

build: configure SELinux labels for Docker volumes (open-policy-agent…
…#6055)

When SELinux is in enforcing mode, volumes bind-mounted into the Docker containers we spawn
are not writable unless the `:z` or `:Z` option is set on the mount[1].

This opts not to share the mounts by using `:Z`.

[1] https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label

Fixes open-policy-agent#6054

Signed-off-by: Zoran Regvart <[email protected]>
Co-authored-by: Johan Fylling <[email protected]>
zregvart and johanfylling authored Jun 29, 2023
1 parent 86ec33e commit a50c134
Showing 3 changed files with 14 additions and 14 deletions.
14 changes: 7 additions & 7 deletions Makefile
Expand Up @@ -483,7 +483,7 @@ check-go-module:
docker run \
$(DOCKER_FLAGS) \
-w /src \
-v $(PWD):/src \
-v $(PWD):/src:Z \
-e 'GOPRIVATE=*' \
--tmpfs /src/.go \
golang:$(GOVERSION) \
Expand All @@ -503,14 +503,14 @@ endif
@$(DOCKER) run $(DOCKER_FLAGS) \
-e GITHUB_TOKEN=$(GITHUB_TOKEN) \
-e LAST_VERSION=$(LAST_VERSION) \
-v $(PWD):/_src \
-v $(PWD):/_src:Z \
cmd.cat/make/git/go/python3/perl \
/_src/build/gen-release-patch.sh --version=$(VERSION) --source-url=/_src

.PHONY: dev-patch
dev-patch:
@$(DOCKER) run $(DOCKER_FLAGS) \
-v $(PWD):/_src \
-v $(PWD):/_src:Z \
cmd.cat/make/git/go/python3/perl \
/_src/build/gen-dev-patch.sh --version=$(VERSION) --source-url=/_src

Expand Down Expand Up @@ -546,16 +546,16 @@ depr-build-windows: ensure-release-dir

depr-release:
$(DOCKER) run $(DOCKER_FLAGS) \
-v $(PWD)/$(RELEASE_DIR):/$(RELEASE_DIR) \
-v $(PWD):/_src \
-v $(PWD)/$(RELEASE_DIR):/$(RELEASE_DIR):Z \
-v $(PWD):/_src:Z \
-e TELEMETRY_URL=$(TELEMETRY_URL) \
$(RELEASE_BUILD_IMAGE) \
/_src/build/build-release.sh --version=$(VERSION) --output-dir=/$(RELEASE_DIR) --source-url=/_src

depr-release-local:
$(DOCKER) run $(DOCKER_FLAGS) \
-v $(PWD)/$(RELEASE_DIR):/$(RELEASE_DIR) \
-v $(PWD):/_src \
-v $(PWD)/$(RELEASE_DIR):/$(RELEASE_DIR):Z \
-v $(PWD):/_src:Z \
-e TELEMETRY_URL=$(TELEMETRY_URL) \
$(RELEASE_BUILD_IMAGE) \
/_src/build/build-release.sh --output-dir=/$(RELEASE_DIR) --source-url=/_src
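Review bot: The `:Z` suffix is now repeated on every bind mount in this file with nothing saying why, so the next person tidying these `docker run` lines has no cue that dropping it breaks SELinux-enforcing hosts; a one-line comment above `check-go-module` such as `# :Z relabels the bind mount with a private SELinux label so the container can write to it (see #6054)` would anchor it. Note also that `:Z` recursively relabels the whole host tree under `$(PWD)` on every run and the label is container-private, so if two of these targets run at the same time (e.g. `make -j dev-patch release-patch`) each container relabels the same directory and the earlier one can lose access to `/_src` mid-run; `:z` is the shared-label variant if concurrent use is expected. The `depr-release` targets mount `$(PWD)/$(RELEASE_DIR)` inside `$(PWD)` from the same container, so those two relabels carry the same label and do not conflict.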
6 changes: 3 additions & 3 deletions build/run-wasm-rego-tests.sh
Expand Up @@ -45,9 +45,9 @@ function generate_testcases {
docker run \
--name $TESTGEN_CONTAINER_NAME \
-u $(id -u):$(id -g) \
-v $PWD/.go/bin:/go/bin \
-v $PWD:/src \
-v $ASSETS:/assets \
-v $PWD/.go/bin:/go/bin:Z \
-v $PWD:/src:Z \
-v $ASSETS:/assets:Z \
-e GOCACHE=/src/.go/cache \
-w /src \
golang:$GOVERSION \
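Review bot: `-v $ASSETS:/assets:Z` recursively relabels whatever host directory `$ASSETS` points at with a label private to this one container; if that directory is shared with other containers or host tooling (its definition is outside this hunk, so I cannot tell), the shared `:z` variant is the safer choice there, because a private relabel revokes access for everything else using it. The `$PWD/.go/bin` mount sits inside the `$PWD` mount, so it is relabelled twice with the same label — harmless, but a comment such as `# :Z — private SELinux relabel so the container can write to the mounts (see #6054)` above the `docker run` would keep the suffix from being stripped later. `generate_testcases` continues below the hunk.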
8 changes: 4 additions & 4 deletions wasm/Makefile
Expand Up @@ -66,17 +66,17 @@ push-builder:

.PHONY: build
build:
@$(DOCKER) run $(DOCKER_FLAGS) -v $(CURDIR):/src $(WASM_BUILDER_IMAGE) \
@$(DOCKER) run $(DOCKER_FLAGS) -v $(CURDIR):/src:Z $(WASM_BUILDER_IMAGE) \
make --no-builtin-rules $(WASM_OBJ_DIR)/opa.wasm $(WASM_OBJ_DIR)/callgraph.csv

.PHONY: test
test:
@$(DOCKER) run $(DOCKER_FLAGS) -v $(CURDIR):/src $(WASM_BUILDER_IMAGE) make $(WASM_OBJ_DIR)/opa-test.wasm
@$(DOCKER) run $(DOCKER_FLAGS) -e VERBOSE -v $(CURDIR):/src -w /src node:14 node test.js $(WASM_OBJ_DIR)/opa-test.wasm
@$(DOCKER) run $(DOCKER_FLAGS) -v $(CURDIR):/src:Z $(WASM_BUILDER_IMAGE) make $(WASM_OBJ_DIR)/opa-test.wasm
@$(DOCKER) run $(DOCKER_FLAGS) -e VERBOSE -v $(CURDIR):/src:Z -w /src node:14 node test.js $(WASM_OBJ_DIR)/opa-test.wasm

.PHONY: hack
hack:
@$(DOCKER) run $(DOCKER_FLAGS) -v $(CURDIR):/src $(WASM_BUILDER_IMAGE)
@$(DOCKER) run $(DOCKER_FLAGS) -v $(CURDIR):/src:Z $(WASM_BUILDER_IMAGE)

$(shell mkdir -p $(WASM_OBJ_DIR)/src/lib)
$(shell mkdir -p $(WASM_OBJ_DIR)/src/libmpdec)
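Review bot: `build`, `test` and `hack` each relabel `$(CURDIR)` with a fresh container-private MCS label via `:Z`, and such labels are mutually exclusive, so under `make -j` or with a `hack` shell left open while `make test` runs, the later container's relabel can deny the earlier one access to `/src` mid-build. If overlapping containers on the same tree are expected, `:z` (shared label) is the appropriate option; otherwise a comment near `build` such as `# :Z — private SELinux relabel of $(CURDIR); do not run these targets concurrently on an enforcing host` documents the constraint. The two back-to-back runs inside `test` are fine as written, since each relabel happens before the next container starts and nothing else holds the old label.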
