github.com/docker/docker@v299999999.0.0-20200612211812-aaf470eca7b5+incompatible/daemon/exec_linux.go (about) 1 package daemon // import "github.com/docker/docker/daemon" 2 3 import ( 4 "context" 5 6 "github.com/docker/docker/container" 7 "github.com/docker/docker/daemon/exec" 8 "github.com/docker/docker/oci/caps" 9 "github.com/opencontainers/runc/libcontainer/apparmor" 10 specs "github.com/opencontainers/runtime-spec/specs-go" 11 ) 12 13 func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config, p *specs.Process) error { 14 if len(ec.User) > 0 { 15 uid, gid, additionalGids, err := getUser(c, ec.User) 16 if err != nil { 17 return err 18 } 19 p.User = specs.User{ 20 UID: uid, 21 GID: gid, 22 AdditionalGids: additionalGids, 23 } 24 } 25 if ec.Privileged { 26 if p.Capabilities == nil { 27 p.Capabilities = &specs.LinuxCapabilities{} 28 } 29 p.Capabilities.Bounding = caps.GetAllCapabilities() 30 p.Capabilities.Permitted = p.Capabilities.Bounding 31 p.Capabilities.Inheritable = p.Capabilities.Bounding 32 p.Capabilities.Effective = p.Capabilities.Bounding 33 } 34 if apparmor.IsEnabled() { 35 var appArmorProfile string 36 if c.AppArmorProfile != "" { 37 appArmorProfile = c.AppArmorProfile 38 } else if c.HostConfig.Privileged { 39 // `docker exec --privileged` does not currently disable AppArmor 40 // profiles. Privileged configuration of the container is inherited 41 appArmorProfile = unconfinedAppArmorProfile 42 } else { 43 appArmorProfile = defaultAppArmorProfile 44 } 45 46 if appArmorProfile == defaultAppArmorProfile { 47 // Unattended upgrades and other fun services can unload AppArmor 48 // profiles inadvertently. Since we cannot store our profile in 49 // /etc/apparmor.d, nor can we practically add other ways of 50 // telling the system to keep our profile loaded, in order to make 51 // sure that we keep the default profile enabled we dynamically 52 // reload it if necessary. 53 if err := ensureDefaultAppArmorProfile(); err != nil { 54 return err 55 } 56 } 57 p.ApparmorProfile = appArmorProfile 58 } 59 s := &specs.Spec{Process: p} 60 return WithRlimits(daemon, c)(context.Background(), nil, nil, s) 61 }