app-emulation/lxc (looks like all versions, but I've only tested 1.1.5 and 2.0.1) checks the kernel configuration and warns if some GRSecurity options are set. It does not currently warn about CONFIG_GRKERNSEC_CHROOT_FINDTASK. However, if that option is enabled, a process injected into the container using "lxc-attach" will only be able to see processes started in its session, not e.g. processes started by init when the container booted. This makes it impossible to call init scripts from an lxc-attach:ed shell, since the init scripts think all their processes have crashed. Please add "~!GRKERNSEC_CHROOT_FINDTASK" to the CONFIG_CHECK expression in app-emulation/lxc.
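The requested "~!GRKERNSEC_CHROOT_FINDTASK" token can be read with the simplified model below, an added example that is not the lxc ebuild's or linux-info.eclass's own code. It assumes the eclass prefix semantics ("~" downgrades a failure to a warning, "!" requires the option to be unset); the function names and the sample kernel config are constructed for illustration.

```shell
#!/bin/sh
# Simplified model of evaluating one CONFIG_CHECK token against a kernel
# config. Illustration only; not code from linux-info.eclass.

# Constructed sample kernel config (not taken from a real system).
sample_config() {
cat <<'EOF'
CONFIG_NAMESPACES=y
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
# CONFIG_GRKERNSEC_CHROOT_CAPS is not set
EOF
}

# option_enabled CONFIG_FILE NAME: succeeds if CONFIG_NAME is =y or =m.
option_enabled() {
    grep -Eq "^CONFIG_$2=[ym]\$" "$1"
}

# check_token CONFIG_FILE TOKEN: prints ok, warn or error.
check_token() {
    cfg=$1 tok=$2 fatal=1 negate=0
    case $tok in "~"*) fatal=0; tok=${tok#"~"} ;; esac   # "~": warn only
    case $tok in "!"*) negate=1; tok=${tok#"!"} ;; esac  # "!": must be unset
    if option_enabled "$cfg" "$tok"; then present=1; else present=0; fi
    if [ "$present" -ne "$negate" ]; then
        echo ok
    elif [ "$fatal" -eq 1 ]; then
        echo error
    else
        echo warn
    fi
}

# Evaluate a few tokens, including the one requested in this report.
demo() {
    demo_cfg=$(mktemp) || return 1
    sample_config > "$demo_cfg"
    for t in "~NAMESPACES" "~!GRKERNSEC_CHROOT_CAPS" "~!GRKERNSEC_CHROOT_FINDTASK"; do
        printf '%-32s %s\n' "$t" "$(check_token "$demo_cfg" "$t")"
    done
    rm -f "$demo_cfg"
}
demo
```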
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f63fbe792e3f4db205f04df2376a5aa0f92de494

commit f63fbe792e3f4db205f04df2376a5aa0f92de494
Author:     Nils Freydank <holgersson@posteo.de>
AuthorDate: 2018-08-21 21:45:23 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-22 12:24:57 +0000

    app-emulation/lxc: Bump to 3.0.2.

    Closes: https://bugs.gentoo.org/583886
    Closes: https://bugs.gentoo.org/657816
    Closes: https://bugs.gentoo.org/663780
    Package-Manager: Portage-2.3.48, Repoman-2.3.10
    Closes: https://github.com/gentoo/gentoo/pull/9651

 app-emulation/lxc/Manifest         |   1 +
 app-emulation/lxc/lxc-3.0.2.ebuild | 158 +++++++++++++++++++++++++++++++++++++
 app-emulation/lxc/metadata.xml     |   1 +
 3 files changed, 160 insertions(+)