From: Jakub Jirutka
Date: Fri, 4 Sep 2015 23:32:12 +0000 (+0200)
Subject: app-emulation/lxc: GRKERNSEC_SYSFS_RESTRICT is incompatible with unprivileged containers
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=refs%2Fremotes%2Fgithub%2Fpr%2F67;p=gentoo.git
app-emulation/lxc: GRKERNSEC_SYSFS_RESTRICT is incompatible with unprivileged containers
Since lxc-1.1.0 unprivileged containers fail to mount sysfs if GRKERNSEC_SYSFS_RESTRICT is enabled:
lxc-start: conf.c: lxc_mount_auto_mounts: 819 Permission denied - \
error mounting sysfs on /var/lib/lxc/rootfs/sys/devices/virtual/net flags 0
---
diff --git a/app-emulation/lxc/lxc-1.1.0-r6.ebuild b/app-emulation/lxc/lxc-1.1.0-r6.ebuild
index 57b24da958fa..3976c1f59e72 100644
--- a/app-emulation/lxc/lxc-1.1.0-r6.ebuild
+++ b/app-emulation/lxc/lxc-1.1.0-r6.ebuild
@@ -62,6 +62,7 @@ CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE
 ~!GRKERNSEC_CHROOT_CHMOD
 ~!GRKERNSEC_CHROOT_CAPS
 ~!GRKERNSEC_PROC
+ ~!GRKERNSEC_SYSFS_RESTRICT
 "
 ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container"
@@ -91,6 +92,7 @@ ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT: some GRSEC feature
 ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD: some GRSEC features make LXC unusable see postinst notes"
 ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS: some GRSEC features make LXC unusable see postinst notes"
 ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers"
+ERROR_GRKERNSEC_SYSFS_RESTRICT="CONFIG_GRKERNSEC_SYSFS_RESTRICT: this GRSEC feature is incompatible with unprivileged containers"
 DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt)
diff --git a/app-emulation/lxc/lxc-1.1.1-r1.ebuild b/app-emulation/lxc/lxc-1.1.1-r1.ebuild
index bd4c9cd5bc65..a4f137cfffbb 100644
--- a/app-emulation/lxc/lxc-1.1.1-r1.ebuild
+++ b/app-emulation/lxc/lxc-1.1.1-r1.ebuild
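Review bot: The new ERROR_GRKERNSEC_SYSFS_RESTRICT string in the second hunk only says "incompatible", while the neighbouring CHROOT_* messages point the admin at the postinst notes; because the check is added with the `~!` prefix it is non-fatal, so the message is the only guidance an admin gets on whether disabling this hardening option is actually necessary on their host. I would spell out the observed failure and its scope as the commit message describes it: `ERROR_GRKERNSEC_SYSFS_RESTRICT="CONFIG_GRKERNSEC_SYSFS_RESTRICT: this GRSEC feature is incompatible with unprivileged containers (their sysfs mount in lxc_mount_auto_mounts fails with EPERM); see postinst notes"`. The pkg_postinst notes the other messages refer to lie outside these hunks and are not touched by the commit; if they enumerate the GRSEC options, GRKERNSEC_SYSFS_RESTRICT presumably belongs there too. The same two hunks recur verbatim in lxc-1.1.1-r1, lxc-1.1.2-r1, lxc-1.1.2-r2 and lxc-1.1.2, and this applies to each of them.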
@@ -62,6 +62,7 @@ CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE
 ~!GRKERNSEC_CHROOT_CHMOD
 ~!GRKERNSEC_CHROOT_CAPS
 ~!GRKERNSEC_PROC
+ ~!GRKERNSEC_SYSFS_RESTRICT
 "
 ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container"
@@ -91,6 +92,7 @@ ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT: some GRSEC feature
 ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD: some GRSEC features make LXC unusable see postinst notes"
 ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS: some GRSEC features make LXC unusable see postinst notes"
 ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers"
+ERROR_GRKERNSEC_SYSFS_RESTRICT="CONFIG_GRKERNSEC_SYSFS_RESTRICT: this GRSEC feature is incompatible with unprivileged containers"
 DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt)
diff --git a/app-emulation/lxc/lxc-1.1.2-r1.ebuild b/app-emulation/lxc/lxc-1.1.2-r1.ebuild
index 50b4d5be5161..6e09da1edbbe 100644
--- a/app-emulation/lxc/lxc-1.1.2-r1.ebuild
+++ b/app-emulation/lxc/lxc-1.1.2-r1.ebuild
@@ -62,6 +62,7 @@ CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE
 ~!GRKERNSEC_CHROOT_CHMOD
 ~!GRKERNSEC_CHROOT_CAPS
 ~!GRKERNSEC_PROC
+ ~!GRKERNSEC_SYSFS_RESTRICT
 "
 ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container"
@@ -91,6 +92,7 @@ ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT: some GRSEC feature
 ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD: some GRSEC features make LXC unusable see postinst notes"
 ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS: some GRSEC features make LXC unusable see postinst notes"
 ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers"
+ERROR_GRKERNSEC_SYSFS_RESTRICT="CONFIG_GRKERNSEC_SYSFS_RESTRICT: this GRSEC feature is incompatible with unprivileged containers"
 DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt)
diff --git a/app-emulation/lxc/lxc-1.1.2-r2.ebuild b/app-emulation/lxc/lxc-1.1.2-r2.ebuild
index 50b4d5be5161..6e09da1edbbe 100644
--- a/app-emulation/lxc/lxc-1.1.2-r2.ebuild
+++ b/app-emulation/lxc/lxc-1.1.2-r2.ebuild
@@ -62,6 +62,7 @@ CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE
 ~!GRKERNSEC_CHROOT_CHMOD
 ~!GRKERNSEC_CHROOT_CAPS
 ~!GRKERNSEC_PROC
+ ~!GRKERNSEC_SYSFS_RESTRICT
 "
 ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container"
@@ -91,6 +92,7 @@ ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT: some GRSEC feature
 ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD: some GRSEC features make LXC unusable see postinst notes"
 ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS: some GRSEC features make LXC unusable see postinst notes"
 ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers"
+ERROR_GRKERNSEC_SYSFS_RESTRICT="CONFIG_GRKERNSEC_SYSFS_RESTRICT: this GRSEC feature is incompatible with unprivileged containers"
 DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt)
diff --git a/app-emulation/lxc/lxc-1.1.2.ebuild b/app-emulation/lxc/lxc-1.1.2.ebuild
index 8d89bca57533..542aca0ad518 100644
--- a/app-emulation/lxc/lxc-1.1.2.ebuild
+++ b/app-emulation/lxc/lxc-1.1.2.ebuild
@@ -62,6 +62,7 @@ CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE
 ~!GRKERNSEC_CHROOT_CHMOD
 ~!GRKERNSEC_CHROOT_CAPS
 ~!GRKERNSEC_PROC
+ ~!GRKERNSEC_SYSFS_RESTRICT
 "
 ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container"
@@ -91,6 +92,7 @@ ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT: some GRSEC feature
 ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD: some GRSEC features make LXC unusable see postinst notes"
 ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS: some GRSEC features make LXC unusable see postinst notes"
 ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers"
+ERROR_GRKERNSEC_SYSFS_RESTRICT="CONFIG_GRKERNSEC_SYSFS_RESTRICT: this GRSEC feature is incompatible with unprivileged containers"
 DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt)