| 42 | } |
| 43 | |
// execSetPlatformOpt fills in the platform-specific parts of the OCI process
// spec p for an exec session described by ec: the resolved user, the
// capability sets for a privileged exec, the AppArmor profile, and the
// container's rlimits.
//
// The user is looked up through containerd when the daemon runs with the
// containerd snapshotter, and from the container's rootfs otherwise. A
// privileged exec receives the full capability set in the bounding,
// permitted and effective sets; the inheritable and ambient sets are left
// unset. The AppArmor profile is chosen from the container (explicit
// profile, or unconfined when the *container* is privileged); ec.Privileged
// on its own does not affect the profile. Returns the first error from user
// resolution, AppArmor profile loading, or rlimit application.
func (daemon *Daemon) execSetPlatformOpt(ctx context.Context, daemonCfg *config.Config, ec *container.ExecConfig, p *specs.Process) error {
	if ec.User != "" {
		// Both lookups assign p.User directly so that a single error check
		// suffices; the returned error is propagated untouched.
		var err error
		switch {
		case daemon.UsesSnapshotter():
			p.User, err = getUserFromContainerd(ctx, daemon.containerdClient, ec)
		default:
			p.User, err = getUser(ec.Container, ec.User)
		}
		if err != nil {
			return err
		}
	}

	if ec.Privileged {
		// Each set gets its own slice from GetAllCapabilities so the three
		// fields do not alias one another.
		p.Capabilities = &specs.LinuxCapabilities{
			Bounding:  caps.GetAllCapabilities(),
			Permitted: caps.GetAllCapabilities(),
			Effective: caps.GetAllCapabilities(),
		}
	}

	if appArmorSupported() {
		var profile string
		switch {
		case ec.Container.AppArmorProfile != "":
			profile = ec.Container.AppArmorProfile
		case ec.Container.HostConfig.Privileged:
			// `docker exec --privileged` does not currently disable AppArmor
			// profiles. Privileged configuration of the container is inherited
			profile = unconfinedAppArmorProfile
		default:
			profile = defaultAppArmorProfile
		}

		// Unattended upgrades and other fun services can unload AppArmor
		// profiles inadvertently. Since we cannot store our profile in
		// /etc/apparmor.d, nor can we practically add other ways of
		// telling the system to keep our profile loaded, in order to make
		// sure that we keep the default profile enabled we load it again
		// if it is missing. This also runs when the container explicitly
		// names the default profile.
		if profile == defaultAppArmorProfile {
			if err := loadDefaultAppArmorProfileIfMissing(); err != nil {
				return err
			}
		}
		p.ApparmorProfile = profile
	}

	// withRlimits expects a full spec; only Process is populated here.
	spec := &specs.Spec{Process: p}
	return withRlimits(daemon, daemonCfg, ec.Container)(ctx, nil, nil, spec)
}