authorMagnus Granberg <zorry@gentoo.org>2017-10-07 16:32:35 +0200
committerMagnus Granberg <zorry@gentoo.org>2017-10-07 16:34:18 +0200
commite718e1dc1781b3bb5cd80233c217aea3b0e46755 (patch)
treeef9e4fbd40d7899e78dac08837b6a870473db1d0 /profiles/features/hardened
parentapp-text/aiksaurus: Drop proxied maintainer (diff)
profiles: add features/hardened for the new 17.0 profile
Diffstat (limited to 'profiles/features/hardened')
-rw-r--r--profiles/features/hardened/amd64/eapi1
-rw-r--r--profiles/features/hardened/amd64/make.defaults5
-rw-r--r--profiles/features/hardened/amd64/no-multilib/eapi1
-rw-r--r--profiles/features/hardened/amd64/no-multilib/make.defaults6
-rw-r--r--profiles/features/hardened/amd64/no-multilib/parent1
-rw-r--r--profiles/features/hardened/amd64/package.mask11
-rw-r--r--profiles/features/hardened/amd64/package.use12
-rw-r--r--profiles/features/hardened/amd64/package.use.force7
-rw-r--r--profiles/features/hardened/amd64/package.use.mask8
-rw-r--r--profiles/features/hardened/amd64/parent1
-rw-r--r--profiles/features/hardened/eapi1
-rw-r--r--profiles/features/hardened/make.defaults15
-rw-r--r--profiles/features/hardened/package.mask15
-rw-r--r--profiles/features/hardened/package.use.force7
-rw-r--r--profiles/features/hardened/package.use.mask11
-rw-r--r--profiles/features/hardened/packages6
-rw-r--r--profiles/features/hardened/use.force6
-rw-r--r--profiles/features/hardened/use.mask13
18 files changed, 127 insertions, 0 deletions
diff --git a/profiles/features/hardened/amd64/eapi b/profiles/features/hardened/amd64/eapi
new file mode 100644
index 000000000000..7ed6ff82de6b
--- /dev/null
+++ b/profiles/features/hardened/amd64/eapi
@@ -0,0 +1 @@
+5
diff --git a/profiles/features/hardened/amd64/make.defaults b/profiles/features/hardened/amd64/make.defaults
new file mode 100644
index 000000000000..10d89c63ebf8
--- /dev/null
+++ b/profiles/features/hardened/amd64/make.defaults
@@ -0,0 +1,5 @@
+# Copyright 1999-2012 Gentoo Foundation.
+# Distributed under the terms of the GNU General Public License v2
+
+USE="justify -pic"
+
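Review bot: `USE="justify -pic"` carries no comment recording why this amd64 hardened profile enables justify and disables pic, while the other flag choices in this commit (amd64/package.use, amd64/package.use.force) each give an author, date and bug reference. A one-line note in that convention, `# <author> (<date>): -pic because <reason>; justify because <reason>`, would let a later maintainer judge whether the entry can go. The copyright line still reads 1999-2012 although the file is new in this commit, and the hunk ends with an empty `+` line, which leaves a trailing blank line in the file.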
diff --git a/profiles/features/hardened/amd64/no-multilib/eapi b/profiles/features/hardened/amd64/no-multilib/eapi
new file mode 100644
index 000000000000..7ed6ff82de6b
--- /dev/null
+++ b/profiles/features/hardened/amd64/no-multilib/eapi
@@ -0,0 +1 @@
+5
diff --git a/profiles/features/hardened/amd64/no-multilib/make.defaults b/profiles/features/hardened/amd64/no-multilib/make.defaults
new file mode 100644
index 000000000000..1dd0a2a0f7e0
--- /dev/null
+++ b/profiles/features/hardened/amd64/no-multilib/make.defaults
@@ -0,0 +1,6 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+# We don't need to have pic on
+USE="-pic"
+
diff --git a/profiles/features/hardened/amd64/no-multilib/parent b/profiles/features/hardened/amd64/no-multilib/parent
new file mode 100644
index 000000000000..f3229c5b9876
--- /dev/null
+++ b/profiles/features/hardened/amd64/no-multilib/parent
@@ -0,0 +1 @@
+..
diff --git a/profiles/features/hardened/amd64/package.mask b/profiles/features/hardened/amd64/package.mask
new file mode 100644
index 000000000000..76612099e7c4
--- /dev/null
+++ b/profiles/features/hardened/amd64/package.mask
@@ -0,0 +1,11 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+# Cernlib has address space issues on amd64 and package is no
+# longer supported by upstream. Thus masking it and its reverse
+# dependencies.
+# See bug 426764.
+sci-physics/cernlib
+sci-physics/cernlib-montecarlo
+sci-physics/geant:3
+sci-physics/paw
diff --git a/profiles/features/hardened/amd64/package.use b/profiles/features/hardened/amd64/package.use
new file mode 100644
index 000000000000..0cef7f8d1d92
--- /dev/null
+++ b/profiles/features/hardened/amd64/package.use
@@ -0,0 +1,12 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+# Magnus Granberg <zorry@gentoo.org> (14 Jan, 2015)
+# We need to have the pic flag on.
+# Bugs 490276, 513464, 523736 and 512208.
+media-libs/x264 pic
+media-video/ffmpeg pic
+media-video/libav pic
+>=media-libs/mesa-10.1.6 pic
+media-libs/libpostproc pic
+>=media-libs/xvid-1.3.3 pic
diff --git a/profiles/features/hardened/amd64/package.use.force b/profiles/features/hardened/amd64/package.use.force
new file mode 100644
index 000000000000..ef833f2d1b51
--- /dev/null
+++ b/profiles/features/hardened/amd64/package.use.force
@@ -0,0 +1,7 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+# Magnus Granberg <zorry@gentoo.org> (14 Jan, 2015)
+# We need to have the pic flag on.
+# Bugs 358929
+app-emulation/open-vm-tools pic
diff --git a/profiles/features/hardened/amd64/package.use.mask b/profiles/features/hardened/amd64/package.use.mask
new file mode 100644
index 000000000000..50e34f0e46d0
--- /dev/null
+++ b/profiles/features/hardened/amd64/package.use.mask
@@ -0,0 +1,8 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+# Cernlib has address space issues on amd64 and package is no
+# longer supported by upstream. Thus masking it and its reverse
+# dependencies.
+# See bugs 426764, 556612.
+=sci-physics/geant-4.9.4* geant3
diff --git a/profiles/features/hardened/amd64/parent b/profiles/features/hardened/amd64/parent
new file mode 100644
index 000000000000..f3229c5b9876
--- /dev/null
+++ b/profiles/features/hardened/amd64/parent
@@ -0,0 +1 @@
+..
diff --git a/profiles/features/hardened/eapi b/profiles/features/hardened/eapi
new file mode 100644
index 000000000000..7ed6ff82de6b
--- /dev/null
+++ b/profiles/features/hardened/eapi
@@ -0,0 +1 @@
+5
diff --git a/profiles/features/hardened/make.defaults b/profiles/features/hardened/make.defaults
new file mode 100644
index 000000000000..f753f571b723
--- /dev/null
+++ b/profiles/features/hardened/make.defaults
@@ -0,0 +1,15 @@
+# Copyright 1999-2014 Gentoo Foundation.
+# Distributed under the terms of the GNU General Public License v2
+
+# Jorge Manuel B. S. Vicetto <jmbsvicetto@gentoo.org> (16 Nov 2011)
+# Rename STAGE1_USE to BOOTSTRAP_USE and stack it to the parent value
+BOOTSTRAP_USE="${BOOTSTRAP_USE} hardened pax_kernel pic xtpax -jit -orc"
+
+USE="hardened pax_kernel pic urandom xtpax -fortran -jit -orc"
+
+# Ian Stakenvicius, 2014-09-03
+# Set a variable just to indicate that the current profile is a hardened one
+# This variable can be leveraged in ebuilds for pkg_postinst messages that
+# indicate said package is, say, configured in a way that defeats the purpose
+# of running hardened.
+PROFILE_IS_HARDENED=1
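Review bot: The USE line disables fortran, jit and orc without a comment, whereas the BOOTSTRAP_USE entry directly above it is attributed and explained; a short note on why each is off (jit and orc presumably because runtime code generation conflicts with PaX MPROTECT on hardened kernels, fortran for a reason the hunk does not show) would save the next maintainer a bug search. The comment on `PROFILE_IS_HARDENED=1` could also state that the variable is only a marker read by ebuilds and does not itself enable any hardening: pie and ssp are enforced by the use.force file added in this same commit, so an ebuild should not treat the marker as proof that those flags are active.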
diff --git a/profiles/features/hardened/package.mask b/profiles/features/hardened/package.mask
new file mode 100644
index 000000000000..af6a869977fc
--- /dev/null
+++ b/profiles/features/hardened/package.mask
@@ -0,0 +1,15 @@
+# Copyright 1999-2017 Gentoo Foundation.
+# Distributed under the terms of the GNU General Public License v2
+
+# We need newer then glibc 2.24
+<sys-libs/glibc-2.25
+
+# broken on hardened, use sys-apps/elfix to fix gnustack
+sys-devel/prelink
+# depends on prelink
+app-crypt/hmaccalc
+
+# OpenAFS kernel module is not compatible with hardened kernels
+# due to C99 struct init requirement by hardened kernels,
+# see bug 540196 comment 9.
+net-fs/openafs-kernel
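Review bot: The comment `# We need newer then glibc 2.24` above `<sys-libs/glibc-2.25` is both a typo and imprecise: the atom admits 2.25 and newer, so `# We need glibc 2.25 or newer` states exactly what the mask enforces. It also gives no reason or bug reference, unlike the prelink and openafs-kernel entries below it; since this mask pins the minimum libc for every hardened system built from the profile, recording why (and by whom and when, following the convention used elsewhere in this commit) is what will make the mask removable later.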
diff --git a/profiles/features/hardened/package.use.force b/profiles/features/hardened/package.use.force
new file mode 100644
index 000000000000..697af381d682
--- /dev/null
+++ b/profiles/features/hardened/package.use.force
@@ -0,0 +1,7 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+# Needed for XATTR_PAX flags
+app-arch/tar xattr
+sys-apps/coreutils xattr
+sys-apps/portage xattr
diff --git a/profiles/features/hardened/package.use.mask b/profiles/features/hardened/package.use.mask
new file mode 100644
index 000000000000..e3320e1e4d9d
--- /dev/null
+++ b/profiles/features/hardened/package.use.mask
@@ -0,0 +1,11 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+sys-apps/hwloc gl
+
+sys-devel/gcc -hardened
+sys-libs/glibc -hardened
+
+# net-fs/openafs-kernel module can't be used on hardened,
+# see bug 540196.
+net-fs/openafs modules
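Review bot: `sys-apps/hwloc gl` and the two `-hardened` entries for sys-devel/gcc and sys-libs/glibc carry no comment, while the openafs entry below them does. The `-hardened` lines look redundant with the `-hardened` in the use.mask file from this same commit unless a parent profile masks the flag per package, which the hunk cannot show; a comment naming the profile-level mask they override, e.g. `# unmask hardened for the toolchain; masked per-package in <parent profile>`, would let a reader verify that gcc and glibc are really built with the hardened flag in this profile.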
diff --git a/profiles/features/hardened/packages b/profiles/features/hardened/packages
new file mode 100644
index 000000000000..2524abdd0c4f
--- /dev/null
+++ b/profiles/features/hardened/packages
@@ -0,0 +1,6 @@
+# Copyright 1999-2013 Gentoo Foundation.
+# Distributed under the terms of the GNU General Public License v2
+
+# This file extends the base packages file for all hardened profiles
+
+*sys-apps/elfix
diff --git a/profiles/features/hardened/use.force b/profiles/features/hardened/use.force
new file mode 100644
index 000000000000..35e56536ec64
--- /dev/null
+++ b/profiles/features/hardened/use.force
@@ -0,0 +1,6 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+# Make sure people don't accidentally turn of ssp/pie in important packages.
+pie
+ssp
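Review bot: `# Make sure people don't accidentally turn of ssp/pie in important packages.` has a typo (`turn off`) and understates the scope: a use.force entry applies to every package that exposes the flag, not only important ones, so `# Force pie and ssp on for every package that exposes them so they cannot be disabled by accident.` matches what the file does. The same kind of wording issue is in use.mask from this commit, where `# profile are incompatible when linking with pie` should read `# profiling (the profile flag) is incompatible with pie linking`.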
diff --git a/profiles/features/hardened/use.mask b/profiles/features/hardened/use.mask
new file mode 100644
index 000000000000..e3999ad48706
--- /dev/null
+++ b/profiles/features/hardened/use.mask
@@ -0,0 +1,13 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+-hardened
+
+# precompiled headers are not compat with ASLR.
+pch
+
+# prelink is masked for hardened
+prelink
+
+# profile are incompatible when linking with pie
+profile