.gitignore

@@ -1,10 +1,5 @@
 /images
 /linux
 /output
-/portage/config/*/etc/portage/make.profile
-/portage/config/*/etc/portage/repos.conf
-/portage/config/target/etc/portage/make.conf/10-crossdev.conf
-/portage/repos/x-portage
-/.built
 /.prepared
 /.host-tools

.gitmodules

@@ -0,0 +1,4 @@
+[submodule "u-boot"]
+	path = u-boot
+	url = https://source.denx.de/u-boot/u-boot.git
+	branch = v2023.01

Makefile

@@ -1,100 +1,94 @@
-O ?= .
-IMAGESDIR ?= $(O)/images
+update.tar: output/update.tar.zstd
 
-update.tar: $(IMAGESDIR)/update.tar.zstd
-
-$(O)/.prepared: \
+.prepared: \
 		prepare.sh \
+		config-portage.sh \
 		setup-local-repo.sh \
+		$(shell find portage host-portage -type f) \
 		$(shell find patches/ebuilds -type f)
 	./prepare.sh
+	./config-portage.sh
 	./setup-local-repo.sh
-	mkdir -p $(O)
-	touch $(O)/.prepared
+	touch .prepared
 
-prepare: $(O)/.prepared
+prepare: .prepared
 
-$(O)/.host-tools: \
+.host-tools: \
 		build-host-tools.sh \
-		host-tools.packages \
-		$(shell find portage/config/host -type f) \
-		$(O)/.prepared
+		.prepared
 	./build-host-tools.sh
-	touch $(O)/.host-tools
+	touch .host-tools
 
-host-tools: $(O)/.host-tools
+host-tools: .host-tools
 
-$(O)/.built: \
+.built: \
 		build.sh \
-		build.packages \
-		install.packages \
-		$(shell find portage/config/target -type f) \
-		$(O)/.host-tools \
-		$(O)/.prepared
-	./build.sh
-	touch $(O)/.built
-
-$(O)/.ready: \
 		build-rootfs.sh \
-		install.packages \
-		installonly.packages \
-		busybox.symlinks \
-		$(O)/linux/arch/arm64/boot/Image.gz \
-		$(shell find overlay -type f) \
-		$(O)/.host-tools \
-		$(O)/.built
+		linux/arch/arm64/boot/Image.gz \
+		.host-tools \
+		.prepared
+	./build.sh
 	./build-rootfs.sh
-	touch $(O)/.ready
+	touch .built
 
-$(IMAGESDIR)/rootfs.squashfs: \
+images/rootfs.squashfs: \
 		build-squashfs.sh \
 		squashfs.exclude \
-		$(O)/.ready
-	./build-squashfs.sh "$(IMAGESDIR)"
+		.built
+	./build-squashfs.sh
 
-squashfs: $(IMAGESDIR)/rootfs.squashfs
+squashfs: images/rootfs.squashfs
 
-$(O)/linux/arch/arm64/boot/Image.gz: \
+linux/arch/arm64/boot/Image.gz: \
 		build-kernel.sh \
 		linux.config \
-		$(O)/.host-tools \
-		$(O)/.prepared
-	./build-kernel.sh "$(O)"
+		.host-tools \
+		.prepared
+	./build-kernel.sh
 
-kernel: $(O)/linux/arch/arm64/boot/Image.gz
+kernel: linux/arch/arm64/boot/Image.gz
 
-$(O)/efi-part/EFI/BOOT/BOOTAA64.efi: \
+output/efi-part/EFI/BOOT/BOOTAA64.efi: \
 		build-grub.sh \
 		grub.cfg \
-		$(O)/.host-tools \
-		$(O)/.prepared
-	./build-grub.sh "$(O)"
+		.host-tools \
+		.prepared
+	./build-grub.sh
 
-grub: $(O)/efi-part/EFI/BOOT/BOOTAA64.efi
+grub: output/efi-part/EFI/BOOT/BOOTAA64.efi
 
-$(IMAGESDIR)/sdcard.img: \
+output/efi-part/u-boot.bin: \
+		build-uboot.sh \
+		u-boot.config
+	./build-uboot.sh
+
+uboot: output/efi-part/u-boot.bin
+
+images/sdcard.img: \
 		genimage.cfg \
 		genimage.sh \
 		post-build.sh \
-		$(O)/efi-part/EFI/BOOT/BOOTAA64.efi
-	./post-build.sh "$(O)"
-	./genimage.sh "$(O)" "$(IMAGESDIR)"
+		output/efi-part/u-boot.bin \
+		output/efi-part/EFI/BOOT/BOOTAA64.efi
+	./post-build.sh
+	./genimage.sh
 
-sdcard.img: $(IMAGESDIR)/sdcard.img
+sdcard.img: images/sdcard.img
 
-$(IMAGESDIR)/firmware.img: $(IMAGESDIR)/sdcard.img
+images/firmware.img: images/sdcard.img
 
-$(IMAGESDIR)/update.tar.zstd: \
-		$(IMAGESDIR)/rootfs.squashfs \
-		$(IMAGESDIR)/firmware.img \
+output/update.tar.zstd: \
+		images/rootfs.squashfs \
+		images/firmware.img \
 		install-update.sh \
-		$(O)/.host-tools \
-		$(O)/.prepared
-	./build-update.sh "$(IMAGESDIR)"
+		.host-tools \
+		.prepared
+	./build-update.sh
 
 clean:
-	rm -rf $(O)/linux $(O)/output $(IMAGESDIR) $(O)/tmp
-	rm -f $(O)/.prepared $(O)/.host-tools
+	git -C u-boot clean -fdx && git -C u-boot checkout -- .
+	rm -rf linux output images tmp
+	rm -f .prepared .host-tools
 
