summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2019-09-16 08:39:39 -0400
committerDaniel J Walsh <dwalsh@redhat.com>2019-09-16 09:56:43 -0400
commit405ef9bc5636b8940f93413231ed1e4299e3d4ac (patch)
tree19c24974ec46d5d5136b25250d86bb7be02984e2
parenta1970e1915fa99c1893bccd3a71a11d2bff77602 (diff)
downloadpodman-405ef9bc5636b8940f93413231ed1e4299e3d4ac.tar.gz
podman-405ef9bc5636b8940f93413231ed1e4299e3d4ac.tar.bz2
podman-405ef9bc5636b8940f93413231ed1e4299e3d4ac.zip
Add 'relabel' to --mount options
Currently if a user specifies a --mount option, their is no way to tell SELinux to relabel the mount point. This patch addes the relabel=shared and relabel=private options. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
-rw-r--r--docs/podman-create.1.md9
-rw-r--r--docs/podman-run.1.md11
-rw-r--r--pkg/spec/storage.go18
3 files changed, 33 insertions, 5 deletions
diff --git a/docs/podman-create.1.md b/docs/podman-create.1.md
index 996ef3863..c088f3e94 100644
--- a/docs/podman-create.1.md
+++ b/docs/podman-create.1.md
@@ -464,12 +464,16 @@ Tune a container's memory swappiness behavior. Accepts an integer between 0 and
Attach a filesystem mount to the container
-Current supported mount TYPES are bind, and tmpfs.
+Current supported mount TYPES are `bind`, `volume`, and `tmpfs`.
e.g.
type=bind,source=/path/on/host,destination=/path/in/container
+ type=bind,src=/path/on/host,dst=/path/in/container,relabel=shared
+
+ type=volume,source=vol1,destination=/path/in/container,ro=true
+
type=tmpfs,tmpfs-size=512M,destination=/path/in/container
Common Options:
@@ -483,8 +487,11 @@ Current supported mount TYPES are bind, and tmpfs.
Options specific to bind:
· bind-propagation: shared, slave, private, rshared, rslave, or rprivate(default). See also mount(2).
+
. bind-nonrecursive: do not setup a recursive bind mount. By default it is recursive.
+ . relabel: shared, private.
+
Options specific to tmpfs:
· tmpfs-size: Size of the tmpfs mount in bytes. Unlimited by default in Linux.
diff --git a/docs/podman-run.1.md b/docs/podman-run.1.md
index 0dbd4ea6f..d677f8262 100644
--- a/docs/podman-run.1.md
+++ b/docs/podman-run.1.md
@@ -475,13 +475,15 @@ Tune a container's memory swappiness behavior. Accepts an integer between 0 and
Attach a filesystem mount to the container
-Current supported mount TYPES are bind, and tmpfs.
+Current supported mount TYPES are `bind`, `volume`, and `tmpfs`.
e.g.
type=bind,source=/path/on/host,destination=/path/in/container
- type=bind,source=volume-name,destination=/path/in/container
+ type=bind,src=/path/on/host,dst=/path/in/container,relabel=shared
+
+ type=volume,source=vol1,destination=/path/in/container,ro=true
type=tmpfs,tmpfs-size=512M,destination=/path/in/container
@@ -495,9 +497,12 @@ Current supported mount TYPES are bind, and tmpfs.
Options specific to bind:
- · bind-propagation: Z, z, shared, slave, private, rshared, rslave, or rprivate(default). See also mount(2).
+ · bind-propagation: shared, slave, private, rshared, rslave, or rprivate(default). See also mount(2).
+
. bind-nonrecursive: do not setup a recursive bind mount. By default it is recursive.
+ . relabel: shared, private.
+
Options specific to tmpfs:
· tmpfs-size: Size of the tmpfs mount in bytes. Unlimited by default in Linux.
diff --git a/pkg/spec/storage.go b/pkg/spec/storage.go
index bc0eaad6d..cc091dcee 100644
--- a/pkg/spec/storage.go
+++ b/pkg/spec/storage.go
@@ -389,7 +389,7 @@ func getBindMount(args []string) (spec.Mount, error) {
Type: TypeBind,
}
- var setSource, setDest, setRORW, setSuid, setDev, setExec bool
+ var setSource, setDest, setRORW, setSuid, setDev, setExec, setRelabel bool
for _, val := range args {
kv := strings.Split(val, "=")
@@ -467,6 +467,22 @@ func getBindMount(args []string) (spec.Mount, error) {
}
newMount.Destination = kv[1]
setDest = true
+ case "relabel":
+ if setRelabel {
+ return newMount, errors.Wrapf(optionArgError, "cannot pass 'relabel' option more than once")
+ }
+ setRelabel = true
+ if len(kv) != 2 {
+ return newMount, errors.Wrapf(util.ErrBadMntOption, "%s mount option must be 'private' or 'shared'", kv[0])
+ }
+ switch kv[1] {
+ case "private":
+ newMount.Options = append(newMount.Options, "z")
+ case "shared":
+ newMount.Options = append(newMount.Options, "Z")
+ default:
+ return newMount, errors.Wrapf(util.ErrBadMntOption, "%s mount option must be 'private' or 'shared'", kv[0])
+ }
default:
return newMount, errors.Wrapf(util.ErrBadMntOption, kv[0])
}