From 7ebbed7882ffa0634b6bbfcf77d9c0f05e051a14 Mon Sep 17 00:00:00 2001
From: Andrey Arapov
Date: Mon, 22 Aug 2016 19:55:14 +0200
Subject: [PATCH] bump firefox and java; refactor

---
 Dockerfile | 36 ++++++++++--------------------
 docker-compose.yml | 1 -
 launch | 22 ++++++++++++++++++++++
 3 files changed, 32 insertions(+), 27 deletions(-)
 create mode 100644 launch

diff --git a/Dockerfile b/Dockerfile
index e815c0b..d67bcaf 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,7 +8,7 @@ ENV DEBIAN_FRONTEND noninteractive
 RUN apt-get update && \
 apt-get -y upgrade && \
 apt-get -fy install && \
- apt-get -y install bzip2 libgtk2.0-0 libgtk-3-0 libdbus-glib-1-2 libxt6 paxctl \
+ apt-get -y install bzip2 libgtk2.0-0 libgtk-3-0 libdbus-glib-1-2 libxt6 attr \
 pulseaudio libgl1-mesa-glx x264 \
 libpango1.0-0 libv4l-0 \
 fonts-dejavu-core fonts-freefont-ttf fonts-guru-extra \
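Review bot: The new `apt-get -y install` line still pulls recommended packages and pins no versions, so the installed package set drifts with every rebuild; `apt-get -y install --no-install-recommends` with `pkg=version` pins would keep the image minimal and reproducible. `attr` replaces `paxctl` because `/launch` calls `setfattr` at container start, so unlike the old build-time `paxctl` it is a runtime dependency that must stay in the final image; a comment on the line such as `# attr: setfattr is run by /launch at container start` would record that. The RUN instruction continues past the hunk, so whether `/var/lib/apt/lists/*` is removed in the same layer cannot be seen here.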
@@ -37,30 +37,13 @@ RUN echo "enable-shm = no" >> /etc/pulse/client.conf
 # Mozilla Firefox
 # Deps: bzip2 libgtk-3-0 libdbus-glib-1-2 libxt6
-ENV FIREFOX_VER 47.0.1
+ENV FIREFOX_VER 48.0.1
 ADD https://download-installer.cdn.mozilla.net/pub/firefox/releases/$FIREFOX_VER/linux-x86_64/en-US/firefox-$FIREFOX_VER.tar.bz2 /tmp/firefox.tar.bz2
 RUN cd /tmp && \
 mkdir /opt/mozilla && \
 tar xf firefox.tar.bz2 -C /opt/mozilla/ && \
- rm -f firefox.tar.bz2
-
-# Make Mozilla Firefox grsec friendly
-# more info: https://en.wikibooks.org/wiki/Grsecurity/Application-specific_Settings#Firefox_.28or_Iceweasel_in_Debian.29
-#
-# To build the Docker image, I currently had to disable the following grsec protections:
-# # grep -E "chroot_deny_chmod|chroot_deny_mknod|chroot_caps" /etc/sysctl.d/grsec.conf
-# kernel.grsecurity.chroot_deny_chmod = 0
-# kernel.grsecurity.chroot_deny_mknod = 0
-# kernel.grsecurity.chroot_caps = 0 (relates to a systemd package)
-#
-# (runtime only, since xattrs are not preserved in Docker's final image)
-# m: Disable MPROTECT // grsec: denied RWX mmap of
-# RUN setfattr -n user.pax.flags -v "m" /opt/mozilla/firefox/firefox
-#
-# (permanent change, by converting the binary headers PT_GNU_STACK into PT_PAX_FLAGS)
-# m: Disable MPROTECT // grsec: denied RWX mmap of
-RUN paxctl -c -v -m /opt/mozilla/firefox/firefox
-
+ rm -f firefox.tar.bz2 && \
+ chown -Rh root:root /opt/mozilla
 # Google Hangouts
 # Deps: libasound2 libgtk2.0-0 libpango1.0-0 libv4l-0
@@ -73,9 +56,9 @@ RUN cd /tmp && \
 # https://java.com/en/download/manual.jsp
 # https://www.java.com/verify
 ENV JAVA_VER 8
-ENV JAVA_JRE_UVER 91
-ENV JAVA_JRE_FVER 1.8.0_91
-ENV JAVA_BUNDLE_ID 207765
+ENV JAVA_JRE_UVER 101
+ENV JAVA_JRE_FVER 1.8.0_101
+ENV JAVA_BUNDLE_ID 211989
 ENV JAVA_FONTS "/usr/share/fonts/truetype"
 ENV _JAVA_OPTIONS "-Dawt.useSystemAAFontSettings=on \
  -Dswing.aatext=true \
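Review bot: Bumping `FIREFOX_VER` feeds an `ADD` of the Firefox tarball that, within the visible lines, is extracted by `tar xf` into `/opt/mozilla` without any integrity check, so a tampered or truncated download is installed silently; the same applies to the JRE fetched over plain http in the hunk at `@@ -92,6 +75,7 @@`. Verifying the archive in the same RUN that extracts it, e.g. `echo "<SHA256-PLACEHOLDER>  /tmp/firefox.tar.bz2" | sha256sum -c -` placed before the `tar xf`, would tie the version bump to a known artifact. The new `chown -Rh root:root /opt/mozilla` is reasonable since ownership otherwise comes from the archive, but the removed comment block was the only place explaining why MPROTECT is relaxed through xattrs at runtime ("xattrs are not preserved in Docker's final image"); a one-line comment after the chown such as `# PaX flags are applied at container start by /launch (xattrs do not survive image layers)` would keep that rationale with the code.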
@@ -92,6 +75,7 @@ ADD http://javadl.sun.com/webapps/download/AutoDL?BundleId=$JAVA_BUNDLE_ID /tmp/
 RUN mkdir -p /opt/java/64 && \
 tar xf /tmp/jre.tar.gz -C /opt/java/64/ && \
 rm -f /tmp/jre.tar.gz && \
+ chown -Rh root:root /opt/java/64/ && \
 cd /opt/java/64/ && \
 ln -sv jre${JAVA_JRE_FVER} jre && \
 ln -sv /opt/java/64/jre/lib/amd64/libnpjp2.so /usr/lib/mozilla/plugins/ && \
@@ -107,10 +91,10 @@ ENV GROUPS video,audio
 ENV HOME /home/$USER
 RUN useradd -u $UID -m -d $HOME -s /usr/sbin/nologin -G $GROUPS $USER
-USER $USER
 WORKDIR $HOME
 # Java JRE requires /tmp directory to be writable
 VOLUME [ "/tmp" ]
-ENTRYPOINT [ "/opt/mozilla/firefox/firefox" ]
+COPY ./launch /launch
+ENTRYPOINT [ "/bin/bash", "/launch" ]
diff --git a/docker-compose.yml b/docker-compose.yml
index 314ee41..d07bff6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,7 +7,6 @@ services:
 firefox:
 # docker build -t andrey01/firefox .
 image: andrey01/firefox
- read_only: true
 network_mode: bridge
 devices:
  - /dev/dri
diff --git a/launch b/launch
new file mode 100644
index 0000000..ed4e7c0
--- /dev/null
+++ b/launch
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+#
+# Make errors visible upon `docker logs -f steam` command
+#
+exec 2>&1
+
+#
+# Befriend with grsecurity patched Linux kernel
+#
+if [ -r /proc/sys/kernel/grsecurity/tpe_gid ]; then
+ groupadd -r -g $(cat /proc/sys/kernel/grsecurity/tpe_gid) grsec-tpe
+ usermod -aG grsec-tpe $USER
+ setfattr -n user.pax.flags -v "m" \
+ /opt/mozilla/firefox/firefox \
+ /opt/mozilla/firefox/plugin-container \
+ /opt/java/64/jre/bin/java \
+ /opt/java/64/jre/lib/amd64/libnpjp2.so
+ # /lib/x86_64-linux-gnu/ld-2.23.so
+fi
+
+su -s /bin/sh -p user -c "/opt/mozilla/firefox/firefox $@"
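Review bot: Removing `USER $USER` leaves the final image running as root: `ENTRYPOINT [ "/bin/bash", "/launch" ]` now starts with root privileges and the drop to the unprivileged user happens only inside the script via `su`. That is needed for the `groupadd`/`setfattr` work `/launch` does, but nothing in the Dockerfile says so, and the `useradd ... $USER` a few lines up now reads as if the container ran as that user; a comment above the ENTRYPOINT such as `# Starts as root: /launch applies grsec PaX xattrs, then drops to $USER via su` would record the intent. Runtimes that enforce a non-root container user would reject this image, which is worth stating in the same comment. `launch` is added with mode 100644, which is consistent with invoking it through `/bin/bash` rather than executing it directly.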
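Review bot: The final `su -s /bin/sh -p user -c "/opt/mozilla/firefox/firefox $@"` splices the container arguments into a string that the inner shell re-parses, so any argument containing spaces or shell metacharacters is re-split or interpreted, and because `su` is not `exec`'d, bash stays PID 1 and the SIGTERM from `docker stop` never reaches Firefox. Quoting each argument for the inner shell and replacing both shells addresses both, e.g. `exec su -s /bin/bash -p user -c "exec /opt/mozilla/firefox/firefox$(printf ' %q' "$@")"`. The target user is hard-coded as `user` while `usermod -aG grsec-tpe $USER` uses the `USER` environment variable; using `"$USER"` in both keeps them in step. The header comment refers to `docker logs -f steam`, which looks copied from another image and should name this container. The `groupadd`/`usermod`/`setfattr` calls write to the root filesystem on every start, presumably why `read_only: true` is dropped from docker-compose.yml in this commit; without `set -e` a failing `groupadd` (e.g. on a restarted container where the group already exists) is silently ignored, which may be intended but deserves a comment.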