
     1  package daemon
     2  
     3  import (
     4  	"github.com/docker/docker/container"
     5  	"github.com/docker/docker/daemon/caps"
     6  	"github.com/docker/docker/daemon/exec"
     7  	"github.com/opencontainers/runc/libcontainer/apparmor"
     8  	"github.com/opencontainers/runtime-spec/specs-go"
     9  )
    10  
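// execSetPlatformOpt applies the Linux-specific parts of an exec request to
// the OCI process spec p that is handed to the runtime for the new process.
//
// It resolves ec.User through getUser, grants the full capability set when
// ec.Privileged is set, selects the AppArmor profile the exec process runs
// under (reloading docker-default first if the host has unloaded it), and
// finally applies the container's rlimits to p via daemon.setRlimits.
//
// Parameters:
//   c  - the container the exec is attached to.
//   ec - the exec configuration supplied by the API caller.
//   p  - the process spec to populate; it is modified in place.
//
// It returns an error when the user cannot be resolved or when the default
// AppArmor profile cannot be (re)loaded; p may be partially populated then.
func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config, p *specs.Process) error {
	if ec.User != "" {
		uid, gid, additionalGids, err := getUser(c, ec.User)
		if err != nil {
			return err
		}
		p.User = specs.User{
			UID:            uid,
			GID:            gid,
			AdditionalGids: additionalGids,
		}
	}

	if ec.Privileged {
		// A privileged exec gets every capability in all four sets. Only the
		// capability sets are widened here; the AppArmor profile below is
		// still derived from the container, not from ec.Privileged. Existing
		// fields of p.Capabilities (e.g. Ambient) are left as they were.
		if p.Capabilities == nil {
			p.Capabilities = &specs.LinuxCapabilities{}
		}
		all := caps.GetAllCapabilities()
		p.Capabilities.Bounding = all
		p.Capabilities.Permitted = all
		p.Capabilities.Inheritable = all
		p.Capabilities.Effective = all
	}

	if apparmor.IsEnabled() {
		// Pick the profile for the exec process: an explicit container profile
		// wins, privileged containers are unconfined, everything else gets the
		// daemon default. NOTE(review): this appears to mirror the selection
		// used when the container's own spec is built — confirm the two stay
		// in sync.
		var appArmorProfile string
		switch {
		case c.AppArmorProfile != "":
			appArmorProfile = c.AppArmorProfile
		case c.HostConfig.Privileged:
			appArmorProfile = "unconfined"
		default:
			appArmorProfile = "docker-default"
		}

		if appArmorProfile == "docker-default" {
			// Unattended upgrades and other fun services can unload AppArmor
			// profiles inadvertently. Since we cannot store our profile in
			// /etc/apparmor.d, nor can we practically add other ways of
			// telling the system to keep our profile loaded, in order to make
			// sure that we keep the default profile enabled we dynamically
			// reload it if necessary.
			if err := ensureDefaultAppArmorProfile(); err != nil {
				return err
			}
		}

		// Record the selected profile on the process spec. Previously the
		// name was only used to decide whether to reload docker-default and
		// was never written to p, so the exec process ran under whatever
		// profile p already carried (possibly none) instead of the one
		// chosen above.
		p.ApparmorProfile = appArmorProfile
	}

	// setRlimits takes a whole Spec, so wrap p in a throwaway one;
	// presumably it only writes Process.Rlimits — verify against setRlimits.
	daemon.setRlimits(&specs.Spec{Process: p}, c)
	return nil
}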