From ea73f5d820484d01f08f70a5b611c2ea94cee859 Mon Sep 17 00:00:00 2001 From: Alex Pyrgiotis Date: Wed, 8 Feb 2023 16:18:48 +0200 Subject: [PATCH] container: Take SELinux labels into account Take SELinux labels into account when mounting a file to the Dangerzone container. Use the `:Z` flag (which is a no-op in non-SELinux systems) to clear the existing SELinux label for a file, and apply one that matches the container's. Refs #335
---
 dangerzone/isolation_provider/container.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/dangerzone/isolation_provider/container.py b/dangerzone/isolation_provider/container.py
index f8f537b..ff08101 100644
--- a/dangerzone/isolation_provider/container.py
+++ b/dangerzone/isolation_provider/container.py
@@ -260,9 +260,9 @@ class Container(IsolationProvider):
 ]
 extra_args = [
 "-v",
- f"{document.input_filename}:/tmp/input_file",
+ f"{document.input_filename}:/tmp/input_file:Z",
 "-v",
- f"{pixel_dir}:/dangerzone",
+ f"{pixel_dir}:/dangerzone:Z",
 "-e",
 f"ENABLE_TIMEOUTS={self.enable_timeouts}",
 ]
@@ -280,9 +280,9 @@ class Container(IsolationProvider):
 ]
 extra_args = [
 "-v",
- f"{pixel_dir}:/dangerzone:Z",
+ f"{pixel_dir}:/dangerzone:Z",
 "-v",
- f"{safe_dir}:/safezone",
+ f"{safe_dir}:/safezone:Z",
 "-e",
 f"OCR={ocr}",
 "-e",
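Review bot: In the first hunk, `:Z` on `document.input_filename` makes the container runtime relabel the user's original document on the host with a container-private label, and that label stays on the file after the conversion finishes, so other confined processes may no longer be able to read it. The relabel can also fail outright when the file lives on a filesystem without SELinux xattr support or is not owned by the invoking user, which would turn a working conversion into a mount error. `pixel_dir` here, and `pixel_dir`/`safe_dir` in the second hunk, look like application-managed directories (inferred from the names), where a private label is appropriate. Consider copying the input into such a directory before mounting it, and mounting it read-only if the container only reads it, e.g. `f"{input_copy}:/tmp/input_file:ro,Z"` (`input_copy` is a placeholder name). Both `extra_args` lists sit in methods whose bodies start and end outside the hunks, so how the paths are created is not visible here.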