From b2f2d3a4291f6cbf731f1d492f3959c7cd2b97c3 Mon Sep 17 00:00:00 2001
From: Andrey Arapov
Date: Thu, 19 May 2016 17:43:22 +0200
Subject: [PATCH] add info about the grsec workarounds
---
 Dockerfile | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 4c48c20..c57a515 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,6 +9,13 @@ RUN apt-get install -yq keepass2 xdotool paxctl \
 && rm -rf /var/lib/apt/lists
 
 # make KeePass2 grsec friendly
+#
+# To build the Docker image, I currently had to disable the following grsec protections:
+# # grep -E "chroot_deny_chmod|chroot_deny_mknod|chroot_caps" /etc/sysctl.d/grsec.conf
+# kernel.grsecurity.chroot_deny_chmod = 0
+# kernel.grsecurity.chroot_deny_mknod = 0
+# kernel.grsecurity.chroot_caps = 0 (relates to a systemd package)
+#
 # m: Disable MPROTECT // grsec: denied RWX mmap of
 # (runtime only, since xattrs are not preserved in Docker's final image)
 # RUN setfattr -n user.pax.flags -v "m" /usr/bin/mono-sgen
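Review bot: The added comment lists three grsecurity sysctls set to 0 in `/etc/sysctl.d/grsec.conf` but does not say that they are host-wide settings, nor whether they must stay disabled once the image is built. As written, a reader following it could leave the build host's chroot hardening switched off permanently. Since the text says the change was needed "to build the Docker image", I would add a line such as `# (build host only; restore the previous values once the build has finished)`, assuming the containers do not need the relaxed settings at runtime. The remark `(relates to a systemd package)` on `chroot_caps` would also be easier to act on if it named the package or install step that fails. The comment section this hunk extends may continue below the last visible line.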