authorDaniel J Walsh <dwalsh@redhat.com>2019-01-18 15:01:53 -0500
committerMatthew Heon <matthew.heon@pm.me>2019-02-08 15:02:28 -0500
commit14eaca337af0fe3c66624a1a808157b6de8bff68 (patch)
tree5f09e9c7578491da839b71351f7ff0b3f205157f /cmd
parent2ba7b991b2bae4148eef977136c57f9da828f9bf (diff)
Vendor in latest opencontainers/selinux
This will now verify labels passed in by the user. It will also prevent users from accidentally relabeling their homedir. podman run -ti -v ~/home/user:Z fedora sh is not a good idea. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'cmd')
-rw-r--r--cmd/podman/create.go12
1 files changed, 10 insertions, 2 deletions
diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index d98b78bd4..93f38d2db 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -172,7 +172,11 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string) error {
if err != nil {
return errors.Wrapf(err, "container %q not found", config.PidMode.Container())
}
- labelOpts = append(labelOpts, label.DupSecOpt(ctr.ProcessLabel())...)
+ secopts, err := label.DupSecOpt(ctr.ProcessLabel())
+ if err != nil {
+ return errors.Wrapf(err, "failed to duplicate label %q ", ctr.ProcessLabel())
+ }
+ labelOpts = append(labelOpts, secopts...)
}
if config.IpcMode.IsHost() {
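Review bot: The format string in the new `errors.Wrapf` call ends with a space, so the wrapped message will read `failed to duplicate label "..." : <cause>`; the same string is repeated in the IPC hunk below. Dropping the trailing space gives `return errors.Wrapf(err, "failed to duplicate label %q", ctr.ProcessLabel())`. The label rejected here belongs to the container being joined rather than to anything the user typed, so the message would be easier to act on if it also named that container, as the "not found" error just above does with `config.PidMode.Container()`. parseSecurityOpt starts and ends outside this hunk.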
@@ -182,7 +186,11 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string) error {
if err != nil {
return errors.Wrapf(err, "container %q not found", config.IpcMode.Container())
}
- labelOpts = append(labelOpts, label.DupSecOpt(ctr.ProcessLabel())...)
+ secopts, err := label.DupSecOpt(ctr.ProcessLabel())
+ if err != nil {
+ return errors.Wrapf(err, "failed to duplicate label %q ", ctr.ProcessLabel())
+ }
+ labelOpts = append(labelOpts, secopts...)
}
for _, opt := range securityOpts {
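Review bot: The five added lines in this IPC branch are a byte-for-byte copy of the ones added to the PID branch above, so the label check now has to be kept in sync in two places. A small helper that takes the process label would hold the validation and the error text once, and would call `ctr.ProcessLabel()` once per branch instead of twice. The helper below assumes `ProcessLabel()` returns a string, which is how it is passed to `label.DupSecOpt` here; each call site becomes `secopts, err := dupProcessLabel(ctr.ProcessLabel())` followed by the existing `err` check and append. parseSecurityOpt continues past the end of this hunk.

```go
// dupProcessLabel returns the security options derived from another
// container's process label, failing if the label does not validate.
func dupProcessLabel(processLabel string) ([]string, error) {
	secopts, err := label.DupSecOpt(processLabel)
	if err != nil {
		return nil, errors.Wrapf(err, "failed to duplicate label %q", processLabel)
	}
	return secopts, nil
}
```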