libpod.conf: adhere to label setting

When creating the security config, also check the setting in the libpod.conf (unless set via the CLI). Fixes: containers#5087 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
vrothberg · Feb 17, 2020 · a4834d7 · a4834d7
1 parent f2ee618
commit a4834d7
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/pkg/spec/security.go b/pkg/spec/security.go
@@ -63,6 +63,12 @@ func (c *SecurityConfig) SetLabelOpts(runtime *libpod.Runtime, pidConfig *PidCon
 
 // SetSecurityOpts the the security options (labels, apparmor, seccomp, etc.).
 func (c *SecurityConfig) SetSecurityOpts(runtime *libpod.Runtime, securityOpts []string) error {
+	libpodConfig, err := runtime.GetConfig()
+	if err != nil {
+		return err
+	}
+
+	labelSet := false
 	for _, opt := range securityOpts {
 		if opt == "no-new-privileges" {
 			c.NoNewPrivs = true
@@ -75,6 +81,7 @@ func (c *SecurityConfig) SetSecurityOpts(runtime *libpod.Runtime, securityOpts [
 			switch con[0] {
 			case "label":
 				c.LabelOpts = append(c.LabelOpts, con[1])
+				labelSet = true
 			case "apparmor":
 				c.ApparmorProfile = con[1]
 			case "seccomp":
@@ -85,6 +92,10 @@ func (c *SecurityConfig) SetSecurityOpts(runtime *libpod.Runtime, securityOpts [
 		}
 	}
 
+	if !labelSet && !libpodConfig.EnableLabeling {
+		c.LabelOpts = append(c.LabelOpts, "disable")
+	}
+
 	if c.SeccompProfilePath == "" {
 		var err error
 		c.SeccompProfilePath, err = libpod.DefaultSeccompPath()