portage: Provide a base Portage configuration

Instead of requiring every Aimee OS project to carry around a full
Portage configuration tree, including patches, saved configurations,
etc., we now support a "layered" configuration system.  Aimee OS core
provides a base configuration that includes all settings, patches, etc.
common for all Aimee OS projects.  At build time, this base
configuration is combined with the project's configuration, which need
only specify USE flags, etc. for that specific project.  This should
make maintenance across multiple projects easier, and make getting a new
project started _significantly_ less cumbersome.

Makefile

@@ -6,7 +6,19 @@ export CONFIGDIR
 
 update.tar: $(IMAGESDIR)/update.tar.zstd
 
+$(O)/portage/.stamp: \
+		$(shell find portage -type f) \
+		$(shell find $(CONFIGDIR)/portage -type f)
+	rm -rf $(O)/portage
+	mkdir -p $(O)/portage/etc/portage
+	tar -C portage -c . | tar -C $(O)/portage/etc/portage -x
+	tar -C $(CONFIGDIR)/portage -c . | tar -C $(O)/portage/etc/portage -x
+	touch $@
+
+portage: $(O)/portage/.stamp
+
 $(O)/.prepared: \
+		$(O)/portage/.stamp \
 		prepare.sh \
 		setup-local-repo.sh
 	./prepare.sh
@@ -22,7 +34,7 @@ $(O)/.built: \
 		install.packages \
 		$(wildcard $(CONFIGDIR)/build.packages) \
 		$(CONFIGDIR)/install.packages \
-		$(shell find $(CONFIGDIR)/portage/target -type f) \
+		$(O)/portage/.stamp \
 		$(O)/.prepared
 	./build.sh
 	touch $(O)/.built
@@ -111,6 +123,7 @@ clean:
 	build \
 	grub \
 	kernel \
+	portage \
 	prepare \
 	sdcard.img \
 	squashfs \

build-rootfs.sh

@@ -29,7 +29,7 @@ cat \
     | xargs -ro \
 ${target}-emerge \
     --root=/mnt/gentoo \
-    --config-root="${CONFIGDIR}"/portage/target \
+    --config-root="${O}"/portage \
     -KvnuUDj \
     --rebuilt-binaries=y
 
@@ -37,7 +37,7 @@ if [ -f "${CONFIGDIR}"/installonly.packages ]; then
     < "${CONFIGDIR}"/installonly.packages xargs -ro \
     ${target}-emerge \
         --root=/mnt/gentoo \
-        --config-root="${CONFIGDIR}"/portage/target \
+        --config-root="${O}"/portage \
         -vnuUDj
 fi
 

build.sh

@@ -7,7 +7,7 @@ set -e
 
 unset MAKEFLAGS MAKEOVERRIDES MAKELEVEL
 
-export PORTAGE_CONFIGROOT="${CONFIGDIR}"/portage/target
+export PORTAGE_CONFIGROOT="${O}"/portage
 
 ${target}-emerge -vuUDj sys-apps/util-linux
 

portage/env/nobuildpkg

@@ -0,0 +1 @@
+FEATURES=-buildpkg

portage/make.conf/20-binpkgs.conf

@@ -0,0 +1,2 @@
+FEATURES="${FEATURES} binpkg-multi-instance buildpkg"
+EMERGE_DEFAULT_OPTS="${EMERGE_DEFAULT_OPTS} --usepkg --binpkg-respect-use=y"

portage/make.conf/30-default-use.conf

@@ -0,0 +1 @@
+USE='-man -doc minimal pam zstd'

portage/make.conf/40-goarch.conf

@@ -0,0 +1,2 @@
+GOOS=linux
+GOARCH=${ARCH}

portage/make.conf/40-lang.conf

@@ -0,0 +1,3 @@
+LINGUAS=en
+L10N=en-US
+USE="${USE} -nls"

portage/make.conf/80-quiet.conf

@@ -0,0 +1,2 @@
+EMERGE_DEFAULT_OPTS="${EMERGE_DEFAULT_OPTS} --quiet-build=y"
+FEATURES="${FEATURES} -news"

portage/package.env/linux-firmware

@@ -0,0 +1 @@
+sys-kernel/linux-firmware nobuildpkg

portage/package.env/raspberrypi-firmware

@@ -0,0 +1 @@
+sys-boot/raspberrypi-firmware nobuildpkg

portage/package.use/awk

@@ -0,0 +1 @@
+app-alternatives/awk -gawk busybox

portage/package.use/busybox

@@ -0,0 +1 @@
+sys-apps/busybox savedconfig

portage/package.use/firmware

@@ -0,0 +1 @@
+sys-kernel/linux-firmware compress compress-xz savedconfig

portage/package.use/python

@@ -0,0 +1 @@
+dev-lang/python -ensurepip

portage/package.use/u-boot

@@ -0,0 +1 @@
+sys-boot/u-boot savedconfig

portage/patches/sec-policy/selinux-base-policy

@@ -0,0 +1 @@
+selinux-base

portage/patches/sec-policy/selinux-base/0001-systemd-Fixes-for-systemd-resolved.patch

