Tizen_4.0 base
[platform/upstream/docker-engine.git] / daemon / exec_linux.go
1 package daemon
2
3 import (
4         "github.com/docker/docker/container"
5         "github.com/docker/docker/daemon/caps"
6         "github.com/docker/docker/daemon/exec"
7         "github.com/docker/docker/libcontainerd"
8         "github.com/opencontainers/runc/libcontainer/apparmor"
9         "github.com/opencontainers/runtime-spec/specs-go"
10 )
11
// execSetPlatformOpt applies the Linux-specific settings for an exec request
// to the process description p: the user to run as, the capability set for a
// privileged exec, and a reload of the default AppArmor profile when that is
// the profile selected for the container.
//
// It returns the error reported by getUser or ensureDefaultAppArmorProfile,
// and nil otherwise.
func execSetPlatformOpt(c *container.Container, ec *exec.Config, p *libcontainerd.Process) error {
	// An explicit exec user is translated by getUser (defined elsewhere) into
	// the uid, gid and additional gids recorded on the process.
	if len(ec.User) != 0 {
		uid, gid, extraGids, err := getUser(c, ec.User)
		if err != nil {
			return err
		}
		p.User = &specs.User{UID: uid, GID: gid, AdditionalGids: extraGids}
	}

	// A privileged exec is handed the full list from caps.GetAllCapabilities,
	// regardless of how the container itself was started.
	if ec.Privileged {
		p.Capabilities = caps.GetAllCapabilities()
	}

	if !apparmor.IsEnabled() {
		return nil
	}

	// Profile selection: an explicit container profile wins, a privileged
	// container is "unconfined", everything else gets "docker-default".
	// NOTE(review): only c.HostConfig.Privileged is consulted here, not
	// ec.Privileged, so a privileged exec in an unprivileged container still
	// selects the container's profile — confirm this is intended.
	var profile string
	switch {
	case c.AppArmorProfile != "":
		profile = c.AppArmorProfile
	case c.HostConfig.Privileged:
		profile = "unconfined"
	default:
		profile = "docker-default"
	}

	// NOTE(review): the selected profile is never written to p in this
	// function; it only decides whether the default profile is reloaded.
	// Whether the exec'd process ends up confined by it depends on code not
	// shown here — verify that the profile is applied to exec processes.
	if profile != "docker-default" {
		return nil
	}

	// Host services such as unattended upgrades can unload AppArmor profiles
	// inadvertently. The profile cannot be stored in /etc/apparmor.d, and
	// there is no practical way to tell the system to keep it loaded, so it
	// is reloaded on demand to keep the default profile in force.
	return ensureDefaultAppArmorProfile()
}