build: configure SELinux labels for Docker volumes

When SELinux is enforced the mounted volumes to spun Docker containers are not writable unless the `:z` or `:Z` flag is set[1]. This opts not to share the mounts by using `:Z`. [1] https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label Fixes open-policy-agent#6054 Signed-off-by: Zoran Regvart <[email protected]>
zregvart · Jun 28, 2023 · ec98123 · ec98123
1 parent 917bc9c
commit ec98123
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 14 deletions.
diff --git a/Makefile b/Makefile
@@ -483,7 +483,7 @@ check-go-module:
 	docker run \
 	  $(DOCKER_FLAGS) \
 	  -w /src \
-	  -v $(PWD):/src \
+	  -v $(PWD):/src:Z \
 	  -e 'GOPRIVATE=*' \
 	  --tmpfs /src/.go \
 	  golang:$(GOVERSION) \
@@ -503,14 +503,14 @@ endif
 	@$(DOCKER) run $(DOCKER_FLAGS) \
 		-e GITHUB_TOKEN=$(GITHUB_TOKEN) \
 		-e LAST_VERSION=$(LAST_VERSION) \
-		-v $(PWD):/_src \
+		-v $(PWD):/_src:Z \
 		cmd.cat/make/git/go/python3/perl \
 		/_src/build/gen-release-patch.sh --version=$(VERSION) --source-url=/_src
 
 .PHONY: dev-patch
 dev-patch:
 	@$(DOCKER) run $(DOCKER_FLAGS) \
-		-v $(PWD):/_src \
+		-v $(PWD):/_src:Z \
 		cmd.cat/make/git/go/python3/perl \
 		/_src/build/gen-dev-patch.sh --version=$(VERSION) --source-url=/_src
 
@@ -546,16 +546,16 @@ depr-build-windows: ensure-release-dir
 
 depr-release:
 	$(DOCKER) run $(DOCKER_FLAGS) \
-		-v $(PWD)/$(RELEASE_DIR):/$(RELEASE_DIR) \
-		-v $(PWD):/_src \
+		-v $(PWD)/$(RELEASE_DIR):/$(RELEASE_DIR):Z \
+		-v $(PWD):/_src:Z \
 		-e TELEMETRY_URL=$(TELEMETRY_URL) \
 		$(RELEASE_BUILD_IMAGE) \
 		/_src/build/build-release.sh --version=$(VERSION) --output-dir=/$(RELEASE_DIR) --source-url=/_src
 
 depr-release-local:
 	$(DOCKER) run $(DOCKER_FLAGS) \
-		-v $(PWD)/$(RELEASE_DIR):/$(RELEASE_DIR) \
-		-v $(PWD):/_src \
+		-v $(PWD)/$(RELEASE_DIR):/$(RELEASE_DIR):Z \
+		-v $(PWD):/_src:Z \
 		-e TELEMETRY_URL=$(TELEMETRY_URL) \
 		$(RELEASE_BUILD_IMAGE) \
 		/_src/build/build-release.sh --output-dir=/$(RELEASE_DIR) --source-url=/_src
diff --git a/build/run-wasm-rego-tests.sh b/build/run-wasm-rego-tests.sh
@@ -45,9 +45,9 @@ function generate_testcases {
     docker run \
         --name $TESTGEN_CONTAINER_NAME \
         -u $(id -u):$(id -g) \
-        -v $PWD/.go/bin:/go/bin \
-        -v $PWD:/src \
-        -v $ASSETS:/assets \
+        -v $PWD/.go/bin:/go/bin:Z \
+        -v $PWD:/src:Z \
+        -v $ASSETS:/assets:Z \
         -e GOCACHE=/src/.go/cache \
         -w /src \
         golang:$GOVERSION \

diff --git a/wasm/Makefile b/wasm/Makefile
@@ -66,17 +66,17 @@ push-builder:
 
 .PHONY: build
 build:
-	@$(DOCKER) run $(DOCKER_FLAGS) -v $(CURDIR):/src $(WASM_BUILDER_IMAGE) \
+	@$(DOCKER) run $(DOCKER_FLAGS) -v $(CURDIR):/src:Z $(WASM_BUILDER_IMAGE) \
 	  make --no-builtin-rules $(WASM_OBJ_DIR)/opa.wasm $(WASM_OBJ_DIR)/callgraph.csv
 
 .PHONY: test
 test:
-	@$(DOCKER) run $(DOCKER_FLAGS) -v $(CURDIR):/src $(WASM_BUILDER_IMAGE) make $(WASM_OBJ_DIR)/opa-test.wasm
-	@$(DOCKER) run $(DOCKER_FLAGS) -e VERBOSE -v $(CURDIR):/src -w /src node:14 node test.js $(WASM_OBJ_DIR)/opa-test.wasm
+	@$(DOCKER) run $(DOCKER_FLAGS) -v $(CURDIR):/src:Z $(WASM_BUILDER_IMAGE) make $(WASM_OBJ_DIR)/opa-test.wasm
+	@$(DOCKER) run $(DOCKER_FLAGS) -e VERBOSE -v $(CURDIR):/src:Z -w /src node:14 node test.js $(WASM_OBJ_DIR)/opa-test.wasm
 
 .PHONY: hack
 hack:
-	@$(DOCKER) run $(DOCKER_FLAGS) -v $(CURDIR):/src $(WASM_BUILDER_IMAGE)
+	@$(DOCKER) run $(DOCKER_FLAGS) -v $(CURDIR):/src:Z $(WASM_BUILDER_IMAGE)
 
 $(shell mkdir -p $(WASM_OBJ_DIR)/src/lib)
 $(shell mkdir -p $(WASM_OBJ_DIR)/src/libmpdec)