Add new field to libpod to indicate whether or not to use labelling

Also update some missing fields libpod.conf obtions in man pages. Fix sort order of security options and add a note about disabling labeling. When a process requests a new label. libpod needs to reserve all labels to make sure that their are no conflicts. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1406 Approved by: mheon
2025-08-06 03:19:52 +08:00 · 2018-09-18 09:06:40 -04:00
parent 2cbb8c216a
commit fbfcc7842e
11 changed files with 84 additions and 25 deletions
--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@ -11,6 +11,7 @@ import (
 	"github.com/containers/storage"
 	"github.com/containers/storage/pkg/stringid"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/ulule/deepcopier"
@ -77,6 +78,7 @@ func (r *Runtime) newContainer(ctx context.Context, rSpec *spec.Spec, options ..
 		ctr.config.Namespace = r.config.Namespace
 	}

+	ctr.runtime = r
 	for _, option := range options {
 		if err := option(ctr); err != nil {
 			return nil, errors.Wrapf(err, "error running container create option")
@ -85,7 +87,6 @@ func (r *Runtime) newContainer(ctx context.Context, rSpec *spec.Spec, options ..

 	ctr.valid = true
 	ctr.state.State = ContainerStateConfigured
-	ctr.runtime = r

 	var pod *Pod
 	if ctr.config.Pod != "" {
@ -327,6 +328,10 @@ func (r *Runtime) removeContainer(ctx context.Context, c *Container, force bool)
 		}
 	}

+	if r.config.EnableLabeling {
+		label.ReleaseLabel(c.ProcessLabel())
+		r.reserveLabels()
+	}
 	// Delete the container
 	// Only do this if we're not ContainerStateConfigured - if we are,
 	// we haven't been created in the runtime yet
@ -460,3 +465,28 @@ func (r *Runtime) GetLatestContainer() (*Container, error) {
 	}
 	return ctrs[lastCreatedIndex], nil
 }
+
+// reserveLabels walks the list o fcontainers and reserves the label, so new containers will not
+// get them.
+// TODO Performance wise this should only run if the state has changed since the last time it was run.
+func (r *Runtime) reserveLabels() error {
+	containers, err := r.state.AllContainers()
+	if err != nil {
+		return err
+	}
+	for _, ctr := range containers {
+		label.ReserveLabel(ctr.ProcessLabel())
+	}
+	return nil
+}
+
+// initLabels allocates an new label to return to the caller
+func (r *Runtime) initLabels(labelOpts []string) (string, string, error) {
+	if !r.config.EnableLabeling {
+		return "", "", nil
+	}
+	if err := r.reserveLabels(); err != nil {
+		return "", "", errors.Wrapf(err, "unable to reserve labels")
+	}
+	return label.InitLabels(labelOpts)
+}