2016-03-18 14:50:19 -04:00
|
|
|
package daemon
|
|
|
|
|
|
|
|
import (
|
|
|
|
"github.com/docker/docker/container"
|
|
|
|
"github.com/docker/docker/daemon/caps"
|
|
|
|
"github.com/docker/docker/daemon/exec"
|
2017-03-12 23:57:35 -04:00
|
|
|
"github.com/opencontainers/runc/libcontainer/apparmor"
|
2016-09-27 13:26:59 -04:00
|
|
|
"github.com/opencontainers/runtime-spec/specs-go"
|
2016-03-18 14:50:19 -04:00
|
|
|
)
|
|
|
|
|
2017-09-22 09:52:41 -04:00
|
|
|
func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config, p *specs.Process) error {
|
2016-03-18 14:50:19 -04:00
|
|
|
if len(ec.User) > 0 {
|
|
|
|
uid, gid, additionalGids, err := getUser(c, ec.User)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2017-09-22 09:52:41 -04:00
|
|
|
p.User = specs.User{
|
2016-03-18 14:50:19 -04:00
|
|
|
UID: uid,
|
|
|
|
GID: gid,
|
|
|
|
AdditionalGids: additionalGids,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if ec.Privileged {
|
2017-09-22 09:52:41 -04:00
|
|
|
if p.Capabilities == nil {
|
|
|
|
p.Capabilities = &specs.LinuxCapabilities{}
|
|
|
|
}
|
|
|
|
p.Capabilities.Bounding = caps.GetAllCapabilities()
|
|
|
|
p.Capabilities.Permitted = p.Capabilities.Bounding
|
|
|
|
p.Capabilities.Inheritable = p.Capabilities.Bounding
|
|
|
|
p.Capabilities.Effective = p.Capabilities.Bounding
|
2016-03-18 14:50:19 -04:00
|
|
|
}
|
2017-03-12 23:57:35 -04:00
|
|
|
if apparmor.IsEnabled() {
|
|
|
|
var appArmorProfile string
|
|
|
|
if c.AppArmorProfile != "" {
|
|
|
|
appArmorProfile = c.AppArmorProfile
|
|
|
|
} else if c.HostConfig.Privileged {
|
|
|
|
appArmorProfile = "unconfined"
|
|
|
|
} else {
|
|
|
|
appArmorProfile = "docker-default"
|
|
|
|
}
|
|
|
|
|
|
|
|
if appArmorProfile == "docker-default" {
|
|
|
|
// Unattended upgrades and other fun services can unload AppArmor
|
|
|
|
// profiles inadvertently. Since we cannot store our profile in
|
|
|
|
// /etc/apparmor.d, nor can we practically add other ways of
|
|
|
|
// telling the system to keep our profile loaded, in order to make
|
|
|
|
// sure that we keep the default profile enabled we dynamically
|
|
|
|
// reload it if necessary.
|
|
|
|
if err := ensureDefaultAppArmorProfile(); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2017-09-22 09:52:41 -04:00
|
|
|
daemon.setRlimits(&specs.Spec{Process: p}, c)
|
2016-03-18 14:50:19 -04:00
|
|
|
return nil
|
|
|
|
}
|