From 86987b8038ddeb883048424884c908fb55a3e397 Mon Sep 17 00:00:00 2001 From: Adrian Reber Date: Fri, 12 Apr 2019 13:12:38 +0000 Subject: Use the same SELinux label for CRIU log files The SELinux label for the CRIU dump.log was explicitly set in Podman. The label for the restore.log, however, not. This just moves the code to label the log file into a function and calls that functions during checkpoint and restore. Signed-off-by: Adrian Reber --- libpod/container_internal_linux.go | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-) (limited to 'libpod') diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index eeffa4705..f352b188e 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -504,17 +504,9 @@ func (c *Container) checkpointRestoreSupported() (err error) { return nil } -func (c *Container) checkpoint(ctx context.Context, options ContainerCheckpointOptions) (err error) { - if err := c.checkpointRestoreSupported(); err != nil { - return err - } - - if c.state.State != ContainerStateRunning { - return errors.Wrapf(ErrCtrStateInvalid, "%q is not running, cannot checkpoint", c.state.State) - } - +func (c *Container) checkpointRestoreLabelLog(fileName string) (err error) { // Create the CRIU log file and label it - dumpLog := filepath.Join(c.bundlePath(), "dump.log") + dumpLog := filepath.Join(c.bundlePath(), fileName) logFile, err := os.OpenFile(dumpLog, os.O_CREATE, 0600) if err != nil { @@ -524,6 +516,21 @@ func (c *Container) checkpoint(ctx context.Context, options ContainerCheckpointO if err = label.SetFileLabel(dumpLog, c.MountLabel()); err != nil { return errors.Wrapf(err, "failed to label CRIU log file %q", dumpLog) } + return nil +} + +func (c *Container) checkpoint(ctx context.Context, options ContainerCheckpointOptions) (err error) { + if err := c.checkpointRestoreSupported(); err != nil { + return err + } + + if c.state.State != ContainerStateRunning { + return errors.Wrapf(ErrCtrStateInvalid, "%q is not running, cannot checkpoint", c.state.State) + } + + if err := c.checkpointRestoreLabelLog("dump.log"); err != nil { + return err + } if err := c.runtime.ociRuntime.checkpointContainer(c, options); err != nil { return err @@ -577,6 +584,10 @@ func (c *Container) restore(ctx context.Context, options ContainerCheckpointOpti return errors.Wrapf(err, "A complete checkpoint for this container cannot be found, cannot restore") } + if err := c.checkpointRestoreLabelLog("restore.log"); err != nil { + return err + } + // Read network configuration from checkpoint // Currently only one interface with one IP is supported. networkStatusFile, err := os.Open(filepath.Join(c.bundlePath(), "network.status")) -- cgit v1.2.3-54-g00ecf