Date: Wednesday, June 25, 2014 @ 04:11:01 Author: thestinger Revision: 113529
enable container-compatible chroot restrictions by default
Modified:
linux-grsec/trunk/PKGBUILD
linux-grsec/trunk/sysctl.conf
-------------+
PKGBUILD | 2 +-
sysctl.conf | 12 ++++++------
2 files changed, 7 insertions(+), 7 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2014-06-24 21:19:53 UTC (rev 113528)
+++ PKGBUILD 2014-06-25 02:11:01 UTC (rev 113529)
@@ -38,7 +38,7 @@
 'ca7e718375b3790888756cc0a64a7500cd57dddb9bf7e10a0df22c860d91f74d'
 'faced4eb4c47c4eb1a9ee8a5bf8a7c4b49d6b4d78efbe426e410730e6267d182'
 '79359454c9d8446eb55add2b1cdbf8332bd67dafb01fefb5b1ca090225f64d18'
- '763f9323cdefc9ddf74ffeffd856f9eaec4d8d4ef702c88ee1aab429c2d0b389')
+ 'd4d4ae0b9c510547f47d94582e4ca08a7f12e9baf324181cb54d328027305e31')
 _kernelname=${pkgbase#linux}
Modified: sysctl.conf
===================================================================
--- sysctl.conf 2014-06-24 21:19:53 UTC (rev 113528)
+++ sysctl.conf 2014-06-25 02:11:01 UTC (rev 113529)
@@ -44,21 +44,21 @@
 #kernel.grsecurity.romount_protect = 1
 #
-# chroot restrictions (many of these will break containers)
+# chroot restrictions (the commented options will break containers)
 #
 #kernel.grsecurity.chroot_caps = 1
 #kernel.grsecurity.chroot_deny_chmod = 1
 #kernel.grsecurity.chroot_deny_chroot = 1
-#kernel.grsecurity.chroot_deny_fchdir = 1
+kernel.grsecurity.chroot_deny_fchdir = 1
 #kernel.grsecurity.chroot_deny_mknod = 1
 #kernel.grsecurity.chroot_deny_mount = 1
 #kernel.grsecurity.chroot_deny_pivot = 1
-#kernel.grsecurity.chroot_deny_shmat = 1
-#kernel.grsecurity.chroot_deny_sysctl = 1
-#kernel.grsecurity.chroot_deny_unix = 1
+kernel.grsecurity.chroot_deny_shmat = 1
+kernel.grsecurity.chroot_deny_sysctl = 1
+kernel.grsecurity.chroot_deny_unix = 1
 kernel.grsecurity.chroot_enforce_chdir = 1
-#kernel.grsecurity.chroot_findtask = 1
+kernel.grsecurity.chroot_findtask = 1
 #kernel.grsecurity.chroot_restrict_nice = 1
 #