Specific cap-add command

Signed-off-by: zhouhao <[email protected]>

Author: zhouhao

cmd/oci-runtime-tool/generate.go

@@ -83,6 +83,11 @@ var generateFlags = []cli.Flag{
 	cli.StringFlag{Name: "output", Usage: "output file (defaults to stdout)"},
 	cli.BoolFlag{Name: "privileged", Usage: "enable privileged container settings"},
 	cli.StringSliceFlag{Name: "process-cap-add", Usage: "add Linux capabilities"},
+	cli.StringSliceFlag{Name: "process-cap-add-ambient", Usage: "add Linux ambient capabilities"},
+	cli.StringSliceFlag{Name: "process-cap-add-bounding", Usage: "add Linux bounding capabilities"},
+	cli.StringSliceFlag{Name: "process-cap-add-effective", Usage: "add Linux effective capabilities"},
+	cli.StringSliceFlag{Name: "process-cap-add-inheritable", Usage: "add Linux inheritable capabilities"},
+	cli.StringSliceFlag{Name: "process-cap-add-permitted", Usage: "add Linux permitted capabilities"},
 	cli.StringSliceFlag{Name: "process-cap-drop", Usage: "drop Linux capabilities"},
 	cli.BoolFlag{Name: "process-cap-drop-all", Usage: "drop all Linux capabilities"},
 	cli.StringFlag{Name: "process-consolesize", Usage: "specifies the console size in characters (width:height)"},
@@ -274,6 +279,51 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 		}
 	}
 
+	if context.IsSet("process-cap-add-ambient") {
+		addCaps := context.StringSlice("process-cap-add-ambient")
+		for _, cap := range addCaps {
+			if err := g.AddProcessAmbientCapability(cap); err != nil {
+				return err
+			}
+		}
+	}
+
+	if context.IsSet("process-cap-add-bounding") {
+		addCaps := context.StringSlice("process-cap-add-bounding")
+		for _, cap := range addCaps {
+			if err := g.AddProcessBoundingCapability(cap); err != nil {
+				return err
+			}
+		}
+	}
+
+	if context.IsSet("process-cap-add-effective") {
+		addCaps := context.StringSlice("process-cap-add-effective")
+		for _, cap := range addCaps {
+			if err := g.AddProcessEffectiveCapability(cap); err != nil {
+				return err
+			}
+		}
+	}
+
+	if context.IsSet("process-cap-add-inheritable") {
+		addCaps := context.StringSlice("process-cap-add-inheritable")
+		for _, cap := range addCaps {
+			if err := g.AddProcessInheritableCapability(cap); err != nil {
+				return err
+			}
+		}
+	}
+
+	if context.IsSet("process-cap-add-permitted") {
+		addCaps := context.StringSlice("process-cap-add-permitted")
+		for _, cap := range addCaps {
+			if err := g.AddProcessPermittedCapability(cap); err != nil {
+				return err
+			}
+		}
+	}
+
 	if context.IsSet("process-cap-drop") {
 		dropCaps := context.StringSlice("process-cap-drop")
 		for _, cap := range dropCaps {

completions/bash/oci-runtime-tool

@@ -363,8 +363,11 @@ _oci-runtime-tool_generate() {
 		--mount-bind
 		--mount-cgroups
 		--output
-		--process-cap-add
-		--process-cap-drop
+		--process-cap-add-ambient
+		--process-cap-add-bounding
+		--process-cap-add-effective
+		--process-cap-add-inheritable
+		--process-cap-add-permitted
 		--process-consolesize
 		--process-cwd
 		--process-gid

generate/generate.go

@@ -1047,6 +1047,101 @@ func (g *Generator) AddProcessCapability(c string) error {
 	return nil
 }
 
+// AddProcessAmbientCapability adds a process capability into g.spec.Process.Capabilities.Ambient.
+func (g *Generator) AddProcessAmbientCapability(c string) error {
+	cp := strings.ToUpper(c)
+	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
+		return err
+	}
+
+	g.initSpec()
+
+        for _, cap := range g.spec.Process.Capabilities.Ambient {
+                if strings.ToUpper(cap) == cp {
+                        return nil
+                }
+        }
+	g.spec.Process.Capabilities.Ambient = append(g.spec.Process.Capabilities.Ambient, cp)
+
+	return nil
+}
+
+// AddProcessBoundingCapability adds a process capability into g.spec.Process.Capabilities.Bounding.
+func (g *Generator) AddProcessBoundingCapability(c string) error {
+	cp := strings.ToUpper(c)
+	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
+		return err
+	}
+
+	g.initSpec()
+
+        for _, cap := range g.spec.Process.Capabilities.Bounding {
+                if strings.ToUpper(cap) == cp {
+                        return nil
+                }
+        }
+	g.spec.Process.Capabilities.Bounding = append(g.spec.Process.Capabilities.Bounding, cp)
+
+	return nil
+}
+
+// AddProcessEffectiveCapability adds a process capability into g.spec.Process.Capabilities.Effective.
+func (g *Generator) AddProcessEffectiveCapability(c string) error {
+	cp := strings.ToUpper(c)
+	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
+		return err
+	}
+
+	g.initSpec()
+
+        for _, cap := range g.spec.Process.Capabilities.Effective {
+                if strings.ToUpper(cap) == cp {
+                        return nil
+                }
+        }
+	g.spec.Process.Capabilities.Effective = append(g.spec.Process.Capabilities.Effective, cp)
+
+	return nil
+}
+
+// AddProcessInheritableCapability adds a process capability into g.spec.Process.Capabilities.Inheritable.
+func (g *Generator) AddProcessInheritableCapability(c string) error {
+	cp := strings.ToUpper(c)
+	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
+		return err
+	}
+
+	g.initSpec()
+
+        for _, cap := range g.spec.Process.Capabilities.Inheritable {
+                if strings.ToUpper(cap) == cp {
+                        return nil
+                }
+        }
+	g.spec.Process.Capabilities.Inheritable = append(g.spec.Process.Capabilities.Inheritable, cp)
+
+	return nil
+}
+
+// AddProcessPermittedCapability adds a process capability into g.spec.Process.Capabilities.Permitted.
+func (g *Generator) AddProcessPermittedCapability(c string) error {
+	cp := strings.ToUpper(c)
+	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
+		return err
+	}
+
+	g.initSpec()
+
+        for _, cap := range g.spec.Process.Capabilities.Permitted {
+                if strings.ToUpper(cap) == cp {
+                        return nil
+                }
+        }
+	g.spec.Process.Capabilities.Permitted = append(g.spec.Process.Capabilities.Permitted, cp)
+
+	return nil
+}
+
 // DropProcessCapability drops a process capability from g.spec.Process.Capabilities.
 func (g *Generator) DropProcessCapability(c string) error {
 	cp := strings.ToUpper(c)