 .PHONY: \
 	grub \
@@ -103,4 +97,5 @@ clean:
 	prepare \
 	sdcard.img \
 	squashfs \
+	uboot \
 	update.tar

build-grub.sh

@@ -5,8 +5,6 @@ set -e
 
 . ./config
 
-O="${1}"
-
 GRUB_MODULES='
 boot
 echo
@@ -28,17 +26,17 @@ zstd
 '
 
 echo 'Creating GRUB image ...'
-mkdir -p "${O}"/efi-part/EFI/BOOT
+mkdir -p output/efi-part/EFI/BOOT
 grub-mkimage \
     -O arm64-efi \
-    -o "${O}"/efi-part/EFI/BOOT/BOOTAA64.efi \
+    -o output/efi-part/EFI/BOOT/BOOTAA64.efi \
     -d /usr/${target}/usr/lib/grub/arm64-efi \
     -p /EFI/gentoo \
     ${GRUB_MODULES}
 
 echo 'Generating GRUB configuration file ...'
-mkdir -p "${O}"/efi-part/EFI/gentoo
-cp -uv grub.cfg "${O}"/efi-part/EFI/gentoo
-grub-editenv "${O}"/efi-part/EFI/gentoo/grubenv set rootflags='ro'
-grub-editenv "${O}"/efi-part/EFI/gentoo/grubenv set default=0
-grub-editenv "${O}"/efi-part/EFI/gentoo/grubenv set timeout=5
+mkdir -p output/efi-part/EFI/gentoo
+cp -uv grub.cfg output/efi-part/EFI/gentoo
+grub-editenv output/efi-part/EFI/gentoo/grubenv set rootflags='ro'
+grub-editenv output/efi-part/EFI/gentoo/grubenv set default=0
+grub-editenv output/efi-part/EFI/gentoo/grubenv set timeout=5

build-host-tools.sh

@@ -1,6 +1,13 @@
 #!/bin/sh
 # vim: set sw=4 ts=4 sts=4 et :
 
-PORTAGE_CONFIGROOT="${PWD}"/portage/config/host \
-< host-tools.packages xargs -ro \
-emerge -vnUj
+emerge -vnUj \
+    dev-vcs/git \
+    sys-apps/systemd \
+    sys-boot/grub \
+    sys-fs/btrfs-progs \
+    sys-fs/dosfstools \
+    sys-fs/genimage \
+    sys-fs/mtools \
+    sys-fs/squashfs-tools \
+    || exit

build-kernel.sh

@@ -3,21 +3,16 @@
 
 set -e
 
-O="${1}"
-
 . ./config
 
-PORTAGE_CONFIGROOT="${PWD}"/portage/config/host \
 emerge -vnj ${kernel_pkg}
 
 export ARCH=arm64 CROSS_COMPILE=${target}-
-unset MAKEFLAGS MAKEOVERRIDES MAKELEVEL
-mkdir -p "${O}"/linux
+mkdir -p linux
+cd linux
 /usr/src/linux/scripts/kconfig/merge_config.sh -m \
-    -O "${O}"/linux \
     /usr/src/linux/arch/*/configs/${kernel_defconfig}_defconfig \
-    linux.config
-cd "${O}"/linux
+    ../linux.config
 make -C /usr/src/linux O=${PWD} olddefconfig
 make -j$(nproc)
 touch arch/arm64/boot/Image.gz
@@ -27,14 +22,14 @@ cd -
 
 printf 'Installing Kernel %s ...\n' "${kver}"
 mkdir -p /mnt/gentoo/boot
-cp -au "${O}"/linux/arch/arm64/boot/Image.gz /mnt/gentoo/boot/vmlinuz-${kver}
-cp -au "${O}"/linux/.config /mnt/gentoo/boot/config-${kver}
-cp -au "${O}"/linux/System.map /mnt/gentoo/boot/System.map-${kver}
+cp -au linux/arch/arm64/boot/Image.gz /mnt/gentoo/boot/vmlinuz-${kver}
+cp -au linux/.config /mnt/gentoo/boot/config-${kver}
+cp -au linux/System.map /mnt/gentoo/boot/System.map-${kver}
 
 printf 'Installing device tree binaries ...\n'
-mkdir -p "${O}"/efi-part/overlays
-cp -u "${O}"/linux/arch/arm64/boot/dts/${device_tree} "${O}"/efi-part/
-cp -u \
-    "${O}"/linux/arch/arm64/boot/dts/overlays/*.dtb \
-    "${O}"/linux/arch/arm64/boot/dts/overlays/*.dtbo \
-    "${O}"/efi-part/overlays/
+mkdir -p output/efi-part/overlays
+cp -au linux/arch/arm64/boot/dts/${device_tree} output/efi-part/
+cp -au \
+    linux/arch/arm64/boot/dts/overlays/*.dtb \
+    linux/arch/arm64/boot/dts/overlays/*.dtbo \
+    output/efi-part/overlays/

build-rootfs.sh

@@ -23,14 +23,20 @@ ln -snf \
 cp -r portage/. /mnt/gentoo/etc/portage/
 
 ROOT=/mnt/gentoo \
-PORTAGE_CONFIGROOT="${PWD}"/portage/config/target \
-< install.packages xargs -ro \
-${target}-emerge -KvnuUDj --rebuilt-binaries=y
-
+PORTAGE_CONFIGROOT=/mnt/gentoo \
+${target}-emerge -Kvnj \
+    sys-apps/busybox \
+    sys-apps/systemd \
+    net-misc/openssh \
+    net-misc/wget \
+    sys-fs/btrfs-progs \
+    --
 ROOT=/mnt/gentoo \
-PORTAGE_CONFIGROOT="${PWD}"/portage/config/target \
-< installonly.packages xargs -ro \
-${target}-emerge -vnuUDj
+PORTAGE_CONFIGROOT=/mnt/gentoo \
+${target}-emerge -vnj \
+    net-wireless/wireless-regdb \
+    sys-kernel/linux-firmware \
+    --
 
