Pass mount_label into the image module for processing

Signed-off-by: Nwujing <wujing50@huawei.com>

src/daemon/executor/container_cb/execution_create.c

@@ -55,6 +55,7 @@
 #include "utils_string.h"
 #include "utils_timestamp.h"
 #include "utils_verify.h"
+#include "selinux_label.h"
 
 static int runtime_check(const char *name, bool *runtime_res)
 {
@@ -855,7 +856,7 @@ static int get_basic_spec(const container_create_request *request, const char *i
 }
 
 static int do_image_create_container_roofs_layer(const char *container_id, const char *image_type,
-                                                 const char *image_name, const char *rootfs,
+                                                 const char *image_name, const char *mount_label, const char *rootfs,
                                                  json_map_string_string *storage_opt, char **real_rootfs)
 {
     int ret = 0;
@@ -870,6 +871,7 @@ static int do_image_create_container_roofs_layer(const char *container_id, const
     request->container_id = util_strdup_s(container_id);
     request->image_name = util_strdup_s(image_name);
     request->image_type = util_strdup_s(image_type);
+    request->mount_label = util_strdup_s(mount_label);
     request->rootfs = util_strdup_s(rootfs);
     if (storage_opt != NULL) {
         request->storage_opt = util_common_calloc_s(sizeof(json_map_string_string));
@@ -895,6 +897,45 @@ out:
     return ret;
 }
 
+static int pack_security_config_to_v2_spec(const host_config *host_spec, container_config_v2_common_config *v2_spec)
+{
+    int ret = 0;
+    bool no_new_privileges = false;
+    char **label_opts = NULL;
+    size_t label_opts_len = 0;
+    char *seccomp_profile = NULL;
+    char *process_label = NULL;
+    char *mount_label = NULL;
+
+    ret = parse_security_opt(host_spec, &no_new_privileges, &label_opts, &label_opts_len, &seccomp_profile);
+    if (ret != 0) {
+        ERROR("Failed to parse security opt");
+        goto out;
+    }
+
+    v2_spec->seccomp_profile = seccomp_profile;
+    seccomp_profile = NULL;
+    v2_spec->no_new_privileges = no_new_privileges;
+
+    if (init_label((const char **)label_opts, label_opts_len, &process_label, &mount_label) != 0) {
+        ERROR("Failed to append label");
+        ret = -1;
+        goto out;
+    }
+
+    v2_spec->mount_label = mount_label;
+    mount_label = NULL;
+    v2_spec->process_label = process_label;
+    process_label = NULL;
+
+out:
+    util_free_array(label_opts);
+    free(seccomp_profile);
+    free(process_label);
+    free(mount_label);
+    return ret;
+}
+
 /*
  * request -> host_spec + container_spec
  * container_spec + image config
@@ -965,14 +1006,20 @@ int container_create_cb(const container_create_request *request, container_creat
 
     v2_spec->config = container_spec;
 
+    if (pack_security_config_to_v2_spec(host_spec, v2_spec) != 0) {
+        ERROR("Failed to pack security config");
+        cc = ISULAD_ERR_INPUT;
+        goto clean_container_root_dir;
+    }
+
     if (init_container_network_confs(id, runtime_root, host_spec, v2_spec) != 0) {
         ERROR("Init Network files failed");
         cc = ISULAD_ERR_INPUT;
         goto clean_container_root_dir;
     }
 
-    ret = do_image_create_container_roofs_layer(id, image_type, image_name, request->rootfs, host_spec->storage_opt,
-                                                &real_rootfs);
+    ret = do_image_create_container_roofs_layer(id, image_type, image_name, v2_spec->mount_label,
+                                                request->rootfs, host_spec->storage_opt, &real_rootfs);
     if (ret != 0) {
         ERROR("Can not create container %s rootfs layer", id);
         cc = ISULAD_ERR_EXEC;

src/daemon/modules/image/image.c

@@ -452,6 +452,8 @@ void free_im_prepare_request(im_prepare_request *request)
     request->rootfs = NULL;
     free(request->image_type);
     request->image_type = NULL;
+    free(request->mount_label);
+    request->mount_label = NULL;
 
     free(request->mount_label);
     request->mount_label = NULL;

src/daemon/modules/spec/specs.c

@@ -1919,10 +1919,6 @@ static int merge_security_conf(oci_runtime_spec *oci_spec, host_config *host_spe
                                container_config_v2_common_config *v2_spec)
 {
     int ret = 0;
-    bool no_new_privileges = false;
-    char **label_opts = NULL;
-    size_t label_opts_len = 0;
-    char *seccomp_profile = NULL;
 
     ret = generate_security_opt(host_spec);
     if (ret != 0) {
@@ -1943,36 +1939,26 @@ static int merge_security_conf(oci_runtime_spec *oci_spec, host_config *host_spe
         goto out;
     }
 
