7 files changed, 44 insertions, 36 deletions

diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go
index 51474471b..870d92ca9 100644
--- a/libpod/container_inspect.go
+++ b/libpod/container_inspect.go
@@ -49,7 +49,7 @@ func (c *Container) Inspect(size bool) (*define.InspectContainerData, error) {
 	return c.inspectLocked(size)
 }
 
-func (c *Container) getContainerInspectData(size bool, driverData *driver.Data) (*define.InspectContainerData, error) {
+func (c *Container) getContainerInspectData(size bool, driverData *define.DriverData) (*define.InspectContainerData, error) {
 	config := c.config
 	runtimeInfo := c.state
 	ctrSpec, err := c.specFromState()
diff --git a/libpod/define/container_inspect.go b/libpod/define/container_inspect.go
index c61f7c159..9a93e2ffd 100644
--- a/libpod/define/container_inspect.go
+++ b/libpod/define/container_inspect.go
@@ -4,7 +4,6 @@ import (
 	"time"
 
 	"github.com/containers/image/v5/manifest"
-	"github.com/containers/podman/v2/libpod/driver"
 )
 
 // InspectContainerConfig holds further data about how a container was initially
@@ -635,7 +634,7 @@ type InspectContainerData struct {
 	EffectiveCaps   []string                    `json:"EffectiveCaps"`
 	BoundingCaps    []string                    `json:"BoundingCaps"`
 	ExecIDs         []string                    `json:"ExecIDs"`
-	GraphDriver     *driver.Data                `json:"GraphDriver"`
+	GraphDriver     *DriverData                 `json:"GraphDriver"`
 	SizeRw          *int64                      `json:"SizeRw,omitempty"`
 	SizeRootFs      int64                       `json:"SizeRootFs,omitempty"`
 	Mounts          []InspectMount              `json:"Mounts"`
@@ -700,3 +699,9 @@ type InspectExecProcess struct {
 	// User is the user the exec session was started as.
 	User string `json:"user"`
 }
+
+// DriverData handles the data for a storage driver
+type DriverData struct {
+	Name string            `json:"Name"`
+	Data map[string]string `json:"Data"`
+}
diff --git a/libpod/define/errors.go b/libpod/define/errors.go
index b96d36429..568f8e88d 100644
--- a/libpod/define/errors.go
+++ b/libpod/define/errors.go
@@ -2,6 +2,7 @@ package define
 
 import (
 	"errors"
+	"fmt"
 )
 
 var (
@@ -181,4 +182,16 @@ var (
 
 	// ErrNoNetwork indicates that a container has no net namespace, like network=none
 	ErrNoNetwork = errors.New("container has no network namespace")
+
+	// ErrSetSecurityAttribute indicates that a request to set a container's security attribute
+	// was not possible.
+	ErrSetSecurityAttribute = fmt.Errorf("%w: unable to assign security attribute", ErrOCIRuntime)
+
+	// ErrGetSecurityAttribute indicates that a request to get a container's security attribute
+	// was not possible.
+	ErrGetSecurityAttribute = fmt.Errorf("%w: unable to get security attribute", ErrOCIRuntime)
+
+	// ErrSecurityAttribute indicates that an error processing security attributes
+	// for the container
+	ErrSecurityAttribute = fmt.Errorf("%w: unable to process security attribute", ErrOCIRuntime)
 )
diff --git a/libpod/driver/driver.go b/libpod/driver/driver.go
index 85eda5a21..de71c1f6e 100644
--- a/libpod/driver/driver.go
+++ b/libpod/driver/driver.go
@@ -1,40 +1,17 @@
 package driver
 
 import (
-	cstorage "github.com/containers/storage"
+	"github.com/containers/podman/v2/libpod/define"
+	"github.com/containers/storage"
 )
 
