linux: honor mount-label for the notify socket

Signed-off-by: Giuseppe Scrivano <[email protected]>
containers · Jun 26, 2020 · 1a53815 · 1a53815
1 parent 34694c0
commit 1a53815
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
@@ -51,6 +51,7 @@
 #include <inttypes.h>
 #include <sys/personality.h>
 #include <net/if.h>
+#include <sys/xattr.h>
 
 #include <yajl/yajl_tree.h>
 #include <yajl/yajl_gen.h>
@@ -1631,8 +1632,19 @@ do_finalize_notify_socket (libcrun_container_t *container, libcrun_error_t *err)
   if (UNLIKELY (ret < 0))
     return ret;
 
+#ifdef HAVE_FGETXATTR
+  if (container->container_def->linux->mount_label)
+    {
+      cleanup_free char *socket_path_file = NULL;
+      xasprintf (&socket_path_file, "%s/notify", host_notify_socket_path);
+      /* Ignore the error, the worse that can happen is that the container fails to notify it is ready.  */
+      (void) setxattr (socket_path_file, "security.selinux", container->container_def->linux->mount_label,
+                       strlen (container->container_def->linux->mount_label), 0);
+    }
+#endif
+
   ret = do_mount (container, host_notify_socket_path, -1, container_notify_socket_path_dir, NULL,
-                  MS_BIND | MS_REC | MS_PRIVATE, NULL, 0, err);
+                  MS_BIND | MS_REC | MS_PRIVATE, NULL, false, err);
   if (UNLIKELY (ret < 0))
    return ret;