From 78ef1b565ae26608f11a81f2b60e4a8e404ef9c3 Mon Sep 17 00:00:00 2001 From: Jakub Jirutka Date: Sat, 5 Sep 2015 01:24:40 +0200 Subject: [PATCH] app-emulation/lxc: GRKERNSEC_PROC is incompatible with unprivileged containers LXC uses newuidmap/newgidmap from the shadow package to map UIDs/GIDs for unprivileged containers and this doesn't play well with GRKERNSEC_PROC. You can read more details in https://github.com/shadow-maint/shadow/commit/884895ae25f4e684b8ca75ac03e775370f43a63d --- app-emulation/lxc/lxc-1.0.6-r1.ebuild | 2 ++ app-emulation/lxc/lxc-1.0.7.ebuild | 2 ++ app-emulation/lxc/lxc-1.1.0-r6.ebuild | 2 ++ app-emulation/lxc/lxc-1.1.1-r1.ebuild | 2 ++ app-emulation/lxc/lxc-1.1.2-r1.ebuild | 2 ++ app-emulation/lxc/lxc-1.1.2-r2.ebuild | 2 ++ app-emulation/lxc/lxc-1.1.2.ebuild | 2 ++ 7 files changed, 14 insertions(+) diff --git a/app-emulation/lxc/lxc-1.0.6-r1.ebuild b/app-emulation/lxc/lxc-1.0.6-r1.ebuild index a9b43e5f41be..5fcb85720ea2 100644 --- a/app-emulation/lxc/lxc-1.0.6-r1.ebuild +++ b/app-emulation/lxc/lxc-1.0.6-r1.ebuild @@ -56,6 +56,7 @@ CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE ~!GRKERNSEC_CHROOT_PIVOT ~!GRKERNSEC_CHROOT_CHMOD ~!GRKERNSEC_CHROOT_CAPS + ~!GRKERNSEC_PROC " ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container" @@ -77,6 +78,7 @@ ERROR_GRKERNSEC_CHROOT_DOUBLE=":CONFIG_GRKERNSEC_CHROOT_DOUBLE some GRSEC featur ERROR_GRKERNSEC_CHROOT_PIVOT=":CONFIG_GRKERNSEC_CHROOT_PIVOT some GRSEC features make LXC unusable see postinst notes" ERROR_GRKERNSEC_CHROOT_CHMOD=":CONFIG_GRKERNSEC_CHROOT_CHMOD some GRSEC features make LXC unusable see postinst notes" ERROR_GRKERNSEC_CHROOT_CAPS=":CONFIG_GRKERNSEC_CHROOT_CAPS some GRSEC features make LXC unusable see postinst notes" +ERROR_GRKERNSEC_PROC=":CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers" DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt) 
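Review bot: The `~!GRKERNSEC_PROC` entry added to `CONFIG_CHECK` in lxc-1.0.6-r1.ebuild warns on every host whose kernel has that option set, although per the commit message only unprivileged containers (the newuidmap/newgidmap path) are affected, and nothing in the ebuild records that scope. GRKERNSEC_PROC is a /proc hardening option, so a reader of the warning may turn it off host-wide without needing to; the `~` prefix at least keeps the check advisory rather than fatal. I would add a comment above the assignment, which begins outside this hunk: `# GRKERNSEC_PROC breaks newuidmap/newgidmap; only relevant for unprivileged containers, keep it enabled otherwise`. The same applies to the `CONFIG_CHECK` hunks of the other six ebuilds in this patch.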
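Review bot: The message added in the second hunk of lxc-1.0.6-r1.ebuild starts with a stray colon, `":CONFIG_GRKERNSEC_PROC: ..."`, which looks copied from the neighbouring 1.0.x lines, where the colon sits before the option name instead of after it. The 1.1.x ebuilds in this same patch use the form without it, so I would write `ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers"` here and in the matching hunk of lxc-1.0.7.ebuild. Unlike the neighbouring messages this one does not point to the postinst notes; whether those notes mention GRKERNSEC_PROC is not visible from the patch.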
diff --git a/app-emulation/lxc/lxc-1.0.7.ebuild b/app-emulation/lxc/lxc-1.0.7.ebuild index bb1af21dbb2a..e7628969e2df 100644 --- a/app-emulation/lxc/lxc-1.0.7.ebuild +++ b/app-emulation/lxc/lxc-1.0.7.ebuild @@ -56,6 +56,7 @@ CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE ~!GRKERNSEC_CHROOT_PIVOT ~!GRKERNSEC_CHROOT_CHMOD ~!GRKERNSEC_CHROOT_CAPS + ~!GRKERNSEC_PROC " ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container" @@ -77,6 +78,7 @@ ERROR_GRKERNSEC_CHROOT_DOUBLE=":CONFIG_GRKERNSEC_CHROOT_DOUBLE some GRSEC featur ERROR_GRKERNSEC_CHROOT_PIVOT=":CONFIG_GRKERNSEC_CHROOT_PIVOT some GRSEC features make LXC unusable see postinst notes" ERROR_GRKERNSEC_CHROOT_CHMOD=":CONFIG_GRKERNSEC_CHROOT_CHMOD some GRSEC features make LXC unusable see postinst notes" ERROR_GRKERNSEC_CHROOT_CAPS=":CONFIG_GRKERNSEC_CHROOT_CAPS some GRSEC features make LXC unusable see postinst notes" +ERROR_GRKERNSEC_PROC=":CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers" DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt) diff --git a/app-emulation/lxc/lxc-1.1.0-r6.ebuild b/app-emulation/lxc/lxc-1.1.0-r6.ebuild index 5551bc9bf6cb..57b24da958fa 100644 --- a/app-emulation/lxc/lxc-1.1.0-r6.ebuild +++ b/app-emulation/lxc/lxc-1.1.0-r6.ebuild @@ -61,6 +61,7 @@ CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE ~!GRKERNSEC_CHROOT_PIVOT ~!GRKERNSEC_CHROOT_CHMOD ~!GRKERNSEC_CHROOT_CAPS + ~!GRKERNSEC_PROC " ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container" 
@@ -89,6 +90,7 @@ ERROR_GRKERNSEC_CHROOT_DOUBLE="CONFIG_GRKERNSEC_CHROOT_DOUBLE: some GRSEC featu ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT: some GRSEC features make LXC unusable see postinst notes" ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD: some GRSEC features make LXC unusable see postinst notes" ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS: some GRSEC features make LXC unusable see postinst notes" +ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers" DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt) diff --git a/app-emulation/lxc/lxc-1.1.1-r1.ebuild b/app-emulation/lxc/lxc-1.1.1-r1.ebuild index fbdb0894ed30..bd4c9cd5bc65 100644 --- a/app-emulation/lxc/lxc-1.1.1-r1.ebuild +++ b/app-emulation/lxc/lxc-1.1.1-r1.ebuild @@ -61,6 +61,7 @@ CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE ~!GRKERNSEC_CHROOT_PIVOT ~!GRKERNSEC_CHROOT_CHMOD ~!GRKERNSEC_CHROOT_CAPS + ~!GRKERNSEC_PROC " ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container" @@ -89,6 +90,7 @@ ERROR_GRKERNSEC_CHROOT_DOUBLE="CONFIG_GRKERNSEC_CHROOT_DOUBLE: some GRSEC featu ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT: some GRSEC features make LXC unusable see postinst notes" ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD: some GRSEC features make LXC unusable see postinst notes" ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS: some GRSEC features make LXC unusable see postinst notes" +ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers" DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt) diff --git a/app-emulation/lxc/lxc-1.1.2-r1.ebuild b/app-emulation/lxc/lxc-1.1.2-r1.ebuild index 8dd8dd28e7ff..50b4d5be5161 100644 --- a/app-emulation/lxc/lxc-1.1.2-r1.ebuild +++ b/app-emulation/lxc/lxc-1.1.2-r1.ebuild 
@@ -61,6 +61,7 @@ CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE ~!GRKERNSEC_CHROOT_PIVOT ~!GRKERNSEC_CHROOT_CHMOD ~!GRKERNSEC_CHROOT_CAPS + ~!GRKERNSEC_PROC " ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container" @@ -89,6 +90,7 @@ ERROR_GRKERNSEC_CHROOT_DOUBLE="CONFIG_GRKERNSEC_CHROOT_DOUBLE: some GRSEC featu ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT: some GRSEC features make LXC unusable see postinst notes" ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD: some GRSEC features make LXC unusable see postinst notes" ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS: some GRSEC features make LXC unusable see postinst notes" +ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers" DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt) diff --git a/app-emulation/lxc/lxc-1.1.2-r2.ebuild b/app-emulation/lxc/lxc-1.1.2-r2.ebuild index 8dd8dd28e7ff..50b4d5be5161 100644 --- a/app-emulation/lxc/lxc-1.1.2-r2.ebuild +++ b/app-emulation/lxc/lxc-1.1.2-r2.ebuild @@ -61,6 +61,7 @@ CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE ~!GRKERNSEC_CHROOT_PIVOT ~!GRKERNSEC_CHROOT_CHMOD ~!GRKERNSEC_CHROOT_CAPS + ~!GRKERNSEC_PROC " ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container" @@ -89,6 +90,7 @@ ERROR_GRKERNSEC_CHROOT_DOUBLE="CONFIG_GRKERNSEC_CHROOT_DOUBLE: some GRSEC featu ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT: some GRSEC features make LXC unusable see postinst notes" ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD: some GRSEC features make LXC unusable see postinst notes" ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS: some GRSEC features make LXC unusable see postinst notes" +ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers" DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt) 
diff --git a/app-emulation/lxc/lxc-1.1.2.ebuild b/app-emulation/lxc/lxc-1.1.2.ebuild index 660348e4851e..8d89bca57533 100644 --- a/app-emulation/lxc/lxc-1.1.2.ebuild +++ b/app-emulation/lxc/lxc-1.1.2.ebuild @@ -61,6 +61,7 @@ CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE ~!GRKERNSEC_CHROOT_PIVOT ~!GRKERNSEC_CHROOT_CHMOD ~!GRKERNSEC_CHROOT_CAPS + ~!GRKERNSEC_PROC " ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container" @@ -89,6 +90,7 @@ ERROR_GRKERNSEC_CHROOT_DOUBLE="CONFIG_GRKERNSEC_CHROOT_DOUBLE: some GRSEC featu ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT: some GRSEC features make LXC unusable see postinst notes" ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD: some GRSEC features make LXC unusable see postinst notes" ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS: some GRSEC features make LXC unusable see postinst notes" +ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers" DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt) -- 2.26.2