add info about the grsec workarounds

2016-05-19 17:44:06 +02:00 · 2016-05-19 17:44:06 +02:00 · be8cb26430
commit be8cb26430
parent b7b8e99e25
1 changed files with 6 additions and 0 deletions
--- a/6
+++ b/6
@ -15,6 +15,12 @@ RUN apt-get update \

 # Make HipChat grsec friendly
 #
+# To build the Docker image, I currently had to disable the following grsec protections:
+# # grep -E "chroot_deny_chmod|chroot_deny_mknod|chroot_caps" /etc/sysctl.d/grsec.conf
+# kernel.grsecurity.chroot_deny_chmod = 0
+# kernel.grsecurity.chroot_deny_mknod = 0
+# kernel.grsecurity.chroot_caps = 0 (relates to a systemd package)
+#
 # (runtime only, since xattrs are not preserved in Docker's final image)
 # m: Disable MPROTECT // grsec: denied RWX mmap of <anonymous mapping>
 # RUN setfattr -n user.pax.flags -v "m" /opt/HipChat4/lib/HipChat.bin /opt/HipChat4/lib/QtWebEngineProcess.bin