check nil for selinuxLabel

Signed-off-by: Lifubang <lifubang@acmcoder.com>

libcontainer/setns_init_linux.go

@@ -11,6 +11,7 @@ import (
 	"github.com/opencontainers/runc/libcontainer/keys"
 	"github.com/opencontainers/runc/libcontainer/seccomp"
 	"github.com/opencontainers/runc/libcontainer/system"
+	selinux "github.com/opencontainers/selinux/go-selinux"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 
@@ -33,11 +34,18 @@ func (l *linuxSetnsInit) Init() error {
 	runtime.LockOSThread()
 	defer runtime.UnlockOSThread()
 
+	// If config.json is modified after the container started, we should validate selinux again.
+	if l.config.ProcessLabel != "" && !selinux.GetEnabled() {
+		return fmt.Errorf("selinux label is specified in config, but selinux is disabled or not supported")
+	}
+
 	if !l.config.Config.NoNewKeyring {
-		if err := label.SetKeyLabel(l.config.ProcessLabel); err != nil {
-			return err
+		if l.config.ProcessLabel != "" {
+			if err := label.SetKeyLabel(l.config.ProcessLabel); err != nil {
+				return err
+			}
+			defer label.SetKeyLabel("")
 		}
-		defer label.SetKeyLabel("")
 		// Do not inherit the parent's session keyring.
 		if _, err := keys.JoinSessionKeyring(l.getSessionRingName()); err != nil {
 			// Same justification as in standart_init_linux.go as to why we
@@ -62,10 +70,12 @@ func (l *linuxSetnsInit) Init() error {
 			return err
 		}
 	}
-	if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
-		return err
+	if l.config.ProcessLabel != "" {
+		if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
+			return err
+		}
+		defer label.SetProcessLabel("")
 	}
-	defer label.SetProcessLabel("")
 	// Without NoNewPrivileges seccomp is a privileged operation, so we need to
 	// do this before dropping capabilities; otherwise do it as late as possible
 	// just before execve so as few syscalls take place after it as possible.

libcontainer/standard_init_linux.go

@@ -48,10 +48,12 @@ func (l *linuxStandardInit) Init() error {
 	runtime.LockOSThread()
 	defer runtime.UnlockOSThread()
 	if !l.config.Config.NoNewKeyring {
-		if err := label.SetKeyLabel(l.config.ProcessLabel); err != nil {
-			return err
+		if l.config.ProcessLabel != "" {
+			if err := label.SetKeyLabel(l.config.ProcessLabel); err != nil {
+				return err
+			}
+			defer label.SetKeyLabel("")
 		}
-		defer label.SetKeyLabel("")
 		ringname, keepperms, newperms := l.getSessionRingParams()
 
 		// Do not inherit the parent's session keyring.
@@ -146,10 +148,12 @@ func (l *linuxStandardInit) Init() error {
 	if err := syncParentReady(l.pipe); err != nil {
 		return errors.Wrap(err, "sync ready")
 	}
-	if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
-		return errors.Wrap(err, "set process label")
+	if l.config.ProcessLabel != "" {
+		if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
+			return errors.Wrap(err, "set process label")
+		}
+		defer label.SetProcessLabel("")
 	}
-	defer label.SetProcessLabel("")
 	// Without NoNewPrivileges seccomp is a privileged operation, so we need to
 	// do this before dropping capabilities; otherwise do it as late as possible
 	// just before execve so as few syscalls take place after it as possible.