authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2020-02-19 17:30:21 +0100
committerGitHub <noreply@github.com>2020-02-19 17:30:21 +0100
commitda249e2fe279659458abb6bee995e68813849f00 (patch)
treea3d9da4fc713adeacbb005caea1eb3d5ff3e969c /pkg
parent7efcca2818178fd815f234f8be66aca5dc5a676f (diff)
parent0fcaa935733d3cdacd0e462d060a984e8e1218ce (diff)
Merge pull request #5225 from vrothberg/fix-5087
config: use built-in TOML merge and adhere to label setting
Diffstat (limited to 'pkg')
-rw-r--r--pkg/spec/spec.go26
1 files changed, 19 insertions, 7 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index b2a152a2d..21b6bc3b3 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -241,23 +241,35 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
}
// SECURITY OPTS
+ var runtimeConfig *libpodconfig.Config
+
+ if runtime != nil {
+ runtimeConfig, err = runtime.GetConfig()
+ if err != nil {
+ return nil, err
+ }
+ }
+
g.SetProcessNoNewPrivileges(config.Security.NoNewPrivs)
if !config.Security.Privileged {
g.SetProcessApparmorProfile(config.Security.ApparmorProfile)
}
- blockAccessToKernelFilesystems(config, &g)
-
- var runtimeConfig *libpodconfig.Config
-
- if runtime != nil {
- runtimeConfig, err = runtime.GetConfig()
- if err != nil {
+ // Unless already set via the CLI, check if we need to disable process
+ // labels or set the defaults.
+ if len(config.Security.LabelOpts) == 0 && runtimeConfig != nil {
+ if !runtimeConfig.EnableLabeling {
+ // Disabled in the config.
+ config.Security.LabelOpts = append(config.Security.LabelOpts, "disable")
+ } else if err := config.Security.SetLabelOpts(runtime, &config.Pid, &config.Ipc); err != nil {
+ // Defaults!
return nil, err
}
}
+ blockAccessToKernelFilesystems(config, &g)
+
// RESOURCES - PIDS
if config.Resources.PidsLimit > 0 {
// if running on rootless on a cgroupv1 machine or using the cgroupfs manager, pids