@@ -0,0 +1,24 @@
+From 21d7cfbc3969ddea86e7dcc2dd15f8009ffcabe6 Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch" <dustin@hatch.name>
+Date: Fri, 3 Mar 2023 15:04:28 -0600
+Subject: [PATCH] systemd: Fixes for systemd-resolved
+
+---
+ refpolicy/policy/modules/system/systemd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/refpolicy/policy/modules/system/systemd.te b/refpolicy/policy/modules/system/systemd.te
+index da64b11..9013931 100644
+--- a/refpolicy/policy/modules/system/systemd.te
++++ b/refpolicy/policy/modules/system/systemd.te
+@@ -236,6 +236,7 @@ init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
+ 
+ type systemd_resolved_runtime_t alias systemd_resolved_var_run_t;
+ files_runtime_file(systemd_resolved_runtime_t)
++init_mountpoint(systemd_resolved_runtime_t)
+ 
+ type systemd_stdio_bridge_t;
+ type systemd_stdio_bridge_exec_t;
+-- 
+2.40.1
+

portage/patches/sec-policy/selinux-base/0002-mount-Allow-mounting-on-etc_t.patch

@@ -0,0 +1,24 @@
+From 1a7dfe6699484a6b7808cc02df7354b146b07a36 Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch" <dustin@hatch.name>
+Date: Sat, 4 Mar 2023 09:57:44 -0600
+Subject: [PATCH] mount: Allow mounting on etc_t
+
+---
+ refpolicy/policy/modules/system/mount.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
+index 22a4766..f405615 100644
+--- a/refpolicy/policy/modules/system/mount.te
++++ b/refpolicy/policy/modules/system/mount.te
+@@ -92,6 +92,7 @@ files_manage_etc_runtime_files(mount_t)
+ files_etc_filetrans_etc_runtime(mount_t, file)
+ files_mounton_all_mountpoints(mount_t)
+ files_unmount_rootfs(mount_t)
++files_mounton_etc_dirs(mount_t)
+ # These rules need to be generalized.  Only admin, initrc should have it:
+ files_relabelto_all_file_type_fs(mount_t)
+ files_mount_all_file_type_fs(mount_t)
+-- 
+2.40.1
+

portage/patches/sec-policy/selinux-base/0003-kernel-Mark-unlabeled_t-as-mount-point-type.patch

@@ -0,0 +1,24 @@
+From b24010882565c3ea5f9ab9b3007648f1e4d2e603 Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch" <dustin@hatch.name>
+Date: Sat, 4 Mar 2023 10:16:13 -0600
+Subject: [PATCH] kernel: Mark unlabeled_t as mount point type
+
+---
+ refpolicy/policy/modules/kernel/kernel.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
+index 56dbd5a..0dff529 100644
+--- a/refpolicy/policy/modules/kernel/kernel.te
++++ b/refpolicy/policy/modules/kernel/kernel.te
+@@ -267,6 +267,7 @@ allow kernel_t sysctl_kernel_ns_last_pid_t:file read_file_perms;
+ 
+ # Other possible mount points for the root fs are in files
+ allow kernel_t unlabeled_t:dir mounton;
++files_mountpoint(unlabeled_t)
+ # Kernel-generated traffic e.g., TCP resets on
+ # connections with invalidated labels:
+ allow kernel_t unlabeled_t:packet send;
+-- 
+2.40.1
+

portage/patches/sec-policy/selinux-base/0004-Allow-systemd-journald-list-cgroup-directories.patch

@@ -0,0 +1,24 @@
+From 6e4feac42f7c646e3353e0747767f1226f6c513e Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch" <dustin@hatch.name>
+Date: Mon, 6 Mar 2023 12:10:19 -0600
+Subject: [PATCH] Allow systemd-journald list cgroup directories
+
+---
+ refpolicy/policy/modules/system/logging.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
+index 227dc67..0c6f372 100644
+--- a/refpolicy/policy/modules/system/logging.te
++++ b/refpolicy/policy/modules/system/logging.te
+@@ -500,6 +500,7 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+ 
+ fs_getattr_all_fs(syslogd_t)
+ fs_search_auto_mountpoints(syslogd_t)
++fs_list_cgroup_dirs(syslogd_t)
+ 
+ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
+ 
+-- 
+2.40.1
+

portage/patches/sec-policy/selinux-base/0005-Allow-systemd-to-create-directories.patch

