build: Implement CONFIGDIR setting

In effort to support different builds of Aimee OS using the same
scripts, without necessarily having to fork this repository, the build
system now supports a `CONFIGDIR` setting.  When this variable is set,
files defining the target environment, such as the lists of packages to
install, the kernel configuration, the Portage configuration, etc. are
found in the path it specifes.

The reference build, for the Home Assistant Yellow board, is configured
in the `yellow` directory.  To build it, run:

```sh
CONFIGDIR=yellow ./vm-build.sh
```

repos/aimee-os/sec-policy/selinux-aimee-os/Manifest

@@ -0,0 +1,2 @@
+DIST patchbundle-selinux-base-policy-2.20221101-r3.tar.bz2 444710 BLAKE2B e33cc01a8be5a354e022be1e8bf242883b09b15ead0673f859819f5e668f18773a16527f2e608878e6976695dcb2890c55658e77877e93c716ae0b2dd2ed5a9b SHA512 52e60b22346903a6fead95c9fb348fa1d4037b7dcd3e5781248a7dfc426c8c3fced258fd22762c779a5f436d8be21eaed5425ed36ff99c267daae5e1cb9c8e7f
+DIST refpolicy-2.20221101.tar.bz2 583183 BLAKE2B 783d8af40fd77d7ddb848dba32e91921dd7c1380c094c45b719ada7b15f91aacbb52b410ffa6341f2f705ecbc9674b8570bd4867ce998e944fa0054ffd8bdf74 SHA512 29e5a29d90f714018c88fead2d5006ea90338fb5b7a1e4e98cb2e588c96cd861871d32176f6cc6f7c4e864ce5acae1aeed85d4c706ce2da8168986535baaf3a6

repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.fc

@@ -0,0 +1,7 @@
+/usr/bin/system-update		--	gen_context(system_u:object_r:aimee_sysupdate_exec_t,s0)
+/usr/libexec/factory-reset	--	gen_context(system_u:object_r:aimee_factory_reset_exec_t,s0)
+/usr/libexec/init-storage	--	gen_context(system_u:object_r:aimee_storinit_exec_t,s0)
+
+/var/run/storinit(/.*)?			gen_context(system_u:object_r:aimee_storinit_runtime_t,s0)
+
+/var/lib/ssh/.*_key.*		--	gen_context(system_u:object_r:sshd_key_t,s0)

repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.if

@@ -0,0 +1,47 @@
+## <summary>Policy for Aimee OS utilities.</summary>
+
+########################################
+## <summary>
+##	Execute system-update in the aimee_sysupdate_t
+##	domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`aimee_os_system_update_domtrans',`
+	gen_require(`
+		type aimee_sysupdate_t, aimee_sysupdate_exec_t;
+	')
+
+	domtrans_pattern($1, aimee_sysupdate_exec_t, aimee_sysupdate_t)
+')
+
+########################################
+## <summary>
+##	Execute system-update in the aimee_sysupdate_t
+##	domain, and allow the specified role the
+##	aimee_sysupdate_t domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`aimee_os_run_system_update',`
+	gen_require(`
+		type aimee_sysupdate_t;
+	')
+
+	aimee_os_system_update_domtrans($1)
+	role $2 types aimee_sysupdate_t;
+')

repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te

@@ -0,0 +1,172 @@
+policy_module(aimee-os, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+type aimee_storinit_t;
+type aimee_storinit_exec_t;
+init_daemon_domain(aimee_storinit_t, aimee_storinit_exec_t)
+
+type aimee_storinit_runtime_t;
+files_runtime_file(aimee_storinit_runtime_t)
+
+type aimee_sysupdate_t;
+type aimee_sysupdate_exec_t;
+userdom_user_application_domain(aimee_sysupdate_t, aimee_sysupdate_exec_t)
+
+type aimee_sysupdate_tmp_t;
+files_tmp_file(aimee_sysupdate_tmp_t)
+
+type aimee_factory_reset_t;
+type aimee_factory_reset_exec_t;
+init_daemon_domain(aimee_factory_reset_t, aimee_factory_reset_exec_t)
+
+########################################
+#
+# init-storage local policy
+#
+
+allow aimee_storinit_t self:fifo_file rw_fifo_file_perms;
+allow aimee_storinit_t self:capability { chown fsetid sys_admin };
+
+manage_dirs_pattern(aimee_storinit_t, aimee_storinit_runtime_t, aimee_storinit_runtime_t)
+manage_files_pattern(aimee_storinit_t, aimee_storinit_runtime_t, aimee_storinit_runtime_t)
+files_runtime_filetrans(aimee_storinit_t, aimee_storinit_runtime_t, dir)
+
+corecmd_exec_bin(aimee_storinit_t)
+
+storage_raw_read_fixed_disk(aimee_storinit_t)
+fstools_domtrans(aimee_storinit_t)
+mount_exec(aimee_storinit_t)
+miscfiles_read_localization(aimee_storinit_t)
+mount_list_runtime(aimee_storinit_t)
+dev_read_sysfs(aimee_storinit_t)
+kernel_search_debugfs(aimee_storinit_t)
+kernel_list_unlabeled(aimee_storinit_t)
+fs_getattr_all_fs(aimee_storinit_t)
+fs_mount_all_fs(aimee_storinit_t)
+fs_unmount_all_fs(aimee_storinit_t)
+allow aimee_storinit_t aimee_storinit_runtime_t:dir mounton;
+
+gen_require(`
+	type mount_runtime_t;
+')
+dontaudit aimee_storinit_t mount_runtime_t:dir write;
+
+files_manage_var_dirs(aimee_storinit_t)
+files_manage_var_files(aimee_storinit_t)
+files_manage_var_symlinks(aimee_storinit_t)
+
+gen_require(`
+	type var_lib_t, var_lock_t, var_run_t;
+	type semanage_store_t;
+	type semanage_read_lock_t, semanage_trans_lock_t;
+	type system_dbusd_var_lib_t;
+	type init_var_lib_t;
+	type auditd_log_t;
+	type tmp_t;
+	attribute logfile;
+')
+manage_dirs_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
+manage_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
+manage_lnk_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
+manage_lnk_files_pattern(aimee_storinit_t, var_lock_t, var_lock_t)
+manage_dirs_pattern(aimee_storinit_t, var_run_t, var_run_t)
+manage_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
+manage_lnk_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
+manage_dirs_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
+manage_files_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
+manage_dirs_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
+manage_files_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
+manage_dirs_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
+manage_files_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
+manage_dirs_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+manage_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+manage_lnk_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+manage_dirs_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
+manage_files_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
+manage_dirs_pattern(aimee_storinit_t, logfile, logfile)
+manage_files_pattern(aimee_storinit_t, logfile, logfile)
+manage_dirs_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
+manage_files_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
+manage_dirs_pattern(aimee_storinit_t, tmp_t, tmp_t)
+manage_files_pattern(aimee_storinit_t, tmp_t, tmp_t)
+
+########################################
+#
+# system-update local policy
+#
+
+allow aimee_sysupdate_t self:capability { chown fowner fsetid sys_admin };
+allow aimee_sysupdate_t self:fifo_file rw_fifo_file_perms;
+allow aimee_sysupdate_t self:tcp_socket create_stream_socket_perms;
+
+files_tmp_filetrans(aimee_sysupdate_t, aimee_sysupdate_tmp_t, dir)
+manage_dirs_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, aimee_sysupdate_tmp_t)
+manage_files_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, aimee_sysupdate_tmp_t)
+
+filetrans_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, bin_t, file, "install")
+
+domain_use_interactive_fds(aimee_sysupdate_t)
+userdom_use_inherited_user_terminals(aimee_sysupdate_t)
+corecmd_exec_bin(aimee_sysupdate_t)
+selinux_get_fs_mount(aimee_sysupdate_t)
+seutil_read_config(aimee_sysupdate_t)
+userdom_search_user_home_dirs(aimee_sysupdate_t)
+kernel_read_system_state(aimee_sysupdate_t)
+fstools_exec(aimee_sysupdate_t)
+fstools_manage_runtime_files(aimee_sysupdate_t)
+miscfiles_read_localization(aimee_sysupdate_t)
+storage_raw_rw_fixed_disk(aimee_sysupdate_t)
+dev_read_sysfs(aimee_sysupdate_t)
+files_read_etc_files(aimee_sysupdate_t)
+systemd_read_resolved_runtime(aimee_sysupdate_t)
+systemd_stream_connect_resolved(aimee_sysupdate_t)
+corenet_tcp_connect_http_port(aimee_sysupdate_t)
+corenet_tcp_connect_soundd_port(aimee_sysupdate_t)
+files_manage_non_security_dirs(aimee_sysupdate_t)
+files_manage_non_security_files(aimee_sysupdate_t)
+mount_exec(aimee_sysupdate_t)
+mount_list_runtime(aimee_sysupdate_t)
+fs_getattr_all_fs(aimee_sysupdate_t)
+fs_mount_all_fs(aimee_sysupdate_t)
+fs_unmount_all_fs(aimee_sysupdate_t)
+dbus_system_bus_client(aimee_sysupdate_t)
+systemd_dbus_chat_logind(aimee_sysupdate_t)
+logging_send_syslog_msg(aimee_sysupdate_t)
+files_mounton_non_security(aimee_sysupdate_t)
+
+gen_require(`
+	type sysadm_t;
+	role sysadm_r;
+')
+aimee_os_run_system_update(sysadm_t, sysadm_r)
+
+# factory-reset local policy
+#
+
+allow aimee_factory_reset_t self:capability { sys_admin };
+allow aimee_factory_reset_t self:fifo_file rw_fifo_file_perms;
+
+corecmd_exec_bin(aimee_factory_reset_t)
+dev_read_sysfs(aimee_factory_reset_t)
+kernel_read_system_state(aimee_factory_reset_t)
+fstools_exec(aimee_factory_reset_t)
+fstools_manage_runtime_files(aimee_factory_reset_t)
+miscfiles_read_localization(aimee_factory_reset_t)
+storage_raw_rw_fixed_disk(aimee_factory_reset_t)
+
+########################################
+#
+# Additional policy rules for Aimee OS-specific behavior
+#
+
+# Allow ssh-keygen to create host key files in /var/lib/ssh
+gen_require(`
+	type ssh_keygen_t;
+	type sshd_key_t, var_lib_t;
+')
+allow ssh_keygen_t var_lib_t:dir rw_dir_perms;
+filetrans_pattern(ssh_keygen_t, var_lib_t, sshd_key_t, file)

repos/aimee-os/sec-policy/selinux-aimee-os/selinux-aimee-os-2.20221101-r3.ebuild

@@ -0,0 +1,14 @@
+# Copyright 2023 Dustin C. Hatch
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+IUSE=""
+MODS="aimee-os"
+POLICY_FILES="aimee-os.te aimee-os.fc aimee-os.if"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for AimeeOS"
+
+KEYWORDS="~amd64 ~arm ~arm64 ~x86"