From 881e20ee0be4bf048fb3b7e7f4c12b076a1607bb Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 1 Feb 2017 16:52:36 -0500
Subject: [PATCH] If caller specifies label overrides, don't override security options

If a caller specifies an SELinux type or MCS Label and still wants to share an IPC Namespace or the host namespace, we should allow them.

Currently we are ignoring the label specification if ipcmod=container or pidmode=host.

Signed-off-by: Daniel J Walsh
---
 daemon/create.go | 12 +++++++++++-
 daemon/daemon_unix.go | 2 +-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/daemon/create.go b/daemon/create.go
index 8fc66e6260..e6d6a136bf 100644
--- a/daemon/create.go
+++ b/daemon/create.go
@@ -156,7 +156,17 @@ func (daemon *Daemon) create(params types.ContainerCreateConfig, managed bool) (
 	return container, nil
 }
 
-func (daemon *Daemon) generateSecurityOpt(ipcMode containertypes.IpcMode, pidMode containertypes.PidMode, privileged bool) ([]string, error) {
+func (daemon *Daemon) generateSecurityOpt(hostConfig *containertypes.HostConfig) ([]string, error) {
+	for _, opt := range hostConfig.SecurityOpt {
+		con := strings.Split(opt, "=")
+		if con[0] == "label" {
+			// Caller overrode SecurityOpts
+			return nil, nil
+		}
+	}
+	ipcMode := hostConfig.IpcMode
+	pidMode := hostConfig.PidMode
+	privileged := hostConfig.Privileged
 	if ipcMode.IsHost() || pidMode.IsHost() || privileged {
 		return label.DisableSecOpt(), nil
 	}
diff --git a/daemon/daemon_unix.go b/daemon/daemon_unix.go
index 6a961bae01..370e60b01f 100644
--- a/daemon/daemon_unix.go
+++ b/daemon/daemon_unix.go
@@ -274,7 +274,7 @@ func (daemon *Daemon) adaptContainerSettings(hostConfig *containertypes.HostConf
 	}
 	}
 	var err error
-	opts, err := daemon.generateSecurityOpt(hostConfig.IpcMode, hostConfig.PidMode, hostConfig.Privileged)
+	opts, err := daemon.generateSecurityOpt(hostConfig)
 	if err != nil {
 		return err
 	}
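Review bot: The override check on the new `if con[0] == "label"` line in generateSecurityOpt only recognises the `=` separator, so a label option written in the legacy `label:` form — if the daemon still accepts that spelling elsewhere, which this hunk does not show — would not be detected and the namespace-derived options would still replace the caller's explicit label. Using `strings.SplitN(opt, "=", 2)` or simply `strings.HasPrefix(opt, "label=")` would also avoid splitting label values that themselves contain `=`. The function's new contract (returning nil to mean "keep the caller's SecurityOpt untouched") is not documented; suggest adding `// generateSecurityOpt returns the label options implied by the namespace and privilege settings in hostConfig, or nil when the caller already passed an explicit "label" security option so that override is preserved.` above the signature. generateSecurityOpt's body continues past the end of the hunk.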