check nil for selinuxLabel

Signed-off-by: Lifubang <[email protected]> Signed-off-by: lifubang <[email protected]>
opencontainers · Apr 3, 2019 · b1ea070 · b1ea070
1 parent da20211
commit b1ea070
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/exec.go b/exec.go
@@ -224,5 +224,5 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
 		}
 		p.User.AdditionalGids = append(p.User.AdditionalGids, uint32(gid))
 	}
-	return p, nil
+	return p, validateProcessSpec(p)
 }
diff --git a/utils_linux.go b/utils_linux.go
@@ -17,6 +17,7 @@ import (
 	"github.com/opencontainers/runc/libcontainer/specconv"
 	"github.com/opencontainers/runc/libcontainer/utils"
 	"github.com/opencontainers/runtime-spec/specs-go"
+	selinux "github.com/opencontainers/selinux/go-selinux"
 
 	"github.com/coreos/go-systemd/activation"
 	"github.com/pkg/errors"
@@ -387,6 +388,9 @@ func validateProcessSpec(spec *specs.Process) error {
 	if len(spec.Args) == 0 {
 		return fmt.Errorf("args must not be empty")
 	}
+	if spec.SelinuxLabel != "" && !selinux.GetEnabled() {
+		return fmt.Errorf("selinux label is specified in config, but selinux is disabled or not supported")
+	}
 	return nil
 }