authorDaniel J Walsh <dwalsh@redhat.com>2018-09-18 09:06:40 -0400
committerAtomic Bot <atomic-devel@projectatomic.io>2018-09-20 16:01:29 +0000
commitfbfcc7842e0e3361c53bc607411c200824c111b4 (patch)
tree206996ea536a26ed17a8f79326a1e51041c4147f
parent2cbb8c216a2f8e7160cdf88ef6ef50ee75559d96 (diff)
Add new field to libpod to indicate whether or not to use labelling
Also document some missing libpod.conf options in the man pages. Fix sort order of security options and add a note about disabling labeling. When a process requests a new label, libpod needs to reserve all labels to make sure that there are no conflicts. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1406 Approved by: mheon
-rw-r--r--cmd/podman/create.go2
-rw-r--r--docs/libpod.conf.5.md3
-rw-r--r--docs/podman-create.1.md4
-rw-r--r--docs/podman-run.1.md4
-rw-r--r--libpod.conf3
-rw-r--r--libpod/container_internal_linux.go22
-rw-r--r--libpod/options.go12
-rw-r--r--libpod/runtime.go3
-rw-r--r--libpod/runtime_ctr.go32
-rw-r--r--pkg/spec/createconfig.go22
-rw-r--r--pkg/spec/spec.go2
11 files changed, 84 insertions, 25 deletions
diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index ce62bd278..6842a9f77 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -317,7 +317,7 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string) error {
}
}
}
- config.ProcessLabel, config.MountLabel, err = label.InitLabels(labelOpts)
+ config.LabelOpts = labelOpts
return err
}
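Review bot: `return err` on the last line now returns a value that nothing in the hunk assigns; with the `label.InitLabels` call removed, `err` holds only whatever an earlier statement in parseSecurityOpt left in it. If it was declared just for that call, the function now always returns nil and `return nil` would say so; if it was assigned earlier and the function kept going, this is a stale-error return. parseSecurityOpt starts outside the hunk, so its declaration needs checking. A comment would also help the next reader see where the labels went: `// Label allocation is deferred to the runtime (WithSecLabels); only the raw options are kept here.`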
diff --git a/docs/libpod.conf.5.md b/docs/libpod.conf.5.md
index e881c4296..198e927ee 100644
--- a/docs/libpod.conf.5.md
+++ b/docs/libpod.conf.5.md
@@ -59,6 +59,9 @@ libpod to manage containers.
The default namespace is "", which corresponds to no namespace. When no namespace is set, all
containers and pods are visible.
+**label**="true|false"
+ Indicates whether the containers should use label separation.
+
## FILES
`/usr/share/containers/libpod.conf`, default libpod configuration path
diff --git a/docs/podman-create.1.md b/docs/podman-create.1.md
index 8cbe64a3e..01e072005 100644
--- a/docs/podman-create.1.md
+++ b/docs/podman-create.1.md
@@ -506,6 +506,8 @@ Security Options
"seccomp=unconfined" : Turn off seccomp confinement for the container
"seccomp=profile.json : White listed syscalls seccomp Json file to be used as a seccomp filter
+Note: Labelling can be disabled for all containers by setting label=false in the **libpod.conf** (`/etc/containers/libpod.conf`) file.
+
**--shm-size**=""
Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater than `0`.
@@ -736,7 +738,7 @@ $ podman create --uidmap 0:30000:7000 --gidmap 0:30000:7000 fedora echo hello
**/etc/subgid**
## SEE ALSO
-subgid(5), subuid(5)
+subgid(5), subuid(5), libpod.conf(5)
## HISTORY
October 2017, converted from Docker documentation to podman by Dan Walsh for podman <dwalsh@redhat.com>
diff --git a/docs/podman-run.1.md b/docs/podman-run.1.md
index 0960125a3..a4c47f5de 100644
--- a/docs/podman-run.1.md
+++ b/docs/podman-run.1.md
@@ -528,6 +528,8 @@ Security Options
- `seccomp=unconfined` : Turn off seccomp confinement for the container
- `seccomp=profile.json` : White listed syscalls seccomp Json file to be used as a seccomp filter
+Note: Labelling can be disabled for all containers by setting label=false in the **libpod.conf** (`/etc/containers/libpod.conf`) file.
+
**--shm-size**=""
Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater than `0`.
@@ -1025,7 +1027,7 @@ $ podman run --uidmap 0:30000:7000 --gidmap 0:30000:7000 fedora echo hello
**/etc/subgid**
## SEE ALSO
-subgid(5), subuid(5)
+subgid(5), subuid(5), libpod.conf(5)
## HISTORY
October 2017, converted from Docker documentation to podman by Dan Walsh for podman <dwalsh@redhat.com>
diff --git a/libpod.conf b/libpod.conf
index dcfeb67cc..2976cec02 100644
--- a/libpod.conf
+++ b/libpod.conf
@@ -88,3 +88,6 @@ pause_command = "/pause"
# significant memory usage if a container has many ports forwarded to it.
# Disabling this can save memory.
#enable_port_reservation = true
+
+# Default libpod support for container labeling
+# label=true
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index f9e161cb3..b77beaf64 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -98,6 +98,28 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
}
}
+ // Check if the spec file mounts contain the label Relabel flags z or Z.
+ // If they do, relabel the source directory and then remove the option.
+ for _, m := range g.Mounts() {
+ var options []string
+ for _, o := range m.Options {
+ switch o {
+ case "z":
+ fallthrough
+ case "Z":
+ if err := label.Relabel(m.Source, c.MountLabel(), label.IsShared(o)); err != nil {
+ return nil, errors.Wrapf(err, "relabel failed %q", m.Source)
+ }
+
+ default:
+ options = append(options, o)
+ }
+ }
+ m.Options = options
+ }
+
+ g.SetProcessSelinuxLabel(c.ProcessLabel())
+ g.SetLinuxMountLabel(c.MountLabel())
// Remove the default /dev/shm mount to ensure we overwrite it
g.RemoveMount("/dev/shm")
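Review bot: `m.Options = options` at the end of the loop writes to the range copy, not to the mount held by the generator, so the `z`/`Z` options are relabelled but never actually stripped from the spec (assuming `g.Mounts()` returns `[]spec.Mount` by value, as runtime-tools does). The unknown options would then be handed to the OCI runtime. Index into the slice instead: `mounts := g.Mounts()`, `for i, m := range mounts {`, `mounts[i].Options = options` — and if `Mounts()` returns a copy of the slice rather than the backing array, the mount has to be re-added through the generator. generateSpec starts and ends outside the hunk.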
diff --git a/libpod/options.go b/libpod/options.go
index 1a29c0705..977f3f4c2 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -373,15 +373,17 @@ func WithPrivileged(privileged bool) CtrCreateOption {
}
}
-// WithSELinuxLabels sets the mount label for SELinux.
-func WithSELinuxLabels(processLabel, mountLabel string) CtrCreateOption {
+// WithSecLabels sets the labels for SELinux.
+func WithSecLabels(labelOpts []string) CtrCreateOption {
return func(ctr *Container) error {
if ctr.valid {
return ErrCtrFinalized
}
-
- ctr.config.ProcessLabel = processLabel
- ctr.config.MountLabel = mountLabel
+ var err error
+ ctr.config.ProcessLabel, ctr.config.MountLabel, err = ctr.runtime.initLabels(labelOpts)
+ if err != nil {
+ return errors.Wrapf(err, "failed to init labels")
+ }
return nil
}
}
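Review bot: The new body dereferences `ctr.runtime`, which is only non-nil because the runtime_ctr.go hunk in this commit moves `ctr.runtime = r` ahead of the option loop; any other path that applies CtrCreateOptions to a container would panic here instead of returning an error. A guard keeps the failure explicit: `if ctr.runtime == nil { return errors.New("container has no runtime; cannot init labels") }`. The doc comment should also say that when labeling is disabled in the runtime config both labels are left empty, since callers cannot tell that from the signature.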
diff --git a/libpod/runtime.go b/libpod/runtime.go
index c69854a17..fbd4c7529 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@@ -172,6 +172,8 @@ type RuntimeConfig struct {
// However, this can cause significant memory usage if a container has
// many ports forwarded to it. Disabling this can save memory.
EnablePortReservation bool `toml:"enable_port_reservation"`
+ // EnableLabeling indicates wether libpod will support container labeling
+ EnableLabeling bool `toml:"label"`
}
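Review bot: The doc comment on the new field has a typo ("wether") and undersells what the setting does: turning it off removes the SELinux process and mount labels from every container, i.e. the MCS separation between containers, which a reader of the config struct should be told. Suggest `// EnableLabeling controls whether libpod assigns SELinux process and mount labels to containers.` followed by `// Setting it to false disables SELinux separation between containers and their mounts.` The toml key `label` also differs from the Go name; a note that it matches the libpod.conf key would help.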
var (
@@ -209,6 +211,7 @@ var (
InfraCommand: DefaultInfraCommand,
InfraImage: DefaultInfraImage,
EnablePortReservation: true,
+ EnableLabeling: true,
}
)
diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go
index a0b576bcd..6c487e367 100644
--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@@ -11,6 +11,7 @@ import (
"github.com/containers/storage"
"github.com/containers/storage/pkg/stringid"
spec "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"github.com/ulule/deepcopier"
@@ -77,6 +78,7 @@ func (r *Runtime) newContainer(ctx context.Context, rSpec *spec.Spec, options ..
ctr.config.Namespace = r.config.Namespace
}
+ ctr.runtime = r
for _, option := range options {
if err := option(ctr); err != nil {
return nil, errors.Wrapf(err, "error running container create option")
@@ -85,7 +87,6 @@ func (r *Runtime) newContainer(ctx context.Context, rSpec *spec.Spec, options ..
ctr.valid = true
ctr.state.State = ContainerStateConfigured
- ctr.runtime = r
var pod *Pod
if ctr.config.Pod != "" {
@@ -327,6 +328,10 @@ func (r *Runtime) removeContainer(ctx context.Context, c *Container, force bool)
}
}
+ if r.config.EnableLabeling {
+ label.ReleaseLabel(c.ProcessLabel())
+ r.reserveLabels()
+ }
// Delete the container
// Only do this if we're not ContainerStateConfigured - if we are,
// we haven't been created in the runtime yet
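Review bot: The `r.reserveLabels()` call right after `label.ReleaseLabel` drops the error it returns, and its placement looks ineffective: the container is only deleted from state further down, so if `AllContainers()` still includes `c` here, reserveLabels re-reserves the label that was just released. Moving the release/re-reserve after the state deletion, or skipping `c` inside reserveLabels, would make the release meaningful within this process; either way the error should be handled, e.g. `if err := r.reserveLabels(); err != nil { logrus.Warnf("unable to re-reserve labels: %v", err) }`. removeContainer starts and ends outside the hunk.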
@@ -460,3 +465,28 @@ func (r *Runtime) GetLatestContainer() (*Container, error) {
}
return ctrs[lastCreatedIndex], nil
}
+
+// reserveLabels walks the list o fcontainers and reserves the label, so new containers will not
+// get them.
+// TODO Performance wise this should only run if the state has changed since the last time it was run.
+func (r *Runtime) reserveLabels() error {
+ containers, err := r.state.AllContainers()
+ if err != nil {
+ return err
+ }
+ for _, ctr := range containers {
+ label.ReserveLabel(ctr.ProcessLabel())
+ }
+ return nil
+}
+
+// initLabels allocates an new label to return to the caller
+func (r *Runtime) initLabels(labelOpts []string) (string, string, error) {
+ if !r.config.EnableLabeling {
+ return "", "", nil
+ }
+ if err := r.reserveLabels(); err != nil {
+ return "", "", errors.Wrapf(err, "unable to reserve labels")
+ }
+ return label.InitLabels(labelOpts)
+}
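Review bot: initLabels silently discards user-supplied `labelOpts` when `EnableLabeling` is false, so a caller who explicitly asked for `--security-opt label=...` gets unlabelled containers with no indication; a warning before the early return would surface that: `if len(labelOpts) > 0 { logrus.Warnf("labeling is disabled in libpod.conf; ignoring label options %v", labelOpts) }`. The reservation also appears to be per-process and rebuilt from state on each call, so two podman processes creating containers at the same time could still pick the same category pair before either is persisted; that limitation belongs in the reserveLabels comment, which additionally has a typo ("list o fcontainers").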
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index a441b4019..328e3763c 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -15,7 +15,6 @@ import (
"github.com/docker/go-connections/nat"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
- "github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
@@ -126,12 +125,11 @@ type CreateConfig struct {
UtsMode namespaces.UTSMode //uts
Volumes []string //volume
VolumesFrom []string
- WorkDir string //workdir
- MountLabel string //SecurityOpts
- ProcessLabel string //SecurityOpts
- NoNewPrivs bool //SecurityOpts
- ApparmorProfile string //SecurityOpts
- SeccompProfilePath string //SecurityOpts
+ WorkDir string //workdir
+ LabelOpts []string //SecurityOpts
+ NoNewPrivs bool //SecurityOpts
+ ApparmorProfile string //SecurityOpts
+ SeccompProfilePath string //SecurityOpts
SecurityOpts []string
Rootfs string
LocalVolumes []string //Keeps track of the built-in volumes of container used in the --volumes-from flag
@@ -179,14 +177,10 @@ func (c *CreateConfig) GetVolumeMounts(specMounts []spec.Mount) ([]spec.Mount, e
options = append(options, "rw")
}
if foundz {
- if err := label.Relabel(spliti[0], c.MountLabel, true); err != nil {
- return nil, errors.Wrapf(err, "relabel failed %q", spliti[0])
- }
+ options = append(options, "z")
}
if foundZ {
- if err := label.Relabel(spliti[0], c.MountLabel, false); err != nil {
- return nil, errors.Wrapf(err, "relabel failed %q", spliti[0])
- }
+ options = append(options, "Z")
}
if rootProp == "" {
options = append(options, "rprivate")
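Review bot: The `z`/`Z` strings appended here are not mount options the OCI runtime understands; they are markers that libpod's generateSpec is expected to relabel and strip later in this commit, and any other consumer of GetVolumeMounts would pass them through unchanged. That contract deserves a comment at the two append sites: `// "z"/"Z" are relabel markers consumed and removed by libpod when it generates the spec.` GetVolumeMounts starts and ends outside the hunk.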
@@ -449,7 +443,7 @@ func (c *CreateConfig) GetContainerCreateOptions(runtime *libpod.Runtime) ([]lib
useImageVolumes := c.ImageVolumeType == "bind"
// Gather up the options for NewContainer which consist of With... funcs
options = append(options, libpod.WithRootFSFromImage(c.ImageID, c.Image, useImageVolumes))
- options = append(options, libpod.WithSELinuxLabels(c.ProcessLabel, c.MountLabel))
+ options = append(options, libpod.WithSecLabels(c.LabelOpts))
options = append(options, libpod.WithConmonPidFile(c.ConmonPidFile))
options = append(options, libpod.WithLabels(c.Labels))
options = append(options, libpod.WithUser(c.User))
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 3634b0b33..e115bba7f 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -211,8 +211,6 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
// SECURITY OPTS
g.SetProcessNoNewPrivileges(config.NoNewPrivs)
g.SetProcessApparmorProfile(config.ApparmorProfile)
- g.SetProcessSelinuxLabel(config.ProcessLabel)
- g.SetLinuxMountLabel(config.MountLabel)
if canAddResources {
blockAccessToKernelFilesystems(config, &g)