From c3609ff4ca0c1e2c4b713db65a63faefca5786db Mon Sep 17 00:00:00 2001
From: Jacob Blain Christen
Date: Fri, 20 Aug 2021 23:47:24 -0700
Subject: [PATCH] cri: filter selinux xattr for image volumes
Exclude the `security.selinux` xattr when copying content from layer storage for image volumes. This allows for the already correct label at the target location to be applied to the copied content, thus enabling containers to write to volumes that they implicitly expect to be able to write to.
- Fixes containerd/containerd#5090
- See rancher/rke2#690
Signed-off-by: Jacob Blain Christen
---
 pkg/cri/opts/container.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/cri/opts/container.go b/pkg/cri/opts/container.go
index 517d0c27d..472104b04 100644
--- a/pkg/cri/opts/container.go
+++ b/pkg/cri/opts/container.go
@@ -115,5 +115,5 @@ func copyExistingContents(source, destination string) error {
 if len(dstList) != 0 {
 return errors.Errorf("volume at %q is not initially empty", destination)
 }
- return fs.CopyDir(destination, source)
+ return fs.CopyDir(destination, source, fs.WithXAttrExclude("security.selinux"))
 }
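Review bot: The new `fs.CopyDir` call drops the `security.selinux` xattr with no comment saying why, so at the call site it reads like a label being discarded rather than a deliberate choice to let the volume's own label apply. I would add above the return: `// Skip security.selinux so the copied content gets the label already set at destination, not the image layer's.` The hunk does not show where `destination` receives its label, so the doc comment on copyExistingContents should state that the caller must have labeled it beforehand; the commit message says this but the code does not. Other `security.*` attributes still appear to be copied from the image as before, which deserves a conscious decision. The function begins above the hunk.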