summaryrefslogtreecommitdiff
path: root/libpod/container_internal_linux.go
diff options
context:
space:
mode:
Diffstat (limited to 'libpod/container_internal_linux.go')
-rw-r--r--libpod/container_internal_linux.go27
1 files changed, 26 insertions, 1 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index c0912dc0d..b77beaf64 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -98,6 +98,28 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
}
}
+ // Check if the spec file mounts contain the label Relabel flags z or Z.
+ // If they do, relabel the source directory and then remove the option.
+ for _, m := range g.Mounts() {
+ var options []string
+ for _, o := range m.Options {
+ switch o {
+ case "z":
+ fallthrough
+ case "Z":
+ if err := label.Relabel(m.Source, c.MountLabel(), label.IsShared(o)); err != nil {
+ return nil, errors.Wrapf(err, "relabel failed %q", m.Source)
+ }
+
+ default:
+ options = append(options, o)
+ }
+ }
+ m.Options = options
+ }
+
+ g.SetProcessSelinuxLabel(c.ProcessLabel())
+ g.SetLinuxMountLabel(c.MountLabel())
// Remove the default /dev/shm mount to ensure we overwrite it
g.RemoveMount("/dev/shm")
@@ -107,7 +129,10 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
Type: "bind",
Source: srcPath,
Destination: dstPath,
- Options: []string{"rw", "bind", "private"},
+ Options: []string{"bind", "private"},
+ }
+ if c.IsReadOnly() {
+ newMount.Options = append(newMount.Options, "ro")
}
if !MountExists(g.Mounts(), dstPath) {
g.AddMount(newMount)
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-01-25 03:22:26 +0000