 ROOT=/mnt/gentoo \
 locale-gen
@@ -53,7 +59,8 @@ while read name; do
     fi
 done < busybox.symlinks
 
-rsync -rltpDO overlay/ /mnt/gentoo/
+tar -c -C overlay . \
+    | tar -x --keep-newer-files -C /mnt/gentoo
 
 cp -uv /usr/${target}/usr/bin/grub-editenv /mnt/gentoo/usr/bin/
 
@@ -66,8 +73,6 @@ if [ -f /mnt/gentoo/etc/udev/hwdb.bin ]; then
 fi
 
 rm -f /mnt/gentoo/lib/tmpfiles.d/provision.conf
-sed -i 's:d /var/log :v /var/log :' /mnt/gentoo/lib/tmpfiles.d/var.conf
-systemd-tmpfiles --root=/mnt/gentoo -E --exclude-prefix=/var --create
 
 systemctl preset-all --root=/mnt/gentoo
 rm -f /mnt/gentoo/lib/systemd/system/sysinit.target.wants/ldconfig.service
@@ -81,29 +86,3 @@ if ! grep -q Include /mnt/gentoo/etc/ssh/sshd_config; then
     echo 'Include /etc/ssh/sshd_config.d/*.conf' \
         >> /mnt/gentoo/etc/ssh/sshd_config
 fi
-
-# Although `semanage` accepts a `--store` argument that supposedly
-# instructs it to operate on an alternate SELinux policy store, it
-# doesn't actually work.  As such, we have to run `semanage` in an
-# alternate mount namespace with the target policy store bind-mounted
-# at the default location so `semanage` can operate on it.
-unshare -m sh -e <<EOF
-mount -o bind /mnt/gentoo/var/lib/selinux /var/lib/selinux
-mount -o bind /mnt/gentoo/etc/selinux /etc/selinux
-semanage boolean -N -m --on ssh_sysadm_login
-semanage login -N -m -s root root
-semanage user -N -m -R sysadm_r root
-EOF
-
-setfiles \
-    -p \
-    -F \
-    -m \
-    -r /mnt/gentoo \
-    -c /mnt/gentoo/etc/selinux/strict/policy/policy.* \
-    -e /mnt/gentoo/var/db/pkg \
-    -e /mnt/gentoo/etc/portage \
-    /mnt/gentoo/etc/selinux/strict/contexts/files/file_contexts \
-    /mnt/gentoo
-
-touch /mnt/gentoo/usr

build-squashfs.sh

@@ -5,12 +5,10 @@ set -e
 
 . ./config
 
-IMAGESDIR="${1}"
-
-mkdir -p "${IMAGESDIR}"
+mkdir -p images
 mksquashfs \
     /mnt/gentoo \
-    "${IMAGESDIR}"/rootfs.squashfs \
+    images/rootfs.squashfs \
     -comp gzip \
     -ef squashfs.exclude \
     -no-exports \

build-uboot.sh

@@ -5,14 +5,12 @@ set -e
 
 . ./config
 
-O="${1}"
-
 ./patch-uboot.sh
 cd u-boot
 cat configs/rpi_4_defconfig ../u-boot.config > configs/yellow_defconfig
-make O="${O}"/u-boot yellow_defconfig
-CROSS_COMPILE=${target}- make O="${O}"/u-boot -j$(nproc)
+make yellow_defconfig
+CROSS_COMPILE=${target}- make
 cd ..
 
-mkdir -p "${O}"/efi-part
-cp -u "${O}"/u-boot/u-boot.bin "${O}"/efi-part
+mkdir -p output/efi-part
+cp -au u-boot/u-boot.bin output/efi-part

build-update.sh

@@ -5,13 +5,11 @@ set -e
 
 . ./config
 
-IMAGESDIR="$1"
-
-cd "${IMAGESDIR}"
+cd images
 sha256sum firmware.img > digests
 sha256sum rootfs.squashfs >> digests
-cp -u "${OLDPWD}"/install-update.sh install
-tar -c --zstd -f update.tar.zstd \
+ln ../install-update.sh install
+tar -c --zstd -f ../output/update.tar.zstd \
     digests \
     firmware.img \
     rootfs.squashfs \

build.packages

@@ -1,3 +0,0 @@
-sys-boot/grub
-sys-boot/raspberrypi-firmware
-sys-boot/u-boot

build.sh

@@ -5,15 +5,18 @@ set -e
 
 . ./config
 
-unset MAKEFLAGS MAKEOVERRIDES MAKELEVEL
+USE=-pam \
+${target}-emerge -1nvj --nodeps sys-libs/libcap
+USE='-cramfs -ncurses -nls -pam -readline -su -suid -systemd -udev' \
+${target}-emerge -1nvj --nodeps sys-apps/util-linux
 
