Commit fc259ef2 authored by Steve Azzopardi's avatar Steve Azzopardi

Fix SELinux volume mounting

The regex does not match the following specification `/src:/dst:Z|z`,
which is a legitimate specification for SELinux
https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label
`Z` and `z` have different meanings, so
case sensitivity is important.

closes gitlab-org/gitlab-runner#4276
parent 37fa3db8
Pipeline #63445437 passed with stages
in 97 minutes and 50 seconds
......@@ -11,7 +11,7 @@ const (
linuxSource = `((?P<source>((` + linuxDir + `)|(` + linuxVolumeName + `))):)?`
linuxDestination = `(?P<destination>(?:` + linuxDir + `))`
linuxMode = `(:(?P<mode>(?i)ro|rw))?`
linuxMode = `(:(?P<mode>(?i)ro|rw|z))?`
)
type linuxParser struct {
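Review bot: The widened `linuxMode` alternation still takes exactly one option, so a spec that combines an access mode with a label, such as `/src:/dst:ro,z`, is rejected and a relabelled volume can only be mounted read-write. Docker's bind-mount syntax allows comma-separated options; if that is out of scope here, say so in a comment, otherwise extend the group to something like `(:(?P<mode>(?i)(?:ro|rw|z)(?:,(?:ro|rw|z))*))?` and let whatever consumes `Mode` reject contradictory pairs. Because `(?i)` covers every alternative, the captured text is the only thing that tells `z` (shared) from `Z` (private), which deserves a comment on the constant: `// z and Z are distinct SELinux labels; pass the captured mode through unchanged, never lower-case it`. Relabelling also changes the SELinux context of the host source path, so it is worth documenting that these specs should come only from trusted runner configuration. The `const (` block starts above the hunk.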
......
......@@ -32,10 +32,26 @@ func TestLinuxParser_ParseVolume(t *testing.T) {
volumeSpec: "/source:/destination:rw",
expectedParts: &Volume{Source: "/source", Destination: "/destination", Mode: "rw"},
},
"read only": {
volumeSpec: "/source:/destination:ro",
expectedParts: &Volume{Source: "/source", Destination: "/destination", Mode: "ro"},
},
"volume case sensitive": {
volumeSpec: "/Source:/Destination:rw",
expectedParts: &Volume{Source: "/Source", Destination: "/Destination", Mode: "rw"},
},
"support SELinux label bind mount content is shared among multiple containers": {
volumeSpec: "/source:/destination:z",
expectedParts: &Volume{Source: "/source", Destination: "/destination", Mode: "z"},
},
"support SELinux label bind mount content is private and unshare": {
volumeSpec: "/source:/destination:Z",
expectedParts: &Volume{Source: "/source", Destination: "/destination", Mode: "Z"},
},
"unsupported mode": {
volumeSpec: "/source:/destination:T",
expectedError: NewInvalidVolumeSpecErr("/source:/destination:T"),
},
"too much colons": {
volumeSpec: "/source:/destination:rw:something",
expectedError: NewInvalidVolumeSpecErr("/source:/destination:rw:something"),
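Review bot: The added table entries probe only a single unknown letter (`T`), so nothing pins what happens when a valid label is followed by extra characters or is combined with an access mode. Cases such as `"/source:/destination:zz"` and `"/source:/destination:ro,z"`, each asserting whichever outcome is intended, would show whether the pattern is anchored and make the single-option limit explicit. A mixed-case entry like `"/source:/destination:RO"` would also document that the case-insensitive match leaves the captured mode exactly as typed. The test table continues outside the hunk on both sides.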
......