@@ -0,0 +1,76 @@
+From 3e580c1cc3c31745c180dfd69bfd913ef1333c63 Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch" <dustin@hatch.name>
+Date: Fri, 10 Mar 2023 12:39:41 -0600
+Subject: [PATCH] Allow systemd to create directories
+
+This allows use of the `RuntimeDirectory`, `StateDirectory`, etc. unit
+settings.
+---
+ refpolicy/policy/modules/kernel/files.if | 18 ++++++++++++++++++
+ refpolicy/policy/modules/system/init.te  | 14 ++++++++++++++
+ 2 files changed, 32 insertions(+)
+
+diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
+index 6fe764a..add9b6d 100644
+--- a/refpolicy/policy/modules/kernel/files.if
++++ b/refpolicy/policy/modules/kernel/files.if
+@@ -564,6 +564,24 @@ interface(`files_manage_non_security_dirs',`
+ 	allow $1 non_security_file_type:dir manage_dir_perms;
+ ')
+ 
++########################################
++## <summary>
++##	Allow attempts to setattr any directory
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_setattr_non_security_dirs',`
++	gen_require(`
++		attribute non_security_file_type;
++	')
++
++	allow $1 non_security_file_type:dir { read setattr };
++')
++
+ ########################################
+ ## <summary>
+ ##	Create non-security directories.
+diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
+index 9997215..554a04d 100644
+--- a/refpolicy/policy/modules/system/init.te
++++ b/refpolicy/policy/modules/system/init.te
+@@ -37,6 +37,13 @@ gen_tunable(init_daemons_use_tty, false)
+ ## </desc>
+ gen_tunable(init_mounton_non_security, false)
+ 
++## <desc>
++## <p>
++## Enable init create, setattr, mounton on non_security_file_type
++## </p>
++## </desc>
++gen_tunable(init_create_dirs, true)
++
+ attribute init_mountpoint_type;
+ attribute init_path_unit_loc_type;
+ attribute init_script_domain_type;
+@@ -625,6 +632,13 @@ ifdef(`init_systemd',`
+ 		unconfined_create_keys(init_t)
+ 		unconfined_write_keys(init_t)
+ 	')
++
++	tunable_policy(`init_create_dirs',`
++	    files_create_non_security_dirs(init_t)
++	    files_mounton_non_security(init_t)
++	    files_setattr_non_security_dirs(init_t)
++	')
++
+ ',`
+ 	tunable_policy(`init_upstart',`
+ 		corecmd_shell_domtrans(init_t, initrc_t)
+-- 
+2.40.1
+

portage/patches/sec-policy/selinux-base/0006-Allow-init-to-setattr-on-char-devices.patch

@@ -0,0 +1,25 @@
+From 936c142431d96fec0474fa3c5b27e41f5906a3d0 Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch" <dustin@hatch.name>
+Date: Tue, 14 Mar 2023 13:40:23 -0500
+Subject: [PATCH] Allow init to setattr on char devices
+
+This is required for local logins to work.
+---
+ refpolicy/policy/modules/system/init.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
+index 554a04d..cd8ed37 100644
+--- a/refpolicy/policy/modules/system/init.te
++++ b/refpolicy/policy/modules/system/init.te
+@@ -392,6 +392,7 @@ ifdef(`init_systemd',`
+ 	dev_create_urand_dev(init_t)
+ 	# systemd writes to /dev/watchdog on shutdown
+ 	dev_write_watchdog(init_t)
++	dev_setattr_all_chr_files(init_t)
+ 
+ 	domain_read_all_domains_state(init_t)
+ 	# for starting systemd --user in the right domain:
+-- 
+2.40.1
+

portage/patches/sec-policy/selinux-base/0007-podman-Allow-crun-to-chown-stdio-sockets.patch