-export PORTAGE_CONFIGROOT="${PWD}"/portage/config/target
-
-${target}-emerge -vuUDj sys-apps/util-linux
-
-cat \
-    build.packages \
-    install.packages \
-    | xargs -ro \
-${target}-emerge -vnuUDj
+${target}-emerge -vnuUDj \
+    net-misc/openssh \
+    net-misc/wget \
+    sys-apps/busybox \
+    sys-apps/systemd \
+    sys-boot/grub \
+    sys-boot/raspberrypi-firmware \
+    sys-fs/btrfs-progs \
+    --
 ${target}-emerge -v @preserved-rebuild

busybox.symlinks

@@ -1,6 +1,5 @@
 basename
 cat
-chcon
 cp
 dd
 df

config

@@ -1,5 +1,5 @@
 target=aarch64-unknown-linux-gnu
-profile=default/linux/arm64/17.0/systemd/selinux/merged-usr
+profile=default/linux/arm64/17.0/systemd/merged-usr
 kernel_pkg=sys-kernel/raspberrypi-sources
 kernel_defconfig=bcm2835
 device_tree=broadcom/bcm2711-rpi-cm4-ha-yellow.dtb

config-portage.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+# vim: set sw=4 ts=4 sts=4 et :
+
+set -e
+
+. ./config
+
+cp -r host-portage/. /etc/portage/
+cp -r portage/. /usr/${target}/etc/portage/

genimage.cfg

@@ -4,7 +4,7 @@ image firmware.img {
 	vfat {
 	}
 
-	srcpath = "efi-part"
+	srcpath = "output/efi-part"
 	size = 32M
 }
 

genimage.sh

@@ -14,18 +14,14 @@ cleanup() {
 
 . ./config
 
-O="${1}"
-IMAGESDIR="${2}"
-
 trap cleanup INT TERM QUIT EXIT
 tmproot=$(mktemp -d)
 tmppath=$(mktemp -d)
 
-cd "${O}"
 genimage \
     --rootpath "${tmproot}" \
     --tmppath "${tmppath}" \
-    --inputpath "${IMAGESDIR}" \
-    --outputpath "${IMAGESDIR}" \
+    --inputpath images/ \
+    --outputpath images/ \
     --mkdosfs mkfs.vfat \
-    --config "${OLDPWD}"/genimage.cfg
+    --config genimage.cfg

host-portage/package.use/systemd

@@ -0,0 +1,2 @@
+sys-apps/dbus systemd
+sys-apps/systemd -*

host-tools.packages

@@ -1,9 +0,0 @@
-sec-policy/selinux-base
-sys-apps/policycoreutils
-sys-apps/systemd
-sys-boot/grub
-sys-fs/btrfs-progs
-sys-fs/dosfstools
-sys-fs/genimage
-sys-fs/mtools
-sys-fs/squashfs-tools

install-update.sh

@@ -8,7 +8,7 @@ die() {
     if [ $rc -eq 0 ]; then
         rc=1
     fi
-    eerror "$@"
+    error "$@"
     exit $rc
 }
 

install.packages

@@ -1,6 +0,0 @@
-net-misc/openssh
-net-misc/wget
-sec-policy/selinux-aimee-os
-sys-apps/busybox
-sys-apps/systemd
-sys-fs/btrfs-progs

installonly.packages

@@ -1,2 +0,0 @@
-net-wireless/wireless-regdb
-sys-kernel/linux-firmware

linux.config

@@ -47,10 +47,3 @@ CONFIG_IPV6_SIT_6RD=m
 
 # CONFIG_MEDIA_CEC_SUPPORT is not set
 # CONFIG_MEDIA_SUPPORT is not set
-
-CONFIG_AUDIT=y
-CONFIG_SECURITY=y
-CONFIG_SECURITY_NETWORK=y
-CONFIG_SECURITY_SELINUX=y
-CONFIG_DEFAULT_SECURITY_SELINUX=y
-# DEFAULT_SECURITY_DAC is not set

ocivm.sh

@@ -1,23 +0,0 @@
-#!/bin/sh
-
-set -e
-
-. ./config
-
-name=build_yellow
-if ! ocivm list | grep -q localhost/cross-${target}; then
-    ocivm import localhost/cross-${target}
-fi
-ocivm \
-    --log-level DEBUG \
-    run \
-    -n ${name} \
-    -w /tmp/src \
-    -v "${PWD}":/tmp/src \
-    -v distfiles:/var/cache/distfiles:size=4G \
-    -v packages:/var/cache/binpkgs \
-    -v portage:/var/db/repos/gentoo:size=4G \
-    --tmpfs /usr/aarch64-unknown-linux-gnu/tmp \
-    --tmpfs /var/tmp \
-    localhost/cross-aarch64-unknown-linux-gnu \
-    "$@"

overlay/etc/fstab

@@ -1 +1,3 @@
 PARTLABEL=dch-data /var btrfs subvol=var,nosuid,noexec,nodev 0 2
+PARTLABEL=dch-data /run/etc btrfs subvol=etc,nosuid,noexec,nodev 0 0
+overlay /etc/ssh overlay lowerdir=/etc/ssh,upperdir=/run/etc/rw/ssh,workdir=/run/etc/.work,x-systemd.requires=run-etc.mount 0 0

overlay/etc/selinux/config

@@ -1,15 +0,0 @@
-# This file controls the state of SELinux on the system on boot.
-
-# SELINUX can take one of these three values:
-#	enforcing - SELinux security policy is enforced.
-#	permissive - SELinux prints warnings instead of enforcing.
-#	disabled - No SELinux policy is loaded.
-SELINUX=enforcing
-
-# SELINUXTYPE can take one of these four values:
-#	targeted - Only targeted network daemons are protected.
-#	strict   - Full SELinux protection.
-#	mls      - Full SELinux protection with Multi-Level Security
-#	mcs      - Full SELinux protection with Multi-Category Security 
-#	           (mls, but only one sensitivity level)
-SELINUXTYPE=strict

overlay/etc/ssh/sshd_config

@@ -1,16 +0,0 @@
-PasswordAuthentication no
-
-UsePAM yes
-PrintMotd no
-PrintLastLog no
-
-Subsystem	sftp	/usr/lib64/misc/sftp-server
-
-AcceptEnv LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
-AcceptEnv COLORTERM
-
-HostKey /var/lib/ssh/ssh_host_rsa_key
-HostKey /var/lib/ssh/ssh_host_ecdsa_key
-HostKey /var/lib/ssh/ssh_host_ed25519_key
-
-Include /etc/ssh/sshd_config.d/*.conf

