fix: Workaround AppArmor profile for passt (#1108)

.github/workflows/review.yml

@@ -0,0 +1,66 @@
+on:
+  pull_request:
+
+name: "Review"
+
+permissions:
+  contents: read
+  pull-requests: write
+  checks: write
+
+jobs:
+  review:
+    name: review
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v5
+      -
+        name: Spelling
+        uses: reviewdog/action-misspell@v1
+        with:
+          locale: "US"
+          level: warning
+          pattern: |
+            *.md
+            *.sh
+          reporter: github-pr-review
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+      -
+        name: Hadolint
+        uses: reviewdog/action-hadolint@v1
+        with:
+          level: warning
+          reporter: github-pr-review
+          hadolint_ignore: DL3008 DL3003 DL3006 DL3013
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+      -
+        name: YamlLint
+        uses: reviewdog/action-yamllint@v1
+        with:
+          level: warning
+          reporter: github-pr-review
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+      -
+        name: ActionLint
+        uses: reviewdog/action-actionlint@v1
+        with:
+          level: warning
+          reporter: github-pr-review
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+      -
+        name: Shellformat
+        uses: reviewdog/action-shfmt@v1
+        with:
+          level: warning
+          shfmt_flags: "-i 2 -ci -bn"
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+      -
+        name: Shellcheck
+        uses: reviewdog/action-shellcheck@v1
+        with:
+          level: warning
+          reporter: github-pr-review
+          shellcheck_flags: -x -e SC2001 -e SC2034 -e SC2064 -e SC2317 -e SC2153 -e SC2028          
+          github_token: ${{ secrets.GITHUB_TOKEN }}

readme.md

@@ -47,7 +47,7 @@ services:
 ##### Via Docker CLI:
 
 ```bash
-docker run -it --rm --name dsm -e "DISK_SIZE=256G" -p 5000:5000 --device=/dev/kvm --device=/dev/net/tun --cap-add NET_ADMIN -v "${PWD:-.}/dsm:/storage" --stop-timeout 120 vdsm/virtual-dsm
+docker run -it --rm --name dsm -e "DISK_SIZE=256G" -p 5000:5000 --device=/dev/kvm --device=/dev/net/tun --cap-add NET_ADMIN -v "${PWD:-.}/dsm:/storage" --stop-timeout 120 docker.io/vdsm/virtual-dsm
 ```
 
 ##### Via Kubernetes:

src/disk.sh

@@ -17,6 +17,14 @@ SYSTEM="$STORAGE/$BASE.system.img"
 [ ! -s "$BOOT" ] && error "Virtual DSM boot-image does not exist ($BOOT)" && exit 81
 [ ! -s "$SYSTEM" ] && error "Virtual DSM system-image does not exist ($SYSTEM)" && exit 82
 
+if ! setOwner "$BOOT"; then
+  error "Failed to set the owner for \"$BOOT\" !"
+fi
+
+if ! setOwner "$SYSTEM"; then
+  error "Failed to set the owner for \"$SYSTEM\" !"
+fi
+
 fmt2ext() {
   local DISK_FMT="$1"
 
@@ -338,23 +346,23 @@ checkFS () {
   DIR=$(dirname "$DISK_FILE")
   [ ! -d "$DIR" ] && return 0
 
-  if [[ "${FS,,}" == "overlay"* ]]; then
-    info "Warning: the filesystem of $DIR is OverlayFS, this usually means it was binded to an invalid path!"
+  if [[ "${FS,,}" == "overlay"* && "${ENGINE,,}" == "docker" ]]; then
+    warn "the filesystem of $DIR is OverlayFS, this usually means it was binded to an invalid path!"
   fi
 
   if [[ "${FS,,}" == "fuse"* ]]; then
-    info "Warning: the filesystem of $DIR is FUSE, this extra layer will negatively affect performance!"
+    warn "the filesystem of $DIR is FUSE, this extra layer will negatively affect performance!"
   fi
 
