| 1 |
commit: 78ef1b565ae26608f11a81f2b60e4a8e404ef9c3 |
| 2 |
Author: Jakub Jirutka <jakub <AT> jirutka <DOT> cz> |
| 3 |
AuthorDate: Fri Sep 4 23:24:40 2015 +0000 |
| 4 |
Commit: Markos Chandras <hwoarang <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Fri Sep 4 23:24:40 2015 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78ef1b56 |
| 7 |
|
| 8 |
app-emulation/lxc: GRKERNSEC_PROC is incompatible with unprivileged containers |
| 9 |
|
| 10 |
LXC uses newuidmap/newgidmap from the shadow package to map UIDs/GIDs |
| 11 |
for unprivileged containers and this doesn't play well with |
| 12 |
GRKERNSEC_PROC. You can read more details in |
| 13 |
https://github.com/shadow-maint/shadow/commit/884895ae25f4e684b8ca75ac03e775370f43a63d |
| 14 |
|
| 15 |
app-emulation/lxc/lxc-1.0.6-r1.ebuild | 2 ++ |
| 16 |
app-emulation/lxc/lxc-1.0.7.ebuild | 2 ++ |
| 17 |
app-emulation/lxc/lxc-1.1.0-r6.ebuild | 2 ++ |
| 18 |
app-emulation/lxc/lxc-1.1.1-r1.ebuild | 2 ++ |
| 19 |
app-emulation/lxc/lxc-1.1.2-r1.ebuild | 2 ++ |
| 20 |
app-emulation/lxc/lxc-1.1.2-r2.ebuild | 2 ++ |
| 21 |
app-emulation/lxc/lxc-1.1.2.ebuild | 2 ++ |
| 22 |
7 files changed, 14 insertions(+) |
| 23 |
|
| 24 |
diff --git a/app-emulation/lxc/lxc-1.0.6-r1.ebuild b/app-emulation/lxc/lxc-1.0.6-r1.ebuild |
| 25 |
index a9b43e5..5fcb857 100644 |
| 26 |
--- a/app-emulation/lxc/lxc-1.0.6-r1.ebuild |
| 27 |
+++ b/app-emulation/lxc/lxc-1.0.6-r1.ebuild |
| 28 |
@@ -56,6 +56,7 @@ CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE |
| 29 |
~!GRKERNSEC_CHROOT_PIVOT |
| 30 |
~!GRKERNSEC_CHROOT_CHMOD |
| 31 |
~!GRKERNSEC_CHROOT_CAPS |
| 32 |
+ ~!GRKERNSEC_PROC |
| 33 |
" |
| 34 |
|
| 35 |
ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container" |
| 36 |
@@ -77,6 +78,7 @@ ERROR_GRKERNSEC_CHROOT_DOUBLE=":CONFIG_GRKERNSEC_CHROOT_DOUBLE some GRSEC featur |
| 37 |
ERROR_GRKERNSEC_CHROOT_PIVOT=":CONFIG_GRKERNSEC_CHROOT_PIVOT some GRSEC features make LXC unusable see postinst notes" |
| 38 |
ERROR_GRKERNSEC_CHROOT_CHMOD=":CONFIG_GRKERNSEC_CHROOT_CHMOD some GRSEC features make LXC unusable see postinst notes" |
| 39 |
ERROR_GRKERNSEC_CHROOT_CAPS=":CONFIG_GRKERNSEC_CHROOT_CAPS some GRSEC features make LXC unusable see postinst notes" |
| 40 |
+ERROR_GRKERNSEC_PROC=":CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers" |
| 41 |
|
| 42 |
DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt) |
| 43 |
|
| 44 |
|
| 45 |
diff --git a/app-emulation/lxc/lxc-1.0.7.ebuild b/app-emulation/lxc/lxc-1.0.7.ebuild |
| 46 |
index bb1af21..e762896 100644 |
| 47 |
--- a/app-emulation/lxc/lxc-1.0.7.ebuild |
| 48 |
+++ b/app-emulation/lxc/lxc-1.0.7.ebuild |
| 49 |
@@ -56,6 +56,7 @@ CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE |
| 50 |
~!GRKERNSEC_CHROOT_PIVOT |
| 51 |
~!GRKERNSEC_CHROOT_CHMOD |
| 52 |
~!GRKERNSEC_CHROOT_CAPS |
| 53 |
+ ~!GRKERNSEC_PROC |
| 54 |
" |
| 55 |
|
| 56 |
ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container" |
| 57 |
@@ -77,6 +78,7 @@ ERROR_GRKERNSEC_CHROOT_DOUBLE=":CONFIG_GRKERNSEC_CHROOT_DOUBLE some GRSEC featur |
| 58 |
ERROR_GRKERNSEC_CHROOT_PIVOT=":CONFIG_GRKERNSEC_CHROOT_PIVOT some GRSEC features make LXC unusable see postinst notes" |
| 59 |