overlay/usr/bin/factory-reset

@@ -1,27 +0,0 @@
-#!/bin/sh
-# vim: set sw=4 ts=4 sts=4 et :
-
-. /lib/gentoo/functions.sh
-
-confirm() {
-    unset _confirm
-    printf '%s [y/N] ' "${1-Do you want to continue?}"
-    read _confirm
-    case "${_confirm}" in
-    [Yy]|[Yy][Ee][Ss])
-        return 0
-        ;;
-    *)
-        return 1
-        ;;
-    esac
-}
-
-printf "${WARN}"
-printf 'This operation will COMPLETELY ERASE all data and information '
-printf 'stored on this system!\n'
-printf "${NORMAL}"
-confirm || exit 9
-ewarn 'The system will now reboot and wipe all data.'
-systemctl enable --runtime factory-reset.service
-systemctl reboot

overlay/usr/lib/systemd/system-preset/80-local-default.preset

@@ -1,7 +1,3 @@
-enable auditd.service
-
-enable restorecon.service
-
 disable ldconfig.service
 
 disable systemd-userdbd.service
@@ -16,4 +12,4 @@ enable systemd-networkd.socket
 disable getty@.service
 
 enable sshd.socket
-enable ssh-keygen.target
+enable ssh-keygen.service

overlay/usr/lib/systemd/system/auditd.service.d/augenrules.conf

@@ -1,5 +0,0 @@
-[Service]
-# Do not run augenrules; read audit rules from the audit.rules file as
-# it exists already.  Audit rules are generated at build time.
-ExecStartPost=
-ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules

overlay/usr/lib/systemd/system/factory-reset.service

@@ -1,13 +0,0 @@
-[Unit]
-Description=Perform a factory reset
-DefaultDependencies=no
-After=umount.target
-Before=systemd-reboot.service
-
-[Service]
-Type=oneshot
-ExecStart=/usr/libexec/factory-reset
-StandardOutput=kmsg+console
-
-[Install]
-WantedBy=final.target

overlay/usr/lib/systemd/system/restorecon.service

@@ -1,15 +0,0 @@
-[Unit]
-Description=Restore SELinux file contexts in /var
-ConditionNeedsUpdate=/var
-DefaultDependencies=no
-After=local-fs.target
-Before=sysinit.target
-Before=systemd-tmpfiles-setup.service
-Before=systemd-update-done.service
-
-[Service]
-Type=oneshot
-ExecStart=/usr/sbin/restorecon -RFv /var
-
-[Install]
-WantedBy=sysinit.target

overlay/usr/lib/systemd/system/ssh-keygen.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=Generate SSH host keys
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/ssh-keygen -A
+
+[Install]
+WantedBy=sshd@.service

overlay/usr/lib/systemd/system/ssh-keygen.target

@@ -1,7 +0,0 @@
-[Unit]
-Wants=ssh-keygen@rsa.service
-Wants=ssh-keygen@ecdsa.service
-Wants=ssh-keygen@ed25519.service
-
-[Install]
-WantedBy=multi-user.target

overlay/usr/lib/systemd/system/ssh-keygen@.service

@@ -1,11 +0,0 @@
-[Unit]
-Description=Generate SSH %I host key
-ConditionPathExists=!%S/ssh/ssh_host_%I_key
-
-[Service]
-Type=oneshot
-StateDirectory=ssh
-ExecStart=/usr/bin/ssh-keygen -t %I -f %S/ssh/ssh_host_%I_key -N ''
-
-[Install]
-WantedBy=sshd-keygen.target

overlay/usr/lib/systemd/system/sshd@.service.d/after-keygen.conf

@@ -0,0 +1,2 @@
+[Unit]
+After=ssh-keygen.service

overlay/usr/libexec/factory-reset

@@ -1,13 +0,0 @@
-#!/bin/sh
-# vim: set sw=4 ts=4 sts=4 et :
-
-DATAPART=PARTLABEL=dch-data
-
-seq 1 30
-
-dev=$(findfs "${DATAPART}")
-if [ -z "${dev}" ]; then
-    printf 'Could not find data partition (%s)\n' "${DATAPART}" >&2
-    exit 1
-fi
-wipefs -fa "${dev}"

overlay/usr/libexec/init-storage

@@ -15,8 +15,8 @@ copy_var() {
     dev="$1"
 
     echo 'Copying /var contents to data volume'
-    mount -o subvol=var "${dev}" "${tmpdir}" || exit
-    cp -auv /var/. "${tmpdir}" || exit
+    mount -o subvol=var "${dev}" "${tmpdir}"
+    cp -auv /var/. "${tmpdir}"
     umount "${tmpdir}"
 }
 
@@ -26,8 +26,11 @@ format_dev() {
     mkfs.btrfs "${dev}" || exit
 
     mount "${dev}" "${tmpdir}" || exit
+    btrfs subvolume create "${tmpdir}"/etc || exit
+    mkdir -p "${tmpdir}"/etc/.work "${tmpdir}"/etc/rw || exit
+    mkdir -p "${tmpdir}"/etc/rw/ssh
     btrfs subvolume create "${tmpdir}"/var || exit
-    chcon -t var_t "${tmpdir}"/var || exit
+    btrfs subvolume create "${tmpdir}"/var/log || exit
     umount "${dev}" || exit
 }
 