-    ret = parse_security_opt(host_spec, &no_new_privileges, &label_opts, &label_opts_len, &seccomp_profile);
-    if (ret != 0) {
-        ERROR("Failed to parse security opt");
-        goto out;
-    }
-
     // merge external parameter
-    ret = merge_seccomp(oci_spec, seccomp_profile);
+    ret = merge_seccomp(oci_spec, v2_spec->seccomp_profile);
     if (ret != 0) {
         ERROR("Failed to merge user seccomp file");
         goto out;
     }
-    v2_spec->seccomp_profile = util_strdup_s(seccomp_profile);
 
-    ret = merge_no_new_privileges(oci_spec, no_new_privileges);
+    ret = merge_no_new_privileges(oci_spec, v2_spec->no_new_privileges);
     if (ret != 0) {
         ERROR("Failed to merge no new privileges");
         goto out;
     }
-    v2_spec->no_new_privileges = no_new_privileges;
 
-    ret = merge_selinux(oci_spec, v2_spec, (const char **)label_opts, label_opts_len);
+    ret = merge_selinux(oci_spec, v2_spec);
     if (ret != 0) {
         ERROR("Failed to merge selinux config");
         goto out;
     }
 
 out:
-    util_free_array(label_opts);
-    free(seccomp_profile);
     return ret;
 }
 

src/daemon/modules/spec/specs_security.c

@@ -32,7 +32,6 @@
 #include "isula_libutils/parse_common.h"
 #include "err_msg.h"
 #include "specs_extend.h"
-#include "selinux_label.h"
 #include "specs_api.h"
 #include "constants.h"
 #include "utils_array.h"
@@ -850,37 +849,16 @@ out:
     return ret;
 }
 
-int merge_selinux(oci_runtime_spec *oci_spec, container_config_v2_common_config *v2_spec, const char **label_opts,
-                  size_t label_opts_len)
+int merge_selinux(oci_runtime_spec *oci_spec, container_config_v2_common_config *v2_spec)
 {
-    char *process_label = NULL;
-    char *mount_label = NULL;
-
-    int ret = make_sure_oci_spec_process(oci_spec);
-    if (ret < 0) {
-        goto out;
-    }
-
-    if (init_label(label_opts, label_opts_len, &process_label, &mount_label) != 0) {
-        ERROR("Failed to append label");
-        ret = -1;
-        goto out;
-    }
-
-    if (mount_label != NULL) {
-        oci_spec->linux->mount_label = util_strdup_s(mount_label);
-        v2_spec->mount_label = util_strdup_s(mount_label);
+    if (make_sure_oci_spec_process(oci_spec) < 0) {
+        return -1;
     }
 
-    if (process_label != NULL) {
-        oci_spec->process->selinux_label = util_strdup_s(process_label);
-        v2_spec->process_label = util_strdup_s(process_label);
-    }
+    oci_spec->linux->mount_label = util_strdup_s(v2_spec->mount_label);
+    oci_spec->process->selinux_label = util_strdup_s(v2_spec->process_label);
 
-out:
-    free(process_label);
-    free(mount_label);
-    return ret;
+    return 0;
 }
 
 static int get_adds_cap_for_system_container(const host_config *host_spec, char ***adds, size_t *adds_len)

src/daemon/modules/spec/specs_security.h

@@ -33,7 +33,6 @@ int merge_sysctls(oci_runtime_spec *oci_spec, const json_map_string_string *sysc
 int merge_no_new_privileges(oci_runtime_spec *oci_spec, bool value);
 int adapt_settings_for_system_container(oci_runtime_spec *oci_spec, const host_config *host_spec);
 int merge_seccomp(oci_runtime_spec *oci_spec, const char *seccomp_profile);
-int merge_selinux(oci_runtime_spec *oci_spec, container_config_v2_common_config *v2_spec, const char **label_opts,
-                  size_t label_opts_len);
+int merge_selinux(oci_runtime_spec *oci_spec, container_config_v2_common_config *v2_spec);
 
 #endif