generate: add cap-drop-all option

Signed-off-by: zhouhao <[email protected]>

Author: zhouhao

cmd/oci-runtime-tool/generate.go

@@ -24,6 +24,7 @@ var generateFlags = []cli.Flag{
 	cli.StringSliceFlag{Name: "bind", Usage: "bind mount directories src:dest[:options...]"},
 	cli.StringSliceFlag{Name: "cap-add", Usage: "add Linux capabilities"},
 	cli.StringSliceFlag{Name: "cap-drop", Usage: "drop Linux capabilities"},
+	cli.BoolFlag{Name: "cap-drop-all", Usage: "drop all Linux capabilities"},
 	cli.StringFlag{Name: "cgroups-path", Usage: "specify the path to the cgroups"},
 	cli.StringFlag{Name: "cwd", Value: "/", Usage: "current working directory for the process"},
 	cli.StringSliceFlag{Name: "device-add", Usage: "add a device which must be made available in the container"},
@@ -279,6 +280,10 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 		}
 	}
 
+	if context.Bool("cap-drop-all") {
+		g.ClearProcessCapabilities()
+	}
+
 	var uidMaps, gidMaps []string
 
 	if context.IsSet("uidmappings") {

completions/bash/oci-runtime-tool

@@ -368,6 +368,7 @@ _oci-runtime-tool_generate() {
 	"
 
 	local boolean_options="
+		--cap-drop-all
 		--device-remove-all
 		--disable-oom-kill
 		--help -h

man/oci-runtime-tool-generate.1.md

@@ -45,6 +45,9 @@ read the configuration from `config.json`.
 **--cap-drop**=[]
   Drop Linux capabilities
 
+**--cap-drop-all**true|false
+  Drop all Linux capabilities
+
 **--cgroups-path**=""
   Specifies the path to the cgroups relative to the cgroups mount point.