@@ -46,8 +49,7 @@ else
 fi
 
 trap cleanup INT TERM QUIT EXIT
-tmpdir=/run/storinit
-mkdir -p "${tmpdir}"
+tmpdir=$(mktemp -d -p /run storinit.XXXXXX)
 
 if ! has_fs "${datapart}"; then
     format_dev "${datapart}"

podman-build.sh

@@ -3,7 +3,23 @@
 
 set -e
 
-cid=$(./start-container.sh)
+. ./config
+
+cid=$(podman run \
+    --tmpfs /var/tmp \
+    --tmpfs /usr/${target}/tmp \
+    -v portage:/var/db/repos/gentoo \
+    -v packages:/var/cache/binpkgs \
+    -v distfiles:/var/cache/distfiles \
+    -v packages:/usr/${target}/var/cache/binpkgs \
+    -v /mnt/gentoo \
+    -v ${PWD}:/tmp/build:rw,z \
+    -w /tmp/build \
+    -d \
+    -e FEATURES='-ipc-sandbox -network-sandbox -pid-sandbox' \
+    cross-${target} \
+    python -c 'from signal import *;signal(SIGTERM, lambda x, y: None);pause()'
+)
 
 ./patch-uboot.sh
 

portage/config/host/etc/portage/package.use/selinux

@@ -1,2 +0,0 @@
-sys-libs/libselinux python
-sys-process/audit python

portage/config/host/etc/portage/package.use/systemd

@@ -1,4 +0,0 @@
-sys-apps/dbus systemd
-sys-apps/systemd -*
-sec-policy/selinux-base systemd
-sec-policy/selinux-base-policy systemd

portage/config/target/etc/portage/package.use/awk

@@ -1 +0,0 @@
-app-alternatives/awk -gawk busybox

portage/config/target/etc/portage/package.use/python

@@ -1 +0,0 @@
-dev-lang/python -ensurepip

portage/config/target/etc/portage/package.use/u-boot

@@ -1 +0,0 @@
-sys-boot/u-boot savedconfig

portage/config/target/etc/portage/patches/sec-policy/selinux-base-policy

@@ -1 +0,0 @@
-selinux-base

portage/config/target/etc/portage/patches/sec-policy/selinux-base/0001-systemd-Fixes-for-systemd-resolved.patch

@@ -1,40 +0,0 @@
-From 45fbe472c6d0b8ecf320b4f04ebf6c09ec85ba33 Mon Sep 17 00:00:00 2001
-From: "Dustin C. Hatch" <dustin@hatch.name>
-Date: Fri, 3 Mar 2023 15:04:28 -0600
-Subject: [PATCH] systemd: Fixes for systemd-resolved
-
----
- refpolicy/policy/modules/system/systemd.te | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/refpolicy/policy/modules/system/systemd.te b/refpolicy/policy/modules/system/systemd.te
-index ef25974..78f2b07 100644
---- a/refpolicy/policy/modules/system/systemd.te
-+++ b/refpolicy/policy/modules/system/systemd.te
-@@ -228,6 +228,7 @@ init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
- 
- type systemd_resolved_runtime_t alias systemd_resolved_var_run_t;
- files_runtime_file(systemd_resolved_runtime_t)
-+init_mountpoint(systemd_resolved_runtime_t)
- 
- type systemd_stdio_bridge_t;
- type systemd_stdio_bridge_exec_t;
-@@ -1441,6 +1442,7 @@ corenet_tcp_bind_llmnr_port(systemd_resolved_t)
- corenet_udp_bind_generic_node(systemd_resolved_t)
- corenet_udp_bind_dns_port(systemd_resolved_t)
- corenet_udp_bind_llmnr_port(systemd_resolved_t)
-+corenet_udp_bind_howl_port(systemd_resolved_t)
- 
- selinux_use_status_page(systemd_resolved_t)
- 
-@@ -1452,6 +1454,7 @@ files_list_runtime(systemd_resolved_t)
- 
- fs_getattr_all_fs(systemd_resolved_t)
- fs_search_cgroup_dirs(systemd_resolved_t)
-+fs_search_all(systemd_resolved_t)
- 
- init_dgram_send(systemd_resolved_t)
- 
--- 
-2.39.0
-

portage/config/target/etc/portage/patches/sec-policy/selinux-base/0002-mount-Allow-mounting-on-etc_t.patch

@@ -1,24 +0,0 @@
-From c1510fe7d63665ea133da3b044c2c63a9b104a02 Mon Sep 17 00:00:00 2001
-From: "Dustin C. Hatch" <dustin@hatch.name>
-Date: Sat, 4 Mar 2023 09:57:44 -0600
-Subject: [PATCH] mount: Allow mounting on etc_t
-
----
- refpolicy/policy/modules/system/mount.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
-index d028723..f73cd29 100644
---- a/refpolicy/policy/modules/system/mount.te
-+++ b/refpolicy/policy/modules/system/mount.te
-@@ -89,6 +89,7 @@ files_manage_etc_runtime_files(mount_t)
- files_etc_filetrans_etc_runtime(mount_t, file)
- files_mounton_all_mountpoints(mount_t)
- files_unmount_rootfs(mount_t)
-+files_mounton_etc_dirs(mount_t)
- # These rules need to be generalized.  Only admin, initrc should have it:
- files_relabelto_all_file_type_fs(mount_t)
- files_mount_all_file_type_fs(mount_t)
--- 
-2.39.0
-

portage/config/target/etc/portage/patches/sec-policy/selinux-base/0003-kernel-Mark-unlabeled_t-as-mount-point-type.patch