ERROR_GRKERNSEC_CHROOT_CHMOD=":CONFIG_GRKERNSEC_CHROOT_CHMOD some GRSEC features make LXC unusable see postinst notes" |
| 60 |
ERROR_GRKERNSEC_CHROOT_CAPS=":CONFIG_GRKERNSEC_CHROOT_CAPS some GRSEC features make LXC unusable see postinst notes" |
| 61 |
+ERROR_GRKERNSEC_PROC=":CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers" |
| 62 |
|
| 63 |
DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt) |
| 64 |
|
| 65 |
|
| 66 |
diff --git a/app-emulation/lxc/lxc-1.1.0-r6.ebuild b/app-emulation/lxc/lxc-1.1.0-r6.ebuild |
| 67 |
index 5551bc9..57b24da 100644 |
| 68 |
--- a/app-emulation/lxc/lxc-1.1.0-r6.ebuild |
| 69 |
+++ b/app-emulation/lxc/lxc-1.1.0-r6.ebuild |
| 70 |
@@ -61,6 +61,7 @@ CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE |
| 71 |
~!GRKERNSEC_CHROOT_PIVOT |
| 72 |
~!GRKERNSEC_CHROOT_CHMOD |
| 73 |
~!GRKERNSEC_CHROOT_CAPS |
| 74 |
+ ~!GRKERNSEC_PROC |
| 75 |
" |
| 76 |
|
| 77 |
ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container" |
| 78 |
@@ -89,6 +90,7 @@ ERROR_GRKERNSEC_CHROOT_DOUBLE="CONFIG_GRKERNSEC_CHROOT_DOUBLE: some GRSEC featu |
| 79 |
ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT: some GRSEC features make LXC unusable see postinst notes" |
| 80 |
ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD: some GRSEC features make LXC unusable see postinst notes" |
| 81 |
ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS: some GRSEC features make LXC unusable see postinst notes" |
| 82 |
+ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers" |
| 83 |
|
| 84 |
DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt) |
| 85 |
|
| 86 |
|
| 87 |
diff --git a/app-emulation/lxc/lxc-1.1.1-r1.ebuild b/app-emulation/lxc/lxc-1.1.1-r1.ebuild |
| 88 |
index fbdb089..bd4c9cd 100644 |
| 89 |
--- a/app-emulation/lxc/lxc-1.1.1-r1.ebuild |
| 90 |
+++ b/app-emulation/lxc/lxc-1.1.1-r1.ebuild |
| 91 |
@@ -61,6 +61,7 @@ CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE |
| 92 |
~!GRKERNSEC_CHROOT_PIVOT |
| 93 |
~!GRKERNSEC_CHROOT_CHMOD |
| 94 |
~!GRKERNSEC_CHROOT_CAPS |
| 95 |
+ ~!GRKERNSEC_PROC |
| 96 |
" |
| 97 |
|
| 98 |
ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container" |
| 99 |
@@ -89,6 +90,7 @@ ERROR_GRKERNSEC_CHROOT_DOUBLE="CONFIG_GRKERNSEC_CHROOT_DOUBLE: some GRSEC featu |
| 100 |
ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT: some GRSEC features make LXC unusable see postinst notes" |
| 101 |
ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD: some GRSEC features make LXC unusable see postinst notes" |
| 102 |
ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS: some GRSEC features make LXC unusable see postinst notes" |
| 103 |
+ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers" |
| 104 |
|
| 105 |
DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt) |
| 106 |
|
| 107 |
|
| 108 |
diff --git a/app-emulation/lxc/lxc-1.1.2-r1.ebuild b/app-emulation/lxc/lxc-1.1.2-r1.ebuild |
| 109 |
index 8dd8dd2..50b4d5b 100644 |
| 110 |
--- a/app-emulation/lxc/lxc-1.1.2-r1.ebuild |
| 111 |
+++ b/app-emulation/lxc/lxc-1.1.2-r1.ebuild |
| 112 |
@@ -61,6 +61,7 @@ CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE |
| 113 |
~!GRKERNSEC_CHROOT_PIVOT |
| 114 |
~!GRKERNSEC_CHROOT_CHMOD |
| 115 |
~!GRKERNSEC_CHROOT_CAPS |
