From c134a9befa59fd5ab670a9c250f74cb3e4c88844 Mon Sep 17 00:00:00 2001
From: Darren Shepherd <darren@rancher.com>
Date: Mon, 24 Feb 2020 09:53:42 -0700
Subject: [PATCH] Use spec's mountLabel when mounting the rootfs

In NewContainer if a SnapshotKey is used and the spec has
a mountLabel specified, that mountLabel should be used to mount
the rootfs.

Signed-off-by: Darren Shepherd <darren@rancher.com>
---
 container.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/container.go b/container.go
index fd880d0e0..187934ead 100644
--- a/container.go
+++ b/container.go
@@ -36,6 +36,7 @@ import (
 	prototypes "github.com/gogo/protobuf/types"
 	ver "github.com/opencontainers/image-spec/specs-go"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 )
 
@@ -242,7 +243,17 @@ func (c *container) NewTask(ctx context.Context, ioCreate cio.Creator, opts ...N
 		if err != nil {
 			return nil, err
 		}
+		spec, err := c.Spec(ctx)
+		if err != nil {
+			return nil, err
+		}
 		for _, m := range mounts {
+			if spec.Linux != nil && spec.Linux.MountLabel != "" {
+				context := label.FormatMountLabel("", spec.Linux.MountLabel)
+				if context != "" {
+					m.Options = append(m.Options, context)
+				}
+			}
 			request.Rootfs = append(request.Rootfs, &types.Mount{
 				Type:    m.Type,
 				Source:  m.Source,