main/docker: support disabling grsec chroot restrictions

2026-01-06 09:11:38 +01:00 · 2015-03-31 14:56:34 +02:00 · 2015-03-31 14:56:34 +02:00 · 3d3d5b5eb3
commit 3d3d5b5eb3
parent 5bfe5fdb8a
2 changed files with 31 additions and 11 deletions
--- a/main/docker/docker.init-ulimit-fix.patch
+++ b/main/docker/docker.init-ulimit-fix.patch
@ -1,11 +0,0 @@
-index a9d21b17089a..8edfaef6378e 100755
--- a/contrib/init/openrc/docker.initd.orig
-+++ b/contrib/init/openrc/docker.initd
-@@ -12,7 +12,6 @@ start() {
- 	checkpath -f -m 0644 -o root:docker "$DOCKER_LOGFILE"
- 
- 	ulimit -n 1048576
-	ulimit -u 1048576
- 
- 	ebegin "Starting docker daemon"
- 	start-stop-daemon --start --background \
--- a/main/docker/openrc-fixes.patch
+++ b/main/docker/openrc-fixes.patch
@ -0,0 +1,31 @@
+--- a/contrib/init/openrc/docker.initd	2015-02-10 17:14:37.000000000 -0100
+++ b/contrib/init/openrc/docker.initd	2015-03-31 10:17:15.500070311 -0200
+@@ -8,11 +8,18 @@
+ DOCKER_BINARY=${DOCKER_BINARY:-/usr/bin/docker}
+ DOCKER_OPTS=${DOCKER_OPTS:-}
+ 
+grsecdir=/proc/sys/kernel/grsecurity
+
+ start() {
+ 	checkpath -f -m 0644 -o root:docker "$DOCKER_LOGFILE"
+	for i in $disable_grsec; do
+		if [ -e "$grsecdir/$i" ]; then
+			einfo " Disabling $i"
+			echo 0 > "$grsecdir/$i"
+		fi
+	done
+ 
+ 	ulimit -n 1048576
+-	ulimit -u 1048576
+ 
+ 	ebegin "Starting docker daemon"
+ 	start-stop-daemon --start --background \
+--- a/contrib/init/openrc/docker.confd	2015-02-10 17:14:37.000000000 -0100
+++ b/contrib/init/openrc/docker.confd	2015-03-31 14:52:47.323685914 -0200
+@@ -11,3 +11,6 @@
+ 
+ # any other random options you want to pass to docker
+ DOCKER_OPTS=""
+
+# disable grsecurity features
+#disable_grsec="chroot_deny_chmod chroot_deny_mknod"