Compare commits


30 Commits

Author SHA1 Message Date
Dustin cb7e0a5819 init-storage: Set SELinux context for /var
This label needs to be applied before the subvolume is mounted initially
to prevent AVC denials.
2023-03-12 12:53:16 -05:00
Dustin a84df60b4a Reinstall packages for updates/changed USE flags
Packages which have been updated and/or had USE flag changes will now be
reinstalled in the destination root directory automatically.
2023-03-12 12:53:16 -05:00
Dustin 9d507c74ae Create /var/log with systemd-tmpfiles
*systemd-tmpfiles* can create btrfs subvolumes with the `v` entry type.
Using this mechanism instead of the `init-storage` script will allow for
greater flexibility when adding other subvolumes later.

Unfortunately, the default configuration for *systemd-tmpfiles* already
includes an entry for `/var/log` with the `d` (directory) type.  Since
individual entries cannot be overridden, we need to modify this entry.
2023-03-12 12:53:16 -05:00
Dustin 328b59e84a Omit /var/.updated from rootfs image
This file should not be present when a machine is first booted, so that
systemd units with `ConditionNeedsUpdate=/var` will be activated.
2023-03-12 12:53:16 -05:00
Dustin a5a642cb9a build: Rebuild when Portage config changes
The `host-tools` and `build` targets will now be rebuilt automatically
when the respective Portage configuration changes.
2023-03-12 12:53:16 -05:00
Dustin 274c592f5d Add factory reset feature
The `factory-reset` command provides a way to completely wipe the data
partition, thus erasing any local configuration and state.  The command
itself simply enables a special systemd service unit that is activated
during the shutdown process.  This unit runs a script, after all
filesystems, except rootfs, have been unmounted.  It then erases the
signature of the filesystem on the data partition, so it will appear
blank the next time the system boots.  This will trigger the
`init-storage` process, to create a new filesystem on the partition.
2023-03-12 12:50:05 -05:00
Dustin 2ebb26529a Switch to Busybox awk
Gentoo uses GNU awk by default, but since we are using Busybox for the
rest of the userspace utilities, it makes sense to use awk from Busybox
as well.
2023-03-12 12:50:05 -05:00
Dustin 47ecbeed19 build-rootfs: Reinstall rebuilt binaries
Binary packages that have been rebuilt since they were installed in the
destination root are now reinstalled automatically.
2023-03-12 12:50:05 -05:00
Dustin ec34ffe7d2 build-rootfs: Pre-generate tmpfiles
Some *tmpfiles.d(5)* entries specify paths in the immutable root
filesystem.  These need to be created at build time to prevent
*systemd-tmpfiles-setup.service* from failing at runtime.
2023-03-12 12:50:05 -05:00
Dustin 1a1a64a16d rebuild-pkg: Script to rebuild/reinstall a binpkg
This script can be used to rebuild a binary package in the SYSROOT and
reinstall it in the destination root.

```sh
./rebuild-pkg sec-policy/selinux-aimee-os
make -W /tmp/build/.built O=/tmp/build IMAGESDIR=${PWD}/images
```
2023-03-12 12:50:05 -05:00
Dustin ff5f8b5c3b Begin custom SELinux policy module
The *aimee-os* SELinux policy module provides rules that are specific to
our custom commands and system configuration.  These rules are not
suitable for including in the upstream policy, so we include them in a
separate package rather than patches to the base policy.

Currently, the policy module includes rules to allow the `init-storage`
and `system-update` programs to work.  It also includes rules to allow
SSH host keys to be stored in `/var/lib/ssh` instead of `/etc/ssh`,
since our `/etc` is immutable.
2023-03-12 12:47:36 -05:00
Dustin 5939fb525c init-storage: Use a static path as mount point
There's no particular reason why the directory used as the temporary
mount point for the data volume needs to be random.  Using a static
name, on the other hand, makes it easier for the SELinux policy to
apply the correct type transition and ensure the directory is labelled
correctly.
2023-03-12 12:47:36 -05:00
Dustin c97c7f565b Add restorecon service
This service runs `restorecon` on `/var` to fix any errant SELinux
labels when the system first boots following an update.
2023-03-12 12:47:36 -05:00
Dustin 20b85fe8e2 Fix setting overlay directory timestamps
Using `tar` to copy files and directories from the overlay directory to
the destination root preserves their timestamps.  This is not really
desirable, particularly for directories, because it may result in the
destination paths appearing older than the build.  This is especially
problematic for `/usr`, since its timestamps are important for systemd
units that use `ConditionNeedsUpdate` settings.

To ensure the timestamps are set correctly, we now use `rsync` to copy
the overlay, with the `-O` (`--omit-dir-times`) argument, to avoid
changing the timestamps of directories.  Additionally, we explicitly
update the timestamp of `/usr` to ensure that every new build triggers
the "needs update" condition.
2023-03-12 12:47:36 -05:00
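The `ConditionNeedsUpdate` mechanism this commit (and the `restorecon.service` added later in the same range) relies on, shown as an added example rather than code from the repository: a POSIX shell emulation of systemd's check, run against throwaway directories with constructed timestamps. systemd treats `ConditionNeedsUpdate=/var` as true when `/var/.updated` is missing or its mtime is older than that of `/usr`, and `systemd-update-done.service` writes the stamp afterwards; recent systemd also records a timestamp inside the stamp file, which this emulation ignores. The three scenarios correspond to a fresh image without the stamp, a build whose `/usr` kept an old mtime (the `tar` behaviour the commit describes), and a build that touched `/usr`.

```sh
#!/bin/sh
# Added example, not code from the repository: emulate systemd's
# ConditionNeedsUpdate=/var check with coreutils only (mtime comparison;
# the timestamp recent systemd stores inside .updated is not modelled).

# needs_update ROOT: return 0 when ROOT/usr is newer than ROOT/var/.updated
# or the stamp is absent, 1 otherwise.
needs_update() {
    stamp="$1/var/.updated"
    [ -e "$stamp" ] || return 0
    [ "$1/usr" -nt "$stamp" ]
}

# mark_updated ROOT: what systemd-update-done.service does once the
# ConditionNeedsUpdate units have run.
mark_updated() {
    touch "$1/var/.updated"
}

# new_root: throwaway root (constructed data) whose /usr is dated
# 2023-03-01 and whose stamp is a day newer, i.e. a device that already
# ran its update units after the previous image.
new_root() {
    root=$(mktemp -d)
    mkdir -p "$root/usr" "$root/var"
    touch -d '2023-03-01 00:00:00' "$root/usr"
    touch -d '2023-03-02 00:00:00' "$root/var/.updated"
    printf '%s\n' "$root"
}

# Each scenario returns 0 when the observed behaviour matches the claim.

# A freshly built image omits /var/.updated, so first boot must update.
first_boot_updates() {
    root=$(new_root)
    rm -f "$root/var/.updated"
    if needs_update "$root"; then rc=0; else rc=1; fi
    rm -rf "$root"
    [ $rc -eq 0 ]
}

# A build that preserved an old mtime on /usr (tar copying the overlay)
# leaves /usr older than the stamp: no update units would run.
stale_usr_does_not_update() {
    root=$(new_root)
    if needs_update "$root"; then rc=1; else rc=0; fi
    rm -rf "$root"
    [ $rc -eq 0 ]
}

# The fix: touch /usr at build time so it is newer than any stamp a device
# can hold; after the update units run, the stamp catches up and the
# condition turns false again.
touched_usr_updates_once() {
    root=$(new_root)
    touch "$root/usr"                       # build time
    needs_update "$root" && mark_updated "$root" && ! needs_update "$root"
    rc=$?
    rm -rf "$root"
    [ $rc -eq 0 ]
}

for scenario in first_boot_updates stale_usr_does_not_update touched_usr_updates_once; do
    if "$scenario"; then echo "ok   $scenario"; else echo "FAIL $scenario"; fi
done
```

Running the script prints `ok` for all three scenarios; swapping the `touch "$root/usr"` line out of the last scenario turns it into the stale case and shows why `rsync -O` alone is not enough without the explicit touch.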
Dustin 9bdf0fbfd0 build: Trigger rebuild on overlay changes
If any file in the `overlay` directory changes, the `build-rootfs.sh`
script needs to be re-run in order to copy the changes into the
destination root and regenerate the SquashFS image.
2023-03-12 12:47:36 -05:00
Dustin 189f1f656e wip: build u-boot with Portage 2023-03-12 12:47:36 -05:00
Dustin 5f62193247 Use Portage config directly from src dir
Instead of copying the Portage configuration files to `/etc/portage` and
`/usr/${target}/etc/portage`, the build scripts now use the
configuration directories from the source directory.  This avoids issues
with changes (especially removal of files) getting propagated to the
actual configuration paths.
2023-03-12 12:47:36 -05:00
Dustin 3ca750f495 build: Rebuild when busybox.symlinks changes 2023-03-12 12:47:36 -05:00
Dustin 301589af22 Store SSH host keys in /var/lib/ssh
For some reason, when OverlayFS is mounted at `/etc/ssh`, SELinux
prevents both `sshd` and `ssh-keygen` from accessing the files there.
The AVC denials indicate that (some part of) the process is running in
the `mount_t` domain, which is not allowed to read or write `sshd_key_t`
files.

To work around this issue, without granting `mount_t` overly-permissive
access, we now configure the SSH daemon to read host keys from the
persistent data volume directly, instead of "tricking" it with
OverlayFS.  The `ssh-keygen` tool does not read the `HostKey` options
from `sshd_config`, though, so it has to be explicitly instructed to
create keys in this alternate location.  By using a systemd template
unit with `ConditionPathExists`, we avoid regenerating the keys on every
boot, since the `ssh-keygen` command is only run if the file does not
already exist.
2023-03-12 12:47:36 -05:00
Dustin f2d6db5af1 Enable SELinux
Enabling SELinux on the target system needs build-time and run-time
configuration changes for the kernel and userspace.  Additionally,
SELinux requires a policy that defines allowed operations.  Gentoo
provides a reasonable baseline for all of these changes, but some
modifications are required.

First and foremost, the Gentoo SELinux policy is missing several
necessary rules for systemd-based systems.  Notably, services that use
alternate namespaces will fail to start because the base policy does not
allow systemd components the necessary privileges, so these rules have
to be added.  Similarly, `systemd-journald` needs additional privileges
in order to be able to capture all metadata for processes generating
syslog messages.  Finally, additional rules are necessary in order to
allow systemd to create files and directories prior to launching
services.

Besides patching the policy, we also do some hackery to avoid shipping
the Python runtime in SELinux-enabled builds.  Several SELinux-related
packages, including *libselinux* and *policycoreutils* have dependencies
on Python modules for some of their functionality.  Unfortunately, the
Python build system does NOT properly cross-compile native extension
modules, so this functionality is not available on the target system.
Fortunately, none of the features provided by these modules are actually
needed at runtime, so we can safely ignore them and thus omit the entire
Python runtime and all Python programs from the final image.

It is important to note that it is impossible to build an
SELinux-enabled image on a host that is itself SELinux-enabled.
Operations such as changing file labels are checked against the SELinux
policy in the running kernel, and may be denied if the target policy
differs significantly from the running policy.  The `setfiles` command
fails, for example, when run on a Fedora host.  As such, building an
SELinux-enabled system should be done in a virtual machine using a
kernel that does not have a loaded SELinux policy.  The `ocivm` script
can be used to create a suitable runtime from a container image.
2023-03-12 12:34:12 -05:00
Dustin fe602f2a92 install-update: Fix error message in die function 2023-03-08 11:12:00 -06:00
Dustin dbc02a99a1 Simplify specifying packages to build/install
The Portage packages that need to be built and/or installed are now
specified in the `build.packages` and `install.packages` files,
respectively.  Similarly, packages to be installed on the host system
are specified in `host-tools.packages`.  Finally, the
`installonly.packages` file contains a list of packages that are
installed in the destination root, but not built in the sysroot
beforehand.

This allows `make` to better track when the package sets change.  It
will also make it easier to maintain different sets for different
variants in the future.
2023-03-08 11:12:00 -06:00
Dustin b2aac7c74e vm-build: Add script to build in a microvm
This script uses the `ocivm` tool to launch a QEMU micro VM to build
the operating system.  This is necessary to produce an SELinux-enabled
system, since container runtimes interfere with the SELinux policy
build and filesystem labeling processes.
2023-03-08 11:12:00 -06:00
Dustin f3b63a1dc2 prepare: Fix binpkg build for libcap
Since we have to build *sys-libs/libcap* with the default Portage
configuration in order to avoid the circular dependency with PAM,
our configuration for binary package builds is not yet in place.  We
need to explicitly specify where to put the built packages and enable
multi-instance packages.
2023-03-06 15:02:46 -06:00
Dustin 52aae70db2 prepare: Fix ownership of Portage DISTDIR
If the Portage DISTDIR is a mounted filesystem, it may not have the
correct permissions initially.
2023-03-03 12:36:15 -06:00
Dustin 5e4e37259e Fix overlay file ownerships
By default, `tar` copies file ownership UID/GID.  This works fine when
the build is running in a rootless container, since the source UID/GID
numbers are mapped to 0/0 inside the container.  In other scenarios,
though, such as building in a microvm with the source directory on a
shared filesystem, the original numbers are preserved.  We need to
explicitly state that the files must be owned by root.
2023-03-03 12:36:15 -06:00
Dustin 4900085a1c Support external build directory
When running inside a QEMU microvm with the source directory shared
via 9pfs, the kernel build process fails

> Error: Could not mmap file: vmlinux

Thus, we need to run the build in a path on a local filesystem.  To
support this, the Makefile now supports an `O` option, and all the build
scripts have been adjusted to make use of it as needed.

Since building in a local filesystem would ultimately discard the final
artifacts when the VM terminates, we need yet a different location for
the files we want to keep.  The `IMAGESDIR` option can be used to
specify this path.  This path can be on a shared filesystem, thus
saving the artifacts outside the microvm.
2023-03-03 12:36:15 -06:00
Dustin 8e556ca5a9 Do not install git on the build host
No longer necessary.
2023-02-21 09:58:18 -06:00
Dustin a8ccbe45a0 Improve handling of circular dependencies
Several packages end up with circular dependencies, depending on which
Portage profile is selected.  The default profiles have a circular
dependency between *sys-libs/pam* and *sys-libs/libcap*.  Systemd and
SELinux profiles have even more issues.

We can break the circular dependencies by explicitly building *libcap*
with `USE=-pam` first, which happens to be the default configuration
generated by `crossdev`.  Then, we need to switch to a more complete
profile in order to build *glibc* and *util-linux*.  At this point, the
build root should be complete enough to build anything without circular
dependencies.
2023-02-21 09:58:18 -06:00
Dustin 50b20eee8c Add start-container.sh script
This will make it easier to manually create a container for development
and debugging.
2023-02-21 09:58:18 -06:00
119 changed files with 1097 additions and 251 deletions

5
.gitignore vendored

@ -1,5 +1,10 @@
/images /images
/linux /linux
/output /output
/portage/config/*/etc/portage/make.profile
/portage/config/*/etc/portage/repos.conf
/portage/config/target/etc/portage/make.conf/10-crossdev.conf
/portage/repos/x-portage
/.built
/.prepared /.prepared
/.host-tools /.host-tools
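Review bot: the `$(O)/.ready` stamp the new Makefile creates (`touch $(O)/.ready` in the `build-rootfs.sh` rule) is missing from this list; with the default `O ?= .` it shows up as an untracked `.ready` in the checkout next to the `/.built`, `/.prepared` and `/.host-tools` entries. Add `/.ready` alongside `/.built`.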

4
.gitmodules vendored

@ -1,4 +0,0 @@
[submodule "u-boot"]
path = u-boot
url = https://source.denx.de/u-boot/u-boot.git
branch = v2023.01

117
Makefile

@ -1,94 +1,100 @@
update.tar: output/update.tar.zstd O ?= .
IMAGESDIR ?= $(O)/images
.prepared: \ update.tar: $(IMAGESDIR)/update.tar.zstd
$(O)/.prepared: \
prepare.sh \ prepare.sh \
config-portage.sh \
setup-local-repo.sh \ setup-local-repo.sh \
$(shell find portage host-portage -type f) \
$(shell find patches/ebuilds -type f) $(shell find patches/ebuilds -type f)
./prepare.sh ./prepare.sh
./config-portage.sh
./setup-local-repo.sh ./setup-local-repo.sh
touch .prepared mkdir -p $(O)
touch $(O)/.prepared
prepare: .prepared prepare: $(O)/.prepared
.host-tools: \ $(O)/.host-tools: \
build-host-tools.sh \ build-host-tools.sh \
.prepared host-tools.packages \
$(shell find portage/config/host -type f) \
$(O)/.prepared
./build-host-tools.sh ./build-host-tools.sh
touch .host-tools touch $(O)/.host-tools
host-tools: .host-tools host-tools: $(O)/.host-tools
.built: \ $(O)/.built: \
build.sh \ build.sh \
build-rootfs.sh \ build.packages \
linux/arch/arm64/boot/Image.gz \ install.packages \
.host-tools \ $(shell find portage/config/target -type f) \
.prepared $(O)/.host-tools \
$(O)/.prepared
./build.sh ./build.sh
./build-rootfs.sh touch $(O)/.built
touch .built
images/rootfs.squashfs: \ $(O)/.ready: \
build-rootfs.sh \
install.packages \
installonly.packages \
busybox.symlinks \
$(O)/linux/arch/arm64/boot/Image.gz \
$(shell find overlay -type f) \
$(O)/.host-tools \
$(O)/.built
./build-rootfs.sh
touch $(O)/.ready
$(IMAGESDIR)/rootfs.squashfs: \
build-squashfs.sh \ build-squashfs.sh \
squashfs.exclude \ squashfs.exclude \
.built $(O)/.ready
./build-squashfs.sh ./build-squashfs.sh "$(IMAGESDIR)"
squashfs: images/rootfs.squashfs squashfs: $(IMAGESDIR)/rootfs.squashfs
linux/arch/arm64/boot/Image.gz: \ $(O)/linux/arch/arm64/boot/Image.gz: \
build-kernel.sh \ build-kernel.sh \
linux.config \ linux.config \
.host-tools \ $(O)/.host-tools \
.prepared $(O)/.prepared
./build-kernel.sh ./build-kernel.sh "$(O)"
kernel: linux/arch/arm64/boot/Image.gz kernel: $(O)/linux/arch/arm64/boot/Image.gz
output/efi-part/EFI/BOOT/BOOTAA64.efi: \ $(O)/efi-part/EFI/BOOT/BOOTAA64.efi: \
build-grub.sh \ build-grub.sh \
grub.cfg \ grub.cfg \
.host-tools \ $(O)/.host-tools \
.prepared $(O)/.prepared
./build-grub.sh ./build-grub.sh "$(O)"
grub: output/efi-part/EFI/BOOT/BOOTAA64.efi grub: $(O)/efi-part/EFI/BOOT/BOOTAA64.efi
output/efi-part/u-boot.bin: \ $(IMAGESDIR)/sdcard.img: \
build-uboot.sh \
u-boot.config
./build-uboot.sh
uboot: output/efi-part/u-boot.bin
images/sdcard.img: \
genimage.cfg \ genimage.cfg \
genimage.sh \ genimage.sh \
post-build.sh \ post-build.sh \
output/efi-part/u-boot.bin \ $(O)/efi-part/EFI/BOOT/BOOTAA64.efi
output/efi-part/EFI/BOOT/BOOTAA64.efi ./post-build.sh "$(O)"
./post-build.sh ./genimage.sh "$(O)" "$(IMAGESDIR)"
./genimage.sh
sdcard.img: images/sdcard.img sdcard.img: $(IMAGESDIR)/sdcard.img
images/firmware.img: images/sdcard.img $(IMAGESDIR)/firmware.img: $(IMAGESDIR)/sdcard.img
output/update.tar.zstd: \ $(IMAGESDIR)/update.tar.zstd: \
images/rootfs.squashfs \ $(IMAGESDIR)/rootfs.squashfs \
images/firmware.img \ $(IMAGESDIR)/firmware.img \
install-update.sh \ install-update.sh \
.host-tools \ $(O)/.host-tools \
.prepared $(O)/.prepared
./build-update.sh ./build-update.sh "$(IMAGESDIR)"
clean: clean:
git -C u-boot clean -fdx && git -C u-boot checkout -- . rm -rf $(O)/linux $(O)/output $(IMAGESDIR) $(O)/tmp
rm -rf linux output images tmp rm -f $(O)/.prepared $(O)/.host-tools
rm -f .prepared .host-tools
.PHONY: \ .PHONY: \
grub \ grub \
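Review bot: the `clean` target is out of step with the new layout: it removes `$(O)/output`, which no rule writes to any more (the EFI tree now lives in `$(O)/efi-part`), and it leaves `$(O)/efi-part`, `$(O)/.built` and the new `$(O)/.ready` stamp behind, so `make clean && make` will not rerun `build.sh` or `build-rootfs.sh` (`.built` was already missed before this change). Suggest `rm -rf $(O)/linux $(O)/efi-part $(IMAGESDIR) $(O)/tmp` and `rm -f $(O)/.prepared $(O)/.host-tools $(O)/.built $(O)/.ready`.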
@ -97,5 +103,4 @@ clean:
prepare \ prepare \
sdcard.img \ sdcard.img \
squashfs \ squashfs \
uboot \
update.tar update.tar


@ -5,6 +5,8 @@ set -e
. ./config . ./config
O="${1}"
GRUB_MODULES=' GRUB_MODULES='
boot boot
echo echo
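Review bot: `O="${1}"` has no fallback or validation, so running the script by hand without an argument sets `O` to the empty string and the later `mkdir -p "${O}"/efi-part` creates `/efi-part` at the filesystem root. The Makefile always passes `"$(O)"`, but a one-line guard such as `O="${1:?output directory required}"` (or `O="${1:-.}"` to mirror the Makefile default) keeps manual runs from writing outside the tree. The same unguarded pattern appears in build-kernel.sh, build-uboot.sh, build-update.sh and genimage.sh.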
@ -26,17 +28,17 @@ zstd
' '
echo 'Creating GRUB image ...' echo 'Creating GRUB image ...'
mkdir -p output/efi-part/EFI/BOOT mkdir -p "${O}"/efi-part/EFI/BOOT
grub-mkimage \ grub-mkimage \
-O arm64-efi \ -O arm64-efi \
-o output/efi-part/EFI/BOOT/BOOTAA64.efi \ -o "${O}"/efi-part/EFI/BOOT/BOOTAA64.efi \
-d /usr/${target}/usr/lib/grub/arm64-efi \ -d /usr/${target}/usr/lib/grub/arm64-efi \
-p /EFI/gentoo \ -p /EFI/gentoo \
${GRUB_MODULES} ${GRUB_MODULES}
echo 'Generating GRUB configuration file ...' echo 'Generating GRUB configuration file ...'
mkdir -p output/efi-part/EFI/gentoo mkdir -p "${O}"/efi-part/EFI/gentoo
cp -uv grub.cfg output/efi-part/EFI/gentoo cp -uv grub.cfg "${O}"/efi-part/EFI/gentoo
grub-editenv output/efi-part/EFI/gentoo/grubenv set rootflags='ro' grub-editenv "${O}"/efi-part/EFI/gentoo/grubenv set rootflags='ro'
grub-editenv output/efi-part/EFI/gentoo/grubenv set default=0 grub-editenv "${O}"/efi-part/EFI/gentoo/grubenv set default=0
grub-editenv output/efi-part/EFI/gentoo/grubenv set timeout=5 grub-editenv "${O}"/efi-part/EFI/gentoo/grubenv set timeout=5


@ -1,13 +1,6 @@
#!/bin/sh #!/bin/sh
# vim: set sw=4 ts=4 sts=4 et : # vim: set sw=4 ts=4 sts=4 et :
emerge -vnUj \ PORTAGE_CONFIGROOT="${PWD}"/portage/config/host \
dev-vcs/git \ < host-tools.packages xargs -ro \
sys-apps/systemd \ emerge -vnUj
sys-boot/grub \
sys-fs/btrfs-progs \
sys-fs/dosfstools \
sys-fs/genimage \
sys-fs/mtools \
sys-fs/squashfs-tools \
|| exit
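Review bot: the `|| exit` guard was dropped and no `set -e` is visible in this file, so a failed `emerge` no longer fails the script; the Makefile's `$(O)/.host-tools` recipe runs `touch $(O)/.host-tools` on its next line, so a broken host-tools build would be recorded as complete and never retried. Either add `set -e` after the shebang or keep `|| exit` on the `xargs` line (`xargs` returns 123 when any invocation fails, which still trips the guard).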


@ -3,16 +3,21 @@
set -e set -e
O="${1}"
. ./config . ./config
PORTAGE_CONFIGROOT="${PWD}"/portage/config/host \
emerge -vnj ${kernel_pkg} emerge -vnj ${kernel_pkg}
export ARCH=arm64 CROSS_COMPILE=${target}- export ARCH=arm64 CROSS_COMPILE=${target}-
mkdir -p linux unset MAKEFLAGS MAKEOVERRIDES MAKELEVEL
cd linux mkdir -p "${O}"/linux
/usr/src/linux/scripts/kconfig/merge_config.sh -m \ /usr/src/linux/scripts/kconfig/merge_config.sh -m \
-O "${O}"/linux \
/usr/src/linux/arch/*/configs/${kernel_defconfig}_defconfig \ /usr/src/linux/arch/*/configs/${kernel_defconfig}_defconfig \
../linux.config linux.config
cd "${O}"/linux
make -C /usr/src/linux O=${PWD} olddefconfig make -C /usr/src/linux O=${PWD} olddefconfig
make -j$(nproc) make -j$(nproc)
touch arch/arm64/boot/Image.gz touch arch/arm64/boot/Image.gz
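Review bot: `unset MAKEFLAGS MAKEOVERRIDES MAKELEVEL` deserves a comment: it is what stops the kernel's own `make` from inheriting the outer Makefile's `O=`/`IMAGESDIR=` overrides and job flags (the kernel build would otherwise see `O=.` from the parent and put its output tree in the wrong place), and a future reader will be tempted to remove it as dead code. One line saying "do not inherit the top-level make's variables; the kernel build sets its own O" is enough.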
@ -22,14 +27,14 @@ cd -
printf 'Installing Kernel %s ...\n' "${kver}" printf 'Installing Kernel %s ...\n' "${kver}"
mkdir -p /mnt/gentoo/boot mkdir -p /mnt/gentoo/boot
cp -au linux/arch/arm64/boot/Image.gz /mnt/gentoo/boot/vmlinuz-${kver} cp -au "${O}"/linux/arch/arm64/boot/Image.gz /mnt/gentoo/boot/vmlinuz-${kver}
cp -au linux/.config /mnt/gentoo/boot/config-${kver} cp -au "${O}"/linux/.config /mnt/gentoo/boot/config-${kver}
cp -au linux/System.map /mnt/gentoo/boot/System.map-${kver} cp -au "${O}"/linux/System.map /mnt/gentoo/boot/System.map-${kver}
printf 'Installing device tree binaries ...\n' printf 'Installing device tree binaries ...\n'
mkdir -p output/efi-part/overlays mkdir -p "${O}"/efi-part/overlays
cp -au linux/arch/arm64/boot/dts/${device_tree} output/efi-part/ cp -u "${O}"/linux/arch/arm64/boot/dts/${device_tree} "${O}"/efi-part/
cp -au \ cp -u \
linux/arch/arm64/boot/dts/overlays/*.dtb \ "${O}"/linux/arch/arm64/boot/dts/overlays/*.dtb \
linux/arch/arm64/boot/dts/overlays/*.dtbo \ "${O}"/linux/arch/arm64/boot/dts/overlays/*.dtbo \
output/efi-part/overlays/ "${O}"/efi-part/overlays/


@ -23,20 +23,14 @@ ln -snf \
cp -r portage/. /mnt/gentoo/etc/portage/ cp -r portage/. /mnt/gentoo/etc/portage/
ROOT=/mnt/gentoo \ ROOT=/mnt/gentoo \
PORTAGE_CONFIGROOT=/mnt/gentoo \ PORTAGE_CONFIGROOT="${PWD}"/portage/config/target \
${target}-emerge -Kvnj \ < install.packages xargs -ro \
sys-apps/busybox \ ${target}-emerge -KvnuUDj --rebuilt-binaries=y
sys-apps/systemd \
net-misc/openssh \
net-misc/wget \
sys-fs/btrfs-progs \
--
ROOT=/mnt/gentoo \ ROOT=/mnt/gentoo \
PORTAGE_CONFIGROOT=/mnt/gentoo \ PORTAGE_CONFIGROOT="${PWD}"/portage/config/target \
${target}-emerge -vnj \ < installonly.packages xargs -ro \
net-wireless/wireless-regdb \ ${target}-emerge -vnuUDj
sys-kernel/linux-firmware \
--
ROOT=/mnt/gentoo \ ROOT=/mnt/gentoo \
locale-gen locale-gen
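Review bot: the unchanged `cp -r portage/. /mnt/gentoo/etc/portage/` line now copies the whole `portage/` tree, including `config/host` and `config/target`, into the image's `/etc/portage`, even though the very next line points Portage at the source tree via `PORTAGE_CONFIGROOT`; the later `setfiles -e /mnt/gentoo/etc/portage` exclusion suggests the directory is only tolerated, not wanted. If the target never runs Portage, drop the copy (and the exclusion); if it does, copy only `portage/config/target/etc/portage/.` so build-host configuration does not ship in the rootfs.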
@ -59,8 +53,7 @@ while read name; do
fi fi
done < busybox.symlinks done < busybox.symlinks
tar -c -C overlay . \ rsync -rltpDO overlay/ /mnt/gentoo/
| tar -x --keep-newer-files -C /mnt/gentoo
cp -uv /usr/${target}/usr/bin/grub-editenv /mnt/gentoo/usr/bin/ cp -uv /usr/${target}/usr/bin/grub-editenv /mnt/gentoo/usr/bin/
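Review bot: switching from `tar --keep-newer-files` to `rsync -rltpDO` changes precedence: overlay files now overwrite package-installed files unconditionally instead of only when the overlay copy is newer. That is probably the intent (the overlay is the local configuration), but say so in a comment. Also, without `-o`/`-g` every copied path is owned by the invoking user, which yields the root ownership commit 5e4e37259e wants only when this script runs as root in the build VM; `--chown=0:0` makes that explicit.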
@ -73,6 +66,8 @@ if [ -f /mnt/gentoo/etc/udev/hwdb.bin ]; then
fi fi
rm -f /mnt/gentoo/lib/tmpfiles.d/provision.conf rm -f /mnt/gentoo/lib/tmpfiles.d/provision.conf
sed -i 's:d /var/log :v /var/log :' /mnt/gentoo/lib/tmpfiles.d/var.conf
systemd-tmpfiles --root=/mnt/gentoo -E --exclude-prefix=/var --create
systemctl preset-all --root=/mnt/gentoo systemctl preset-all --root=/mnt/gentoo
rm -f /mnt/gentoo/lib/systemd/system/sysinit.target.wants/ldconfig.service rm -f /mnt/gentoo/lib/systemd/system/sysinit.target.wants/ldconfig.service
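Review bot: the `sed -i 's:d /var/log :v /var/log :'` edit is unchecked; `sed` exits 0 whether or not the pattern matched, so a whitespace change in systemd's `var.conf` would silently leave `/var/log` as a plain directory and the subvolume described in the commit message would never be created. Add `grep -q '^v /var/log ' /mnt/gentoo/lib/tmpfiles.d/var.conf` after the edit, or ship a replacement `var.conf` from the overlay as `/etc/tmpfiles.d/var.conf` (a same-named file in `/etc/tmpfiles.d` shadows the one in `/usr/lib/tmpfiles.d`, which is the supported override mechanism even though single entries cannot be overridden).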
@ -86,3 +81,29 @@ if ! grep -q Include /mnt/gentoo/etc/ssh/sshd_config; then
echo 'Include /etc/ssh/sshd_config.d/*.conf' \ echo 'Include /etc/ssh/sshd_config.d/*.conf' \
>> /mnt/gentoo/etc/ssh/sshd_config >> /mnt/gentoo/etc/ssh/sshd_config
fi fi
# Although `semanage` accepts a `--store` argument that supposedly
# instructs it to operate on an alternate SELinux policy store, it
# doesn't actually work. As such, we have to run `semanage` in an
# alternate mount namespace with the target policy store bind-mounted
# at the default location so `semanage` can operate on it.
unshare -m sh -e <<EOF
mount -o bind /mnt/gentoo/var/lib/selinux /var/lib/selinux
mount -o bind /mnt/gentoo/etc/selinux /etc/selinux
semanage boolean -N -m --on ssh_sysadm_login
semanage login -N -m -s root root
semanage user -N -m -R sysadm_r root
EOF
setfiles \
-p \
-F \
-m \
-r /mnt/gentoo \
-c /mnt/gentoo/etc/selinux/strict/policy/policy.* \
-e /mnt/gentoo/var/db/pkg \
-e /mnt/gentoo/etc/portage \
/mnt/gentoo/etc/selinux/strict/contexts/files/file_contexts \
/mnt/gentoo
touch /mnt/gentoo/usr
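Review bot: two points on this hunk. `setfiles -e /mnt/gentoo/var/db/pkg -e /mnt/gentoo/etc/portage` leaves those trees unlabeled; unless `squashfs.exclude` (not shown) drops them, they land in the image and are treated as `unlabeled_t` under the strict policy, so either confirm they are excluded from the SquashFS or let `setfiles` label them. Second, `semanage boolean --on ssh_sysadm_login` together with `semanage login -m -s root root` means a successful SSH login as root lands straight in `sysadm_r`; with `PasswordAuthentication no` that is limited to key holders, but it is a policy decision worth a comment here. Minor: quote the heredoc as `<<'EOF'` so future `$` characters in the `semanage` lines are not expanded by the outer shell.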


@ -5,10 +5,12 @@ set -e
. ./config . ./config
mkdir -p images IMAGESDIR="${1}"
mkdir -p "${IMAGESDIR}"
mksquashfs \ mksquashfs \
/mnt/gentoo \ /mnt/gentoo \
images/rootfs.squashfs \ "${IMAGESDIR}"/rootfs.squashfs \
-comp gzip \ -comp gzip \
-ef squashfs.exclude \ -ef squashfs.exclude \
-no-exports \ -no-exports \
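Review bot: the labels `setfiles` just wrote live in `security.selinux` xattrs, and `mksquashfs` only carries them into the image when squashfs-tools was built with xattr support (it stores xattrs by default in that case). Passing `-xattrs` explicitly documents the requirement and makes an xattr-less build fail instead of producing an image whose files all boot as `unlabeled_t`.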


@ -5,12 +5,14 @@ set -e
. ./config . ./config
O="${1}"
./patch-uboot.sh ./patch-uboot.sh
cd u-boot cd u-boot
cat configs/rpi_4_defconfig ../u-boot.config > configs/yellow_defconfig cat configs/rpi_4_defconfig ../u-boot.config > configs/yellow_defconfig
make yellow_defconfig make O="${O}"/u-boot yellow_defconfig
CROSS_COMPILE=${target}- make CROSS_COMPILE=${target}- make O="${O}"/u-boot -j$(nproc)
cd .. cd ..
mkdir -p output/efi-part mkdir -p "${O}"/efi-part
cp -au u-boot/u-boot.bin output/efi-part cp -u "${O}"/u-boot/u-boot.bin "${O}"/efi-part
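Review bot: this script looks dead after this change: the `u-boot` submodule is removed in the same range, no Makefile rule calls it any more (`uboot` was dropped from `.PHONY`), and `sys-boot/u-boot` is built through Portage via `build.packages`. Teaching it about `O` only preserves a `cd u-boot` into a directory that no longer exists in the checkout. Delete it together with `patch-uboot.sh` and `u-boot.config`, or add a comment that it is kept until the WIP Portage build of U-Boot is finished.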


@ -5,11 +5,13 @@ set -e
. ./config . ./config
cd images IMAGESDIR="$1"
cd "${IMAGESDIR}"
sha256sum firmware.img > digests sha256sum firmware.img > digests
sha256sum rootfs.squashfs >> digests sha256sum rootfs.squashfs >> digests
ln ../install-update.sh install cp -u "${OLDPWD}"/install-update.sh install
tar -c --zstd -f ../output/update.tar.zstd \ tar -c --zstd -f update.tar.zstd \
digests \ digests \
firmware.img \ firmware.img \
rootfs.squashfs \ rootfs.squashfs \
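Review bot: `digests` gives `install-update.sh` an integrity check on `firmware.img` and `rootfs.squashfs`, but nothing in this hunk signs `digests` or the archive, so anyone who can modify `update.tar.zstd` on its way to a device can regenerate the digests as well. If updates are fetched over a network, add a detached signature over `digests` that the installer verifies before it reads anything else, or document that the transport is trusted. Separately, `cp -u "${OLDPWD}"/install-update.sh install` skips the copy whenever the stale `install` already in `IMAGESDIR` has a newer mtime (for example after checking out an older revision of the script), so a plain `cp` is safer here.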

3
build.packages Normal file

@ -0,0 +1,3 @@
sys-boot/grub
sys-boot/raspberrypi-firmware
sys-boot/u-boot


@ -5,18 +5,15 @@ set -e
. ./config . ./config
USE=-pam \ unset MAKEFLAGS MAKEOVERRIDES MAKELEVEL
${target}-emerge -1nvj --nodeps sys-libs/libcap
USE='-cramfs -ncurses -nls -pam -readline -su -suid -systemd -udev' \
${target}-emerge -1nvj --nodeps sys-apps/util-linux
${target}-emerge -vnuUDj \ export PORTAGE_CONFIGROOT="${PWD}"/portage/config/target
net-misc/openssh \
net-misc/wget \ ${target}-emerge -vuUDj sys-apps/util-linux
sys-apps/busybox \
sys-apps/systemd \ cat \
sys-boot/grub \ build.packages \
sys-boot/raspberrypi-firmware \ install.packages \
sys-fs/btrfs-progs \ | xargs -ro \
-- ${target}-emerge -vnuUDj
${target}-emerge -v @preserved-rebuild ${target}-emerge -v @preserved-rebuild


@ -1,5 +1,6 @@
basename basename
cat cat
chcon
cp cp
dd dd
df df

2
config

@ -1,5 +1,5 @@
target=aarch64-unknown-linux-gnu target=aarch64-unknown-linux-gnu
profile=default/linux/arm64/17.0/systemd/merged-usr profile=default/linux/arm64/17.0/systemd/selinux/merged-usr
kernel_pkg=sys-kernel/raspberrypi-sources kernel_pkg=sys-kernel/raspberrypi-sources
kernel_defconfig=bcm2835 kernel_defconfig=bcm2835
device_tree=broadcom/bcm2711-rpi-cm4-ha-yellow.dtb device_tree=broadcom/bcm2711-rpi-cm4-ha-yellow.dtb


@ -1,9 +0,0 @@
#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :
set -e
. ./config
cp -r host-portage/. /etc/portage/
cp -r portage/. /usr/${target}/etc/portage/


@ -4,7 +4,7 @@ image firmware.img {
vfat { vfat {
} }
srcpath = "output/efi-part" srcpath = "efi-part"
size = 32M size = 32M
} }


@ -14,14 +14,18 @@ cleanup() {
. ./config . ./config
O="${1}"
IMAGESDIR="${2}"
trap cleanup INT TERM QUIT EXIT trap cleanup INT TERM QUIT EXIT
tmproot=$(mktemp -d) tmproot=$(mktemp -d)
tmppath=$(mktemp -d) tmppath=$(mktemp -d)
cd "${O}"
genimage \ genimage \
--rootpath "${tmproot}" \ --rootpath "${tmproot}" \
--tmppath "${tmppath}" \ --tmppath "${tmppath}" \
--inputpath images/ \ --inputpath "${IMAGESDIR}" \
--outputpath images/ \ --outputpath "${IMAGESDIR}" \
--mkdosfs mkfs.vfat \ --mkdosfs mkfs.vfat \
--config genimage.cfg --config "${OLDPWD}"/genimage.cfg
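Review bot: `cd "${O}"` happens before `--inputpath "${IMAGESDIR}"` and `--outputpath "${IMAGESDIR}"` are used, so a relative `IMAGESDIR` resolves under `O` here while every other Makefile rule resolves it against the source directory. That is harmless with the defaults (`O=.`) and the commit message's example uses an absolute `IMAGESDIR=${PWD}/images`, but `make O=/tmp/build IMAGESDIR=images` would silently read from and write to `/tmp/build/images`. Resolve both arguments before the `cd`, e.g. `O=$(realpath "${1}")` and `IMAGESDIR=$(realpath -m "${2}")`, which also removes the reliance on `OLDPWD` for `genimage.cfg`.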


@ -1,2 +0,0 @@
sys-apps/dbus systemd
sys-apps/systemd -*

9
host-tools.packages Normal file

@ -0,0 +1,9 @@
sec-policy/selinux-base
sys-apps/policycoreutils
sys-apps/systemd
sys-boot/grub
sys-fs/btrfs-progs
sys-fs/dosfstools
sys-fs/genimage
sys-fs/mtools
sys-fs/squashfs-tools


@ -8,7 +8,7 @@ die() {
if [ $rc -eq 0 ]; then if [ $rc -eq 0 ]; then
rc=1 rc=1
fi fi
error "$@" eerror "$@"
exit $rc exit $rc
} }

6
install.packages Normal file

@ -0,0 +1,6 @@
net-misc/openssh
net-misc/wget
sec-policy/selinux-aimee-os
sys-apps/busybox
sys-apps/systemd
sys-fs/btrfs-progs

2
installonly.packages Normal file

@ -0,0 +1,2 @@
net-wireless/wireless-regdb
sys-kernel/linux-firmware


@ -47,3 +47,10 @@ CONFIG_IPV6_SIT_6RD=m
# CONFIG_MEDIA_CEC_SUPPORT is not set # CONFIG_MEDIA_CEC_SUPPORT is not set
# CONFIG_MEDIA_SUPPORT is not set # CONFIG_MEDIA_SUPPORT is not set
CONFIG_AUDIT=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_DEFAULT_SECURITY_SELINUX=y
# DEFAULT_SECURITY_DAC is not set
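Review bot: `# DEFAULT_SECURITY_DAC is not set` is missing the `CONFIG_` prefix, so neither `merge_config.sh` nor `olddefconfig` recognises it as a config line; it should read `# CONFIG_DEFAULT_SECURITY_DAC is not set`. More importantly, since Linux 5.1 the `CONFIG_DEFAULT_SECURITY_*` choice no longer exists and the active LSM order comes from the `CONFIG_LSM=` string (whose default list includes `selinux`), so on a current Raspberry Pi kernel these two lines are no-ops; verify `CONFIG_LSM` in the generated `.config` rather than relying on them.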

23
ocivm.sh Executable file

@ -0,0 +1,23 @@
#!/bin/sh
set -e
. ./config
name=build_yellow
if ! ocivm list | grep -q localhost/cross-${target}; then
ocivm import localhost/cross-${target}
fi
ocivm \
--log-level DEBUG \
run \
-n ${name} \
-w /tmp/src \
-v "${PWD}":/tmp/src \
-v distfiles:/var/cache/distfiles:size=4G \
-v packages:/var/cache/binpkgs \
-v portage:/var/db/repos/gentoo:size=4G \
--tmpfs /usr/aarch64-unknown-linux-gnu/tmp \
--tmpfs /var/tmp \
localhost/cross-aarch64-unknown-linux-gnu \
"$@"
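Review bot: the existence check uses `${target}` (`localhost/cross-${target}`) but the image name passed to `run` and the `--tmpfs /usr/aarch64-unknown-linux-gnu/tmp` path are hard-coded, so changing `target` in `config` would import one image and run another. Use `localhost/cross-${target}` and `/usr/${target}/tmp` throughout, and anchor the `grep` pattern so a substring match in `ocivm list` output cannot skip the import.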


@ -1,3 +1 @@
PARTLABEL=dch-data /var btrfs subvol=var,nosuid,noexec,nodev 0 2 PARTLABEL=dch-data /var btrfs subvol=var,nosuid,noexec,nodev 0 2
PARTLABEL=dch-data /run/etc btrfs subvol=etc,nosuid,noexec,nodev 0 0
overlay /etc/ssh overlay lowerdir=/etc/ssh,upperdir=/run/etc/rw/ssh,workdir=/run/etc/.work,x-systemd.requires=run-etc.mount 0 0


@ -0,0 +1,15 @@
# This file controls the state of SELinux on the system on boot.
# SELINUX can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE can take one of these four values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
# mls - Full SELinux protection with Multi-Level Security
# mcs - Full SELinux protection with Multi-Category Security
# (mls, but only one sensitivity level)
SELINUXTYPE=strict


@ -0,0 +1,16 @@
PasswordAuthentication no
UsePAM yes
PrintMotd no
PrintLastLog no
Subsystem sftp /usr/lib64/misc/sftp-server
AcceptEnv LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
AcceptEnv COLORTERM
HostKey /var/lib/ssh/ssh_host_rsa_key
HostKey /var/lib/ssh/ssh_host_ecdsa_key
HostKey /var/lib/ssh/ssh_host_ed25519_key
Include /etc/ssh/sshd_config.d/*.conf
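Review bot: `PasswordAuthentication no` together with `UsePAM yes` does not by itself disable password logins: `KbdInteractiveAuthentication` (formerly `ChallengeResponseAuthentication`) defaults to yes, and with PAM enabled sshd will still prompt for a password through the keyboard-interactive method. Add `KbdInteractiveAuthentication no` (`ChallengeResponseAuthentication no` on OpenSSH before 8.7). There is also no `PermitRootLogin`; the OpenSSH default `prohibit-password` permits key-based root logins, which with the `ssh_sysadm_login` boolean set in build-rootfs.sh land in `sysadm_r`, so state the intended value explicitly. Finally, this file is pulled in by the `Include` appended at the end of `sshd_config`, and sshd keeps the first value it sees for each keyword, so any uncommented `PasswordAuthentication` or `HostKey` earlier in the main file would win over these settings.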

27
overlay/usr/bin/factory-reset Executable file

@ -0,0 +1,27 @@
#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :
. /lib/gentoo/functions.sh
confirm() {
unset _confirm
printf '%s [y/N] ' "${1-Do you want to continue?}"
read _confirm
case "${_confirm}" in
[Yy]|[Yy][Ee][Ss])
return 0
;;
*)
return 1
;;
esac
}
printf "${WARN}"
printf 'This operation will COMPLETELY ERASE all data and information '
printf 'stored on this system!\n'
printf "${NORMAL}"
confirm || exit 9
ewarn 'The system will now reboot and wipe all data.'
systemctl enable --runtime factory-reset.service
systemctl reboot
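Review bot: `systemctl enable --runtime factory-reset.service` is not checked and the script has no `set -e`, so if enabling fails (not root, polkit denial, unit missing) the script still reboots the machine, which is a surprising outcome for a user who just confirmed a wipe. Chain them: `systemctl enable --runtime factory-reset.service && systemctl reboot`, or add `|| exit` after the enable. Minor: `printf "${WARN}"` uses the variable as the format string; `printf '%s' "${WARN}"` is the safe form.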


@ -1,3 +1,7 @@
enable auditd.service
enable restorecon.service
disable ldconfig.service disable ldconfig.service
disable systemd-userdbd.service disable systemd-userdbd.service
@ -12,4 +16,4 @@ enable systemd-networkd.socket
disable getty@.service disable getty@.service
enable sshd.socket enable sshd.socket
enable ssh-keygen.service enable ssh-keygen.target


@ -0,0 +1,5 @@
[Service]
# Do not run augenrules; read audit rules from the audit.rules file as
# it exists already. Audit rules are generated at build time.
ExecStartPost=
ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
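Review bot: the `-` prefix on `ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules` makes a broken or missing rules file non-fatal, so the system would come up with auditd running and no rules loaded, and nothing visible would say so. If the rules are part of the security baseline, drop the `-` so `auditd.service` fails and shows up in `systemctl --failed`, and consider ending `audit.rules` with `-e 2` so the configuration is locked once loaded.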


@ -0,0 +1,13 @@
[Unit]
Description=Perform a factory reset
DefaultDependencies=no
After=umount.target
Before=systemd-reboot.service
[Service]
Type=oneshot
ExecStart=/usr/libexec/factory-reset
StandardOutput=kmsg+console
[Install]
WantedBy=final.target


@ -0,0 +1,15 @@
[Unit]
Description=Restore SELinux file contexts in /var
ConditionNeedsUpdate=/var
DefaultDependencies=no
After=local-fs.target
Before=sysinit.target
Before=systemd-tmpfiles-setup.service
Before=systemd-update-done.service
[Service]
Type=oneshot
ExecStart=/usr/sbin/restorecon -RFv /var
[Install]
WantedBy=sysinit.target


@ -1,9 +0,0 @@
[Unit]
Description=Generate SSH host keys
[Service]
Type=oneshot
ExecStart=/usr/bin/ssh-keygen -A
[Install]
WantedBy=sshd@.service


@ -0,0 +1,7 @@
[Unit]
Wants=ssh-keygen@rsa.service
Wants=ssh-keygen@ecdsa.service
Wants=ssh-keygen@ed25519.service
[Install]
WantedBy=multi-user.target


@ -0,0 +1,11 @@
[Unit]
Description=Generate SSH %I host key
ConditionPathExists=!%S/ssh/ssh_host_%I_key
[Service]
Type=oneshot
StateDirectory=ssh
ExecStart=/usr/bin/ssh-keygen -t %I -f %S/ssh/ssh_host_%I_key -N ''
[Install]
WantedBy=sshd-keygen.target
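Review bot: `WantedBy=sshd-keygen.target` does not match the `ssh-keygen.target` that the presets enable, so enabling an instance directly would drop a symlink into a `.wants` directory for a target that is not defined here. Since the target already pulls the instances in via `Wants=`, the `[Install]` section can be removed, or corrected to `ssh-keygen.target`. Worth stating in the commit message: with the keys now under `%S/ssh` (`/var/lib/ssh`) they live on the data partition, so `factory-reset` also rotates the host keys; that is probably desired, but clients will see a changed host key afterwards.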


@ -1,2 +0,0 @@
[Unit]
After=ssh-keygen.service


@ -0,0 +1,13 @@
#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :
DATAPART=PARTLABEL=dch-data
seq 1 30
dev=$(findfs "${DATAPART}")
if [ -z "${dev}" ]; then
printf 'Could not find data partition (%s)\n' "${DATAPART}" >&2
exit 1
fi
wipefs -fa "${dev}"
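Review bot: `seq 1 30` does nothing except print the numbers 1 to 30 to the console (the unit uses `StandardOutput=kmsg+console`); it looks like a leftover from testing and should be removed. Separately, `wipefs -fa` only erases the filesystem signature, whereas the user-facing prompt promises to COMPLETELY ERASE all data: the contents stay on the device until overwritten and remain recoverable with ordinary forensic tooling. If the reset is meant as a privacy guarantee (for example before the device changes hands), follow the `wipefs` with `blkdiscard "${dev}"` where the storage supports it, or soften the wording in the prompt.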


@ -15,8 +15,8 @@ copy_var() {
dev="$1" dev="$1"
echo 'Copying /var contents to data volume' echo 'Copying /var contents to data volume'
mount -o subvol=var "${dev}" "${tmpdir}" mount -o subvol=var "${dev}" "${tmpdir}" || exit
cp -auv /var/. "${tmpdir}" cp -auv /var/. "${tmpdir}" || exit
umount "${tmpdir}" umount "${tmpdir}"
} }
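Review bot: the new `|| exit` guards on `mount` and `cp` are the right call; `umount "${tmpdir}"` at the end of `copy_var` is still unchecked, so a failed unmount is ignored and the `var` subvolume stays mounted under `${tmpdir}` while the script continues. Make it `umount "${tmpdir}" || exit` for consistency.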
@ -26,11 +26,8 @@ format_dev() {
mkfs.btrfs "${dev}" || exit mkfs.btrfs "${dev}" || exit
mount "${dev}" "${tmpdir}" || exit mount "${dev}" "${tmpdir}" || exit
btrfs subvolume create "${tmpdir}"/etc || exit
mkdir -p "${tmpdir}"/etc/.work "${tmpdir}"/etc/rw || exit
mkdir -p "${tmpdir}"/etc/rw/ssh
btrfs subvolume create "${tmpdir}"/var || exit btrfs subvolume create "${tmpdir}"/var || exit
btrfs subvolume create "${tmpdir}"/var/log || exit chcon -t var_t "${tmpdir}"/var || exit
umount "${dev}" || exit umount "${dev}" || exit
} }
@ -49,7 +46,8 @@ else
fi fi
trap cleanup INT TERM QUIT EXIT trap cleanup INT TERM QUIT EXIT
tmpdir=$(mktemp -d -p /run storinit.XXXXXX) tmpdir=/run/storinit
mkdir -p "${tmpdir}"
if ! has_fs "${datapart}"; then if ! has_fs "${datapart}"; then
format_dev "${datapart}" format_dev "${datapart}"
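Review bot: `mkdir -p "${tmpdir}"` is the only unguarded command in this region; add `|| exit`. Replacing `mktemp` with the fixed `/run/storinit` is what lets the `/var/run/storinit(/.*)?` file context apply, so the two changes belong together, but the uniqueness `mktemp` gave is gone: make sure the `cleanup` trap unmounts and removes the directory, since `mkdir -p` will happily succeed on top of a stale mount left by a previous failed run.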


@ -3,23 +3,7 @@
set -e set -e
. ./config cid=$(./start-container.sh)
cid=$(podman run \
--tmpfs /var/tmp \
--tmpfs /usr/${target}/tmp \
-v portage:/var/db/repos/gentoo \
-v packages:/var/cache/binpkgs \
-v distfiles:/var/cache/distfiles \
-v packages:/usr/${target}/var/cache/binpkgs \
-v /mnt/gentoo \
-v ${PWD}:/tmp/build:rw,z \
-w /tmp/build \
-d \
-e FEATURES='-ipc-sandbox -network-sandbox -pid-sandbox' \
cross-${target} \
python -c 'from signal import *;signal(SIGTERM, lambda x, y: None);pause()'
)
./patch-uboot.sh ./patch-uboot.sh
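Review bot: `. ./config` is removed together with the inline `podman run`; if any later part of the script still references `${target}` or other variables from `config`, they are now unset and `set -e` will not catch that. The sandbox settings (`FEATURES='-ipc-sandbox -network-sandbox -pid-sandbox'`) and the `:rw,z` relabel of the build tree have moved out of view into `start-container.sh`; confirm both survived the move, since dropping the `z` relabel is the kind of change that only shows up as SELinux denials inside the container.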


@ -0,0 +1,2 @@
sys-libs/libselinux python
sys-process/audit python


@ -0,0 +1,4 @@
sys-apps/dbus systemd
sys-apps/systemd -*
sec-policy/selinux-base systemd
sec-policy/selinux-base-policy systemd
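Review bot: `sys-apps/systemd -*` disables every USE flag for systemd, including `selinux` and `seccomp`, unless the profile or a later file re-enables them. The rest of this change depends on systemd honouring the policy (the `init_create_dirs` tunable, `StateDirectory=`, the `restorecon` unit), so confirm `selinux` is still on for systemd and prefer listing it explicitly here (`sys-apps/systemd -* selinux`) rather than relying on the profile.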


@ -0,0 +1 @@
app-alternatives/awk -gawk busybox


@ -0,0 +1 @@
dev-lang/python -ensurepip


@ -0,0 +1 @@
sys-boot/u-boot savedconfig


@ -0,0 +1 @@
selinux-base


@ -0,0 +1,40 @@
From 45fbe472c6d0b8ecf320b4f04ebf6c09ec85ba33 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Fri, 3 Mar 2023 15:04:28 -0600
Subject: [PATCH] systemd: Fixes for systemd-resolved
---
refpolicy/policy/modules/system/systemd.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/refpolicy/policy/modules/system/systemd.te b/refpolicy/policy/modules/system/systemd.te
index ef25974..78f2b07 100644
--- a/refpolicy/policy/modules/system/systemd.te
+++ b/refpolicy/policy/modules/system/systemd.te
@@ -228,6 +228,7 @@ init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
type systemd_resolved_runtime_t alias systemd_resolved_var_run_t;
files_runtime_file(systemd_resolved_runtime_t)
+init_mountpoint(systemd_resolved_runtime_t)
type systemd_stdio_bridge_t;
type systemd_stdio_bridge_exec_t;
@@ -1441,6 +1442,7 @@ corenet_tcp_bind_llmnr_port(systemd_resolved_t)
corenet_udp_bind_generic_node(systemd_resolved_t)
corenet_udp_bind_dns_port(systemd_resolved_t)
corenet_udp_bind_llmnr_port(systemd_resolved_t)
+corenet_udp_bind_howl_port(systemd_resolved_t)
selinux_use_status_page(systemd_resolved_t)
@@ -1452,6 +1454,7 @@ files_list_runtime(systemd_resolved_t)
fs_getattr_all_fs(systemd_resolved_t)
fs_search_cgroup_dirs(systemd_resolved_t)
+fs_search_all(systemd_resolved_t)
init_dgram_send(systemd_resolved_t)
--
2.39.0
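Review bot: `fs_search_all(systemd_resolved_t)` grants search on every filesystem type, far wider than the neighbouring `fs_search_cgroup_dirs`, and the patch description does not say which filesystem produced the denial. Use the interface for that specific type and quote the AVC in the commit message so the resolved domain stays tight. `corenet_udp_bind_howl_port` (UDP 5353) is what `MulticastDNS=` needs and looks fine, and `init_mountpoint` on the runtime type is consistent with `/run/systemd/resolve` being mounted over.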


@ -0,0 +1,24 @@
From c1510fe7d63665ea133da3b044c2c63a9b104a02 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Sat, 4 Mar 2023 09:57:44 -0600
Subject: [PATCH] mount: Allow mounting on etc_t
---
refpolicy/policy/modules/system/mount.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index d028723..f73cd29 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -89,6 +89,7 @@ files_manage_etc_runtime_files(mount_t)
files_etc_filetrans_etc_runtime(mount_t, file)
files_mounton_all_mountpoints(mount_t)
files_unmount_rootfs(mount_t)
+files_mounton_etc_dirs(mount_t)
# These rules need to be generalized. Only admin, initrc should have it:
files_relabelto_all_file_type_fs(mount_t)
files_mount_all_file_type_fs(mount_t)
--
2.39.0
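Review bot: `files_mounton_etc_dirs(mount_t)` lets `mount_t` mount over any `etc_t` directory, and the patch has no description of which mount point needs it. A line in the commit message naming the mount (and the AVC that prompted it) keeps this auditable later; if only one directory is involved, a dedicated mountpoint type for it would be narrower than all of `etc_t`.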


@ -0,0 +1,24 @@
From 81e1ed4da36c7638f63e78969f70d77f87fb3600 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Sat, 4 Mar 2023 10:16:13 -0600
Subject: [PATCH] kernel: Mark unlabeled_t as mount point type
---
refpolicy/policy/modules/kernel/kernel.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 5124ae0..b0d7e8f 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -267,6 +267,7 @@ allow kernel_t sysctl_kernel_ns_last_pid_t:file read_file_perms;
# Other possible mount points for the root fs are in files
allow kernel_t unlabeled_t:dir mounton;
+files_mountpoint(unlabeled_t)
# Kernel-generated traffic e.g., TCP resets on
# connections with invalidated labels:
allow kernel_t unlabeled_t:packet send;
--
2.39.0
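Review bot: `files_mountpoint(unlabeled_t)` makes unlabeled directories a legitimate mount target for every domain granted `files_mounton_all_mountpoints` (`mount_t` among them, per the mount.te patch), which is a policy-wide relaxation to paper over a labelling gap rather than a fix for it. The gap in question is the freshly formatted data partition, and the `chcon -t var_t` added to `init-storage` in this same change labels the subvolume before it is first mounted; if that removes the remaining denials, drop this patch, otherwise document the exact path that is still unlabeled at mount time.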


@ -0,0 +1,24 @@
From 552ee711eaba5d9efff087feff23b2e6f6249743 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Mon, 6 Mar 2023 12:10:19 -0600
Subject: [PATCH] Allow systemd-journald list cgroup directories
---
refpolicy/policy/modules/system/logging.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index abd61e6..08f77b5 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -500,6 +500,7 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
+fs_list_cgroup_dirs(syslogd_t)
mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
--
2.39.0


@ -0,0 +1,76 @@
From bb58cbda2f45ee5d25b44dd256bd3de52bfcc3d8 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Fri, 10 Mar 2023 12:39:41 -0600
Subject: [PATCH] Allow systemd to create directories
This allows use of the `RuntimeDirectory`, `StateDirectory`, etc. unit
settings.
---
refpolicy/policy/modules/kernel/files.if | 18 ++++++++++++++++++
refpolicy/policy/modules/system/init.te | 14 ++++++++++++++
2 files changed, 32 insertions(+)
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index f7217b2..9966a21 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -608,6 +608,24 @@ interface(`files_manage_non_security_dirs',`
allow $1 non_security_file_type:dir manage_dir_perms;
')
+########################################
+## <summary>
+## Allow attempts to setattr any directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_setattr_non_security_dirs',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ allow $1 non_security_file_type:dir { read setattr };
+')
+
########################################
## <summary>
## Create non-security directories.
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 97a75cf..7b44a43 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -37,6 +37,13 @@ gen_tunable(init_daemons_use_tty, false)
## </desc>
gen_tunable(init_mounton_non_security, false)
+## <desc>
+## <p>
+## Enable init create, setattr, mounton on non_security_file_type
+## </p>
+## </desc>
+gen_tunable(init_create_dirs, true)
+
attribute init_mountpoint_type;
attribute init_path_unit_loc_type;
attribute init_script_domain_type;
@@ -606,6 +613,13 @@ ifdef(`init_systemd',`
unconfined_create_keys(init_t)
unconfined_write_keys(init_t)
')
+
+ tunable_policy(`init_create_dirs',`
+ files_create_non_security_dirs(init_t)
+ files_mounton_non_security(init_t)
+ files_setattr_non_security_dirs(init_t)
+ ')
+
',`
tunable_policy(`init_upstart',`
corecmd_shell_domtrans(init_t, initrc_t)
--
2.39.0
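Review bot: the new interface is named and documented as `setattr`, but the rule grants `{ read setattr }`; either drop `read` or rename and describe it to match what it grants. The tunable `init_create_dirs` defaults to `true`, unlike the adjacent `init_mounton_non_security` (`false`), and the three calls inside it let `init_t` create, change attributes of, and mount over any `non_security_file_type` directory. Since the stated need is `RuntimeDirectory=`/`StateDirectory=`, consider defaulting it to `false` and enabling it in the image's policy configuration, or scoping the rules to `init_mountpoint_type` instead of the whole attribute.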


@ -0,0 +1 @@
app-admin/setools-4.4.0-r3


@ -32,7 +32,7 @@ CONFIG_FEATURE_SUID=y
# CONFIG_FEATURE_SUID_CONFIG_QUIET is not set # CONFIG_FEATURE_SUID_CONFIG_QUIET is not set
# CONFIG_FEATURE_PREFER_APPLETS is not set # CONFIG_FEATURE_PREFER_APPLETS is not set
CONFIG_BUSYBOX_EXEC_PATH="/proc/self/exe" CONFIG_BUSYBOX_EXEC_PATH="/proc/self/exe"
# CONFIG_SELINUX is not set CONFIG_SELINUX=y
# CONFIG_FEATURE_CLEAN_UP is not set # CONFIG_FEATURE_CLEAN_UP is not set
# CONFIG_FEATURE_SYSLOG_INFO is not set # CONFIG_FEATURE_SYSLOG_INFO is not set
# CONFIG_FEATURE_SYSLOG is not set # CONFIG_FEATURE_SYSLOG is not set
@ -407,7 +407,7 @@ CONFIG_DEFAULT_SETFONT_DIR=""
# #
# Editors # Editors
# #
# CONFIG_AWK is not set CONFIG_AWK=y
# CONFIG_FEATURE_AWK_LIBM is not set # CONFIG_FEATURE_AWK_LIBM is not set
# CONFIG_FEATURE_AWK_GNU_EXTENSIONS is not set # CONFIG_FEATURE_AWK_GNU_EXTENSIONS is not set
# CONFIG_CMP is not set # CONFIG_CMP is not set
@ -1076,7 +1076,7 @@ CONFIG_SV_DEFAULT_SERVICE_DIR=""
# CONFIG_SVC is not set # CONFIG_SVC is not set
# CONFIG_SVOK is not set # CONFIG_SVOK is not set
# CONFIG_SVLOGD is not set # CONFIG_SVLOGD is not set
# CONFIG_CHCON is not set CONFIG_CHCON=y
# CONFIG_GETENFORCE is not set # CONFIG_GETENFORCE is not set
# CONFIG_GETSEBOOL is not set # CONFIG_GETSEBOOL is not set
# CONFIG_LOAD_POLICY is not set # CONFIG_LOAD_POLICY is not set
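Review bot: `CONFIG_AWK=y` turns busybox awk on while `CONFIG_FEATURE_AWK_GNU_EXTENSIONS` stays off, and `app-alternatives/awk -gawk busybox` makes it the system awk; any script in the image that relies on gawk-only syntax will now fail at runtime rather than at build time. Either enable the GNU extensions feature or audit the scripts for such usage. `CONFIG_SELINUX=y` with only `CONFIG_CHCON=y` enabled is a sensible minimum for what `init-storage` needs.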


@ -0,0 +1,100 @@
CONFIG_ARM=y
CONFIG_ARCH_BCM283X=y
CONFIG_TEXT_BASE=0x00080000
CONFIG_TARGET_RPI_4=y
CONFIG_HAS_CUSTOM_SYS_INIT_SP_ADDR=y
CONFIG_CUSTOM_SYS_INIT_SP_ADDR=0x7fffe30
CONFIG_ENV_SIZE=0x4000
CONFIG_DEFAULT_DEVICE_TREE="bcm2711-rpi-4-b"
CONFIG_SYS_PROMPT="U-Boot> "
CONFIG_DM_RESET=y
CONFIG_SYS_LOAD_ADDR=0x1000000
CONFIG_DISTRO_DEFAULTS=y
CONFIG_OF_BOARD_SETUP=y
CONFIG_USE_PREBOOT=y
CONFIG_PREBOOT="pci enum; usb start;"
# CONFIG_DISPLAY_CPUINFO is not set
# CONFIG_DISPLAY_BOARDINFO is not set
CONFIG_MISC_INIT_R=y
CONFIG_FDT_SIMPLEFB=y
CONFIG_SYS_PBSIZE=1049
CONFIG_CMD_DFU=y
CONFIG_CMD_GPIO=y
CONFIG_CMD_MMC=y
CONFIG_CMD_PCI=y
CONFIG_CMD_USB=y
CONFIG_CMD_FS_UUID=y
CONFIG_ENV_FAT_DEVICE_AND_PART="0:1"
CONFIG_SYS_RELOC_GD_ENV_ADDR=y
CONFIG_ENV_VARS_UBOOT_RUNTIME_CONFIG=y
CONFIG_TFTP_TSIZE=y
CONFIG_DM_DMA=y
CONFIG_DFU_MMC=y
CONFIG_SYS_DFU_DATA_BUF_SIZE=0x100000
CONFIG_SYS_DFU_MAX_FILE_SIZE=0x200000
CONFIG_BCM2835_GPIO=y
CONFIG_MMC_SDHCI=y
CONFIG_MMC_SDHCI_SDMA=y
CONFIG_MMC_SDHCI_BCM2835=y
CONFIG_BCMGENET=y
CONFIG_PCI=y
CONFIG_PCI_BRCMSTB=y
CONFIG_PINCTRL=y
# CONFIG_PINCTRL_GENERIC is not set
CONFIG_DM_RNG=y
CONFIG_RNG_IPROC200=y
# CONFIG_REQUIRE_SERIAL_CONSOLE is not set
CONFIG_SYSINFO=y
CONFIG_SYSINFO_SMBIOS=y
CONFIG_USB=y
CONFIG_DM_USB_GADGET=y
CONFIG_USB_XHCI_HCD=y
CONFIG_USB_XHCI_PCI=y
CONFIG_USB_KEYBOARD=y
CONFIG_USB_GADGET=y
CONFIG_USB_GADGET_MANUFACTURER="FSL"
CONFIG_USB_GADGET_VENDOR_NUM=0x0525
CONFIG_USB_GADGET_PRODUCT_NUM=0xa4a5
CONFIG_USB_GADGET_DWC2_OTG=y
CONFIG_USB_GADGET_DOWNLOAD=y
CONFIG_VIDEO=y
# CONFIG_VIDEO_BPP8 is not set
# CONFIG_VIDEO_BPP16 is not set
CONFIG_SYS_WHITE_ON_BLACK=y
CONFIG_VIDEO_BCM2835=y
CONFIG_CONSOLE_SCROLL_LINES=10
CONFIG_PHYS_TO_BUS=y
CONFIG_OF_LIBFDT_OVERLAY=y
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_BOOTDELAY=-2
# CONFIG_ISO_PARTITION is not set
CONFIG_EFI_PARTITION=y
CONFIG_FS_EXT4=y
CONFIG_FS_FAT=y
# CONFIG_ENV_IS_IN_FAT is not set
# CONFIG_ENV_IS_IN_EXT4 is not set
CONFIG_ENV_IS_NOWHERE=y
CONFIG_CMD_SETEXPR=y
CONFIG_CMD_FILEENV=y
CONFIG_CMD_SQUASHFS=y
CONFIG_LZO=y
# CONFIG_DOS_PARTITION is not set
CONFIG_USB_STORAGE=y
CONFIG_USB_FUNCTION_MASS_STORAGE=y
CONFIG_USB_EHCI_HCD=y
CONFIG_USB_EHCI_GENERIC=y
CONFIG_USB_OHCI_HCD=y
CONFIG_USB_XHCI_BRCM=y
CONFIG_NVME_PCI=y
CONFIG_CMD_NVME=y
CONFIG_NVME=y
CONFIG_CMD_USB_MASS_STORAGE=y
CONFIG_CMD_BOOTEFI=y
CONFIG_EFI_LOADER=y
CONFIG_LMB_MAX_REGIONS=16
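Review bot: `CONFIG_BOOTDELAY=-2` removes the autoboot prompt, but if `bootcmd` fails (no bootable media, a corrupt image) U-Boot still falls through to the interactive console, and with `CONFIG_CMD_DFU=y`, `CONFIG_CMD_USB_MASS_STORAGE=y` and `CONFIG_USB_GADGET_DOWNLOAD=y` that console exposes the raw storage over USB to whoever is holding the board. If these are only needed for provisioning, leave them out of the production defconfig; if they are needed, an explicit failure branch in the boot script (reset or halt) keeps the console unreachable. `CONFIG_ENV_IS_NOWHERE=y` is a good choice because a tampered environment cannot persist. Nothing here enables image verification (no `CONFIG_FIT_SIGNATURE`), which is worth recording in the commit message as a known gap on this platform.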


@ -0,0 +1,2 @@
masters = gentoo
thin-manifests = true


@ -0,0 +1 @@
aimee-os


@ -0,0 +1,2 @@
DIST patchbundle-selinux-base-policy-2.20221101-r3.tar.bz2 444710 BLAKE2B e33cc01a8be5a354e022be1e8bf242883b09b15ead0673f859819f5e668f18773a16527f2e608878e6976695dcb2890c55658e77877e93c716ae0b2dd2ed5a9b SHA512 52e60b22346903a6fead95c9fb348fa1d4037b7dcd3e5781248a7dfc426c8c3fced258fd22762c779a5f436d8be21eaed5425ed36ff99c267daae5e1cb9c8e7f
DIST refpolicy-2.20221101.tar.bz2 583183 BLAKE2B 783d8af40fd77d7ddb848dba32e91921dd7c1380c094c45b719ada7b15f91aacbb52b410ffa6341f2f705ecbc9674b8570bd4867ce998e944fa0054ffd8bdf74 SHA512 29e5a29d90f714018c88fead2d5006ea90338fb5b7a1e4e98cb2e588c96cd861871d32176f6cc6f7c4e864ce5acae1aeed85d4c706ce2da8168986535baaf3a6


@ -0,0 +1,7 @@
/usr/bin/system-update -- gen_context(system_u:object_r:aimee_sysupdate_exec_t,s0)
/usr/libexec/factory-reset -- gen_context(system_u:object_r:aimee_factory_reset_exec_t,s0)
/usr/libexec/init-storage -- gen_context(system_u:object_r:aimee_storinit_exec_t,s0)
/var/run/storinit(/.*)? gen_context(system_u:object_r:aimee_storinit_runtime_t,s0)
/var/lib/ssh/.*_key.* -- gen_context(system_u:object_r:sshd_key_t,s0)


@ -0,0 +1,47 @@
## <summary>Policy for Aimee OS utilities.</summary>
########################################
## <summary>
## Execute system-update in the aimee_sysupdate_t
## domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`aimee_os_system_update_domtrans',`
gen_require(`
type aimee_sysupdate_t, aimee_sysupdate_exec_t;
')
domtrans_pattern($1, aimee_sysupdate_exec_t, aimee_sysupdate_t)
')
########################################
## <summary>
## Execute system-update in the aimee_sysupdate_t
## domain, and allow the specified role the
## aimee_sysupdate_t domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`aimee_os_run_system_update',`
gen_require(`
type aimee_sysupdate_t;
')
aimee_os_system_update_domtrans($1)
role $2 types aimee_sysupdate_t;
')


@ -0,0 +1,172 @@
policy_module(aimee-os, 1.0)
########################################
#
# Declarations
#
type aimee_storinit_t;
type aimee_storinit_exec_t;
init_daemon_domain(aimee_storinit_t, aimee_storinit_exec_t)
type aimee_storinit_runtime_t;
files_runtime_file(aimee_storinit_runtime_t)
type aimee_sysupdate_t;
type aimee_sysupdate_exec_t;
userdom_user_application_domain(aimee_sysupdate_t, aimee_sysupdate_exec_t)
type aimee_sysupdate_tmp_t;
files_tmp_file(aimee_sysupdate_tmp_t)
type aimee_factory_reset_t;
type aimee_factory_reset_exec_t;
init_daemon_domain(aimee_factory_reset_t, aimee_factory_reset_exec_t)
########################################
#
# init-storage local policy
#
allow aimee_storinit_t self:fifo_file rw_fifo_file_perms;
allow aimee_storinit_t self:capability { chown fsetid sys_admin };
manage_dirs_pattern(aimee_storinit_t, aimee_storinit_runtime_t, aimee_storinit_runtime_t)
manage_files_pattern(aimee_storinit_t, aimee_storinit_runtime_t, aimee_storinit_runtime_t)
files_runtime_filetrans(aimee_storinit_t, aimee_storinit_runtime_t, dir)
corecmd_exec_bin(aimee_storinit_t)
storage_raw_read_fixed_disk(aimee_storinit_t)
fstools_domtrans(aimee_storinit_t)
mount_exec(aimee_storinit_t)
miscfiles_read_localization(aimee_storinit_t)
mount_list_runtime(aimee_storinit_t)
dev_read_sysfs(aimee_storinit_t)
kernel_search_debugfs(aimee_storinit_t)
kernel_list_unlabeled(aimee_storinit_t)
fs_getattr_all_fs(aimee_storinit_t)
fs_mount_all_fs(aimee_storinit_t)
fs_unmount_all_fs(aimee_storinit_t)
allow aimee_storinit_t aimee_storinit_runtime_t:dir mounton;
gen_require(`
type mount_runtime_t;
')
dontaudit aimee_storinit_t mount_runtime_t:dir write;
files_manage_var_dirs(aimee_storinit_t)
files_manage_var_files(aimee_storinit_t)
files_manage_var_symlinks(aimee_storinit_t)
gen_require(`
type var_lib_t, var_lock_t, var_run_t;
type semanage_store_t;
type semanage_read_lock_t, semanage_trans_lock_t;
type system_dbusd_var_lib_t;
type init_var_lib_t;
type auditd_log_t;
type tmp_t;
attribute logfile;
')
manage_dirs_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
manage_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
manage_lnk_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
manage_lnk_files_pattern(aimee_storinit_t, var_lock_t, var_lock_t)
manage_dirs_pattern(aimee_storinit_t, var_run_t, var_run_t)
manage_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
manage_lnk_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
manage_dirs_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
manage_files_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
manage_dirs_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
manage_files_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
manage_dirs_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
manage_files_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
manage_dirs_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
manage_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
manage_lnk_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
manage_dirs_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
manage_files_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
manage_dirs_pattern(aimee_storinit_t, logfile, logfile)
manage_files_pattern(aimee_storinit_t, logfile, logfile)
manage_dirs_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
manage_files_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
manage_dirs_pattern(aimee_storinit_t, tmp_t, tmp_t)
manage_files_pattern(aimee_storinit_t, tmp_t, tmp_t)
########################################
#
# system-update local policy
#
allow aimee_sysupdate_t self:capability { chown fowner fsetid sys_admin };
allow aimee_sysupdate_t self:fifo_file rw_fifo_file_perms;
allow aimee_sysupdate_t self:tcp_socket create_stream_socket_perms;
files_tmp_filetrans(aimee_sysupdate_t, aimee_sysupdate_tmp_t, dir)
manage_dirs_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, aimee_sysupdate_tmp_t)
manage_files_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, aimee_sysupdate_tmp_t)
filetrans_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, bin_t, file, "install")
domain_use_interactive_fds(aimee_sysupdate_t)
userdom_use_inherited_user_terminals(aimee_sysupdate_t)
corecmd_exec_bin(aimee_sysupdate_t)
selinux_get_fs_mount(aimee_sysupdate_t)
seutil_read_config(aimee_sysupdate_t)
userdom_search_user_home_dirs(aimee_sysupdate_t)
kernel_read_system_state(aimee_sysupdate_t)
fstools_exec(aimee_sysupdate_t)
fstools_manage_runtime_files(aimee_sysupdate_t)
miscfiles_read_localization(aimee_sysupdate_t)
storage_raw_rw_fixed_disk(aimee_sysupdate_t)
dev_read_sysfs(aimee_sysupdate_t)
files_read_etc_files(aimee_sysupdate_t)
systemd_read_resolved_runtime(aimee_sysupdate_t)
systemd_stream_connect_resolved(aimee_sysupdate_t)
corenet_tcp_connect_http_port(aimee_sysupdate_t)
corenet_tcp_connect_soundd_port(aimee_sysupdate_t)
files_manage_non_security_dirs(aimee_sysupdate_t)
files_manage_non_security_files(aimee_sysupdate_t)
mount_exec(aimee_sysupdate_t)
mount_list_runtime(aimee_sysupdate_t)
fs_getattr_all_fs(aimee_sysupdate_t)
fs_mount_all_fs(aimee_sysupdate_t)
fs_unmount_all_fs(aimee_sysupdate_t)
dbus_system_bus_client(aimee_sysupdate_t)
systemd_dbus_chat_logind(aimee_sysupdate_t)
logging_send_syslog_msg(aimee_sysupdate_t)
files_mounton_non_security(aimee_sysupdate_t)
gen_require(`
type sysadm_t;
role sysadm_r;
')
aimee_os_run_system_update(sysadm_t, sysadm_r)
# factory-reset local policy
#
allow aimee_factory_reset_t self:capability { sys_admin };
allow aimee_factory_reset_t self:fifo_file rw_fifo_file_perms;
corecmd_exec_bin(aimee_factory_reset_t)
dev_read_sysfs(aimee_factory_reset_t)
kernel_read_system_state(aimee_factory_reset_t)
fstools_exec(aimee_factory_reset_t)
fstools_manage_runtime_files(aimee_factory_reset_t)
miscfiles_read_localization(aimee_factory_reset_t)
storage_raw_rw_fixed_disk(aimee_factory_reset_t)
########################################
#
# Additional policy rules for Aimee OS-specific behavior
#
# Allow ssh-keygen to create host key files in /var/lib/ssh
gen_require(`
type ssh_keygen_t;
type sshd_key_t, var_lib_t;
')
allow ssh_keygen_t var_lib_t:dir rw_dir_perms;
filetrans_pattern(ssh_keygen_t, var_lib_t, sshd_key_t, file)
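Review bot: `corenet_tcp_connect_soundd_port(aimee_sysupdate_t)` is presumably there because the update server listens on 8000, which refpolicy labels `soundd_port_t`; relying on that coincidence is fragile and misleading to anyone auditing the policy later. Declare a dedicated port type (`corenet_port()` plus a `portcon` for the real port in the image's policy) or at least comment why the sound daemon port is allowed. Two smaller points: the `# factory-reset local policy` section is missing the `####` banner line every other section has, and `aimee_storinit_t` is granted manage rights on `semanage_store_t`, `auditd_log_t` and the whole `logfile` attribute; if `copy_var` genuinely has to carry the policy store and audit logs onto the data volume that is fine, but a comment saying so will stop a later reader from trimming it and breaking first boot.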


@ -0,0 +1,14 @@
# Copyright 2023 Dustin C. Hatch
# Distributed under the terms of the GNU General Public License v2
EAPI=7
IUSE=""
MODS="aimee-os"
POLICY_FILES="aimee-os.te aimee-os.fc aimee-os.if"
inherit selinux-policy-2
DESCRIPTION="SELinux policy for AimeeOS"
KEYWORDS="~amd64 ~arm ~arm64 ~x86"


@ -0,0 +1,11 @@
AUX 0001-drivers-bcm283x-don-t-explicitly-disable-init.patch 1684 BLAKE2B 801bf1c6b0b5e678d2e23689edb6612af3b2acd89f21b926a36f98ca600083603b8ee53c7ad8f11dc706db67819437910ce7ba9d7406c5763b25c88cd620a338 SHA512 f39fe500ca17dfd7f32d0eb986cfd110b225edcf01c6d235a2af1d9d5fcb8c1922a5db89dc683bb1e259bd9675beecc07948543c5ab98d1ee6e5d7693b86060a
AUX 0001-rpi-Use-CONFIG_OF_BOARD-instead-of-CONFIG_EMBED.patch 2621 BLAKE2B ac8792433c3ebde967b083d12855faa21ed4fca5a0095bd38c4b597714430f77bfa81b70b8e26535fcf64650590d60510de5c4e18760d56d1ecb9ab692a44ac8 SHA512 18340a67637873179317a16a565c5b34490bd4dbf6dabac7c2ee5947349977fed6dd71253af55233c3e2912ddec6a15e17a29440b0e009b267c93deb28bc7713
AUX 0002-drivers-bcm283x-allow-to-spawn-any-PL011-UART.patch 2228 BLAKE2B efb42405ecc011973d5f8417bb7a82618d1d24917f0bd246d908ac8abd0bee6ed062ff2d77caa485cdbc02959de5c1cc7ca1943055708a8f6ab8ff34751e1aa1 SHA512 283ec38a092c370306037324a67b40141398e6102ba04b64304f2998870e0f1aa86891894c749789eb59454b8972d094771b5a8ca7ae3747760de246812c5c2c
AUX 0002-rpi-add-NVMe-to-boot-order.patch 1290 BLAKE2B a5e911e07b7b6723845d004bd5513db9cfebe73b7de2c7e4073d0725f6e3159b7b72381f859e357abf4f28421609fb18ad8fcc669d3b94db124771a36df51497 SHA512 f3d8351235b74f234aed5893523b36a355c1afcb92ee0f481c552c83c418856e450b6cf2c7c7ad4ab40fe41d0561f0e283da403b5245e76649f1fa996f88b6fa
AUX 0003-Revert-nvme-Correct-the-prps-per-page-calculation-me.patch 1610 BLAKE2B 1a5530178fef080472e1355adf6eccc92e6ced11aba0fc3f2042f16bf7a8b0a1cdb236723b93c95d30431cef03a595258355a0d20489f9533f47e0c541d0f232 SHA512 bda4d59519caa41dd7133d39740a39ce8d01197e16738b8af4ebc8fea096a3f73f88a11763a2a7938ed181819a0f7c442d1d14211f1d8cee9ecdb2c5f6eeb4f9
AUX 0004-usb-xhci-brcm-Make-driver-compatible-with-downstream.patch 1172 BLAKE2B 98589d6c4062e6cdc17522cd98d8c5ddcd0bdb953b0dc5a8c997f960da397a6174ab748afda5f64cfc2ad4c6ffeb65e76f9e346b2ae0a2466593968f06f32857 SHA512 1b92eabeb731f4c7ae8b2401942994b0515a673f4583a4333deb5ebac0981ac34c744c68e195dbad7a7cd92d6efe1a180446509cf3fe72ad443b094c5e74ed8e
AUX 0005-nvme-improve-readability-of-nvme_setup_prps.patch 1757 BLAKE2B 152cb9ea9662f7271b7cf3226825e825cc0d6420ed2ef77b7a8186b25b5eccf92edac32823d1f79afea3307269897c68d3899fd9b018cf11109c2739af7fccc3 SHA512 2192379f650ce1b43be1df43c06ae031f7bdbaeeecab1a195ca0f254d9e00bb7ed03256b90a5e5edc80c37bca449d0648a3a90d2d73faaec0561465f728e2b59
AUX 0006-nvme-Use-pointer-for-CPU-addressed-buffers.patch 9077 BLAKE2B b28afb568d791bed8c93f222b62677d87629d803747bb52cba74fff50752aaa4522b0fcdece58148d9da77a7da6a547dc4d47cfc9ae5fe7de0fbe6d7a0a9a497 SHA512 a84424877cc858b7596fe4f263a48e94fca7075c2c9a10d28fe1e569ca4e893af2ba3536c26d93ce15d8792d27a6c8779ef9669730414e6cc0de7af672dd31c2
AUX 0007-nvme-translate-virtual-addresses-into-the-bus-s-addr.patch 6480 BLAKE2B 6d7fec7096bf239f08a5e7e7ac5f8c58dcd72829b37d2f3e8b2e96c173a43449f538148cece64c5f48da68826eeec0c1db7a8ac6cc254a853a3cdf04d7431b95 SHA512 fecba2572d5f1dd7e941efdecb935a734ef1385af9b9300d84decd9bf91c4387b500fa08f655af62d33d085907353972f613ec97b3dd96ed18cac4811d5210a1
DIST u-boot-2023.01.tar.bz2 18560442 BLAKE2B 9412da6c7c8da8be64e470347d150ea2ba9a33b84f463c8ff3109e3db6c2dbcf13c8ab2e02bf3a2c412ff57c91987da922e4dde6a26e317e7b9e65101f7a6d62 SHA512 417a28267eb7875820d08fafc7316f164663609378637539e71648b0b9b7d28796b6c381717f31b0ab6472805fefd32628ef7d1b2e7b9f3c51c8ad122993f679
EBUILD u-boot-2023.01.ebuild 1762 BLAKE2B c0fba3aec8bfd26da6d32014bb38a2e5e8235f8ded6a7681f6cc1f5557b5437b5da6366740141465265b174832f38b6e669bd0bf956d241652acf69076596a71 SHA512 fa2b82ab1ea4fdc71ad9a5022433da137aad1722e02f18d7be0ff67d7130570a2783e4cac0f1fc1851537325750b9584d48ee4d99f01908a179fb58c0eb0724f

Some files were not shown because too many files have changed in this diff.