From 87a5299c83a191aac9267bdd7d9d58cc4bdbbb82 Mon Sep 17 00:00:00 2001
From: Nathan Nguyen
Date: Tue, 17 Oct 2023 15:55:40 +1000
Subject: [PATCH] chore: add SELinux option Z for all read-only volume mounts

---
 scripts/release_scripts/run_macaron.sh | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/scripts/release_scripts/run_macaron.sh b/scripts/release_scripts/run_macaron.sh
index 5aff8c691..54cb3c538 100755
--- a/scripts/release_scripts/run_macaron.sh
+++ b/scripts/release_scripts/run_macaron.sh
@@ -257,7 +257,7 @@ if [[ -n "${arg_defaults_path:-}" ]]; then
 argv_main+=("--defaults-path" "${MACARON_WORKSPACE}/defaults/${file_name}")
 defaults_path="$(ensure_absolute_path "${defaults_path}")"
- mounts+=("-v" "${defaults_path}:${MACARON_WORKSPACE}/defaults/${file_name}:ro")
+ mounts+=("-v" "${defaults_path}:${MACARON_WORKSPACE}/defaults/${file_name}:ro,Z")
 fi
 # Determine the policy path to be mounted into ${MACARON_WORKSPACE}/policy/${file_name}
@@ -268,7 +268,7 @@ if [[ -n "${arg_policy:-}" ]]; then
 argv_main+=("--policy" "${MACARON_WORKSPACE}/policy/${file_name}")
 policy="$(ensure_absolute_path "${policy}")"
- mounts+=("-v" "${policy}:${MACARON_WORKSPACE}/policy/${file_name}:ro")
+ mounts+=("-v" "${policy}:${MACARON_WORKSPACE}/policy/${file_name}:ro,Z")
 fi
 # MACARON entrypoint - Analyze action argvs
@@ -280,7 +280,7 @@ if [[ -n "${arg_template_path:-}" ]]; then
 argv_action+=("--template-path" "${MACARON_WORKSPACE}/template/${file_name}")
 template_path="$(ensure_absolute_path "${template_path}")"
- mounts+=("-v" "${template_path}:${MACARON_WORKSPACE}/template/${file_name}:ro")
+ mounts+=("-v" "${template_path}:${MACARON_WORKSPACE}/template/${file_name}:ro,Z")
 fi
 # Determine the config path to be mounted into ${MACARON_WORKSPACE}/config/${file_name}
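Review bot: The `,Z` suffix added to the defaults mount in the first hunk (and likewise to the policy and template mounts in the next two hunks, and to the config, sbom and provenance-expectation mounts that follow) gives the host file a private, per-container SELinux label, and that relabel persists on the host file after the container exits; if two analyses run at the same time against the same input file, the second relabel takes the file away from the first container. If these inputs are expected to be shared across concurrent runs, the shared label `z` is the better fit, and either way the choice should be recorded at the first such mount, e.g. `# ",Z" relabels the host path with a private SELinux label so the container can read it on enforcing hosts; pick "z" if the file must stay usable by other containers`. The enclosing `if` blocks begin outside the hunks (they appear only as hunk-header context), so the full branch bodies are not visible here.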
@@ -291,7 +291,7 @@ if [[ -n "${arg_config_path:-}" ]]; then
 argv_action+=("--config-path" "${MACARON_WORKSPACE}/config/${file_name}")
 config_path="$(ensure_absolute_path "${config_path}")"
- mounts+=("-v" "${config_path}:${MACARON_WORKSPACE}/config/${file_name}:ro")
+ mounts+=("-v" "${config_path}:${MACARON_WORKSPACE}/config/${file_name}:ro,Z")
 fi
 # Determine the sbom path to be mounted into ${MACARON_WORKSPACE}/sbom/${file_name}
@@ -302,7 +302,7 @@ if [[ -n "${arg_sbom_path:-}" ]]; then
 argv_action+=("--sbom-path" "${MACARON_WORKSPACE}/sbom/${file_name}")
 sbom_path="$(ensure_absolute_path "${sbom_path}")"
- mounts+=("-v" "${sbom_path}:${MACARON_WORKSPACE}/sbom/${file_name}:ro")
+ mounts+=("-v" "${sbom_path}:${MACARON_WORKSPACE}/sbom/${file_name}:ro,Z")
 fi
 # Determine the provenance expectation path to be mounted into ${MACARON_WORKSPACE}/prov_expectations/${file_name}
@@ -313,7 +313,7 @@ if [[ -n "${arg_prov_exp:-}" ]]; then
 argv_action+=("--provenance-expectation" "${MACARON_WORKSPACE}/prov_expectations/${pe_name}")
 prov_exp="$(ensure_absolute_path "${prov_exp}")"
- mounts+=("-v" "${prov_exp}:${MACARON_WORKSPACE}/prov_expectations/${pe_name}:ro")
+ mounts+=("-v" "${prov_exp}:${MACARON_WORKSPACE}/prov_expectations/${pe_name}:ro,Z")
 fi
 # MACARON entrypoint - verify-policy action argvs
@@ -337,17 +337,17 @@ if [[ -n "${arg_datalog_policy_file:-}" ]]; then
 argv_action+=("--file" "${MACARON_WORKSPACE}/policy/${file_name}")
 datalog_policy_file="$(ensure_absolute_path "${datalog_policy_file}")"
- mounts+=("-v" "${datalog_policy_file}:${MACARON_WORKSPACE}/policy/${file_name}:ro")
+ mounts+=("-v" "${datalog_policy_file}:${MACARON_WORKSPACE}/policy/${file_name}:ro,Z")
 fi
 # Determine that ~/.gradle/gradle.properties exists to be mounted into ${MACARON_WORKSPACE}/gradle.properties
 if [[ -f "$HOME/.gradle/gradle.properties" ]]; then
- mounts+=("-v" "$HOME/.gradle/gradle.properties":"${MACARON_WORKSPACE}/gradle.properties:ro")
+ mounts+=("-v" "$HOME/.gradle/gradle.properties":"${MACARON_WORKSPACE}/gradle.properties:ro,Z")
 fi
 # Determine that ~/.m2/settings.xml exists to be mounted into ${MACARON_WORKSPACE}/settings.xml
 if [[ -f "$HOME/.m2/settings.xml" ]]; then
- mounts+=("-v" "$HOME/.m2/settings.xml":"${MACARON_WORKSPACE}/settings.xml:ro")
+ mounts+=("-v" "$HOME/.m2/settings.xml":"${MACARON_WORKSPACE}/settings.xml:ro,Z")
 fi
 # Set up proxy.
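Review bot: Applying `,Z` to `$HOME/.gradle/gradle.properties` and `$HOME/.m2/settings.xml` rewrites the SELinux context of files that live in the user's home directory and are read by host-side Gradle and Maven (and by any other container that mounts them), and the Docker bind-mount documentation warns against relabeling paths under home or system directories for exactly this reason. These two files are also where build credentials typically sit, so a surprise label change there is noticed late and is hard to trace back to this script. A safer pattern is to copy each file into a script-owned `mktemp -d` directory, mount the copy with `,Z`, and remove the directory on exit; the container sees the same read-only content and the originals keep their labels. If the script already installs an EXIT trap elsewhere (not visible in this hunk), fold the cleanup into that trap rather than adding a second one, and this assumes the container runs in the foreground before the script exits. The first `if` of this hunk starts outside it (its header is only hunk context); the two `$HOME` blocks are complete.
```shell
# … unchanged: datalog policy-file mount …

# Mount copies of the user's build settings so the ",Z" relabel lands on the
# copy rather than on the originals under $HOME.
settings_tmp="$(mktemp -d)" || exit 1
trap 'rm -rf -- "${settings_tmp:?}"' EXIT
if [[ -f "$HOME/.gradle/gradle.properties" ]]; then
    cp -- "$HOME/.gradle/gradle.properties" "${settings_tmp}/gradle.properties"
    mounts+=("-v" "${settings_tmp}/gradle.properties:${MACARON_WORKSPACE}/gradle.properties:ro,Z")
fi
# … same copy-then-mount pattern for "$HOME/.m2/settings.xml" …
```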