If caller specifies label overrides, don't override security options

If a caller specifies an SELinux type or MCS Label and still wants to share an IPC Namespace or the host namespace, we should allow them. Currently we are ignoring the label specification if ipcmod=container or pidmode=host. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-02-01 16:52:36 -05:00 · 2017-02-01 16:52:36 -05:00 · 881e20ee0b
commit 881e20ee0b
parent f148ad38e5
2 changed files with 12 additions and 2 deletions
--- a/daemon/create.go
+++ b/daemon/create.go
@ -156,7 +156,17 @@ func (daemon *Daemon) create(params types.ContainerCreateConfig, managed bool) (
 	return container, nil
 }

-func (daemon *Daemon) generateSecurityOpt(ipcMode containertypes.IpcMode, pidMode containertypes.PidMode, privileged bool) ([]string, error) {
+func (daemon *Daemon) generateSecurityOpt(hostConfig *containertypes.HostConfig) ([]string, error) {
+	for _, opt := range hostConfig.SecurityOpt {
+		con := strings.Split(opt, "=")
+		if con[0] == "label" {
+			// Caller overrode SecurityOpts
+			return nil, nil
+		}
+	}
+	ipcMode := hostConfig.IpcMode
+	pidMode := hostConfig.PidMode
+	privileged := hostConfig.Privileged
 	if ipcMode.IsHost() || pidMode.IsHost() || privileged {
 		return label.DisableSecOpt(), nil
 	}
--- a/daemon/daemon_unix.go
+++ b/daemon/daemon_unix.go
@ -274,7 +274,7 @@ func (daemon *Daemon) adaptContainerSettings(hostConfig *containertypes.HostConf
 		}
 	}
 	var err error
-	opts, err := daemon.generateSecurityOpt(hostConfig.IpcMode, hostConfig.PidMode, hostConfig.Privileged)
+	opts, err := daemon.generateSecurityOpt(hostConfig)
 	if err != nil {
 		return err
 	}