Vendor in latest containers/storage opencontainers/selinux

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

vendor.conf

@@ -11,7 +11,7 @@ github.com/containerd/continuity master
 github.com/containernetworking/cni v0.7.0-alpha1
 github.com/containernetworking/plugins 1562a1e60ed101aacc5e08ed9dbeba8e9f3d4ec1
 github.com/containers/image bd10b1b53b2976f215b3f2f848fb8e7cad779aeb
-github.com/containers/storage 41294c85d97bef688e18f710402895dbecde3308
+github.com/containers/storage 24f0de45708bc6e4c8062828cd03812aaebc30db https://github.com/rhatdan/storage
 github.com/containers/psgo 5dde6da0bc8831b35243a847625bcf18183bd1ee
 github.com/coreos/go-systemd v14
 github.com/cri-o/ocicni 2d2983e40c242322a56c22a903785e7f83eb378c
@@ -50,7 +50,7 @@ github.com/opencontainers/image-spec v1.0.0
 github.com/opencontainers/runc b4e2ecb452d9ee4381137cc0a7e6715b96bed6de
 github.com/opencontainers/runtime-spec d810dbc60d8c5aeeb3d054bd1132fab2121968ce
 github.com/opencontainers/runtime-tools master
-github.com/opencontainers/selinux b6fa367ed7f534f9ba25391cc2d467085dbb445a
+github.com/opencontainers/selinux 36a9bc45a08c85f2c52bd9eb32e20267876773bd
 github.com/ostreedev/ostree-go master
 github.com/pkg/errors v0.8.0
 github.com/pmezard/go-difflib 792786c7400a136282c1664665ae0a8db921c6c2
@@ -76,7 +76,7 @@ golang.org/x/sys master
 golang.org/x/text f72d8390a633d5dfb0cc84043294db9f6c935756
 golang.org/x/time f51c12702a4d776e4c1fa9b0fabab841babae631
 golang.org/x/sync master
-google.golang.org/grpc v1.0.4 https://github.com/grpc/grpc-go
+google.golang.org/grpc v1.0.4 https://github.com/grpc/grpc-go<
 gopkg.in/cheggaaa/pb.v1 v1.0.7
 gopkg.in/inf.v0 v0.9.0
 gopkg.in/mgo.v2 v2

vendor/github.com/containers/storage/containers.go

@@ -133,6 +133,20 @@ func copyContainer(c *Container) *Container {
 	}
 }
 
+func (c *Container) MountLabel() string {
+	if label, ok := c.Flags["MountLabel"].(string); ok {
+		return label
+	}
+	return ""
+}
+
+func (c *Container) ProcessLabel() string {
+	if label, ok := c.Flags["ProcessLabel"].(string); ok {
+		return label
+	}
+	return ""
+}
+
 func (r *containerStore) Containers() ([]Container, error) {
 	containers := make([]Container, len(r.containers))
 	for i := range r.containers {
@@ -297,7 +311,7 @@ func (r *containerStore) Create(id string, names []string, image, layer, metadat
 			BigDataSizes:   make(map[string]int64),
 			BigDataDigests: make(map[string]digest.Digest),
 			Created:        time.Now().UTC(),
-			Flags:          make(map[string]interface{}),
+			Flags:          copyStringInterfaceMap(options.Flags),
 			UIDMap:         copyIDMap(options.UIDMap),
 			GIDMap:         copyIDMap(options.GIDMap),
 		}

vendor/github.com/containers/storage/drivers/aufs/aufs.go

@@ -416,7 +416,7 @@ func atomicRemove(source string) error {
 
 // Get returns the rootfs path for the id.
 // This will mount the dir at its given path
-func (a *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) {
+func (a *Driver) Get(id string, options graphdriver.MountOpts) (string, error) {
 	a.locker.Lock(id)
 	defer a.locker.Unlock(id)
 	parents, err := a.getParentLayerPaths(id)
@@ -441,7 +441,7 @@ func (a *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (s
 	// If a dir does not have a parent ( no layers )do not try to mount
 	// just return the diff path to the data
 	if len(parents) > 0 {
-		if err := a.mount(id, m, mountLabel, parents); err != nil {
+		if err := a.mount(id, m, options.MountLabel, parents); err != nil {
 			return "", err
 		}
 	}

