package daemon // import "github.com/docker/docker/daemon"

import (
	"context"

	"github.com/containerd/containerd/pkg/apparmor"
	"github.com/docker/docker/container"
	"github.com/docker/docker/daemon/exec"
	"github.com/docker/docker/oci/caps"
	specs "github.com/opencontainers/runtime-spec/specs-go"
)

// execSetPlatformOpt fills in the Linux-specific parts of the OCI process
// spec p for an exec request ec running inside container c: the user to run
// as, the capability sets for a privileged exec, the AppArmor profile on
// hosts that support AppArmor, and finally whatever WithRlimits(daemon, c)
// applies to a spec wrapping p. It returns the first error encountered.
func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config, p *specs.Process) error {
	// Resolve the requested user against the container, if one was given.
	if ec.User != "" {
		var err error
		p.User, err = getUser(c, ec.User)
		if err != nil {
			return err
		}
	}

	// A privileged exec gets the full capability set in every set we
	// populate here. The existing Capabilities struct is reused when present
	// so that fields we do not touch (e.g. Ambient) are left as they were.
	if ec.Privileged {
		all := caps.GetAllCapabilities()
		if p.Capabilities == nil {
			p.Capabilities = &specs.LinuxCapabilities{}
		}
		p.Capabilities.Bounding = all
		p.Capabilities.Permitted = all
		// NOTE(review): Inheritable is populated with the same full set as
		// Bounding/Permitted/Effective; confirm that is intended rather than
		// leaving Inheritable untouched.
		p.Capabilities.Inheritable = all
		p.Capabilities.Effective = all
	}

	if apparmor.HostSupports() {
		var profile string
		switch {
		case c.AppArmorProfile != "":
			// An explicit profile on the container always wins.
			profile = c.AppArmorProfile
		case c.HostConfig.Privileged:
			// Only the container's privileged flag disables confinement;
			// `docker exec --privileged` on its own does not.
			profile = unconfinedAppArmorProfile
		default:
			profile = defaultAppArmorProfile
		}

		if profile == defaultAppArmorProfile {
			// The default profile is not installed under /etc/apparmor.d and
			// can be unloaded behind our back (e.g. by unattended upgrades),
			// so make sure it is loaded before handing it to the runtime.
			if err := ensureDefaultAppArmorProfile(); err != nil {
				return err
			}
		}
		p.ApparmorProfile = profile
	}

	// Run the rlimit option over a spec that carries only the process.
	applyRlimits := WithRlimits(daemon, c)
	spec := &specs.Spec{Process: p}
	return applyRlimits(context.Background(), nil, nil, spec)
}