}"/shadow ]; then
cp -ca /etc/shadow "${tmpdir}"/shadow || exit
fi
mount -o bind "${tmpdir}"/shadow /etc/shadow || exit
if [ -f /etc/aimee-os/writable-etc ]; then
while read type path; do
if [ ! -e "${tmpdir}/${path}" ]; then
if [ -e /etc/"${path}" ]; then
case "${path}" in
*/*)
mkdir -p "${tmpdir}/${path%/*}"
;;
esac
cp -ca /etc/"${path}" "${tmpdir}/${path}"
elif [ "${type}" = d ]; then
mkdir -p "${tmpdir}/${path}"
elif [ "${type}" = f ]; then
: > "${tmpdir}/${path}"
else
printf 'Invalid path type %s for %s\n' \
"${type}" \
"${path}" \
>&2
continue
fi
fi
mount -o bind "${tmpdir}/${path}" /etc/"${path}"
done < /etc/aimee-os/writable-etc
fi
umount "${tmpdir}"
}
rootdev=$(find_part "$1")
datapart=$(find_part "${2:-PARTLABEL=aimeeos-data}")
datapart=$(findfs $(awk '$2=="/var"{print $1}' /etc/fstab))
if [ -b "${datapart}" ]; then
printf 'Found data partition: %s\n' "${datapart}" >&2
printf 'Found data partition: %s\n' "${datapart}"
else
echo 'Could not identify data partition' >&2
exit 1
@ -167,9 +176,5 @@ if ! has_fs "${datapart}"; then
format_dev "${datapart}"
fi
mkdir -p /sysroot
mount -o ro "${rootdev}" /sysroot || exit
setup_etc "${datapart}"
copy_vol "${datapart}" /var
exit 0
copy_var "${datapart}"
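Review bot: In the `setup_etc` loop the `cp -ca /etc/"${path}" "${tmpdir}/${path}"` and `mount -o bind "${tmpdir}/${path}" /etc/"${path}"` lines carry no `|| exit`, unlike the `/etc/shadow` handling just above them, so a writable path that fails to seed or bind-mount is silently left on the read-only root; adding `|| exit` to both (or at least a diagnostic to `>&2`) would match the rest of the script, and `read type path` should be `read -r type path` so backslashes in the list are not interpreted. In the `relabel_all` hunk the early return for a missing `/sys/fs/selinux` or `/etc/selinux/config` is removed, so `selinuxtype` can end up empty and the `setfiles` call that continues outside the hunk runs with a bad spec path — worth confirming that is intended for this image. The top-level `datapart=$(findfs $(awk …))` also drops the former `find_part` retry loop, so if the data device node is not yet present when `init-storage.service` starts the script now exits 1 immediately rather than waiting; the `mkfs.btrfs` path in `format_dev` makes a wrong answer here destructive, so that ordering assumption deserves a comment.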


@ -0,0 +1,4 @@
#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :
exec wget -q -O - https://sshkeys.pyrocufflink.blue/"$1"/"$2".pub
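Review bot: `$1` and `$2` are spliced into the URL path without validation, and `wget` runs with no `--timeout`/`--tries`, so an unreachable key server stalls the caller for wget's full default retry cycle (presumably an sshd authentication, if this is an `AuthorizedKeysCommand` helper). Suggest `exec wget -q --timeout=5 --tries=1 -O - "https://sshkeys.pyrocufflink.blue/$1/$2.pub"` and a preceding check that rejects arguments containing `/` or beginning with `.`, so the request cannot leave the intended path. A header comment naming the two expected arguments would also help, since the script does not say what they are.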


@ -1,10 +0,0 @@
[Match]
Type=ether
Name=en* eth*
[Network]
DHCP=true
[DHCPv4]
ClientIdentifier=mac
UseDomain=true


@ -1,10 +0,0 @@
config BR2_PACKAGE_AIMEE_OS_UTILS
bool
select BR2_PACKAGE_BTRFS_PROGS
select BR2_PACKAGE_UTIL_LINUX
select BR2_PACKAGE_UTIL_LINUX_BINARIES
select BR2_PACKAGE_UTIL_LINUX_MOUNTPOINT
select BR2_PACKAGE_UTIL_LINUX_PARTX
select BR2_PACKAGE_UTIL_LINUX_SWITCH_ROOT
select BR2_PACKAGE_WGET
select BR2_TARGET_GRUB2_INSTALL_TOOLS


@ -1,31 +0,0 @@
################################################################################
#
# Aimee OS Utils
#
################################################################################
AIMEE_OS_UTILS_VERSION = 2.0
AIMEE_OS_UTILS_LICENSE = GPL-3.0+
AIMEE_OS_UTILS_DEPENDENCIES = \
host-fakeroot \
btrfs-progs \
AIMEE_OS_UTILS_SOURCE =
define AIMEE_OS_UTILS_INSTALL_TARGET_CMDS
$(INSTALL) -D -m u=rwx,go=rx \
$(AIMEE_OS_UTILS_PKGDIR)/system-update.sh \
$(TARGET_DIR)/usr/sbin/system-update
mkdir -p $(TARGET_DIR)/boot/efi
endef
define AIMEE_OS_UTILS_INSTALL_INIT_SYSTEMD
$(INSTALL) -D -m u=rw,go=r \
$(AIMEE_OS_UTILS_PKGDIR)/var.mount \
$(TARGET_DIR)/usr/lib/systemd/system/var.mount
$(INSTALL) -D -m u=rw,go=r \
$(AIMEE_OS_UTILS_PKGDIR)/90-default.network \
$(TARGET_DIR)/usr/lib/systemd/network/90-default.network
endef
$(eval $(generic-package))


@ -1,12 +0,0 @@
[Unit]
Description=/var
DefaultDependencies=no
Conflicts=umount.target
Before=local-fs.target umount.target
After=swap.target
[Mount]
What=PARTLABEL=aimeeos-data
Where=/var
Type=btrfs
Options=subvol=var,nosuid,nodev,noexec

13
podman-build.sh Executable file

@ -0,0 +1,13 @@
#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :
set -e
cid=$(./start-container.sh)
./patch-uboot.sh
podman exec -it ${cid} make
podman stop ${cid}
podman rm ${cid}
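Review bot: With `set -e`, a failing `./patch-uboot.sh` or `make` aborts the script before `podman stop`/`podman rm`, leaving the container from `./start-container.sh` running; a `trap 'podman stop "${cid}"; podman rm "${cid}"' EXIT` placed right after `cid=$(./start-container.sh)` cleans up on every exit path. `${cid}` should be quoted in both podman calls, and `-it` allocates a TTY that `make` does not need and that may fail when the script runs without one (CI, cron); `podman exec "${cid}" make` is sufficient.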

1
portage/env/nobuildpkg vendored Normal file

@ -0,0 +1 @@
FEATURES=-buildpkg


@ -0,0 +1,2 @@
FEATURES="${FEATURES} binpkg-multi-instance buildpkg"
EMERGE_DEFAULT_OPTS="${EMERGE_DEFAULT_OPTS} --usepkg --binpkg-respect-use=y"


@ -0,0 +1 @@
USE='-man -doc minimal pam zstd'


@ -0,0 +1,2 @@
GOOS=linux
GOARCH=${ARCH}


@ -0,0 +1,3 @@
LINGUAS=en
L10N=en-US
USE="${USE} -nls"


@ -0,0 +1,2 @@
EMERGE_DEFAULT_OPTS="${EMERGE_DEFAULT_OPTS} --quiet-build=y"
FEATURES="${FEATURES} -news"


@ -0,0 +1 @@
sys-kernel/linux-firmware nobuildpkg


@ -0,0 +1 @@
sys-boot/raspberrypi-firmware nobuildpkg

1
portage/package.use/awk Normal file

@ -0,0 +1 @@
app-alternatives/awk -gawk busybox


@ -0,0 +1 @@
sys-apps/busybox savedconfig


@ -0,0 +1 @@
sys-kernel/linux-firmware compress compress-xz savedconfig


@ -0,0 +1 @@
dev-lang/python -ensurepip


@ -0,0 +1 @@
sys-boot/u-boot savedconfig


@ -0,0 +1 @@
selinux-base


@ -0,0 +1,24 @@
From 21d7cfbc3969ddea86e7dcc2dd15f8009ffcabe6 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Fri, 3 Mar 2023 15:04:28 -0600
Subject: [PATCH] systemd: Fixes for systemd-resolved
---
refpolicy/policy/modules/system/systemd.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/refpolicy/policy/modules/system/systemd.te b/refpolicy/policy/modules/system/systemd.te
index da64b11..9013931 100644
--- a/refpolicy/policy/modules/system/systemd.te
+++ b/refpolicy/policy/modules/system/systemd.te
@@ -236,6 +236,7 @@ init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
type systemd_resolved_runtime_t alias systemd_resolved_var_run_t;
files_runtime_file(systemd_resolved_runtime_t)
+init_mountpoint(systemd_resolved_runtime_t)
type systemd_stdio_bridge_t;
type systemd_stdio_bridge_exec_t;
--
2.40.1


@ -0,0 +1,24 @@
From 1a7dfe6699484a6b7808cc02df7354b146b07a36 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Sat, 4 Mar 2023 09:57:44 -0600
Subject: [PATCH] mount: Allow mounting on etc_t
---
refpolicy/policy/modules/system/mount.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 22a4766..f405615 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -92,6 +92,7 @@ files_manage_etc_runtime_files(mount_t)
files_etc_filetrans_etc_runtime(mount_t, file)
files_mounton_all_mountpoints(mount_t)
files_unmount_rootfs(mount_t)
+files_mounton_etc_dirs(mount_t)
# These rules need to be generalized. Only admin, initrc should have it:
files_relabelto_all_file_type_fs(mount_t)
files_mount_all_file_type_fs(mount_t)
--
2.40.1


@ -0,0 +1,24 @@
From b24010882565c3ea5f9ab9b3007648f1e4d2e603 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Sat, 4 Mar 2023 10:16:13 -0600
Subject: [PATCH] kernel: Mark unlabeled_t as mount point type
---
refpolicy/policy/modules/kernel/kernel.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 56dbd5a..0dff529 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -267,6 +267,7 @@ allow kernel_t sysctl_kernel_ns_last_pid_t:file read_file_perms;
# Other possible mount points for the root fs are in files
allow kernel_t unlabeled_t:dir mounton;
+files_mountpoint(unlabeled_t)
# Kernel-generated traffic e.g., TCP resets on
# connections with invalidated labels:
allow kernel_t unlabeled_t:packet send;
--
2.40.1
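Review bot: `files_mountpoint(unlabeled_t)` makes every directory of an unlabeled type a legitimate mount target for every domain holding `files_mounton_all_mountpoints` (mount_t among them, per the context line in the mount.te patch above), not only for kernel_t, and the commit message gives no denial or use case for that widening. Adding the motivating AVC message to the description, as the later podman patches in this commit do, and a `# needed for <reason>` comment above the rule would let a reader judge whether a narrower rule (e.g. limited to the one domain that needs it) would suffice.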


@ -0,0 +1,24 @@
From 6e4feac42f7c646e3353e0747767f1226f6c513e Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Mon, 6 Mar 2023 12:10:19 -0600
Subject: [PATCH] Allow systemd-journald list cgroup directories
---
refpolicy/policy/modules/system/logging.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 227dc67..0c6f372 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -500,6 +500,7 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
+fs_list_cgroup_dirs(syslogd_t)
mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
--
2.40.1


@ -0,0 +1,76 @@
From 3e580c1cc3c31745c180dfd69bfd913ef1333c63 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Fri, 10 Mar 2023 12:39:41 -0600
Subject: [PATCH] Allow systemd to create directories
This allows use of the `RuntimeDirectory`, `StateDirectory`, etc. unit
settings.
---
refpolicy/policy/modules/kernel/files.if | 18 ++++++++++++++++++
refpolicy/policy/modules/system/init.te | 14 ++++++++++++++
2 files changed, 32 insertions(+)
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index 6fe764a..add9b6d 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -564,6 +564,24 @@ interface(`files_manage_non_security_dirs',`
allow $1 non_security_file_type:dir manage_dir_perms;
')
+########################################
+## <summary>
+## Allow attempts to setattr any directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_setattr_non_security_dirs',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ allow $1 non_security_file_type:dir { read setattr };
+')
+
########################################
## <summary>
## Create non-security directories.
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 9997215..554a04d 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -37,6 +37,13 @@ gen_tunable(init_daemons_use_tty, false)
## </desc>
gen_tunable(init_mounton_non_security, false)
+## <desc>
+## <p>
+## Enable init create, setattr, mounton on non_security_file_type
+## </p>
+## </desc>
+gen_tunable(init_create_dirs, true)
+
attribute init_mountpoint_type;
attribute init_path_unit_loc_type;
attribute init_script_domain_type;
@@ -625,6 +632,13 @@ ifdef(`init_systemd',`
unconfined_create_keys(init_t)
unconfined_write_keys(init_t)
')
+
+ tunable_policy(`init_create_dirs',`
+ files_create_non_security_dirs(init_t)
+ files_mounton_non_security(init_t)
+ files_setattr_non_security_dirs(init_t)
+ ')
+
',`
tunable_policy(`init_upstart',`
corecmd_shell_domtrans(init_t, initrc_t)
--
2.40.1
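Review bot: The new `init_create_dirs` tunable, defaulting to true, wraps `files_mounton_non_security(init_t)`, which the existing `init_mounton_non_security` tunable (default false, visible in the hunk's context) already controls; with both in place the default-off tunable no longer has any effect, so the mounton line should probably be dropped from the new block, or the overlap documented in the `<desc>`. The added interface summary says "setattr any directory" but the rule grants `{ read setattr }` on `non_security_file_type` only; the description should match the permissions, e.g. `## Read and set attributes of non-security directories.`. The interface block is also missing the `</summary>` indentation style of its neighbours, a minor consistency point.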


@ -0,0 +1,25 @@
From 936c142431d96fec0474fa3c5b27e41f5906a3d0 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Tue, 14 Mar 2023 13:40:23 -0500
Subject: [PATCH] Allow init to setattr on char devices
This is required for local logins to work.
---
refpolicy/policy/modules/system/init.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 554a04d..cd8ed37 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -392,6 +392,7 @@ ifdef(`init_systemd',`
dev_create_urand_dev(init_t)
# systemd writes to /dev/watchdog on shutdown
dev_write_watchdog(init_t)
+ dev_setattr_all_chr_files(init_t)
domain_read_all_domains_state(init_t)
# for starting systemd --user in the right domain:
--
2.40.1


@ -0,0 +1,33 @@
From 5595c5c29e6038da5e5a61b1f38c231e2ca4301e Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Thu, 23 Mar 2023 09:44:02 -0500
Subject: [PATCH] podman: Allow crun to chown stdio sockets
Podman (actually `crun`) fails to launch containers as systemd units
with this error:
fchown std stream 1: Permission denied
The error is caused by this AVC denial:
AVC avc: denied { setattr } for pid=262 comm="crun" name="UNIX-STREAM" dev="sockfs" ino=9811 scontext=system_u:system_r:podman_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
---
refpolicy/policy/modules/services/podman.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/refpolicy/policy/modules/services/podman.te b/refpolicy/policy/modules/services/podman.te
index d929bb2..7649298 100644
--- a/refpolicy/policy/modules/services/podman.te
+++ b/refpolicy/policy/modules/services/podman.te
@@ -75,6 +75,8 @@ ifdef(`init_systemd',`
init_start_transient_units(podman_t)
init_stop_transient_units(podman_t)
+ init_rw_stream_sockets(podman_t)
+
# podman can read logs from containers which are
# sent to the system journal
logging_search_logs(podman_t)
--
2.40.1


@ -0,0 +1,28 @@
From d7001620adab1780ae51fc916f8eee824ecd6709 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Thu, 23 Mar 2023 10:45:11 -0500
Subject: [PATCH] systemd: Allow quadlet to read container configs
---
refpolicy/policy/modules/system/systemd.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/refpolicy/policy/modules/system/systemd.te b/refpolicy/policy/modules/system/systemd.te
index 9013931..54868ea 100644
--- a/refpolicy/policy/modules/system/systemd.te
+++ b/refpolicy/policy/modules/system/systemd.te
@@ -582,6 +582,11 @@ optional_policy(`
zfs_read_config(systemd_generator_t)
')
+optional_policy(`
+ # needed by podman-system-generator
+ container_read_config(systemd_generator_t)
+')
+
#######################################
#
# systemd-homed policy
--
2.40.1


@ -0,0 +1,24 @@
From 04e3b1f3f91ad10b5fc69b59bba0e24f360905fa Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Sun, 26 Mar 2023 14:56:02 -0500
Subject: [PATCH] podman: Allow podman to use fd inherited from init
---
refpolicy/policy/modules/services/podman.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/refpolicy/policy/modules/services/podman.te b/refpolicy/policy/modules/services/podman.te
index 7649298..e622f25 100644
--- a/refpolicy/policy/modules/services/podman.te
+++ b/refpolicy/policy/modules/services/podman.te
@@ -76,6 +76,7 @@ ifdef(`init_systemd',`
init_stop_transient_units(podman_t)
init_rw_stream_sockets(podman_t)
+ init_use_fds(podman_t)
# podman can read logs from containers which are
# sent to the system journal
--
2.40.1


@ -0,0 +1,28 @@
From c59490d5823a17de62697cce367fbbb99156f424 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Sun, 26 Mar 2023 14:59:28 -0500
Subject: [PATCH] Allow podman to validate security contexts
Addresses this AVC denial:
avc: denied { write } for pid=244 comm="podman" name="context" dev="selinuxfs" ino=5 scontext=system_u:system_r:podman_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=0
---
refpolicy/policy/modules/services/podman.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/refpolicy/policy/modules/services/podman.te b/refpolicy/policy/modules/services/podman.te
index e622f25..243880f 100644
--- a/refpolicy/policy/modules/services/podman.te
+++ b/refpolicy/policy/modules/services/podman.te
@@ -64,6 +64,8 @@ container_manage_sock_files(podman_t)
podman_spec_rangetrans_conmon(podman_t, s0)
+selinux_validate_context(podman_t)
+
ifdef(`init_systemd',`
init_dbus_chat(podman_t)
init_setsched(podman_t)
--
2.40.1


@ -0,0 +1,38 @@
From 6d997d50fe41abc68b8828cac4fa7ce1d7bbd2f1 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Sun, 26 Mar 2023 15:03:40 -0500
Subject: [PATCH] podman: Allow conmon to signal containers
Addresses these AVC denials:
avc: denied { kill } for pid=274 comm="conmon" capability=5 scontext=system_u:system_r:podman_conmon_t:s0 tcontext=system_u:system_r:podman_conmon_t:s0 tclass=capability permissive=0
avc: denied { signal } for pid=278 comm="conmon" scontext=system_u:system_r:podman_conmon_t:s0 tcontext=system_u:system_r:container_t:s0:c273,c333 tclass=process permissive=0
---
refpolicy/policy/modules/services/podman.te | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/refpolicy/policy/modules/services/podman.te b/refpolicy/policy/modules/services/podman.te
index 243880f..0d64e19 100644
--- a/refpolicy/policy/modules/services/podman.te
+++ b/refpolicy/policy/modules/services/podman.te
@@ -196,7 +196,7 @@ ifdef(`init_systemd',`
# podman conmon local policy
#
-allow podman_conmon_t self:capability { dac_override dac_read_search sys_ptrace sys_resource };
+allow podman_conmon_t self:capability { dac_override dac_read_search kill sys_ptrace sys_resource };
dontaudit podman_conmon_t self:capability net_admin;
podman_domtrans(podman_conmon_t)
@@ -219,6 +219,8 @@ container_engine_tmp_filetrans(podman_conmon_t, { file sock_file })
container_manage_engine_tmp_files(podman_conmon_t)
container_manage_engine_tmp_sock_files(podman_conmon_t)
+container_signal_all_containers(podman_conmon_t)
+
ifdef(`init_systemd',`
init_get_transient_units_status(podman_conmon_t)
init_start_transient_units(podman_conmon_t)
--
2.40.1


@ -0,0 +1 @@
selinux-base


@ -0,0 +1 @@
selinux-base


10
post-build.sh Executable file

@ -0,0 +1,10 @@
#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :
set -e
. "${CONFIGDIR:=${PWD}}"/config
if [ -f "${CONFIGDIR}"/post-build.sh ]; then
. "${CONFIGDIR}"/post-build.sh
fi

60
prepare.sh Executable file

@ -0,0 +1,60 @@
#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :
set -e
. "${CONFIGDIR:=${PWD}}"/config
unset MAKEFLAGS MAKEOVERRIDES MAKELEVEL
# Ensure we have a Portage repo
if [ ! -f /var/db/repos/gentoo/metadata/timestamp ]; then
emerge-webrsync
fi
chown portage: "$(portageq envvar DISTDIR)"
ARCH=$(PORTAGE_CONFIGROOT=/usr/${target} portageq envvar ARCH)
PKGDIR=$(portageq envvar PKGDIR)
FEATURES="${FEATURES} binpkg-multi-instance"
# For some reason, libcap installs its pkg-config files in the wrong
# place. More strangely, even though `PKG_CONFIG_PATH` contains that
# directory, `pkg-config` does not find the `.pc` files for libcap.
# We work around this by merging /usr/lib64/pkgconfig and
# /usr/lib/pkgconfig.
FEATURES="${FEATURES}" \
PKGDIR="${PKGDIR}" \
${target}-emerge -kb1vnj sys-libs/libcap
if [ -d /usr/${target}/usr/lib/pkgconfig ] \
&& [ ! -d /usr/${target}/usr/lib64/pkgconfig ]; then
mv /usr/${target}/usr/lib/pkgconfig /usr/${target}/usr/lib64
ln -snf ../lib64/pkgconfig /usr/${target}/usr/lib/pkgconfig
fi
if [ ! -f portage/make.conf/10-crossdev.conf ]; then
mkdir -p "${O}"/portage/etc/portage/make.conf
sed -r \
-e 's: ?-pam::' \
-e '/PKGDIR=/d' \
/usr/${target}/etc/portage/make.conf \
> "${O}"/portage/etc/portage/make.conf/10-crossdev.conf
fi
ln -snf /var/db/repos/gentoo/profiles/${profile} \
/usr/${target}/etc/portage/make.profile
FEATURES="${FEATURES}" \
PKGDIR="${PKGDIR}" \
${target}-emerge -bk1nvj sys-libs/glibc
FEATURES="${FEATURES}" \
PKGDIR=$(portageq envvar PKGDIR) \
USE='pam build' \
${target}-emerge -bknvj sys-apps/util-linux
# Set the Portage profile
mkdir -p "${O}"/portage/etc/portage
ln -snf \
/var/db/repos/gentoo/profiles/${profile} \
${O}/portage/etc/portage/make.profile
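Review bot: `O`, `target` and `profile` are taken from the sourced `config` without any check; the script runs with `set -e` but not `set -u`, so if `O` is unset the `mkdir -p "${O}"/portage/etc/portage` and the `sed … > "${O}"/portage/…` redirect write into `/portage/…` on the build host. A `: "${O:?}" "${target:?}" "${profile:?}"` line right after sourcing `config` (or `set -eu` at the top) fails fast instead. `PKGDIR=$(portageq envvar PKGDIR)` on the util-linux invocation re-runs portageq although `PKGDIR` was already captured above; `PKGDIR="${PKGDIR}"` would match the other two emerge calls. The last `${O}/portage/etc/portage/make.profile` is the only unquoted use of `${O}` in the file.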

12
rebuild-pkg.sh Executable file

@ -0,0 +1,12 @@
#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :
set -e
. "${CONFIGDIR:=${PWD}}"/config
unset MAKEFLAGS MAKEOVERRIDES MAKELEVEL
export PORTAGE_CONFIGROOT="${O}"/portage
${target}-emerge -bkv1j --usepkg-exclude="$*" "$@"


@ -0,0 +1,2 @@
masters = gentoo
thin-manifests = true


@ -0,0 +1 @@
aimee-os


@ -0,0 +1,2 @@
DIST patchbundle-selinux-base-policy-2.20221101-r3.tar.bz2 444710 BLAKE2B e33cc01a8be5a354e022be1e8bf242883b09b15ead0673f859819f5e668f18773a16527f2e608878e6976695dcb2890c55658e77877e93c716ae0b2dd2ed5a9b SHA512 52e60b22346903a6fead95c9fb348fa1d4037b7dcd3e5781248a7dfc426c8c3fced258fd22762c779a5f436d8be21eaed5425ed36ff99c267daae5e1cb9c8e7f
DIST refpolicy-2.20221101.tar.bz2 583183 BLAKE2B 783d8af40fd77d7ddb848dba32e91921dd7c1380c094c45b719ada7b15f91aacbb52b410ffa6341f2f705ecbc9674b8570bd4867ce998e944fa0054ffd8bdf74 SHA512 29e5a29d90f714018c88fead2d5006ea90338fb5b7a1e4e98cb2e588c96cd861871d32176f6cc6f7c4e864ce5acae1aeed85d4c706ce2da8168986535baaf3a6


@ -0,0 +1,8 @@
/usr/bin/system-update -- gen_context(system_u:object_r:aimee_sysupdate_exec_t,s0)
/usr/bin/set-root-password -- gen_context(system_u:object_r:aimee_set_root_password_exec_t,s0)
/usr/libexec/factory-reset -- gen_context(system_u:object_r:aimee_factory_reset_exec_t,s0)
/usr/libexec/init-storage -- gen_context(system_u:object_r:aimee_storinit_exec_t,s0)
/var/run/storinit(/.*)? gen_context(system_u:object_r:aimee_storinit_runtime_t,s0)
/var/lib/ssh/.*_key.* -- gen_context(system_u:object_r:sshd_key_t,s0)


@ -0,0 +1,135 @@
## <summary>Policy for Aimee OS utilities.</summary>
########################################
## <summary>
## Execute system-update in the aimee_sysupdate_t
## domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`aimee_os_system_update_domtrans',`
gen_require(`
type aimee_sysupdate_t, aimee_sysupdate_exec_t;
')
domtrans_pattern($1, aimee_sysupdate_exec_t, aimee_sysupdate_t)
')
########################################
## <summary>
## Execute system-update in the aimee_sysupdate_t
## domain, and allow the specified role the
## aimee_sysupdate_t domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`aimee_os_run_system_update',`
gen_require(`
type aimee_sysupdate_t;
')
aimee_os_system_update_domtrans($1)
role $2 types aimee_sysupdate_t;
')
########################################
## <summary>
## Execute set-root-password in the
## aimee_set_root_password_t domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`aimee_os_set_root_password_domtrans',`
gen_require(`
type aimee_set_root_password_t, aimee_set_root_password_exec_t;
')
domtrans_pattern($1, aimee_set_root_password_exec_t, aimee_set_root_password_t)
')
########################################
## <summary>
## Execute set-root-password in the
## aimee_set_root_password_t domain, and
## allow the specified role the
## aimee_set_root_password_t domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`aimee_os_run_set_root_password',`
gen_require(`
type aimee_set_root_password_t;
')
aimee_os_set_root_password_domtrans($1)
role $2 types aimee_set_root_password_t;
mount_run(aimee_set_root_password_t, $2)
')
########################################
## <summary>
## Execute set-root-password in the caller
## domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`aimee_os_set_root_password_exec',`
gen_require(`
type aimee_set_root_password_exec_t;
')
corecmd_search_bin($1)
can_exec($1, aimee_set_root_password_exec_t)
')
########################################
## <summary>
## Create, read, write, and delete temporary
## files used by Aimee OS set-root-password.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`aimee_os_manage_set_root_password_tmp_files',`
gen_require(`
type aimee_set_root_password_tmp_t;
')
manage_files_pattern($1, aimee_set_root_password_tmp_t, aimee_set_root_password_tmp_t)
read_lnk_files_pattern($1, aimee_set_root_password_tmp_t, aimee_set_root_password_tmp_t)
')
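Review bot: `aimee_os_run_set_root_password` also calls `mount_run(aimee_set_root_password_t, $2)`, which lets the new domain transition to mount_t and grants role $2 that domain as well, but neither the interface summary nor a comment says so; a line such as `## Also grants the role the mount_t domain, since set-root-password invokes mount.` in the summary keeps that side effect from being removed as unexpected. By contrast `aimee_os_run_system_update` has no `mount_run` even though the .te file in this commit gives aimee_sysupdate_t `mount_exec`; if the asymmetry is deliberate, a one-line comment explaining it would help.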


@ -0,0 +1,271 @@
policy_module(aimee-os, 1.0)
########################################
#
# Declarations
#
type aimee_storinit_t;
type aimee_storinit_exec_t;
init_daemon_domain(aimee_storinit_t, aimee_storinit_exec_t)
type aimee_storinit_runtime_t;
files_runtime_file(aimee_storinit_runtime_t)
type aimee_sysupdate_t;
type aimee_sysupdate_exec_t;
userdom_user_application_domain(aimee_sysupdate_t, aimee_sysupdate_exec_t)
type aimee_sysupdate_tmp_t;
files_tmp_file(aimee_sysupdate_tmp_t)
type aimee_factory_reset_t;
type aimee_factory_reset_exec_t;
init_daemon_domain(aimee_factory_reset_t, aimee_factory_reset_exec_t)
type aimee_set_root_password_t;
type aimee_set_root_password_exec_t;
userdom_user_application_domain(aimee_set_root_password_t, aimee_set_root_password_exec_t)
type aimee_set_root_password_tmp_t;
files_tmp_file(aimee_set_root_password_tmp_t)
########################################
#
# init-storage local policy
#
allow aimee_storinit_t self:fifo_file rw_fifo_file_perms;
allow aimee_storinit_t self:capability { dac_read_search dac_override chown fowner fsetid sys_admin };
allow aimee_storinit_t self:process { setfscreate };
manage_dirs_pattern(aimee_storinit_t, aimee_storinit_runtime_t, aimee_storinit_runtime_t)
manage_files_pattern(aimee_storinit_t, aimee_storinit_runtime_t, aimee_storinit_runtime_t)
files_runtime_filetrans(aimee_storinit_t, aimee_storinit_runtime_t, dir)
corecmd_exec_bin(aimee_storinit_t)
files_read_etc_files(aimee_storinit_t)
storage_raw_read_fixed_disk(aimee_storinit_t)
fstools_domtrans(aimee_storinit_t)
mount_exec(aimee_storinit_t)
miscfiles_read_localization(aimee_storinit_t)
mount_list_runtime(aimee_storinit_t)
dev_read_sysfs(aimee_storinit_t)
kernel_search_debugfs(aimee_storinit_t)
kernel_list_unlabeled(aimee_storinit_t)
fs_getattr_all_fs(aimee_storinit_t)
fs_mount_all_fs(aimee_storinit_t)
fs_unmount_all_fs(aimee_storinit_t)
allow aimee_storinit_t aimee_storinit_runtime_t:dir mounton;
gen_require(`
type mount_runtime_t;
')
dontaudit aimee_storinit_t mount_runtime_t:dir write;
seutil_read_config(aimee_storinit_t)
seutil_read_file_contexts(aimee_storinit_t)
seutil_read_bin_policy(aimee_storinit_t)
seutil_domtrans_setfiles(aimee_storinit_t)
kernel_manage_unlabeled_dirs(aimee_storinit_t)
files_manage_non_security_dirs(aimee_storinit_t)
files_relabel_non_security_dirs(aimee_storinit_t)
files_manage_non_security_files(aimee_storinit_t)
files_relabel_non_security_files(aimee_storinit_t)
logging_manage_audit_log(aimee_storinit_t)
gen_require(`
attribute non_security_file_type;
')
manage_lnk_files_pattern(aimee_storinit_t, non_security_file_type, non_security_file_type)
relabel_lnk_files_pattern(aimee_storinit_t, non_security_file_type, non_security_file_type)
auth_manage_shadow(aimee_storinit_t)
auth_relabel_shadow(aimee_storinit_t)
gen_require(`
type shadow_t;
attribute configfile;
')
allow aimee_storinit_t shadow_t:file mounton;
allow aimee_storinit_t configfile:{file dir} mounton;
########################################
#
# system-update local policy
#
allow aimee_sysupdate_t self:capability { chown fowner fsetid sys_admin };
allow aimee_sysupdate_t self:fifo_file rw_fifo_file_perms;
allow aimee_sysupdate_t self:tcp_socket create_stream_socket_perms;
files_tmp_filetrans(aimee_sysupdate_t, aimee_sysupdate_tmp_t, dir)
manage_dirs_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, aimee_sysupdate_tmp_t)
manage_files_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, aimee_sysupdate_tmp_t)
filetrans_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, bin_t, file, "install")
domain_use_interactive_fds(aimee_sysupdate_t)
userdom_use_inherited_user_terminals(aimee_sysupdate_t)
corecmd_exec_bin(aimee_sysupdate_t)
selinux_get_fs_mount(aimee_sysupdate_t)
seutil_read_config(aimee_sysupdate_t)
userdom_search_user_home_dirs(aimee_sysupdate_t)
kernel_read_system_state(aimee_sysupdate_t)
fstools_exec(aimee_sysupdate_t)
fstools_manage_runtime_files(aimee_sysupdate_t)
miscfiles_read_localization(aimee_sysupdate_t)
storage_raw_rw_fixed_disk(aimee_sysupdate_t)
dev_read_sysfs(aimee_sysupdate_t)
files_read_etc_files(aimee_sysupdate_t)
systemd_read_resolved_runtime(aimee_sysupdate_t)
systemd_stream_connect_resolved(aimee_sysupdate_t)
corenet_tcp_connect_http_port(aimee_sysupdate_t)
corenet_tcp_connect_soundd_port(aimee_sysupdate_t)
files_manage_non_security_dirs(aimee_sysupdate_t)
files_manage_non_security_files(aimee_sysupdate_t)
mount_exec(aimee_sysupdate_t)
mount_list_runtime(aimee_sysupdate_t)
fs_getattr_all_fs(aimee_sysupdate_t)
fs_mount_all_fs(aimee_sysupdate_t)
fs_unmount_all_fs(aimee_sysupdate_t)
dbus_system_bus_client(aimee_sysupdate_t)
systemd_dbus_chat_logind(aimee_sysupdate_t)
logging_send_syslog_msg(aimee_sysupdate_t)
files_mounton_non_security(aimee_sysupdate_t)
gen_require(`
type sysadm_t;
role sysadm_r;
')
aimee_os_run_system_update(sysadm_t, sysadm_r)
# factory-reset local policy
#
allow aimee_factory_reset_t self:capability { sys_admin };
allow aimee_factory_reset_t self:fifo_file rw_fifo_file_perms;
corecmd_exec_bin(aimee_factory_reset_t)
dev_read_sysfs(aimee_factory_reset_t)
kernel_read_system_state(aimee_factory_reset_t)
files_read_etc_files(aimee_factory_reset_t)
fstools_exec(aimee_factory_reset_t)
fstools_manage_runtime_files(aimee_factory_reset_t)
miscfiles_read_localization(aimee_factory_reset_t)
storage_raw_rw_fixed_disk(aimee_factory_reset_t)
########################################
#
# set-root-password local policy
#
gen_require(`
class passwd { passwd };
')
allow aimee_set_root_password_t self:capability { sys_admin };
allow aimee_set_root_password_t self:fifo_file rw_fifo_file_perms;
allow aimee_set_root_password_t self:process setfscreate;
allow aimee_set_root_password_t self:process { ptrace sigkill sigstop signal };
allow aimee_set_root_password_t self:passwd passwd;
files_tmp_filetrans(aimee_set_root_password_t, aimee_set_root_password_tmp_t, dir)
manage_dirs_pattern(aimee_set_root_password_t, aimee_set_root_password_tmp_t, aimee_set_root_password_tmp_t)
manage_files_pattern(aimee_set_root_password_t, aimee_set_root_password_tmp_t, aimee_set_root_password_tmp_t)
relabel_files_pattern(aimee_set_root_password_t, aimee_set_root_password_tmp_t, aimee_set_root_password_tmp_t)
domain_use_interactive_fds(aimee_set_root_password_t)
userdom_use_inherited_user_terminals(aimee_set_root_password_t)
userdom_search_user_home_dirs(aimee_set_root_password_t)
corecmd_exec_bin(aimee_set_root_password_t)
selinux_get_fs_mount(aimee_set_root_password_t)
seutil_read_config(aimee_set_root_password_t)
miscfiles_read_localization(aimee_set_root_password_t)
files_mounton_root(aimee_set_root_password_t)
aimee_os_set_root_password_exec(aimee_set_root_password_t)
mount_list_runtime(aimee_set_root_password_t)
fs_getattr_all_fs(aimee_set_root_password_t)
fs_mount_all_fs(aimee_set_root_password_t)
fs_unmount_all_fs(aimee_set_root_password_t)
files_read_var_lib_files(aimee_set_root_password_t)
files_manage_etc_files(aimee_set_root_password_t)
files_relabel_etc_files(aimee_set_root_password_t)
files_manage_etc_dirs(aimee_set_root_password_t)
auth_manage_shadow(aimee_set_root_password_t)
auth_relabel_shadow(aimee_set_root_password_t)
files_mounton_etc_dirs(aimee_set_root_password_t)
usermanage_domtrans_passwd(aimee_set_root_password_t)
dev_read_sysfs(aimee_set_root_password_t)
aimee_os_manage_set_root_password_tmp_files(aimee_set_root_password_t)
gen_require(`
type mount_t;
type passwd_t;
')
allow aimee_set_root_password_t aimee_set_root_password_tmp_t:dir mounton;
allow mount_t aimee_set_root_password_tmp_t:dir mounton;
aimee_os_manage_set_root_password_tmp_files(passwd_t)
gen_require(`
type sysadm_t;
role sysadm_r;
')
aimee_os_run_set_root_password(sysadm_t, sysadm_r)
########################################
#
# Additional policy rules for Aimee OS-specific behavior
#
# Allow ssh-keygen to create host key files in /var/lib/ssh
gen_require(`
type ssh_keygen_t;
type sshd_key_t, var_lib_t;
')
allow ssh_keygen_t var_lib_t:dir rw_dir_perms;
filetrans_pattern(ssh_keygen_t, var_lib_t, sshd_key_t, file)
# Allow login to execute /bin/busybox (via /bin/sh symlink)
gen_require(`
type local_login_t;
')
corecmd_exec_bin(local_login_t)
# Allow root to log in on the serial console
gen_require(`
type sysadm_t;
')
init_use_fds(sysadm_t)
# Allow podman to relabel any file (to container_file_t)
optional_policy(`
gen_require(`
type podman_t;
')
files_relabel_non_security_dirs(podman_t)
files_relabel_non_security_files(podman_t)
')
# Allow podman to mount /dev/log in containers
optional_policy(`
gen_require(`
type podman_t, container_t;
type devlog_t;
')
allow podman_t devlog_t:sock_file mounton;
logging_send_syslog_msg(container_t)
')
# Allow podman to mount tty devices in containers
optional_policy(`
gen_require(`
type container_t, kernel_t;
type tty_device_t;
')
term_use_unallocated_ttys(container_t)
container_mountpoint(tty_device_t)
dev_rw_generic_usb_dev(kernel_t)
dev_setattr_generic_usb_dev(kernel_t)
')
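Review bot: Several broad grants in the new policy have no comment explaining the need: `corenet_tcp_connect_soundd_port(aimee_sysupdate_t)` (presumably the update server listens on a port refpolicy labels soundd_port_t), `allow aimee_set_root_password_t self:process { ptrace sigkill sigstop signal };` (self-ptrace is unusual for a password helper), and `dev_rw_generic_usb_dev(kernel_t)` / `dev_setattr_generic_usb_dev(kernel_t)`, which sit under the comment "Allow podman to mount tty devices in containers" but grant kernel_t read/write on USB device nodes rather than anything container-related. A one-line `# needed for <reason>` above each, quoting the AVC denial where one exists, would keep these rules from being silently trimmed or widened later. As a style point, the `# factory-reset local policy` header lacks the `####…` separator line that every other section in the file uses.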
