experimental: support grsecurity patched kernels
parent
be327012f1
commit
6a6132e8d6
13
Dockerfile
13
Dockerfile
@ -32,7 +32,7 @@ RUN echo "deb [arch=amd64,i386] http://repo.steampowered.com/steam/ precise stea
|
|||||||
libnm-glib4:i386 libnm-util2:i386 libusb-1.0-0:i386 \
|
libnm-glib4:i386 libnm-util2:i386 libusb-1.0-0:i386 \
|
||||||
libnss3:i386 libgconf-2-4:i386 libxss1:i386 libcurl3:i386 \
|
libnss3:i386 libgconf-2-4:i386 libxss1:i386 libcurl3:i386 \
|
||||||
libv8-dev:i386 \
|
libv8-dev:i386 \
|
||||||
libcanberra-gtk-module:i386 libpulse0:i386 && \
|
libcanberra-gtk-module:i386 libpulse0:i386 attr && \
|
||||||
rm -f /etc/apt/sources.list.d/tmp-steam.list && \
|
rm -f /etc/apt/sources.list.d/tmp-steam.list && \
|
||||||
rm -rf /var/lib/apt/lists
|
rm -rf /var/lib/apt/lists
|
||||||
|
|
||||||
@ -92,7 +92,6 @@ RUN sed -i.orig '/^# en_US.UTF-8.*/s/^#.//g' /etc/locale.gen && \
|
|||||||
ENV LANG en_US.UTF-8
|
ENV LANG en_US.UTF-8
|
||||||
ENV LC_ALL en_US.UTF-8
|
ENV LC_ALL en_US.UTF-8
|
||||||
|
|
||||||
|
|
||||||
# Create a user
|
# Create a user
|
||||||
ENV USER user
|
ENV USER user
|
||||||
ENV UID 1000
|
ENV UID 1000
|
||||||
@ -100,15 +99,9 @@ ENV GROUPS audio,video
|
|||||||
ENV HOME /home/$USER
|
ENV HOME /home/$USER
|
||||||
RUN useradd -m -d $HOME -u $UID -G $GROUPS $USER
|
RUN useradd -m -d $HOME -u $UID -G $GROUPS $USER
|
||||||
|
|
||||||
USER $USER
|
|
||||||
WORKDIR $HOME
|
WORKDIR $HOME
|
||||||
|
|
||||||
ENV STEAM_RUNTIME 0
|
ENV STEAM_RUNTIME 0
|
||||||
|
|
||||||
#
|
COPY ./launch /launch
|
||||||
# This part is very important, since this lets Steam choose proper nvidia drivers (32 or 64 bit)
|
ENTRYPOINT [ "/bin/sh", "/launch" ]
|
||||||
#
|
|
||||||
# echo "$(find /usr/lib /usr/lib32 -maxdepth 1 -type d -name "*nvidia*" -print0 |tr '\0' ':' ; echo)"
|
|
||||||
ENV LD_LIBRARY_PATH "/usr/lib/nvidia-361:/usr/lib/nvidia-361-prime:/usr/lib/nvidia-340:/usr/lib/nvidia-340-prime:/usr/lib/nvidia-304:/usr/lib32/nvidia-361:/usr/lib32/nvidia-340:/usr/lib32/nvidia-304"
|
|
||||||
|
|
||||||
ENTRYPOINT [ "steam" ]
|
|
||||||
|
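Review bot: Removing `USER $USER` in the third hunk makes the image start `/launch` as root, and the only privilege drop left is the `su -p user` at the end of that script, which hard-codes the account name that this Dockerfile defines as `ENV USER user` (and that `usermod -aG grsec-tpe $USER` in the same script reads from the environment). Keep the two in sync by expanding the variable in the script, `exec su -p "$USER" -c ...`, and say why root is needed in a comment above the new ENTRYPOINT, e.g. `# starts as root so /launch can add the grsec TPE group and set PaX xattrs; it drops to $USER before exec'ing steam`. Because `ENTRYPOINT [ "/bin/sh", "/launch" ]` is exec form, the arguments of `docker-compose run --rm steam --reset` reach the script as `$@`, so the quoting of that final `su -c` string decides whether they arrive intact.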
21
README.md
21
README.md
@ -53,6 +53,27 @@ If you are getting `segmentation fault` error or Steam does not start, then you
|
|||||||
$ docker-compose run --rm steam --reset
|
$ docker-compose run --rm steam --reset
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Grsecurity notes
|
||||||
|
|
||||||
|
### grsec: TPE
|
||||||
|
|
||||||
|
Trusted Path Execution (TPE)
|
||||||
|
|
||||||
|
This Steam docker image is working with the grsecurity patched kernel,
|
||||||
|
however it requires the following grsecurity flag enabled:
|
||||||
|
|
||||||
|
- CONFIG_GRKERNSEC_TPE_INVERT
|
||||||
|
- CONFIG_GRKERNSEC_TPE_TRUSTED_GID
|
||||||
|
|
||||||
|
so that `/proc/sys/kernel/grsecurity/tpe_gid` is accessible for read by root.
|
||||||
|
|
||||||
|
|
||||||
|
### grsec: PaX
|
||||||
|
|
||||||
|
Currently it supports Half-Life (CS, ...), CS:GO as described in `launch` file
|
||||||
|
that you can edit yourself and rebuild this docker image.
|
||||||
|
|
||||||
|
|
||||||
# Links
|
# Links
|
||||||
|
|
||||||
Below is just bunch of links, someone might find them useful
|
Below is just bunch of links, someone might find them useful
|
||||||
|
@ -16,11 +16,11 @@ services:
|
|||||||
- data:/home
|
- data:/home
|
||||||
# - /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:ro
|
# - /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:ro
|
||||||
devices:
|
devices:
|
||||||
- /dev/nvidia0
|
# - /dev/nvidia0
|
||||||
- /dev/nvidiactl
|
# - /dev/nvidiactl
|
||||||
- /dev/nvidia-uvm
|
# - /dev/nvidia-uvm
|
||||||
# uncomment this when running NVIDIA Driver >= 361
|
# uncomment this when running NVIDIA Driver >= 361
|
||||||
- /dev/nvidia-modeset
|
# - /dev/nvidia-modeset
|
||||||
- /dev/dri
|
- /dev/dri
|
||||||
# - /dev/snd
|
# - /dev/snd
|
||||||
environment:
|
environment:
|
||||||
|
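Review bot: The three NVIDIA device entries that were active before (`/dev/nvidia0`, `/dev/nvidiactl`, `/dev/nvidia-uvm`) are now commented out, yet the commit message only mentions grsecurity and the new `launch` script still exports an LD_LIBRARY_PATH built from nvidia-* directories, so this looks like a local workaround committed by accident and will leave NVIDIA users without the devices by default. If dropping them is intentional, extend the existing `# uncomment this when running NVIDIA Driver >= 361` comment so it covers all four device lines and explains when each is needed. The file this hunk belongs to is not named on the page (presumably the compose file, given the `services:` context), and it contains no other change.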
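--- /dev/null
+++ b/launch
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# So that errors will be visible on `docker logs -f steam` command
+exec 2>&1
+
+#
+# befriend with grsec
+#
+# TODO: find a way how to set these attributes dynamically,
+# since currently it will require Steam restart when new content is obtained.
+if [ -f /proc/sys/kernel/grsecurity/tpe_gid ]; then
+groupadd -r -g $(cat /proc/sys/kernel/grsecurity/tpe_gid) grsec-tpe
+usermod -aG grsec-tpe $USER
+setfattr -n user.pax.flags -v "m" \
+/lib/i386-linux-gnu/ld-2.19.so \
+$HOME/.local/share/Steam/ubuntu12_32/steam \
+$HOME/.local/share/Steam/ubuntu12_32/steamwebhelper \
+$HOME/.local/share/Steam/steamapps/common/Half-Life/hl_linux
+# paxctl -c -v -m /lib/i386-linux-gnu/ld-2.19.so
+fi
+
+#
+# This part is very important, since this lets Steam choose proper nvidia drivers (32 or 64 bit)
+#
+# echo "$(find /usr/lib /usr/lib32 -maxdepth 1 -type d -name "*nvidia*" -print0 |tr '\0' ':' ; echo)"
+export LD_LIBRARY_PATH="/usr/lib/x86_64-linux-gnu:/usr/lib/i386-linux-gnu:/usr/lib/nvidia-361:/usr/lib/nvidia-361-prime:/usr/lib/nvidia-340:/usr/lib/nvidia-340-prime:/usr/lib/nvidia-304:/usr/lib32/nvidia-361:/usr/lib32/nvidia-340:/usr/lib32/nvidia-304:/usr/lib/x86_64-linux-gnu:/usr/lib/i386-linux-gnu"
+
+exec su -p user -c "steam $@"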
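Review bot: `exec su -p user -c "steam $@"` at the end of the script collapses the container arguments into one string that a fresh shell re-parses, so an argument containing spaces or shell metacharacters is split or interpreted instead of reaching steam verbatim; passing them as positional parameters, `exec su -p user -c 'exec steam "$@"' -- sh "$@"`, keeps them intact on a `su` that forwards extra arguments to the shell (to be confirmed for this base image). The script sets no `set -e`, and the grsec branch runs `groupadd`, `usermod` and `setfattr` on paths under `$HOME` that may not exist on a first run, so a failed step is silently skipped; if that is deliberate, say so next to `exec 2>&1`, e.g. `# best effort: Steam files may be missing on first run, failures are only logged`. The `-v "m"` xattr disables PaX MPROTECT for exactly the listed binaries, a deliberate hardening reduction that deserves a comment beside `setfattr` such as `# 'm' = disable MPROTECT only for these files; keep the list minimal`. The unquoted `$(cat …)`, `$USER` and `$HOME` expansions would also be safer double-quoted.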