hub / github.com/moby/moby / execSetPlatformOpt

Method execSetPlatformOpt

daemon/exec_linux.go:44–95  ·  view source on GitHub ↗
(ctx context.Context, daemonCfg *config.Config, ec *container.ExecConfig, p *specs.Process)

Source from the content-addressed store, hash-verified

42}
43
// execSetPlatformOpt fills in the Linux-specific, security-relevant fields of
// the exec process spec p from the exec configuration ec: the user, the
// capability sets, and the AppArmor profile. It then runs the option returned
// by withRlimits against a spec that wraps p.
//
// It returns the first error reported by user resolution, by loading the
// default AppArmor profile, or by the withRlimits option.
func (daemon *Daemon) execSetPlatformOpt(ctx context.Context, daemonCfg *config.Config, ec *container.ExecConfig, p *specs.Process) error {
	// An empty ec.User leaves p.User exactly as the caller prepared it.
	if ec.User != "" {
		var err error
		// The lookup path depends on whether the daemon uses a snapshotter.
		if daemon.UsesSnapshotter() {
			p.User, err = getUserFromContainerd(ctx, daemon.containerdClient, ec)
		} else {
			p.User, err = getUser(ec.Container, ec.User)
		}
		if err != nil {
			return err
		}
	}

	// A privileged exec gets every capability in its Bounding, Permitted and
	// Effective sets. Only those three fields are populated; the remaining
	// fields of the struct (Inheritable, Ambient) stay at their zero value.
	// A non-privileged exec keeps whatever p.Capabilities already holds.
	if ec.Privileged {
		p.Capabilities = &specs.LinuxCapabilities{
			Bounding:  caps.GetAllCapabilities(),
			Permitted: caps.GetAllCapabilities(),
			Effective: caps.GetAllCapabilities(),
		}
	}

	if appArmorSupported() {
		// Profile precedence: an explicit container profile first, then
		// unconfined for a privileged container, otherwise the default.
		var profile string
		switch {
		case ec.Container.AppArmorProfile != "":
			profile = ec.Container.AppArmorProfile
		case ec.Container.HostConfig.Privileged:
			// `docker exec --privileged` does not currently disable AppArmor
			// profiles: ec.Privileged is not consulted here. Only the
			// privileged configuration of the container itself is inherited.
			profile = unconfinedAppArmorProfile
		default:
			profile = defaultAppArmorProfile
		}

		if profile == defaultAppArmorProfile {
			// Unattended upgrades and similar services can unload AppArmor
			// profiles inadvertently. The profile cannot be stored in
			// /etc/apparmor.d, and there is no other practical way to tell
			// the system to keep it loaded, so it is loaded again here if it
			// is missing. A failure aborts the exec setup.
			if err := loadDefaultAppArmorProfileIfMissing(); err != nil {
				return err
			}
		}
		p.ApparmorProfile = profile
	}

	// The option returned by withRlimits takes a full spec, so p is wrapped in
	// one; the two middle arguments are passed as nil.
	applyRlimits := withRlimits(daemon, daemonCfg, ec.Container)
	return applyRlimits(ctx, nil, nil, &specs.Spec{Process: p})
}

Callers 2

ContainerExecStartMethod · 0.95

Calls 7

UsesSnapshotterMethod · 0.95
GetAllCapabilitiesFunction · 0.92
getUserFromContainerdFunction · 0.85
withRlimitsFunction · 0.85
getUserFunction · 0.70
appArmorSupportedFunction · 0.70

Tested by 1