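// +build linux

package libcontainer

import (
	"fmt"
	"os"

	"github.com/opencontainers/runc/libcontainer/apparmor"
	"github.com/opencontainers/runc/libcontainer/keys"
	"github.com/opencontainers/runc/libcontainer/label"
	"github.com/opencontainers/runc/libcontainer/seccomp"
	"github.com/opencontainers/runc/libcontainer/system"
)

// linuxSetnsInit performs the container's initialization for running a new process
// inside an existing container.
type linuxSetnsInit struct {
	config *initConfig
}

// getSessionRingName returns the name of the session keyring this process
// joins. It is derived from the container ID so the ring is per-container
// rather than the parent's.
func (l *linuxSetnsInit) getSessionRingName() string {
	return fmt.Sprintf("_ses.%s", l.config.ContainerId)
}

// Init applies the process's isolation and security settings in order and
// then replaces the current process image with the requested command. On
// success it does not return; a non-nil error means one of the steps below
// failed before the exec.
//
// Order matters: the seccomp filter is installed before finalizeNamespace,
// apparmor.ApplyProfile, label.SetProcessLabel and the final exec, so the
// seccomp profile has to permit whatever syscalls those later steps make.
func (l *linuxSetnsInit) Init() error {
	// Reject an empty argv up front: indexing Args[0] on the exec line would
	// otherwise panic inside the init process instead of reporting an error.
	if len(l.config.Args) == 0 {
		return fmt.Errorf("setns init: args must not be empty")
	}
	if !l.config.Config.NoNewKeyring {
		// do not inherit the parent's session keyring
		if _, err := keys.JoinSessionKeyring(l.getSessionRingName()); err != nil {
			return err
		}
	}
	if l.config.NoNewPrivileges {
		// One-way flag: once set the kernel never clears it, and it survives exec.
		if err := system.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
			return err
		}
	}
	if l.config.Config.Seccomp != nil {
		if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {
			return err
		}
	}
	if err := finalizeNamespace(l.config); err != nil {
		return err
	}
	if err := apparmor.ApplyProfile(l.config.AppArmorProfile); err != nil {
		return err
	}
	if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
		return err
	}
	// Args is the full argv (program name included) for the new image.
	// NOTE(review): Args[0] is passed as given; whether system.Execv resolves
	// it against PATH is not visible here — confirm in the system package.
	return system.Execv(l.config.Args[0], l.config.Args, os.Environ())
}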