build: Implement CONFIGDIR setting

In effort to support different builds of Aimee OS using the same scripts, without necessarily having to fork this repository, the build system now supports a `CONFIGDIR` setting. When this variable is set, files defining the target environment, such as the lists of packages to install, the kernel configuration, the Portage configuration, etc. are found in the path it specifes. The reference build, for the Home Assistant Yellow board, is configured in the `yellow` directory. To build it, run: ```sh CONFIGDIR=yellow ./vm-build.sh ```
2023-03-13 16:21:20 -05:00
parent 1914b3aba0
commit 31d8a98f64
100 changed files with 83 additions and 53 deletions
--- a/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
+++ b/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
@@ -0,0 +1,172 @@
+policy_module(aimee-os, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+type aimee_storinit_t;
+type aimee_storinit_exec_t;
+init_daemon_domain(aimee_storinit_t, aimee_storinit_exec_t)
+
+type aimee_storinit_runtime_t;
+files_runtime_file(aimee_storinit_runtime_t)
+
+type aimee_sysupdate_t;
+type aimee_sysupdate_exec_t;
+userdom_user_application_domain(aimee_sysupdate_t, aimee_sysupdate_exec_t)
+
+type aimee_sysupdate_tmp_t;
+files_tmp_file(aimee_sysupdate_tmp_t)
+
+type aimee_factory_reset_t;
+type aimee_factory_reset_exec_t;
+init_daemon_domain(aimee_factory_reset_t, aimee_factory_reset_exec_t)
+
+########################################
+#
+# init-storage local policy
+#
+
+allow aimee_storinit_t self:fifo_file rw_fifo_file_perms;
+allow aimee_storinit_t self:capability { chown fsetid sys_admin };
+
+manage_dirs_pattern(aimee_storinit_t, aimee_storinit_runtime_t, aimee_storinit_runtime_t)
+manage_files_pattern(aimee_storinit_t, aimee_storinit_runtime_t, aimee_storinit_runtime_t)
+files_runtime_filetrans(aimee_storinit_t, aimee_storinit_runtime_t, dir)
+
+corecmd_exec_bin(aimee_storinit_t)
+
+storage_raw_read_fixed_disk(aimee_storinit_t)
+fstools_domtrans(aimee_storinit_t)
+mount_exec(aimee_storinit_t)
+miscfiles_read_localization(aimee_storinit_t)
+mount_list_runtime(aimee_storinit_t)
+dev_read_sysfs(aimee_storinit_t)
+kernel_search_debugfs(aimee_storinit_t)
+kernel_list_unlabeled(aimee_storinit_t)
+fs_getattr_all_fs(aimee_storinit_t)
+fs_mount_all_fs(aimee_storinit_t)
+fs_unmount_all_fs(aimee_storinit_t)
+allow aimee_storinit_t aimee_storinit_runtime_t:dir mounton;
+
+gen_require(`
+	type mount_runtime_t;
+')
+dontaudit aimee_storinit_t mount_runtime_t:dir write;
+
+files_manage_var_dirs(aimee_storinit_t)
+files_manage_var_files(aimee_storinit_t)
+files_manage_var_symlinks(aimee_storinit_t)
+
+gen_require(`
+	type var_lib_t, var_lock_t, var_run_t;
+	type semanage_store_t;
+	type semanage_read_lock_t, semanage_trans_lock_t;
+	type system_dbusd_var_lib_t;
+	type init_var_lib_t;
+	type auditd_log_t;
+	type tmp_t;
+	attribute logfile;
+')
+manage_dirs_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
+manage_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
+manage_lnk_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
+manage_lnk_files_pattern(aimee_storinit_t, var_lock_t, var_lock_t)
+manage_dirs_pattern(aimee_storinit_t, var_run_t, var_run_t)
+manage_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
+manage_lnk_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
+manage_dirs_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
+manage_files_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
+manage_dirs_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
+manage_files_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
