From 3098181437f8872ca7605675908b1b0e63ffe4ac Mon Sep 17 00:00:00 2001
From: Andrey Arapov <andrey.arapov@nixaid.com>
Date: Thu, 19 May 2016 13:52:47 +0200
Subject: [PATCH] make keepass2 grsec friendly

---
 Dockerfile | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 9171e15..4c48c20 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,9 +5,19 @@ MAINTAINER Andrey Arapov <andrey.arapov@nixaid.com>
 ENV DEBIAN_FRONTEND noninteractive
 
 RUN apt-get update
-RUN apt-get install -yq keepass2 xdotool \
+RUN apt-get install -yq keepass2 xdotool paxctl \
     && rm -rf /var/lib/apt/lists
 
+# make KeePass2 grsec friendly
+# m: Disable MPROTECT // grsec: denied RWX mmap of <anonymous mapping>
+# (runtime only, since xattrs are not preserved in Docker's final image)
+# RUN setfattr -n user.pax.flags -v "m" /usr/bin/mono-sgen
+#
+# (permanent change, by converting the binary headers PT_GNU_STACK into PT_PAX_FLAGS)
+# m: Disable MPROTECT // grsec: denied RWX mmap of <anonymous mapping>
+RUN paxctl -c -v -m /usr/bin/mono-sgen
+
+
 ENV USER user
 ENV UID 1000
 ENV HOME /home/$USER