experimental: support grsecurity patched kernels

This commit is contained in:
Andy 2016-08-05 23:02:44 +02:00
parent be327012f1
commit 6a6132e8d6
Signed by: arno
GPG Key ID: 368DDA2E9A471EAC
4 changed files with 56 additions and 14 deletions

View File

@ -32,7 +32,7 @@ RUN echo "deb [arch=amd64,i386] http://repo.steampowered.com/steam/ precise stea
libnm-glib4:i386 libnm-util2:i386 libusb-1.0-0:i386 \ libnm-glib4:i386 libnm-util2:i386 libusb-1.0-0:i386 \
libnss3:i386 libgconf-2-4:i386 libxss1:i386 libcurl3:i386 \ libnss3:i386 libgconf-2-4:i386 libxss1:i386 libcurl3:i386 \
libv8-dev:i386 \ libv8-dev:i386 \
libcanberra-gtk-module:i386 libpulse0:i386 && \ libcanberra-gtk-module:i386 libpulse0:i386 attr && \
rm -f /etc/apt/sources.list.d/tmp-steam.list && \ rm -f /etc/apt/sources.list.d/tmp-steam.list && \
rm -rf /var/lib/apt/lists rm -rf /var/lib/apt/lists
@ -92,7 +92,6 @@ RUN sed -i.orig '/^# en_US.UTF-8.*/s/^#.//g' /etc/locale.gen && \
ENV LANG en_US.UTF-8 ENV LANG en_US.UTF-8
ENV LC_ALL en_US.UTF-8 ENV LC_ALL en_US.UTF-8
# Create a user # Create a user
ENV USER user ENV USER user
ENV UID 1000 ENV UID 1000
@ -100,15 +99,9 @@ ENV GROUPS audio,video
ENV HOME /home/$USER ENV HOME /home/$USER
RUN useradd -m -d $HOME -u $UID -G $GROUPS $USER RUN useradd -m -d $HOME -u $UID -G $GROUPS $USER
USER $USER
WORKDIR $HOME WORKDIR $HOME
ENV STEAM_RUNTIME 0 ENV STEAM_RUNTIME 0
# COPY ./launch /launch
# This part is very important, since this lets Steam choose proper nvidia drivers (32 or 64 bit) ENTRYPOINT [ "/bin/sh", "/launch" ]
#
# echo "$(find /usr/lib /usr/lib32 -maxdepth 1 -type d -name "*nvidia*" -print0 |tr '\0' ':' ; echo)"
ENV LD_LIBRARY_PATH "/usr/lib/nvidia-361:/usr/lib/nvidia-361-prime:/usr/lib/nvidia-340:/usr/lib/nvidia-340-prime:/usr/lib/nvidia-304:/usr/lib32/nvidia-361:/usr/lib32/nvidia-340:/usr/lib32/nvidia-304"
ENTRYPOINT [ "steam" ]

View File

@ -53,6 +53,27 @@ If you are getting `segmentation fault` error or Steam does not start, then you
$ docker-compose run --rm steam --reset $ docker-compose run --rm steam --reset
``` ```
## Grsecurity notes
### grsec: TPE
Trusted Path Execution (TPE)
This Steam docker image is working with the grsecurity patched kernel,
however it requires the following grsecurity flag enabled:
- CONFIG_GRKERNSEC_TPE_INVERT
- CONFIG_GRKERNSEC_TPE_TRUSTED_GID
so that `/proc/sys/kernel/grsecurity/tpe_gid` is accessible for read by root.
### grsec: PaX
Currently it supports Half-Life (CS, ...), CS:GO as described in `launch` file
that you can edit yourself and rebuild this docker image.
# Links # Links
Below is just bunch of links, someone might find them useful Below is just bunch of links, someone might find them useful

View File

@ -16,11 +16,11 @@ services:
- data:/home - data:/home
# - /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:ro # - /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:ro
devices: devices:
- /dev/nvidia0 # - /dev/nvidia0
- /dev/nvidiactl # - /dev/nvidiactl
- /dev/nvidia-uvm # - /dev/nvidia-uvm
# uncomment this when running NVIDIA Driver >= 361 # uncomment this when running NVIDIA Driver >= 361
- /dev/nvidia-modeset # - /dev/nvidia-modeset
- /dev/dri - /dev/dri
# - /dev/snd # - /dev/snd
environment: environment:

28
launch Normal file
View File

@ -0,0 +1,28 @@
#!/bin/sh
# So that errors will be visible on `docker logs -f steam` command
exec 2>&1
#
# befriend with grsec
#
# TODO: find a way how to set these attributes dynamically,
# since currently it will require Steam restart when new content is obtained.
if [ -f /proc/sys/kernel/grsecurity/tpe_gid ]; then
groupadd -r -g $(cat /proc/sys/kernel/grsecurity/tpe_gid) grsec-tpe
usermod -aG grsec-tpe $USER
setfattr -n user.pax.flags -v "m" \
/lib/i386-linux-gnu/ld-2.19.so \
$HOME/.local/share/Steam/ubuntu12_32/steam \
$HOME/.local/share/Steam/ubuntu12_32/steamwebhelper \
$HOME/.local/share/Steam/steamapps/common/Half-Life/hl_linux
# paxctl -c -v -m /lib/i386-linux-gnu/ld-2.19.so
fi
#
# This part is very important, since this lets Steam choose proper nvidia drivers (32 or 64 bit)
#
# echo "$(find /usr/lib /usr/lib32 -maxdepth 1 -type d -name "*nvidia*" -print0 |tr '\0' ':' ; echo)"
export LD_LIBRARY_PATH="/usr/lib/x86_64-linux-gnu:/usr/lib/i386-linux-gnu:/usr/lib/nvidia-361:/usr/lib/nvidia-361-prime:/usr/lib/nvidia-340:/usr/lib/nvidia-340-prime:/usr/lib/nvidia-304:/usr/lib32/nvidia-361:/usr/lib32/nvidia-340:/usr/lib32/nvidia-304:/usr/lib/x86_64-linux-gnu:/usr/lib/i386-linux-gnu"
exec su -p user -c "steam $@"