[FEAT] Add paxctl and set the correct flags on multiple binaries #429
Comments
Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.
Note: attr/xattr tools can also be used but AFAIK xattrs in overlayfs are unreliable.
Because rebuilding images in systems that don't have external (as in "internet") access will be possible as the paxctl commands can run in a build stage without network access, but package installation does require it (so if it is not included then the build/adjustments will be impossible). I also noticed this could be a usable change for the base images anyway (there are other alpine based images in LS that also need paxctl adjustments to run in hardened environments). There are many solutions to proxy docker for pulls, but they do not apply to the build process (ex. in a docker compose scenario), so if you attempt to download packages from external repos, the build will obviously fail. TL;DR for the same reason you include/would include 'vi' in the images or any other quality of life tools that allow end-users to do some checks or customizations in the images.
This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.
Positively not stale.
@aptalca Any updates?
Wanted change
I would like paxctl to be added to the packages available in the image. This can enable some hardened environments to set the appropriate flags in multiple ELF files/executables.
Like so:
RUN apk add --no-cache paxctl
The end-user can then configure these as needed (ex. for PHP JIT you would need RUN paxctl -cm /usr/bin/php).
Reason for change
Adds support for hardened environments that build/modify the image, without requiring external repository access.
Proposed code change
In Dockerfile:
RUN apk add --no-cache paxctl
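Added example (not code from this issue or from the project it targets): a small Python reader of the ELF program-header table that reports whether a binary already carries the PT_PAX_FLAGS header that `paxctl -c` creates and which PaX flags it sets (for instance NOMPROTECT from `-m`), so a network-less build stage can verify binaries before and after adjustment. It assumes the standard PaX header type 0x65041580 and p_flags bit layout; `build_test_elf64` only builds a constructed, non-loadable sample for offline testing.

```python
import struct

PT_GNU_STACK = 0x6474E551
PT_PAX_FLAGS = 0x65041580  # header type created by `paxctl -c` / `-C`
# PaX p_flags bits (assumed standard layout): each flag has a "NO" twin in the next bit.
PAX_BITS = {
    "PAGEEXEC": 1 << 4, "NOPAGEEXEC": 1 << 5,
    "SEGMEXEC": 1 << 6, "NOSEGMEXEC": 1 << 7,
    "MPROTECT": 1 << 8, "NOMPROTECT": 1 << 9,      # `paxctl -m` sets NOMPROTECT
    "RANDEXEC": 1 << 10, "NORANDEXEC": 1 << 11,
    "EMUTRAMP": 1 << 12, "NOEMUTRAMP": 1 << 13,
    "RANDMMAP": 1 << 14, "NORANDMMAP": 1 << 15,
}

def program_headers(data: bytes):
    """Yield (p_type, p_flags) for each program header; handles ELF32/ELF64, either endianness."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(end + "I", data, off)
        # p_flags follows p_type in ELF64 but comes after the size fields (offset 24) in ELF32
        p_flags, = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
        yield p_type, p_flags

def pax_status(data: bytes) -> dict:
    """Report whether PT_GNU_STACK / PT_PAX_FLAGS are present and which PaX flag names are set."""
    status = {"has_pax_header": False, "has_gnu_stack": False, "flags": []}
    for p_type, p_flags in program_headers(data):
        if p_type == PT_GNU_STACK:
            status["has_gnu_stack"] = True
        elif p_type == PT_PAX_FLAGS:
            status["has_pax_header"] = True
            status["flags"] = [name for name, bit in PAX_BITS.items() if p_flags & bit]
    return status

def mprotect_disabled(data: bytes) -> bool:
    """True when the binary carries what `paxctl -cm` leaves behind: PT_PAX_FLAGS with NOMPROTECT."""
    s = pax_status(data)
    return s["has_pax_header"] and "NOMPROTECT" in s["flags"]

def build_test_elf64(phdrs) -> bytes:
    """Constructed sample only: ELF64 LE header plus the given (p_type, p_flags) headers; not loadable."""
    hdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    hdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return hdr + b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
```

Run `pax_status(open("/usr/bin/php", "rb").read())` inside the build stage to confirm the header and flags before shipping the image.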