   if ! supportsDirect "$FS"; then
-    info "Warning: the filesystem of $DIR is $FS, which does not support O_DIRECT mode, adjusting settings..."
+    warn "the filesystem of $DIR is $FS, which does not support O_DIRECT mode, adjusting settings..."
   fi
 
   if isCow "$FS"; then
     if [ -f "$DISK_FILE" ]; then
       FA=$(lsattr "$DISK_FILE")
       if [[ "$FA" != *"C"* ]]; then
-        info "Warning: COW (copy on write) is not disabled for $DISK_DESC image file $DISK_FILE, this is recommended on ${FS^^} filesystems!"
+        warn "COW (copy on write) is not disabled for $DISK_DESC image file $DISK_FILE, this is recommended on ${FS^^} filesystems!"
       fi
     fi
   fi
@@ -437,7 +445,7 @@ addDisk () {
 
   if [[ "${DISK_SPACE,,}" == "max" || "${DISK_SPACE,,}" == "half" ]]; then
 
-    local SPARE=2147483648
+    local SPARE=1073741824
     FREE=$(df --output=avail -B 1 "$DIR" | tail -n 1)
 
     if [[ "${DISK_SPACE,,}" == "max" ]]; then
@@ -543,6 +551,12 @@ addDisk () {
 
   fi
 
+  if [ -f "$DISK_FILE" ]; then
+    if ! setOwner "$DISK_FILE"; then
+      error "Failed to set the owner for \"$DISK_FILE\" !"
+    fi
+  fi
+
   DISK_OPTS+=$(createDevice "$DISK_FILE" "$DISK_TYPE" "$DISK_INDEX" "$DISK_ADDRESS" "$DISK_FMT" "$DISK_IO" "$DISK_CACHE" "" "")
 
   return 0

src/install.sh

@@ -31,7 +31,6 @@ if [ -n "$URL" ] && [ ! -s "$FILE" ] && [ ! -d "$DIR" ]; then
   BASE=$(basename "$URL" .pat)
   if [ ! -s "$STORAGE/$BASE.system.img" ]; then
     BASE=$(basename "${URL%%\?*}" .pat)
-    BASE="${BASE//+/ }"
     printf -v BASE '%b' "${BASE//%/\\x}"
     BASE="${BASE//[!A-Za-z0-9._-]/_}"
   fi
@@ -66,7 +65,6 @@ fi
 
 if [ ! -s "$FILE" ]; then
   BASE=$(basename "${URL%%\?*}" .pat)
-  BASE="${BASE//+/ }"
   printf -v BASE '%b' "${BASE//%/\\x}"
   BASE="${BASE//[!A-Za-z0-9._-]/_}"
 fi
@@ -82,16 +80,16 @@ rm -f "$STORAGE/$BASE.system.img"
 # Check filesystem
 FS=$(stat -f -c %T "$STORAGE")
 
-if [[ "${FS,,}" == "overlay"* ]]; then
-  info "Warning: the filesystem of $STORAGE is OverlayFS, this usually means it was binded to an invalid path!"
+if [[ "${FS,,}" == "overlay"* && "${ENGINE,,}" == "docker" ]]; then
+  warn "the filesystem of $STORAGE is OverlayFS, this usually means it was binded to an invalid path!"
 fi
 
 if [[ "${FS,,}" == "fuse"* ]]; then
-  info "Warning: the filesystem of $STORAGE is FUSE, this extra layer will negatively affect performance!"
+  warn "the filesystem of $STORAGE is FUSE, this extra layer will negatively affect performance!"
 fi
 
 if [[ "${FS,,}" == "ecryptfs" || "${FS,,}" == "tmpfs" ]]; then
-  info "Warning: the filesystem of $STORAGE is $FS, which does not support O_DIRECT mode, adjusting settings..."
+  warn "the filesystem of $STORAGE is $FS, which does not support O_DIRECT mode, adjusting settings..."
 fi
 
 if [[ "${FS,,}" == "fat"* || "${FS,,}" == "vfat"* || "${FS,,}" == "msdos"* ]]; then
@@ -100,6 +98,10 @@ fi
 
