Label all content inside of VM volume mounted from host as container_file_t

While this is potentially a security problem, it solves the issues of
users sharing content from the host into containers and attempting to
relabel it. From a security point of view this means all content volume
mounted from the host into the podman machine on apple hypervisor is
read/write from an SELinux point of view if it is volume mounted into
the container. If the user attempts to use :Z it will work and
relabel the content to be only usable by the specified container.
:z will continue to work, but will have no effect since the content is
already labeled with a shared content label.

Helps Fix: containers#21269

Signed-off-by: Daniel J Walsh <[email protected]>
rhatdan committed Jan 18, 2024
1 parent 20b22f8 commit 1d7670a
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions pkg/machine/applehv/machine.go
Expand Up @@ -1145,6 +1145,7 @@ func generateSystemDFilesForVirtiofsMounts(mounts []machine.VirtIoFs) []ignition
mountUnit.Add("Mount", "What", "%s")
mountUnit.Add("Mount", "Where", "%s")
mountUnit.Add("Mount", "Type", "virtiofs")
mountUnit.Add("Mount", "Option", "defcontext=\"system_u:object_r:container_file_t:s0\"")
mountUnit.Add("Install", "WantedBy", "multi-user.target")
mountUnitFile, err := mountUnit.ToString()
if err != nil {
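Review bot: the added line `mountUnit.Add("Mount", "Option", "defcontext=\"system_u:object_r:container_file_t:s0\"")` writes an `Option=` key, but the `[Mount]` section of a systemd.mount unit defines `Options=` (plural); systemd treats an unknown key as a warning and ignores it, so the virtiofs mount would come up with no `defcontext` at all and the host content would stay unlabeled exactly as before this change. Change the key to `"Options"` and verify inside the machine with `mount | grep virtiofs` that `defcontext=system_u:object_r:container_file_t:s0` actually appears in the mount options, which also confirms that the escaped double quotes in the Go string survive the unit file and mount(8) in a form the kernel accepts. Since `container_file_t:s0` carries no MCS categories, every container gets read/write access to the shared content, as the commit message states; a short comment above this line recording that trade-off, and why `defcontext` was chosen over `context=` so that `:Z` can still relabel, would help future maintainers.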
