authorJohn P. Davis <zhen@gentoo.org>2004-03-16 21:19:20 +0000
committerJohn P. Davis <zhen@gentoo.org>2004-03-16 21:19:20 +0000
commit915fb5e42da9ebc86ea57e6397e7deeef444a826 (patch)
tree1677ff8be1ddb66133a120257aa692ce3bbcb160 /profiles/hardened
parentVersion bumped. Marked previous version stable on x86 and alpha. Removed old ... (diff)
adding hardened stackable profile
Diffstat (limited to 'profiles/hardened')
-rw-r--r--profiles/hardened/packages5
-rw-r--r--profiles/hardened/parent5
-rw-r--r--profiles/hardened/use.mask7
-rw-r--r--profiles/hardened/virtuals7
-rw-r--r--profiles/hardened/x86/make.defaults9
-rw-r--r--profiles/hardened/x86/packages46
-rw-r--r--profiles/hardened/x86/packages.build36
-rw-r--r--profiles/hardened/x86/parent6
-rw-r--r--profiles/hardened/x86/use.defaults4
-rw-r--r--profiles/hardened/x86/use.mask4
-rw-r--r--profiles/hardened/x86/virtuals6
11 files changed, 135 insertions, 0 deletions
diff --git a/profiles/hardened/packages b/profiles/hardened/packages
new file mode 100644
index 000000000000..dd65a40f2b51
--- /dev/null
+++ b/profiles/hardened/packages
@@ -0,0 +1,5 @@
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/packages,v 1.1 2004/03/16 21:19:20 zhen Exp $
+
+# This file extends the base packages file for the hardened profile.
diff --git a/profiles/hardened/parent b/profiles/hardened/parent
new file mode 100644
index 000000000000..850ce9482b2b
--- /dev/null
+++ b/profiles/hardened/parent
@@ -0,0 +1,5 @@
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/parent,v 1.1 2004/03/16 21:19:20 zhen Exp $
+
+base
diff --git a/profiles/hardened/use.mask b/profiles/hardened/use.mask
new file mode 100644
index 000000000000..4e62b28dade7
--- /dev/null
+++ b/profiles/hardened/use.mask
@@ -0,0 +1,7 @@
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/use.mask,v 1.1 2004/03/16 21:19:20 zhen Exp $
+
+# Chris PeBenito <pebenito@gentoo.org>
+# must use a SELinux profile
+selinux
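Review bot: The comment `# must use a SELinux profile` above the `selinux` mask is ambiguous, because it can be read as saying that this profile requires SELinux, which is the opposite of what a use.mask entry does. Spelling out the intent would help, e.g. `# selinux is masked here: enabling it requires switching to a SELinux profile`. Someone auditing which mandatory access control options the hardened profile permits should not have to guess.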
diff --git a/profiles/hardened/virtuals b/profiles/hardened/virtuals
new file mode 100644
index 000000000000..14ca8550e0a3
--- /dev/null
+++ b/profiles/hardened/virtuals
@@ -0,0 +1,7 @@
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/virtuals,v 1.1 2004/03/16 21:19:20 zhen Exp $
+
+virtual/kernel sys-kernel/linux
+virtual/os-headers sys-kernel/linux-headers
+virtual/modutils sys-apps/modutils
diff --git a/profiles/hardened/x86/make.defaults b/profiles/hardened/x86/make.defaults
new file mode 100644
index 000000000000..576d98f993e9
--- /dev/null
+++ b/profiles/hardened/x86/make.defaults
@@ -0,0 +1,9 @@
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/x86/make.defaults,v 1.1 2004/03/16 21:19:20 zhen Exp $
+
+ARCH="x86"
+GRP_STAGE23_USE="x86 berkdb crypt readline nls ssl tcpd zlib pam pic"
+USE="x86 hardened berkdb crypt readline nls ssl tcpd zlib pam pic"
+FEATURES="sandbox sfperms strict"
+
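Review bot: `GRP_STAGE23_USE` carries the same flags as `USE` except `hardened`, so whatever is built from that set would presumably be compiled without the flag that the rest of the profile relies on. If the omission is deliberate, a comment above the line should say why, e.g. `# hardened intentionally left out of GRP_STAGE23_USE: <reason>`. Otherwise the two lists should agree: `GRP_STAGE23_USE="x86 hardened berkdb crypt readline nls ssl tcpd zlib pam pic"`.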
diff --git a/profiles/hardened/x86/packages b/profiles/hardened/x86/packages
new file mode 100644
index 000000000000..0b2c74065152
--- /dev/null
+++ b/profiles/hardened/x86/packages
@@ -0,0 +1,46 @@
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/x86/packages,v 1.1 2004/03/16 21:19:20 zhen Exp $
+
+# IMPORTANT: In order to parse this new format, you need Portage 1.6 or later!
+
+# OK; you're staring at this file and you have no idea what these stars are
+# for. Here's the scoop. An initial "*" marks a package that is part of the
+# official "base" system profile. If there's a "*", then "emerge system" will
+# use the line in its calculations of what "should" be installed for this
+# profile. Lines without a "*" prefix will be ignored for profile
+# calculations.
+
+# Now, this is new: *all* lines (star or no star) will be used as a special
+# package *inclusion* mask. For example, the line *=sys-devel/gcc-2.95.3-r1
+# will cause Portage to totally ignore all gcc ebuilds other than
+# gcc-2.95.3-r1. >=, <=, <, > and ~ can be used to offer a bit more
+# flexibility. For example, >=sys-libs/glibc-2.2.4 will cause emerge to ignore
+# all glibc ebuilds with a version less than 2.2.4. This allows us to have
+# profile-specific package.mask settings. *All* lines are used for this
+# masking process, whether they are prefixed with a * or not. And if a generic
+# dep is used, like "sys-apps/foo", then all versions of foo are included. If
+# there is no entry, then all versions of an app are included. The key thing
+# to note is that this file does not need to end up being an exhaustive list
+# of portage packages; just the ones critical to this profile.
+
+# So, what happens to /usr/portage/profiles/package.mask? It's still around,
+# and still useful. But it should mainly be used for broken ebuilds only.
+# package.mask continues to function as normal, masking out ebuilds from *all*
+# system profiles.
+
+# Which to use? Use the profile-specific stuff to "lock down" specific
+# versions of ebuilds. Gentoo Linux 1.0_rc6 uses certain known-compatible
+# versions of binutils, gcc and glibc, so we lock them down here. This
+# prevents the user from shooting himself/herself in the foot by installing a
+# wacky version.
+
+*>=sys-devel/binutils-2.13.90.0.4
+
+>=x11-base/xfree-4.1.0-r2
+
+*sys-devel/bin86
+*>=sys-devel/libtool-1.4.1-r4
+*sys-libs/pwdb
+*sys-fs/devfsd
+
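Review bot: The header comment says known-compatible versions of binutils, gcc and glibc are locked down here, but the entries below it pin only `sys-devel/binutils`; the file has no gcc or glibc line. In a hardened profile the compiler and libc are the components most worth constraining. Either add the pins, or correct the comment to say they come from the parent profile, if that is the case. The references to Gentoo Linux 1.0_rc6 and Portage 1.6 also look inherited from an older profile and could be updated.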
diff --git a/profiles/hardened/x86/packages.build b/profiles/hardened/x86/packages.build
new file mode 100644
index 000000000000..ac73ca0ca31f
--- /dev/null
+++ b/profiles/hardened/x86/packages.build
@@ -0,0 +1,36 @@
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/x86/packages.build,v 1.1 2004/03/16 21:19:20 zhen Exp $
+
+app-arch/bzip2
+app-arch/gzip
+app-arch/tar
+app-editors/nano
+app-shells/bash
+dev-lang/python
+net-misc/rsync
+net-misc/wget
+sys-apps/baselayout
+sys-apps/coreutils
+sys-apps/debianutils
+sys-apps/diffutils
+sys-apps/file
+sys-apps/fileutils
+sys-apps/findutils
+sys-apps/gawk
+sys-apps/grep
+sys-apps/less
+sys-apps/net-tools
+sys-apps/portage
+sys-apps/sed
+sys-apps/texinfo
+sys-apps/textutils
+sys-devel/binutils
+sys-devel/bison
+sys-devel/flex
+sys-devel/gcc
+sys-devel/gettext
+sys-devel/make
+sys-devel/patch
+sys-libs/glibc
+
diff --git a/profiles/hardened/x86/parent b/profiles/hardened/x86/parent
new file mode 100644
index 000000000000..93055d46d0d4
--- /dev/null
+++ b/profiles/hardened/x86/parent
@@ -0,0 +1,6 @@
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/x86/parent,v 1.1 2004/03/16 21:19:20 zhen Exp $
+
+default
+
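Review bot: This file names `default` as the parent of hardened/x86, while hardened/parent names `base`, and nothing in the visible hunks links hardened/x86 back to hardened/ itself. Whether the `selinux` mask in hardened/use.mask and the entries in hardened/virtuals apply to the x86 profile therefore depends on how Portage resolves `parent`, which this commit does not show. A comment stating the intended chain would let a reviewer confirm the mask is inherited, e.g. `# inheritance: hardened/x86 -> <...> -> base`.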
diff --git a/profiles/hardened/x86/use.defaults b/profiles/hardened/x86/use.defaults
new file mode 100644
index 000000000000..5be6b8e508bb
--- /dev/null
+++ b/profiles/hardened/x86/use.defaults
@@ -0,0 +1,4 @@
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/x86/use.defaults,v 1.1 2004/03/16 21:19:20 zhen Exp $
+
diff --git a/profiles/hardened/x86/use.mask b/profiles/hardened/x86/use.mask
new file mode 100644
index 000000000000..17dd37fb6c14
--- /dev/null
+++ b/profiles/hardened/x86/use.mask
@@ -0,0 +1,4 @@
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/x86/use.mask,v 1.1 2004/03/16 21:19:20 zhen Exp $
+
diff --git a/profiles/hardened/x86/virtuals b/profiles/hardened/x86/virtuals
new file mode 100644
index 000000000000..76b9a3a15b43
--- /dev/null
+++ b/profiles/hardened/x86/virtuals
@@ -0,0 +1,6 @@
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/x86/virtuals,v 1.1 2004/03/16 21:19:20 zhen Exp $
+
+virtual/bootloader sys-boot/grub
+virtual/linux-sources sys-kernel/gentoo-sources
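Review bot: `virtual/linux-sources` defaults to `sys-kernel/gentoo-sources`, which appears to be a general-purpose kernel, so as far as these hunks show the `hardened` USE flag from make.defaults reaches userland only. If the tree carries a kernel source package with matching hardening patches, it would be the more consistent default for this profile. If gentoo-sources is chosen on purpose, a one-line comment would make that explicit, e.g. `# generic kernel by default; a hardened kernel must be selected explicitly`.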