Your message dated Sun, 15 Apr 2018 15:47:34 +0000
with message-id <e1f7jsm-0001b4...@fasolo.debian.org>
and subject line Bug#895433: Removed package(s) from unstable
has caused the Debian Bug report #888702,
regarding linux-image-4.9.0-4-grsec-amd64: grsec_sysfs_restrict does not appear to be available
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
888702: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888702
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:linux-grsec
Version: 4.9.65-2+grsecunoff1~bpo9+1
Severity: normal

Dear Maintainer,

It seems that the grsec_sysfs_restrict boot-time option is either
unavailable or ineffective in some way. This makes unprivileged LXC
containers unusable on a grsec enabled system. The issue is exactly
as described here:

https://forum.alpinelinux.org/forum/pax-grsecurity/unprivileged-lxc-and-grsecurity-kernel

However, it seems that booting with grsec_sysfs_restrict=0 is ignored. I
can boot the kernel with grsec_sysfs_restrict=0 set, and the listed
sysctls set to 0, but lxc-create still fails with the error given in
that forum post.

It's fairly easy to reproduce the problem. Install lxc, and:

$ cat /etc/subuid
root:200000:65536

$ cat /etc/subgid
root:200000:65536

$ cat /etc/lxc/default.conf
lxc.network.type = empty
lxc.id_map = u 0 200000 65536
lxc.id_map = g 0 200000 65536

$ sudo lxc-create -n example -t download
[sudo] password for someone:
newuidmap: Target process 2182 is owned by a different user: uid:0 pw_uid:0 st_uid:0, gid:0 pw_gid:0 st_gid:64044
error mapping child
setgid: Invalid argument
lxc-create: lxccontainer.c: create_run_template: 1297 container creation template for example failed
lxc-create: tools/lxc_create.c: main: 318 Error creating container example

-- Package-specific info:
** Version:
Linux version 4.9.0-4-grsec-amd64 (cor...@debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18) ) #1 SMP Debian 4.9.65-2+grsecunoff1~bpo9+1 (2017-12-09)

** Command line:

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-grsec-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages linux-image-4.9.0-4-grsec-amd64 depends on:
ii  initramfs-tools [linux-initramfs-tool]  0.130
ii  kmod                                    23-2
ii  linux-base                              4.5
ii  linux-grsec-base                        13~bpo9+1

Versions of packages linux-image-4.9.0-4-grsec-amd64 recommends:
ii  attr                 1:2.4.47-2+b2
ii  firmware-linux-free  3.4
ii  gradm2               3.1~201701031918-2
ii  irqbalance           1.1.0-2.3
ii  paxctl               0.9-1+b1

Versions of packages linux-image-4.9.0-4-grsec-amd64 suggests:
pn  debian-kernel-handbook  <none>
ii  grub-efi-amd64          2.02~beta3-5
pn  linux-doc-4.9           <none>

Versions of packages linux-image-4.9.0-4-grsec-amd64 is related to:
pn  firmware-amd-graphics     <none>
pn  firmware-atheros          <none>
pn  firmware-bnx2             <none>
pn  firmware-bnx2x            <none>
pn  firmware-brcm80211        <none>
pn  firmware-cavium           <none>
pn  firmware-intel-sound      <none>
pn  firmware-intelwimax       <none>
pn  firmware-ipw2x00          <none>
pn  firmware-ivtv             <none>
pn  firmware-iwlwifi          <none>
pn  firmware-libertas         <none>
pn  firmware-linux-nonfree    <none>
pn  firmware-misc-nonfree     <none>
pn  firmware-myricom          <none>
pn  firmware-netxen           <none>
pn  firmware-qlogic           <none>
pn  firmware-realtek          <none>
pn  firmware-samsung          <none>
pn  firmware-siano            <none>
pn  firmware-ti-connectivity  <none>
pn  xen-hypervisor            <none>

-- no debconf information

--- End Message ---
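
Added example, not part of the original report and not code from shadow's newuidmap: a small shell helper that splits the newuidmap error line quoted in the report into its six fields and names the pairs that disagree. It assumes the values in each of the uid and gid triples are expected to match; the function names and the joined sample line are constructed here.

```shell
#!/bin/sh
# Constructed sample: the newuidmap line from the report, joined onto one line.
SAMPLE='newuidmap: Target process 2182 is owned by a different user: uid:0 pw_uid:0 st_uid:0, gid:0 pw_gid:0 st_gid:64044'

# field LINE NAME: print the number that follows " NAME:" in LINE.
# The leading space keeps "uid" from matching inside "pw_uid" or "st_uid".
field() {
    printf '%s\n' "$1" | sed -n "s/.* $2:\([0-9][0-9]*\).*/\1/p"
}

# mismatches LINE: print the pairs whose values differ, space separated.
# Assumption: caller id, passwd entry id and /proc/<pid> owner should agree.
mismatches() {
    uid=$(field "$1" uid); pw_uid=$(field "$1" pw_uid); st_uid=$(field "$1" st_uid)
    gid=$(field "$1" gid); pw_gid=$(field "$1" pw_gid); st_gid=$(field "$1" st_gid)
    out=
    [ "$uid" = "$pw_uid" ]    || out="$out uid!=pw_uid"
    [ "$pw_uid" = "$st_uid" ] || out="$out pw_uid!=st_uid"
    [ "$gid" = "$pw_gid" ]    || out="$out gid!=pw_gid"
    [ "$gid" = "$st_gid" ]    || out="$out gid!=st_gid"
    printf '%s\n' "${out# }"
}

# proc_owner PID: print "uid:gid" owning /proc/PID on the running kernel,
# for comparison with `id -u` and `id -g` of the caller (GNU stat assumed).
proc_owner() {
    stat -c '%u:%g' "/proc/$1"
}

# For the sample from the report, only the group of /proc/<pid> differs.
mismatches "$SAMPLE"
```

On an affected system, `proc_owner $$` can be compared with `id -u` and `id -g` to see whether the group owner of the `/proc/<pid>` directory differs from the caller's group.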
--- Begin Message ---
Version: 4.9.65-2+grsecunoff1+rm

Dear submitter,

as the package linux-grsec has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/895433

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)

--- End Message ---