BACKPORT: Ensure that SELinux Options are set when seccomp is already…

… set Upstream reference: moby@4c10c2d Signed-off-by: Mrunal Patel <mrunalp@gmail.com> Signed-off-by: Antonio Murdaca <runcom@redhat.com>
projectatomic · Jan 11, 2017 · 07f6dff · 07f6dff
1 parent 0bb4919
commit 07f6dff
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 7 deletions.
diff --git a/daemon/daemon_unix.go b/daemon/daemon_unix.go
@@ -247,12 +247,11 @@ func (daemon *Daemon) adaptContainerSettings(hostConfig *containertypes.HostConf
 		hostConfig.ShmSize = container.DefaultSHMSize
 	}
 	var err error
-	if hostConfig.SecurityOpt == nil {
-		hostConfig.SecurityOpt, err = daemon.generateSecurityOpt(hostConfig.IpcMode, hostConfig.PidMode, hostConfig.Privileged)
-		if err != nil {
-			return err
-		}
+	opts, err := daemon.generateSecurityOpt(hostConfig.IpcMode, hostConfig.PidMode, hostConfig.Privileged)
+	if err != nil {
+		return err
 	}
+	hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, opts...)
 	if hostConfig.MemorySwappiness == nil {
 		defaultSwappiness := int64(-1)
 		hostConfig.MemorySwappiness = &defaultSwappiness

diff --git a/daemon/start.go b/daemon/start.go
@@ -73,8 +73,10 @@ func (daemon *Daemon) ContainerStart(name string, hostConfig *containertypes.Hos
 	}
 	// Adapt for old containers in case we have updates in this function and
 	// old containers never have chance to call the new function in create stage.
-	if err := daemon.adaptContainerSettings(container.HostConfig, false); err != nil {
-		return err
+	if hostConfig != nil {
+		if err := daemon.adaptContainerSettings(container.HostConfig, false); err != nil {
+			return err
+		}
 	}
 
 	return daemon.containerStart(container)