| package daemon // import "github.com/docker/docker/daemon" |
| |
| import ( |
| "context" |
| |
| "github.com/docker/docker/container" |
| "github.com/docker/docker/daemon/exec" |
| "github.com/docker/docker/oci/caps" |
| "github.com/opencontainers/runc/libcontainer/apparmor" |
| "github.com/opencontainers/runtime-spec/specs-go" |
| ) |
| |
| func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config, p *specs.Process) error { |
| if len(ec.User) > 0 { |
| uid, gid, additionalGids, err := getUser(c, ec.User) |
| if err != nil { |
| return err |
| } |
| p.User = specs.User{ |
| UID: uid, |
| GID: gid, |
| AdditionalGids: additionalGids, |
| } |
| } |
| if ec.Privileged { |
| if p.Capabilities == nil { |
| p.Capabilities = &specs.LinuxCapabilities{} |
| } |
| p.Capabilities.Bounding = caps.GetAllCapabilities() |
| p.Capabilities.Permitted = p.Capabilities.Bounding |
| p.Capabilities.Inheritable = p.Capabilities.Bounding |
| p.Capabilities.Effective = p.Capabilities.Bounding |
| } |
| if apparmor.IsEnabled() { |
| var appArmorProfile string |
| if c.AppArmorProfile != "" { |
| appArmorProfile = c.AppArmorProfile |
| } else if c.HostConfig.Privileged { |
| // `docker exec --privileged` does not currently disable AppArmor |
| // profiles. Privileged configuration of the container is inherited |
| appArmorProfile = "unconfined" |
| } else { |
| appArmorProfile = "docker-default" |
| } |
| |
| if appArmorProfile == "docker-default" { |
| // Unattended upgrades and other fun services can unload AppArmor |
| // profiles inadvertently. Since we cannot store our profile in |
| // /etc/apparmor.d, nor can we practically add other ways of |
| // telling the system to keep our profile loaded, in order to make |
| // sure that we keep the default profile enabled we dynamically |
| // reload it if necessary. |
| if err := ensureDefaultAppArmorProfile(); err != nil { |
| return err |
| } |
| } |
| p.ApparmorProfile = appArmorProfile |
| } |
| s := &specs.Spec{Process: p} |
| return WithRlimits(daemon, c)(context.Background(), nil, nil, s) |
| } |