From a1e7dd939de76c7bc15173a3d16012a2996853de Mon Sep 17 00:00:00 2001
From: Jacob Blain Christen
Date: Mon, 9 Nov 2020 11:24:24 -0700
Subject: [PATCH] cri: selinuxrelabel=false for /dev/shm w/ host ipc
This is a followup to #4699 that addresses an oversight that could cause the CRI to relabel the host /dev/shm, which should be a no-op in most cases. Additionally, fixes unit tests to make correct assertions for /dev/shm relabeling. Discovered while applying the changes for #4699 to containerd/cri 1.4: https://github.com/containerd/cri/pull/1605
Signed-off-by: Jacob Blain Christen
---
 pkg/cri/server/container_create_linux.go | 2 +-
 pkg/cri/server/container_create_linux_test.go | 21 +++++++++++--------
 2 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/pkg/cri/server/container_create_linux.go b/pkg/cri/server/container_create_linux.go
index f6555eea8..6c4eaeb0b 100644
--- a/pkg/cri/server/container_create_linux.go
+++ b/pkg/cri/server/container_create_linux.go
@@ -102,7 +102,7 @@ func (c *criService) containerMounts(sandboxID string, config *runtime.Container
 ContainerPath: devShm,
 HostPath: sandboxDevShm,
 Readonly: false,
- SelinuxRelabel: true,
+ SelinuxRelabel: sandboxDevShm != devShm,
 })
 }
 return mounts
diff --git a/pkg/cri/server/container_create_linux_test.go b/pkg/cri/server/container_create_linux_test.go
index 6cad5f5c1..be6811e28 100644
--- a/pkg/cri/server/container_create_linux_test.go
+++ b/pkg/cri/server/container_create_linux_test.go
@@ -455,9 +455,10 @@ func TestContainerMounts(t *testing.T) {
 Readonly: true,
 },
 {
- ContainerPath: "/dev/shm",
- HostPath: filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
- Readonly: false,
+ ContainerPath: "/dev/shm",
+ HostPath: filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
+ Readonly: false,
+ SelinuxRelabel: true,
 },
 },
 },
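Review bot: The new `SelinuxRelabel: sandboxDevShm != devShm` in containerMounts encodes a security decision — never relabel the host's shared /dev/shm when the sandbox uses host IPC — through a bare path comparison with no comment saying so; add `// Host IPC sandboxes mount the host /dev/shm itself; relabeling a host directory must never happen.` above the field. The comparison also assumes that in the host-IPC case sandboxDevShm is spelled byte-for-byte as devShm; how sandboxDevShm is derived is outside this hunk, so if it can ever be a cleaned or symlink-resolved form of the same path the guard silently fails open to relabeling, and keying the decision on the sandbox's IPC namespace mode would be more robust than string equality. containerMounts begins and ends outside the hunk.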
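Review bot: The three test hunks in container_create_linux_test.go (this one and the ones at -480 and -553) only assert `SelinuxRelabel: true` for the sandbox-owned shm path, so the outcome this commit actually introduces — `SelinuxRelabel: false` when HostPath is the host `/dev/shm` — is not pinned by any test in the patch. Unless a host-IPC table entry already exists outside these hunks, add one with `HostPath: "/dev/shm"` and an expected mount carrying `SelinuxRelabel: false`, so a regression back to unconditional relabeling of the host directory is caught. TestContainerMounts continues outside the hunk.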
@@ -480,9 +481,10 @@ func TestContainerMounts(t *testing.T) {
 Readonly: false,
 },
 {
- ContainerPath: "/dev/shm",
- HostPath: filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
- Readonly: false,
+ ContainerPath: "/dev/shm",
+ HostPath: filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
+ Readonly: false,
+ SelinuxRelabel: true,
 },
 },
 },
@@ -553,9 +555,10 @@ func TestContainerMounts(t *testing.T) {
 Readonly: false,
 },
 {
- ContainerPath: "/dev/shm",
- HostPath: filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
- Readonly: false,
+ ContainerPath: "/dev/shm",
+ HostPath: filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
+ Readonly: false,
+ SelinuxRelabel: true,
 },
 },
 },