
Commit 4f756fd

author
zhouhao
committed
Specific cap-drop command
Signed-off-by: zhouhao <[email protected]>
1 parent ea55f9d commit 4f756fd


4 files changed

+188
-136
lines changed


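--- a/cmd/oci-runtime-tool/generate.go
+++ b/cmd/oci-runtime-tool/generate.go
@@ -82,14 +82,17 @@ var generateFlags = []cli.Flag{
 	cli.StringFlag{Name: "mount-cgroups", Value: "no", Usage: "mount cgroups (rw,ro,no)"},
 	cli.StringFlag{Name: "output", Usage: "output file (defaults to stdout)"},
 	cli.BoolFlag{Name: "privileged", Usage: "enable privileged container settings"},
-	cli.StringSliceFlag{Name: "process-cap-add", Usage: "add Linux capabilities"},
 	cli.StringSliceFlag{Name: "process-cap-add-ambient", Usage: "add Linux ambient capabilities"},
 	cli.StringSliceFlag{Name: "process-cap-add-bounding", Usage: "add Linux bounding capabilities"},
 	cli.StringSliceFlag{Name: "process-cap-add-effective", Usage: "add Linux effective capabilities"},
 	cli.StringSliceFlag{Name: "process-cap-add-inheritable", Usage: "add Linux inheritable capabilities"},
 	cli.StringSliceFlag{Name: "process-cap-add-permitted", Usage: "add Linux permitted capabilities"},
-	cli.StringSliceFlag{Name: "process-cap-drop", Usage: "drop Linux capabilities"},
 	cli.BoolFlag{Name: "process-cap-drop-all", Usage: "drop all Linux capabilities"},
+	cli.StringSliceFlag{Name: "process-cap-drop-ambient", Usage: "drop Linux ambient capabilities"},
+	cli.StringSliceFlag{Name: "process-cap-drop-bounding", Usage: "drop Linux bounding capabilities"},
+	cli.StringSliceFlag{Name: "process-cap-drop-effective", Usage: "drop Linux effective capabilities"},
+	cli.StringSliceFlag{Name: "process-cap-drop-inheritable", Usage: "drop Linux inheritable capabilities"},
+	cli.StringSliceFlag{Name: "process-cap-drop-permitted", Usage: "drop Linux permitted capabilities"},
 	cli.StringFlag{Name: "process-consolesize", Usage: "specifies the console size in characters (width:height)"},
 	cli.StringFlag{Name: "process-cwd", Value: "/", Usage: "current working directory for the process"},
 	cli.IntFlag{Name: "process-gid", Usage: "gid for the process"},
@@ -270,19 +273,10 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 
 	g.SetupPrivileged(context.Bool("privileged"))
 
-	if context.IsSet("process-cap-add") {
-		addCaps := context.StringSlice("process-cap-add")
-		for _, cap := range addCaps {
-			if err := g.AddProcessCapability(cap); err != nil {
-				return err
-			}
-		}
-	}
-
 	if context.IsSet("process-cap-add-ambient") {
 		addCaps := context.StringSlice("process-cap-add-ambient")
 		for _, cap := range addCaps {
-			if err := g.AddProcessAmbientCapability(cap); err != nil {
+			if err := g.AddProcessCapabilityAmbient(cap); err != nil {
 				return err
 			}
 		}
@@ -291,7 +285,7 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 	if context.IsSet("process-cap-add-bounding") {
 		addCaps := context.StringSlice("process-cap-add-bounding")
 		for _, cap := range addCaps {
-			if err := g.AddProcessBoundingCapability(cap); err != nil {
+			if err := g.AddProcessCapabilityBounding(cap); err != nil {
 				return err
 			}
 		}
@@ -300,7 +294,7 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 	if context.IsSet("process-cap-add-effective") {
 		addCaps := context.StringSlice("process-cap-add-effective")
 		for _, cap := range addCaps {
-			if err := g.AddProcessEffectiveCapability(cap); err != nil {
+			if err := g.AddProcessCapabilityEffective(cap); err != nil {
 				return err
 			}
 		}
@@ -309,7 +303,7 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 	if context.IsSet("process-cap-add-inheritable") {
 		addCaps := context.StringSlice("process-cap-add-inheritable")
 		for _, cap := range addCaps {
-			if err := g.AddProcessInheritableCapability(cap); err != nil {
+			if err := g.AddProcessCapabilityInheritable(cap); err != nil {
 				return err
 			}
 		}
@@ -318,16 +312,56 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 	if context.IsSet("process-cap-add-permitted") {
 		addCaps := context.StringSlice("process-cap-add-permitted")
 		for _, cap := range addCaps {
-			if err := g.AddProcessPermittedCapability(cap); err != nil {
+			if err := g.AddProcessCapabilityPermitted(cap); err != nil {
+				return err
+			}
+		}
+	}
+
+	if context.Bool("process-cap-drop-all") {
+		g.ClearProcessCapabilities()
+	}
+
+	if context.IsSet("process-cap-drop-ambient") {
+		dropCaps := context.StringSlice("process-cap-drop-ambient")
+		for _, cap := range dropCaps {
+			if err := g.DropProcessCapabilityAmbient(cap); err != nil {
+				return err
+			}
+		}
+	}
+
+	if context.IsSet("process-cap-drop-bounding") {
+		dropCaps := context.StringSlice("process-cap-drop-bounding")
+		for _, cap := range dropCaps {
+			if err := g.DropProcessCapabilityBounding(cap); err != nil {
+				return err
+			}
+		}
+	}
+
+	if context.IsSet("process-cap-drop-effective") {
+		dropCaps := context.StringSlice("process-cap-drop-effective")
+		for _, cap := range dropCaps {
+			if err := g.DropProcessCapabilityEffective(cap); err != nil {
 				return err
 			}
 		}
 	}
 
-	if context.IsSet("process-cap-drop") {
-		dropCaps := context.StringSlice("process-cap-drop")
+	if context.IsSet("process-cap-drop-inheritable") {
+		dropCaps := context.StringSlice("process-cap-drop-inheritable")
 		for _, cap := range dropCaps {
-			if err := g.DropProcessCapability(cap); err != nil {
+			if err := g.DropProcessCapabilityInheritable(cap); err != nil {
+				return err
+			}
+		}
+	}
+
+	if context.IsSet("process-cap-drop-permitted") {
+		dropCaps := context.StringSlice("process-cap-drop-permitted")
+		for _, cap := range dropCaps {
+			if err := g.DropProcessCapabilityPermitted(cap); err != nil {
 				return err
 			}
 		}
@@ -342,10 +376,6 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 		g.SetProcessConsoleSize(width, height)
 	}
 
-	if context.Bool("process-cap-drop-all") {
-		g.ClearProcessCapabilities()
-	}
-
 	var uidMaps, gidMaps []string
 
 	if context.IsSet("linux-uidmappings") {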
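Review bot: Dropping a capability from a single set, which is all each new `--process-cap-drop-<set>` flag does, does not take it away from the container process: a capability dropped only from the effective set can be re-raised with capset(2) while it stays in permitted, and one still present in the bounding set can be regained across execve(2) through file capabilities, so the removed all-sets `--process-cap-drop` has no one-flag replacement here. The Usage strings should say so, e.g. `Usage: "drop Linux effective capabilities (the capability stays in the other sets; drop it from bounding, permitted, inheritable and ambient too to remove it entirely)"`, or `--process-cap-drop` should be kept as a convenience that drops from all five sets if the generate package still offers such a helper (its changes are not on this page). Separately, `--process-cap-drop-all` is now applied right after the `--process-cap-add-*` blocks and silently discards whatever they added; either reject that combination with an error or state the precedence in its Usage string so the generated spec is not quieter than the user intended. setupSpec begins and ends outside these hunks.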

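--- a/completions/bash/oci-runtime-tool
+++ b/completions/bash/oci-runtime-tool
@@ -368,6 +368,11 @@ _oci-runtime-tool_generate() {
 		--process-cap-add-effective
 		--process-cap-add-inheritable
 		--process-cap-add-permitted
+		--process-cap-drop-ambient
+		--process-cap-drop-bounding
+		--process-cap-drop-effective
+		--process-cap-drop-inheritable
+		--process-cap-drop-permitted
 		--process-consolesize
 		--process-cwd
 		--process-gid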
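Review bot: The completion gains the five new `--process-cap-drop-<set>` flags, but nothing in this hunk removes `--process-cap-add` and `--process-cap-drop`, which generate.go no longer defines after this commit; if those two entries are still listed elsewhere in `_oci-runtime-tool_generate` (only lines 368-376 of the function are visible), they should be deleted, since completing a flag the tool now rejects is misleading. The function starts and ends outside the hunk.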
