experimental: support grsecurity patched kernels

Dockerfile

@@ -32,7 +32,7 @@ RUN echo "deb [arch=amd64,i386] http://repo.steampowered.com/steam/ precise stea
                        libnm-glib4:i386 libnm-util2:i386 libusb-1.0-0:i386 \
                        libnss3:i386 libgconf-2-4:i386 libxss1:i386 libcurl3:i386 \
                        libv8-dev:i386 \
-                       libcanberra-gtk-module:i386 libpulse0:i386 && \
+                       libcanberra-gtk-module:i386 libpulse0:i386 attr && \
     rm -f /etc/apt/sources.list.d/tmp-steam.list && \
     rm -rf /var/lib/apt/lists
 
@@ -92,7 +92,6 @@ RUN sed -i.orig '/^# en_US.UTF-8.*/s/^#.//g' /etc/locale.gen && \
 ENV LANG en_US.UTF-8
 ENV LC_ALL en_US.UTF-8
 
-
 # Create a user
 ENV USER user
 ENV UID 1000
@@ -100,15 +99,9 @@ ENV GROUPS audio,video
 ENV HOME /home/$USER
 RUN useradd -m -d $HOME -u $UID -G $GROUPS $USER
 
-USER $USER
 WORKDIR $HOME
 
 ENV STEAM_RUNTIME 0
 
-#
-# This part is very important, since this lets Steam choose proper nvidia drivers (32 or 64 bit)
-#
-# echo "$(find /usr/lib /usr/lib32 -maxdepth 1 -type d -name "*nvidia*" -print0 |tr '\0' ':' ; echo)"
-ENV LD_LIBRARY_PATH "/usr/lib/nvidia-361:/usr/lib/nvidia-361-prime:/usr/lib/nvidia-340:/usr/lib/nvidia-340-prime:/usr/lib/nvidia-304:/usr/lib32/nvidia-361:/usr/lib32/nvidia-340:/usr/lib32/nvidia-304"
-
-ENTRYPOINT [ "steam" ]
+COPY ./launch /launch
+ENTRYPOINT [ "/bin/sh", "/launch" ]

README.md

@@ -53,6 +53,27 @@ If you are getting `segmentation fault` error or Steam does not start, then you
 $ docker-compose run --rm steam --reset
 ```
 
+## Grsecurity notes
+
+### grsec: TPE
+
+Trusted Path Execution (TPE)
+
+This Steam docker image is working with the grsecurity patched kernel,  
+however it requires the following grsecurity flag enabled:
+
+- CONFIG_GRKERNSEC_TPE_INVERT
+- CONFIG_GRKERNSEC_TPE_TRUSTED_GID
+
+so that `/proc/sys/kernel/grsecurity/tpe_gid` is accessible for read by root.
+
+
+### grsec: PaX
+
+Currently it supports Half-Life (CS, ...), CS:GO as described in `launch` file 
+that you can edit yourself and rebuild this docker image.
+
+
 # Links
 
 Below is just bunch of links, someone might find them useful

docker-compose.yml

@@ -16,11 +16,11 @@ services:
       - data:/home
       # - /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:ro
     devices:
-      - /dev/nvidia0
-      - /dev/nvidiactl
-      - /dev/nvidia-uvm
+      # - /dev/nvidia0
+      # - /dev/nvidiactl
+      # - /dev/nvidia-uvm
       # uncomment this when running NVIDIA Driver >= 361
-      - /dev/nvidia-modeset
+      # - /dev/nvidia-modeset
       - /dev/dri
       # - /dev/snd
     environment:

launch

@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# So that errors will be visible on `docker logs -f steam` command
+exec 2>&1
+
+#
+# befriend with grsec
+#
+# TODO: find a way how to set these attributes dynamically,
+#       since currently it will require Steam restart when new content is obtained.
+if [ -f /proc/sys/kernel/grsecurity/tpe_gid ]; then
+  groupadd -r -g $(cat /proc/sys/kernel/grsecurity/tpe_gid) grsec-tpe
+  usermod -aG grsec-tpe $USER
+  setfattr -n user.pax.flags -v "m" \
+            /lib/i386-linux-gnu/ld-2.19.so \
+            $HOME/.local/share/Steam/ubuntu12_32/steam \
+            $HOME/.local/share/Steam/ubuntu12_32/steamwebhelper \
+            $HOME/.local/share/Steam/steamapps/common/Half-Life/hl_linux
+  # paxctl -c -v -m /lib/i386-linux-gnu/ld-2.19.so
+fi
+
+#
+# This part is very important, since this lets Steam choose proper nvidia drivers (32 or 64 bit)
+#
+# echo "$(find /usr/lib /usr/lib32 -maxdepth 1 -type d -name "*nvidia*" -print0 |tr '\0' ':' ; echo)"
+export LD_LIBRARY_PATH="/usr/lib/x86_64-linux-gnu:/usr/lib/i386-linux-gnu:/usr/lib/nvidia-361:/usr/lib/nvidia-361-prime:/usr/lib/nvidia-340:/usr/lib/nvidia-340-prime:/usr/lib/nvidia-304:/usr/lib32/nvidia-361:/usr/lib32/nvidia-340:/usr/lib32/nvidia-304:/usr/lib/x86_64-linux-gnu:/usr/lib/i386-linux-gnu"
+
+exec su -p user -c "steam $@"