Diffstat (limited to 'profiles/hardened')
28 files changed, 296 insertions, 0 deletions
diff --git a/profiles/hardened/linux/13.0/amd64/make.defaults b/profiles/hardened/linux/13.0/amd64/make.defaults
new file mode 100644
index 00000000..61b0126e
--- /dev/null
+++ b/profiles/hardened/linux/13.0/amd64/make.defaults
@@ -0,0 +1,10 @@
+# Copyright 1999-2012 Gentoo Foundation.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/linux/amd64/make.defaults,v 1.7 2012/06/16 11:44:13 jlec Exp $
+
+USE="justify -pic"
+
+CFLAGS="-O2 -pipe"
+CXXFLAGS="${CFLAGS}"
+FFLAGS="${CFLAGS}"
+FCFLAGS="${CFLAGS}"
diff --git a/profiles/hardened/linux/13.0/amd64/no-multilib/make.defaults b/profiles/hardened/linux/13.0/amd64/no-multilib/make.defaults
new file mode 100644
index 00000000..6361e853
--- /dev/null
+++ b/profiles/hardened/linux/13.0/amd64/no-multilib/make.defaults
@@ -0,0 +1,8 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/linux/amd64/no-multilib/make.defaults,v 1.2 2011/11/17 01:14:26 jmbsvicetto Exp $
+
+ARCH="amd64"
+ACCEPT_KEYWORDS="${ARCH}"
+
+MULTILIB_ABIS="amd64"
diff --git a/profiles/hardened/linux/13.0/amd64/no-multilib/package.mask b/profiles/hardened/linux/13.0/amd64/no-multilib/package.mask
new file mode 100644
index 00000000..eab68843
--- /dev/null
+++ b/profiles/hardened/linux/13.0/amd64/no-multilib/package.mask
@@ -0,0 +1,14 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/linux/amd64/no-multilib/package.mask,v 1.6 2012/12/23 10:55:48 patrick Exp $
+
+# These are broken as reported by Halcy0n, Aug, 23, 2011
+games-action/shadowgrounds-bin
+games-action/shadowgrounds-survivor-bin
+
+# needs x86-compat
+media-sound/aucdtect
+
+# 32bit only
+dev-lang/rebol-bin
+dev-lang/rebol
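Review bot: In amd64/make.defaults, `USE="justify -pic"` switches off the `pic` flag that the shared 13.0/make.defaults in this same commit turns on, and nothing in the file says why. A one-line comment above it would keep the next editor from treating it as a mistake, for example `# amd64 code is position-independent without USE=pic; the flag only matters on x86` (that is my reading of the intent, please confirm). The `justify` token has no explanation either and deserves a word on what it is for.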
diff --git a/profiles/hardened/linux/13.0/amd64/no-multilib/package.use.mask b/profiles/hardened/linux/13.0/amd64/no-multilib/package.use.mask
new file mode 100644
index 00000000..35b4ede7
--- /dev/null
+++ b/profiles/hardened/linux/13.0/amd64/no-multilib/package.use.mask
@@ -0,0 +1,6 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/linux/amd64/no-multilib/package.use.mask,v 1.1 2011/08/23 19:40:04 halcy0n Exp $
+
+# Intel Integrated Primitive (sci-libs/ipp) support
+media-libs/opencv ipp
diff --git a/profiles/hardened/linux/13.0/amd64/no-multilib/parent b/profiles/hardened/linux/13.0/amd64/no-multilib/parent
new file mode 100644
index 00000000..52bcba73
--- /dev/null
+++ b/profiles/hardened/linux/13.0/amd64/no-multilib/parent
@@ -0,0 +1,2 @@
+..
+../../../../../features/64bit-native
diff --git a/profiles/hardened/linux/13.0/amd64/no-multilib/selinux/parent b/profiles/hardened/linux/13.0/amd64/no-multilib/selinux/parent
new file mode 100644
index 00000000..2190e979
--- /dev/null
+++ b/profiles/hardened/linux/13.0/amd64/no-multilib/selinux/parent
@@ -0,0 +1,2 @@
+..
+../../../../../../features/selinux
diff --git a/profiles/hardened/linux/13.0/amd64/no-multilib/use.mask b/profiles/hardened/linux/13.0/amd64/no-multilib/use.mask
new file mode 100644
index 00000000..1aaf5cd5
--- /dev/null
+++ b/profiles/hardened/linux/13.0/amd64/no-multilib/use.mask
@@ -0,0 +1,7 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/linux/amd64/no-multilib/use.mask,v 1.1 2012/02/10 21:52:56 mattst88 Exp $
+
+# Matt Turner <mattst88@gentoo.org) (10 Feb 2012)
+# mask d3d since wine is 32-bit
+d3d
diff --git a/profiles/hardened/linux/13.0/amd64/package.mask b/profiles/hardened/linux/13.0/amd64/package.mask
new file mode 100644
index 00000000..60a4b1f8
--- /dev/null
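Review bot: The attribution line in amd64/no-multilib/use.mask has mismatched delimiters, `<mattst88@gentoo.org)`, so the address is not well-formed for any tooling that parses author lines. It should read `# Matt Turner <mattst88@gentoo.org> (10 Feb 2012)`.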
+++ b/profiles/hardened/linux/13.0/amd64/package.mask
@@ -0,0 +1,15 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/linux/amd64/package.mask,v 1.4 2012/11/20 04:18:17 zorry Exp $
+
+# Magnus Granberg <zorry@gentoo.org> (20 Nov 2012)
+# Newer then 300.00 is patched but we still have RWX in the libs.
+# We mask X for we still need to make the doc for revdep-pax else
+# hell will rule.
+# Bug 433121
+<=x11-drivers/nvidia-drivers-300.00
+#media-video/nvidia-settings
+#dev-util/nvidia-cuda-sdk
+
+# Depends on x11-drivers/nvidia-drivers
+#dev-python/pyopencl
diff --git a/profiles/hardened/linux/13.0/amd64/package.use b/profiles/hardened/linux/13.0/amd64/package.use
new file mode 100644
index 00000000..9bd09a8d
--- /dev/null
+++ b/profiles/hardened/linux/13.0/amd64/package.use
@@ -0,0 +1,19 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/linux/amd64/package.use,v 1.3 2011/03/25 16:19:06 blueness Exp $
+
+# Magnus Granberg <zorry@gentoo.org> (06 Mar 2011)
+# We will have pic enable on older package but not
+# new one. This will be removed when newer get
+# stable and older package is not in portage tree
+# any longer. Tracker bug #348050
+<media-libs/mesa-7.10.1 pic
+<media-libs/xvid-1.3.0 pic
+<dev-lang/php-5.3.5-r1 pic
+
+# Magnus Grenberg <zorry@gentoo.org> (17 Mar 2011)
+# Bug 358929 the pic flag need to be on don't know way.
+# Anthony Basile <blueness@gentoo.org>
+# Bug 348050 comment 5 - fixed mispelling
+app-emulation/open-vm-tools pic
+
diff --git a/profiles/hardened/linux/13.0/amd64/package.use.mask b/profiles/hardened/linux/13.0/amd64/package.use.mask
new file mode 100644
index 00000000..ef4cbf01
--- /dev/null
+++ b/profiles/hardened/linux/13.0/amd64/package.use.mask
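Review bot: The comment block in amd64/package.mask describes a different restriction from the one the file applies: it says "We mask X", but the only active atom is `<=x11-drivers/nvidia-drivers-300.00`, and the X flag mask itself lives in package.use.mask. I would reword it to state the mask that is actually here, e.g. `# Mask nvidia-drivers up to 300.00 (unpatched). Newer versions are patched but still ship libs with RWX mappings, bug 433121.` It should also say in one line whether the three commented-out atoms (`#media-video/nvidia-settings`, `#dev-util/nvidia-cuda-sdk`, `#dev-python/pyopencl`) are deliberately left unmasked or are pending. The same text is copied into x86/package.mask later in this commit and needs the same edit.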
@@ -0,0 +1,31 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/linux/amd64/package.use.mask,v 1.23 2012/11/29 21:20:47 zorry Exp $
+
+# When you add an entry to the top of this file, add your name, the date, and
+# an explanation of why something is getting masked. Please be extremely
+# careful not to commit atoms that are not valid, as it can cause large-scale
+# breakage, especially if it ends up in the daily snapshot.
+#
+## Example:
+##
+## # Dev E. Loper <developer@gentoo.org> (28 Jun 2012)
+## # Masking foo USE flag until we can get the
+## # foo stuff to work properly again (bug 12345)
+## =media-video/mplayer-0.90_pre5 foo
+## =media-video/mplayer-0.90_pre5-r1 foo
+
+# Kacper Kowalik <xarthisius@gentoo.org> (29 Jul 2011)
+# mask assembler as it currently doesn't work
+dev-lang/path64 assembler
+
+# Magnus Granberg <zorry@gentoo.org> (20 Nov 2012)
+# mask X for we still mis the docs for revdep-pax
+# else hell will rule. (RWX in the libs)
+# Bug 433121
+# also mask tools as it requires X -zerochaos
+x11-drivers/nvidia-drivers X tools
+
+# Magnus Granberg <zorry@gentoo.org> (29 Nov 2012)
+# Bug #444786 disable nvidia on app-admin/conky
+app-admin/conky nvidia
diff --git a/profiles/hardened/linux/13.0/amd64/parent b/profiles/hardened/linux/13.0/amd64/parent
new file mode 100644
index 00000000..33dcf172
--- /dev/null
+++ b/profiles/hardened/linux/13.0/amd64/parent
@@ -0,0 +1,4 @@
+../../../../base
+../../../../default/linux
+../../../../arch/amd64
+..
diff --git a/profiles/hardened/linux/13.0/amd64/selinux/parent b/profiles/hardened/linux/13.0/amd64/selinux/parent
new file mode 100644
index 00000000..933e6792
--- /dev/null
+++ b/profiles/hardened/linux/13.0/amd64/selinux/parent
@@ -0,0 +1,2 @@
+..
+../../../../../features/selinux
diff --git a/profiles/hardened/linux/13.0/amd64/use.mask b/profiles/hardened/linux/13.0/amd64/use.mask
new file mode 100644
index 00000000..1a7f4296
--- /dev/null
+++ b/profiles/hardened/linux/13.0/amd64/use.mask
@@ -0,0 +1,11 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/linux/amd64/use.mask,v 1.7 2012/11/27 02:03:24 zerochaos Exp $
+
+# Rick Farina <zerochaos@gentoo.org> 26 Nov 2012
+video_cards_nvidia
+# removing mask on nvidia use flag as it is used by monitoring tools
+# which may be desireable for cuda users
+#nvidia
+# adjusting use flag mask as nvidia-drivers are usable for cuda at least
+#cuda
diff --git a/profiles/hardened/linux/13.0/amd64/x32/make.defaults b/profiles/hardened/linux/13.0/amd64/x32/make.defaults
new file mode 100644
index 00000000..ab350e0b
--- /dev/null
+++ b/profiles/hardened/linux/13.0/amd64/x32/make.defaults
@@ -0,0 +1,5 @@
+# Copyright 1999-2012 Gentoo Foundation.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/linux/amd64/x32/make.defaults,v 1.1 2012/08/31 17:49:11 vapier Exp $
+
+CHOST="x86_64-pc-linux-gnux32"
diff --git a/profiles/hardened/linux/13.0/amd64/x32/parent b/profiles/hardened/linux/13.0/amd64/x32/parent
new file mode 100644
index 00000000..318c9a0e
--- /dev/null
+++ b/profiles/hardened/linux/13.0/amd64/x32/parent
@@ -0,0 +1,3 @@
+..
+../../../../../features/multilib/
+../../../../../arch/amd64/x32/
diff --git a/profiles/hardened/linux/13.0/make.defaults b/profiles/hardened/linux/13.0/make.defaults
new file mode 100644
index 00000000..cdedd1a5
--- /dev/null
+++ b/profiles/hardened/linux/13.0/make.defaults
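Review bot: In amd64/use.mask the only active entry, `video_cards_nvidia`, has no reason attached: the author line sits directly above it, while both explanatory comments belong to the commented-out `#nvidia` and `#cuda` lines below. A reader cannot tell from the file why the video driver flag stays masked when the other two were released. A line such as `# keep video_cards_nvidia masked: the X driver libs still have RWX mappings (bug 433121)` would close that gap, assuming that is the reason, as the package.mask comments in this commit suggest. x86/use.mask is an identical copy and needs the same comment.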
@@ -0,0 +1,9 @@
+# Copyright 1999-2012 Gentoo Foundation.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/linux/make.defaults,v 1.17 2012/06/26 13:36:21 blueness Exp $
+
+# Jorge Manuel B. S. Vicetto <jmbsvicetto@gentoo.org> (16 Nov 2011)
+# Rename STAGE1_USE to BOOTSTRAP_USE and stack it to the parent value
+BOOTSTRAP_USE="${BOOTSTRAP_USE} hardened pax_kernel pic -jit -orc"
+
+USE="-fortran hardened -jit pax_kernel pic urandom -orc"
diff --git a/profiles/hardened/linux/13.0/package.mask b/profiles/hardened/linux/13.0/package.mask
new file mode 100644
index 00000000..c88a41a0
--- /dev/null
+++ b/profiles/hardened/linux/13.0/package.mask
@@ -0,0 +1,29 @@
+# Copyright 1999-2012 Gentoo Foundation.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/linux/package.mask,v 1.39 2012/12/27 11:19:04 pinkbyte Exp $
+
+# Hardened versions of gcc-4.0* through gcc-4.2* are not available.
+=sys-devel/gcc-4.0*
+=sys-devel/gcc-4.1*
+=sys-devel/gcc-4.2*
+
+# Hardened >=sys-devel/gcc-4.4.3-r3 >=gcc-4.4.4-r1 available.
+=sys-devel/gcc-4.4.2*
+
+# =sys-devel/gdb-7.0 is not hardened-ready according to xake & Zorry.
+# sys-devel/gdb-7.1 works fine
+# 2010-03-26 zorry
+=sys-devel/gdb-7.0*
+
+# Can't be used on hardened. See upstream,
+# http://developer.skype.com/jira/browse/SCL-616
+media-sound/skype-call-recorder
+net-im/skype
+net-im/skypetab-ng
+dev-python/skype4py
+
+# >=sci-libs/acml-3.6 requires gcc-4.2.
+>=sci-libs/acml-3.6
+
+# broken on hardened, use sys-apps/elfix to fix gnustack
+sys-devel/prelink
diff --git a/profiles/hardened/linux/13.0/package.use.force b/profiles/hardened/linux/13.0/package.use.force
new file mode 100644
index 00000000..9fcc9c56
--- /dev/null
+++ b/profiles/hardened/linux/13.0/package.use.force
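Review bot: The two flag lists in 13.0/make.defaults carry the profile's core hardening choices with no comment on any of them: `hardened pax_kernel pic` on, `-jit -orc` off. These are the settings a user is most likely to override locally, so a short rationale would help, e.g. `# jit/orc generate code at run time and need writable+executable memory, which PaX MPROTECT denies` (that is my understanding of the reason; confirm before committing). `USE` also sets `-fortran` and `urandom`, which `BOOTSTRAP_USE` does not; if that difference is intended it is worth a line as well.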
@@ -0,0 +1,7 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/linux/package.use.force,v 1.1 2011/08/24 18:11:30 xarthisius Exp $
+
+# Kacper Kowalik <xarthisius@gentoo.org> (24 Aug 2011)
+# Force hardened flag to make repoman happy
+app-emulation/wine hardened
diff --git a/profiles/hardened/linux/13.0/package.use.mask b/profiles/hardened/linux/13.0/package.use.mask
new file mode 100644
index 00000000..b120869f
--- /dev/null
+++ b/profiles/hardened/linux/13.0/package.use.mask
@@ -0,0 +1,12 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/linux/package.use.mask,v 1.13 2012/07/19 13:38:40 anarchy Exp $
+
+sys-devel/gcc -hardened
+sys-libs/glibc -hardened
+
+# bug 407689
+media-tv/xbmc profile
+
+# Have no way to disable jit in esr release.
+=www-client/firefox-10* pgo
diff --git a/profiles/hardened/linux/13.0/packages b/profiles/hardened/linux/13.0/packages
new file mode 100644
index 00000000..5bec5fc1
--- /dev/null
+++ b/profiles/hardened/linux/13.0/packages
@@ -0,0 +1,7 @@
+# Copyright 1999-2011 Gentoo Foundation.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/linux/packages,v 1.2 2011/07/03 22:28:58 blueness Exp $
+
+# This file extends the base packages file for all hardened profiles
+
+*sys-apps/paxctl
diff --git a/profiles/hardened/linux/13.0/parent b/profiles/hardened/linux/13.0/parent
new file mode 100644
index 00000000..a1a92de4
--- /dev/null
+++ b/profiles/hardened/linux/13.0/parent
@@ -0,0 +1 @@
+../../../releases/13.0
diff --git a/profiles/hardened/linux/13.0/use.mask b/profiles/hardened/linux/13.0/use.mask
new file mode 100644
index 00000000..ada1a499
--- /dev/null
+++ b/profiles/hardened/linux/13.0/use.mask
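Review bot: In 13.0/package.use.mask the last comment does not match the entry under it: it says there is no way to disable JIT in the ESR release, but the flag masked on `=www-client/firefox-10*` is `pgo`. Either the comment should explain why `pgo` is masked, or the atom masks the wrong flag. The first two entries, `sys-devel/gcc -hardened` and `sys-libs/glibc -hardened`, also carry no comment; something like `# unmask USE=hardened for the toolchain packages on this profile` would make the leading minus readable to anyone unfamiliar with the mask negation syntax.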
@@ -0,0 +1,16 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/linux/use.mask,v 1.18 2013/01/12 12:36:18 zorry Exp $
+
+-hardened
+
+emul-linux-x86
+
+# tcc is x86-only
+tcc
+
+# precompiled headers are not compat with ASLR.
+pch
+
+# prelink is masked for hardened
+prelink
diff --git a/profiles/hardened/linux/13.0/x86/make.defaults b/profiles/hardened/linux/13.0/x86/make.defaults
new file mode 100644
index 00000000..e55210b1
--- /dev/null
+++ b/profiles/hardened/linux/13.0/x86/make.defaults
@@ -0,0 +1,27 @@
+# Copyright 1999-2012 Gentoo Foundation.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/linux/x86/make.defaults,v 1.13 2012/10/15 15:58:18 chithanh Exp $
+
+ARCH="x86"
+ACCEPT_KEYWORDS="x86"
+
+CHOST="i686-pc-linux-gnu"
+CFLAGS="-march=i686 -O2 -pipe"
+CXXFLAGS="${CFLAGS}"
+FFLAGS="${CFLAGS}"
+FCFLAGS="${CFLAGS}"
+
+USE="nptl"
+
+# 2006/08/18 - Donnie Berkholz <dberkholz@gentoo.org>
+# Defaults for video drivers
+VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 intel \
+ mach64 mga nsc nv r128 radeon rendition s3 s3virge savage \
+ siliconmotion sis sisusb tdfx tga trident tseng v4l vesa via vmware \
+ voodoo"
+
+# 2006/12/21 - Andrej Kacian <ticho@gentoo.org>
+# Defaults for audio drivers
+ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 \
+ emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m \
+ maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
diff --git a/profiles/hardened/linux/13.0/x86/package.mask b/profiles/hardened/linux/13.0/x86/package.mask
new file mode 100644
index 00000000..02519508
--- /dev/null
+++ b/profiles/hardened/linux/13.0/x86/package.mask
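Review bot: 13.0/use.mask documents `tcc`, `pch` and `prelink` but gives no reason for its first two entries, `-hardened` and `emul-linux-x86`. The `-hardened` line is what makes the flag available on this profile at all, so it deserves a comment such as `# unmask the hardened flag, which is masked in the base profile`; I am assuming the base profile masks it, which is not visible in this diff. `emul-linux-x86` needs a similar one-liner saying why the flag is masked here.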
@@ -0,0 +1,15 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/linux/x86/package.mask,v 1.8 2012/11/27 01:20:13 zerochaos Exp $
+
+# Rick Farina <zerochaos@gentoo.org> (26 Nov 2012)
+# Newer then 300.00 is patched but we still have RWX in the libs.
+# We mask X for we still need to make the doc for revdep-pax else
+# hell will rule. Propogating change from amd64.
+# Bug 433121
+<=x11-drivers/nvidia-drivers-300.00
+#media-video/nvidia-settings
+#dev-util/nvidia-cuda-sdk
+
+# Depends on x11-drivers/nvidia-drivers
+#dev-python/pyopencl
diff --git a/profiles/hardened/linux/13.0/x86/package.use.mask b/profiles/hardened/linux/13.0/x86/package.use.mask
new file mode 100644
index 00000000..010e4be3
--- /dev/null
+++ b/profiles/hardened/linux/13.0/x86/package.use.mask
@@ -0,0 +1,17 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/linux/x86/package.use.mask,v 1.19 2012/12/27 11:17:38 pinkbyte Exp $
+
+# cyrus-sasl doesn't work w/ USE=berkdb (#192753)
+dev-libs/cyrus-sasl berkdb
+
+# Rick Farina <zerochaos@gentoo.org> (26 Nov 2012)
+# mask X and tools for we still miss the docs for revdep-pax
+# else hell will rule. (RWX in the libs)
+# Propogating changes from amd64.
+# Bug 433121
+x11-drivers/nvidia-drivers X tools
+
+# Magnus Granberg <zorry@gentoo.org> (29 Nov 2012)
+# Bug #444786 disable nvidia on app-admin/conky
+app-admin/conky nvidia
diff --git a/profiles/hardened/linux/13.0/x86/parent b/profiles/hardened/linux/13.0/x86/parent
new file mode 100644
index 00000000..4b1f003b
--- /dev/null
+++ b/profiles/hardened/linux/13.0/x86/parent
@@ -0,0 +1,4 @@
+../../../../base
+../../../../default/linux
+../../../../arch/x86
+..
diff --git a/profiles/hardened/linux/13.0/x86/selinux/parent b/profiles/hardened/linux/13.0/x86/selinux/parent
new file mode 100644
index 00000000..933e6792
--- /dev/null
+++ b/profiles/hardened/linux/13.0/x86/selinux/parent
@@ -0,0 +1,2 @@
+..
+../../../../../features/selinux
diff --git a/profiles/hardened/linux/13.0/x86/use.mask b/profiles/hardened/linux/13.0/x86/use.mask
new file mode 100644
index 00000000..e12e5c6a
--- /dev/null
+++ b/profiles/hardened/linux/13.0/x86/use.mask
@@ -0,0 +1,11 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/profiles/hardened/linux/x86/use.mask,v 1.7 2012/11/27 02:03:24 zerochaos Exp $
+
+# Rick Farina <zerochaos@gentoo.org> 26 Nov 2012
+video_cards_nvidia
+# removing mask on nvidia use flag as it is used by monitoring tools
+# which may be desireable for cuda users
+#nvidia
+# adjusting use flag mask as nvidia-drivers are usable for cuda at least
+#cuda |