opencontainers
diff --git a/‎Godeps/Godeps.json‎
Lines changed: 10 additions & 0 deletions b/‎Godeps/Godeps.json‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎cmd/runtimetest/main.go‎
Lines changed: 23 additions & 0 deletions b/‎cmd/runtimetest/main.go‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎validate/validate_linux.go‎
Lines changed: 7 additions & 0 deletions b/‎validate/validate_linux.go‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎validation/linux_mount_label/linux_mount_label.go‎
Lines changed: 17 additions & 0 deletions b/‎validation/linux_mount_label/linux_mount_label.go‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎vendor/github.com/opencontainers/selinux/LICENSE‎
Lines changed: 201 additions & 0 deletions b/‎vendor/github.com/opencontainers/selinux/LICENSE‎
Lines changed: 201 additions & 0 deletions
@@ -24,6 +24,7 @@ import (
 	"github.com/opencontainers/runtime-tools/cmd/runtimetest/mount"
 	rfc2119 "github.com/opencontainers/runtime-tools/error"
 	"github.com/opencontainers/runtime-tools/specerror"
+	"github.com/opencontainers/selinux/go-selinux/label"
 
 	"golang.org/x/sys/unix"
 )
@@ -1196,6 +1197,27 @@ func (c *complianceTester) validatePosixMounts(spec *rspec.Spec) error {
 	return mountErrs
 }
 
+func (c *complianceTester) validateMountLabel(spec *rspec.Spec) error {
+	if spec.Linux == nil || spec.Linux.MountLabel == "" {
+		c.harness.Skip(1, "linux.mountlabel not set")
+		return nil
+	}
+
+	for _, mount := range spec.Mounts {
+		fileLabel, err := label.FileLabel(mount.Destination)
+		if err != nil {
+			return fmt.Errorf("Failed to get mountLabel of %v", mount.Destination)
+		}
+		c.harness.Ok(spec.Linux.MountLabel == fileLabel, "has expected mountlabel")
+		c.harness.YAML(map[string]string{
+			"expected": spec.Linux.MountLabel,
+			"actual":   fileLabel,
+		})
+	}
+
+	return nil
+}
+
 func run(context *cli.Context) error {
 	logLevelString := context.String("log-level")
 	logLevel, err := logrus.ParseLevel(logLevelString)
@@ -1256,6 +1278,7 @@ func run(context *cli.Context) error {
 		c.validateSysctls,
 		c.validateUIDMappings,
 		c.validateGIDMappings,
+		c.validateMountLabel,
 	}
 
 	validations := defaultValidations
 
@@ -16,6 +16,7 @@ import (
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 	osFilepath "github.com/opencontainers/runtime-tools/filepath"
 	"github.com/opencontainers/runtime-tools/specerror"
+	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/sirupsen/logrus"
 )
 
@@ -226,5 +227,11 @@ func (v *Validator) CheckLinux() (errs error) {
 		}
 	}
 
+	if v.spec.Linux.MountLabel != "" {
+		if err := label.Validate(v.spec.Linux.MountLabel); err != nil {
+			errs = multierror.Append(errs, fmt.Errorf("mountLabel %v is invalid", v.spec.Linux.MountLabel))
+		}
+	}
+
 	return
 }
@@ -0,0 +1,17 @@
+package main
+
+import (
+	"github.com/opencontainers/runtime-tools/validation/util"
+)
+
+func main() {
+	g, err := util.GetDefaultGenerator()
+	if err != nil {
+		util.Fatal(err)
+	}
+	g.SetLinuxMountLabel("system_u:object_r:svirt_sandbox_file_t:s0:c715,c811")
+	err = util.RuntimeInsideValidate(g, nil, nil)
+	if err != nil {
+		util.Fatal(err)
+	}
+}
Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@ import (`
`16`	`16`	`rspec "github.com/opencontainers/runtime-spec/specs-go"`
`17`	`17`	`osFilepath "github.com/opencontainers/runtime-tools/filepath"`
`18`	`18`	`"github.com/opencontainers/runtime-tools/specerror"`
	`19`	`+ "github.com/opencontainers/selinux/go-selinux/label"`
`19`	`20`	`"github.com/sirupsen/logrus"`
`20`	`21`	`)`
`21`	`22`
`@@ -226,5 +227,11 @@ func (v *Validator) CheckLinux() (errs error) {`
`226`	`227`	`}`
`227`	`228`	`}`
`228`	`229`
	`230`	`+ if v.spec.Linux.MountLabel != "" {`
	`231`	`+ if err := label.Validate(v.spec.Linux.MountLabel); err != nil {`
	`232`	`+ errs = multierror.Append(errs, fmt.Errorf("mountLabel %v is invalid", v.spec.Linux.MountLabel))`
	`233`	`+ }`
	`234`	`+ }`
	`235`	`+`
`229`	`236`	`return`
`230`	`237`	`}`