| 116 |
+ ~!GRKERNSEC_PROC |
| 117 |
" |
| 118 |
|
| 119 |
ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container" |
| 120 |
@@ -89,6 +90,7 @@ ERROR_GRKERNSEC_CHROOT_DOUBLE="CONFIG_GRKERNSEC_CHROOT_DOUBLE: some GRSEC featu |
| 121 |
ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT: some GRSEC features make LXC unusable see postinst notes" |
| 122 |
ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD: some GRSEC features make LXC unusable see postinst notes" |
| 123 |
ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS: some GRSEC features make LXC unusable see postinst notes" |
| 124 |
+ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers" |
| 125 |
|
| 126 |
DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt) |
| 127 |
|
| 128 |
|
| 129 |
diff --git a/app-emulation/lxc/lxc-1.1.2-r2.ebuild b/app-emulation/lxc/lxc-1.1.2-r2.ebuild |
| 130 |
index 8dd8dd2..50b4d5b 100644 |
| 131 |
--- a/app-emulation/lxc/lxc-1.1.2-r2.ebuild |
| 132 |
+++ b/app-emulation/lxc/lxc-1.1.2-r2.ebuild |
| 133 |
@@ -61,6 +61,7 @@ CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE |
| 134 |
~!GRKERNSEC_CHROOT_PIVOT |
| 135 |
~!GRKERNSEC_CHROOT_CHMOD |
| 136 |
~!GRKERNSEC_CHROOT_CAPS |
| 137 |
+ ~!GRKERNSEC_PROC |
| 138 |
" |
| 139 |
|
| 140 |
ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container" |
| 141 |
@@ -89,6 +90,7 @@ ERROR_GRKERNSEC_CHROOT_DOUBLE="CONFIG_GRKERNSEC_CHROOT_DOUBLE: some GRSEC featu |
| 142 |
ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT: some GRSEC features make LXC unusable see postinst notes" |
| 143 |
ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD: some GRSEC features make LXC unusable see postinst notes" |
| 144 |
ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS: some GRSEC features make LXC unusable see postinst notes" |
| 145 |
+ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers" |
| 146 |
|
| 147 |
DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt) |
| 148 |
|
| 149 |
|
| 150 |
diff --git a/app-emulation/lxc/lxc-1.1.2.ebuild b/app-emulation/lxc/lxc-1.1.2.ebuild |
| 151 |
index 660348e..8d89bca 100644 |
| 152 |
--- a/app-emulation/lxc/lxc-1.1.2.ebuild |
| 153 |
+++ b/app-emulation/lxc/lxc-1.1.2.ebuild |
| 154 |
@@ -61,6 +61,7 @@ CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE |
| 155 |
~!GRKERNSEC_CHROOT_PIVOT |
| 156 |
~!GRKERNSEC_CHROOT_CHMOD |
| 157 |
~!GRKERNSEC_CHROOT_CAPS |
| 158 |
+ ~!GRKERNSEC_PROC |
| 159 |
" |
| 160 |
|
| 161 |
ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container" |
| 162 |
@@ -89,6 +90,7 @@ ERROR_GRKERNSEC_CHROOT_DOUBLE="CONFIG_GRKERNSEC_CHROOT_DOUBLE: some GRSEC featu |
| 163 |
ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT: some GRSEC features make LXC unusable see postinst notes" |
| 164 |
ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD: some GRSEC features make LXC unusable see postinst notes" |
| 165 |
ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS: some GRSEC features make LXC unusable see postinst notes" |
| 166 |
+ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC: this GRSEC feature is incompatible with unprivileged containers" |
| 167 |
|
| 168 |
DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt) |
Archives