@@ -0,0 +1,33 @@
+From 5595c5c29e6038da5e5a61b1f38c231e2ca4301e Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch" <dustin@hatch.name>
+Date: Thu, 23 Mar 2023 09:44:02 -0500
+Subject: [PATCH] podman: Allow crun to chown stdio sockets
+
+Podman (actually `crun`) fails to launch containers as systemd units
+with this error:
+
+    fchown std stream 1: Permission denied
+
+The error is caused by this AVC denial:
+
+    AVC avc:  denied  { setattr } for  pid=262 comm="crun" name="UNIX-STREAM" dev="sockfs" ino=9811 scontext=system_u:system_r:podman_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
+---
+ refpolicy/policy/modules/services/podman.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/refpolicy/policy/modules/services/podman.te b/refpolicy/policy/modules/services/podman.te
+index d929bb2..7649298 100644
+--- a/refpolicy/policy/modules/services/podman.te
++++ b/refpolicy/policy/modules/services/podman.te
+@@ -75,6 +75,8 @@ ifdef(`init_systemd',`
+ 	init_start_transient_units(podman_t)
+ 	init_stop_transient_units(podman_t)
+ 
++	init_rw_stream_sockets(podman_t)
++
+ 	# podman can read logs from containers which are
+ 	# sent to the system journal
+ 	logging_search_logs(podman_t)
+-- 
+2.40.1
+

portage/patches/sec-policy/selinux-base/0008-systemd-Allow-quadlet-to-read-container-configs.patch

@@ -0,0 +1,28 @@
+From d7001620adab1780ae51fc916f8eee824ecd6709 Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch" <dustin@hatch.name>
+Date: Thu, 23 Mar 2023 10:45:11 -0500
+Subject: [PATCH] systemd: Allow quadlet to read container configs
+
+---
+ refpolicy/policy/modules/system/systemd.te | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/refpolicy/policy/modules/system/systemd.te b/refpolicy/policy/modules/system/systemd.te
+index 9013931..54868ea 100644
+--- a/refpolicy/policy/modules/system/systemd.te
++++ b/refpolicy/policy/modules/system/systemd.te
+@@ -582,6 +582,11 @@ optional_policy(`
+ 	zfs_read_config(systemd_generator_t)
+ ')
+ 
++optional_policy(`
++	# needed by podman-system-generator
++	container_read_config(systemd_generator_t)
++')
++
+ #######################################
+ #
+ # systemd-homed policy
+-- 
+2.40.1
+

portage/patches/sec-policy/selinux-base/0009-podman-Allow-podman-to-use-fd-inherited-from-init.patch

@@ -0,0 +1,24 @@
+From 04e3b1f3f91ad10b5fc69b59bba0e24f360905fa Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch" <dustin@hatch.name>
+Date: Sun, 26 Mar 2023 14:56:02 -0500
+Subject: [PATCH] podman: Allow podman to use fd inherited from init
+
+---
+ refpolicy/policy/modules/services/podman.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/refpolicy/policy/modules/services/podman.te b/refpolicy/policy/modules/services/podman.te
+index 7649298..e622f25 100644
+--- a/refpolicy/policy/modules/services/podman.te
++++ b/refpolicy/policy/modules/services/podman.te
+@@ -76,6 +76,7 @@ ifdef(`init_systemd',`
+ 	init_stop_transient_units(podman_t)
+ 
+ 	init_rw_stream_sockets(podman_t)
++	init_use_fds(podman_t)
+ 
+ 	# podman can read logs from containers which are
+ 	# sent to the system journal
+-- 
+2.40.1
+

portage/patches/sec-policy/selinux-base/0010-Allow-podman-to-validate-security-contexts.patch

@@ -0,0 +1,28 @@
+From c59490d5823a17de62697cce367fbbb99156f424 Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch" <dustin@hatch.name>
+Date: Sun, 26 Mar 2023 14:59:28 -0500
+Subject: [PATCH] Allow podman to validate security contexts
+
+Addresses this AVC denial:
+
+    avc:  denied  { write } for  pid=244 comm="podman" name="context" dev="selinuxfs" ino=5 scontext=system_u:system_r:podman_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=0
+---
+ refpolicy/policy/modules/services/podman.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/refpolicy/policy/modules/services/podman.te b/refpolicy/policy/modules/services/podman.te
+index e622f25..243880f 100644
+--- a/refpolicy/policy/modules/services/podman.te
++++ b/refpolicy/policy/modules/services/podman.te
+@@ -64,6 +64,8 @@ container_manage_sock_files(podman_t)
+ 
+ podman_spec_rangetrans_conmon(podman_t, s0)
+ 
++selinux_validate_context(podman_t)
++
+ ifdef(`init_systemd',`
+ 	init_dbus_chat(podman_t)
+ 	init_setsched(podman_t)
+-- 
+2.40.1
+

portage/patches/sec-policy/selinux-base/0011-podman-Allow-conmon-to-signal-containers.patch

