fix: enabled z volumes bind flag only on linux with SELinux

supabase · Sep 14, 2024 · 7e1776d · 7e1776d
1 parent fda30db
commit 7e1776d
Show file tree

Hide file tree

Showing 10 changed files with 49 additions and 17 deletions.
diff --git a/internal/db/test/test.go b/internal/db/test/test.go
@@ -43,7 +43,7 @@ func Run(ctx context.Context, testFiles []string, config pgconn.Config, fsys afe
 		return errors.Errorf("failed to resolve absolute path: %w", err)
 	}
 	dstPath := "/tmp"
-	binds := []string{fmt.Sprintf("%s:%s:ro,z", srcPath, dstPath)}
+	binds := []string{fmt.Sprintf("%s:%s:%s", srcPath, dstPath, utils.GetVolumeBindMode("ro"))}
 	// Enable pgTAP if not already exists
 	alreadyExists := false
 	options = append(options, func(cc *pgx.ConnConfig) {

diff --git a/internal/functions/deploy/bundle.go b/internal/functions/deploy/bundle.go
@@ -100,8 +100,8 @@ func GetBindMounts(cwd, hostFuncDir, hostOutputDir, hostEntrypointDir, hostImpor
 	binds := []string{
 		// Reuse deno cache directory, ie. DENO_DIR, between container restarts
 		// https://denolib.gitbook.io/guide/advanced/deno_dir-code-fetch-and-cache
-		utils.EdgeRuntimeId + ":/root/.cache/deno:rw,z",
-		hostFuncDir + ":" + dockerFuncDir + ":ro,z",
+		utils.EdgeRuntimeId + ":/root/.cache/deno:" + utils.GetVolumeBindMode("rw"),
+		hostFuncDir + ":" + dockerFuncDir + ":" + utils.GetVolumeBindMode("ro"),
 	}
 	if len(hostOutputDir) > 0 {
 		if !filepath.IsAbs(hostOutputDir) {
@@ -112,7 +112,7 @@ func GetBindMounts(cwd, hostFuncDir, hostOutputDir, hostEntrypointDir, hostImpor
 		}
 		if !strings.HasPrefix(hostOutputDir, hostFuncDir) {
 			dockerOutputDir := utils.ToDockerPath(hostOutputDir)
-			binds = append(binds, hostOutputDir+":"+dockerOutputDir+":rw,z")
+			binds = append(binds, hostOutputDir+":"+dockerOutputDir+":"+utils.GetVolumeBindMode("rw"))
 		}
 	}
 	// Allow entrypoints outside the functions directory
@@ -126,7 +126,7 @@ func GetBindMounts(cwd, hostFuncDir, hostOutputDir, hostEntrypointDir, hostImpor
 		if !strings.HasPrefix(hostEntrypointDir, hostFuncDir) &&
 			!strings.HasPrefix(hostEntrypointDir, hostOutputDir) {
 			dockerEntrypointDir := utils.ToDockerPath(hostEntrypointDir)
-			binds = append(binds, hostEntrypointDir+":"+dockerEntrypointDir+":ro,z")
+			binds = append(binds, hostEntrypointDir+":"+dockerEntrypointDir+":"+utils.GetVolumeBindMode("ro"))
 		}
 	}
 	// Imports outside of ./supabase/functions will be bound by absolute path
@@ -140,7 +140,7 @@ func GetBindMounts(cwd, hostFuncDir, hostOutputDir, hostEntrypointDir, hostImpor
 		}
 		modules := importMap.BindHostModules()
 		dockerImportMapPath := utils.ToDockerPath(hostImportMapPath)
-		modules = append(modules, hostImportMapPath+":"+dockerImportMapPath+":ro,z")
+		modules = append(modules, hostImportMapPath+":"+dockerImportMapPath+":"+utils.GetVolumeBindMode("ro"))
 		// Remove any duplicate mount points
 		for _, mod := range modules {
 			hostPath := strings.Split(mod, ":")[0]

diff --git a/internal/functions/download/download.go b/internal/functions/download/download.go
@@ -173,9 +173,9 @@ func extractOne(ctx context.Context, slug, eszipPath string) error {
 	binds := []string{
 		// Reuse deno cache directory, ie. DENO_DIR, between container restarts
 		// https://denolib.gitbook.io/guide/advanced/deno_dir-code-fetch-and-cache
-		utils.EdgeRuntimeId + ":/root/.cache/deno:rw,z",
-		hostEszipPath + ":" + dockerEszipPath + ":ro,z",
-		hostFuncDirPath + ":" + utils.DockerDenoDir + ":rw,z",
+		utils.EdgeRuntimeId + ":/root/.cache/deno:" + utils.GetVolumeBindMode("rw"),
+		hostEszipPath + ":" + dockerEszipPath + ":" + utils.GetVolumeBindMode("ro"),
+		hostFuncDirPath + ":" + utils.DockerDenoDir + ":" + utils.GetVolumeBindMode("rw"),
 	}
 
