51 changes: 42 additions & 9 deletions files/common/scripts/run.sh
Expand Up @@ -39,26 +39,59 @@ read -ra DOCKER_RUN_OPTIONS <<< "${DOCKER_RUN_OPTIONS:-}"
[[ -t 0 ]] && DOCKER_RUN_OPTIONS+=("-it")
[[ ${UID} -ne 0 ]] && DOCKER_RUN_OPTIONS+=(-u "${UID}:${DOCKER_GID}")

selinux_relabel() {
if ! selinuxenabled 2>/dev/null; then
# SELinux is not enabled, no processing
printf "%s " "$@"
return
fi

local arg volume
volume=false
for arg; do
if $volume; then
if [[ "$arg" =~ .*:.*:.* ]]; then
printf "%s,z " "$arg"
else
printf "%s:z " "$arg"
fi
volume=false
elif [ "$arg" = --volume ] || [ "$arg" = "-v" ]; then
printf "%s " "$arg"
# Process the next argument
volume=true
else
printf "%s " "$arg"
volume=false
fi
if [[ "$arg" =~ ^type=bind ]]; then
printf -- "--mount type=bind can't be configured for SELinux\nPlease convert '%s' to --volume\n" "$arg" 1>&2
fi
done
}

# $CONTAINER_OPTIONS becomes an empty arg when quoted, so SC2086 is disabled for the
# following command only
# shellcheck disable=SC2086
# selinux_relabel's output must not be quoted, so SC2046 is disabled
# shellcheck disable=SC2046,SC2086
"${CONTAINER_CLI}" run \
--rm \
"${DOCKER_RUN_OPTIONS[@]}" \
--init \
--sig-proxy=true \
--cap-add=SYS_ADMIN \
${DOCKER_SOCKET_MOUNT:--v /var/run/docker.sock:/var/run/docker.sock} \
$(selinux_relabel ${DOCKER_SOCKET_MOUNT:--v /var/run/docker.sock:/var/run/docker.sock}) \
-e DOCKER_HOST=${DOCKER_SOCKET_HOST:-unix:///var/run/docker.sock} \
$CONTAINER_OPTIONS \
--env-file <(env | grep -v ${ENV_BLOCKLIST}) \
-e IN_BUILD_CONTAINER=1 \
-e TZ="${TIMEZONE:-$TZ}" \
--mount "type=bind,source=${MOUNT_SOURCE},destination=/work" \
--mount "type=volume,source=go,destination=/go" \
--mount "type=volume,source=gocache,destination=/gocache" \
--mount "type=volume,source=cache,destination=/home/.cache" \
--mount "type=volume,source=crates,destination=/home/.cargo/registry" \
--mount "type=volume,source=git-crates,destination=/home/.cargo/git" \
${CONDITIONAL_HOST_MOUNTS} \
$(selinux_relabel \
--volume "${MOUNT_SOURCE}:${MOUNT_DEST}" \
--mount "type=volume,source=go,destination=/go" \
--mount "type=volume,source=gocache,destination=/gocache" \
--mount "type=volume,source=cache,destination=/home/.cache" \
--mount "type=volume,source=crates,destination=/home/.cargo/registry" \
--mount "type=volume,source=git-crates,destination=/home/.cargo/git" \
${CONDITIONAL_HOST_MOUNTS}) \
-w "${MOUNT_DEST}" "${IMG}" "$@"
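Review bot: The new `$(selinux_relabel …)` substitutions at the `run` command are unquoted (SC2046 is explicitly disabled for them), so every mount spec the function prints is word-split and glob-expanded before reaching `${CONTAINER_CLI}`; a `MOUNT_SOURCE` containing a space or `*` now breaks the bind mount, whereas the removed `--mount "type=bind,source=${MOUNT_SOURCE},…"` line was quoted. The `printf "%s " "$arg"` style in `selinux_relabel` cannot carry such arguments back safely, so I would have the function fill an array and pass `"${RELABELED_ARGS[@]}"` instead, as sketched below. The unquoted `${CONDITIONAL_HOST_MOUNTS}` has the same splitting problem for a `$HOME` with spaces, but that predates this change. The `type=bind` warning on the `--mount` branch only prints to stderr and still passes the unlabeled mount through; if an unlabeled bind mount is always a mistake here, `return 1` after the message would make it fail loudly.
```shell
# Fills the global RELABELED_ARGS array with "$@", appending :z to each
# --volume/-v spec when SELinux is enabled.  An array (rather than printf to
# stdout) keeps mount specs containing spaces or glob characters intact.
selinux_relabel() {
  local enabled=false volume=false arg
  selinuxenabled 2>/dev/null && enabled=true
  RELABELED_ARGS=()
  for arg; do
    if [[ "$arg" =~ ^type=bind ]]; then
      printf -- "--mount type=bind can't be configured for SELinux\nPlease convert '%s' to --volume\n" "$arg" 1>&2
    fi
    if $volume && $enabled; then
      if [[ "$arg" =~ .*:.*:.* ]]; then
        RELABELED_ARGS+=("${arg},z")
      else
        RELABELED_ARGS+=("${arg}:z")
      fi
      volume=false
    elif [[ "$arg" == --volume || "$arg" == -v ]]; then
      RELABELED_ARGS+=("$arg")
      volume=true
    else
      RELABELED_ARGS+=("$arg")
      volume=false
    fi
  done
}

selinux_relabel \
  --volume "${MOUNT_SOURCE}:${MOUNT_DEST}" \
  --mount "type=volume,source=go,destination=/go" \
  --mount "type=volume,source=gocache,destination=/gocache" \
  --mount "type=volume,source=cache,destination=/home/.cache" \
  --mount "type=volume,source=crates,destination=/home/.cargo/registry" \
  --mount "type=volume,source=git-crates,destination=/home/.cargo/git" \
  ${CONDITIONAL_HOST_MOUNTS}
# … unchanged: "${CONTAINER_CLI}" run --rm … -e TZ="${TIMEZONE:-$TZ}" \ …
  "${RELABELED_ARGS[@]}" \
  -w "${MOUNT_DEST}" "${IMG}" "$@"
```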
13 changes: 8 additions & 5 deletions files/common/scripts/setup_env.sh
Expand Up @@ -120,24 +120,27 @@ done
CONDITIONAL_HOST_MOUNTS="${CONDITIONAL_HOST_MOUNTS:-} "
container_kubeconfig=''

# When adding volumes, bind mounts must use --volume so that they
# can be configured for SELinux labeling

# docker conditional host mount (needed for make docker push)
if [[ -d "${HOME}/.docker" ]]; then
CONDITIONAL_HOST_MOUNTS+="--mount type=bind,source=${HOME}/.docker,destination=/config/.docker,readonly "
CONDITIONAL_HOST_MOUNTS+="--volume ${HOME}/.docker:/config/.docker:ro "
fi

# gcloud conditional host mount (needed for docker push with the gcloud auth configure-docker)
if [[ -d "${HOME}/.config/gcloud" ]]; then
CONDITIONAL_HOST_MOUNTS+="--mount type=bind,source=${HOME}/.config/gcloud,destination=/config/.config/gcloud,readonly "
CONDITIONAL_HOST_MOUNTS+="--volume ${HOME}/.config/gcloud:/config/.config/gcloud:ro "
fi

# gitconfig conditional host mount (needed for git commands inside container)
if [[ -f "${HOME}/.gitconfig" ]]; then
CONDITIONAL_HOST_MOUNTS+="--mount type=bind,source=${HOME}/.gitconfig,destination=/home/.gitconfig,readonly "
CONDITIONAL_HOST_MOUNTS+="--volume ${HOME}/.gitconfig:/home/.gitconfig:ro "
fi

# .netrc conditional host mount (needed for git commands inside container)
if [[ -f "${HOME}/.netrc" ]]; then
CONDITIONAL_HOST_MOUNTS+="--mount type=bind,source=${HOME}/.netrc,destination=/home/.netrc,readonly "
CONDITIONAL_HOST_MOUNTS+="--volume ${HOME}/.netrc:/home/.netrc:ro "
fi

# echo ${CONDITIONAL_HOST_MOUNTS}
Expand All @@ -153,7 +156,7 @@ add_KUBECONFIG_if_exists () {

kubeconfig_random="$(od -vAn -N4 -tx /dev/random | tr -d '[:space:]' | cut -c1-8)"
container_kubeconfig+="/config/${kubeconfig_random}:"
CONDITIONAL_HOST_MOUNTS+="--mount type=bind,source=${local_config},destination=/config/${kubeconfig_random} "
CONDITIONAL_HOST_MOUNTS+="--volume ${local_config}:/config/${kubeconfig_random} "
fi
}

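Review bot: Switching `~/.docker`, `~/.config/gcloud`, `~/.gitconfig`, `~/.netrc` and the kubeconfig to `--volume` means they now receive the `:z` suffix that run.sh appends when SELinux is enabled, and per the Docker/Podman documentation `z` rewrites the SELinux label of the host path itself to a shared container-accessible type; that relabel persists after the container exits and makes these credential files readable by any container on the host, not only this build container. The new comment at the top of the hunk explains why `--volume` is required but not this consequence, so I would extend it: `# NOTE: run.sh appends :z to these, which permanently relabels the host path so any container can read it; only mount paths you own here, never system directories.` If concurrent build containers do not need to share these files, the private `Z` label would be the narrower choice — confirm against the SELinux docs for your container runtime. Separately, the kubeconfig volume is the only one without `:ro` (neither before nor after this change); `--volume ${local_config}:/config/${kubeconfig_random}:ro` would match the other credential mounts unless the container is expected to write back to it.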