From 274837a3d1885f840e1f7c8ed08271135b7537dc Mon Sep 17 00:00:00 2001
From: Your Name
Date: Mon, 2 Jan 2017 03:35:11 +0000
Subject: [PATCH] add stage4 musl config
---
 .../package.keywords/stage4 | 4 +
 .../package.mask/stage4 | 1 +
 .../package.use/stage4 | 1 +
 tools-musl/run-stage4.sh | 5 ++
 tools-musl/stage4-fsscript.sh | 81 +++++++++++++++++
 .../stage4-hardened-amd64-configured.spec | 86 +++++++++++++++++++
 tools-musl/stage4-hardened-amd64.spec | 86 +++++++++++++++++++
 7 files changed, 264 insertions(+)
 create mode 100644 tools-musl/portage.amd64.hardened-stage4/package.keywords/stage4
 create mode 100644 tools-musl/portage.amd64.hardened-stage4/package.mask/stage4
 create mode 100644 tools-musl/portage.amd64.hardened-stage4/package.use/stage4
 create mode 100755 tools-musl/run-stage4.sh
 create mode 100755 tools-musl/stage4-fsscript.sh
 create mode 100644 tools-musl/stage4-hardened-amd64-configured.spec
 create mode 100644 tools-musl/stage4-hardened-amd64.spec
diff --git a/tools-musl/portage.amd64.hardened-stage4/package.keywords/stage4 b/tools-musl/portage.amd64.hardened-stage4/package.keywords/stage4
new file mode 100644
index 00000000..a21cf483
--- /dev/null
+++ b/tools-musl/portage.amd64.hardened-stage4/package.keywords/stage4
@@ -0,0 +1,4 @@
+=sys-apps/portage-2.3.1 ~amd64
+=net-analyzer/macchanger-1.7.0-r1 ~amd64
+sys-kernel/hardened-sources-4.5.0
diff --git a/tools-musl/portage.amd64.hardened-stage4/package.use/stage4 b/tools-musl/portage.amd64.hardened-stage4/package.use/stage4
new file mode 100644
index 00000000..4b84ae65
--- /dev/null
+++ b/tools-musl/portage.amd64.hardened-stage4/package.use/stage4
@@ -0,0 +1 @@
+sys-boot/grub grub_platforms_pc
diff --git a/tools-musl/run-stage4.sh b/tools-musl/run-stage4.sh
new file mode 100755
index 00000000..e79acc79
--- /dev/null
+++ b/tools-musl/run-stage4.sh
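Review bot: In the `package.keywords/stage4` hunk, `sys-kernel/hardened-sources-4.5.0` carries a version but no operator, which portage rejects as an invalid atom; a versioned entry needs the same form as the two lines above it, `=sys-kernel/hardened-sources-4.5.0 ~amd64`. The hunk header announces four lines while only three are visible here, so a character may also have been lost in rendering and the file itself is worth checking. Portage treats `package.keywords` as the legacy name for `package.accept_keywords`, so the directory may trigger a deprecation warning once catalyst copies it into `/etc/portage`. The `package.mask/stage4` file listed in the diffstat has no hunk on this page and was not reviewed.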
@@ -0,0 +1,5 @@
+MUSL_DIR="$( cd "$( dirname ${BASH_SOURCE[0]} )" && pwd )"
+cp "${MUSL_DIR}"/stage4-hardened-amd64.spec "${MUSL_DIR}"/stage4-hardened-amd64-configured.spec
+sed -i "s|@REPO_DIR@|${MUSL_DIR}|g" "${MUSL_DIR}"/stage4-hardened-amd64-configured.spec
+
+catalyst -f "${MUSL_DIR}"/stage4-hardened-amd64-configured.spec | tee -a "${MUSL_DIR}"/zzz.log
diff --git a/tools-musl/stage4-fsscript.sh b/tools-musl/stage4-fsscript.sh
new file mode 100755
index 00000000..f222b1f2
--- /dev/null
+++ b/tools-musl/stage4-fsscript.sh
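Review bot: The file is created mode 100755 yet has no shebang, and its first line relies on the bashism `${BASH_SOURCE[0]}`, so when run directly it is interpreted by whatever fallback shell the caller uses and `MUSL_DIR` may resolve to the wrong directory (or the empty string, which would make the `cp` and `sed` operate on relative paths). On the last line the exit status of `catalyst` is discarded by `| tee -a`, so a failed stage4 build still leaves the script exiting 0 and only the appended `zzz.log` records the failure. Adding `#!/usr/bin/env bash` and `set -euo pipefail` as the first two lines, and quoting the expansion as `"${BASH_SOURCE[0]}"`, addresses both. The `sed` also interpolates `${MUSL_DIR}` into the replacement unescaped, so a checkout path containing `|` or `&` would corrupt the generated spec; that is unlikely but worth a comment on the line.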
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+# Set timezone
+echo 'UTC' > /etc/timezone
+
+# Some rootfs stuff
+grep -v rootfs /proc/mounts > /etc/mtab
+
+# This is set in rackspaces prep, might help us
+echo 'net.ipv4.conf.eth0.arp_notify = 1' >> /etc/sysctl.conf
+echo 'vm.swappiness = 0' >> /etc/sysctl.conf
+
+# Let's configure our grub
+# Access on both regular tty and serial console
+mkdir /boot/grub
+cat >>/etc/default/grub < /etc/fstab
+
+# allow the console log
+sed -i 's/#s0/s0/g' /etc/inittab
+
+# let ipv6 use normal slaac
+sed -i 's/slaac/#slaac/g' /etc/dhcpcd.conf
+# don't let dhcpcd set domain name or hostname
+sed -i 's/domain_name\,\ domain_search\,\ host_name/domain_search/g' /etc/dhcpcd.conf
+
+# need to do this here because it clobbers an openrc owned file
+cat > /etc/conf.d/hostname << "EOL"
+# Set to the hostname of this machine
+if [ -f /etc/hostname ];then
+ hostname=$(cat /etc/hostname 2> /dev/null | cut -d"." -f1 2> /dev/null)
+else
+ hostname="localhost"
+fi
+EOL
+chmod 0644 /etc/conf.d/hostname
+chown root:root /etc/conf.d/hostname
+
+# set a nice default for /etc/resolv.conf
+cat > /etc/resolv.conf << EOL
+nameserver 8.8.8.8
+nameserver 2001:4860:4860::8888
+EOL
+
+# let's upgrade (security fixes and otherwise)
+USE="-build" emerge -uDNv --with-bdeps=y --buildpkg=y --jobs=2 @world
+USE="-build" emerge --verbose=n --depclean
+USE="-build" emerge -v --usepkg=n --buildpkg=y @preserved-rebuild
+etc-update --automode -5
+
+# Clean up portage
+emerge --verbose=n --depclean
+if [[ -a /usr/bin/eix ]]; then
+ eix-update
+fi
+emaint all -f
+eselect news read all
+eclean-dist --destructive
+sed -i '/^USE=\"\${USE}\ \ build\"$/d' /etc/portage/make.conf
+
+# clean up system
+passwd -d root
+passwd -l root
+for i in $(find /var/log -type f); do truncate -s 0 $i; done
+# remove foreign manpages
+find /usr/share/man/ -mindepth 1 -maxdepth 1 -path "/usr/share/man/man*" -prune -o -exec rm -rf {} \;
+
+# fine if this fails, aka non-hardened
+if [[ -x 
/usr/sbin/migrate-pax ]]; then
+ echo 'migraging pax'
+ /usr/sbin/migrate-pax -m
+fi
diff --git a/tools-musl/stage4-hardened-amd64-configured.spec b/tools-musl/stage4-hardened-amd64-configured.spec
new file mode 100644
index 00000000..ccbdc4f7
--- /dev/null
+++ b/tools-musl/stage4-hardened-amd64-configured.spec
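Review bot: The `emerge -uDNv ... @world` line that the comment above it calls the security-update step has no failure check, and the script sets neither `set -e` nor an explicit exit on any `emerge` line, so a failed or partial upgrade still runs on to the end and the script exits with the status of the final `if`, which is 0; as far as I can tell catalyst only aborts on a non-zero fsscript status, so the stage4 would be packaged as if the updates had applied. Appending ` || exit 1` to the three `emerge` lines (or `set -e` after the shebang together with `mkdir -p /boot/grub`) makes the build fail loudly instead. The `for i in $(find /var/log -type f); do truncate -s 0 $i; done` loop word-splits paths; `find /var/log -type f -exec truncate -s 0 -- {} +` avoids that, and `[[ -a /usr/bin/eix ]]` should be `-x`. The region from `cat >>/etc/default/grub` to `/etc/fstab` is garbled on this page (the hunk header counts 81 lines and about ten are not visible), so the grub and fstab heredocs could not be reviewed. `'migraging pax'` is a typo for `'migrating pax'`.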
@@ -0,0 +1,86 @@
+subarch: amd64
+target: stage4
+version_stamp: cloud-latest
+rel_type: default
+profile: hardened/linux/musl/amd64
+snapshot: current
+source_subpath: musl/hardened/amd64/stage3-amd64-musl-hardened
+portage_confdir: /root/releng/tools-musl/portage.amd64.hardened-stage4
+portage_overlay: /opt/overlays/musl
+
+stage4/use:
+ bash-completion
+ bindist
+ bzip2
+ idm
+ ipv6
+ mmx
+ sse
+ sse2
+ urandom
+
+stage4/packages:
+ app-admin/logrotate
+ app-admin/sudo
+ app-admin/syslog-ng
+ app-editors/vim
+ app-portage/eix
+ app-portage/gentoolkit
+ net-misc/dhcpcd
+ net-misc/iputils
+ sys-boot/grub
+ sys-apps/dmidecode
+ sys-apps/gptfdisk
+ sys-apps/iproute2
+ sys-apps/lsb-release
+ sys-apps/pciutils
+ sys-block/parted
+ sys-devel/bc
+ sys-power/acpid
+ sys-process/cronie
+stage4/fsscript: /root/releng/tools-musl/tools-musl/stage4-fsscript.sh
+stage4/rcadd:
+ acpid|default
+ cronie|default
+ dhcpcd|default
+ net.lo|default
+ netmount|default
+ sshd|default
+ syslog-ng|default
+
+boot/kernel: gentoo
+boot/kernel/gentoo/sources: hardened-sources
+boot/kernel/gentoo/config: /root/releng/tools-musl/../releases/weekly/kconfig/amd64/admincd-4.4.8-r1.config
+boot/kernel/gentoo/extraversion: openstack
+boot/kernel/gentoo/gk_kernargs: --all-ramdisk-modules --makeopts=-j4
+
+# all of the cleanup...
+stage4/unmerge:
+ sys-kernel/genkernel
+ sys-kernel/hardened-sources
+
+stage4/empty:
+ /root/.ccache
+ /tmp
+ /usr/portage/distfiles
+ /usr/src
+ /var/cache/edb/dep
+ /var/cache/genkernel
+ /var/cache/portage/distfiles
+ /var/empty
+ /var/run
+ /var/state
+ /var/tmp
+
+stage4/rm:
+ /etc/*-
+ /etc/*.old
+ /etc/ssh/ssh_host_*
+ /root/.*history
+ /root/.lesshst
+ /root/.ssh/known_hosts
+ /root/.viminfo
+ # Remove any generated stuff by genkernel
+ /usr/share/genkernel
+ # This is 3MB of crap for each copy
+ /usr/lib64/python*/site-packages/gentoolkit/test/eclean/testdistfiles.tar.gz
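Review bot: `stage4/fsscript: /root/releng/tools-musl/tools-musl/stage4-fsscript.sh` is the one path that neither spec templates with `@REPO_DIR@`, and it repeats the `tools-musl` segment although the diffstat places the script at `tools-musl/stage4-fsscript.sh`; unless a nested directory happens to exist on the build host, catalyst will not find the fsscript and none of the post-install configuration it performs (locking root, emptying logs, dhcpcd and resolver defaults, the world upgrade) is applied to the image. The same line appears in `stage4-hardened-amd64.spec` below, where it should read `stage4/fsscript: @REPO_DIR@/stage4-fsscript.sh` so that `run-stage4.sh` substitutes it like `portage_confdir` and `boot/kernel/gentoo/config`. This whole file is otherwise the `cp` + `sed` output of `run-stage4.sh` with `@REPO_DIR@` already replaced by `/root/releng/tools-musl`, so committing it pins one machine's checkout path and the script rewrites it on every run, leaving the tree dirty; it is better dropped from the commit and ignored than tracked.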
diff --git a/tools-musl/stage4-hardened-amd64.spec b/tools-musl/stage4-hardened-amd64.spec
new file mode 100644
index 00000000..e8b30e97
--- /dev/null
+++ b/tools-musl/stage4-hardened-amd64.spec
@@ -0,0 +1,86 @@
+subarch: amd64
+target: stage4
+version_stamp: cloud-latest
+rel_type: default
+profile: hardened/linux/musl/amd64
+snapshot: current
+source_subpath: musl/hardened/amd64/stage3-amd64-musl-hardened
+portage_confdir: @REPO_DIR@/portage.amd64.hardened-stage4
+portage_overlay: /opt/overlays/musl
+
+stage4/use:
+ bash-completion
+ bindist
+ bzip2
+ idm
+ ipv6
+ mmx
+ sse
+ sse2
+ urandom
+
+stage4/packages:
+ app-admin/logrotate
+ app-admin/sudo
+ app-admin/syslog-ng
+ app-editors/vim
+ app-portage/eix
+ app-portage/gentoolkit
+ net-misc/dhcpcd
+ net-misc/iputils
+ sys-boot/grub
+ sys-apps/dmidecode
+ sys-apps/gptfdisk
+ sys-apps/iproute2
+ sys-apps/lsb-release
+ sys-apps/pciutils
+ sys-block/parted
+ sys-devel/bc
+ sys-power/acpid
+ sys-process/cronie
+stage4/fsscript: /root/releng/tools-musl/tools-musl/stage4-fsscript.sh
+stage4/rcadd:
+ acpid|default
+ cronie|default
+ dhcpcd|default
+ net.lo|default
+ netmount|default
+ sshd|default
+ syslog-ng|default
+
+boot/kernel: gentoo
+boot/kernel/gentoo/sources: hardened-sources
+boot/kernel/gentoo/config: @REPO_DIR@/../releases/weekly/kconfig/amd64/admincd-4.4.8-r1.config
+boot/kernel/gentoo/extraversion: openstack
+boot/kernel/gentoo/gk_kernargs: --all-ramdisk-modules --makeopts=-j4
+
+# all of the cleanup...
+stage4/unmerge:
+ sys-kernel/genkernel
+ sys-kernel/hardened-sources
+
+stage4/empty:
+ /root/.ccache
+ /tmp
+ /usr/portage/distfiles
+ /usr/src
+ /var/cache/edb/dep
+ /var/cache/genkernel
+ /var/cache/portage/distfiles
+ /var/empty
+ /var/run
+ /var/state
+ /var/tmp
+
+stage4/rm:
+ /etc/*-
+ /etc/*.old
+ /etc/ssh/ssh_host_*
+ /root/.*history
+ /root/.lesshst
+ /root/.ssh/known_hosts
+ /root/.viminfo
+ # Remove any generated stuff by genkernel
+ /usr/share/genkernel
+ # This is 3MB of crap for each copy
+ /usr/lib64/python*/site-packages/gentoolkit/test/eclean/testdistfiles.tar.gz