Bug#722587: pbuilder: Please document grsecurity requirements
Santiago Ruano Rincón
santiagorr at riseup.net
Mon Apr 11 13:07:31 UTC 2016
On 12/09/13 at 16:31, Helge Kreutzmann wrote:
> Package: pbuilder
> Version: 0.213
> Severity: wishlist
>
> For people using self built kernels using grsecurity it would be nice
> if you could document the chroot settings necessary. I could not
> readily find this by searching on the net (i.e. google) but rather by
> inferring other cases to mine and trying out config settings.
>
> This information could go into README.Debian or one of the man pages.
>
> Most of the chroot restrictions may be set, but the following two must
> not be set, otherwise pbuilder will die with an error:
> # CONFIG_GRKERNSEC_CHROOT_MOUNT is not set
> # CONFIG_GRKERNSEC_CHROOT_CAPS is not set
>
Note that Debian now includes linux-image-grsec packages, thanks to
Yves-Alexis Perez. They have sysctl config enabled, and this is the only
change in /etc/sysctl.d/grsec.conf that I needed:
kernel.grsecurity.chroot_deny_chmod = 0
The pbuilder user inside the chroot also needs Trusted Path Execution
(TPE), cf. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814738
Refs: http://www.corsac.net/?rub=blog&post=1517
Cheers,
Santiago
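
A pre-flight check for the settings named in this thread, as an added example that is not part of the original messages or of pbuilder: it reads a saved kernel config and a sysctl.d fragment and reports the options the two posters say stop pbuilder from working. The function names, and the rule that a missing chroot_deny_chmod line counts as a conflict, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or from pbuilder): report grsecurity chroot
# settings that the messages above say break pbuilder. Both inputs are files, so
# a saved kernel config and a sysctl.d fragment can be checked offline.

# Print each CONFIG_ option named in the bug report that is enabled (=y) in $1.
kconfig_conflicts() {
    for opt in CONFIG_GRKERNSEC_CHROOT_MOUNT CONFIG_GRKERNSEC_CHROOT_CAPS; do
        if grep -Eq "^${opt}=y[[:space:]]*$" "$1"; then
            echo "$opt"
        fi
    done
}

# Print the effective value of sysctl key $1 in file $2. Comment lines are
# skipped and the last assignment wins; prints nothing if the key is absent.
sysctl_value() {
    awk -F= -v key="$1" '
        /^[[:space:]]*[#;]/ { next }
        { k = $1; gsub(/[[:space:]]/, "", k) }
        k == key { v = $2; gsub(/[[:space:]]/, "", v); val = v; found = 1 }
        END { if (found) print val }' "$2"
}

# Return 0 if the two files look compatible with pbuilder, 1 otherwise.
# Assumption: a chroot_deny_chmod line that is absent is treated as a conflict.
pbuilder_grsec_check() {
    rc=0
    for opt in $(kconfig_conflicts "$1"); do
        echo "conflict: $opt is set in $1"
        rc=1
    done
    v=$(sysctl_value kernel.grsecurity.chroot_deny_chmod "$2")
    if [ "$v" != "0" ]; then
        echo "conflict: kernel.grsecurity.chroot_deny_chmod is '${v:-unset}' in $2, expected 0"
        rc=1
    fi
    return $rc
}

# Usage: sh check.sh /boot/config-$(uname -r) /etc/sysctl.d/grsec.conf
if [ $# -eq 2 ]; then
    pbuilder_grsec_check "$1" "$2"
fi
```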