feat: use github.com/gardenlinux/seccomp_fake_xattr to enable selinux…

… on selinux builds
gardenlinux · Apr 15, 2024 · 4fce6a5 · 4fce6a5
1 parent f1864b0
commit 4fce6a5
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/Dockerfile b/Dockerfile
@@ -28,5 +28,9 @@ RUN mv /aws_kms_pkcs11.so "/usr/lib/$(uname -m)-linux-gnu/pkcs11/aws_kms_pkcs11.
 COPY builder /builder
 RUN mkdir /builder/cert
 COPY setup_namespace /usr/sbin/setup_namespace
+RUN curl -sSLf https://github.com/gardenlinux/seccomp_fake_xattr/releases/download/latest/seccomp_fake_xattr-$(uname -m).tar.gz \
+	| gzip -d \
+	| tar -xO seccomp_fake_xattr-$(uname -m)/fake_xattr > /usr/bin/fake_xattr \
+	&& chmod +x /usr/bin/fake_xattr
 RUN echo 'root:1:65535' | tee /etc/subuid /etc/subgid > /dev/null
 ENTRYPOINT [ "/usr/sbin/setup_namespace" ]
diff --git a/setup_namespace b/setup_namespace
@@ -7,5 +7,5 @@ if [ "${1-}" = --second-stage ]; then
 	mount -t tmpfs -o size=4G tmpfs /tmp
 	"$@"
 else
-	unshare --map-root-user --map-users auto --map-groups auto --mount "$0" --second-stage "$@"
+	unshare --map-root-user --map-users auto --map-groups auto --mount fake_xattr "$0" --second-stage "$@"
 fi