From 1aa4e4d4d183aa07ea7453e4be70d31eaa8edb13 Mon Sep 17 00:00:00 2001
From: Valentin Rothberg <rothberg@redhat.com>
Date: Wed, 22 Dec 2021 13:28:36 +0100
Subject: container creation: don't apply reserved annotations from image

Do not apply reserved annotations from the image to the container.
Reserved annotations are applied during container creation to retrieve
certain information (e.g., custom seccomp profile or autoremoval)
once a container has been created.

Context: #12671
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
---
 libpod/define/annotations.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'libpod/define')

diff --git a/libpod/define/annotations.go b/libpod/define/annotations.go
index f6b1c06ea..3964a1237 100644
--- a/libpod/define/annotations.go
+++ b/libpod/define/annotations.go
@@ -66,3 +66,15 @@ const (
 	// annotation.
 	InspectResponseFalse = "FALSE"
 )
+
+// IsReservedAnnotation returns true if the specified value corresponds to an
+// already reserved annotation that Podman sets during container creation.
+func IsReservedAnnotation(value string) bool {
+	switch value {
+	case InspectAnnotationCIDFile, InspectAnnotationAutoremove, InspectAnnotationVolumesFrom, InspectAnnotationPrivileged, InspectAnnotationPublishAll, InspectAnnotationInit, InspectAnnotationLabel, InspectAnnotationSeccomp, InspectAnnotationApparmor, InspectResponseTrue, InspectResponseFalse:
+		return true
+
+	default:
+		return false
+	}
+}
-- 
cgit v1.2.3-54-g00ecf