executor: Add common selinux label to containers in same executor ses…

…sion

Following commit ensures that all the builders share same selinux label
if they are created by a common parent Executor session.

Reason: There are use-cases when a particular stage from the same
executor sessions is requested to be accessed as a mount into another stage.
In such cases it is not a good idea to recreate and remount the stage
instead all stages can share common selinux label making it more convinient
to reuse the mountpoint.

Signed-off-by: Aditya Rajan <[email protected]>

buildah.go

@@ -327,6 +327,10 @@ type BuilderOptions struct {
 	// OciDecryptConfig contains the config that can be used to decrypt an image if it is
 	// encrypted if non-nil. If nil, it does not attempt to decrypt an image.
 	OciDecryptConfig *encconfig.DecryptConfig
+	// ProcessLabel is the SELinux process label associated with the container
+	ProcessLabel string
+	// MountLabel is the SELinux mount label associated with the container
+	MountLabel string
 }
 
 // ImportOptions are used to initialize a Builder from an existing container

imagebuildah/executor.go

@@ -31,6 +31,7 @@ import (
 	"github.com/containers/storage/pkg/archive"
 	digest "github.com/opencontainers/go-digest"
 	v1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/openshift/imagebuilder"
 	"github.com/openshift/imagebuilder/dockerfile/parser"
 	"github.com/pkg/errors"
@@ -126,6 +127,8 @@ type Executor struct {
 	secrets                        map[string]string
 	sshsources                     map[string]*sshagent.Source
 	logPrefix                      string
+	processLabel                   string // Common processLabel shared across all containers in various stages
+	mountLabel                     string // Common mountLabel shared across all containers in various stages
 }
 
 type imageTypeAndHistoryAndDiffIDs struct {
@@ -190,6 +193,12 @@ func newExecutor(logger *logrus.Logger, logPrefix string, store storage.Store, o
 		writer = ioutil.Discard
 	}
 
+	// common processLabel and mountLabel shared acrosss all containers in the build
+	processLabel, mountLabel, err := label.InitLabels(options.CommonBuildOpts.LabelOpts)
+	if err != nil {
+		return nil, err
+	}
+
 	var rusageLogFile io.Writer
 
 	if options.LogRusage && !options.Quiet {
@@ -270,6 +279,8 @@ func newExecutor(logger *logrus.Logger, logPrefix string, store storage.Store, o
 		secrets:                        secrets,
 		sshsources:                     sshsources,
 		logPrefix:                      logPrefix,
+		processLabel:                   processLabel,
+		mountLabel:                     mountLabel,
 	}
 	if exec.err == nil {
 		exec.err = os.Stderr

imagebuildah/stage_executor.go

@@ -609,6 +609,8 @@ func (s *StageExecutor) prepare(ctx context.Context, from string, initializeIBCo
 		MaxPullRetries:        s.executor.maxPullPushRetries,
 		PullRetryDelay:        s.executor.retryPullPushDelay,
 		OciDecryptConfig:      s.executor.ociDecryptConfig,
+		ProcessLabel:          s.executor.processLabel,
+		MountLabel:            s.executor.mountLabel,
 	}
 
 	builder, err = buildah.NewBuilder(ctx, s.executor.store, builderOptions)

new.go

@@ -216,9 +216,15 @@ func newBuilder(ctx context.Context, store storage.Store, options BuilderOptions
 
 	conflict := 100
 	for {
+
+		flags := map[string]interface{}{
+			"ProcessLabel": options.ProcessLabel,
+			"MountLabel":   options.MountLabel,
+		}
 		coptions := storage.ContainerOptions{
 			LabelOpts:        options.CommonBuildOpts.LabelOpts,
 			IDMappingOptions: newContainerIDMappingOptions(options.IDMappingOptions),
+			Flags:            flags,
 			Volatile:         true,
 		}
 		container, err = store.CreateContainer("", []string{tmpName}, imageID, "", "", &coptions)