 if [[ "${FS,,}" != "exfat"* && "${FS,,}" != "ntfs"* && "${FS,,}" != "unknown"* ]]; then
   TMP="$STORAGE/tmp"
+  rm -rf "$TMP"
+  if ! makeDir "$TMP"; then
+    error "Failed to create directory \"$TMP\" !" && exit 93
+  fi
 else
   TMP="/tmp/dsm"
   TMP_SPACE=2147483648
@@ -108,10 +110,9 @@ else
   if (( TMP_SPACE > SPACE )); then
     error "Not enough free space inside the container, have $SPACE_MB available but need at least 2 GB." && exit 93
   fi
+  rm -rf "$TMP" && mkdir -p "$TMP"
 fi
 
-rm -rf "$TMP" && mkdir -p "$TMP"
-
 # Check free diskspace
 ROOT_SPACE=536870912
 SPACE=$(df --output=avail -B 1 / | tail -n 1)
@@ -224,6 +225,8 @@ if ! touch "$SYSTEM"; then
   error "Could not create file $SYSTEM for the system disk." && exit 98
 fi
 
+! setOwner "$SYSTEM" && error "Failed to set the owner for \"$SYSTEM\" !"
+
 if [[ "${FS,,}" == "btrfs" ]]; then
   { chattr +C "$SYSTEM"; } || :
   FA=$(lsattr "$SYSTEM")
@@ -256,7 +259,11 @@ PART="$TMP/partition.fdisk"
 sfdisk -q "$SYSTEM" < "$PART"
 
 MOUNT="$TMP/system"
-rm -rf "$MOUNT" && mkdir -p "$MOUNT"
+rm -rf "$MOUNT"
+
+if ! makeDir "$MOUNT"; then
+  error "Failed to create directory \"$MOUNT\" !" && exit 93
+fi
 
 MSG="Extracting system partition..."
 info "Install: $MSG" && html "$MSG"
@@ -291,6 +298,7 @@ fakeroot -- bash -c "set -Eeu;\
 
 rm -rf "$MOUNT"
 echo "$BASE" > "$STORAGE/dsm.ver"
+! setOwner "$STORAGE/dsm.ver" && error "Failed to set the owner for \"$STORAGE/dsm.ver\" !"
 
 if [[ "$URL" == "file://$STORAGE/$BASE.pat" ]]; then
   rm -f "$PAT"
@@ -298,7 +306,13 @@ else
   mv -f "$PAT" "$STORAGE/$BASE.pat"
 fi
 
+if [ -f "$STORAGE/$BASE.pat" ]; then
+  ! setOwner "$STORAGE/$BASE.pat" && error "Failed to set the owner for \"$STORAGE/$BASE.pat\" !"
+fi
+
 mv -f "$BOOT" "$STORAGE/$BASE.boot.img"
+! setOwner "$STORAGE/$BASE.boot.img" && error "Failed to set the owner for \"$STORAGE/$BASE.boot.img\" !"
+
 rm -rf "$TMP"
 
 return 0

src/network.sh

@@ -19,14 +19,16 @@ set -Eeuo pipefail
 : "${VM_NET_HOST:="VirtualDSM"}"
 : "${VM_NET_MASK:="255.255.255.0"}"
 
-: "${PASST:="passt"}"
+: "${PASST:="/run/passt"}"
 : "${PASST_MTU:=""}"
 : "${PASST_OPTS:=""}"
 : "${PASST_DEBUG:=""}"
+: "${PASST_PID:="/var/run/passt.pid"}"
 
 : "${DNSMASQ_OPTS:=""}"
 : "${DNSMASQ_DEBUG:=""}"
 : "${DNSMASQ:="/usr/sbin/dnsmasq"}"
+: "${DNSMASQ_PID:="/var/run/dnsmasq.pid"}"
 : "${DNSMASQ_CONF_DIR:="/etc/dnsmasq.d"}"
 
 ADD_ERR="Please add the following setting to your container:"
@@ -127,8 +129,8 @@ configureDNS() {
   [[ "${DNSMASQ_DISABLE:-}" == [Yy1]* ]] && return 0
   [[ "$DEBUG" == [Yy1]* ]] && echo "Starting dnsmasq daemon..."
 
