Add support for Selinux mount context labels

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>

config-linux.md

@@ -545,6 +545,16 @@ Its value is either slave, private, or shared.
     ]
 ```
 
+## Mount Label
+
+`mountLabel` will set the Selinux context for the mounts in the container.
+
+###### Example
+
+```json
+    "mountLabel": "system_u:object_r:svirt_sandbox_file_t:s0:c715,c811"
+```
+
 [cgroup-v1]: https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt
 [cgroup-v1-blkio]: https://www.kernel.org/doc/Documentation/cgroup-v1/blkio-controller.txt
 [cgroup-v1-cpusets]: https://www.kernel.org/doc/Documentation/cgroup-v1/cpusets.txt

config.md

@@ -605,7 +605,8 @@ Here is a full example `config.json` for reference.
             "/proc/irq",
             "/proc/sys",
             "/proc/sysrq-trigger"
-        ]
+        ],
+        "mountLabel": "system_u:object_r:svirt_sandbox_file_t:s0:c715,c811"
     },
     "annotations": {
         "key1": "value1",

schema/schema-linux.json

@@ -330,6 +330,10 @@
             "readonlyPaths": {
                 "id": "https://opencontainers.org/schema/bundle/linux/readonlyPaths",
                 "$ref": "defs.json#/definitions/ArrayOfStrings"
+            },
+            "mountLabel": {
+                "id": "https://opencontainers.org/schema/bundle/linux/mountLabel",
+                "type": "string"
             }
         }
     }

specs-go/config.go

@@ -140,6 +140,8 @@ type Linux struct {
 	MaskedPaths []string `json:"maskedPaths,omitempty"`
 	// ReadonlyPaths sets the provided paths as RO inside the container.
 	ReadonlyPaths []string `json:"readonlyPaths,omitempty"`
+	// MountLabel specifies the selinux context for the mounts in the container.
+	MountLabel string `json:"mountLabel,omitempty"`
 }
 
 // Namespace is the configuration for a Linux namespace