From 405ef9bc5636b8940f93413231ed1e4299e3d4ac Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@redhat.com>
Date: Mon, 16 Sep 2019 08:39:39 -0400
Subject: Add 'relabel' to --mount options

Currently if a user specifies a --mount option, their is no way to tell SELinux
to relabel the mount point.

This patch addes the relabel=shared and relabel=private options.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
---
 pkg/spec/storage.go | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

(limited to 'pkg')

diff --git a/pkg/spec/storage.go b/pkg/spec/storage.go
index bc0eaad6d..cc091dcee 100644
--- a/pkg/spec/storage.go
+++ b/pkg/spec/storage.go
@@ -389,7 +389,7 @@ func getBindMount(args []string) (spec.Mount, error) {
 		Type: TypeBind,
 	}
 
-	var setSource, setDest, setRORW, setSuid, setDev, setExec bool
+	var setSource, setDest, setRORW, setSuid, setDev, setExec, setRelabel bool
 
 	for _, val := range args {
 		kv := strings.Split(val, "=")
@@ -467,6 +467,22 @@ func getBindMount(args []string) (spec.Mount, error) {
 			}
 			newMount.Destination = kv[1]
 			setDest = true
+		case "relabel":
+			if setRelabel {
+				return newMount, errors.Wrapf(optionArgError, "cannot pass 'relabel' option more than once")
+			}
+			setRelabel = true
+			if len(kv) != 2 {
+				return newMount, errors.Wrapf(util.ErrBadMntOption, "%s mount option must be 'private' or 'shared'", kv[0])
+			}
+			switch kv[1] {
+			case "private":
+				newMount.Options = append(newMount.Options, "z")
+			case "shared":
+				newMount.Options = append(newMount.Options, "Z")
+			default:
+				return newMount, errors.Wrapf(util.ErrBadMntOption, "%s mount option must be 'private' or 'shared'", kv[0])
+			}
 		default:
 			return newMount, errors.Wrapf(util.ErrBadMntOption, kv[0])
 		}
-- 
cgit v1.2.3-54-g00ecf