-  local log="/var/log/dnsmasq.log"
-  rm -f "$log"
+  [ -s "$DNSMASQ_PID" ] && pKill "$(<"$DNSMASQ_PID")"
+  rm -f "$DNSMASQ_PID"
 
   case "${NETWORK,,}" in
     "tap" | "tun" | "tuntap" | "y" )
@@ -162,6 +164,8 @@ configureDNS() {
   [ -f /etc/resolv.dnsmasq ] && DNSMASQ_OPTS+=" --resolv-file=/etc/resolv.dnsmasq"
 
   # Enable logging to file
+  local log="/var/log/dnsmasq.log"
+  rm -f "$log"
   DNSMASQ_OPTS+=" --log-facility=$log"
 
   DNSMASQ_OPTS=$(echo "$DNSMASQ_OPTS" | sed 's/\t/ /g' | tr -s ' ' | sed 's/^ *//')
@@ -218,11 +222,14 @@ getUserPorts() {
 
     for hostport in ${exclude//,/ }; do
 
-      local val="${hostport///tcp}"
+      local port="${hostport///tcp}"
+      port="${port///udp}"
 
-      if [[ "$num" == "${val///udp}" ]]; then
+      if [[ "$num" == "$port" ]]; then
         num=""
-        warn "Could not assign port ${val///udp} to \"USER_PORTS\" because it is already in \"HOST_PORTS\"!"
+        if [[ "$port" != "$WEB_PORT" ]]; then
+          warn "Could not assign port $port to \"USER_PORTS\" because it is already in \"HOST_PORTS\"!"
+        fi
       fi
 
     done
@@ -306,12 +313,9 @@ configurePasst() {
   NETWORK="passt"
   [[ "$DEBUG" == [Yy1]* ]] && echo "Configuring user-mode networking..."
 
-  local log="/var/log/passt.log"
+  local log="/tmp/passt.log"
   rm -f "$log"
 
-  local pid="/var/run/dnsmasq.pid"
-  [ -s "$pid" ] && pKill "$(<"$pid")"
-
   local ip="$IP"
   [ -n "$VM_NET_IP" ] && ip="$VM_NET_IP"
 
@@ -343,7 +347,7 @@ configurePasst() {
 
   PASST_OPTS+=" -H $VM_NET_HOST"
   PASST_OPTS+=" -M $GATEWAY_MAC"
-  PASST_OPTS+=" -P /var/run/passt.pid"
+  PASST_OPTS+=" -P  $PASST_PID"
   PASST_OPTS+=" -l $log"
   PASST_OPTS+=" -q"
 
@@ -355,6 +359,8 @@ configurePasst() {
   PASST_OPTS=$(echo "$PASST_OPTS" | sed 's/\t/ /g' | tr -s ' ' | sed 's/^ *//')
   [[ "$DEBUG" == [Yy1]* ]] && printf "Passt arguments:\n\n%s\n\n" "${PASST_OPTS// -/$'\n-'}"
 
+  [ ! -f "$PASST" ] && cp /usr/bin/passt* /run
+
   if ! $PASST ${PASST_OPTS:+ $PASST_OPTS} >/dev/null 2>&1; then
 
     rm -f "$log"
@@ -394,7 +400,6 @@ configureNAT() {
 
   # Create the necessary file structure for /dev/net/tun
   if [ ! -c /dev/net/tun ]; then
-    [[ "$PODMAN" == [Yy1]* ]] && return 1
     [ ! -d /dev/net ] && mkdir -m 755 /dev/net
     if mknod /dev/net/tun c 10 200; then
       chmod 666 /dev/net/tun
@@ -402,6 +407,7 @@ configureNAT() {
   fi
 
   if [ ! -c /dev/net/tun ]; then
+    [[ "$ROOTLESS" == [Yy1]* && "$DEBUG" != [Yy1]* ]] && return 1
     warn "$tuntap" && return 1
   fi
 