@@ -0,0 +1,38 @@
+From 6d997d50fe41abc68b8828cac4fa7ce1d7bbd2f1 Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch" <dustin@hatch.name>
+Date: Sun, 26 Mar 2023 15:03:40 -0500
+Subject: [PATCH] podman: Allow conmon to signal containers
+
+Addresses these AVC denials:
+
+    avc:  denied  { kill } for  pid=274 comm="conmon" capability=5  scontext=system_u:system_r:podman_conmon_t:s0 tcontext=system_u:system_r:podman_conmon_t:s0 tclass=capability permissive=0
+    avc:  denied  { signal } for  pid=278 comm="conmon" scontext=system_u:system_r:podman_conmon_t:s0 tcontext=system_u:system_r:container_t:s0:c273,c333 tclass=process permissive=0
+---
+ refpolicy/policy/modules/services/podman.te | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/refpolicy/policy/modules/services/podman.te b/refpolicy/policy/modules/services/podman.te
+index 243880f..0d64e19 100644
+--- a/refpolicy/policy/modules/services/podman.te
++++ b/refpolicy/policy/modules/services/podman.te
+@@ -196,7 +196,7 @@ ifdef(`init_systemd',`
+ # podman conmon local policy
+ #
+ 
+-allow podman_conmon_t self:capability { dac_override dac_read_search sys_ptrace sys_resource };
++allow podman_conmon_t self:capability { dac_override dac_read_search kill sys_ptrace sys_resource };
+ dontaudit podman_conmon_t self:capability net_admin;
+ 
+ podman_domtrans(podman_conmon_t)
+@@ -219,6 +219,8 @@ container_engine_tmp_filetrans(podman_conmon_t, { file sock_file })
+ container_manage_engine_tmp_files(podman_conmon_t)
+ container_manage_engine_tmp_sock_files(podman_conmon_t)
+ 
++container_signal_all_containers(podman_conmon_t)
++
+ ifdef(`init_systemd',`
+ 	init_get_transient_units_status(podman_conmon_t)
+ 	init_start_transient_units(podman_conmon_t)
+-- 
+2.40.1
+

portage/patches/sec-policy/selinux-container

@@ -0,0 +1 @@
+selinux-base

portage/patches/sec-policy/selinux-podman

@@ -0,0 +1 @@
+selinux-base

prepare.sh

@@ -31,11 +31,12 @@ if [ -d /usr/${target}/usr/lib/pkgconfig ] \
 fi
 
 if [ ! -f portage/make.conf/10-crossdev.conf ]; then
+    mkdir -p "${O}"/portage/etc/portage/make.conf
     sed -r \
         -e 's: ?-pam::' \
         -e '/PKGDIR=/d' \
         /usr/${target}/etc/portage/make.conf \
-        > "${CONFIGDIR}"/portage/target/etc/portage/make.conf/10-crossdev.conf
+        > "${O}"/portage/etc/portage/make.conf/10-crossdev.conf
 fi
 
 ln -snf /var/db/repos/gentoo/profiles/${profile} \
@@ -51,9 +52,7 @@ USE='pam build' \
 ${target}-emerge -bknvj sys-apps/util-linux
 
 # Set the Portage profile
+mkdir -p "${O}"/portage/etc/portage
 ln -snf \
     /var/db/repos/gentoo/profiles/${profile} \
-    ${CONFIGDIR}/portage/target/etc/portage/make.profile
-ln -snf \
-    $(realpath /etc/portage/make.profile) \
-    ${CONFIGDIR}/portage/host/etc/portage/make.profile
+    ${O}/portage/etc/portage/make.profile

rebuild-pkg.sh

@@ -7,6 +7,6 @@ set -e
 
 unset MAKEFLAGS MAKEOVERRIDES MAKELEVEL
 
-export PORTAGE_CONFIGROOT="${CONFIGDIR}"/portage/target
+export PORTAGE_CONFIGROOT="${O}"/portage
 
 ${target}-emerge -bkv1j --usepkg-exclude="$*" "$@"

setup-local-repo.sh

@@ -5,9 +5,9 @@ set -e
 
 . "${CONFIGDIR:=${PWD}}"/config
 
-mkdir -p "${CONFIGDIR}"/portage/target/etc/portage/repos.conf
+mkdir -p "${O}"/portage/etc/portage/repos.conf
 
-cat > "${CONFIGDIR}"/portage/target/etc/portage/repos.conf/aimee-os.conf <<EOF
+cat > "${O}"/portage/etc/portage/repos.conf/aimee-os.conf <<EOF
 [aimee-os]
 location = ${PWD}/repos/aimee-os
 auto-sync = no