Skip to content

Commit

Permalink
Merge pull request #1655 from ggiguash/add_selinux_context
Browse files Browse the repository at this point in the history 
USHIFT-1050: Set textrel_shlib_t SELinux context on hadolint static executable
  • Loading branch information
@openshift-merge-robot
openshift-merge-robot committed Apr 11, 2023
2 parents ad87f7a + e3c0233 commit 92483e3
Showing 1 changed file with 33 additions and 24 deletions.
57 changes: 33 additions & 24 deletions scripts/fetch_tools.sh
View file
Expand Up @@ -9,6 +9,8 @@ SCRIPT_DIR="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")"
DEST_DIR="${DEST_DIR:-${SCRIPT_DIR}/../_output/bin}"
[ -d "${DEST_DIR}" ] || mkdir -p "${DEST_DIR}"
DEST_DIR="$(realpath "${DEST_DIR}")"
WORK_DIR=$(mktemp -d)
trap 'rm -rfv ${WORK_DIR} &>/dev/null' EXIT

_install() {
local url="$1"
Expand All @@ -20,42 +22,39 @@ _install() {
[[ -e "${dest}" ]] && return 0
echo "Installing ${filename} to ${DEST_DIR}"

tmp=$(mktemp -d)
trap 'rm -rfv ${tmp} &>/dev/null' EXIT

filename="$(basename "${url}")"
echo -n "${checksum} -" >"${tmp}/checksum.txt"
echo -n "${checksum} -" >"${WORK_DIR}/checksum.txt"

curl -sSfL --retry 5 --retry-delay 3 -o "${tmp}/${filename}" "${url}"
curl -sSfL --retry 5 --retry-delay 3 -o "${WORK_DIR}/${filename}" "${url}"

if ! sha256sum -c "${tmp}/checksum.txt" < "${tmp}/${filename}" &>/dev/null; then
if ! sha256sum -c "${WORK_DIR}/checksum.txt" < "${WORK_DIR}/${filename}" &>/dev/null; then
echo " Checksum for ${filename} doesn't match"
echo " Expected: ${checksum}"
echo " Got: $(sha256sum < "${tmp}/${filename}" | cut -d' ' -f1)"
echo " Got: $(sha256sum < "${WORK_DIR}/${filename}" | cut -d' ' -f1)"
return 1
fi

# Check type of downloaded file - if it's not executable, then assume it is an archive and needs extracting
if [[ "$(file --brief --mime-type "${tmp}/${filename}")" != "application/x-executable" ]]; then
# Extract binary from the archive.
# --transform removes any leading dirs leaving just filenames so binary is extracted directly into ${tmp}
if [[ "$(file --brief --mime-type "${WORK_DIR}/${filename}")" != "application/x-executable" ]]; then
# Extract binary from the archive.
# --transform removes any leading dirs leaving just filenames so binary is extracted directly into ${WORK_DIR}
# --wildcards match binary's name so only that file is extracted
(cd "${tmp}" && tar xvf "${filename}" --transform 's,.*\/,,g' --wildcards "*/${initial_filename}" >/dev/null)
(cd "${WORK_DIR}" && tar xvf "${filename}" --transform 's,.*\/,,g' --wildcards "*/${initial_filename}" >/dev/null)
fi

chmod +x "${tmp}/${initial_filename}"
chmod +x "${WORK_DIR}/${initial_filename}"
mkdir -p "$(dirname "${dest}")"
mv "${tmp}/${initial_filename}" "${dest}"
mv "${WORK_DIR}/${initial_filename}" "${dest}"
}

get_golangci-lint() {
local ver="1.52.1"
declare -A checksums=(
["x86_64"]="f31a6dc278aff92843acdc2671f17c753c6e2cb374d573c336479e92daed161f"
["x86_64"]="f31a6dc278aff92843acdc2671f17c753c6e2cb374d573c336479e92daed161f"
["aarch64"]="30dbea4ddde140010981b491740b4dd9ba973ce53a1a2f447a5d57053efe51cf")

declare -A arch_map=(
["x86_64"]="amd64"
["x86_64"]="amd64"
["aarch64"]="arm64")