vendor/github.com/containers/storage/drivers/btrfs/btrfs.go

@@ -634,7 +634,7 @@ func (d *Driver) Remove(id string) error {
 }
 
 // Get the requested filesystem id.
-func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) {
+func (d *Driver) Get(id string, options graphdriver.MountOpts) (string, error) {
 	dir := d.subvolumesDirID(id)
 	st, err := os.Stat(dir)
 	if err != nil {

vendor/github.com/containers/storage/drivers/chown.go

@@ -114,7 +114,10 @@ func NewNaiveLayerIDMapUpdater(driver ProtoDriver) LayerIDMapUpdater {
 // same "container" IDs.
 func (n *naiveLayerIDMapUpdater) UpdateLayerIDMap(id string, toContainer, toHost *idtools.IDMappings, mountLabel string) error {
 	driver := n.ProtoDriver
-	layerFs, err := driver.Get(id, mountLabel, nil, nil)
+	options := MountOpts{
+		MountLabel: mountLabel,
+	}
+	layerFs, err := driver.Get(id, options)
 	if err != nil {
 		return err
 	}

vendor/github.com/containers/storage/drivers/devmapper/driver.go

@@ -163,7 +163,7 @@ func (d *Driver) Remove(id string) error {
 }
 
 // Get mounts a device with given id into the root filesystem
-func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) {
+func (d *Driver) Get(id string, options graphdriver.MountOpts) (string, error) {
 	d.locker.Lock(id)
 	defer d.locker.Unlock(id)
 	mp := path.Join(d.home, "mnt", id)
@@ -189,7 +189,7 @@ func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (s
 	}
 
 	// Mount the device
-	if err := d.DeviceSet.MountDevice(id, mp, mountLabel); err != nil {
+	if err := d.DeviceSet.MountDevice(id, mp, options.MountLabel); err != nil {
 		d.ctr.Decrement(mp)
 		return "", err
 	}

vendor/github.com/containers/storage/drivers/driver.go

@@ -42,6 +42,15 @@ type CreateOpts struct {
 	StorageOpt map[string]string
 }
 
+// MountOpts contains optional arguments for LayerStope.Mount() methods.
+type MountOpts struct {
+	// Mount label is the MAC Labels to assign to mount point (SELINUX)
+	MountLabel string
+	// UidMaps & GidMaps are the User Namespace mappings to be assigned to content in the mount point
+	UidMaps []idtools.IDMap
+	GidMaps []idtools.IDMap
+}
+
 // InitFunc initializes the storage driver.
 type InitFunc func(root string, options []string, uidMaps, gidMaps []idtools.IDMap) (Driver, error)
 
@@ -68,7 +77,7 @@ type ProtoDriver interface {
 	// to by this id. You can optionally specify a mountLabel or "".
 	// Optionally it gets the mappings used to create the layer.
 	// Returns the absolute path to the mounted layered filesystem.
-	Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (dir string, err error)
+	Get(id string, options MountOpts) (dir string, err error)
 	// Put releases the system resources for the specified id,
 	// e.g, unmounting layered filesystem.
 	Put(id string) error

vendor/github.com/containers/storage/drivers/fsdiff.go

@@ -51,7 +51,10 @@ func (gdw *NaiveDiffDriver) Diff(id string, idMappings *idtools.IDMappings, pare
 		parentMappings = &idtools.IDMappings{}
 	}
 
-	layerFs, err := driver.Get(id, mountLabel, nil, nil)
+	options := MountOpts{
+		MountLabel: mountLabel,
+	}
+	layerFs, err := driver.Get(id, options)
 	if err != nil {
 		return nil, err
 	}
@@ -78,7 +81,7 @@ func (gdw *NaiveDiffDriver) Diff(id string, idMappings *idtools.IDMappings, pare
 		}), nil
 	}
 
