add sysctl to disable some grsec features

features that would prevent debootstrap from working on the host
2018-01-22 22:04:36 -05:00 · 2018-01-22 22:04:36 -05:00 · 4966a01f76
commit 4966a01f76
parent 01e0829a91
2 changed files with 16 additions and 0 deletions
--- a/meta-citadel-distro/recipes-core/base-files/base-files_%.bbappend
+++ b/meta-citadel-distro/recipes-core/base-files/base-files_%.bbappend
@ -5,12 +5,19 @@ SRC_URI += "\
    file://locale.conf \
    file://environment.sh \
    file://fstab \
+    file://99-grsec-debootstrap.conf \
 "

 do_install_append () {
    install -m 0755 -d ${D}/storage
+    install -m 0755 -d ${D}/var/lib/machines
    install -m 0755 -d ${D}${sysconfdir}/profile.d
    install -m 0644 ${WORKDIR}/locale.conf ${D}${sysconfdir}/locale.conf
    install -m 0644 ${WORKDIR}/environment.sh ${D}${sysconfdir}/profile.d/environment.sh
    install -m 0644 ${WORKDIR}/fstab ${D}${sysconfdir}/fstab
+
+    # disable some pax and grsecurity features so that debootstrap will work
+    # this should be removed later
+    install -d ${D}${libdir}/sysctl.d
+    install -m 0644 ${WORKDIR}/99-grsec-debootstrap.conf ${D}${libdir}/sysctl.d/
 }
--- a/meta-citadel-distro/recipes-core/base-files/files/99-grsec-debootstrap.conf
+++ b/meta-citadel-distro/recipes-core/base-files/files/99-grsec-debootstrap.conf
@ -0,0 +1,9 @@
+
+# disable some pax and grsecurity features so that debootstrap will work
+# this should be removed later
+
+kernel.grsecurity.chroot_caps = 0
+kernel.grsecurity.chroot_deny_chmod = 0
+kernel.grsecurity.chroot_deny_mknod = 0
+kernel.grsecurity.chroot_deny_mount = 0
+kernel.pax.softmode = 1