github.com/docker/docker@v299999999.0.0-20200612211812-aaf470eca7b5+incompatible/daemon/exec_linux.go

github.com/docker/docker@v299999999.0.0-20200612211812-aaf470eca7b5+incompatible/daemon/exec_linux.go (about)

     1  package daemon // import "github.com/docker/docker/daemon"
     2  
     3  import (
     4  	"context"
     5  
     6  	"github.com/docker/docker/container"
     7  	"github.com/docker/docker/daemon/exec"
     8  	"github.com/docker/docker/oci/caps"
     9  	"github.com/opencontainers/runc/libcontainer/apparmor"
    10  	specs "github.com/opencontainers/runtime-spec/specs-go"
    11  )
    12  
    13  func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config, p *specs.Process) error {
    14  	if len(ec.User) > 0 {
    15  		uid, gid, additionalGids, err := getUser(c, ec.User)
    16  		if err != nil {
    17  			return err
    18  		}
    19  		p.User = specs.User{
    20  			UID:            uid,
    21  			GID:            gid,
    22  			AdditionalGids: additionalGids,
    23  		}
    24  	}
    25  	if ec.Privileged {
    26  		if p.Capabilities == nil {
    27  			p.Capabilities = &specs.LinuxCapabilities{}
    28  		}
    29  		p.Capabilities.Bounding = caps.GetAllCapabilities()
    30  		p.Capabilities.Permitted = p.Capabilities.Bounding
    31  		p.Capabilities.Inheritable = p.Capabilities.Bounding
    32  		p.Capabilities.Effective = p.Capabilities.Bounding
    33  	}
    34  	if apparmor.IsEnabled() {
    35  		var appArmorProfile string
    36  		if c.AppArmorProfile != "" {
    37  			appArmorProfile = c.AppArmorProfile
    38  		} else if c.HostConfig.Privileged {
    39  			// `docker exec --privileged` does not currently disable AppArmor
    40  			// profiles. Privileged configuration of the container is inherited
    41  			appArmorProfile = unconfinedAppArmorProfile
    42  		} else {
    43  			appArmorProfile = defaultAppArmorProfile
    44  		}
    45  
    46  		if appArmorProfile == defaultAppArmorProfile {
    47  			// Unattended upgrades and other fun services can unload AppArmor
    48  			// profiles inadvertently. Since we cannot store our profile in
    49  			// /etc/apparmor.d, nor can we practically add other ways of
    50  			// telling the system to keep our profile loaded, in order to make
    51  			// sure that we keep the default profile enabled we dynamically
    52  			// reload it if necessary.
    53  			if err := ensureDefaultAppArmorProfile(); err != nil {
    54  				return err
    55  			}
    56  		}
    57  		p.ApparmorProfile = appArmorProfile
    58  	}
    59  	s := &specs.Spec{Process: p}
    60  	return WithRlimits(daemon, c)(context.Background(), nil, nil, s)
    61  }