Provide correct SELinux mount-label for restored container

Restoring a container from a checkpoint archive creates a complete
new root file-system. This file-system needs to have the correct SELinux
label or most things in that restored container will fail. Running
processes are not as problematic as newly exec()'d processes (internally
or via 'podman exec').

This patch tells the storage setup which label should be used to mount
the container's root file-system.

Signed-off-by: Adrian Reber <areber@redhat.com>
Adrian Reber 2019-06-25 12:36:05 +00:00
parent 94e2a0cd63
commit 220e169cc1
GPG key ID: 82C9378ED3C4906A


@ -351,6 +351,16 @@ func (c *Container) setupStorage(ctx context.Context) error {
},
LabelOpts: c.config.LabelOpts,
}
if c.restoreFromCheckpoint {
// If restoring from a checkpoint, the root file-system
// needs to be mounted with the same SELinux labels as
// it was mounted previously.
if options.Flags == nil {
options.Flags = make(map[string]interface{})
}
options.Flags["ProcessLabel"] = c.config.ProcessLabel
options.Flags["MountLabel"] = c.config.MountLabel
}
if c.config.Privileged {
privOpt := func(opt string) bool {
for _, privopt := range []string{"nodev", "nosuid", "noexec"} {
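Review bot: The new block copies `c.config.ProcessLabel` and `c.config.MountLabel` into `options.Flags` unconditionally, so a checkpoint whose config carries one label but not the other (or none, e.g. created on a host without SELinux) is passed through as-is; as far as I recall the storage layer rejects the half-set case and only generates fresh labels from `LabelOpts` when both are empty, so it would be safer to make the override depend on both values being present: `if c.restoreFromCheckpoint && c.config.ProcessLabel != "" && c.config.MountLabel != "" {`. Since these values come from the checkpoint archive rather than from the running policy, a comment noting that they are trusted as recorded at checkpoint time and otherwise fall back to `LabelOpts` would also help, e.g. `// Labels originate from the checkpointed config; if either is missing, let storage derive them from LabelOpts.` The enclosing setupStorage starts at the hunk header and continues past the hunk.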