4 "github.com/docker/docker/container"
5 "github.com/docker/docker/daemon/caps"
6 "github.com/docker/docker/daemon/exec"
7 "github.com/docker/docker/libcontainerd"
8 "github.com/opencontainers/runc/libcontainer/apparmor"
9 "github.com/opencontainers/runtime-spec/specs-go"
12 func execSetPlatformOpt(c *container.Container, ec *exec.Config, p *libcontainerd.Process) error {
14 uid, gid, additionalGids, err := getUser(c, ec.User)
21 AdditionalGids: additionalGids,
25 p.Capabilities = caps.GetAllCapabilities()
27 if apparmor.IsEnabled() {
28 var appArmorProfile string
29 if c.AppArmorProfile != "" {
30 appArmorProfile = c.AppArmorProfile
31 } else if c.HostConfig.Privileged {
32 appArmorProfile = "unconfined"
34 appArmorProfile = "docker-default"
37 if appArmorProfile == "docker-default" {
38 // Unattended upgrades and other fun services can unload AppArmor
39 // profiles inadvertently. Since we cannot store our profile in
40 // /etc/apparmor.d, nor can we practically add other ways of
41 // telling the system to keep our profile loaded, in order to make
42 // sure that we keep the default profile enabled we dynamically
43 // reload it if necessary.
44 if err := ensureDefaultAppArmorProfile(); err != nil {