| package daemon // import "github.com/docker/docker/daemon" |
| |
| import ( |
| "context" |
| |
| "github.com/containerd/containerd" |
| coci "github.com/containerd/containerd/oci" |
| "github.com/containerd/containerd/pkg/apparmor" |
| "github.com/docker/docker/container" |
| "github.com/docker/docker/daemon/config" |
| "github.com/docker/docker/oci/caps" |
| specs "github.com/opencontainers/runtime-spec/specs-go" |
| ) |
| |
| func getUserFromContainerd(ctx context.Context, containerdCli *containerd.Client, ec *container.ExecConfig) (specs.User, error) { |
| ctr, err := containerdCli.LoadContainer(ctx, ec.Container.ID) |
| if err != nil { |
| return specs.User{}, err |
| } |
| |
| cinfo, err := ctr.Info(ctx) |
| if err != nil { |
| return specs.User{}, err |
| } |
| |
| spec, err := ctr.Spec(ctx) |
| if err != nil { |
| return specs.User{}, err |
| } |
| |
| opts := []coci.SpecOpts{ |
| coci.WithUser(ec.User), |
| coci.WithAdditionalGIDs(ec.User), |
| coci.WithAppendAdditionalGroups(ec.Container.HostConfig.GroupAdd...), |
| } |
| for _, opt := range opts { |
| if err := opt(ctx, containerdCli, &cinfo, spec); err != nil { |
| return specs.User{}, err |
| } |
| } |
| |
| return spec.Process.User, nil |
| } |
| |
| func (daemon *Daemon) execSetPlatformOpt(ctx context.Context, daemonCfg *config.Config, ec *container.ExecConfig, p *specs.Process) error { |
| if len(ec.User) > 0 { |
| var err error |
| if daemon.UsesSnapshotter() { |
| p.User, err = getUserFromContainerd(ctx, daemon.containerdClient, ec) |
| if err != nil { |
| return err |
| } |
| } else { |
| p.User, err = getUser(ec.Container, ec.User) |
| if err != nil { |
| return err |
| } |
| } |
| } |
| |
| if ec.Privileged { |
| p.Capabilities = &specs.LinuxCapabilities{ |
| Bounding: caps.GetAllCapabilities(), |
| Permitted: caps.GetAllCapabilities(), |
| Effective: caps.GetAllCapabilities(), |
| } |
| } |
| |
| if apparmor.HostSupports() { |
| var appArmorProfile string |
| if ec.Container.AppArmorProfile != "" { |
| appArmorProfile = ec.Container.AppArmorProfile |
| } else if ec.Container.HostConfig.Privileged { |
| // `docker exec --privileged` does not currently disable AppArmor |
| // profiles. Privileged configuration of the container is inherited |
| appArmorProfile = unconfinedAppArmorProfile |
| } else { |
| appArmorProfile = defaultAppArmorProfile |
| } |
| |
| if appArmorProfile == defaultAppArmorProfile { |
| // Unattended upgrades and other fun services can unload AppArmor |
| // profiles inadvertently. Since we cannot store our profile in |
| // /etc/apparmor.d, nor can we practically add other ways of |
| // telling the system to keep our profile loaded, in order to make |
| // sure that we keep the default profile enabled we dynamically |
| // reload it if necessary. |
| if err := ensureDefaultAppArmorProfile(); err != nil { |
| return err |
| } |
| } |
| p.ApparmorProfile = appArmorProfile |
| } |
| s := &specs.Spec{Process: p} |
| return withRlimits(daemon, daemonCfg, ec.Container)(ctx, nil, nil, s) |
| } |