local arch="${arch_map[${ARCH}]}"
Expand All @@ -70,7 +69,7 @@ get_golangci-lint() {
get_shellcheck() {
local ver="v0.9.0"
declare -A checksums=(
["x86_64"]="700324c6dd0ebea0117591c6cc9d7350d9c7c5c287acbad7630fa17b1d4d9e2f"
["x86_64"]="700324c6dd0ebea0117591c6cc9d7350d9c7c5c287acbad7630fa17b1d4d9e2f"
["aarch64"]="179c579ef3481317d130adebede74a34dbbc2df961a70916dd4039ebf0735fae")

declare -A arch_map=(
Expand All @@ -88,11 +87,11 @@ get_shellcheck() {
get_kuttl() {
local ver="0.15.0"
declare -A checksums=(
["x86_64"]="f6edcf22e238fc71b5aa389ade37a9efce596017c90f6994141c45215ba0f862"
["x86_64"]="f6edcf22e238fc71b5aa389ade37a9efce596017c90f6994141c45215ba0f862"
["aarch64"]="a3393f2824e632a9aa0f17fdd5c763f9b633f7a7d3f58696e94885c6b3b8af96")

declare -A arch_map=(
["x86_64"]="x86_64"
["x86_64"]="x86_64"
["aarch64"]="arm64")

local arch="${arch_map[${ARCH}]}"
Expand All @@ -106,11 +105,11 @@ get_kuttl() {
get_yq() {
local ver="4.26.1"
declare -A checksums=(
["x86_64"]="4d3afe5ddf170ac7e70f4c23eea2969eca357947b56d5d96b8516bdf9ce56577"
["x86_64"]="4d3afe5ddf170ac7e70f4c23eea2969eca357947b56d5d96b8516bdf9ce56577"
["aarch64"]="837a659c5a04599f3ee7300b85bf6ccabdfd7ce39f5222de27281e0ea5bcc477")

declare -A arch_map=(
["x86_64"]="amd64"
["x86_64"]="amd64"
["aarch64"]="arm64")

local arch="${arch_map[${ARCH}]}"
Expand All @@ -124,11 +123,11 @@ get_yq() {
get_hadolint() {
local ver="2.12.0"
declare -A checksums=(
["x86_64"]="56de6d5e5ec427e17b74fa48d51271c7fc0d61244bf5c90e828aab8362d55010"
["x86_64"]="56de6d5e5ec427e17b74fa48d51271c7fc0d61244bf5c90e828aab8362d55010"
["aarch64"]="5798551bf19f33951881f15eb238f90aef023f11e7ec7e9f4c37961cb87c5df6")

declare -A arch_map=(
["x86_64"]="x86_64"
["x86_64"]="x86_64"
["aarch64"]="arm64")

local arch="${arch_map[${ARCH}]}"
Expand All @@ -137,6 +136,16 @@ get_hadolint() {
local url="https://github.com/hadolint/hadolint/releases/download/v${ver}/hadolint-Linux-${arch}"

_install "${url}" "${checksum}" "${filename}" "hadolint-Linux-${arch}"

# SELinux context change is required on some systems to prevent the following error
#
# SELinux is preventing <exename> from execmod access on the file.
# If you want to allow all unconfined executables to use libraries requiring text relocation
# that are not labeled textrel_shlib_t, then you must tell SELinux about this by enabling the
# 'selinuxuser_execmod' boolean.
if selinuxenabled ; then
chcon -t textrel_shlib_t "${DEST_DIR}/${filename}"
fi
}

get_lichen() {
Expand Down Expand Up @@ -170,7 +179,7 @@ tools_to_install=()
if echo "$@" | grep -q all; then
readarray -t tools_to_install <<<"${tool_getters}"
else
for arg in "$@"; do
for arg in "$@"; do
if ! echo "${tool_getters}" | grep -q "${arg}" || [ "$(echo "${tool_getters}" | grep "${arg}")" != "${arg}" ]; then
usage "Unknown tool: ${arg}"
fi
Expand Down

0 comments on commit 92483e3

Please sign in to comment.