diff options
author | Matthew Heon <mheon@redhat.com> | 2021-05-13 14:41:38 -0400 |
---|---|---|
committer | Matthew Heon <mheon@redhat.com> | 2021-05-17 09:10:59 -0400 |
commit | 6efca0bbac4346be1c9693c5ef5c592f2fc21035 (patch) | |
tree | 5bb6d35178cb634b982cf013c1f59ad539711f7d /libpod/container_internal_linux.go | |
parent | 3bdbe3ce969ac510b8d4ee44da4578da9fed659c (diff) | |
download | podman-6efca0bbac4346be1c9693c5ef5c592f2fc21035.tar.gz podman-6efca0bbac4346be1c9693c5ef5c592f2fc21035.tar.bz2 podman-6efca0bbac4346be1c9693c5ef5c592f2fc21035.zip |
Ensure that :Z/:z/:U can be used with named volumes
Docker allows relabeling of any volume passed in via -v, even
including named volumes. This normally isn't an issue at all,
given named volumes get the right label for container access
automatically, but this becomes an issue when volume plugins are
involved - these aren't managed by Podman, and may well be
unaware of SELinux labelling. We could automatically relabel
these volumes on creation, but I'm still reluctant to do that
(feels like it could break things). Instead, let's allow :z and
:Z to be used with named volumes, so users can explicitly request
relabel of a volume plugin-backed volume.
We also get :U at the same time. I don't see any real need for it
but it also doesn't seem to hurt, so I didn't bother disabling
it.
Fixes #10273
Signed-off-by: Matthew Heon <mheon@redhat.com>
Diffstat (limited to 'libpod/container_internal_linux.go')
-rw-r--r-- | libpod/container_internal_linux.go | 38 |
1 files changed, 19 insertions, 19 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index 7d57e8965..3fa2817f7 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -359,6 +359,25 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { return nil, err } + // Add named volumes + for _, namedVol := range c.config.NamedVolumes { + volume, err := c.runtime.GetVolume(namedVol.Name) + if err != nil { + return nil, errors.Wrapf(err, "error retrieving volume %s to add to container %s", namedVol.Name, c.ID()) + } + mountPoint, err := volume.MountPoint() + if err != nil { + return nil, err + } + volMount := spec.Mount{ + Type: "bind", + Source: mountPoint, + Destination: namedVol.Dest, + Options: namedVol.Options, + } + g.AddMount(volMount) + } + // Check if the spec file mounts contain the options z, Z or U. // If they have z or Z, relabel the source directory and then remove the option. // If they have U, chown the source directory and them remove the option. @@ -392,25 +411,6 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { g.SetProcessSelinuxLabel(c.ProcessLabel()) g.SetLinuxMountLabel(c.MountLabel()) - // Add named volumes - for _, namedVol := range c.config.NamedVolumes { - volume, err := c.runtime.GetVolume(namedVol.Name) - if err != nil { - return nil, errors.Wrapf(err, "error retrieving volume %s to add to container %s", namedVol.Name, c.ID()) - } - mountPoint, err := volume.MountPoint() - if err != nil { - return nil, err - } - volMount := spec.Mount{ - Type: "bind", - Source: mountPoint, - Destination: namedVol.Dest, - Options: namedVol.Options, - } - g.AddMount(volMount) - } - // Add bind mounts to container for dstPath, srcPath := range c.state.BindMounts { newMount := spec.Mount{ |