From 294b376928c2bb702e1c16e6a2b309ff3d8e9d6f Mon Sep 17 00:00:00 2001
|
|
From: Nalin Dahyabhai <nalin@redhat.com>
|
|
Date: Wed, 11 Jun 2025 20:42:30 +0530
|
|
Subject: [PATCH 2/2] run: handle relabeling bind mounts ourselves
|
|
|
|
Handle requested relabeling of bind mounts (i.e., the "z" and "Z" flags)
|
|
directly, instead of letting the runtime handle the relabeling.
|
|
|
|
Bugs: bsc#1242445
|
|
|
|
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
|
|
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
|
|
---
|
|
run_linux.go | 30 ++++++++++++++++++++++++++++++
|
|
1 file changed, 30 insertions(+)
|
|
|
|
diff --git a/run_linux.go b/run_linux.go
|
|
index 5d040cbb9997..e3e65102bc35 100644
|
|
--- a/run_linux.go
|
|
+++ b/run_linux.go
|
|
@@ -542,6 +542,33 @@ rootless=%d
|
|
|
|
defer b.cleanupTempVolumes()
|
|
|
|
+ // Handle mount flags that request that the source locations for "bind" mountpoints be
|
|
+ // relabeled, and filter those flags out of the list of mount options we pass to the
|
|
+ // runtime.
|
|
+ for i := range spec.Mounts {
|
|
+ switch spec.Mounts[i].Type {
|
|
+ default:
|
|
+ continue
|
|
+ case "bind", "rbind":
|
|
+ // all good, keep going
|
|
+ }
|
|
+ zflag := ""
|
|
+ for _, opt := range spec.Mounts[i].Options {
|
|
+ if opt == "z" || opt == "Z" {
|
|
+ zflag = opt
|
|
+ }
|
|
+ }
|
|
+ if zflag == "" {
|
|
+ continue
|
|
+ }
|
|
+ spec.Mounts[i].Options = slices.DeleteFunc(spec.Mounts[i].Options, func(opt string) bool {
|
|
+ return opt == "z" || opt == "Z"
|
|
+ })
|
|
+ if err := relabel(spec.Mounts[i].Source, b.MountLabel, zflag == "z"); err != nil {
|
|
+ return fmt.Errorf("setting file label %q on %q: %w", b.MountLabel, spec.Mounts[i].Source, err)
|
|
+ }
|
|
+ }
|
|
+
|
|
switch isolation {
|
|
case define.IsolationOCI:
|
|
var moreCreateArgs []string
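Review bot: When a bind mount lists both `z` and `Z`, the inner loop over `spec.Mounts[i].Options` keeps whichever flag comes last, so option order alone decides whether the third argument to `relabel` is true or false. In the second hunk, runSetupVolumeMounts calls `relabel(host, mountLabel, true)` first and `relabel(host, mountLabel, false)` afterwards, so the `Z` form always ends up in effect there, and the two paths disagree for the same input. Assuming the third argument selects a shared label, the narrower choice is to let `Z` win regardless of position: `if opt == "Z" || (opt == "z" && zflag == "") { zflag = opt }`. A one-line comment stating the precedence would also help the next reader. The enclosing function begins and ends outside this hunk, so any earlier validation of the option list is not visible here.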
|
|
@@ -1130,16 +1157,19 @@ func (b *Builder) runSetupVolumeMounts(mountLabel string, volumeMounts []string,
|
|
if err := relabel(host, mountLabel, true); err != nil {
|
|
return specs.Mount{}, err
|
|
}
|
|
+ options = slices.DeleteFunc(options, func(o string) bool { return o == "z" })
|
|
}
|
|
if foundZ {
|
|
if err := relabel(host, mountLabel, false); err != nil {
|
|
return specs.Mount{}, err
|
|
}
|
|
+ options = slices.DeleteFunc(options, func(o string) bool { return o == "Z" })
|
|
}
|
|
if foundU {
|
|
if err := chown.ChangeHostPathOwnership(host, true, idMaps.processUID, idMaps.processGID); err != nil {
|
|
return specs.Mount{}, err
|
|
}
|
|
+ options = slices.DeleteFunc(options, func(o string) bool { return o == "U" })
|
|
}
|
|
if foundO {
|
|
if (upperDir != "" && workDir == "") || (workDir != "" && upperDir == "") {
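Review bot: The third added line also strips `U` from `options` after `chown.ChangeHostPathOwnership`, but the commit description only mentions the `z` and `Z` relabel flags, and none of the three removals says why the flag is dropped. A short comment above the first one would record the intent, for example `// Flags handled here are removed so they are not passed on and applied a second time.` It is also worth confirming that nothing later in runSetupVolumeMounts or its callers still inspects `options` for `U`, since the function body continues outside this hunk. The three closures could be folded into a single `slices.DeleteFunc` call after the checks, provided the `found*` variables are derived from the same `options` slice, which is not visible here.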
|
|
--
|
|
2.49.0
|
|
|