set process labels in pkg/spec

Set the (default) process labels in `pkg/spec`. This way, we can also
query libpod.conf and disable labeling if needed.

Fixes: containers#5087
Signed-off-by: Valentin Rothberg <[email protected]>

cmd/podman/shared/create.go

@@ -701,9 +701,6 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 		Sysctl:         sysctl,
 	}
 
-	if err := secConfig.SetLabelOpts(runtime, pid, ipc); err != nil {
-		return nil, err
-	}
 	if err := secConfig.SetSecurityOpts(runtime, c.StringArray("security-opt")); err != nil {
 		return nil, err
 	}

pkg/spec/spec.go

@@ -241,23 +241,35 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
 	}
 
 	// SECURITY OPTS
+	var runtimeConfig *libpodconfig.Config
+
+	if runtime != nil {
+		runtimeConfig, err = runtime.GetConfig()
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	g.SetProcessNoNewPrivileges(config.Security.NoNewPrivs)
 
 	if !config.Security.Privileged {
 		g.SetProcessApparmorProfile(config.Security.ApparmorProfile)
 	}
 
-	blockAccessToKernelFilesystems(config, &g)
-
-	var runtimeConfig *libpodconfig.Config
-
-	if runtime != nil {
-		runtimeConfig, err = runtime.GetConfig()
-		if err != nil {
+	// Unless already set via the CLI, check if we need to disable process
+	// labels or set the defaults.
+	if len(config.Security.LabelOpts) == 0 && runtimeConfig != nil {
+		if !runtimeConfig.EnableLabeling {
+			// Disabled in the config.
+			config.Security.LabelOpts = append(config.Security.LabelOpts, "disable")
+		} else if err := config.Security.SetLabelOpts(runtime, &config.Pid, &config.Ipc); err != nil {
+			// Defaults!
 			return nil, err
 		}
 	}
 
+	blockAccessToKernelFilesystems(config, &g)
+
 	// RESOURCES - PIDS
 	if config.Resources.PidsLimit > 0 {
 		// if running on rootless on a cgroupv1 machine or using the cgroupfs manager, pids