authorNatanael Copa <ncopa@alpinelinux.org>2015-03-31 14:56:34 +0200
committerNatanael Copa <ncopa@alpinelinux.org>2015-03-31 14:56:34 +0200
commit3d3d5b5eb3e8da030d0211d7b82b7572ce9d332f (patch)
tree93c8186ddbd0a5d79b85a3188a083bc7f518de96
parent5bfe5fdb8a077fc40eddcb2348f53eca7c62496f (diff)
main/docker: support disabling grsec chroot restrictions
-rw-r--r--main/docker/docker.init-ulimit-fix.patch11
-rw-r--r--main/docker/openrc-fixes.patch31
2 files changed, 31 insertions, 11 deletions
diff --git a/main/docker/docker.init-ulimit-fix.patch b/main/docker/docker.init-ulimit-fix.patch
deleted file mode 100644
index 02e5e86e91..0000000000
--- a/main/docker/docker.init-ulimit-fix.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-index a9d21b17089a..8edfaef6378e 100755
---- a/contrib/init/openrc/docker.initd.orig
-+++ b/contrib/init/openrc/docker.initd
-@@ -12,7 +12,6 @@ start() {
- checkpath -f -m 0644 -o root:docker "$DOCKER_LOGFILE"
-
- ulimit -n 1048576
-- ulimit -u 1048576
-
- ebegin "Starting docker daemon"
- start-stop-daemon --start --background \
diff --git a/main/docker/openrc-fixes.patch b/main/docker/openrc-fixes.patch
new file mode 100644
index 0000000000..701459910b
--- /dev/null
+++ b/main/docker/openrc-fixes.patch
@@ -0,0 +1,31 @@
+--- a/contrib/init/openrc/docker.initd 2015-02-10 17:14:37.000000000 -0100
++++ b/contrib/init/openrc/docker.initd 2015-03-31 10:17:15.500070311 -0200
+@@ -8,11 +8,18 @@
+ DOCKER_BINARY=${DOCKER_BINARY:-/usr/bin/docker}
+ DOCKER_OPTS=${DOCKER_OPTS:-}
+
++grsecdir=/proc/sys/kernel/grsecurity
++
+ start() {
+ checkpath -f -m 0644 -o root:docker "$DOCKER_LOGFILE"
++ for i in $disable_grsec; do
++ if [ -e "$grsecdir/$i" ]; then
++ einfo " Disabling $i"
++ echo 0 > "$grsecdir/$i"
++ fi
++ done
+
+ ulimit -n 1048576
+- ulimit -u 1048576
+
+ ebegin "Starting docker daemon"
+ start-stop-daemon --start --background \
+--- a/contrib/init/openrc/docker.confd 2015-02-10 17:14:37.000000000 -0100
++++ b/contrib/init/openrc/docker.confd 2015-03-31 14:52:47.323685914 -0200
+@@ -11,3 +11,6 @@
+
+ # any other random options you want to pass to docker
+ DOCKER_OPTS=""
++
++# disable grsecurity features
++#disable_grsec="chroot_deny_chmod chroot_deny_mknod"
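Review bot: The loop added to start() sets the listed grsecurity sysctls to 0 for the whole host, and nothing in the visible lines puts them back, so every chroot on the machine loses those restrictions rather than only docker's containers; the docker.confd comment `# disable grsecurity features` does not convey that. I would word it as `# grsecurity sysctls (names under /proc/sys/kernel/grsecurity) to set to 0 before docker starts; this is a host-wide setting`. The write is also unchecked, so if it fails (for example because the sysctls have been locked read-only) the restriction stays on after einfo has already announced it as disabled; `echo 0 > "$grsecdir/$i" || ewarn "Could not disable $i"` would surface that. Each entry is used as a path component without validation, so a value containing `/` would write outside $grsecdir; conf.d is normally writable by root only, but skipping such names is a cheap guard. start() continues past the inner hunk and stop() is not shown, so whether the values are restored elsewhere cannot be confirmed from here.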