On 12/09/13 at 16:31, Helge Kreutzmann wrote:
> Package: pbuilder
> Version: 0.213
> Severity: wishlist
>
> For people using self built kernels using grsecurity it would be nice
> if you could document the chroot settings necessary. I could not
> readily find this by searching on the net (i.e. google) but rather by
> inferring other cases to mine and trying out config settings.
>
> This information could go into README.Debian or one of the man pages.
>
> Most of the chroot restrictions may be set, but the following two must
> not be set, otherwise pbuilder will die with an error:
> # CONFIG_GRKERNSEC_CHROOT_MOUNT is not set
> # CONFIG_GRKERNSEC_CHROOT_CAPS is not set
>
Note that Debian now includes linux-image-grsec packages, thanks to Yves-Alexis Perez. They have sysctl config enabled, and this is the only change in /etc/sysctl.d/grsec.conf that I needed:

    kernel.grsecurity.chroot_deny_chmod = 0

The pbuilder user inside the chroot also needs Trusted Path Execution (TPE), cf. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814738

Refs: http://www.corsac.net/?rub=blog&post=1517

Cheers,
Santiago