make tor grsec friendly

Dockerfile

@@ -10,7 +10,7 @@ RUN apt-get update && \
     apt-get -y dist-upgrade && \
     apt-get -fy install && \
     apt-get -y install xz-utils libdbus-glib-1-2 libgtk2.0-0 libxt6 \
-                       libgl1-mesa-glx pulseaudio && \
+                       libgl1-mesa-glx pulseaudio attr && \
     rm -rf /var/lib/apt/lists
 
 # bzip2 libgtk-3-0 libasound2 libpango1.0-0 libv4l-0 libgl1-mesa-glx x264
@@ -40,9 +40,9 @@ RUN cd /tmp && \
     rm -f tor.tar.xz && \
     chown -Rh $USER:$USER $HOME
 
-USER $USER
 WORKDIR $HOME
 
 VOLUME [ "/tmp", "$HOME/tor-browser" ]
 
-ENTRYPOINT [ "./tor-browser/Browser/start-tor-browser" ]
+COPY ./launch /launch
+ENTRYPOINT [ "/bin/bash", "/launch" ]

docker-compose.yml

@@ -4,12 +4,11 @@ services:
   tor:
     # docker build -t andrey01/tor .
     image: andrey01/tor
-    read_only: true
     network_mode: bridge
     volumes:
       - /tmp/.X11-unix:/tmp/.X11-unix:ro
       - $XDG_RUNTIME_DIR/pulse:/run/user/1000/pulse:ro
-      - $HOME/Downloads:/home/user/tor-browser_en-US/Browser/Downloads
+      - $HOME/Downloads:/home/user/tor-browser/Browser/Downloads
     environment:
       - DISPLAY=unix$DISPLAY
       - PULSE_SERVER=unix:$XDG_RUNTIME_DIR/pulse/native

launch

@@ -0,0 +1,19 @@
+#!/bin/bash
+set -x
+#
+# Make errors visible upon `docker logs -f steam` command
+#
+exec 2>&1
+
+#
+# Befriend with grsecurity patched Linux kernel
+#
+if [ -r /proc/sys/kernel/grsecurity/tpe_gid ]; then
+  groupadd -r -g $(cat /proc/sys/kernel/grsecurity/tpe_gid) grsec-tpe
+  usermod -aG grsec-tpe $USER
+  setfattr -n user.pax.flags -v "rm" \
+        $HOME/tor-browser/Browser/firefox \
+        $HOME/tor-browser/Browser/TorBrowser/Tor/tor
+fi
+
+su -s /bin/sh -p $USER -c "cd ./tor-browser/Browser && ./start-tor-browser"