diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2013-11-08 08:52:45 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-11-08 08:52:45 +0000 |
commit | f2553494462afc74365b57f3e6101995719defff (patch) | |
tree | 6b290979f1a6256ea7e6f3f26e995ef316d9cdac /main/linux-grsec | |
parent | 6d4ec161f3096cd877e893d0d633d11f3fe07d7f (diff) | |
download | aports-f2553494462afc74365b57f3e6101995719defff.tar.bz2 aports-f2553494462afc74365b57f3e6101995719defff.tar.xz |
main/linux-grsec: lxc sysctl fix
Allow containers modify their /proc/sys/net without needing sys_admin
This is so they can enable ip_forward for their namespace
Diffstat (limited to 'main/linux-grsec')
-rw-r--r-- | main/linux-grsec/APKBUILD | 6 | ||||
-rw-r--r-- | main/linux-grsec/sysctl_lxc.patch | 31 |
2 files changed, 36 insertions, 1 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD index c98b66b788..10511c93c8 100644 --- a/main/linux-grsec/APKBUILD +++ b/main/linux-grsec/APKBUILD @@ -7,7 +7,7 @@ case $pkgver in *.*.*) _kernver=${pkgver%.*};; *.*) _kernver=${pkgver};; esac -pkgrel=0 +pkgrel=1 pkgdesc="Linux kernel with grsecurity" url=http://grsecurity.net depends="mkinitfs linux-firmware" @@ -26,6 +26,7 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch fix-memory-map-for-PIE-applications.patch + sysctl_lxc.patch kernelconfig.x86 kernelconfig.x86_64 @@ -159,6 +160,7 @@ aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-p 6ce5fed63aad3f1a1ff1b9ba7b741822 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch 1a5800a2122ba0cc0d06733cb3bb8b8f 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch c6a4ae7e8ca6159e1631545515805216 fix-memory-map-for-PIE-applications.patch +b3c0153d53e508e03d73b94d15b24a96 sysctl_lxc.patch cb5c938dccbee36cfb8bb7ee3546b8af kernelconfig.x86 daa81b89f18254155ac33c5239abf3a4 kernelconfig.x86_64" sha256sums="df27fa92d27a9c410bfe6c4a89f141638500d7eadcca5cce578954efc2ad3544 linux-3.10.tar.xz @@ -171,6 +173,7 @@ dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0 0002-arp-flush ae32bb72afa170e6c3788c564b342763aba5945afacc1e2ebfc096adf50d77a3 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch fc613ac466610b866b721c41836fd5bfb2d4b75bceb67972dc6369d7f62ff47e 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch 500f3577310be52e87b9fecdc2e9c4ca43210fd97d69089f9005d484563f74c7 fix-memory-map-for-PIE-applications.patch +9ba55b0f45d5aa97503e376a13be6d249a10f32e36687055b2fa1e5a39fa0584 sysctl_lxc.patch 3e6c4101bfb90b6a30173ef81cd0d0bea51d6a995fc045ca67db7fed271d969d kernelconfig.x86 da67ef700372d080bffb12a86f0a16c987dc79e18fdfb1a88d2704660239e5f0 kernelconfig.x86_64" sha512sums="5fb109fcbd59bf3dffc911b853894f0a84afa75151368f783a1252c5ff60c7a1504de216c0012be446df983e2dea400ad8eeed3ce04f24dc61d0ef76c174dc35 linux-3.10.tar.xz @@ -183,5 +186,6 @@ d2f578ad1d6e1fe52b55863e5bf338ae8201b828a498ec3e42e549c55295d3d1c6c3adfa9e226d71 28a33e644bf2faf99c8dd6dbccfe14e140dfdd8824a8fb2d58aa7deb9e572f130d92b6b35ee181084050d82166bdf2e498a451a2a538a67b7ab84204405d2d87 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch 249140374c19a5599876268ff5b3cda2e136681aee103b4a9fff5d7d346f8e3295a907fb43db0701b8a9fece64c299ad2abac0434259cce6631307ce84090205 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch 4665c56ae1bbac311f9205d64918e84ee8b01d47d6e2396ff6b8adfb10aada7f7254531ce62e31edbb65c2a54a830f09ad05d314dfcd75d6272f4068945ad7c7 fix-memory-map-for-PIE-applications.patch +41071e21c59997604a380575d3c4171d35a12eaae6ddcf158d95e4fd5ccc69d61753cbd38b7bd08d879cce5bfea3fed2df15e5a3dca944f6f7cbd95d5d2daa23 sysctl_lxc.patch e81d6780a33f00d5ee03b069fc3610da2eda3ba43e515707ae67cd2d609a226b18e9ec446eeacd2afaafe6aa480bb30b9908cce41e0d90f1a3b41e7daf2034c5 kernelconfig.x86 01e38549e92a98f041cb7ee1fec04a35d55322eff718fce6cd5774b60d0db287478ca034309e3dbd06b0194a2ec4b67584ef281018c16681a0ac7ac0fdc7c3ba kernelconfig.x86_64" diff --git a/main/linux-grsec/sysctl_lxc.patch b/main/linux-grsec/sysctl_lxc.patch new file mode 100644 index 0000000000..56279aa03f --- /dev/null +++ b/main/linux-grsec/sysctl_lxc.patch @@ -0,0 +1,31 @@ +This patch allows guests to set /proc/sys/net/*/ip_forward without +needing CAP_SYS_ADMIN. + +diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c +index 1e6dc7e..0a5638b 100644 +--- a/fs/proc/proc_sysctl.c ++++ b/fs/proc/proc_sysctl.c +@@ -11,6 +11,7 @@ + #include <linux/namei.h> + #include <linux/mm.h> + #include <linux/module.h> ++#include <linux/nsproxy.h> + #include "internal.h" + + extern int gr_handle_chroot_sysctl(const int op); +@@ -521,8 +522,13 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf, + dput(filp->f_path.dentry); + if (!gr_acl_handle_open(filp->f_path.dentry, filp->f_path.mnt, op)) + goto out; +- if (write && !capable(CAP_SYS_ADMIN)) +- goto out; ++ if (write) { ++ if (current->nsproxy->net_ns != table->extra2) { ++ if (!capable(CAP_SYS_ADMIN)) ++ goto out; ++ } else if (!nsown_capable(CAP_NET_ADMIN)) ++ goto out; ++ } + #endif + + /* careful: calling conventions are nasty here */ |