Merge pull request #213 from tymonx/feature/volume-bind-option-selinux

compose-spec · Jan 1, 2022 · 91ed80f · 91ed80f
2 parents 4a43a6c + 978e4cf
commit 91ed80f
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 6 deletions.
diff --git a/loader/volume.go b/loader/volume.go
@@ -92,7 +92,7 @@ func populateFieldFromBuffer(char rune, buffer []rune, volume *types.ServiceVolu
 			volume.Volume = &types.ServiceVolumeVolume{NoCopy: true}
 		default:
 			if isBindOption(option) {
-				volume.Bind = &types.ServiceVolumeBind{Propagation: option}
+				setBindOption(volume, option)
 			}
 			// ignore unknown options
 		}
@@ -109,13 +109,39 @@ var Propagations = []string{
 	types.PropagationSlave,
 }
 
+type setBindOptionFunc func(bind *types.ServiceVolumeBind, option string)
+
+var bindOptions = map[string]setBindOptionFunc{
+	types.PropagationRPrivate: setBindPropagation,
+	types.PropagationPrivate:  setBindPropagation,
+	types.PropagationRShared:  setBindPropagation,
+	types.PropagationShared:   setBindPropagation,
+	types.PropagationRSlave:   setBindPropagation,
+	types.PropagationSlave:    setBindPropagation,
+	types.SELinuxShared:       setBindSELinux,
+	types.SELinuxPrivate:      setBindSELinux,
+}
+
+func setBindPropagation(bind *types.ServiceVolumeBind, option string) {
+	bind.Propagation = option
+}
+
+func setBindSELinux(bind *types.ServiceVolumeBind, option string) {
+	bind.SELinux = option
+}
+
 func isBindOption(option string) bool {
-	for _, propagation := range Propagations {
-		if option == propagation {
-			return true
-		}
+	_, ok := bindOptions[option]
+
+	return ok
+}
+
+func setBindOption(volume *types.ServiceVolumeConfig, option string) {
+	if volume.Bind == nil {
+		volume.Bind = &types.ServiceVolumeBind{}
 	}
-	return false
+
+	bindOptions[option](volume.Bind, option)
 }
 
 func populateType(volume *types.ServiceVolumeConfig) {

diff --git a/loader/volume_test.go b/loader/volume_test.go
@@ -112,6 +112,38 @@ func TestParseVolumeWithBindOptions(t *testing.T) {
 	assert.Check(t, is.DeepEqual(expected, volume))
 }
 
+func TestParseVolumeWithBindOptionsSELinuxShared(t *testing.T) {
+	volume, err := ParseVolume("/source:/target:ro,z")
+	expected := types.ServiceVolumeConfig{
+		Type:     "bind",
+		Source:   "/source",
+		Target:   "/target",
+		ReadOnly: true,
+		Bind: &types.ServiceVolumeBind{
+			CreateHostPath: true,
+			SELinux:        "z",
+		},
+	}
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, volume))
+}
+
+func TestParseVolumeWithBindOptionsSELinuxPrivate(t *testing.T) {
+	volume, err := ParseVolume("/source:/target:ro,Z")
+	expected := types.ServiceVolumeConfig{
+		Type:     "bind",
+		Source:   "/source",
+		Target:   "/target",
+		ReadOnly: true,
+		Bind: &types.ServiceVolumeBind{
+			CreateHostPath: true,
+			SELinux:        "Z",
+		},
+	}
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, volume))
+}
+
 func TestParseVolumeWithBindOptionsWindows(t *testing.T) {
 	volume, err := ParseVolume("C:\\source\\foo:D:\\target:ro,rprivate")
 	expected := types.ServiceVolumeConfig{

diff --git a/types/types.go b/types/types.go
@@ -661,12 +661,21 @@ const (
 
 // ServiceVolumeBind are options for a service volume of type bind
 type ServiceVolumeBind struct {
+	SELinux        string `yaml:",omitempty" json:"selinux,omitempty"`
 	Propagation    string `yaml:",omitempty" json:"propagation,omitempty"`
 	CreateHostPath bool   `mapstructure:"create_host_path" yaml:"create_host_path,omitempty" json:"create_host_path,omitempty"`
 
 	Extensions map[string]interface{} `yaml:",inline" json:"-"`
 }
 
+// SELinux represents the SELinux re-labeling options.
+const (
+	// SELinuxShared option indicates that the bind mount content is shared among multiple containers
+	SELinuxShared string = "z"
+	// SELinuxPrivate option indicates that the bind mount content is private and unshared
+	SELinuxPrivate string = "Z"
+)
+
 // Propagation represents the propagation of a mount.
 const (
 	// PropagationRPrivate RPRIVATE