diff --git a/exec.go b/exec.go
index 62ab4662..7fc04402 100644
--- a/exec.go
+++ b/exec.go
@@ -224,5 +224,5 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
 		}
 		p.User.AdditionalGids = append(p.User.AdditionalGids, uint32(gid))
 	}
-	return p, nil
+	return p, validateProcessSpec(p)
 }
diff --git a/utils_linux.go b/utils_linux.go
index ce50db14..b05e7b60 100644
--- a/utils_linux.go
+++ b/utils_linux.go
@@ -17,6 +17,7 @@ import (
 	"github.com/opencontainers/runc/libcontainer/specconv"
 	"github.com/opencontainers/runc/libcontainer/utils"
 	"github.com/opencontainers/runtime-spec/specs-go"
+	selinux "github.com/opencontainers/selinux/go-selinux"
 
 	"github.com/coreos/go-systemd/activation"
 	"github.com/pkg/errors"
@@ -387,6 +388,9 @@ func validateProcessSpec(spec *specs.Process) error {
 	if len(spec.Args) == 0 {
 		return fmt.Errorf("args must not be empty")
 	}
+	if spec.SelinuxLabel != "" && !selinux.GetEnabled() {
+		return fmt.Errorf("selinux label is specified in config, but selinux is disabled or not supported")
+	}
 	return nil
 }
 
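Review bot: The new `return p, validateProcessSpec(p)` in getProcess hands back a fully populated *specs.Process alongside the validation error, so any caller that inspects `p` before checking `err` would proceed with a process spec that failed validation (for example one carrying a SELinux label the host cannot apply). The usual (T, error) contract is that T is meaningless on a non-nil error; replace the line with `if err := validateProcessSpec(p); err != nil { return nil, err }` followed by `return p, nil`. The rest of getProcess, including the loop whose closing brace this hunk shows, is outside the hunk.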
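Review bot: The new SELinux guard at the end of validateProcessSpec has no comment saying why a label is rejected rather than silently dropped when SELinux is off, which is the first question a reader of this check will ask, and the check is now reached from both the create path and, via the exec.go hunk, from getProcess. Suggest a comment above the new `if`: `// A process label the host cannot apply is a misconfiguration; fail early rather than run unlabeled.` It is worth noting in that comment that selinux.GetEnabled() reports the host state as seen by runc at call time, and that this validates only the process label, not any other label in the spec. The opening lines of validateProcessSpec are outside the hunk.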