From ffdc9d568cac35ce273ca9ada6952e3812ae26c6 Mon Sep 17 00:00:00 2001
From: Andrey Arapov
Date: Thu, 19 May 2016 17:53:41 +0200
Subject: [PATCH] make firefox grsec friendly

---
 Dockerfile | 20 +++++++++++++++++++-
 docker-compose.yml | 2 +-
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 3caf5e8..1cc805a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,7 +9,7 @@ RUN apt-get update && \
 apt-get -y upgrade && \
 apt-get -y dist-upgrade && \
 apt-get -fy install && \
- apt-get -y install bzip2 libgtk2.0-0 libgtk-3-0 libdbus-glib-1-2 libxt6 \
+ apt-get -y install bzip2 libgtk2.0-0 libgtk-3-0 libdbus-glib-1-2 libxt6 paxctl \
 pulseaudio libgl1-mesa-glx x264 \
 libpango1.0-0 libv4l-0 \
 fonts-opensymbol ttf-ubuntu-font-family \
@@ -42,6 +42,24 @@ RUN cd /tmp && \
 tar xf firefox.tar.bz2 -C /opt/mozilla/ && \
 rm -f firefox.tar.bz2
+# Make Mozilla Firefox grsec friendly
+# more info: https://en.wikibooks.org/wiki/Grsecurity/Application-specific_Settings#Firefox_.28or_Iceweasel_in_Debian.29
+#
+# To build the Docker image, I currently had to disable the following grsec protections:
+# # grep -E "chroot_deny_chmod|chroot_deny_mknod|chroot_caps" /etc/sysctl.d/grsec.conf
+# kernel.grsecurity.chroot_deny_chmod = 0
+# kernel.grsecurity.chroot_deny_mknod = 0
+# kernel.grsecurity.chroot_caps = 0 (relates to a systemd package)
+#
+# (runtime only, since xattrs are not preserved in Docker's final image)
+# m: Disable MPROTECT // grsec: denied RWX mmap of
+# RUN setfattr -n user.pax.flags -v "m" /opt/mozilla/firefox/firefox
+#
+# (permanent change, by converting the binary headers PT_GNU_STACK into PT_PAX_FLAGS)
+# m: Disable MPROTECT // grsec: denied RWX mmap of
+RUN paxctl -c -v -m /opt/mozilla/firefox/firefox
+
+
 # Google Hangouts
 # Deps: libasound2 libgtk2.0-0 libpango1.0-0 libv4l-0
 ADD https://dl.google.com/linux/direct/google-talkplugin_current_amd64.deb /tmp/google-talkplugin.deb
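Review bot: `paxctl` is needed for exactly one build-time call, yet adding it to this runtime package list leaves it installed in the final image. Installing it in the same RUN that uses it and purging it afterwards, `apt-get install -y paxctl && paxctl -c -v -m /opt/mozilla/firefox/firefox && apt-get purge -y paxctl`, keeps a tool that rewrites PaX flags on ELF binaries out of the shipped image. The RUN this line belongs to starts before the hunk, so the apt cache cleanup for that later layer would need to be repeated there.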
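Review bot: `paxctl -c -v -m` modifies the firefox ELF header in place, so running it in its own RUN stores a second full copy of the binary in a new layer on top of the one written by the extraction RUN above it; appending the call to that RUN after `rm -f firefox.tar.bz2` avoids the duplicate (that RUN begins before the hunk). The comment block should also say plainly that the `m` flag turns off PaX MPROTECT for the entire Firefox process, not just for one RWX region, e.g. `# NOTE: disables MPROTECT for the whole firefox process (presumably required by its JIT)`, so anyone reusing the image sees the trade-off. The three `kernel.grsecurity.chroot_*` sysctls listed are build-host settings; the note would be more useful if it said they only need to be relaxed for the duration of `docker build` and restored afterwards. The two added trailing blank lines leave three blank lines before `# Google Hangouts`; one is enough.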
diff --git a/docker-compose.yml b/docker-compose.yml
index 5a768a8..744ad34 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -19,7 +19,7 @@ services:
 - data:/home/user
 - $HOME/Downloads:/home/user/Downloads
 - /var/run/cups:/var/run/cups:ro
- # - /tmp/krb5cc_1000:/tmp/krb5cc_1000:ro
+ - /tmp/krb5cc_1000:/tmp/krb5cc_1000:ro
 environment:
 - DISPLAY=unix$DISPLAY
 - PULSE_SERVER=unix:$XDG_RUNTIME_DIR/pulse/native
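Review bot: The newly enabled bind mount hard-codes UID 1000 in `/tmp/krb5cc_1000` while the neighbouring entries derive their paths from `$HOME` and `$XDG_RUNTIME_DIR`, and it hands the host user's Kerberos credential cache to the container. If that file does not exist on the host when the stack is started, Docker creates a directory at the path, which would likely block a later `kinit` on the host from writing its cache; the `:ro` flag also means the container cannot refresh or renew tickets, so it depends on the host keeping them valid. A comment above the line recording both constraints, e.g. `# host Kerberos ticket cache, read-only: run kinit on the host before starting`, would spare the next user a confusing failure.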