@@ -409,6 +415,7 @@ configureNAT() {
   if [[ $(< /proc/sys/net/ipv4/ip_forward) -eq 0 ]]; then
     { sysctl -w net.ipv4.ip_forward=1 > /dev/null 2>&1; rc=$?; } || :
     if (( rc != 0 )) || [[ $(< /proc/sys/net/ipv4/ip_forward) -eq 0 ]]; then
+      [[ "$ROOTLESS" == [Yy1]* && "$DEBUG" != [Yy1]* ]] && return 1
       warn "IP forwarding is disabled. $ADD_ERR --sysctl net.ipv4.ip_forward=1"
       return 1
     fi
@@ -435,6 +442,7 @@ configureNAT() {
   { ip link add dev "$VM_NET_BRIDGE" type bridge ; rc=$?; } || :
 
   if (( rc != 0 )); then
+    [[ "$ROOTLESS" == [Yy1]* && "$DEBUG" != [Yy1]* ]] && return 1
     warn "failed to create bridge. $ADD_ERR --cap-add NET_ADMIN" && return 1
   fi
 
@@ -449,6 +457,7 @@ configureNAT() {
 
   # QEMU Works with taps, set tap to the bridge created
   if ! ip tuntap add dev "$VM_NET_TAP" mode tap; then
+    [[ "$ROOTLESS" == [Yy1]* && "$DEBUG" != [Yy1]* ]] && return 1
     warn "$tuntap" && return 1
   fi
 
@@ -489,8 +498,11 @@ configureNAT() {
     fi
   fi
 
-  if ! iptables -t nat -A POSTROUTING -o "$VM_NET_DEV" -j MASQUERADE; then
-    warn "$tables" && return 1
+  if ! iptables -t nat -A POSTROUTING -o "$VM_NET_DEV" -j MASQUERADE > /dev/null 2>&1; then
+    [[ "$ROOTLESS" == [Yy1]* && "$DEBUG" != [Yy1]* ]] && return 1
+    if ! iptables -t nat -A POSTROUTING -o "$VM_NET_DEV" -j MASQUERADE; then
+      warn "$tables" && return 1
+    fi
   fi
 
   # shellcheck disable=SC2086
@@ -524,13 +536,11 @@ configureNAT() {
 
 closeBridge() {
 
-  local pid="/var/run/dnsmasq.pid"
-  [ -s "$pid" ] && pKill "$(<"$pid")"
-  rm -f "$pid"
+  [ -s "$PASST_PID" ] && pKill "$(<"$PASST_PID")"
+  rm -f "$PASST_PID"
 
-  pid="/var/run/passt.pid"
-  [ -s "$pid" ] && pKill "$(<"$pid")"
-  rm -f "$pid"
+  [ -s "$DNSMASQ_PID" ] && pKill "$(<"$DNSMASQ_PID")"
+  rm -f "$DNSMASQ_PID"
 
   case "${NETWORK,,}" in
     "user"* | "passt" | "slirp" ) return 0 ;;
@@ -586,9 +596,9 @@ closeNetwork() {
 cleanUp() {
 
   # Clean up old files
+  rm -f "$PASST_PID"
+  rm -f "$DNSMASQ_PID"
   rm -f /etc/resolv.dnsmasq
-  rm -f /var/run/passt.pid
-  rm -f /var/run/dnsmasq.pid
 
   if [[ -d "/sys/class/net/$VM_NET_TAP" ]]; then
     info "Lingering interface will be removed..."
@@ -628,7 +638,7 @@ getInfo() {
     [ -d "/sys/class/net/net1" ] && VM_NET_DEV="net1"
     [ -d "/sys/class/net/net2" ] && VM_NET_DEV="net2"
     [ -d "/sys/class/net/net3" ] && VM_NET_DEV="net3"
-    # Automaticly detect the default network interface
+    # Automatically detect the default network interface
     [ -z "$VM_NET_DEV" ] && VM_NET_DEV=$(awk '$2 == 00000000 { print $1 }' /proc/net/route)
     [ -z "$VM_NET_DEV" ] && VM_NET_DEV="eth0"
   fi
@@ -697,7 +707,7 @@ getInfo() {
   [ -z "$MTU" ] && MTU="0"
 
