diff --git a/oak/server/rust/oak_runtime/src/node/wasm.rs b/oak/server/rust/oak_runtime/src/node/wasm.rs
index 7ece8600b73..3382fd798d7 100644
--- a/oak/server/rust/oak_runtime/src/node/wasm.rs
+++ b/oak/server/rust/oak_runtime/src/node/wasm.rs
@@ -201,7 +201,6 @@ impl WasmInterface {
 &config_name,
 &entrypoint,
 // TODO(#630): Let caller provide this label via the Wasm ABI.
- // TODO(#630): Check whether the label of the caller "flows to" the provided label.
 &oak_abi::label::Label::public_trusted(),
 channel_ref.clone(),
 )
@@ -220,7 +219,10 @@ impl WasmInterface {
 write_addr: AbiPointer,
 read_addr: AbiPointer,
 ) -> Result<(), OakStatus> {
- let (writer, reader) = self.runtime.new_channel();
+ let (writer, reader) = self
+ .runtime
+ // TODO(#630): Let caller provide this label via the Wasm ABI.
+ .new_channel(&oak_abi::label::Label::public_trusted());
 self.validate_ptr(write_addr, 8)?;
 self.validate_ptr(read_addr, 8)?;
diff --git a/oak/server/rust/oak_runtime/src/runtime/channel.rs b/oak/server/rust/oak_runtime/src/runtime/channel.rs
index 3ddb20c3d6f..c5c9e7f25e5 100644
--- a/oak/server/rust/oak_runtime/src/runtime/channel.rs
+++ b/oak/server/rust/oak_runtime/src/runtime/channel.rs
@@ -55,6 +55,13 @@ pub struct Channel {
 /// instead of removing itself from all the `Channel`s it subscribed to.
 /// Threads can be woken up spuriously without issue.
 pub waiting_threads: WaitingThreads,
+
+ /// The Label associated with this channel.
+ ///
+ /// This is set at channel creation time and does not change after that.
+ ///
+ /// See https://github.com/project-oak/oak/blob/master/docs/concepts.md#labels
+ label: oak_abi::label::Label,
 }

 /// A reference to a [`Channel`]. Each [`Handle`] has an implicit direction such that it is only
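Review bot: In `channel_create` (wasm.rs, hunk `@@ -220,7 +219,10 @@`) every channel a Wasm node creates gets the hard-coded `Label::public_trusted()`, and no line shown here compares the creating node's label with the channel's label. The first hunk of this file also drops the TODO that tracked the "flows to" check, so unless it is tracked elsewhere the open item is no longer recorded next to the code that will need it once #630 lets the caller supply a label. I would keep the reminder at this call site and move the comment out of the method chain to sit above the `let`: `// TODO(#630): Let caller provide this label via the Wasm ABI, and check that the caller's label "flows to" it.` The body of `channel_create` continues outside the hunk.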
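Review bot: The new private `label` field on `Channel` (channel.rs, hunk `@@ -55,6 +55,13 @@`) is set in `Channel::new`, but nothing in this diff reads it, so the doc comment can be taken to mean that reads and writes on the channel are already checked against the label. If enforcement is not implemented yet, say so in the field documentation, for example `/// Not yet enforced: channel reads and writes are not checked against this label.` A private field that is never read may also raise rustc's `dead_code` warning unless an accessor exists outside the lines shown. The struct definition starts before the hunk.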
@@ -88,12 +95,13 @@ pub struct ChannelMapping {
 impl Channel {
 /// Create a new channel with the assumption there is currently one active reader and one active
 /// writer references.
- pub fn new() -> Channel {
+ pub fn new(label: &oak_abi::label::Label) -> Channel {
 Channel {
 messages: RwLock::new(Messages::new()),
 writers: AtomicU64::new(1),
 readers: AtomicU64::new(1),
 waiting_threads: Mutex::new(HashMap::new()),
+ label: label.clone(),
 }
 }

@@ -150,10 +158,10 @@ impl ChannelMapping {
 }

 /// Create a new [`Channel`] and return a `(writer handle, reader handle)` pair.
- pub fn new_channel(&self) -> (Handle, Handle) {
+ pub fn new_channel(&self, label: &oak_abi::label::Label) -> (Handle, Handle) {
 let channel_id = self.next_channel_id.fetch_add(1, SeqCst);
 let mut channels = self.channels.write().unwrap();
- channels.insert(channel_id, Channel::new());
+ channels.insert(channel_id, Channel::new(label));
 (self.new_writer(channel_id), self.new_reader(channel_id))
 }

diff --git a/oak/server/rust/oak_runtime/src/runtime/mod.rs b/oak/server/rust/oak_runtime/src/runtime/mod.rs
index c878d67c01d..001a2f67143 100644
--- a/oak/server/rust/oak_runtime/src/runtime/mod.rs
+++ b/oak/server/rust/oak_runtime/src/runtime/mod.rs
@@ -36,6 +36,12 @@ pub use channel::{Handle, HandleDirection};
 struct Node {
 reference: NodeRef,
 join_handle: JoinHandle<()>,
+
+ /// The Label associated with this node.
+ ///
+ /// This is set at node creation time and does not change after that.
+ ///
+ /// See https://github.com/project-oak/oak/blob/master/docs/concepts.md#labels
 label: oak_abi::label::Label,
 }
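Review bot: The doc comments on `Channel::new` and `ChannelMapping::new_channel` in channel.rs (hunks `@@ -88,12 +95,13 @@` and `@@ -150,10 +158,10 @@`), and on `Runtime::new_channel` in runtime/mod.rs, were not updated for the new `label` parameter, so the function docs do not tell a caller that the label is fixed for the channel's lifetime. Add a line such as `/// The label is cloned into the channel at creation and does not change afterwards.` to each of the three. Since `Channel::new` always clones its argument, taking `label: oak_abi::label::Label` by value would let a caller that already owns a label move it in; that is optional and would have to change the three signatures together.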
@@ -84,7 +90,10 @@ impl Runtime {

 let runtime = RuntimeRef(Arc::new(runtime));

- let (chan_writer, chan_reader) = runtime.new_channel();
+ // When first starting, we assign the least privileged label to the channel connecting the
+ // outside world to the entry point node.
+ let (chan_writer, chan_reader) =
+ runtime.new_channel(&oak_abi::label::Label::public_trusted());

 runtime.node_create(
 &config.entry_module,
@@ -125,8 +134,8 @@ impl Runtime {
 }

 /// Creates a new channel.
- pub fn new_channel(&self) -> (Handle, Handle) {
- self.channels.new_channel()
+ pub fn new_channel(&self, label: &oak_abi::label::Label) -> (Handle, Handle) {
+ self.channels.new_channel(label)
 }

 /// Reads the statuses from a slice of `Option<&ChannelReader>`s.
diff --git a/sdk/rust/oak_tests/src/lib.rs b/sdk/rust/oak_tests/src/lib.rs
index 558bf18a577..e03626bebdb 100644
--- a/sdk/rust/oak_tests/src/lib.rs
+++ b/sdk/rust/oak_tests/src/lib.rs
@@ -111,13 +111,15 @@ where
 .expect("failed to serialize GrpcRequest message");

 // Create a new channel to hold the request message.
- let (req_write_half, req_read_half) = runtime.new_channel();
+ let (req_write_half, req_read_half) =
+ runtime.new_channel(&oak_abi::label::Label::public_trusted());
 runtime
 .channel_write(req_write_half, req_msg)
 .expect("could not write message");

 // Create a new channel for responses to arrive on and also attach that to the message.
- let (rsp_write_half, rsp_read_half) = runtime.new_channel();
+ let (rsp_write_half, rsp_read_half) =
+ runtime.new_channel(&oak_abi::label::Label::public_trusted());

 // Create a notification message and attach the method-invocation specific channels to it.
 let notify_msg = oak_runtime::Message {