Merge pull request opencontainers#1756 from rhatdan/selinux1

Mrunal Patel · web-flow · commit 69663f0bd4b6 · 2018-03-09T11:51:51.000-08:00
Label the masked tmpfs with the mount label
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
@@ -778,10 +778,10 @@ func remountReadonly(m *configs.Mount) error {
 // mounts ( proc/kcore ).
 // For files, maskPath bind mounts /dev/null over the top of the specified path.
 // For directories, maskPath mounts read-only tmpfs over the top of the specified path.
-func maskPath(path string) error {
+func maskPath(path string, mountLabel string) error {
 	if err := unix.Mount("/dev/null", path, "", unix.MS_BIND, ""); err != nil && !os.IsNotExist(err) {
 		if err == unix.ENOTDIR {
-			return unix.Mount("tmpfs", path, "tmpfs", unix.MS_RDONLY, "")
+			return unix.Mount("tmpfs", path, "tmpfs", unix.MS_RDONLY, label.FormatMountLabel("", mountLabel))
 		}
 		return err
 	}
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
@@ -110,7 +110,7 @@ func (l *linuxStandardInit) Init() error {
 		}
 	}
 	for _, path := range l.config.Config.MaskPaths {
-		if err := maskPath(path); err != nil {
+		if err := maskPath(path, l.config.Config.MountLabel); err != nil {
 			return err
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -778,10 +778,10 @@ func remountReadonly(m *configs.Mount) error {`
`778`	`778`	`// mounts ( proc/kcore ).`
`779`	`779`	`// For files, maskPath bind mounts /dev/null over the top of the specified path.`
`780`	`780`	`// For directories, maskPath mounts read-only tmpfs over the top of the specified path.`
`781`		`-func maskPath(path string) error {`
	`781`	`+func maskPath(path string, mountLabel string) error {`
`782`	`782`	`if err := unix.Mount("/dev/null", path, "", unix.MS_BIND, ""); err != nil && !os.IsNotExist(err) {`
`783`	`783`	`if err == unix.ENOTDIR {`
`784`		`- return unix.Mount("tmpfs", path, "tmpfs", unix.MS_RDONLY, "")`
	`784`	`+ return unix.Mount("tmpfs", path, "tmpfs", unix.MS_RDONLY, label.FormatMountLabel("", mountLabel))`
`785`	`785`	`}`
`786`	`786`	`return err`
`787`	`787`	`}`
Original file line number	Diff line number	Diff line change
`@@ -110,7 +110,7 @@ func (l *linuxStandardInit) Init() error {`
`110`	`110`	`}`
`111`	`111`	`}`
`112`	`112`	`for _, path := range l.config.Config.MaskPaths {`
`113`		`- if err := maskPath(path); err != nil {`
	`113`	`+ if err := maskPath(path, l.config.Config.MountLabel); err != nil {`
`114`	`114`	`return err`
`115`	`115`	`}`
`116`	`116`	`}`