 	return utils.DockerRunOnceWithConfig(

diff --git a/internal/start/start.go b/internal/start/start.go
@@ -316,7 +316,7 @@ EOF
 			if utils.Docker.DaemonHost() != client.DefaultDockerHost {
 				fmt.Fprintln(os.Stderr, utils.Yellow("WARNING:"), "analytics requires mounting default docker socket:", parsed.Host)
 			}
-			binds = append(binds, fmt.Sprintf("%[1]s:%[1]s:ro,z", parsed.Host))
+			binds = append(binds, fmt.Sprintf("%[1]s:%[1]s:"+utils.GetVolumeBindMode("ro"), parsed.Host))
 		}
 		if _, err := utils.DockerStart(
 			ctx,
@@ -386,7 +386,7 @@ EOF
 				}
 			}
 			dockerPath := path.Join(nginxEmailTemplateDir, id+filepath.Ext(hostPath))
-			binds = append(binds, fmt.Sprintf("%s:%s:rw,z", hostPath, dockerPath))
+			binds = append(binds, fmt.Sprintf("%s:%s:%s", hostPath, dockerPath, utils.GetVolumeBindMode("rw")))
 		}
 
 		dockerPort := uint16(8000)

diff --git a/internal/utils/deno.go b/internal/utils/deno.go
@@ -271,15 +271,15 @@ func (m *ImportMap) BindHostModules() []string {
 			continue
 		}
 		dockerPath := ToDockerPath(hostPath)
-		binds = append(binds, hostPath+":"+dockerPath+":ro,z")
+		binds = append(binds, hostPath+":"+dockerPath+":"+GetVolumeBindMode("ro"))
 	}
 	for _, mapping := range m.Scopes {
 		for _, hostPath := range mapping {
 			if !filepath.IsAbs(hostPath) || strings.HasPrefix(hostPath, hostFuncDir) {
 				continue
 			}
 			dockerPath := ToDockerPath(hostPath)
-			binds = append(binds, hostPath+":"+dockerPath+":ro,z")
+			binds = append(binds, hostPath+":"+dockerPath+":"+GetVolumeBindMode("ro"))
 		}
 	}
 	return binds

diff --git a/internal/utils/deno_test.go b/internal/utils/deno_test.go
@@ -76,9 +76,9 @@ func TestBindModules(t *testing.T) {
 		mods := importMap.BindHostModules()
 		// Check error
 		assert.ElementsMatch(t, mods, []string{
-			"/tmp/:/tmp/:ro,z",
-			cwd + "/common:" + cwd + "/common:ro,z",
-			cwd + "/supabase/tests:" + cwd + "/supabase/tests:ro,z",
+			"/tmp/:/tmp/:" + GetVolumeBindMode("ro"),
+			cwd + "/common:" + cwd + "/common:" + GetVolumeBindMode("ro"),
+			cwd + "/supabase/tests:" + cwd + "/supabase/tests:" + GetVolumeBindMode("ro"),
 		})
 	})
 

diff --git a/internal/utils/docker.go b/internal/utils/docker.go
@@ -454,6 +454,10 @@ func DockerExecOnceWithStream(ctx context.Context, containerId, workdir string,
 	return err
 }
 
+func GetVolumeBindMode(mode string) string {
+	return getVolumeBindMode(mode)
+}
+
 var portErrorPattern = regexp.MustCompile("Bind for (.*) failed: port is already allocated")
 
 func parsePortBindError(err error) string {

diff --git a/internal/utils/docker_darwin.go b/internal/utils/docker_darwin.go
@@ -9,3 +9,7 @@ var extraHosts []string
 func isUserDefined(mode container.NetworkMode) bool {
 	return mode.IsUserDefined()
 }
+
+func getVolumeBindMode(mode string) string {
+	return mode
+}
diff --git a/internal/utils/docker_linux.go b/internal/utils/docker_linux.go
@@ -2,11 +2,31 @@
 
 package utils
 
-import "github.com/docker/docker/api/types/container"
+import (
+	"os"
+	"runtime"
+
+	"github.com/docker/docker/api/types/container"
+)
 
 // Allows containers to resolve host network: https://stackoverflow.com/a/62431165
 var extraHosts = []string{DinDHost + ":host-gateway"}
 
 func isUserDefined(mode container.NetworkMode) bool {
 	return mode.IsUserDefined()
 }
+
+func isSELinuxEnabled() bool {
+	if runtime.GOOS != "linux" {
+		return false
+	}
+	_, err := os.Stat("/sys/fs/selinux")
+	return err == nil
+}
+
+func getVolumeBindMode(mode string) string {
+	if isSELinuxEnabled() {
+		return mode + ",z"
+	}
+	return mode
+}
diff --git a/internal/utils/docker_windows.go b/internal/utils/docker_windows.go
@@ -13,3 +13,7 @@ func isUserDefined(mode container.NetworkMode) bool {
 	// Host network requires explicit check on windows: https://github.com/supabase/cli/pull/952
 	return mode.IsUserDefined() && mode.UserDefined() != network.NetworkHost
 }
+
+func getVolumeBindMode(mode string) string {
+	return mode
+}