Diffstat (limited to 'libpod')
-rw-r--r--libpod/container.go7
-rw-r--r--libpod/container_easyjson.go2
-rw-r--r--libpod/container_internal.go6
-rw-r--r--libpod/container_internal_linux.go2
-rw-r--r--libpod/image/image.go6
-rw-r--r--libpod/image/prune.go39
-rw-r--r--libpod/oci.go17
-rw-r--r--libpod/runtime.go6
8 files changed, 60 insertions, 25 deletions
diff --git a/libpod/container.go b/libpod/container.go
index f18f36160..c15633d34 100644
--- a/libpod/container.go
+++ b/libpod/container.go
@@ -410,14 +410,15 @@ func (c *Container) Spec() *spec.Spec {
// config does not exist (e.g., because the container was never started) return
// the spec from the config.
func (c *Container) specFromState() (*spec.Spec, error) {
- spec := c.config.Spec
+ returnSpec := c.config.Spec
if f, err := os.Open(c.state.ConfigPath); err == nil {
+ returnSpec = new(spec.Spec)
content, err := ioutil.ReadAll(f)
if err != nil {
return nil, errors.Wrapf(err, "error reading container config")
}
- if err := json.Unmarshal([]byte(content), &spec); err != nil {
+ if err := json.Unmarshal([]byte(content), &returnSpec); err != nil {
return nil, errors.Wrapf(err, "error unmarshalling container config")
}
} else {
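Review bot: The file opened by `os.Open(c.state.ConfigPath)` is never closed in the success branch shown here, so the descriptor stays open until the finalizer runs; add `defer f.Close()` as the first statement inside the `if`. In addition, `returnSpec` is already a `*spec.Spec`, so `json.Unmarshal(content, returnSpec)` is enough, and the extra `&` and the `[]byte(content)` conversion are redundant. The else branch of specFromState continues outside the hunk.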
@@ -427,7 +428,7 @@ func (c *Container) specFromState() (*spec.Spec, error) {
}
}
- return spec, nil
+ return returnSpec, nil
}
// ID returns the container's ID
diff --git a/libpod/container_easyjson.go b/libpod/container_easyjson.go
index 8bf5cb64f..61ee83231 100644
--- a/libpod/container_easyjson.go
+++ b/libpod/container_easyjson.go
@@ -1,6 +1,6 @@
// +build seccomp ostree selinux varlink exclude_graphdriver_devicemapper
-// Code generated by easyjson for marshaling/unmarshaling. DO NOT EDIT.
+// Code generated by easyjson for marshaling/unmarshaling. DO NOT EDIT .
package libpod
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 04d67b1aa..89ca59bbb 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -393,7 +393,9 @@ func resetState(state *containerState) error {
state.PID = 0
state.Mountpoint = ""
state.Mounted = false
- state.State = ContainerStateConfigured
+ if state.State != ContainerStateExited {
+ state.State = ContainerStateConfigured
+ }
state.ExecSessions = make(map[string]*ExecSession)
state.NetworkStatus = nil
state.BindMounts = make(map[string]string)
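Review bot: The new guard around `state.State` needs a why-comment, because resetState clears every other field unconditionally and a reader cannot tell why Exited alone survives. Something like `// Keep Exited across a reset so a container that already ran is not reported as merely configured` would do, if that is the intent. PID, Mountpoint and Mounted are still cleared for a container left in Exited, so any code that assumes Exited implies those are populated should be checked. resetState starts and ends outside the hunk.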
@@ -531,7 +533,7 @@ func (c *Container) isStopped() (bool, error) {
if err != nil {
return true, err
}
- return (c.state.State == ContainerStateStopped || c.state.State == ContainerStateExited), nil
+ return (c.state.State != ContainerStateRunning && c.state.State != ContainerStatePaused), nil
}
// save container state to the database
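Review bot: The rewritten return in isStopped treats every state other than Running and Paused as stopped, so Configured and any unknown or later-added state now pass, where the old expression named the two stopped states explicitly. If callers use isStopped to gate removal or cleanup, a deny-list fails open when a new state is introduced. Either keep an explicit list of the states that count as stopped, or document the choice on the function, e.g. `// isStopped reports true for any state other than Running or Paused, including Configured`. The function starts outside the hunk.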
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 2f03d45ea..9c343d051 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -227,7 +227,7 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
Options: []string{"bind", "private"},
}
if c.IsReadOnly() && dstPath != "/dev/shm" {
- newMount.Options = append(newMount.Options, "ro")
+ newMount.Options = append(newMount.Options, "ro", "nosuid", "noexec", "nodev")
}
if !MountExists(g.Mounts(), dstPath) {
g.AddMount(newMount)
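Review bot: `nosuid`, `noexec` and `nodev` are only added together with `ro`, so the same bind mounts in a container that is not read-only, and `/dev/shm` in one that is, keep just `bind,private`. If these are the runtime-managed files (the loop that sets `dstPath` is outside the hunk), they presumably never need setuid bits, device nodes or execution in either mode. The three flags could then go in the initial literal, `Options: []string{"bind", "private", "nosuid", "nodev", "noexec"}`, leaving only `ro` conditional. `/dev/shm` may need `noexec` left off if workloads map executable memory from it.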
diff --git a/libpod/image/image.go b/libpod/image/image.go
index 2e12adb70..8b650f25f 100644
--- a/libpod/image/image.go
+++ b/libpod/image/image.go
@@ -824,9 +824,9 @@ func (i *Image) Inspect(ctx context.Context) (*inspect.ImageData, error) {
return nil, err
}
- var repoDigests []string
- for _, name := range i.Names() {
- repoDigests = append(repoDigests, strings.SplitN(name, ":", 2)[0]+"@"+i.Digest().String())
+ repoDigests, err := i.RepoDigests()
+ if err != nil {
+ return nil, err
}
driver, err := i.DriverData()
diff --git a/libpod/image/prune.go b/libpod/image/prune.go
index 6a1f160d5..8602c222c 100644
--- a/libpod/image/prune.go
+++ b/libpod/image/prune.go
@@ -1,9 +1,11 @@
package image
+import "github.com/pkg/errors"
+
// GetPruneImages returns a slice of images that have no names/unused
-func (ir *Runtime) GetPruneImages() ([]*Image, error) {
+func (ir *Runtime) GetPruneImages(all bool) ([]*Image, error) {
var (
- unamedImages []*Image
+ pruneImages []*Image
)
allImages, err := ir.GetImages()
if err != nil {
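Review bot: The doc comment on GetPruneImages still reads "images that have no names/unused" and says nothing about the new `all` parameter, which now decides whether named images are considered at all. Suggested wording: `// GetPruneImages returns images that have no names; if all is true it also returns named images that no container uses.` Adding a parameter to an exported method also breaks any caller outside this commit, which is worth stating in the commit message. The function body continues in the next hunk.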
@@ -11,16 +13,35 @@ func (ir *Runtime) GetPruneImages() ([]*Image, error) {
}
for _, i := range allImages {
if len(i.Names()) == 0 {
- unamedImages = append(unamedImages, i)
+ pruneImages = append(pruneImages, i)
continue
}
- containers, err := i.Containers()
- if err != nil {
- return nil, err
+ if all {
+ containers, err := i.Containers()
+ if err != nil {
+ return nil, err
+ }
+ if len(containers) < 1 {
+ pruneImages = append(pruneImages, i)
+ }
}
- if len(containers) < 1 {
- unamedImages = append(unamedImages, i)
+ }
+ return pruneImages, nil
+}
+
+// PruneImages prunes dangling and optionally all unused images from the local
+// image store
+func (ir *Runtime) PruneImages(all bool) ([]string, error) {
+ var prunedCids []string
+ pruneImages, err := ir.GetPruneImages(all)
+ if err != nil {
+ return nil, errors.Wrap(err, "unable to get images to prune")
+ }
+ for _, p := range pruneImages {
+ if err := p.Remove(true); err != nil {
+ return nil, errors.Wrap(err, "failed to prune image")
}
+ prunedCids = append(prunedCids, p.ID())
}
- return unamedImages, nil
+ return prunedCids, nil
}
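Review bot: PruneImages returns `nil` for the ID list when a `p.Remove(true)` call fails, even though earlier iterations have already deleted images, so the caller cannot report or log what was removed. The error also does not say which image failed; `return prunedCids, errors.Wrapf(err, "failed to prune image %s", p.ID())` would keep both pieces of information. The candidate list is computed once in GetPruneImages and then removed with what looks like a force flag, so an image that gains a container between the check and the removal may be deleted anyway; confirm what `Remove(true)` does in that case. `prunedCids` holds image IDs, so `prunedIDs` would be a less misleading name.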
diff --git a/libpod/oci.go b/libpod/oci.go
index 31c1a7e85..a1894b52f 100644
--- a/libpod/oci.go
+++ b/libpod/oci.go
@@ -357,18 +357,25 @@ func (r *OCIRuntime) createOCIContainer(ctr *Container, cgroupParent string, res
// Set the label of the conmon process to be level :s0
// This will allow the container processes to talk to fifo-files
// passed into the container by conmon
- var plabel string
+ var (
+ plabel string
+ con selinux.Context
+ )
plabel, err = selinux.CurrentLabel()
if err != nil {
childPipe.Close()
return errors.Wrapf(err, "Failed to get current SELinux label")
}
- c := selinux.NewContext(plabel)
+ con, err = selinux.NewContext(plabel)
+ if err != nil {
+ return errors.Wrapf(err, "Failed to get new context from SELinux label")
+ }
+
runtime.LockOSThread()
- if c["level"] != "s0" && c["level"] != "" {
- c["level"] = "s0"
- if err = label.SetProcessLabel(c.Get()); err != nil {
+ if con["level"] != "s0" && con["level"] != "" {
+ con["level"] = "s0"
+ if err = label.SetProcessLabel(con.Get()); err != nil {
runtime.UnlockOSThread()
return err
}
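Review bot: The new error return after `selinux.NewContext(plabel)` leaves `childPipe` open, while the `CurrentLabel` failure path just above closes it before returning; add `childPipe.Close()` before the `return errors.Wrapf(err, "Failed to get new context from SELinux label")`. The `SetProcessLabel` failure path at the end of the hunk has the same gap, though it does unlock the OS thread. Whether other descriptors need releasing here cannot be seen, because createOCIContainer starts and ends outside the hunk.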
diff --git a/libpod/runtime.go b/libpod/runtime.go
index facbe5d66..11c90166d 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@@ -772,7 +772,11 @@ func (r *Runtime) refreshRootless() error {
// Take advantage of a command that requires a new userns
// so that we are running as the root user and able to use refresh()
cmd := exec.Command(os.Args[0], "info")
- return cmd.Run()
+ err := cmd.Run()
+ if err != nil {
+ return errors.Wrapf(err, "Error running %s info while refreshing state", os.Args[0])
+ }
+ return nil
}
// Reconfigures the runtime after a reboot
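Review bot: The wrapped error will usually carry only `exit status N`, because `cmd.Run()` leaves the child's stdout and stderr unset and its diagnostics are discarded. Using `out, err := cmd.CombinedOutput()` and adding `out` to the message would make a failed refresh debuggable. Separately, `os.Args[0]` is whatever the invoker passed as argv[0] and is resolved through PATH when it has no slash, so the re-exec is not guaranteed to be the running binary; `os.Executable()` would pin it. Go error strings are conventionally lowercase, so "error running ..." fits better once wrapped.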