GitList

@@ -156,7 +156,17 @@ func (daemon *Daemon) create(params types.ContainerCreateConfig, managed bool) (
                      	return container, nil
+                     }
                     -func (daemon *Daemon) generateSecurityOpt(ipcMode containertypes.IpcMode, pidMode containertypes.PidMode, privileged bool) ([]string, error) {
                     +func (daemon *Daemon) generateSecurityOpt(hostConfig *containertypes.HostConfig) ([]string, error) {
                     +	for _, opt := range hostConfig.SecurityOpt {
                     +		con := strings.Split(opt, "=")
                     +		if con[0] == "label" {
                     +			// Caller overrode SecurityOpts
                     +			return nil, nil
                     +		}
                     +	}
                     +	ipcMode := hostConfig.IpcMode
                     +	pidMode := hostConfig.PidMode
                     +	privileged := hostConfig.Privileged
                      	if ipcMode.IsHost() || pidMode.IsHost() || privileged {
                      		return label.DisableSecOpt(), nil
+                     	}

daemon/daemon_unix.go

History View file @ 881e20e

@@ -274,7 +274,7 @@ func (daemon *Daemon) adaptContainerSettings(hostConfig *containertypes.HostConf
 		}
 	}
 	var err error
-	opts, err := daemon.generateSecurityOpt(hostConfig.IpcMode, hostConfig.PidMode, hostConfig.Privileged)
+	opts, err := daemon.generateSecurityOpt(hostConfig)
 	if err != nil {
 		return err
 	}

...	...	@@ -274,7 +274,7 @@ func (daemon Daemon) adaptContainerSettings(hostConfig containertypes.HostConf
274	274	}
275	275	}
276	276	var err error
277		- opts, err := daemon.generateSecurityOpt(hostConfig.IpcMode, hostConfig.PidMode, hostConfig.Privileged)
	277	+ opts, err := daemon.generateSecurityOpt(hostConfig)
278	278	if err != nil {
279	279	return err
280	280	}

If caller specifies label overrides, don't override security options