package daemon // import "github.com/docker/docker/daemon"

import (
	"context"

	"github.com/containerd/containerd/pkg/apparmor"
	"github.com/docker/docker/container"
	"github.com/docker/docker/daemon/exec"
	"github.com/docker/docker/oci/caps"
	specs "github.com/opencontainers/runtime-spec/specs-go"
)

// execSetPlatformOpt fills in the Linux-specific parts of the OCI process
// spec p for an exec session running inside container c, driven by the exec
// configuration ec:
//
//   - p.User is resolved through getUser when ec.User was given;
//   - a privileged exec gets the full capability list in the bounding,
//     permitted and effective sets. The inheritable and ambient sets are
//     left at their zero value, so no capability is granted there;
//   - when the host supports AppArmor, p.ApparmorProfile is taken from the
//     container's own profile, or set to the unconfined profile for a
//     privileged container, or to the daemon default. The default profile
//     is (re)loaded before use because it can be unloaded behind the
//     daemon's back;
//   - WithRlimits is then applied to a spec wrapping p.
//
// ec.Privileged only widens capabilities: the AppArmor profile follows the
// container's HostConfig.Privileged flag, not the exec's privileged flag.
//
// Errors from user lookup, profile loading or WithRlimits are returned as-is.
func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config, p *specs.Process) error {
	if ec.User != "" {
		var err error
		if p.User, err = getUser(c, ec.User); err != nil {
			return err
		}
	}

	if ec.Privileged {
		// Full capability set, but only in bounding/permitted/effective;
		// inheritable and ambient stay empty.
		p.Capabilities = &specs.LinuxCapabilities{
			Bounding:  caps.GetAllCapabilities(),
			Permitted: caps.GetAllCapabilities(),
			Effective: caps.GetAllCapabilities(),
		}
	}

	if apparmor.HostSupports() {
		var profile string
		switch {
		case c.AppArmorProfile != "":
			profile = c.AppArmorProfile
		case c.HostConfig.Privileged:
			// `docker exec --privileged` does not disable AppArmor on its
			// own; the container's privileged configuration is inherited.
			profile = unconfinedAppArmorProfile
		default:
			profile = defaultAppArmorProfile
		}

		if profile == defaultAppArmorProfile {
			// Unattended upgrades and similar services can unload AppArmor
			// profiles without the daemon noticing. The profile cannot be
			// stored in /etc/apparmor.d and there is no practical way to
			// tell the system to keep it loaded, so the default profile is
			// reloaded on demand to keep it in effect for the exec.
			if err := ensureDefaultAppArmorProfile(); err != nil {
				return err
			}
		}
		p.ApparmorProfile = profile
	}

	// WithRlimits is invoked directly as a spec option: background context,
	// no client and no containerd container handle, only the spec.
	spec := &specs.Spec{Process: p}
	return WithRlimits(daemon, c)(context.Background(), nil, nil, spec)
}