exec_linux.go 1.7 KB

  1. package daemon // import "github.com/docker/docker/daemon"
  2. import (
  3. "context"
  4. "github.com/containerd/containerd/pkg/apparmor"
  5. "github.com/docker/docker/container"
  6. "github.com/docker/docker/oci/caps"
  7. specs "github.com/opencontainers/runtime-spec/specs-go"
  8. )
// execSetPlatformOpt fills in the Linux-specific parts of the OCI process
// spec for an exec session: the requested user, the capability set for a
// privileged exec, the AppArmor profile, and the container's rlimits.
//
// ctx is passed through to the rlimit spec option; ec carries the exec
// request together with its container; p is the process spec under
// construction and is mutated in place. The first error from user lookup,
// AppArmor profile reloading, or rlimit application is returned.
//
// Security notes (from the code as written here):
//   - ec.Privileged grants the exec process the full capability set without
//     consulting ec.Container.HostConfig.Privileged, i.e. an exec can be
//     privileged inside an otherwise unprivileged container.
//   - The AppArmor profile is chosen from the container's configuration
//     only; ec.Privileged has no influence on it.
//   - Nothing else in p (e.g. NoNewPrivileges, SelinuxLabel) is touched.
func (daemon *Daemon) execSetPlatformOpt(ctx context.Context, ec *container.ExecConfig, p *specs.Process) error {
	// Resolve the requested user against the container's user databases.
	// An empty ec.User leaves whatever p.User the caller already set.
	if ec.User != "" {
		resolved, err := getUser(ec.Container, ec.User)
		if err != nil {
			return err
		}
		p.User = resolved
	}

	// `docker exec --privileged`: full capability set in Bounding,
	// Permitted and Effective. Inheritable and Ambient are left nil here;
	// NOTE(review): do not add them without a security review of the
	// implications for execs run as a non-root user.
	if ec.Privileged {
		p.Capabilities = &specs.LinuxCapabilities{
			Bounding:  caps.GetAllCapabilities(),
			Permitted: caps.GetAllCapabilities(),
			Effective: caps.GetAllCapabilities(),
		}
	}

	if apparmor.HostSupports() {
		var profile string
		switch {
		case ec.Container.AppArmorProfile != "":
			// An explicitly configured profile always wins.
			profile = ec.Container.AppArmorProfile
		case ec.Container.HostConfig.Privileged:
			// Only the container's own privileged flag relaxes AppArmor;
			// `docker exec --privileged` does not disable the profile.
			profile = unconfinedAppArmorProfile
		default:
			profile = defaultAppArmorProfile
		}

		// The default profile is loaded by the daemon rather than from
		// /etc/apparmor.d, so other services (e.g. unattended upgrades)
		// can unload it behind our back. Reload it on demand so the exec
		// never silently runs unconfined. This also fires when the
		// container explicitly names the default profile.
		if profile == defaultAppArmorProfile {
			if err := ensureDefaultAppArmorProfile(); err != nil {
				return err
			}
		}
		p.ApparmorProfile = profile
	}

	// WithRlimits operates on a full spec; wrap p in a throwaway one so the
	// container's ulimits land on this process.
	spec := &specs.Spec{Process: p}
	return WithRlimits(daemon, ec.Container)(ctx, nil, nil, spec)
}