@@ -1,24 +0,0 @@
-From 81e1ed4da36c7638f63e78969f70d77f87fb3600 Mon Sep 17 00:00:00 2001
-From: "Dustin C. Hatch" <dustin@hatch.name>
-Date: Sat, 4 Mar 2023 10:16:13 -0600
-Subject: [PATCH] kernel: Mark unlabeled_t as mount point type
-
----
- refpolicy/policy/modules/kernel/kernel.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
-index 5124ae0..b0d7e8f 100644
---- a/refpolicy/policy/modules/kernel/kernel.te
-+++ b/refpolicy/policy/modules/kernel/kernel.te
-@@ -267,6 +267,7 @@ allow kernel_t sysctl_kernel_ns_last_pid_t:file read_file_perms;
- 
- # Other possible mount points for the root fs are in files
- allow kernel_t unlabeled_t:dir mounton;
-+files_mountpoint(unlabeled_t)
- # Kernel-generated traffic e.g., TCP resets on
- # connections with invalidated labels:
- allow kernel_t unlabeled_t:packet send;
--- 
-2.39.0
-

portage/config/target/etc/portage/patches/sec-policy/selinux-base/0004-Allow-systemd-journald-list-cgroup-directories.patch

@@ -1,24 +0,0 @@
-From 552ee711eaba5d9efff087feff23b2e6f6249743 Mon Sep 17 00:00:00 2001
-From: "Dustin C. Hatch" <dustin@hatch.name>
-Date: Mon, 6 Mar 2023 12:10:19 -0600
-Subject: [PATCH] Allow systemd-journald list cgroup directories
-
----
- refpolicy/policy/modules/system/logging.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
-index abd61e6..08f77b5 100644
---- a/refpolicy/policy/modules/system/logging.te
-+++ b/refpolicy/policy/modules/system/logging.te
-@@ -500,6 +500,7 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
- 
- fs_getattr_all_fs(syslogd_t)
- fs_search_auto_mountpoints(syslogd_t)
-+fs_list_cgroup_dirs(syslogd_t)
- 
- mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
- 
--- 
-2.39.0
-

portage/config/target/etc/portage/patches/sec-policy/selinux-base/0005-Allow-systemd-to-create-directories.patch

@@ -1,76 +0,0 @@
-From bb58cbda2f45ee5d25b44dd256bd3de52bfcc3d8 Mon Sep 17 00:00:00 2001
-From: "Dustin C. Hatch" <dustin@hatch.name>
-Date: Fri, 10 Mar 2023 12:39:41 -0600
-Subject: [PATCH] Allow systemd to create directories
-
-This allows use of the `RuntimeDirectory`, `StateDirectory`, etc. unit
-settings.
----
- refpolicy/policy/modules/kernel/files.if | 18 ++++++++++++++++++
- refpolicy/policy/modules/system/init.te  | 14 ++++++++++++++
- 2 files changed, 32 insertions(+)
-
-diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
-index f7217b2..9966a21 100644
---- a/refpolicy/policy/modules/kernel/files.if
-+++ b/refpolicy/policy/modules/kernel/files.if
-@@ -608,6 +608,24 @@ interface(`files_manage_non_security_dirs',`
- 	allow $1 non_security_file_type:dir manage_dir_perms;
- ')
- 
-+########################################
-+## <summary>
-+##	Allow attempts to setattr any directory
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_setattr_non_security_dirs',`
-+	gen_require(`
-+		attribute non_security_file_type;
-+	')
-+
-+	allow $1 non_security_file_type:dir { read setattr };
-+')
-+
- ########################################
- ## <summary>
- ##	Create non-security directories.
-diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
-index 97a75cf..7b44a43 100644
---- a/refpolicy/policy/modules/system/init.te
-+++ b/refpolicy/policy/modules/system/init.te
-@@ -37,6 +37,13 @@ gen_tunable(init_daemons_use_tty, false)
- ## </desc>
- gen_tunable(init_mounton_non_security, false)
- 
-+## <desc>
-+## <p>
-+## Enable init create, setattr, mounton on non_security_file_type
-+## </p>
-+## </desc>
-+gen_tunable(init_create_dirs, true)
-+
- attribute init_mountpoint_type;
- attribute init_path_unit_loc_type;
- attribute init_script_domain_type;
-@@ -606,6 +613,13 @@ ifdef(`init_systemd',`
- 		unconfined_create_keys(init_t)
- 		unconfined_write_keys(init_t)
- 	')
-+
-+	tunable_policy(`init_create_dirs',`
-+	    files_create_non_security_dirs(init_t)
-+	    files_mounton_non_security(init_t)
-+	    files_setattr_non_security_dirs(init_t)
-+	')
-+
- ',`
- 	tunable_policy(`init_upstart',`
- 		corecmd_shell_domtrans(init_t, initrc_t)
--- 
-2.39.0
-

