
     1  package daemon
     2  
     3  import (
     4  	"github.com/docker/docker/container"
     5  	"github.com/docker/docker/daemon/caps"
     6  	"github.com/docker/docker/daemon/exec"
     7  	"github.com/docker/docker/libcontainerd"
     8  	"github.com/opencontainers/runc/libcontainer/apparmor"
     9  	"github.com/opencontainers/runtime-spec/specs-go"
    10  )
    11  
// execSetPlatformOpt applies the Linux-specific parts of an exec request to
// the process description that will be handed to the runtime: the user
// identity, the capability set and the AppArmor bookkeeping.
//
// c is the running container the process is added to, ec is the exec
// configuration supplied by the API caller, and p is mutated in place. The
// only error sources are the user lookup and the reload of the default
// AppArmor profile; both are returned unwrapped.
func execSetPlatformOpt(c *container.Container, ec *exec.Config, p *libcontainerd.Process) error {
	// An explicit user on the exec request overrides the container's user.
	if len(ec.User) > 0 {
		uid, gid, extraGids, err := getUser(c, ec.User)
		if err != nil {
			return err
		}
		p.User = &specs.User{UID: uid, GID: gid, AdditionalGids: extraGids}
	}

	// A privileged exec gets the full capability set regardless of what the
	// container itself was started with.
	if ec.Privileged {
		p.Capabilities = caps.GetAllCapabilities()
	}

	if !apparmor.IsEnabled() {
		return nil
	}

	// Pick the profile the exec'd process is expected to run under. This is
	// keyed on the *container's* privileged flag, not on ec.Privileged:
	// `docker exec --privileged` widens capabilities above but does not relax
	// AppArmor confinement here.
	profile := "docker-default"
	switch {
	case c.AppArmorProfile != "":
		profile = c.AppArmorProfile
	case c.HostConfig.Privileged:
		profile = "unconfined"
	}

	// NOTE(review): the selected profile is never written to p in this
	// function; its only use here is deciding whether the default profile
	// needs to be (re)loaded. Presumably the runtime side inherits the
	// container's profile for added processes — confirm, because if it does
	// not, the exec'd process would run without the intended confinement.
	if profile == "docker-default" {
		// Unattended upgrades and other fun services can unload AppArmor
		// profiles inadvertently. Since we cannot store our profile in
		// /etc/apparmor.d, nor can we practically add other ways of
		// telling the system to keep our profile loaded, in order to make
		// sure that we keep the default profile enabled we dynamically
		// reload it if necessary.
		return ensureDefaultAppArmorProfile()
	}
	return nil
}