#!/bin/sh
# Copyright 2013,2014 Sven Vermeulen <swift@gentoo.org>
# Copyright 2014-2021 Jason Zaman <perfinion@gentoo.org>
# Licensed under the GPL-3 license
# Prepare new policy release
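# escapeSedPattern - Print $1 with the characters that are special in a basic
# sed regular expression (and the ':' used as delimiter in TRANSLATE) escaped,
# so a checkout path can be embedded in the sed pattern verbatim.
#   $1 - the literal string to escape
escapeSedPattern() {
  printf '%s\n' "${1}" | sed 's/[][\\.*^$:]/\\&/g'
}
# Rewrite both checkout prefixes to "refpolicy/" in the diff output so the
# resulting patch is independent of where the trees lived on the build host.
# A trailing slash on either variable is tolerated (stripped before use).
TRANSLATE="s:\($(escapeSedPattern "${HARDENEDREFPOL%/}")/\|$(escapeSedPattern "${REFPOLRELEASE%/}")/\):refpolicy/:g"
# Version of the release being prepared (first and only argument).
NEWVERSION="${1}"
# If remote requires a different username, it should be set in ~/.ssh/config
REMOTELOCATION="dev.gentoo.org:/home/perfinion/public_html/patches/selinux-base-policy"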
# usage - Print how to invoke the script and which environment variables it
# needs. Output goes to stdout, one here-document instead of a run of echos.
usage() {
  cat <<EOF
Usage: $0 <newversion>

Example: $0 2.20140311-r5

The script will copy the live ebuilds towards the
<newversion>.

The following environment variables must be declared correctly for the script
to function properly:
 - GENTOOX86 should point to the gentoo-x86 checkout
 E.g. export GENTOOX86="/var/db/repos/gentoo"
 - HARDENEDREFPOL should point to the hardened-refpolicy.git checkout
 E.g. export HARDENEDREFPOL="/home/user/dev/hardened-refpolicy"
 - REFPOLRELEASE should point to the current latest /release/ of the reference
 policy (so NOT to a checkout), extracted somewhere on the file system.
 E.g. export REFPOLRELEASE="/home/user/local/refpolicy-20130424"
EOF
}
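# assertDirEnvVar - Abort unless the named variable holds an existing directory
#   $1 - name of the variable to check (the name, not its value)
# Exits with status 1 when the name is not a valid shell identifier, when the
# variable is unset or empty, or when its value is not a directory. All
# diagnostics go to stderr.
assertDirEnvVar() {
  VARNAME="${1}"
  # Only a plain identifier may reach the eval below: anything else (a
  # semicolon, a substitution, ...) would be executed rather than looked up.
  case "${VARNAME}" in
    ""|[0-9]*|*[!A-Za-z0-9_]*)
      echo "Invalid variable name \"${VARNAME}\"." >&2
      exit 1
      ;;
  esac
  eval "VARVALUE=\"\${${VARNAME}}\""
  if [ -z "${VARVALUE}" ] || [ ! -d "${VARVALUE}" ]
  then
    echo "Variable ${VARNAME} (value \"${VARVALUE}\") does not point to a valid directory." >&2
    exit 1
  fi
}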
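# cleanTmp - Remove the scratch directory TMPDIR unless NOCLEAN is set.
# Globals read: TMPDIR, NOCLEAN
# Only a directory carrying the .istempdir marker created by this script is
# removed, so a TMPDIR pointing somewhere else is never deleted.
cleanTmp() {
  # NOCLEAN set (non-empty) means "keep the directory"; the original test was
  # inverted and cleaned only when NOCLEAN was given.
  if [ -n "${NOCLEAN}" ]
  then
    echo "Not cleaning TMPDIR (${TMPDIR}) upon request."
  else
    if [ -d "${TMPDIR}" ] && [ -f "${TMPDIR}/.istempdir" ]
    then
      rm -rf -- "${TMPDIR}"
    fi
  fi
}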
# die - Report a fatal error, drop the scratch directory and exit with status 2.
#   $* - message; printed after a blank line, prefixed with "!!! "
die() {
  printf '\n!!! %s\n' "$*"
  cleanTmp
  exit 2
}
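# buildpatch - Create the patch set to be applied for the new release
# Globals read: REFPOLRELEASE, HARDENEDREFPOL, TRANSLATE, TMPDIR, NEWVERSION,
#               DISTDIR, REMOTELOCATION
# Side effects: writes the patch and bundle into TMPDIR, copies the bundle to
# DISTDIR and to REMOTELOCATION, and leaves the shell in TMPDIR.
# Calls die on any failure.
buildpatch() {
  printf "Creating patch 0001-full-patch-against-stable-release.patch... "
  # diff exits 1 whenever the trees differ (the expected case), so only the
  # status of the sed stage is meaningful for "|| die" here.
  diff -uNr -x ".git*" -x "CVS" -x "*.autogen*" -x "*.part" \
    -- "${REFPOLRELEASE}" "${HARDENEDREFPOL}" \
    | sed -e "${TRANSLATE}" > "${TMPDIR}/0001-full-patch-against-stable-release.patch" \
    || die "Failed to create patch"
  printf "done\n"
  BUNDLE="patchbundle-selinux-base-policy-${NEWVERSION}.tar.bz2"
  printf 'Creating patch bundle for %s... ' "${NEWVERSION}"
  cd "${TMPDIR}" || die "Failed to enter ${TMPDIR}"
  # *.patch is a deliberate glob; with no match the literal name makes tar fail
  # and die fires. The verbose listing is not interesting, hence /dev/null.
  tar cvjf "${BUNDLE}" *.patch > /dev/null 2>&1 || die "Failed to create patchbundle"
  printf "done\n"
  printf 'Copying patch bundle into %s location and dev.g.o... ' "${DISTDIR}"
  cp -- "${BUNDLE}" "${DISTDIR}" || die "Failed to copy patchbundle to ${DISTDIR}"
  # scp's progress meter is suppressed; a failure is still reported via die.
  scp "${BUNDLE}" "${REMOTELOCATION}" > /dev/null 2>&1 || die "Failed to scp patchbundle to ${REMOTELOCATION}"
  printf "done\n"
}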
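# createEbuilds - Create (or refresh) the versioned ebuilds from the 9999 ones
# Globals read: GENTOOX86, NEWVERSION
# Side effects: changes directory into ${GENTOOX86}/sec-policy, edits each
# package's Manifest and writes <pkg>-<NEWVERSION>.ebuild next to the 9999
# ebuild. Calls die on any failure.
createEbuilds() {
  [ -n "${NEWVERSION}" ] || die "No version given"
  # Without this check the sed/cp below would run in whatever directory the
  # caller happened to be in.
  cd "${GENTOOX86}/sec-policy" || die "Failed to enter ${GENTOOX86}/sec-policy"
  printf "Removing old patchbundle references in Manifest (in case of rebuild)... "
  for PKG in selinux-*
  do
    # Note: the path is "${PKG}/Manifest" -- a stray brace here used to make
    # this test always fail, so the Manifest was never cleaned.
    [ -f "${PKG}/Manifest" ] || continue
    sed -i -e "/patchbundle-selinux-base-policy-${NEWVERSION}/d" "${PKG}/Manifest" || die "Failed to clear Manifest"
  done
  printf "done\n"
  printf "Creating new ebuilds based on 9999 version... "
  # Same year for every ebuild; compute it once instead of once per package.
  YEAR=$(date '+%Y') || die "Failed to determine current year"
  for PKG in selinux-*
  do
    [ -f "${PKG}/${PKG}-9999.ebuild" ] || continue
    cp -- "${PKG}/${PKG}-9999.ebuild" "${PKG}/${PKG}-${NEWVERSION}.ebuild" || die "Failed to copy ebuild"
    # Update copyright year
    sed -i "s/Copyright 1999-20.. Gentoo .*/Copyright 1999-${YEAR} Gentoo Authors/" \
      "${PKG}/${PKG}-${NEWVERSION}.ebuild" || die "Failed to update header"
  done
  printf "done\n"
}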
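# tagRelease - Create a signed, annotated tag NEWVERSION in HARDENEDREFPOL
# Globals read: NEWVERSION, HARDENEDREFPOL
# Side effects: changes directory into HARDENEDREFPOL and creates the tag.
# Calls die on any failure; git's stderr is carried into the message so a
# signing failure is not silently discarded (the original sent it to /dev/null).
tagRelease() {
  printf 'Creating tag %s in our repository... ' "${NEWVERSION}"
  cd "${HARDENEDREFPOL}" || die "Failed to enter ${HARDENEDREFPOL}"
  # stdout stays quiet, stderr is captured for the error report.
  TAGERR=$(git tag -a "${NEWVERSION}" -m "Release set of ${NEWVERSION}" --sign 2>&1 > /dev/null) \
    || die "Failed to create tag: ${TAGERR}"
  printf "done\n"
}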
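# Exactly one argument (the new version) is required.
if [ $# -ne 1 ]
then
  usage
  exit 3
fi
# An empty or failed portageq result is caught by the assertion right below.
DISTDIR=$(portageq distdir)
# Assert that all needed information is available
assertDirEnvVar DISTDIR
assertDirEnvVar GENTOOX86
assertDirEnvVar HARDENEDREFPOL
assertDirEnvVar REFPOLRELEASE
# NOTE(review): TMPDIR is also the conventional environment variable for
# temporary storage; if it was exported by the caller, the tools run below
# inherit this scratch directory as their temp location. Harmless here, but
# keep it in mind before renaming or exporting it.
TMPDIR=$(mktemp -dt refpol.XXXXXXXXXX) || die "Failed to create temporary directory"
# The marker is what allows cleanTmp to remove the directory later.
touch "${TMPDIR}/.istempdir" || die "Failed to mark ${TMPDIR} as temporary"
# Build the patch
buildpatch
# Create ebuilds
createEbuilds
# Tag release
tagRelease
cat << EOF
The release has now been prepared.
Please go do the following to finish up:
In ${GENTOOX86}/sec-policy:
$ git add .
$ repoman --digest=y full
Then, before finally committing - do a run yourself, ensuring that the right
version is deployed of course:
# emerge -av1 @selinux-rebuild
Only then do:
$ repoman commit -m 'sec-policy: Release of SELinux policies ${NEWVERSION}'
$ git push --sign
In ${HARDENEDREFPOL} do:
$ git push origin --tags
EOF
cleanTmp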