main/docker: support disabling grsec chroot restrictions

3d3d5b5e · Natanael Copa · 5bfe5fdb · 5bfe5fdb · 3d3d5b5e
Commit 3d3d5b5e authored 9 years ago by Natanael Copa
--- a/main/docker/docker.init-ulimit-fix.patch
+++ b/main/docker/docker.init-ulimit-fix.patch
-index a9d21b17089a..8edfaef6378e 100755
--- a/contrib/init/openrc/docker.initd.orig
-+++ b/contrib/init/openrc/docker.initd
-@@ -12,7 +12,6 @@ start() {
- 	checkpath -f -m 0644 -o root:docker "$DOCKER_LOGFILE"
- 	ulimit -n 1048576
-	ulimit -u 1048576
- 	ebegin "Starting docker daemon"
- 	start-stop-daemon --start --background \
--- a/main/docker/openrc-fixes.patch
+++ b/main/docker/openrc-fixes.patch
+--- a/contrib/init/openrc/docker.initd	2015-02-10 17:14:37.000000000 -0100
+++ b/contrib/init/openrc/docker.initd	2015-03-31 10:17:15.500070311 -0200
+@@ -8,11 +8,18 @@
+ DOCKER_BINARY=${DOCKER_BINARY:-/usr/bin/docker}
+ DOCKER_OPTS=${DOCKER_OPTS:-}
+grsecdir=/proc/sys/kernel/grsecurity
+
+ start() {
+ 	checkpath -f -m 0644 -o root:docker "$DOCKER_LOGFILE"
+	for i in $disable_grsec; do
+		if [ -e "$grsecdir/$i" ]; then
+			einfo " Disabling $i"
+			echo 0 > "$grsecdir/$i"
+		fi
+	done
+ 	ulimit -n 1048576
+-	ulimit -u 1048576
+ 	ebegin "Starting docker daemon"
+ 	start-stop-daemon --start --background \
+--- a/contrib/init/openrc/docker.confd	2015-02-10 17:14:37.000000000 -0100
+++ b/contrib/init/openrc/docker.confd	2015-03-31 14:52:47.323685914 -0200
+@@ -11,3 +11,6 @@
+ # any other random options you want to pass to docker
+ DOCKER_OPTS=""
+
+# disable grsecurity features
+#disable_grsec="chroot_deny_chmod chroot_deny_mknod"