Valve/Proton
1
0
Fork 0
mirror of https://github.com/ValveSoftware/Proton.git synced 2025-07-06 17:25:02 +03:00
Code Issues Packages Projects Releases Wiki Activity

Add option to disable SELinux labeling for container volumes.

Browse Source 
Adds --disable-labeling to configure.sh. Passing this option
passes --security-opt label=disable to the container, which
disables SELinux labeling.
This commit is contained in:
brndd 2024-08-24 08:29:48 +03:00
parent 962bbc4e74
commit e4d042f465
2 changed files with 16 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Makefile.in
View File

@ -1150,6 +1150,10 @@ else
override DOCKER_OPTS := $(CCACHE_ENV) -e CCACHE_DISABLE=1 $(DOCKER_OPTS) override DOCKER_OPTS := $(CCACHE_ENV) -e CCACHE_DISABLE=1 $(DOCKER_OPTS)
endif endif
ifeq ($(DISABLE_LABELING),1)
override DOCKER_OPTS := --security-opt label=disable $(DOCKER_OPTS)
endif
export CARGO_HOME := $(if $(CARGO_HOME),$(CARGO_HOME),$(HOME)/.cargo) export CARGO_HOME := $(if $(CARGO_HOME),$(CARGO_HOME),$(HOME)/.cargo)
override DOCKER_OPTS := -v $(CARGO_HOME):$(CARGO_HOME)$(CONTAINER_MOUNT_OPTS) -e CARGO_HOME=$(CARGO_HOME) $(DOCKER_OPTS) override DOCKER_OPTS := -v $(CARGO_HOME):$(CARGO_HOME)$(CONTAINER_MOUNT_OPTS) -e CARGO_HOME=$(CARGO_HOME) $(DOCKER_OPTS)

13
configure.sh
View File

@ -55,14 +55,19 @@ check_container_engine() {
return 1 return 1
fi fi
label_opt=""
if [[ -n $arg_disable_labeling ]]; then
label_opt="--security-opt label=disable"
fi
touch permission_check touch permission_check
local inner_uid="$($1 run -v "$(pwd):/test$CONTAINER_MOUNT_OPTS" \ local inner_uid="$($1 run -v "$(pwd):/test$CONTAINER_MOUNT_OPTS" \
$label_opt \
--rm $2 \ --rm $2 \
stat --format "%u" /test/permission_check 2>&1)" stat --format "%u" /test/permission_check 2>&1)"
rm permission_check rm permission_check
if [[ $inner_uid == *"Permission denied"* ]]; then if [[ $inner_uid == *"Permission denied"* ]]; then
err "The container cannot access files. Are you using SELinux?" err "The container cannot access files. If you're using SELinux, try passing --disable-labeling or --relabel-volumes."
die "Please read README.md and check your $1 setup works." die "Please read README.md and check your $1 setup works."
elif [ "$inner_uid" -eq 0 ]; then elif [ "$inner_uid" -eq 0 ]; then
# namespace maps the user as root or the build is performed as host's root # namespace maps the user as root or the build is performed as host's root
@ -164,6 +169,9 @@ function configure() {
if [[ -n "$arg_docker_opts" ]]; then if [[ -n "$arg_docker_opts" ]]; then
echo "DOCKER_OPTS := $arg_docker_opts" echo "DOCKER_OPTS := $arg_docker_opts"
fi fi
if [[ -n "$arg_disable_labeling" ]]; then
echo "DISABLE_LABELING := 1"
fi
if [[ -n "$CONTAINER_MOUNT_OPTS" ]]; then if [[ -n "$CONTAINER_MOUNT_OPTS" ]]; then
echo "CONTAINER_MOUNT_OPTS := $CONTAINER_MOUNT_OPTS" echo "CONTAINER_MOUNT_OPTS := $CONTAINER_MOUNT_OPTS"
fi fi
@ -191,6 +199,7 @@ arg_protonsdk_image=""
arg_build_name="" arg_build_name=""
arg_container_engine="" arg_container_engine=""
arg_docker_opts="" arg_docker_opts=""
arg_disable_labeling=""
arg_relabel_volumes="" arg_relabel_volumes=""
arg_enable_ccache="" arg_enable_ccache=""
arg_enable_bear="" arg_enable_bear=""
@ -238,6 +247,8 @@ function parse_args() {
val_used=1 val_used=1
elif [[ $arg = --relabel-volumes ]]; then elif [[ $arg = --relabel-volumes ]]; then
arg_relabel_volumes="1" arg_relabel_volumes="1"
elif [[ $arg = --disable-labeling ]]; then
arg_disable_labeling="1"
elif [[ $arg = --enable-ccache ]]; then elif [[ $arg = --enable-ccache ]]; then
arg_enable_ccache="1" arg_enable_ccache="1"
elif [[ $arg = --enable-bear ]]; then elif [[ $arg = --enable-bear ]]; then