Merge pull request #30652 from rhatdan/selinux

If caller specifies label overrides, don't override security options
2017-03-28 10:24:47 -04:00 · 2017-03-28 10:24:47 -04:00 · b6cb416051
commit b6cb416051
parent 917cb0d9d0 881e20ee0b
2 changed files with 12 additions and 2 deletions
--- a/daemon/create.go
+++ b/daemon/create.go
@ -156,7 +156,17 @@ func (daemon *Daemon) create(params types.ContainerCreateConfig, managed bool) (
 	return container, nil
 }

-func (daemon *Daemon) generateSecurityOpt(ipcMode containertypes.IpcMode, pidMode containertypes.PidMode, privileged bool) ([]string, error) {
+func (daemon *Daemon) generateSecurityOpt(hostConfig *containertypes.HostConfig) ([]string, error) {
+	for _, opt := range hostConfig.SecurityOpt {
+		con := strings.Split(opt, "=")
+		if con[0] == "label" {
+			// Caller overrode SecurityOpts
+			return nil, nil
+		}
+	}
+	ipcMode := hostConfig.IpcMode
+	pidMode := hostConfig.PidMode
+	privileged := hostConfig.Privileged
 	if ipcMode.IsHost() || pidMode.IsHost() || privileged {
 		return label.DisableSecOpt(), nil
 	}
--- a/daemon/daemon_unix.go
+++ b/daemon/daemon_unix.go
@ -274,7 +274,7 @@ func (daemon *Daemon) adaptContainerSettings(hostConfig *containertypes.HostConf
 		}
 	}
 	var err error
-	opts, err := daemon.generateSecurityOpt(hostConfig.IpcMode, hostConfig.PidMode, hostConfig.Privileged)
+	opts, err := daemon.generateSecurityOpt(hostConfig)
 	if err != nil {
 		return err
 	}