   if [[ "${ADAPTER,,}" != "virtio-net-pci" ]]; then
-    if [[ "$MTU" != "0" && "$MTU" != "1500" ]]; then
+    if [[ "$MTU" != "0" ]] && [ "$MTU" -lt "1500" ]; then
       warn "MTU size is $MTU, but cannot be set for $ADAPTER adapters!" && MTU="0"
     fi
   fi
@@ -710,6 +720,7 @@ getInfo() {
       # Generate MAC address based on Docker container ID in hostname
       VM_NET_MAC=$(echo "$HOST" | md5sum | sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:11:32:\3:\4:\5/')
       echo "${VM_NET_MAC^^}" > "$file"
+      ! setOwner "$file" && error "Failed to set the owner for \"$file\" !"
     fi
   fi
 
@@ -727,13 +738,6 @@ getInfo() {
 
   GATEWAY_MAC=$(echo "$VM_NET_MAC" | md5sum | sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/')
 
-  if [[ "$PODMAN" == [Yy1]* && "$DHCP" != [Yy1]* ]]; then
-    if [ -z "$NETWORK" ] || [[ "${NETWORK^^}" == "Y" ]]; then
-      # By default Podman has no permissions for NAT networking
-      NETWORK="user"
-    fi
-  fi
-
   if [[ "$DEBUG" == [Yy1]* ]]; then
     line="Host: $HOST  IP: $IP  Gateway: $GATEWAY  Interface: $VM_NET_DEV  MAC: $VM_NET_MAC  MTU: $mtu"
     [[ "$MTU" != "0" && "$MTU" != "$mtu" ]] && line+=" ($MTU)"
@@ -795,8 +799,12 @@ else
 
         closeBridge
         NETWORK="user"
-        msg="falling back to user-mode networking!"
-        msg="failed to setup NAT networking, $msg"
+
+        if [[ "$ROOTLESS" != [Yy1]* || "$DEBUG" == [Yy1]* ]]; then
+          msg="falling back to user-mode networking!"
+          msg="failed to setup NAT networking, $msg"
+          warn "$msg"
+        fi
 
       fi ;;
 
@@ -828,7 +836,7 @@ else
     "passt" | "slirp" )
 
       if [ -z "$USER_PORTS" ]; then
-        info "Notice: because user-mode networking is active, if you need to expose ports, add them to the \"USER_PORTS\" variable."
+        info "Notice: because user-mode networking is active, when you need to forward custom ports to DSM, add them to the \"USER_PORTS\" variable."
       fi ;;
 
   esac

src/proc.sh

@@ -33,9 +33,8 @@ if [[ "$KVM" != [Nn]* ]]; then
   KVM_OPTS=",accel=kvm -enable-kvm -global kvm-pit.lost_tick_policy=discard"
 
   if ! grep -qw "sse4_2" <<< "$flags"; then
-    info "Your CPU does not have the SSE4 instruction set that Virtual DSM requires, it will be emulated..."
-    [ -z "$CPU_MODEL" ] && CPU_MODEL="qemu64"
-    CPU_FEATURES+=",+ssse3,+sse4.1,+sse4.2"
+    error "Your CPU does not have the SSE4 instruction set that Virtual DSM requires!"
+    [[ "$DEBUG" != [Yy1]* ]] && exit 88
   fi
 
   if [ -z "$CPU_MODEL" ]; then

src/reset.sh

@@ -24,19 +24,40 @@ trap 'error "Status $? while: $BASH_COMMAND (line $LINENO/$BASH_LINENO)"' ERR
 
 # Helper variables
 
-PODMAN="N"
+ROOTLESS="N"
+PRIVILEGED="N"
 ENGINE="Docker"
 PROCESS="${APP,,}"
 PROCESS="${PROCESS// /-}"
 
 if [ -f "/run/.containerenv" ]; then
-  PODMAN="Y"
-  ENGINE="Podman"
+  ENGINE="${container:-}"
+  if [[ "${ENGINE,,}" == *"podman"* ]]; then
+    ROOTLESS="Y"
+    ENGINE="Podman"
+  else
+    [ -z "$ENGINE" ] && ENGINE="Kubernetes"
+  fi
 fi
 
 echo "❯ Starting $APP for $ENGINE v$(</run/version)..."
 echo "❯ For support visit $SUPPORT"
 
