opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-10-17 03:04:21 +08:00
Code Issues Packages Projects Releases Wiki Activity

Label host volume mounted content in machine as nfs_t

Browse Source 
While this is potentially a security problem, it solves the issues of
users sharing content from the host into containers and attempting to
relabel it. From a security point of view this means all content volume
mounted from the host into the podman machine on apple hypervisor is
read/write from an SELinux point of view if it is volume mounted into
the container. If the user attempts to use :Z or :z it will work and
relabel the content to be only usable bu the specify container.

Helps Fix: https://github.com/containers/podman/issues/21269

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh
2024-01-18 10:33:37 -05:00
parent 20b22f8f10
commit 75790b42b4
1 changed files with 1 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
pkg/machine/applehv/machine.go
View File

@ -1145,6 +1145,7 @@ func generateSystemDFilesForVirtiofsMounts(mounts []machine.VirtIoFs) []ignition
mountUnit.Add("Mount", "What", "%s")
mountUnit.Add("Mount", "Where", "%s")
mountUnit.Add("Mount", "Type", "virtiofs")
mountUnit.Add("Mount", "Option", "defcontext=\"system_u:object_r:nfs_t:s0\"")
mountUnit.Add("Install", "WantedBy", "multi-user.target")
mountUnitFile, err := mountUnit.ToString()
if err != nil {