+manage_dirs_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
+manage_files_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
+manage_dirs_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+manage_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+manage_lnk_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+manage_dirs_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
+manage_files_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
+manage_dirs_pattern(aimee_storinit_t, logfile, logfile)
+manage_files_pattern(aimee_storinit_t, logfile, logfile)
+manage_dirs_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
+manage_files_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
+manage_dirs_pattern(aimee_storinit_t, tmp_t, tmp_t)
+manage_files_pattern(aimee_storinit_t, tmp_t, tmp_t)
+
+########################################
+#
+# system-update local policy
+#
+
+allow aimee_sysupdate_t self:capability { chown fowner fsetid sys_admin };
+allow aimee_sysupdate_t self:fifo_file rw_fifo_file_perms;
+allow aimee_sysupdate_t self:tcp_socket create_stream_socket_perms;
+
+files_tmp_filetrans(aimee_sysupdate_t, aimee_sysupdate_tmp_t, dir)
+manage_dirs_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, aimee_sysupdate_tmp_t)
+manage_files_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, aimee_sysupdate_tmp_t)
+
+filetrans_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, bin_t, file, "install")
+
+domain_use_interactive_fds(aimee_sysupdate_t)
+userdom_use_inherited_user_terminals(aimee_sysupdate_t)
+corecmd_exec_bin(aimee_sysupdate_t)
+selinux_get_fs_mount(aimee_sysupdate_t)
+seutil_read_config(aimee_sysupdate_t)
+userdom_search_user_home_dirs(aimee_sysupdate_t)
+kernel_read_system_state(aimee_sysupdate_t)
+fstools_exec(aimee_sysupdate_t)
+fstools_manage_runtime_files(aimee_sysupdate_t)
+miscfiles_read_localization(aimee_sysupdate_t)
+storage_raw_rw_fixed_disk(aimee_sysupdate_t)
+dev_read_sysfs(aimee_sysupdate_t)
+files_read_etc_files(aimee_sysupdate_t)
+systemd_read_resolved_runtime(aimee_sysupdate_t)
+systemd_stream_connect_resolved(aimee_sysupdate_t)
+corenet_tcp_connect_http_port(aimee_sysupdate_t)
+corenet_tcp_connect_soundd_port(aimee_sysupdate_t)
+files_manage_non_security_dirs(aimee_sysupdate_t)
+files_manage_non_security_files(aimee_sysupdate_t)
+mount_exec(aimee_sysupdate_t)
+mount_list_runtime(aimee_sysupdate_t)
+fs_getattr_all_fs(aimee_sysupdate_t)
+fs_mount_all_fs(aimee_sysupdate_t)
+fs_unmount_all_fs(aimee_sysupdate_t)
+dbus_system_bus_client(aimee_sysupdate_t)
+systemd_dbus_chat_logind(aimee_sysupdate_t)
+logging_send_syslog_msg(aimee_sysupdate_t)
+files_mounton_non_security(aimee_sysupdate_t)
+
+gen_require(`
+	type sysadm_t;
+	role sysadm_r;
+')
+aimee_os_run_system_update(sysadm_t, sysadm_r)
+
+# factory-reset local policy
+#
+
+allow aimee_factory_reset_t self:capability { sys_admin };
+allow aimee_factory_reset_t self:fifo_file rw_fifo_file_perms;
+
+corecmd_exec_bin(aimee_factory_reset_t)
+dev_read_sysfs(aimee_factory_reset_t)
+kernel_read_system_state(aimee_factory_reset_t)
+fstools_exec(aimee_factory_reset_t)
+fstools_manage_runtime_files(aimee_factory_reset_t)
+miscfiles_read_localization(aimee_factory_reset_t)
+storage_raw_rw_fixed_disk(aimee_factory_reset_t)
+
+########################################
+#
+# Additional policy rules for Aimee OS-specific behavior
+#
+
+# Allow ssh-keygen to create host key files in /var/lib/ssh
+gen_require(`
+	type ssh_keygen_t;
+	type sshd_key_t, var_lib_t;
+')
+allow ssh_keygen_t var_lib_t:dir rw_dir_perms;
+filetrans_pattern(ssh_keygen_t, var_lib_t, sshd_key_t, file)