Package: src:linux-grsec
Version: 4.9.65-2+grsecunoff1~bpo9+1
Severity: normal

Dear Maintainer,

It seems that the grsec_sysfs_restrict boot-time option is either unavailable or ineffective in some way. This makes unprivileged LXC containers unusable on a grsec-enabled system.

The issue is exactly as described here:
https://forum.alpinelinux.org/forum/pax-grsecurity/unprivileged-lxc-and-grsecurity-kernel

However, it seems that booting with grsec_sysfs_restrict=0 is ignored. I can boot the kernel with grsec_sysfs_restrict=0 set, and the listed sysctls set to 0, but lxc-create still fails with the error given in that forum post.

It's fairly easy to reproduce the problem. Install lxc, and:

$ cat /etc/subuid
root:200000:65536
$ cat /etc/subgid
root:200000:65536
$ cat /etc/lxc/default.conf
lxc.network.type = empty
lxc.id_map = u 0 200000 65536
lxc.id_map = g 0 200000 65536
$ sudo lxc-create -n example -t download
[sudo] password for someone:
newuidmap: Target process 2182 is owned by a different user: uid:0 pw_uid:0 st_uid:0, gid:0 pw_gid:0 st_gid:64044
error mapping child
setgid: Invalid argument
lxc-create: lxccontainer.c: create_run_template: 1297 container creation template for example failed
lxc-create: tools/lxc_create.c: main: 318 Error creating container example

-- Package-specific info:
** Version:
Linux version 4.9.0-4-grsec-amd64 (cor...@debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18) ) #1 SMP Debian 4.9.65-2+grsecunoff1~bpo9+1 (2017-12-09)

** Command line:

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-grsec-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages linux-image-4.9.0-4-grsec-amd64 depends on:
ii  initramfs-tools [linux-initramfs-tool]  0.130
ii  kmod                                    23-2
ii  linux-base                              4.5
ii  linux-grsec-base                        13~bpo9+1

Versions of packages linux-image-4.9.0-4-grsec-amd64 recommends:
ii  attr                 1:2.4.47-2+b2
ii  firmware-linux-free  3.4
ii  gradm2               3.1~201701031918-2
ii  irqbalance           1.1.0-2.3
ii  paxctl               0.9-1+b1

Versions of packages linux-image-4.9.0-4-grsec-amd64 suggests:
pn  debian-kernel-handbook  <none>
ii  grub-efi-amd64          2.02~beta3-5
pn  linux-doc-4.9           <none>

Versions of packages linux-image-4.9.0-4-grsec-amd64 is related to:
pn  firmware-amd-graphics     <none>
pn  firmware-atheros          <none>
pn  firmware-bnx2             <none>
pn  firmware-bnx2x            <none>
pn  firmware-brcm80211        <none>
pn  firmware-cavium           <none>
pn  firmware-intel-sound      <none>
pn  firmware-intelwimax       <none>
pn  firmware-ipw2x00          <none>
pn  firmware-ivtv             <none>
pn  firmware-iwlwifi          <none>
pn  firmware-libertas         <none>
pn  firmware-linux-nonfree    <none>
pn  firmware-misc-nonfree     <none>
pn  firmware-myricom          <none>
pn  firmware-netxen           <none>
pn  firmware-qlogic           <none>
pn  firmware-realtek          <none>
pn  firmware-samsung          <none>
pn  firmware-siano            <none>
pn  firmware-ti-connectivity  <none>
pn  xen-hypervisor            <none>

-- no debconf information
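As an added example, not part of the bug report and not code from the lxc or shadow projects, the following POSIX shell script checks the two preconditions the reproduction above exercises: that each lxc.id_map range lies inside the user's /etc/subuid or /etc/subgid allocation, and that /proc/<pid> of the target process is owned by the process's own uid and gid, which is the comparison newuidmap's error message reports (here st_gid 64044 against pw_gid 0). The sample lines are constructed from the report; check_live assumes GNU stat and a Linux /proc.

```shell
#!/bin/sh
# Added example for this bug report; not from the report or from lxc/shadow.

# idmap_in_range RANGE_LINE USER START COUNT
# RANGE_LINE is an /etc/subuid or /etc/subgid line "user:start:count".
# Succeeds when [START, START+COUNT) lies inside USER's allocation, which is
# what newuidmap/newgidmap require before writing the uid/gid map.
idmap_in_range() {
    range_line=$1 want_user=$2 start=$3 count=$4
    r_user=${range_line%%:*}
    rest=${range_line#*:}
    r_start=${rest%%:*}
    r_count=${rest#*:}
    [ "$r_user" = "$want_user" ] || return 1
    [ "$start" -ge "$r_start" ] || return 1
    [ $((start + count)) -le $((r_start + r_count)) ] || return 1
    return 0
}

# procdir_owner_matches UID GID ST_UID ST_GID
# Mirrors the ownership test behind the error in the report: the /proc/<pid>
# directory must be owned by the target process's own uid and gid. In the
# report st_gid is 64044 while the process gid is 0, so this fails.
procdir_owner_matches() {
    [ "$1" -eq "$3" ] && [ "$2" -eq "$4" ]
}

# check_live PID
# Runs procdir_owner_matches against a real process on this host.
# Assumes GNU stat(1) and /proc/<pid>/status (Linux).
check_live() {
    pid=$1
    st_uid=$(stat -c %u "/proc/$pid")
    st_gid=$(stat -c %g "/proc/$pid")
    uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status")
    gid=$(awk '/^Gid:/ { print $2 }' "/proc/$pid/status")
    if procdir_owner_matches "$uid" "$gid" "$st_uid" "$st_gid"; then
        echo "pid $pid: /proc/$pid is owned by $st_uid:$st_gid, matching uid:$uid gid:$gid"
    else
        echo "pid $pid: /proc/$pid is owned by $st_uid:$st_gid but the process is uid:$uid gid:$gid (newuidmap would refuse)"
        return 1
    fi
}

# Constructed input, copied from the report's reproduction steps.
SUBUID_LINE="root:200000:65536"
SUBGID_LINE="root:200000:65536"

if idmap_in_range "$SUBUID_LINE" root 0 65536 2>/dev/null; then :; fi
idmap_in_range "$SUBUID_LINE" root 200000 65536 && echo "uid map 0..65535 -> 200000 fits /etc/subuid"
idmap_in_range "$SUBGID_LINE" root 200000 65536 && echo "gid map 0..65535 -> 200000 fits /etc/subgid"
procdir_owner_matches 0 0 0 64044 || echo "constructed case from the report: /proc/<pid> gid 64044 != process gid 0"
```

Run check_live on a process id on the grsec host (for example check_live $$ from a root shell) to see whether /proc/<pid> ownership differs from the process's own ids there; the range checks only confirm that the subuid/subgid and id_map values in the report are consistent with each other, which they are, so the failure is not a mapping-range problem.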