portage/config/target/etc/portage/profile/package.provided

@@ -1 +0,0 @@
-app-admin/setools-4.4.0-r3

portage/config/target/etc/portage/savedconfig/sys-boot/u-boot

@@ -1,100 +0,0 @@
-CONFIG_ARM=y
-CONFIG_ARCH_BCM283X=y
-CONFIG_TEXT_BASE=0x00080000
-CONFIG_TARGET_RPI_4=y
-CONFIG_HAS_CUSTOM_SYS_INIT_SP_ADDR=y
-CONFIG_CUSTOM_SYS_INIT_SP_ADDR=0x7fffe30
-CONFIG_ENV_SIZE=0x4000
-CONFIG_DEFAULT_DEVICE_TREE="bcm2711-rpi-4-b"
-CONFIG_SYS_PROMPT="U-Boot> "
-CONFIG_DM_RESET=y
-CONFIG_SYS_LOAD_ADDR=0x1000000
-CONFIG_DISTRO_DEFAULTS=y
-CONFIG_OF_BOARD_SETUP=y
-CONFIG_USE_PREBOOT=y
-CONFIG_PREBOOT="pci enum; usb start;"
-# CONFIG_DISPLAY_CPUINFO is not set
-# CONFIG_DISPLAY_BOARDINFO is not set
-CONFIG_MISC_INIT_R=y
-CONFIG_FDT_SIMPLEFB=y
-CONFIG_SYS_PBSIZE=1049
-CONFIG_CMD_DFU=y
-CONFIG_CMD_GPIO=y
-CONFIG_CMD_MMC=y
-CONFIG_CMD_PCI=y
-CONFIG_CMD_USB=y
-CONFIG_CMD_FS_UUID=y
-CONFIG_ENV_FAT_DEVICE_AND_PART="0:1"
-CONFIG_SYS_RELOC_GD_ENV_ADDR=y
-CONFIG_ENV_VARS_UBOOT_RUNTIME_CONFIG=y
-CONFIG_TFTP_TSIZE=y
-CONFIG_DM_DMA=y
-CONFIG_DFU_MMC=y
-CONFIG_SYS_DFU_DATA_BUF_SIZE=0x100000
-CONFIG_SYS_DFU_MAX_FILE_SIZE=0x200000
-CONFIG_BCM2835_GPIO=y
-CONFIG_MMC_SDHCI=y
-CONFIG_MMC_SDHCI_SDMA=y
-CONFIG_MMC_SDHCI_BCM2835=y
-CONFIG_BCMGENET=y
-CONFIG_PCI=y
-CONFIG_PCI_BRCMSTB=y
-CONFIG_PINCTRL=y
-# CONFIG_PINCTRL_GENERIC is not set
-CONFIG_DM_RNG=y
-CONFIG_RNG_IPROC200=y
-# CONFIG_REQUIRE_SERIAL_CONSOLE is not set
-CONFIG_SYSINFO=y
-CONFIG_SYSINFO_SMBIOS=y
-CONFIG_USB=y
-CONFIG_DM_USB_GADGET=y
-CONFIG_USB_XHCI_HCD=y
-CONFIG_USB_XHCI_PCI=y
-CONFIG_USB_KEYBOARD=y
-CONFIG_USB_GADGET=y
-CONFIG_USB_GADGET_MANUFACTURER="FSL"
-CONFIG_USB_GADGET_VENDOR_NUM=0x0525
-CONFIG_USB_GADGET_PRODUCT_NUM=0xa4a5
-CONFIG_USB_GADGET_DWC2_OTG=y
-CONFIG_USB_GADGET_DOWNLOAD=y
-CONFIG_VIDEO=y
-# CONFIG_VIDEO_BPP8 is not set
-# CONFIG_VIDEO_BPP16 is not set
-CONFIG_SYS_WHITE_ON_BLACK=y
-CONFIG_VIDEO_BCM2835=y
-CONFIG_CONSOLE_SCROLL_LINES=10
-CONFIG_PHYS_TO_BUS=y
-CONFIG_OF_LIBFDT_OVERLAY=y
-
-# CONFIG_LOCALVERSION_AUTO is not set
-CONFIG_BOOTDELAY=-2
-# CONFIG_ISO_PARTITION is not set
-CONFIG_EFI_PARTITION=y
-CONFIG_FS_EXT4=y
-CONFIG_FS_FAT=y
-# CONFIG_ENV_IS_IN_FAT is not set
-# CONFIG_ENV_IS_IN_EXT4 is not set
-CONFIG_ENV_IS_NOWHERE=y
-CONFIG_CMD_SETEXPR=y
-CONFIG_CMD_FILEENV=y
-CONFIG_CMD_SQUASHFS=y
-CONFIG_LZO=y
-
-# CONFIG_DOS_PARTITION is not set
-CONFIG_USB_STORAGE=y
-CONFIG_USB_FUNCTION_MASS_STORAGE=y
-CONFIG_USB_EHCI_HCD=y
-CONFIG_USB_EHCI_GENERIC=y
-CONFIG_USB_OHCI_HCD=y
-
-CONFIG_USB_XHCI_BRCM=y
-
-CONFIG_NVME_PCI=y
-CONFIG_CMD_NVME=y
-CONFIG_NVME=y
-CONFIG_CMD_USB_MASS_STORAGE=y
-
-CONFIG_CMD_BOOTEFI=y
-CONFIG_EFI_LOADER=y
-
-CONFIG_LMB_MAX_REGIONS=16

portage/repos/aimee-os/metadata/layout.conf

@@ -1,2 +0,0 @@
-masters = gentoo
-thin-manifests = true

portage/repos/aimee-os/profiles/repo_name

@@ -1 +0,0 @@
-aimee-os

portage/repos/aimee-os/sec-policy/selinux-aimee-os/Manifest

@@ -1,2 +0,0 @@
-DIST patchbundle-selinux-base-policy-2.20221101-r3.tar.bz2 444710 BLAKE2B e33cc01a8be5a354e022be1e8bf242883b09b15ead0673f859819f5e668f18773a16527f2e608878e6976695dcb2890c55658e77877e93c716ae0b2dd2ed5a9b SHA512 52e60b22346903a6fead95c9fb348fa1d4037b7dcd3e5781248a7dfc426c8c3fced258fd22762c779a5f436d8be21eaed5425ed36ff99c267daae5e1cb9c8e7f
-DIST refpolicy-2.20221101.tar.bz2 583183 BLAKE2B 783d8af40fd77d7ddb848dba32e91921dd7c1380c094c45b719ada7b15f91aacbb52b410ffa6341f2f705ecbc9674b8570bd4867ce998e944fa0054ffd8bdf74 SHA512 29e5a29d90f714018c88fead2d5006ea90338fb5b7a1e4e98cb2e588c96cd861871d32176f6cc6f7c4e864ce5acae1aeed85d4c706ce2da8168986535baaf3a6