From 69134b167c1cd95a4b7a6d0b933c7d6adaf23ac4 Mon Sep 17 00:00:00 2001 From: Bob Sun Date: Tue, 22 Aug 2017 10:49:16 -0700 Subject: [PATCH 1/3] Update the Docker script to disable security options Disable seccomp and apparmor to compile Redox with Docker image. --- docker/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/README.md b/docker/README.md index 93cc9d7..2647c67 100644 --- a/docker/README.md +++ b/docker/README.md @@ -24,6 +24,6 @@ On selinux systems, replace #4 with: ``` docker run --cap-add MKNOD --cap-add SYS_ADMIN \ -e LOCAL_UID="$(id -u)" -e LOCAL_GID="$(id -g)" \ - --device /dev/fuse -v "$(pwd):/home/user/src" --security-opt label=disable \ + --device /dev/fuse -v "$(pwd):/home/user/src" --security-opt seccomp=unconfined apparmor=unconfined \ --rm redox make fetch all ``` From b70934506a893495055bb5b28d17d08dd134bd88 Mon Sep 17 00:00:00 2001 From: Bob Sun Date: Tue, 22 Aug 2017 11:03:47 -0700 Subject: [PATCH 2/3] Fix a typo in Docker script README.md. --- docker/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/README.md b/docker/README.md index 2647c67..a0696ed 100644 --- a/docker/README.md +++ b/docker/README.md @@ -24,6 +24,6 @@ On selinux systems, replace #4 with: ``` docker run --cap-add MKNOD --cap-add SYS_ADMIN \ -e LOCAL_UID="$(id -u)" -e LOCAL_GID="$(id -g)" \ - --device /dev/fuse -v "$(pwd):/home/user/src" --security-opt seccomp=unconfined apparmor=unconfined \ + --device /dev/fuse -v "$(pwd):/home/user/src" --security-opt seccomp=unconfined --security-opt apparmor=unconfined \ --rm redox make fetch all ``` From f6c3b992e73cb1ab99af6c2dbb10a22bbd310573 Mon Sep 17 00:00:00 2001 From: Bob Sun Date: Wed, 23 Aug 2017 13:09:24 -0700 Subject: [PATCH 3/3] Update docker script for SELinux, seccomp and AppArmor enabled systems --- docker/README.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) 
diff --git a/docker/README.md b/docker/README.md index a0696ed..3a1f31b 100644 --- a/docker/README.md +++ b/docker/README.md @@ -20,10 +20,17 @@ To unpack: 4. Builds Redox using the `redox` image. The arguments allow the container to use `fuse` and ensure the resulting files are owned by the current user. 5. Runs Redox. -On selinux systems, replace #4 with: +For SELinux, seccomp, and AppArmor enabled systems, please add following commands to #4 accordingly: +``` +--security-opt label=disable // disable SELinux +--security-opt seccomp=unconfined // disable seccomp +--security-opt apparmor=unconfined // disable AppArmor +``` + +E.g., on SELinux systems, replace #4 with: ``` docker run --cap-add MKNOD --cap-add SYS_ADMIN \ -e LOCAL_UID="$(id -u)" -e LOCAL_GID="$(id -g)" \ - --device /dev/fuse -v "$(pwd):/home/user/src" --security-opt seccomp=unconfined --security-opt apparmor=unconfined \ + --device /dev/fuse -v "$(pwd):/home/user/src" --security-opt label=disable \ --rm redox make fetch all ```
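Review bot: In [PATCH 1/3], the added line passes `--security-opt seccomp=unconfined apparmor=unconfined`, so `apparmor=unconfined` is not attached to any `--security-opt` flag and is parsed as a separate positional argument ahead of `redox`. Each value needs its own flag: `--security-opt seccomp=unconfined --security-opt apparmor=unconfined`. The commit message should also say what the build does that the default seccomp and AppArmor profiles block, so a reader can judge whether both have to be turned off.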
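Review bot: In [PATCH 2/3], the unchanged context line still reads "On selinux systems, replace #4 with:", but the command under it no longer carries `--security-opt label=disable` and turns off seccomp and AppArmor instead, so the heading and the command disagree. Either keep `label=disable` in this SELinux variant and document the seccomp and AppArmor options separately, or change the heading to match. Since this commit only corrects the flag syntax introduced in 1/3, consider squashing it into that commit.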
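Review bot: In [PATCH 3/3], the new option list offers three ways to switch off confinement for a container that already runs with `--cap-add SYS_ADMIN` and `--device /dev/fuse`, but "accordingly" does not say when each one is required, so readers are likely to add all three. State that an option should be added only when that mechanism is enabled on the host and actually blocks the build, and name the failure it fixes. Also, the `//` annotations inside the fenced block are not shell comments, so a copied line would pass `//` and the words after it as extra arguments; use `#` or move the descriptions into the surrounding prose.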