-// Data handles the data for a storage driver
-type Data struct {
-	Name string            `json:"Name"`
-	Data map[string]string `json:"Data"`
-}
-
-// GetDriverName returns the name of the driver for the given store
-func GetDriverName(store cstorage.Store) (string, error) {
-	driver, err := store.GraphDriver()
-	if err != nil {
-		return "", err
-	}
-	return driver.String(), nil
-}
-
-// GetDriverMetadata returns the metadata regarding the driver for the layer in the given store
-func GetDriverMetadata(store cstorage.Store, layerID string) (map[string]string, error) {
+// GetDriverData returns information on a given store's running graph driver.
+func GetDriverData(store storage.Store, layerID string) (*define.DriverData, error) {
 	driver, err := store.GraphDriver()
 	if err != nil {
 		return nil, err
 	}
-	return driver.Metadata(layerID)
-}
-
-// GetDriverData returns the Data struct with information of the driver used by the store
-func GetDriverData(store cstorage.Store, layerID string) (*Data, error) {
-	name, err := GetDriverName(store)
-	if err != nil {
-		return nil, err
-	}
-	metaData, err := GetDriverMetadata(store, layerID)
+	metaData, err := driver.Metadata(layerID)
 	if err != nil {
 		return nil, err
 	}
@@ -42,8 +19,8 @@ func GetDriverData(store cstorage.Store, layerID string) (*Data, error) {
 		delete(metaData, "MergedDir")
 	}
 
-	return &Data{
-		Name: name,
+	return &define.DriverData{
+		Name: driver.String(),
 		Data: metaData,
 	}, nil
 }
diff --git a/libpod/image/image.go b/libpod/image/image.go
index 39d740b7a..d732aecfe 100644
--- a/libpod/image/image.go
+++ b/libpod/image/image.go
@@ -29,6 +29,7 @@ import (
 	"github.com/containers/image/v5/transports"
 	"github.com/containers/image/v5/transports/alltransports"
 	"github.com/containers/image/v5/types"
+	"github.com/containers/podman/v2/libpod/define"
 	"github.com/containers/podman/v2/libpod/driver"
 	"github.com/containers/podman/v2/libpod/events"
 	"github.com/containers/podman/v2/pkg/inspect"
@@ -970,7 +971,7 @@ func (i *Image) toImageRef(ctx context.Context) (types.Image, error) {
 }
 
 // DriverData gets the driver data from the store on a layer
-func (i *Image) DriverData() (*driver.Data, error) {
+func (i *Image) DriverData() (*define.DriverData, error) {
 	return driver.GetDriverData(i.imageruntime.store, i.TopLayer())
 }
 
diff --git a/libpod/oci_util.go b/libpod/oci_util.go
index 2ba85c4b3..d40cf13bd 100644
--- a/libpod/oci_util.go
+++ b/libpod/oci_util.go
@@ -126,5 +126,17 @@ func getOCIRuntimeError(runtimeMsg string) error {
 		}
 		return errors.Wrapf(define.ErrOCIRuntimeNotFound, "%s", strings.Trim(errStr, "\n"))
 	}
+	if match := regexp.MustCompile("`/proc/[a-z0-9-].+/attr.*`").FindString(runtimeMsg); match != "" {
+		errStr := match
+		if includeFullOutput {
+			errStr = runtimeMsg
+		}
+		if strings.HasSuffix(match, "/exec`") {
+			return errors.Wrapf(define.ErrSetSecurityAttribute, "%s", strings.Trim(errStr, "\n"))
+		} else if strings.HasSuffix(match, "/current`") {
+			return errors.Wrapf(define.ErrGetSecurityAttribute, "%s", strings.Trim(errStr, "\n"))
+		}
+		return errors.Wrapf(define.ErrSecurityAttribute, "%s", strings.Trim(errStr, "\n"))
+	}
 	return errors.Wrapf(define.ErrOCIRuntime, "%s", strings.Trim(runtimeMsg, "\n"))
 }
diff --git a/pkg/inspect/inspect.go b/pkg/inspect/inspect.go
index 27bff46a0..67c6a5c03 100644
--- a/pkg/inspect/inspect.go
+++ b/pkg/inspect/inspect.go
@@ -4,7 +4,7 @@ import (
 	"time"
 
 	"github.com/containers/image/v5/manifest"
-	"github.com/containers/podman/v2/libpod/driver"
+	"github.com/containers/podman/v2/libpod/define"
 	"github.com/opencontainers/go-digest"
 	v1 "github.com/opencontainers/image-spec/specs-go/v1"
 )
@@ -25,7 +25,7 @@ type ImageData struct {
 	Os           string                        `json:"Os"`
 	Size         int64                         `json:"Size"`
 	VirtualSize  int64                         `json:"VirtualSize"`
-	GraphDriver  *driver.Data                  `json:"GraphDriver"`
+	GraphDriver  *define.DriverData            `json:"GraphDriver"`
 	RootFS       *RootFS                       `json:"RootFS"`
 	Labels       map[string]string             `json:"Labels"`
 	Annotations  map[string]string             `json:"Annotations"`