123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596 |
- package daemon // import "github.com/docker/docker/daemon"
- import (
- "context"
- "github.com/containerd/containerd"
- coci "github.com/containerd/containerd/oci"
- "github.com/containerd/containerd/pkg/apparmor"
- "github.com/docker/docker/container"
- "github.com/docker/docker/daemon/config"
- "github.com/docker/docker/oci/caps"
- specs "github.com/opencontainers/runtime-spec/specs-go"
- )
- func getUserFromContainerd(ctx context.Context, containerdCli *containerd.Client, ec *container.ExecConfig) (specs.User, error) {
- ctr, err := containerdCli.LoadContainer(ctx, ec.Container.ID)
- if err != nil {
- return specs.User{}, err
- }
- cinfo, err := ctr.Info(ctx)
- if err != nil {
- return specs.User{}, err
- }
- spec, err := ctr.Spec(ctx)
- if err != nil {
- return specs.User{}, err
- }
- opts := []coci.SpecOpts{
- coci.WithUser(ec.User),
- coci.WithAdditionalGIDs(ec.User),
- coci.WithAppendAdditionalGroups(ec.Container.HostConfig.GroupAdd...),
- }
- for _, opt := range opts {
- if err := opt(ctx, containerdCli, &cinfo, spec); err != nil {
- return specs.User{}, err
- }
- }
- return spec.Process.User, nil
- }
- func (daemon *Daemon) execSetPlatformOpt(ctx context.Context, daemonCfg *config.Config, ec *container.ExecConfig, p *specs.Process) error {
- if len(ec.User) > 0 {
- var err error
- if daemon.UsesSnapshotter() {
- p.User, err = getUserFromContainerd(ctx, daemon.containerdClient, ec)
- if err != nil {
- return err
- }
- } else {
- p.User, err = getUser(ec.Container, ec.User)
- if err != nil {
- return err
- }
- }
- }
- if ec.Privileged {
- p.Capabilities = &specs.LinuxCapabilities{
- Bounding: caps.GetAllCapabilities(),
- Permitted: caps.GetAllCapabilities(),
- Effective: caps.GetAllCapabilities(),
- }
- }
- if apparmor.HostSupports() {
- var appArmorProfile string
- if ec.Container.AppArmorProfile != "" {
- appArmorProfile = ec.Container.AppArmorProfile
- } else if ec.Container.HostConfig.Privileged {
- // `docker exec --privileged` does not currently disable AppArmor
- // profiles. Privileged configuration of the container is inherited
- appArmorProfile = unconfinedAppArmorProfile
- } else {
- appArmorProfile = defaultAppArmorProfile
- }
- if appArmorProfile == defaultAppArmorProfile {
- // Unattended upgrades and other fun services can unload AppArmor
- // profiles inadvertently. Since we cannot store our profile in
- // /etc/apparmor.d, nor can we practically add other ways of
- // telling the system to keep our profile loaded, in order to make
- // sure that we keep the default profile enabled we dynamically
- // reload it if necessary.
- if err := ensureDefaultAppArmorProfile(); err != nil {
- return err
- }
- }
- p.ApparmorProfile = appArmorProfile
- }
- s := &specs.Spec{Process: p}
- return withRlimits(daemon, daemonCfg, ec.Container)(ctx, nil, nil, s)
- }
|