-	parentFs, err := driver.Get(parent, mountLabel, nil, nil)
+	parentFs, err := driver.Get(parent, options)
 	if err != nil {
 		return nil, err
 	}
@@ -119,7 +122,10 @@ func (gdw *NaiveDiffDriver) Changes(id string, idMappings *idtools.IDMappings, p
 		parentMappings = &idtools.IDMappings{}
 	}
 
-	layerFs, err := driver.Get(id, mountLabel, nil, nil)
+	options := MountOpts{
+		MountLabel: mountLabel,
+	}
+	layerFs, err := driver.Get(id, options)
 	if err != nil {
 		return nil, err
 	}
@@ -128,7 +134,10 @@ func (gdw *NaiveDiffDriver) Changes(id string, idMappings *idtools.IDMappings, p
 	parentFs := ""
 
 	if parent != "" {
-		parentFs, err = driver.Get(parent, mountLabel, nil, nil)
+		options := MountOpts{
+			MountLabel: mountLabel,
+		}
+		parentFs, err = driver.Get(parent, options)
 		if err != nil {
 			return nil, err
 		}
@@ -149,7 +158,10 @@ func (gdw *NaiveDiffDriver) ApplyDiff(id string, applyMappings *idtools.IDMappin
 	}
 
 	// Mount the root filesystem so we can apply the diff/layer.
-	layerFs, err := driver.Get(id, mountLabel, nil, nil)
+	mountOpts := MountOpts{
+		MountLabel: mountLabel,
+	}
+	layerFs, err := driver.Get(id, mountOpts)
 	if err != nil {
 		return
 	}
@@ -189,7 +201,10 @@ func (gdw *NaiveDiffDriver) DiffSize(id string, idMappings *idtools.IDMappings,
 		return
 	}
 
-	layerFs, err := driver.Get(id, mountLabel, nil, nil)
+	options := MountOpts{
+		MountLabel: mountLabel,
+	}
+	layerFs, err := driver.Get(id, options)
 	if err != nil {
 		return
 	}

vendor/github.com/containers/storage/drivers/overlay/overlay.go

@@ -642,11 +642,11 @@ func (d *Driver) Remove(id string) error {
 }
 
 // Get creates and mounts the required file system for the given id and returns the mount path.
-func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (_ string, retErr error) {
-	return d.get(id, mountLabel, false, uidMaps, gidMaps)
+func (d *Driver) Get(id string, options graphdriver.MountOpts) (_ string, retErr error) {
+	return d.get(id, false, options)
 }
 
-func (d *Driver) get(id, mountLabel string, disableShifting bool, uidMaps, gidMaps []idtools.IDMap) (_ string, retErr error) {
+func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountOpts) (_ string, retErr error) {
 	d.locker.Lock(id)
 	defer d.locker.Unlock(id)
 	dir := d.dir(id)
@@ -740,7 +740,7 @@ func (d *Driver) get(id, mountLabel string, disableShifting bool, uidMaps, gidMa
 	if d.options.mountOptions != "" {
 		opts = fmt.Sprintf("%s,%s", d.options.mountOptions, opts)
 	}
-	mountData := label.FormatMountLabel(opts, mountLabel)
+	mountData := label.FormatMountLabel(opts, options.MountLabel)
 	mountFunc := unix.Mount
 	mountTarget := mergedDir
 
@@ -753,7 +753,7 @@ func (d *Driver) get(id, mountLabel string, disableShifting bool, uidMaps, gidMa
 	if d.options.mountProgram != "" {
 		mountFunc = func(source string, target string, mType string, flags uintptr, label string) error {
 			if !disableShifting {
-				label = d.optsAppendMappings(label, uidMaps, gidMaps)
+				label = d.optsAppendMappings(label, options.UidMaps, options.GidMaps)
 			}
 
 			mountProgram := exec.Command(d.options.mountProgram, "-o", label, target)
@@ -763,7 +763,7 @@ func (d *Driver) get(id, mountLabel string, disableShifting bool, uidMaps, gidMa
 	} else if len(mountData) > pageSize {
 		//FIXME: We need to figure out to get this to work with additional stores
 		opts = fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", strings.Join(relLowers, ":"), path.Join(id, "diff"), path.Join(id, "work"))
-		mountData = label.FormatMountLabel(opts, mountLabel)
+		mountData = label.FormatMountLabel(opts, options.MountLabel)
 		if len(mountData) > pageSize {
 			return "", fmt.Errorf("cannot mount layer, mount label too large %d", len(mountData))
 		}
@@ -952,7 +952,10 @@ func (d *Driver) UpdateLayerIDMap(id string, toContainer, toHost *idtools.IDMapp
 	}
 
 	// Mount the new layer and handle ownership changes and possible copy_ups in it.
-	layerFs, err := d.get(id, mountLabel, true, nil, nil)
+	options := graphdriver.MountOpts{
+		MountLabel: mountLabel,
+	}
+	layerFs, err := d.get(id, true, options)
 	if err != nil {
 		return err
 	}

vendor/github.com/containers/storage/drivers/vfs/driver.go

@@ -137,7 +137,7 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts, ro bool
 		label.SetFileLabel(dir, mountLabel)
 	}
 	if parent != "" {
-		parentDir, err := d.Get(parent, "", nil, nil)
+		parentDir, err := d.Get(parent, graphdriver.MountOpts{})
 		if err != nil {
 			return fmt.Errorf("%s: %s", parent, err)
 		}
@@ -179,7 +179,7 @@ func (d *Driver) Remove(id string) error {
 }
 
 // Get returns the directory for the given id.
-func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) {
+func (d *Driver) Get(id string, options graphdriver.MountOpts) (_ string, retErr error) {
 	dir := d.dir(id)
 	if st, err := os.Stat(dir); err != nil {
 		return "", err

vendor/github.com/containers/storage/drivers/windows/windows.go

@@ -362,9 +362,9 @@ func (d *Driver) Remove(id string) error {
 }
 
 // Get returns the rootfs path for the id. This will mount the dir at its given path.
-func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) {
+func (d *Driver) Get(id string, options graphdriver.MountOpts) (string, error) {
 	panicIfUsedByLcow()
-	logrus.Debugf("WindowsGraphDriver Get() id %s mountLabel %s", id, mountLabel)
+	logrus.Debugf("WindowsGraphDriver Get() id %s mountLabel %s", id, options.MountLabel)
 	var dir string
 
 	rID, err := d.resolveID(id)
@@ -620,7 +620,7 @@ func (d *Driver) DiffSize(id string, idMappings *idtools.IDMappings, parent stri
 		return
 	}
 
-	layerFs, err := d.Get(id, "", nil, nil)
+	layerFs, err := d.Get(id, graphdriver.MountOpts{})
 	if err != nil {
 		return
 	}

vendor/github.com/containers/storage/drivers/zfs/zfs.go

@@ -360,15 +360,15 @@ func (d *Driver) Remove(id string) error {
 }
 
 // Get returns the mountpoint for the given id after creating the target directories if necessary.
-func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) {
+func (d *Driver) Get(id string, options graphdriver.MountOpts) (string, error) {
 	mountpoint := d.mountPath(id)
 	if count := d.ctr.Increment(mountpoint); count > 1 {
 		return mountpoint, nil
 	}
 
 	filesystem := d.zfsPath(id)
-	options := label.FormatMountLabel(d.options.mountOptions, mountLabel)
-	logrus.Debugf(`[zfs] mount("%s", "%s", "%s")`, filesystem, mountpoint, options)
+	opts := label.FormatMountLabel(d.options.mountOptions, options.MountLabel)
+	logrus.Debugf(`[zfs] mount("%s", "%s", "%s")`, filesystem, mountpoint, opts)
 
 	rootUID, rootGID, err := idtools.GetRootUIDGID(d.uidMaps, d.gidMaps)
 	if err != nil {
@@ -381,7 +381,7 @@ func (d *Driver) Get(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (s
 		return "", err
 	}
 
-	if err := mount.Mount(filesystem, mountpoint, "zfs", options); err != nil {
+	if err := mount.Mount(filesystem, mountpoint, "zfs", opts); err != nil {
 		d.ctr.Decrement(mountpoint)
 		return "", fmt.Errorf("error creating zfs mount of %s to %s: %v", filesystem, mountpoint, err)
 	}

vendor/github.com/containers/storage/layers.go

@@ -21,6 +21,7 @@ import (
 	"github.com/containers/storage/pkg/system"
 	"github.com/containers/storage/pkg/truncindex"
 	digest "github.com/opencontainers/go-digest"
+	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 	"github.com/vbatts/tar-split/tar/asm"
 	"github.com/vbatts/tar-split/tar/storage"
@@ -210,7 +211,7 @@ type LayerStore interface {
 	// layers, it should not be written to.  An SELinux label to be applied to the
 	// mount can be specified to override the one configured for the layer.
 	// The mappings used by the container can be specified.
-	Mount(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error)
+	Mount(id string, options drivers.MountOpts) (string, error)
 
 	// Unmount unmounts a layer when it is no longer in use.
 	Unmount(id string, force bool) (bool, error)
@@ -294,6 +295,9 @@ func (r *layerStore) Load() error {
 	mounts := make(map[string]*Layer)
 	compressedsums := make(map[digest.Digest][]string)
 	uncompressedsums := make(map[digest.Digest][]string)
+	if r.lockfile.IsReadWrite() {
+		label.ClearLabels()
+	}
 	if err = json.Unmarshal(data, &layers); len(data) == 0 || err == nil {
 		idlist = make([]string, 0, len(layers))
 		for n, layer := range layers {
@@ -312,6 +316,9 @@ func (r *layerStore) Load() error {
 			if layer.UncompressedDigest != "" {
 				uncompressedsums[layer.UncompressedDigest] = append(uncompressedsums[layer.UncompressedDigest], layer.ID)
 			}
+			if layer.MountLabel != "" {
+				label.ReserveLabel(layer.MountLabel)
+			}
 		}
 	}
 	if shouldSave && !r.IsReadWrite() {
@@ -552,6 +559,9 @@ func (r *layerStore) Put(id string, parentLayer *Layer, names []string, mountLab
 	} else {
 		parentMappings = &idtools.IDMappings{}
 	}
+	if mountLabel != "" {
+		label.ReserveLabel(mountLabel)
+	}
 	idMappings := idtools.NewIDMappingsFromMaps(moreOptions.UIDMap, moreOptions.GIDMap)
 	opts := drivers.CreateOpts{
 		MountLabel: mountLabel,
@@ -649,7 +659,7 @@ func (r *layerStore) Mounted(id string) (int, error) {
 	return layer.MountCount, nil
 }
 
-func (r *layerStore) Mount(id, mountLabel string, uidMaps, gidMaps []idtools.IDMap) (string, error) {
+func (r *layerStore) Mount(id string, options drivers.MountOpts) (string, error) {
 	if !r.IsReadWrite() {
 		return "", errors.Wrapf(ErrStoreIsReadOnly, "not allowed to update mount locations for layers at %q", r.mountspath())
 	}
@@ -661,16 +671,16 @@ func (r *layerStore) Mount(id, mountLabel string, uidMaps, gidMaps []idtools.IDM
 		layer.MountCount++
 		return layer.MountPoint, r.Save()
 	}
-	if mountLabel == "" {
-		mountLabel = layer.MountLabel
+	if options.MountLabel == "" {
+		options.MountLabel = layer.MountLabel
 	}
 
-	if (uidMaps != nil || gidMaps != nil) && !r.driver.SupportsShifting() {
-		if !reflect.DeepEqual(uidMaps, layer.UIDMap) || !reflect.DeepEqual(gidMaps, layer.GIDMap) {
+	if (options.UidMaps != nil || options.GidMaps != nil) && !r.driver.SupportsShifting() {
+		if !reflect.DeepEqual(options.UidMaps, layer.UIDMap) || !reflect.DeepEqual(options.GidMaps, layer.GIDMap) {
 			return "", fmt.Errorf("cannot mount layer %v: shifting not enabled", layer.ID)
 		}
 	}
-	mountpoint, err := r.driver.Get(id, mountLabel, uidMaps, gidMaps)
+	mountpoint, err := r.driver.Get(id, options)
 	if mountpoint != "" && err == nil {
 		if layer.MountPoint != "" {
 			delete(r.bymount, layer.MountPoint)
@@ -839,6 +849,7 @@ func (r *layerStore) Delete(id string) error {
 		os.Remove(r.tspath(id))
 		delete(r.byid, id)
 		r.idindex.Delete(id)
+		mountLabel := layer.MountLabel
 		if layer.MountPoint != "" {
 			delete(r.bymount, layer.MountPoint)
 		}
@@ -857,6 +868,18 @@ func (r *layerStore) Delete(id string) error {
 				r.layers = append(r.layers[:toDeleteIndex], r.layers[toDeleteIndex+1:]...)
 			}
 		}
+		if mountLabel != "" {
+			var found bool
+			for _, candidate := range r.layers {
+				if candidate.MountLabel == mountLabel {
+					found = true
+					break
+				}
+			}
+			if !found {
+				label.ReleaseLabel(mountLabel)
+			}
+		}
 		if err = r.Save(); err != nil {
 			return err
 		}
@@ -957,7 +980,7 @@ func (r *layerStore) newFileGetter(id string) (drivers.FileGetCloser, error) {
 	if getter, ok := r.driver.(drivers.DiffGetterDriver); ok {
 		return getter.DiffGetter(id)
 	}
-	path, err := r.Mount(id, "", nil, nil)
+	path, err := r.Mount(id, drivers.MountOpts{})
 	if err != nil {
 		return nil, err
 	}

vendor/github.com/containers/storage/pkg/archive/example_changes.go

@@ -0,0 +1,97 @@
+// +build ignore
+
+// Simple tool to create an archive stream from an old and new directory
+//
+// By default it will stream the comparison of two temporary directories with junk files
+package main
+
+import (
+	"flag"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path"
+
+	"github.com/containers/storage/pkg/archive"
+	"github.com/sirupsen/logrus"
+)
+
+var (
+	flDebug  = flag.Bool("D", false, "debugging output")
+	flNewDir = flag.String("newdir", "", "")
+	flOldDir = flag.String("olddir", "", "")
+	log      = logrus.New()
+)
+
+func main() {
+	flag.Usage = func() {
+		fmt.Println("Produce a tar from comparing two directory paths. By default a demo tar is created of around 200 files (including hardlinks)")
+		fmt.Printf("%s [OPTIONS]\n", os.Args[0])
+		flag.PrintDefaults()
+	}
+	flag.Parse()
+	log.Out = os.Stderr
+	if (len(os.Getenv("DEBUG")) > 0) || *flDebug {
+		logrus.SetLevel(logrus.DebugLevel)
+	}
+	var newDir, oldDir string
+
+	if len(*flNewDir) == 0 {
+		var err error
+		newDir, err = ioutil.TempDir("", "storage-test-newDir")
+		if err != nil {
+			log.Fatal(err)
+		}
+		defer os.RemoveAll(newDir)
+		if _, err := prepareUntarSourceDirectory(100, newDir, true); err != nil {
+			log.Fatal(err)
+		}
+	} else {
+		newDir = *flNewDir
+	}
+
+	if len(*flOldDir) == 0 {
+		oldDir, err := ioutil.TempDir("", "storage-test-oldDir")
+		if err != nil {
+			log.Fatal(err)
+		}
+		defer os.RemoveAll(oldDir)
+	} else {
+		oldDir = *flOldDir
+	}
+
+	changes, err := archive.ChangesDirs(newDir, oldDir)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	a, err := archive.ExportChanges(newDir, changes)
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer a.Close()
+
+	i, err := io.Copy(os.Stdout, a)
+	if err != nil && err != io.EOF {
+		log.Fatal(err)
+	}
+	fmt.Fprintf(os.Stderr, "wrote archive of %d bytes", i)
+}
+
+func prepareUntarSourceDirectory(numberOfFiles int, targetPath string, makeLinks bool) (int, error) {
+	fileData := []byte("fooo")
+	for n := 0; n < numberOfFiles; n++ {
+		fileName := fmt.Sprintf("file-%d", n)
+		if err := ioutil.WriteFile(path.Join(targetPath, fileName), fileData, 0700); err != nil {
+			return 0, err
+		}
+		if makeLinks {
+			if err := os.Link(path.Join(targetPath, fileName), path.Join(targetPath, fileName+"-link")); err != nil {
+				return 0, err
+			}
+		}
+	}
+	totalSize := numberOfFiles * len(fileData)
+	return totalSize, nil
+}

vendor/github.com/containers/storage/store.go

@@ -25,6 +25,7 @@ import (
 	"github.com/containers/storage/pkg/stringid"
 	"github.com/containers/storage/pkg/stringutils"
 	digest "github.com/opencontainers/go-digest"
+	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 )
 
@@ -251,6 +252,8 @@ type Store interface {
 
 	// Mount attempts to mount a layer, image, or container for access, and
 	// returns the pathname if it succeeds.
+	// Note if the mountLabel == "", the default label for the container
+	// will be used.
 	//
 	// Note that we do some of this work in a child process.  The calling
 	// process's main() function needs to import our pkg/reexec package and
@@ -497,6 +500,8 @@ type ContainerOptions struct {
 	// container's layer will inherit settings from the image's top layer
 	// or, if it is not being created based on an image, the Store object.
 	IDMappingOptions
+	LabelOpts []string
+	Flags     map[string]interface{}
 }
 
 type store struct {
@@ -1175,7 +1180,26 @@ func (s *store) CreateContainer(id string, names []string, image, layer, metadat
 			},
 		}
 	}
-	clayer, err := rlstore.Create(layer, imageTopLayer, nil, "", nil, layerOptions, true)
+	if options.Flags == nil {
+		options.Flags = make(map[string]interface{})
+	}
+	plabel, _ := options.Flags["ProcessLabel"].(string)
+	mlabel, _ := options.Flags["MountLabel"].(string)
+	if (plabel == "" && mlabel != "") ||
+		(plabel != "" && mlabel == "") {
+		return nil, errors.Errorf("ProcessLabel and Mountlabel must either not be specified or both specified")
+	}
+
+	if plabel == "" {
+		processLabel, mountLabel, err := label.InitLabels(options.LabelOpts)
+		if err != nil {
+			return nil, err
+		}
+		options.Flags["ProcessLabel"] = processLabel
+		options.Flags["MountLabel"] = mountLabel
+	}
+
+	clayer, err := rlstore.Create(layer, imageTopLayer, nil, options.Flags["MountLabel"].(string), nil, layerOptions, true)
 	if err != nil {
 		return nil, err
 	}
@@ -1189,13 +1213,11 @@ func (s *store) CreateContainer(id string, names []string, image, layer, metadat
 	if modified, err := rcstore.Modified(); modified || err != nil {
 		rcstore.Load()
 	}
-	options = &ContainerOptions{
-		IDMappingOptions: IDMappingOptions{
+	options.IDMappingOptions = IDMappingOptions{
 		HostUIDMapping: len(options.UIDMap) == 0,
 		HostGIDMapping: len(options.GIDMap) == 0,
 		UIDMap:         copyIDMap(options.UIDMap),
 		GIDMap:         copyIDMap(options.GIDMap),
-		},
 	}
 	container, err := rcstore.Create(id, names, imageID, layer, metadata, options)
 	if err != nil || container == nil {
@@ -2273,7 +2295,12 @@ func (s *store) Mount(id, mountLabel string) (string, error) {
 		rlstore.Load()
 	}
 	if rlstore.Exists(id) {
-		return rlstore.Mount(id, mountLabel, uidMap, gidMap)
+		options := drivers.MountOpts{
+			MountLabel: mountLabel,
+			UidMaps:    uidMap,
+			GidMaps:    gidMap,
+		}
+		return rlstore.Mount(id, options)
 	}
 	return "", ErrLayerUnknown
 }

vendor/github.com/containers/storage/vendor.conf

@@ -8,7 +8,7 @@ github.com/mattn/go-shellwords 753a2322a99f87c0eff284980e77f53041555bc6
 github.com/mistifyio/go-zfs c0224de804d438efd11ea6e52ada8014537d6062
 github.com/opencontainers/go-digest master
 github.com/opencontainers/runc 6c22e77604689db8725fa866f0f2ec0b3e8c3a07
-github.com/opencontainers/selinux ba1aefe8057f1d0cfb8e88d0ec1dc85925ef987d
+github.com/opencontainers/selinux 36a9bc45a08c85f2c52bd9eb32e20267876773bd
 github.com/pborman/uuid 1b00554d822231195d1babd97ff4a781231955c9
 github.com/pkg/errors master
 github.com/pmezard/go-difflib v1.0.0

vendor/github.com/opencontainers/selinux/go-selinux/label/label.go

@@ -48,6 +48,11 @@ func GetPidLabel(pid int) (string, error) {
 func Init() {
 }
 
+// ClearLabels clears all reserved labels
+func ClearLabels() {
+	return
+}
+
 func ReserveLabel(label string) error {
 	return nil
 }

vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go

@@ -24,17 +24,22 @@ var ErrIncompatibleLabel = fmt.Errorf("Bad SELinux option z and Z can not be use
 // the container.  A list of options can be passed into this function to alter
 // the labels.  The labels returned will include a random MCS String, that is
 // guaranteed to be unique.
-func InitLabels(options []string) (string, string, error) {
+func InitLabels(options []string) (plabel string, mlabel string, Err error) {
 	if !selinux.GetEnabled() {
 		return "", "", nil
 	}
 	processLabel, mountLabel := selinux.ContainerLabels()
 	if processLabel != "" {
+		defer func() {
+			if Err != nil {
+				ReleaseLabel(mountLabel)
+			}
+		}()
 		pcon := selinux.NewContext(processLabel)
 		mcon := selinux.NewContext(mountLabel)
 		for _, opt := range options {
 			if opt == "disable" {
-				return "", "", nil
+				return "", mountLabel, nil
 			}
 			if i := strings.Index(opt, ":"); i == -1 {
 				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt)
@@ -156,6 +161,11 @@ func Init() {
 	selinux.GetEnabled()
 }
 
+// ClearLabels will clear all reserved labels
+func ClearLabels() {
+	selinux.ClearLabels()
+}
+
 // ReserveLabel will record the fact that the MCS label has already been used.
 // This will prevent InitLabels from using the MCS label in a newly created
 // container

vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go

@@ -409,6 +409,13 @@ func NewContext(label string) Context {
 	return c
 }
 
+// ClearLabels clears all reserved labels
+func ClearLabels() {
+	state.Lock()
+	state.mcsList = make(map[string]bool)
+	state.Unlock()
+}
+
 // ReserveLabel reserves the MLS/MCS level component of the specified label
 func ReserveLabel(label string) {
 	if len(label) != 0 {

vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go

@@ -107,6 +107,11 @@ func NewContext(label string) Context {
 	return c
 }
 
+// ClearLabels clears all reserved MLS/MCS levels
+func ClearLabels() {
+	return
+}
+
 // ReserveLabel reserves the MLS/MCS level component of the specified label
 func ReserveLabel(label string) {
 	return