+# Get the capability bounding set
+CAP_BND=$(grep '^CapBnd:' /proc/$$/status | awk '{print $2}')
+CAP_BND=$(printf "%d" "0x${CAP_BND}")
+
+# Get the last capability number
+LAST_CAP=$(cat /proc/sys/kernel/cap_last_cap)
+
+# Calculate the maximum capability value
+MAX_CAP=$(((1 << (LAST_CAP + 1)) - 1))
+
+if [ "${CAP_BND}" -eq "${MAX_CAP}" ]; then
+  ROOTLESS="N"
+  PRIVILEGED="Y"
+fi
+
 INFO="/run/shm/msg.html"
 PAGE="/run/shm/index.html"
 TEMPLATE="/var/www/index.html"
@@ -78,8 +99,7 @@ fi
 
 # Check folder
 
-if [[ "${COMMIT:-}" == [Yy1]* ]]; then
-  STORAGE="/local"
+if [[ "${STORAGE,,}" != "/storage" ]]; then
   mkdir -p "$STORAGE"
 fi
 
@@ -88,7 +108,9 @@ if [ ! -d "$STORAGE" ]; then
 fi
 
 if [ ! -w "$STORAGE" ]; then
-  error "Storage folder ($STORAGE) is not writeable!" && exit 13
+  msg="Storage folder ($STORAGE) is not writeable!"
+  msg+=" If SELinux is active, you need to add the \":Z\" flag to the bind mount."
+  error "$msg" && exit 13
 fi
 
 # Check filesystem
@@ -165,6 +187,10 @@ if [[ "$KVM" != [Nn]* ]]; then
         if ! grep -qw "vmx\|svm" <<< "$flags"; then
           KVM_ERR="(not enabled in BIOS)"
         fi
+        if ! grep -qw "sse4_2" <<< "$flags"; then
+          error "Your CPU does not have the SSE4 instruction set that Virtual DSM requires!"
+          [[ "$DEBUG" != [Yy1]* ]] && exit 88
+        fi
       fi
     fi
   fi

src/utils.sh

@@ -67,6 +67,37 @@ fKill() {
   return 0
 }
 
+setOwner() {
+  local file="$1"
+  local dir uid gid
+
+  [ ! -f "$file" ] && return 1
+
+  dir=$(dirname -- "$file")
+  uid=$(stat -c '%u' "$dir")
+  gid=$(stat -c '%g' "$dir")
+
+  ! chown "$uid:$gid" "$file" && return 1
+
+  return 0
+}
+
+makeDir() {
+  local path="$1"
+  local dir uid gid
+
+  [ -d "$path" ] && return 0
+  ! mkdir -p "$path" && return 1
+
+  dir=$(dirname -- "$path")
+  uid=$(stat -c '%u' "$dir")
+  gid=$(stat -c '%g' "$dir")
+
+  ! chown "$uid:$gid" "$path" && return 1
+
+  return 0
+}
+
 escape () {
   local s
   s=${1//&/\&}
@@ -123,11 +154,11 @@ cpu() {
   fi
 
   cpu="${cpu// CPU/}"
-  cpu="${cpu// [0-9] Core}"
-  cpu="${cpu// [0-9][0-9] Core}"
   cpu="${cpu// [0-9][0-9][0-9] Core}"
-  cpu="${cpu//[0-9]th Gen }"
+  cpu="${cpu// [0-9][0-9] Core}"
+  cpu="${cpu// [0-9] Core}"
   cpu="${cpu//[0-9][0-9]th Gen }"
+  cpu="${cpu//[0-9]th Gen }"
   cpu="${cpu// Processor/}"
   cpu="${cpu// Quad core/}"
   cpu="${cpu// Dual core/}"