From af796eb59d8bdb62103a4a70c4f4bec06f37c270 Mon Sep 17 00:00:00 2001
From: gjpin <3874515+gjpin@users.noreply.github.com>
Date: Mon, 25 Oct 2021 12:48:49 +0100
Subject: [PATCH] Add support for container creation's selinux_opts attribute

---
 README.md | 10 ++++++++++
 api/structs.go | 5 +++++
 config.go | 2 ++
 driver.go | 1 +
 driver_test.go | 17 ++++++++++++++++-
 5 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 70c16395..ee517deb 100644
--- a/README.md
+++ b/README.md
@@ -396,6 +396,16 @@ config {
 }
 ```
 
+* **selinux_opts** - (Optional) A list of process labels the container will use.
+
+```
+config {
+ selinux_opts = [
+ "type:my_container.process"
+ ]
+}
+```
+
 * **sysctl** - (Optional) A key-value map of sysctl configurations to set to the containers on start.
 
 ```hcl
diff --git a/api/structs.go b/api/structs.go
index 5bbc201a..c32a855b 100644
--- a/api/structs.go
+++ b/api/structs.go
@@ -840,6 +840,11 @@ type InspectContainerHostConfig struct {
 // capabilities listed in the container's spec, compared against a set
 // of default capabilities.
 CapDrop []string `json:"CapDrop"`
+ // SelinuxProcessLabel is the process label the container will use. // If SELinux is enabled and this is not specified, a label will be // automatically generated if not specified. // Optional. SelinuxOpts []string `json:"SelinuxOpts"`
 // Dns is a list of DNS nameservers that will be added to the
 // container's resolv.conf
 Dns []string `json:"Dns"`
diff --git a/config.go b/config.go
index 603d8101..7e45eeea 100644
--- a/config.go
+++ b/config.go
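Review bot: The doc comment on the new `SelinuxOpts` field in `InspectContainerHostConfig` describes a field called `SelinuxProcessLabel` and says "if not specified" twice; suggest `// SelinuxOpts lists the SELinux label options (for example "type:..." or "disable") applied to the container. Optional.`. The field is added to the inspect response type, while driver.go in this same patch assigns `createOpts.ContainerSecurityConfig.SelinuxOpts` on the create side and the new tests read `inspectData.ProcessLabel` rather than this field; if the inspect JSON carries no `SelinuxOpts` key the field will always decode to nil, so it is worth confirming against a real inspect payload whether this addition is needed at all. The README hunk describes the option as "a list of process labels" while its example value is a label option (`type:my_container.process`), so the wording there and in this comment should agree on what the list holds.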
@@ -52,6 +52,7 @@ var (
 "command": hclspec.NewAttr("command", "string", false),
 "cap_add": hclspec.NewAttr("cap_add", "list(string)", false),
 "cap_drop": hclspec.NewAttr("cap_drop", "list(string)", false),
+ "selinux_opts": hclspec.NewAttr("selinux_opts", "list(string)", false),
 "cpu_hard_limit": hclspec.NewAttr("cpu_hard_limit", "bool", false),
 "cpu_cfs_period": hclspec.NewAttr("cpu_cfs_period", "number", false),
 "devices": hclspec.NewAttr("devices", "list(string)", false),
@@ -130,6 +131,7 @@ type TaskConfig struct {
 Volumes []string `codec:"volumes"`
 CapAdd []string `codec:"cap_add"`
 CapDrop []string `codec:"cap_drop"`
+ SelinuxOpts []string `codec:"selinux_opts"`
 Command string `codec:"command"`
 Devices []string `codec:"devices"`
 Entrypoint string `codec:"entrypoint"`
diff --git a/driver.go b/driver.go
index 5b21a9d9..6dcfd3c5 100644
--- a/driver.go
+++ b/driver.go
@@ -484,6 +484,7 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive
 // Security config options
 createOpts.ContainerSecurityConfig.CapAdd = driverConfig.CapAdd
 createOpts.ContainerSecurityConfig.CapDrop = driverConfig.CapDrop
+ createOpts.ContainerSecurityConfig.SelinuxOpts = driverConfig.SelinuxOpts
 createOpts.ContainerSecurityConfig.User = cfg.User
 createOpts.ContainerSecurityConfig.Privileged = driverConfig.Privileged
 createOpts.ContainerSecurityConfig.ReadOnlyFilesystem = driverConfig.ReadOnlyRootfs
diff --git a/driver_test.go b/driver_test.go
index 10adee5b..431756b2 100644
--- a/driver_test.go
+++ b/driver_test.go
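Review bot: In the driver.go hunk, `driverConfig.SelinuxOpts` is copied into the container security config as-is, so whatever the job author supplies — including `disable`, the value the new test uses, which turns SELinux labeling off for that container — reaches podman without any driver-side check. That puts this task option in the same class as `Privileged` on the neighbouring line; if the plugin has operator-level controls for such security-sensitive task options (not visible from this hunk), selinux_opts likely belongs under them, and the README entry should state that `disable` relaxes confinement. A short comment at the assignment, `// selinux_opts are forwarded unvalidated; "disable" turns off SELinux labeling for this container`, would make the trade-off visible to the next reader. StartTask begins and ends outside this hunk.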
@@ -1336,7 +1336,16 @@ func TestPodmanDriver_DefaultCaps(t *testing.T) {
 require.Contains(t, inspectData.EffectiveCaps, "CAP_CHOWN")
 }
 
-// check modified capabilities (CapAdd/CapDrop)
+// check default process label
+func TestPodmanDriver_DefaultProcessLabel(t *testing.T) {
+ taskCfg := newTaskConfig("", busyboxLongRunningCmd)
+ inspectData := startDestroyInspect(t, taskCfg, "defaultprocesslabel")
+
+ // a default container gets "disable" process label
+ require.Contains(t, inspectData.ProcessLabel, "label=disable")
+}
+
+// check modified capabilities (CapAdd/CapDrop/SelinuxOpts)
 func TestPodmanDriver_Caps(t *testing.T) {
 taskCfg := newTaskConfig("", busyboxLongRunningCmd)
 // cap_add = [
@@ -1347,6 +1356,10 @@ func TestPodmanDriver_Caps(t *testing.T) {
 // "MKNOD",
 // ]
 taskCfg.CapDrop = []string{"CHOWN"}
+ // selinux_opts = [
+ // "disable",
+ // ]
+ taskCfg.SelinuxOpts = []string{"disable"}
 
 inspectData := startDestroyInspect(t, taskCfg, "caps")
 
@@ -1354,6 +1367,8 @@ func TestPodmanDriver_Caps(t *testing.T) {
 require.Contains(t, inspectData.EffectiveCaps, "CAP_SYS_TIME")
 // we dropped CAP_CHOWN, so we should NOT see it in inspect
 require.NotContains(t, inspectData.EffectiveCaps, "CAP_CHOWN")
+ // we added "disable" process label, so we should see it in inspect
+ require.Contains(t, inspectData.ProcessLabel, "label=disable")
 }
 
 // check enabled tty option
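Review bot: In TestPodmanDriver_Caps the new assertion `require.Contains(t, inspectData.ProcessLabel, "label=disable")` (third hunk of this file) expects exactly what TestPodmanDriver_DefaultProcessLabel expects for a container with no selinux_opts at all, so it cannot show that `taskCfg.SelinuxOpts = []string{"disable"}` was applied; use a value the default does not produce, or assert on a different observable. The default-label test also contradicts the comment added to api/structs.go in this patch, which says a label is generated automatically when SELinux is enabled and nothing is specified — one of the two is wrong on an SELinux-enabled host. As far as I know, `ProcessLabel` in inspect output is the resolved label of the container process (empty when labeling is disabled or the host has no SELinux) rather than the option string given at creation, so `label=disable` may never appear in it; confirm against a real inspect payload before both tests rely on it.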