From dfda635128ee571a31fa9a5a4bac709d3501481d Mon Sep 17 00:00:00 2001 From: Andrew McDermott Date: Thu, 8 Aug 2024 10:19:50 +0100 Subject: [PATCH] Add SELinux context option to volume mounts in build-images target Add the `:z` option to the volume mounts for the Go cache directory in the `build-images` Makefile target. This ensures that the mounted volume is correctly relabelled with a private SELinux context, making the content accessible only to the single container using it. The `:z` option is necessary for the following reasons: 1. SELinux requires explicit context labelling for volumes to ensure proper access control. 2. Use `:z` (private context) to enhance security by preventing other containers from accessing the Go cache volume, which is only needed by the container performing the build process. Without this change, builds fail on systems with SELinux enabled because the container lacks the necessary permissions to access the unlabelled host directory. The `:z` option corrects this by providing the appropriate SELinux context. We do not use `:Z` (shared context) because the Go cache is intended for use by a single container at a time, and `:z` provides stricter access control suited for this scenario. This change is appropriate for both Docker and Podman, as both container engines support the `:z` and `:Z` options for setting SELinux context on volume mounts. Signed-off-by: Andrew McDermott --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index a244ada16..0fd3ff030 100644 --- a/Makefile +++ b/Makefile 
@@ -338,13 +338,13 @@ build-images: ## Build bpfman-agent and bpfman-operator images. --build-arg TARGETPLATFORM=linux/$(GOARCH) \ --build-arg TARGETARCH=$(GOARCH) \ --build-arg BUILDPLATFORM=linux/amd64 \ - $(if $(filter $(OCI_BIN),podman),--volume "$(LOCAL_GOCACHE_PATH):$(CONTAINER_GOCACHE_PATH)") \ + $(if $(filter $(OCI_BIN),podman),--volume "$(LOCAL_GOCACHE_PATH):$(CONTAINER_GOCACHE_PATH):z") \ -f Containerfile.bpfman-operator . $(OCI_BIN) buildx build --load -t ${BPFMAN_AGENT_IMG} \ --build-arg TARGETPLATFORM=linux/$(GOARCH) \ --build-arg TARGETARCH=$(GOARCH) \ --build-arg BUILDPLATFORM=linux/amd64 \ - $(if $(filter $(OCI_BIN),podman),--volume "$(LOCAL_GOCACHE_PATH):$(CONTAINER_GOCACHE_PATH)") \ + $(if $(filter $(OCI_BIN),podman),--volume "$(LOCAL_GOCACHE_PATH):$(CONTAINER_GOCACHE_PATH):z") \ -f Containerfile.bpfman-agent . .PHONY: push-images
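Review bot: The `:z` suffix added on both `--volume` lines is the shared SELinux label (the directory is relabelled so that any container can read and write it), while `:Z` is the private, per-container label, so the commit message has the two inverted and the stated goal of making the cache "accessible only to the single container" is not what the new code does. If the intent is a Go cache that the host user's own tooling can keep using, `:z` is the right choice and the description should say so; `:Z` would instead relabel `$(LOCAL_GOCACHE_PATH)` on the host with a container-specific MCS category and can lock out every other user of that directory, which is a reason not to switch. A short comment above the first `--volume` line would keep the next reader from trusting the message's rationale, e.g. `# :z = shared SELinux label (not :Z/private) so the host Go cache stays usable outside this build`, and the same applies to the second `--volume` line for the agent image. The `build-images` recipe begins before this hunk.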