diff --git a/README.md b/README.md
index c469d33f..82d9c811 100644
--- a/README.md
+++ b/README.md
@@ -222,6 +222,18 @@ engine with `--container-engine=`.
 You can enable ccache with `--enable-cache` flag. This will mount your `$CCACHE_DIR` or `$HOME/.ccache` inside the container.
+If SELinux is in use, the Proton build container may fail to access your
+user's files. This is caused by [SELinux's filesystem labels][selinux-labels].
+You may pass the --relabel-volumes switch to configure to cause the
+[container engine to relabel its bind-mounts][bind-mounts] and allow access
+to those files from within the container. This can be dangerous when used
+with system directories. Proceed with caution and refer your container
+engine's manual.
+
+[selinux-labels]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-working_with_selinux-selinux_contexts_labeling_files
+[bind-mounts]: https://docs.docker.com/storage/bind-mounts/
+
+
 Example: mkdir build && cd build
diff --git a/build/makefile_base.mak b/build/makefile_base.mak
index c9f14bc0..2ce91a25 100644
--- a/build/makefile_base.mak
+++ b/build/makefile_base.mak
@@ -58,7 +58,7 @@ CCACHE_ENV := $(patsubst %,-e %,$(shell env|cut -d= -f1|grep '^CCACHE_'))
 ifeq ($(ENABLE_CCACHE),1)
 CCACHE_BIN := ccache
 export CCACHE_DIR := $(if $(CCACHE_DIR),$(CCACHE_DIR),$(HOME)/.ccache)
- DOCKER_OPTS := -v $(CCACHE_DIR):$(CCACHE_DIR) $(CCACHE_ENV) -e CCACHE_DIR=$(CCACHE_DIR) $(DOCKER_OPTS)
+ DOCKER_OPTS := -v $(CCACHE_DIR):$(CCACHE_DIR)$(CONTAINER_MOUNT_OPTS) $(CCACHE_ENV) -e CCACHE_DIR=$(CCACHE_DIR) $(DOCKER_OPTS)
 else
 export CCACHE_DISABLE := 1
 DOCKER_OPTS := $(CCACHE_ENV) -e CCACHE_DISABLE=1 $(DOCKER_OPTS)
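Review bot: `$(CONTAINER_MOUNT_OPTS)` is appended to the ccache bind-mount on the changed `DOCKER_OPTS :=` line, but nothing in makefile_base.mak defines or explains it; configure.sh only writes it into the generated Makefile when `--relabel-volumes` was given (see the `echo "CONTAINER_MOUNT_OPTS := ..."` hunk), so in every other build it is an undefined variable that silently expands to nothing. That is harmless today, and the ordering is already relied upon for `$(DOCKER_OPTS)` on the same line, but a documented default near the top of the file would make the knob visible and keep `--warn-undefined-variables` quiet: `# Suffix appended to every bind-mount spec (e.g. ":Z"); written by configure.sh --relabel-volumes, empty otherwise.` followed by `CONTAINER_MOUNT_OPTS ?=`. The `DOCKER_BASE` hunk in the next section applies the same suffix to `$(SRC)` and `$(OBJ)`, so one comment covers both uses. The proposed default and comment would live outside this hunk.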
@@ -72,7 +72,7 @@ ifeq ($(CONTAINER_ENGINE),)
 CONTAINER_ENGINE := docker
 endif
-DOCKER_BASE = $(CONTAINER_ENGINE) run --rm -v $(SRC):$(SRC) -v $(OBJ):$(OBJ) \
+DOCKER_BASE = $(CONTAINER_ENGINE) run --rm -v $(SRC):$(SRC)$(CONTAINER_MOUNT_OPTS) -v $(OBJ):$(OBJ)$(CONTAINER_MOUNT_OPTS) \
 -w $(OBJ) -e MAKEFLAGS \
 $(DOCKER_OPTS) $(STEAMRT_IMAGE)
diff --git a/configure.sh b/configure.sh
index 307e28a7..ac2a16f2 100755
--- a/configure.sh
+++ b/configure.sh
@@ -57,6 +57,8 @@ dependency_afdko() {
 fi
 }
+CONTAINER_MOUNT_OPTS=""
+
 check_container_engine() {
 info "Making sure that the container engine is working."
 if ! cmd $arg_container_engine run --rm $arg_protonsdk_image; then
@@ -64,12 +66,15 @@ check_container_engine() {
 fi
 touch permission_check
- local inner_uid="$($arg_container_engine run -v "$(pwd):/test" \
+ local inner_uid="$($arg_container_engine run -v "$(pwd):/test$CONTAINER_MOUNT_OPTS" \
 --rm $arg_protonsdk_image \
- stat --format "%u" /test/permission_check)"
+ stat --format "%u" /test/permission_check 2>&1)"
 rm permission_check
- if [ "$inner_uid" -eq 0 ]; then
+ if [[ $inner_uid == *"Permission denied"* ]]; then
+ err "The container cannot access files. Are you using SELinux?"
+ die "Please read README.md and check your $arg_container_engine setup works."
+ elif [ "$inner_uid" -eq 0 ]; then
 # namespace maps the user as root or the build is performed as host's root
 ROOTLESS_CONTAINER=1
 elif [ "$inner_uid" -eq "$(id -u)" ]; then
@@ -130,6 +135,10 @@ function configure() {
 die "Missing dependencies, cannot continue."
 fi
+ if [[ -n "$arg_relabel_volumes" ]]; then
+ CONTAINER_MOUNT_OPTS=:Z
+ fi
+
 if [[ -n "$arg_container_engine" ]]; then
 check_container_engine
 fi
@@ -154,6 +163,9 @@ function configure() {
 if [[ -n "$arg_docker_opts" ]]; then
 echo "DOCKER_OPTS := $arg_docker_opts"
 fi
+ if [[ -n "$CONTAINER_MOUNT_OPTS" ]]; then
+ echo "CONTAINER_MOUNT_OPTS := $CONTAINER_MOUNT_OPTS"
+ fi
 if [[ -n "$arg_enable_ccache" ]]; then
 echo "ENABLE_CCACHE := 1"
 fi
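Review bot: The added `2>&1` on the `stat` capture means `inner_uid` can now hold arbitrary stderr text, but the new branch only recognises the `Permission denied` substring; any other failure (a different stat error, an engine warning emitted on stderr together with the uid) reaches `[ "$inner_uid" -eq 0 ]`, which bash rejects with an "integer expression expected" diagnostic instead of a clear message, and the function carries on with `ROOTLESS_CONTAINER` unset. A numeric guard before the uid comparisons closes that gap: `elif [[ ! $inner_uid =~ ^[0-9]+$ ]]; then` / `die "Unexpected output from $arg_container_engine: $inner_uid"`. The substring match also assumes the SDK image's `stat` prints its errors in English, which the pinned image presumably guarantees; a one-line comment saying so would help the next reader. check_container_engine continues past the end of this hunk.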
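Review bot: `CONTAINER_MOUNT_OPTS=:Z` is hard-coded in the `configure()` hunk with no comment on what it does: `:Z` asks the engine for a private, unshared SELinux label on the host directory, applied recursively and left in place after the container exits, and via `CONTAINER_MOUNT_OPTS` it reaches the build directory, `$(SRC)`, `$(OBJ)` and a user-supplied `$CCACHE_DIR`. A ccache directory shared with other containers and relabeled this way becomes unreadable to them until relabeled again, which the README's "system directories" warning does not quite cover. Suggest `# :Z = private SELinux label; the engine relabels the host directory recursively and the change persists (see README)` above the assignment, noting that `:z` is the shared-label variant if that is ever needed. configure() starts and ends outside this hunk.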
@@ -179,6 +191,7 @@ arg_no_protonsdk=""
 arg_build_name=""
 arg_container_engine="docker"
 arg_docker_opts=""
+arg_relabel_volumes=""
 arg_enable_ccache=""
 arg_help=""
 invalid_args=""
@@ -222,6 +235,8 @@ function parse_args() {
 elif [[ $arg = --docker-opts ]]; then
 arg_docker_opts="$val"
 val_used=1
+ elif [[ $arg = --relabel-volumes ]]; then
+ arg_relabel_volumes="1"
 elif [[ $arg = --enable-ccache ]]; then
 arg_enable_ccache="1"
 elif [[ $arg = --proton-sdk-image ]]; then
@@ -280,6 +295,8 @@ usage() {
 "$1" ""
 "$1" " --docker-opts='' Extra options to pass to Docker when invoking the runtime."
 "$1" ""
+ "$1" " --relabel-volumes Bind-mounted volumes will be relabeled. Use with caution."
+ "$1" ""
 "$1" " --enable-ccache Mount \$CCACHE_DIR or \$HOME/.ccache inside of the container and use ccache for the build."
 "$1" ""
 "$1" " Steam Runtime"