linuxserver / docker-nextcloud

GNU General Public License v3.0

[FEAT] Add paxctl and set the correct flags on multiple binaries #429

Open thedeadliestcatch opened 2 months ago

thedeadliestcatch commented 2 months ago

Is this a new feature request?

Wanted change

I would like paxctl to be added to the packages available in the image. This can enable some hardened environments to set the appropriate flags in multiple ELF files/executables.

Like so:

RUN apk add --no-cache paxctl

The end-user can then configure these as needed (ex. for PHP JIT you would need RUN paxctl -cm /usr/bin/php).

Reason for change

Adds support for hardened environments that build/modify the image, without requiring external repository access.

Proposed code change

In Dockerfile:

RUN apk add --no-cache paxctl
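Added example, not part of the thread or the project's code: a Python check that reads the PT_PAX_FLAGS program header of an ELF file, which is where paxctl stores its markings, so a build can confirm that `paxctl -cm` took effect on a binary. The function names and the constructed ELF stub are hypothetical, and only little-endian ELF is handled.

```python
import struct, sys

PT_GNU_STACK = 0x6474E551
PT_PAX_FLAGS = 0x65041580   # program header type that `paxctl -c` creates
# Flag bits from paxctl's header; upper case = enforced, lower case = disabled.
PAX_BITS = {4: "P", 5: "p", 6: "S", 7: "s", 8: "M", 9: "m",
            10: "X", 11: "x", 12: "E", 13: "e", 14: "R", 15: "r"}

def pax_flags(elf):
    """Return the PaX flag letters from PT_PAX_FLAGS, or None if the header is absent."""
    if len(elf) < 0x40 or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[5] != 1:
        raise ValueError("only little-endian ELF is handled here")
    is64 = elf[4] == 2
    if is64:
        (phoff,) = struct.unpack_from("<Q", elf, 0x20)
        phentsize, phnum = struct.unpack_from("<HH", elf, 0x36)
    else:
        (phoff,) = struct.unpack_from("<I", elf, 0x1C)
        phentsize, phnum = struct.unpack_from("<HH", elf, 0x2A)
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 32 > len(elf):
            raise ValueError("truncated program header table")
        (p_type,) = struct.unpack_from("<I", elf, off)
        if p_type == PT_PAX_FLAGS:
            # p_flags sits at offset 4 in Elf64_Phdr and offset 24 in Elf32_Phdr
            (p_flags,) = struct.unpack_from("<I", elf, off + (4 if is64 else 24))
            return {c for bit, c in PAX_BITS.items() if p_flags & (1 << bit)}
    return None

def mprotect_relaxed(elf):
    """True when MPROTECT is explicitly disabled, the state `paxctl -m` sets."""
    flags = pax_flags(elf)
    return flags is not None and "m" in flags and "M" not in flags

def sample_elf(p_type, p_flags):
    """Constructed 64-bit ELF stub (header plus one program header) for the demo."""
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9)
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return ehdr + struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 0)

if __name__ == "__main__":
    for path in sys.argv[1:]:          # e.g. /usr/bin/php inside the image
        with open(path, "rb") as fh:
            data = fh.read()
        print(path, pax_flags(data), "MPROTECT disabled:", mprotect_relaxed(data))
```

A result of `None` means the binary still has no PT_PAX_FLAGS header, which is the case the `-c` option of paxctl addresses.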

github-actions[bot] commented 2 months ago

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

thedeadliestcatch commented 2 months ago

Note: attr/xattr tools can also be used but AFAIK xattrs in overlayfs are unreliable.

aptalca commented 2 months ago

I don't follow. What is adding paxctl supposed to accomplish by itself? I see. You want without requiring external repository access, but why?

thedeadliestcatch commented 2 months ago

~I don't follow. What is adding paxctl supposed to accomplish by itself?~ I see. You want without requiring external repository access, but why?

Because rebuilding images in systems that don't have external (as in "internet") access will be possible as the paxctl commands can run in a build stage without network access, but package installation does require it (so if it is not included then the build/adjustments will be impossible). I also noticed this could be a usable change for the base images anyway (there are other Alpine-based images in LS that also need paxctl adjustments to run in hardened environments).

There are many solutions to proxy docker for pulls, but they do not apply to the build process (ex. in a docker compose scenario), so if you attempt to download packages from external repos, the build will obviously fail.

TL;DR for the same reason you include/would include 'vi' in the images or any other quality of life tools that allow end-users to do some checks or customizations in the images.

LinuxServer-CI commented 1 month ago

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.

thedeadliestcatch commented 1 month ago

Positively not stale.

LinuxServer-CI commented 4 days ago

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.