commit:     a226893bb48e8979b054b1b8cb463402a8d58e27
Author:     Jakub Jirutka <jakub <AT> jirutka <DOT> cz>
AuthorDate: Fri Sep  4 23:32:12 2015 +0000
Commit:     Markos Chandras <hwoarang <AT> gentoo <DOT> org>
CommitDate: Fri Sep  4 23:32:12 2015 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a226893b

app-emulation/lxc: GRKERNSEC_SYSFS_RESTRICT is incompatible with unprivileged 
containers

Since lxc-1.1.0 unprivileged containers fail to mount sysfs if
GRKERNSEC_SYSFS_RESTRICT is enabled:

    lxc-start: conf.c: lxc_mount_auto_mounts: 819 Permission denied - \
    error mounting sysfs on /var/lib/lxc/rootfs/sys/devices/virtual/net flags 0

 app-emulation/lxc/lxc-1.1.0-r6.ebuild | 2 ++
 app-emulation/lxc/lxc-1.1.1-r1.ebuild | 2 ++
 app-emulation/lxc/lxc-1.1.2-r1.ebuild | 2 ++
 app-emulation/lxc/lxc-1.1.2-r2.ebuild | 2 ++
 app-emulation/lxc/lxc-1.1.2.ebuild    | 2 ++
 5 files changed, 10 insertions(+)

diff --git a/app-emulation/lxc/lxc-1.1.0-r6.ebuild 
b/app-emulation/lxc/lxc-1.1.0-r6.ebuild
index 57b24da..3976c1f 100644
--- a/app-emulation/lxc/lxc-1.1.0-r6.ebuild
+++ b/app-emulation/lxc/lxc-1.1.0-r6.ebuild
@@ -62,6 +62,7 @@ CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE
        ~!GRKERNSEC_CHROOT_CHMOD
        ~!GRKERNSEC_CHROOT_CAPS
        ~!GRKERNSEC_PROC
+       ~!GRKERNSEC_SYSFS_RESTRICT
 "
 
 ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES:  needed for 
pts inside container"
@@ -91,6 +92,7 @@ ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT:  
some GRSEC feature
 ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD:  some GRSEC 
features make LXC unusable see postinst notes"
 ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS:  some GRSEC 
features make LXC unusable see postinst notes"
 ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC:  this GRSEC feature is 
incompatible with unprivileged containers"
+ERROR_GRKERNSEC_SYSFS_RESTRICT="CONFIG_GRKERNSEC_SYSFS_RESTRICT:  this GRSEC 
feature is incompatible with unprivileged containers"
 
 DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt)
 
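Review bot: The ERROR_GRKERNSEC_SYSFS_RESTRICT message added at the end of this hunk says only that the option is "incompatible with unprivileged containers", while the concrete symptom (lxc-1.1.0 and later failing to mount sysfs inside the container with "Permission denied") lives only in the commit message; because the matching CONFIG_CHECK entry uses the non-fatal `~!` prefix, this string is the only hint a warned user sees, so it should carry the symptom, e.g. `ERROR_GRKERNSEC_SYSFS_RESTRICT="CONFIG_GRKERNSEC_SYSFS_RESTRICT:  incompatible with unprivileged containers: lxc >= 1.1.0 fails to mount sysfs in the container (Permission denied)"`. The neighbouring GRKERNSEC_CHROOT_* messages refer the user to "postinst notes", and the diffstat shows only these two lines added per ebuild, so the postinst notes presumably do not mention SYSFS_RESTRICT yet — worth adding there if they enumerate the other GRSEC options. The same message is added verbatim in lxc-1.1.1-r1, lxc-1.1.2-r1, lxc-1.1.2-r2 and lxc-1.1.2, so one wording change applies to all five. The CONFIG_CHECK string extended in the first hunk of each file begins before that hunk.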

diff --git a/app-emulation/lxc/lxc-1.1.1-r1.ebuild 
b/app-emulation/lxc/lxc-1.1.1-r1.ebuild
index bd4c9cd..a4f137c 100644
--- a/app-emulation/lxc/lxc-1.1.1-r1.ebuild
+++ b/app-emulation/lxc/lxc-1.1.1-r1.ebuild
@@ -62,6 +62,7 @@ CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE
        ~!GRKERNSEC_CHROOT_CHMOD
        ~!GRKERNSEC_CHROOT_CAPS
        ~!GRKERNSEC_PROC
+       ~!GRKERNSEC_SYSFS_RESTRICT
 "
 
 ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES:  needed for 
pts inside container"
@@ -91,6 +92,7 @@ ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT:  
some GRSEC feature
 ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD:  some GRSEC 
features make LXC unusable see postinst notes"
 ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS:  some GRSEC 
features make LXC unusable see postinst notes"
 ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC:  this GRSEC feature is 
incompatible with unprivileged containers"
+ERROR_GRKERNSEC_SYSFS_RESTRICT="CONFIG_GRKERNSEC_SYSFS_RESTRICT:  this GRSEC 
feature is incompatible with unprivileged containers"
 
 DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt)
 

diff --git a/app-emulation/lxc/lxc-1.1.2-r1.ebuild 
b/app-emulation/lxc/lxc-1.1.2-r1.ebuild
index 50b4d5b..6e09da1 100644
--- a/app-emulation/lxc/lxc-1.1.2-r1.ebuild
+++ b/app-emulation/lxc/lxc-1.1.2-r1.ebuild
@@ -62,6 +62,7 @@ CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE
        ~!GRKERNSEC_CHROOT_CHMOD
        ~!GRKERNSEC_CHROOT_CAPS
        ~!GRKERNSEC_PROC
+       ~!GRKERNSEC_SYSFS_RESTRICT
 "
 
 ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES:  needed for 
pts inside container"
@@ -91,6 +92,7 @@ ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT:  
some GRSEC feature
 ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD:  some GRSEC 
features make LXC unusable see postinst notes"
 ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS:  some GRSEC 
features make LXC unusable see postinst notes"
 ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC:  this GRSEC feature is 
incompatible with unprivileged containers"
+ERROR_GRKERNSEC_SYSFS_RESTRICT="CONFIG_GRKERNSEC_SYSFS_RESTRICT:  this GRSEC 
feature is incompatible with unprivileged containers"
 
 DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt)
 

diff --git a/app-emulation/lxc/lxc-1.1.2-r2.ebuild 
b/app-emulation/lxc/lxc-1.1.2-r2.ebuild
index 50b4d5b..6e09da1 100644
--- a/app-emulation/lxc/lxc-1.1.2-r2.ebuild
+++ b/app-emulation/lxc/lxc-1.1.2-r2.ebuild
@@ -62,6 +62,7 @@ CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE
        ~!GRKERNSEC_CHROOT_CHMOD
        ~!GRKERNSEC_CHROOT_CAPS
        ~!GRKERNSEC_PROC
+       ~!GRKERNSEC_SYSFS_RESTRICT
 "
 
 ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES:  needed for 
pts inside container"
@@ -91,6 +92,7 @@ ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT:  
some GRSEC feature
 ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD:  some GRSEC 
features make LXC unusable see postinst notes"
 ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS:  some GRSEC 
features make LXC unusable see postinst notes"
 ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC:  this GRSEC feature is 
incompatible with unprivileged containers"
+ERROR_GRKERNSEC_SYSFS_RESTRICT="CONFIG_GRKERNSEC_SYSFS_RESTRICT:  this GRSEC 
feature is incompatible with unprivileged containers"
 
 DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt)
 

diff --git a/app-emulation/lxc/lxc-1.1.2.ebuild 
b/app-emulation/lxc/lxc-1.1.2.ebuild
index 8d89bca..542aca0 100644
--- a/app-emulation/lxc/lxc-1.1.2.ebuild
+++ b/app-emulation/lxc/lxc-1.1.2.ebuild
@@ -62,6 +62,7 @@ CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE
        ~!GRKERNSEC_CHROOT_CHMOD
        ~!GRKERNSEC_CHROOT_CAPS
        ~!GRKERNSEC_PROC
+       ~!GRKERNSEC_SYSFS_RESTRICT
 "
 
 ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES:  needed for 
pts inside container"
@@ -91,6 +92,7 @@ ERROR_GRKERNSEC_CHROOT_PIVOT="CONFIG_GRKERNSEC_CHROOT_PIVOT:  
some GRSEC feature
 ERROR_GRKERNSEC_CHROOT_CHMOD="CONFIG_GRKERNSEC_CHROOT_CHMOD:  some GRSEC 
features make LXC unusable see postinst notes"
 ERROR_GRKERNSEC_CHROOT_CAPS="CONFIG_GRKERNSEC_CHROOT_CAPS:  some GRSEC 
features make LXC unusable see postinst notes"
 ERROR_GRKERNSEC_PROC="CONFIG_GRKERNSEC_PROC:  this GRSEC feature is 
incompatible with unprivileged containers"
+ERROR_GRKERNSEC_SYSFS_RESTRICT="CONFIG_GRKERNSEC_SYSFS_RESTRICT:  this GRSEC 
feature is incompatible with unprivileged containers"
 
 DOCS=(AUTHORS CONTRIBUTING MAINTAINERS NEWS README doc/FAQ.txt)
 
