Allow Read-Only or Unlabelled Mounts #1012

Open
@Alexhuszagh

Description

Describe your issue

Currently, if using podman (or likely any rootless container engine), attempting to mount a directory without having write permissions leads to an error (or any directory in /usr).

If done in /usr/ or /etc, we get Error: relabeling content in /usr is not allowed. Anywhere else without write permissions, we get: Error: lsetxattr /nix/store: operation not permitted.

What target(s) are you cross-compiling for?

No response

Which operating system is the host (e.g computer cross is on) running?

  • macOS
  • Windows
  • Linux / BSD
  • other OS (specify in description)

What architecture is the host?

  • x86_64 / AMD64
  • arm32
  • arm64 (including Mac M1)

What container engine is cross using?

  • docker
  • podman
  • other container engine (specify in description)

cross version

cross 0.2.4 (078eab5 2022-07-19)

Example

On a system with SELinux enabled (Fedora 36), add the following to Cross.toml, for a directory without read permissions:

[build.env]
volumes = ["NIX=/nix/store"]

And then attempt to run it with the following:

# as a privileged user
$ sudo mkdir -p /nix/store
# as an unprivileged user
$ CROSS_CONTAINER_ENGINE=podman cross build --target aarch64-unknown-linux-gnu
Error: lsetxattr /nix/store: operation not permitted

Likewise, if we try to relabel in /usr, we get:

[build.env]
volumes = [ "MINGW=/usr/x86_64-w64-mingw32"]

# as a privileged user
$ sudo mkdir -p /usr/x86_64-w64-mingw32
# as an unprivileged user
$ CROSS_CONTAINER_ENGINE=podman cross build --target aarch64-unknown-linux-gnu
Error: relabeling content in /usr is not allowed

Additional information / notes

A solution would be to only allow read-only permissions in /usr or /etc if using podman (using the ro SELinux label rather than z), and allowing read-only labels for mounted volumes in the TOML configuration. Manually using the command and using ro allows the volume to be mounted, even in enforcing mode. Likewise, using no labels also allows the volume to be mounted (although attempting to modify data within these volumes will likely be denied).

The best approach would likely be:

  1. Check if any mount is in /etc or /usr.
  2. If using podman, warn user at cross level a single time that /usr and /etc mounts are not allowed with SELinux labels: must use unlabeled mounts.
  3. Allow volume configuration to enable unlabelled or read-only mounts.

The last one is likely tricky, since we currently don't support SELinux syntax. A good approach might be:

[build.env]
volumes = [ 
    "MINGW=/usr/x86_64-w64-mingw32:ro", # uses read-only label
    "NIX=/nix/store:",   # no label explicitly specified
]

This could also allow users to specify the Z (private, mounted volume) or z (shared, mounted volume) flags explicitly. Backwards compatibility concerns: this might break compatibility with folders that have : in their filename. We could also potentially have a table-or-string format for these volumes.

[[build.env.volumes]]
volume = "/usr/x86_64-w64-mingw32"
flag = "ro"

[[build.env.volumes]]
volume = "NIX=/nix/store"
flag = ""

And this would allow users to specify volumes as a string or object, with the flag defaulting to z if a string is used or not provided.
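As an added example (not cross's own code), a Rust sketch of the proposed string syntax from this issue: only a trailing :ro, :z, :Z or empty : is read as a label, so existing paths that contain a colon keep working, the flag defaults to z, and a z/Z relabel under /usr or /etc is rejected up front when the engine is podman instead of failing inside SELinux. It assumes cross mounts each volume at the same path inside the container; parse_volume, mount_arg and the Label enum are hypothetical names.

```rust
// Added example, not cross's own code. Parses "NAME=path[:flag]" volume specs.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Label { Shared, Private, ReadOnly, None }

#[derive(Debug, PartialEq)]
pub struct Volume { pub name: String, pub path: String, pub label: Label }

/// Accepts "NAME=path", "NAME=path:ro", "NAME=path:z", "NAME=path:Z" and "NAME=path:".
/// Only a trailing ":<known flag>" is taken as a label; any other colon stays part of
/// the path, so an existing entry like "FOO=/opt/a:b" still parses as before.
pub fn parse_volume(spec: &str) -> Result<Volume, String> {
    let (name, rest) = spec
        .split_once('=')
        .ok_or_else(|| format!("missing '=' in {spec:?}"))?;
    let (path, label) = match rest.rsplit_once(':') {
        Some((p, "")) => (p, Label::None),       // "path:"  -> no SELinux label
        Some((p, "ro")) => (p, Label::ReadOnly), // "path:ro"
        Some((p, "z")) => (p, Label::Shared),    // "path:z"
        Some((p, "Z")) => (p, Label::Private),   // "path:Z"
        _ => (rest, Label::Shared),              // default: today's behaviour (z)
    };
    if name.is_empty() || path.is_empty() {
        return Err(format!("empty name or path in {spec:?}"));
    }
    Ok(Volume { name: name.to_string(), path: path.to_string(), label })
}

/// Builds the engine's `-v` value (assumed: host path mounted at the same path).
/// Under podman a z/Z relabel of anything below /usr or /etc is refused here, since
/// SELinux would reject it with "relabeling content in /usr is not allowed".
pub fn mount_arg(v: &Volume, engine: &str) -> Result<String, String> {
    let relabels = matches!(v.label, Label::Shared | Label::Private);
    let system_dir = ["/usr", "/etc"]
        .iter()
        .any(|d| v.path == *d || v.path.starts_with(&format!("{d}/")));
    if engine == "podman" && relabels && system_dir {
        return Err(format!(
            "{}: SELinux labels are not allowed under /usr or /etc; use ':ro' or ':' (unlabelled)",
            v.path
        ));
    }
    let suffix = match v.label {
        Label::Shared => ":z",
        Label::Private => ":Z",
        Label::ReadOnly => ":ro",
        Label::None => "",
    };
    Ok(format!("{}:{}{}", v.path, v.path, suffix))
}
```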
