From 3baea39187fdb015ceb6a6fbc35d152f3e37c415 Mon Sep 17 00:00:00 2001 From: Erik Wilson Date: Fri, 21 Feb 2020 14:53:22 -0700 Subject: [PATCH 1/5] Enable selinux for containerd --- pkg/agent/templates/templates.go | 1 + scripts/build | 9 +++++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/pkg/agent/templates/templates.go b/pkg/agent/templates/templates.go index a1d8940535f8..6c108a91e301 100644 --- a/pkg/agent/templates/templates.go +++ b/pkg/agent/templates/templates.go @@ -20,6 +20,7 @@ const ContainerdConfigTemplate = ` [plugins.cri] stream_server_address = "127.0.0.1" stream_server_port = "10010" + enable_selinux = true {{- if .IsRunningInUserNS }} disable_cgroup = true diff --git a/scripts/build b/scripts/build index 72d3c07eceb2..302e6adc5148 100755 --- a/scripts/build +++ b/scripts/build @@ -36,6 +36,7 @@ LDFLAGS=" STATIC=" -extldflags '-static' " +RUNC_TARGET="static" if [ "$DQLITE" = "true" ]; then DQLITE_TAGS="dqlite" @@ -45,13 +46,14 @@ fi STATIC_SQLITE=" -extldflags '-static -lm -ldl -lz -lpthread $DQLITE_STATIC_SQLITE' " -TAGS="ctrd apparmor seccomp no_btrfs netcgo osusergo providerless $DQLITE_TAGS" +TAGS="ctrd apparmor seccomp selinux no_btrfs netcgo osusergo providerless $DQLITE_TAGS" if [ "$STATIC_BUILD" != "true" ]; then STATIC=" " STATIC_SQLITE=" " + RUNC_TARGET="" else TAGS="static_build libsqlite3 $TAGS" fi 
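Review bot: `enable_selinux = true` is written unconditionally into the containerd config template, whereas the neighbouring `disable_cgroup` is gated on `.IsRunningInUserNS`; an operator on a host that has no SELinux policy for containers, or who deliberately wants labels off, has no opt-out short of shipping a whole custom template. Consider gating it on an agent-config field in the same style, `{{- if .SELinux }}` / `enable_selinux = true` / `{{end}}`, or at minimum add a template comment that the setting only has an effect when the kernel has SELinux enabled and runc is built with the `selinux` tag (which the scripts/build change in this same commit adds). Whether the cri plugin tolerates `enable_selinux = true` on a host with SELinux disabled is not visible here and is worth confirming before it becomes the default for every node.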
@@ -109,13 +111,16 @@ ln -s containerd ./bin/ctr # echo Building containerd # CGO_ENABLED=0 go build -tags "$TAGS" -ldflags "$VERSIONFLAGS $LDFLAGS $STATIC" -o bin/containerd ./cmd/containerd/ echo Building runc -make EXTRA_LDFLAGS="-w -s" BUILDTAGS="apparmor seccomp" -C ./vendor/github.com/opencontainers/runc static +rm -f ./vendor/github.com/opencontainers/runc/runc +make EXTRA_LDFLAGS="-w -s" BUILDTAGS="apparmor seccomp selinux" -C ./vendor/github.com/opencontainers/runc $RUNC_TARGET cp -f ./vendor/github.com/opencontainers/runc/runc ./bin/runc echo Building containerd-shim +rm -f ./vendor/github.com/containerd/containerd/bin/containerd-shim make -C ./vendor/github.com/containerd/containerd bin/containerd-shim cp -f ./vendor/github.com/containerd/containerd/bin/containerd-shim ./bin/containerd-shim echo Building containerd-shim-runc-v2 +rm -f ./vendor/github.com/containerd/containerd/bin/containerd-shim-runc-v2 make -C ./vendor/github.com/containerd/containerd bin/containerd-shim-runc-v2 cp -f ./vendor/github.com/containerd/containerd/bin/containerd-shim-runc-v2 ./bin/containerd-shim-runc-v2 From 2505369ab302452e37f2a47f325043012cb691e3 Mon Sep 17 00:00:00 2001 From: Erik Wilson Date: Fri, 21 Feb 2020 14:54:30 -0700 Subject: [PATCH 2/5] Vendor files from containerd/cri/pull/1246 --- go.mod | 3 +- go.sum | 4 +- .../cri/pkg/server/container_create.go | 35 ++++++++- .../containerd/cri/pkg/server/helpers.go | 60 ++++++++------- .../containerd/cri/pkg/server/sandbox_run.go | 23 +++++- .../containerd/cri/pkg/server/service.go | 6 +- .../cri/pkg/store/container/container.go | 9 ++- .../cri/pkg/store/container/metadata.go | 2 + .../containerd/cri/pkg/store/label/label.go | 76 +++++++++++++++++++ .../cri/pkg/store/sandbox/metadata.go | 2 + .../cri/pkg/store/sandbox/sandbox.go | 9 ++- vendor/modules.txt | 3 +- 12 files changed, 191 insertions(+), 41 deletions(-) create mode 100644 vendor/github.com/containerd/cri/pkg/store/label/label.go 
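Review bot: `BUILDTAGS="apparmor seccomp selinux"` for runc is a second hand-maintained copy of the security features listed in `$TAGS` for containerd; if one list is edited without the other, containerd will hand runc SELinux labels that a runc built without the `selinux` tag presumably ignores without error (inferred from the tag name, not visible here). Define the list once next to `RUNC_TARGET`, e.g. `RUNC_BUILDTAGS="apparmor seccomp selinux"`, and use `BUILDTAGS="$RUNC_BUILDTAGS"` in this make line. The added `rm -f` lines are a sound way to force a rebuild of stale vendored binaries, but the following `cp -f` only stays safe if a failed `make` aborts the script; whether this file runs under `set -e` is outside the hunk.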
diff --git a/go.mod b/go.mod index d124411827cc..e344432d0e79 100644 --- a/go.mod +++ b/go.mod @@ -9,7 +9,7 @@ replace ( github.com/containerd/console => github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50 github.com/containerd/containerd => github.com/rancher/containerd v1.3.3-k3s1 github.com/containerd/continuity => github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02 - github.com/containerd/cri => github.com/rancher/cri v1.3.0-k3s.3 + github.com/containerd/cri => github.com/erikwilson/rancher-cri v1.11.1-0.20200221204331-01cec633ed04 github.com/containerd/fifo => github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c github.com/containerd/go-runc => github.com/containerd/go-runc v0.0.0-20190911050354-e029b79d8cda github.com/containerd/typeurl => github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd @@ -124,6 +124,5 @@ require ( k8s.io/component-base v0.0.0 k8s.io/cri-api v0.0.0 k8s.io/klog v1.0.0 - k8s.io/kubelet v0.0.0 k8s.io/kubernetes v1.16.0 ) diff --git a/go.sum b/go.sum index 29b176dbfcb8..80b0a59db5a9 100644 --- a/go.sum +++ b/go.sum 
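Review bot: The `replace` for `github.com/containerd/cri` now points at a personal fork, `github.com/erikwilson/rancher-cri`, at an untagged pseudo-version, instead of the org-owned `github.com/rancher/cri` release it replaces. From a supply-chain standpoint that puts the CRI runtime, which runs as root on every node, behind a single personal account with no tag to audit; `go.sum` pins content integrity but neither provenance nor availability. Before this leaves WIP, land the containerd/cri#1246 changes in the `rancher/cri` fork and pin a tagged release there. The dropped `k8s.io/kubelet v0.0.0` requirement looks like a consequence of the fork no longer importing it and is fine if `go mod tidy` agrees.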
@@ -229,6 +229,8 @@ github.com/emicklei/go-restful v2.9.5+incompatible h1:spTtZBk5DYEvbxMVutUuTyh1Ao github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/erikwilson/rancher-cri v1.11.1-0.20200221204331-01cec633ed04 h1:t4+xCLqiYyA8BGUDnu54QzaLwO94Iqa2VtSwSPIQjmk= +github.com/erikwilson/rancher-cri v1.11.1-0.20200221204331-01cec633ed04/go.mod h1:GfpXQiZC0mC9ik1rXKuispIvYhBGnXun3El0abjeUYI= github.com/euank/go-kmsg-parser v2.0.0+incompatible h1:cHD53+PLQuuQyLZeriD1V/esuG4MuU0Pjs5y6iknohY= github.com/euank/go-kmsg-parser v2.0.0+incompatible/go.mod h1:MhmAMZ8V4CYH4ybgdRwPr2TU5ThnS43puaKEMpja1uw= github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= @@ -707,8 +709,6 @@ github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8 h1:83l9gPhYtgxODl github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8/go.mod h1:4XHkfaUj+URzGO9sohoAgt2V9Y8nIW7fugpu0E6gShk= github.com/rancher/containerd v1.3.3-k3s1 h1:j8NGZdXKsZd2ne0XQg6OBfMJ/NkY/Qri6QhscGrJp2M= github.com/rancher/containerd v1.3.3-k3s1/go.mod h1:ZMfzmqce2Z+QSEqdHMfeJs1TZ/UeJ1aDrazjpQT4ehM= -github.com/rancher/cri v1.3.0-k3s.3 h1:j/Sq2LMyg6gBn2MS1j5dEudpdL+UYVH7ubbewUCXkS0= -github.com/rancher/cri v1.3.0-k3s.3/go.mod h1:Ht5T1dIKzm+4NExmb7wDVG6qR+j0xeXIjjhCv1d9geY= github.com/rancher/cri-tools v1.17.0-k3s1 h1:jfu97FowbraTDc7b6fxWtO+dq+DU2oW+ABBQSEFiRb0= github.com/rancher/cri-tools v1.17.0-k3s1/go.mod h1:bRTZttsvk+nCG8tSFs8D6UUx8CkMXR5TAsRLS0fXAqI= github.com/rancher/dynamiclistener v0.2.0 h1:KucYwJXVVGhZ/NndfMCeQoCafT/VN7kvqSGgmlX8Lxk= 
diff --git a/vendor/github.com/containerd/cri/pkg/server/container_create.go b/vendor/github.com/containerd/cri/pkg/server/container_create.go index d35fff30cbac..cf6a6acd6aa7 100644 --- a/vendor/github.com/containerd/cri/pkg/server/container_create.go +++ b/vendor/github.com/containerd/cri/pkg/server/container_create.go @@ -39,6 +39,7 @@ import ( "github.com/davecgh/go-spew/spew" imagespec "github.com/opencontainers/image-spec/specs-go/v1" runtimespec "github.com/opencontainers/runtime-spec/specs-go" + "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" "golang.org/x/net/context" runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2" @@ -173,6 +174,18 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta return nil, errors.Wrapf(err, "failed to generate container %q spec", id) } + meta.ProcessLabel = spec.Process.SelinuxLabel + if config.GetLinux().GetSecurityContext().GetPrivileged() { + // If privileged don't set the SELinux label but still record it on the container so + // the unused MCS label can be release later + spec.Process.SelinuxLabel = "" + } + defer func() { + if retErr != nil { + _ = label.ReleaseLabel(spec.Process.SelinuxLabel) + } + }() + log.G(ctx).Debugf("Container %q spec: %#+v", id, spew.NewFormatter(spec)) // Set snapshotter before any other options. @@ -324,7 +337,7 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxPid uint32, config *runtime.ContainerConfig, sandboxConfig *runtime.PodSandboxConfig, imageConfig *imagespec.ImageConfig, extraMounts []*runtime.Mount, - ociRuntime config.Runtime) (*runtimespec.Spec, error) { + ociRuntime config.Runtime) (retSpec *runtimespec.Spec, retErr error) { specOpts := []oci.SpecOpts{ customopts.WithoutRunMount, 
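Review bot: In the privileged branch `spec.Process.SelinuxLabel` is cleared before the deferred `label.ReleaseLabel(spec.Process.SelinuxLabel)` evaluates its argument, so on any later error a privileged container's reserved MCS label (still held in `meta.ProcessLabel`) is never released and that level leaks until containerd restarts. The sandbox counterpart in sandbox_run.go releases `sandbox.ProcessLabel`; do the same here: `_ = label.ReleaseLabel(meta.ProcessLabel)`. The comment also has a typo, `release later` → `released later`. This file is vendored from the fork, so the fix belongs in containerd/cri#1246 rather than under vendor/; CreateContainer's signature and its `retErr` named return are outside the hunk.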
@@ -366,11 +379,27 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP specOpts = append(specOpts, oci.WithEnv(env)) securityContext := config.GetLinux().GetSecurityContext() - selinuxOpt := securityContext.GetSelinuxOptions() - processLabel, mountLabel, err := initSelinuxOpts(selinuxOpt) + labelOptions := toLabel(securityContext.GetSelinuxOptions()) + if len(labelOptions) == 0 { + // Use pod level SELinux config + if sandbox, err := c.sandboxStore.Get(sandboxID); err == nil { + labelOptions, err = label.DupSecOpt(sandbox.ProcessLabel) + if err != nil { + return nil, err + } + } + } + + processLabel, mountLabel, err := label.InitLabels(labelOptions) if err != nil { return nil, errors.Wrapf(err, "failed to init selinux options %+v", securityContext.GetSelinuxOptions()) } + defer func() { + if retErr != nil { + _ = label.ReleaseLabel(processLabel) + } + }() + specOpts = append(specOpts, customopts.WithMounts(c.os, config, extraMounts, mountLabel)) if !c.config.DisableProcMount { diff --git a/vendor/github.com/containerd/cri/pkg/server/helpers.go b/vendor/github.com/containerd/cri/pkg/server/helpers.go index 1d1565704716..4ec03ca33cb0 100644 --- a/vendor/github.com/containerd/cri/pkg/server/helpers.go +++ b/vendor/github.com/containerd/cri/pkg/server/helpers.go 
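Review bot: `label.InitLabels(labelOptions)` is called directly here, bypassing the `initLabels` wrapper added in helpers.go that runs `checkSelinuxLevel` on every `level:` option; the sandbox path goes through `initLabelsFromOpt`, so a caller-supplied container-level `level` is no longer format-checked while the pod-level one is, undoing the validation the removed `initSelinuxOpts` performed. Use `processLabel, mountLabel, err := initLabels(labelOptions)`. Separately, when the container inherits the pod label via `label.DupSecOpt(sandbox.ProcessLabel)`, the deferred `label.ReleaseLabel(processLabel)` on error releases a level the running sandbox still holds; if go-selinux's in-process release is not reference counted (presumably why this patch adds the counted `label.Store`), a later pod could be handed the same MCS pair as a live one. Routing that error-path release through the counted store, or skipping it when the options came from the sandbox, would close this; the fix belongs in the fork/upstream PR, not in vendor/.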
@@ -298,47 +298,55 @@ func (c *criService) ensureImageExists(ctx context.Context, ref string, config * return &newImage, nil } -func initSelinuxOpts(selinuxOpt *runtime.SELinuxOption) (string, string, error) { - if selinuxOpt == nil { - return "", "", nil +func toLabel(selinuxOptions *runtime.SELinuxOption) (labels []string) { + if selinuxOptions == nil { + return nil } - // Should ignored selinuxOpts if they are incomplete. - if selinuxOpt.GetUser() == "" || - selinuxOpt.GetRole() == "" || - selinuxOpt.GetType() == "" { - return "", "", nil + if selinuxOptions.User != "" { + labels = append(labels, "user:"+selinuxOptions.User) } - - // make sure the format of "level" is correct. - ok, err := checkSelinuxLevel(selinuxOpt.GetLevel()) - if err != nil || !ok { - return "", "", err + if selinuxOptions.Role != "" { + labels = append(labels, "role:"+selinuxOptions.Role) + } + if selinuxOptions.Type != "" { + labels = append(labels, "type:"+selinuxOptions.Type) + } + if selinuxOptions.Level != "" { + labels = append(labels, "level:"+selinuxOptions.Level) } - labelOpts := fmt.Sprintf("%s:%s:%s:%s", - selinuxOpt.GetUser(), - selinuxOpt.GetRole(), - selinuxOpt.GetType(), - selinuxOpt.GetLevel()) + return +} - options, err := label.DupSecOpt(labelOpts) - if err != nil { - return "", "", err +func initLabelsFromOpt(selinuxOpts *runtime.SELinuxOption) (string, string, error) { + return initLabels(toLabel(selinuxOpts)) +} + +func initLabels(options []string) (string, string, error) { + for _, opt := range options { + if strings.HasPrefix(opt, "level:") { + if err := checkSelinuxLevel(strings.TrimPrefix(opt, "level:")); err != nil { + return "", "", err + } + } } return label.InitLabels(options) } -func checkSelinuxLevel(level string) (bool, error) { +func checkSelinuxLevel(level string) error { if len(level) == 0 { - return true, nil + return nil } matched, err := regexp.MatchString(`^s\d(-s\d)??(:c\d{1,4}((.c\d{1,4})?,c\d{1,4})*(.c\d{1,4})?(,c\d{1,4}(.c\d{1,4})?)*)?$`, level) - 
if err != nil || !matched { - return false, errors.Wrapf(err, "the format of 'level' %q is not correct", level) + if err != nil { + return errors.Wrapf(err, "the format of 'level' %q is not correct", level) + } + if !matched { + return fmt.Errorf("the format of 'level' %q is not correct", level) } - return true, nil + return nil } // isInCRIMounts checks whether a destination is in CRI mount list. diff --git a/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go b/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go index 9d64819afab2..24cdf5f03a71 100644 --- a/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go +++ b/vendor/github.com/containerd/cri/pkg/server/sandbox_run.go @@ -34,6 +34,7 @@ import ( "github.com/davecgh/go-spew/spew" imagespec "github.com/opencontainers/image-spec/specs-go/v1" runtimespec "github.com/opencontainers/runtime-spec/specs-go" + "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" "github.com/sirupsen/logrus" "golang.org/x/net/context" @@ -158,6 +159,18 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox return nil, errors.Wrap(err, "failed to generate sandbox container spec") } log.G(ctx).Debugf("Sandbox container %q spec: %#+v", id, spew.NewFormatter(spec)) + sandbox.ProcessLabel = spec.Process.SelinuxLabel + defer func() { + if retErr != nil { + _ = label.ReleaseLabel(sandbox.ProcessLabel) + } + }() + + if securityContext.GetPrivileged() { + // If privileged don't set selinux label, but we still record the MCS label so that + // the unused label can be freed later. + spec.Process.SelinuxLabel = "" + } var specOpts []oci.SpecOpts userstr, err := generateUserString( 
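Review bot: `checkSelinuxLevel`'s pattern is unchanged context here but is now the only guard on `level:` values reaching `label.InitLabels` via `initLabels`, and it uses an unescaped `.` in `(.c\d{1,4})`, so it accepts any character where the literal `.` of an MCS range is intended (e.g. `s0:c0Xc1` passes); escape it as `\.c\d{1,4}` in both places and consider compiling the pattern once at package level now that it runs per pod. `toLabel` has no doc comment and builds `user:`/`role:`/`type:`/`level:` options without checking the value is free of `:` or whitespace; whether `label.InitLabels` rejects such values is not visible here, so a comment stating that assumption, `// values are passed through unvalidated; InitLabels is relied on to reject malformed fields`, would help. Vendored from the fork — changes belong in containerd/cri#1246.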
@@ -328,7 +341,7 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox } func (c *criService) generateSandboxContainerSpec(id string, config *runtime.PodSandboxConfig, - imageConfig *imagespec.ImageConfig, nsPath string, runtimePodAnnotations []string) (*runtimespec.Spec, error) { + imageConfig *imagespec.ImageConfig, nsPath string, runtimePodAnnotations []string) (retSpec *runtimespec.Spec, retErr error) { // Creates a spec Generator with the default spec. // TODO(random-liu): [P1] Compare the default settings with docker and containerd default. specOpts := []oci.SpecOpts{ @@ -403,11 +416,15 @@ func (c *criService) generateSandboxContainerSpec(id string, config *runtime.Pod }, })) - selinuxOpt := securityContext.GetSelinuxOptions() - processLabel, mountLabel, err := initSelinuxOpts(selinuxOpt) + processLabel, mountLabel, err := initLabelsFromOpt(securityContext.GetSelinuxOptions()) if err != nil { return nil, errors.Wrapf(err, "failed to init selinux options %+v", securityContext.GetSelinuxOptions()) } + defer func() { + if retErr != nil && processLabel != "" { + _ = label.ReleaseLabel(processLabel) + } + }() supplementalGroups := securityContext.GetSupplementalGroups() specOpts = append(specOpts, diff --git a/vendor/github.com/containerd/cri/pkg/server/service.go b/vendor/github.com/containerd/cri/pkg/server/service.go index 87b2b3ea21a5..5b4d826a087f 100644 --- a/vendor/github.com/containerd/cri/pkg/server/service.go +++ b/vendor/github.com/containerd/cri/pkg/server/service.go @@ -25,6 +25,7 @@ import ( "github.com/containerd/containerd" "github.com/containerd/containerd/plugin" + "github.com/containerd/cri/pkg/store/label" cni "github.com/containerd/go-cni" runcapparmor "github.com/opencontainers/runc/libcontainer/apparmor" runcseccomp "github.com/opencontainers/runc/libcontainer/seccomp" 
@@ -104,14 +105,15 @@ type criService struct { // NewCRIService returns a new instance of CRIService func NewCRIService(config criconfig.Config, client *containerd.Client) (CRIService, error) { var err error + labels := label.NewStore() c := &criService{ config: config, client: client, apparmorEnabled: runcapparmor.IsEnabled() && !config.DisableApparmor, seccompEnabled: runcseccomp.IsEnabled(), os: osinterface.RealOS{}, - sandboxStore: sandboxstore.NewStore(), - containerStore: containerstore.NewStore(), + sandboxStore: sandboxstore.NewStore(labels), + containerStore: containerstore.NewStore(labels), imageStore: imagestore.NewStore(client), snapshotStore: snapshotstore.NewStore(), sandboxNameIndex: registrar.NewRegistrar(), diff --git a/vendor/github.com/containerd/cri/pkg/store/container/container.go b/vendor/github.com/containerd/cri/pkg/store/container/container.go index 444eb33b21d3..544678f8934a 100644 --- a/vendor/github.com/containerd/cri/pkg/store/container/container.go +++ b/vendor/github.com/containerd/cri/pkg/store/container/container.go @@ -20,6 +20,7 @@ import ( "sync" "github.com/containerd/containerd" + "github.com/containerd/cri/pkg/store/label" "github.com/docker/docker/pkg/truncindex" runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2" @@ -101,13 +102,15 @@ type Store struct { lock sync.RWMutex containers map[string]Container idIndex *truncindex.TruncIndex + labels *label.Store } // NewStore creates a container store. -func NewStore() *Store { +func NewStore(labels *label.Store) *Store { return &Store{ containers: make(map[string]Container), idIndex: truncindex.NewTruncIndex([]string{}), + labels: labels, } } @@ -119,6 +122,9 @@ func (s *Store) Add(c Container) error { if _, ok := s.containers[c.ID]; ok { return store.ErrAlreadyExist } + if err := s.labels.Reserve(c.ProcessLabel); err != nil { + return err + } if err := s.idIndex.Add(c.ID); err != nil { return err } 
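Review bot: `s.labels.Reserve(c.ProcessLabel)` runs before `s.idIndex.Add(c.ID)`, so if the index insert fails the reservation is never undone and the level's refcount stays incremented for the life of the process (the same ordering appears in sandbox.go's `Add`). Release on that failure: `if err := s.idIndex.Add(c.ID); err != nil { s.labels.Release(c.ProcessLabel); return err }`. A doc comment on the new `labels` field noting it is shared with the sandbox store (service.go passes one `label.NewStore()` to both) would also help the next reader. Vendored from the fork — the fix belongs in containerd/cri#1246; `Add` continues outside the hunk.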
@@ -165,6 +171,7 @@ func (s *Store) Delete(id string) { // So we need to return if there are error. return } + s.labels.Release(s.containers[id].ProcessLabel) s.idIndex.Delete(id) // nolint: errcheck delete(s.containers, id) } diff --git a/vendor/github.com/containerd/cri/pkg/store/container/metadata.go b/vendor/github.com/containerd/cri/pkg/store/container/metadata.go index 73d64a8f57c8..d0747e43ee8f 100644 --- a/vendor/github.com/containerd/cri/pkg/store/container/metadata.go +++ b/vendor/github.com/containerd/cri/pkg/store/container/metadata.go @@ -61,6 +61,8 @@ type Metadata struct { // StopSignal is the system call signal that will be sent to the container to exit. // TODO(random-liu): Add integration test for stop signal. StopSignal string + // ProcessLabel is the SELinux process label for the container + ProcessLabel string } // MarshalJSON encodes Metadata into bytes in json format. diff --git a/vendor/github.com/containerd/cri/pkg/store/label/label.go b/vendor/github.com/containerd/cri/pkg/store/label/label.go new file mode 100644 index 000000000000..6124df7888ec --- /dev/null +++ b/vendor/github.com/containerd/cri/pkg/store/label/label.go 
@@ -0,0 +1,76 @@ +package label + +import ( + "sync" + + "github.com/opencontainers/selinux/go-selinux" +) + +type Store struct { + sync.Mutex + levels map[string]int + Releaser func(string) + Reserver func(string) +} + +func NewStore() *Store { + return &Store{ + levels: map[string]int{}, + Releaser: selinux.ReleaseLabel, + Reserver: selinux.ReserveLabel, + } +} + +func (s *Store) Reserve(label string) error { + s.Lock() + defer s.Unlock() + + context, err := selinux.NewContext(label) + if err != nil { + return err + } + + level := context["level"] + // no reason to count empty + if level == "" { + return nil + } + + if _, ok := s.levels[level]; !ok { + s.Reserver(label) + } + + s.levels[level]++ + return nil +} + +func (s *Store) Release(label string) { + s.Lock() + defer s.Unlock() + + context, err := selinux.NewContext(label) + if err != nil { + return + } + + level := context["level"] + if level == "" { + return + } + + count, ok := s.levels[level] + if !ok { + return + } + switch { + case count == 1: + s.Releaser(label) + delete(s.levels, level) + case count < 1: + delete(s.levels, level) + case count > 1: + s.levels[level] = count - 1 + } + + return +} diff --git a/vendor/github.com/containerd/cri/pkg/store/sandbox/metadata.go b/vendor/github.com/containerd/cri/pkg/store/sandbox/metadata.go index 68f5fd881d9e..3d15d4658d23 100644 --- a/vendor/github.com/containerd/cri/pkg/store/sandbox/metadata.go +++ b/vendor/github.com/containerd/cri/pkg/store/sandbox/metadata.go @@ -61,6 +61,8 @@ type Metadata struct { RuntimeHandler string // CNIresult resulting configuration for attached network namespace interfaces CNIResult *cni.CNIResult + // ProcessLabel is the SELinux process label for the container + ProcessLabel string } // MarshalJSON encodes Metadata into bytes in json format. diff --git a/vendor/github.com/containerd/cri/pkg/store/sandbox/sandbox.go b/vendor/github.com/containerd/cri/pkg/store/sandbox/sandbox.go index 2fc01c5b35f8..03a71cbc36c0 100644 
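Review bot: `Store`, `NewStore`, `Reserve` and `Release` are exported with no doc comments, and the new file appears to lack the license header the sibling files in this package carry (their `import` blocks start near line 20, suggesting one; not visible here). The contract is subtle enough to need writing down: reservation is keyed by the MCS `level` alone, so labels differing only in user/role/type share one counter, and `Reserver` is invoked only the first time a level is seen, e.g. `// Reserve increments the refcount for label's MCS level, reserving it in go-selinux on first use; labels without a level are ignored.` `Release` treats an unknown level as a no-op and a `count < 1` entry as corrupt, dropping it without calling `Releaser`; a one-line comment on that choice would stop someone "fixing" it. Vendored from the fork — changes belong in containerd/cri#1246.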
--- a/vendor/github.com/containerd/cri/pkg/store/sandbox/sandbox.go +++ b/vendor/github.com/containerd/cri/pkg/store/sandbox/sandbox.go @@ -20,6 +20,7 @@ import ( "sync" "github.com/containerd/containerd" + "github.com/containerd/cri/pkg/store/label" "github.com/docker/docker/pkg/truncindex" "github.com/containerd/cri/pkg/netns" @@ -62,13 +63,15 @@ type Store struct { lock sync.RWMutex sandboxes map[string]Sandbox idIndex *truncindex.TruncIndex + labels *label.Store } // NewStore creates a sandbox store. -func NewStore() *Store { +func NewStore(labels *label.Store) *Store { return &Store{ sandboxes: make(map[string]Sandbox), idIndex: truncindex.NewTruncIndex([]string{}), + labels: labels, } } @@ -79,6 +82,9 @@ func (s *Store) Add(sb Sandbox) error { if _, ok := s.sandboxes[sb.ID]; ok { return store.ErrAlreadyExist } + if err := s.labels.Reserve(sb.ProcessLabel); err != nil { + return err + } if err := s.idIndex.Add(sb.ID); err != nil { return err } @@ -125,6 +131,7 @@ func (s *Store) Delete(id string) { // So we need to return if there are error. return } + s.labels.Release(s.sandboxes[id].ProcessLabel) s.idIndex.Delete(id) // nolint: errcheck delete(s.sandboxes, id) } diff --git a/vendor/modules.txt b/vendor/modules.txt index b99f92f07805..68871f9190f2 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -288,7 +288,7 @@ github.com/containerd/continuity/pathdriver github.com/containerd/continuity/proto github.com/containerd/continuity/syscallx github.com/containerd/continuity/sysx -# github.com/containerd/cri v0.0.0-00010101000000-000000000000 => github.com/rancher/cri v1.3.0-k3s.3 +# github.com/containerd/cri v0.0.0-00010101000000-000000000000 => github.com/erikwilson/rancher-cri v1.11.1-0.20200221204331-01cec633ed04 github.com/containerd/cri github.com/containerd/cri/pkg/annotations github.com/containerd/cri/pkg/api/runtimeoptions/v1 
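Review bot: As in the container store, `s.labels.Reserve(sb.ProcessLabel)` precedes `s.idIndex.Add(sb.ID)`, so an index failure leaks one refcount for the pod's MCS level. Release on that path: `if err := s.idIndex.Add(sb.ID); err != nil { s.labels.Release(sb.ProcessLabel); return err }`. Vendored from the fork — fix belongs in containerd/cri#1246; `Add` continues outside the hunk.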
@@ -306,6 +306,7 @@ github.com/containerd/cri/pkg/server/io github.com/containerd/cri/pkg/store github.com/containerd/cri/pkg/store/container github.com/containerd/cri/pkg/store/image +github.com/containerd/cri/pkg/store/label github.com/containerd/cri/pkg/store/sandbox github.com/containerd/cri/pkg/store/snapshot github.com/containerd/cri/pkg/util From c0011646400616df1eeb615437184cb1fdc72824 Mon Sep 17 00:00:00 2001 From: Erik Wilson Date: Fri, 21 Feb 2020 14:56:12 -0700 Subject: [PATCH 3/5] WIP - Use default containerd paths --- pkg/agent/config/config.go | 20 ++++++++++--------- pkg/ctr/main.go | 2 +- .../cri-tools/cmd/crictl/main_unix.go | 2 +- 3 files changed, 13 insertions(+), 11 deletions(-) diff --git a/pkg/agent/config/config.go b/pkg/agent/config/config.go index 8a19c0969bd2..58bc4a7d3b23 100644 --- a/pkg/agent/config/config.go +++ b/pkg/agent/config/config.go 
@@ -423,15 +423,17 @@ func get(envInfo *cmds.Agent) (*config.Node, error) { nodeConfig.AgentConfig.IPSECPSK = controlConfig.IPSECPSK nodeConfig.AgentConfig.StrongSwanDir = filepath.Join(envInfo.DataDir, "strongswan") nodeConfig.CACerts = info.CACerts - nodeConfig.Containerd.Config = filepath.Join(envInfo.DataDir, "etc/containerd/config.toml") - nodeConfig.Containerd.Root = filepath.Join(envInfo.DataDir, "containerd") - nodeConfig.Containerd.Opt = filepath.Join(envInfo.DataDir, "containerd") - if !envInfo.Debug { - nodeConfig.Containerd.Log = filepath.Join(envInfo.DataDir, "containerd/containerd.log") - } - nodeConfig.Containerd.State = "/run/k3s/containerd" - nodeConfig.Containerd.Address = filepath.Join(nodeConfig.Containerd.State, "containerd.sock") - nodeConfig.Containerd.Template = filepath.Join(envInfo.DataDir, "etc/containerd/config.toml.tmpl") + + nodeConfig.Containerd.Config = "/etc/containerd/config.toml" + nodeConfig.Containerd.Root = "/var/lib/containerd" + nodeConfig.Containerd.Opt = "/opt/containerd" + nodeConfig.Containerd.Log = "/var/log/containerd.log" + // nodeConfig.Containerd.State = "/var/lib/docker/overlay2/" + nodeConfig.Containerd.State = "/run/containerd" + nodeConfig.Containerd.Address = "/run/containerd/containerd.sock" + nodeConfig.Containerd.Log = "/var/log/containerd.log" + nodeConfig.Containerd.Template = "/etc/containerd/config.toml.tmpl" + nodeConfig.ServerAddress = serverURLParsed.Host nodeConfig.Certificate = servingCert diff --git a/pkg/ctr/main.go b/pkg/ctr/main.go index fca1c40810fe..4013f962b1cd 100644 --- a/pkg/ctr/main.go +++ b/pkg/ctr/main.go @@ -35,7 +35,7 @@ func main() { for i, flag := range app.Flags { if sFlag, ok := flag.(cli.StringFlag); ok { if sFlag.Name == "address, a" { - sFlag.Value = "/run/k3s/containerd/containerd.sock" + sFlag.Value = "/run/containerd/containerd.sock" app.Flags[i] = sFlag } else if sFlag.Name == "namespace, n" { sFlag.Value = "k8s.io" 
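Review bot: `nodeConfig.Containerd.Log = "/var/log/containerd.log"` is assigned twice and the removed `if !envInfo.Debug` guard is gone, so debug runs now also log to the file; drop the duplicate and restore the guard, `if !envInfo.Debug { nodeConfig.Containerd.Log = "/var/log/containerd.log" }`. More importantly, every path is now a system-wide default (`/etc/containerd/config.toml`, `/var/lib/containerd`, `/run/containerd/containerd.sock`) that ignores `envInfo.DataDir`, so a k3s agent will overwrite the config of, and share the root-equivalent socket with, any containerd or docker already installed on the host; if the motivation is matching the host SELinux policy's file contexts, that should be stated in a comment and the paths kept configurable. The commented-out `/var/lib/docker/overlay2/` line should be deleted rather than left as dead code. The commit is marked WIP, so some of this may be known.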
diff --git a/vendor/github.com/kubernetes-sigs/cri-tools/cmd/crictl/main_unix.go b/vendor/github.com/kubernetes-sigs/cri-tools/cmd/crictl/main_unix.go index cb5aad9c8d9c..26ec8455428c 100644 --- a/vendor/github.com/kubernetes-sigs/cri-tools/cmd/crictl/main_unix.go +++ b/vendor/github.com/kubernetes-sigs/cri-tools/cmd/crictl/main_unix.go @@ -20,5 +20,5 @@ package crictl const ( defaultConfigPath = "/etc/crictl.yaml" - defaultRuntimeEndpoint = "unix:///run/k3s/containerd/containerd.sock" + defaultRuntimeEndpoint = "unix:///run/containerd/containerd.sock" ) From f544a6473a8ecf25c47685fd1a191d5c09de9c9f Mon Sep 17 00:00:00 2001 From: Erik Wilson Date: Fri, 21 Feb 2020 16:41:30 -0700 Subject: [PATCH 4/5] WIP - Update Vagrantfile for CentOS 7 --- Vagrantfile | 39 ++++---- .../{ => generic/alpine310}/vagrant-provision | 2 +- scripts/generic/centos7/vagrant-provision | 95 +++++++++++++++++++ 3 files changed, 117 insertions(+), 19 deletions(-) rename scripts/{ => generic/alpine310}/vagrant-provision (98%) create mode 100755 scripts/generic/centos7/vagrant-provision diff --git a/Vagrantfile b/Vagrantfile index 8a962e365638..21a9c1b203cc 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -1,12 +1,14 @@ -BOX = "generic/alpine310" +OS = (ENV['OS'] || "centos7" ) +BOX = (ENV['box'] || "generic/#{OS}") HOME = File.dirname(__FILE__) PROJECT = File.basename(HOME) -MOUNT_TYPE = ENV['MOUNT_TYPE'] || "nfs" NUM_NODES = (ENV['NUM_NODES'] || 0).to_i NODE_CPUS = (ENV['NODE_CPUS'] || 4).to_i NODE_MEMORY = (ENV['NODE_MEMORY'] || 8192).to_i NETWORK_PREFIX = ENV['NETWORK_PREFIX'] || "10.135.135" -VAGRANT_PROVISION = ENV['VAGRANT_PROVISION'] || "./scripts/vagrant-provision" +VAGRANT_PROVISION = ENV['VAGRANT_PROVISION'] || "./scripts/#{BOX}/vagrant-provision" +MOUNT_TYPE = ENV['MOUNT_TYPE'] || "" +# MOUNT_TYPE = ENV['MOUNT_TYPE'] || "nfs" # --- Rules for /etc/sudoers to avoid password entry configuring NFS: # %admin ALL = (root) NOPASSWD: /usr/bin/sed -E -e * -ibak /etc/exports 
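Review bot: `VAGRANT_PROVISION` is derived from `BOX` (`./scripts/#{BOX}/vagrant-provision`), so anyone overriding the box via `ENV['box']` — note the lowercase name, unlike every other knob here (`OS`, `NUM_NODES`, `MOUNT_TYPE`) — points the provisioner at a script directory that does not exist. Derive it from the OS instead, `VAGRANT_PROVISION = ENV['VAGRANT_PROVISION'] || "./scripts/generic/#{OS}/vagrant-provision"`, and rename the override to `ENV['BOX']`. The commented-out `MOUNT_TYPE` default is dead code; keep one line.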
@@ -14,19 +16,19 @@ VAGRANT_PROVISION = ENV['VAGRANT_PROVISION'] || "./scripts/vagrant-provision" # %admin ALL = (root) NOPASSWD: /sbin/nfsd restart # --- May need to add terminal to System Preferences -> Security & Privacy -> Privacy -> Full Disk Access -# --- Check for missing plugins -required_plugins = %w( vagrant-alpine vagrant-timezone ) -plugin_installed = false -required_plugins.each do |plugin| - unless Vagrant.has_plugin?(plugin) - system "vagrant plugin install #{plugin}" - plugin_installed = true - end -end -# --- If new plugins installed, restart Vagrant process -if plugin_installed === true - exec "vagrant #{ARGV.join' '}" -end +# # --- Check for missing plugins +# required_plugins = %w( vagrant-alpine vagrant-timezone ) +# plugin_installed = false +# required_plugins.each do |plugin| +# unless Vagrant.has_plugin?(plugin) +# system "vagrant plugin install #{plugin}" +# plugin_installed = true +# end +# end +# # --- If new plugins installed, restart Vagrant process +# if plugin_installed === true +# exec "vagrant #{ARGV.join' '}" +# end provision = <