fix: fix dlopen default and add mprotect

PierreJeanjacquot · PierreJeanjacquot · commit d0bdc82e5ed0 · 2025-06-25T16:19:43.000+02:00
diff --git a/.github/workflows/sconify.yml b/.github/workflows/sconify.yml
@@ -16,7 +16,7 @@ on:
         type: string
         required: true
       image-tag:
-        description: "Tag of docker image to sconify "
+        description: "Tag of docker image to sconify"
         type: string
         required: true
       scontain-username:
@@ -51,10 +51,14 @@ on:
         description: "Enclave heap size (default 1G)"
         type: string
         default: "1G"
+      mprotect:
+        description: "Scone mprotect mode (0:disable; 1:enable; default 0)"
+        type: number
+        default: 0
       dlopen:
-        description: "Scoen dlopen mode (default 1)"
+        description: "Scone dlopen mode (0:disable; 1:enable; default 0)"
         type: number
-        default: 1
+        default: 0
       sconify-debug:
         description: "Create Scone debug image (default true)"
         type: boolean
@@ -145,6 +149,8 @@ jobs:
           [[ -n '${{ inputs.heap }}' ]] && SCONIFY_CMD+=" --heap=${{ inputs.heap }}"
           # --dlopen option
           [[ -n '${{ inputs.dlopen }}' ]] && SCONIFY_CMD+=" --dlopen=${{ inputs.dlopen }}"
+          # --mprotect option
+          [[ -n '${{ inputs.mprotect }}' ]] && SCONIFY_CMD+=" --mprotect=${{ inputs.mprotect }}"
           # DEBUG
           # --verbose --no-color options
           SCONIFY_CMD+=" --verbose --no-color"
diff --git a/sconify/README.md b/sconify/README.md
@@ -36,10 +36,12 @@ The workflow performs the following actions:
 | **fs-file**           | [SCONE] Path of files to add to the binary file system (use multiline to add multiple files)             | No           | -                                |
 | **host-path**         | [SCONE] Host path, served directly from the host file system (use multiline to add multiple path)        | No           | -                                |
 | **heap**              | [SCONE] Enclave heap size                                                                                | No           | 1G                               |
-| **dlopen**            | [SCONE] Scone dlopen mode (0:disable; 1:enable and require authentication; 2:debug only)                 | No           | 1                                |
-| **sconify-debug**     | Create Scone debug image                                                                                 | No           | true                             |
-| **sconify-prod**      | Create Scone production image                                                                            | No           | true                             |
-| **runner**            | Runner to use (overrides `runs-on`) ⚠️ the specified runner must feature Ubuntu OS and docker CE         | No           | ubuntu-latest                    |
+| **dlopen**            | [SCONE] Scone dlopen mode (0:disable; 1:enable)                                                          | No           | 0                                |
+| **mprotect**          | [SCONE] Scone mprotect mode (0:disable; 1:enable)                                                        | No           | 0                                |
+
+| **sconify-debug** | Create Scone debug image | No | true |
+| **sconify-prod** | Create Scone production image | No | true |
+| **runner** | Runner to use (overrides `runs-on`) ⚠️ the specified runner must feature Ubuntu OS and docker CE | No | ubuntu-latest |
 
 > ℹ️ for more details about [SCONE] options see [Scone's documentation](https://sconedocs.github.io/ee_sconify_image/#all-supported-options)
 
@@ -109,6 +111,7 @@ jobs:
       fs-dir: /app
       heap: 1G
       dlopen: 1
+      mprotect: 1
       docker-username: ${{ vars.DOCKER_USERNAME }}
       scontain-username: ${{ vars.SCONTAIN_USERNAME }}
     secrets:
