opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-10-18 03:33:32 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add support for selecting kvm and systemd labels

Browse Source 
In order to better support kata containers and systemd containers
container-selinux has added new types. Podman should execute the
container with an SELinux process label to match the container type.

Traditional Container process : container_t
KVM Container Process: containre_kvm_t
PID 1 Init process: container_init_t

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh
2020-04-15 14:48:53 -04:00
parent 195cb11276
commit c4ca3c71ff
14 changed files with 117 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
libpod/container_internal.go
View File

@ -19,6 +19,7 @@ import (
"github.com/containers/libpod/pkg/hooks"
"github.com/containers/libpod/pkg/hooks/exec"
"github.com/containers/libpod/pkg/rootless"
"github.com/containers/libpod/pkg/util"
"github.com/containers/storage"
"github.com/containers/storage/pkg/archive"
"github.com/containers/storage/pkg/mount"
@ -430,7 +431,22 @@ func (c *Container) setupStorage(ctx context.Context) error {
c.config.IDMappings.UIDMap = containerInfo.UIDMap
c.config.IDMappings.GIDMap = containerInfo.GIDMap
c.config.ProcessLabel = containerInfo.ProcessLabel
processLabel := containerInfo.ProcessLabel
switch {
case c.ociRuntime.SupportsKVM():
processLabel, err = util.SELinuxKVMLabel(processLabel)
if err != nil {
return err
}
case c.config.Systemd:
processLabel, err = util.SELinuxInitLabel(processLabel)
if err != nil {
return err
}
}
c.config.ProcessLabel = processLabel
c.config.MountLabel = containerInfo.MountLabel
c.config.StaticDir = containerInfo.Dir
c.state.RunDir = containerInfo.RunDir