Specific cap-drop command
Signed-off-by: zhouhao <[email protected]>
zhouhao committed Jul 31, 2017
1 parent 04958ba commit f0e5a5e
Showing 4 changed files with 174 additions and 109 deletions.
76 changes: 53 additions & 23 deletions cmd/oci-runtime-tool/generate.go
Expand Up @@ -76,14 +76,17 @@ var generateFlags = []cli.Flag{
cli.StringFlag{Name: "mount-cgroups", Value: "no", Usage: "mount cgroups (rw,ro,no)"},
cli.StringFlag{Name: "output", Usage: "output file (defaults to stdout)"},
cli.BoolFlag{Name: "privileged", Usage: "enable privileged container settings"},
cli.StringSliceFlag{Name: "process-cap-add", Usage: "add Linux capabilities"},
cli.StringSliceFlag{Name: "process-cap-add-ambient", Usage: "add Linux ambient capabilities"},
cli.StringSliceFlag{Name: "process-cap-add-bounding", Usage: "add Linux bounding capabilities"},
cli.StringSliceFlag{Name: "process-cap-add-effective", Usage: "add Linux effective capabilities"},
cli.StringSliceFlag{Name: "process-cap-add-inheritable", Usage: "add Linux inheritable capabilities"},
cli.StringSliceFlag{Name: "process-cap-add-permitted", Usage: "add Linux permitted capabilities"},
cli.StringSliceFlag{Name: "process-cap-drop", Usage: "drop Linux capabilities"},
cli.BoolFlag{Name: "process-cap-drop-all", Usage: "drop all Linux capabilities"},
cli.StringSliceFlag{Name: "process-cap-drop-ambient", Usage: "drop Linux ambient capabilities"},
cli.StringSliceFlag{Name: "process-cap-drop-bounding", Usage: "drop Linux bounding capabilities"},
cli.StringSliceFlag{Name: "process-cap-drop-effective", Usage: "drop Linux effective capabilities"},
cli.StringSliceFlag{Name: "process-cap-drop-inheritable", Usage: "drop Linux inheritable capabilities"},
cli.StringSliceFlag{Name: "process-cap-drop-permitted", Usage: "drop Linux permitted capabilities"},
cli.StringFlag{Name: "process-consolesize", Usage: "specifies the console size in characters (width:height)"},
cli.StringFlag{Name: "process-cwd", Value: "/", Usage: "current working directory for the process"},
cli.IntFlag{Name: "process-gid", Usage: "gid for the process"},
Expand Down Expand Up @@ -264,19 +267,10 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {

g.SetupPrivileged(context.Bool("privileged"))

if context.IsSet("process-cap-add") {
addCaps := context.StringSlice("process-cap-add")
for _, cap := range addCaps {
if err := g.AddProcessCapability(cap); err != nil {
return err
}
}
}

if context.IsSet("process-cap-add-ambient") {
addCaps := context.StringSlice("process-cap-add-ambient")
for _, cap := range addCaps {
if err := g.AddProcessAmbientCapability(cap); err != nil {
if err := g.AddProcessCapabilityAmbient(cap); err != nil {
return err
}
}
Expand All @@ -285,7 +279,7 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
if context.IsSet("process-cap-add-bounding") {
addCaps := context.StringSlice("process-cap-add-bounding")
for _, cap := range addCaps {
if err := g.AddProcessBoundingCapability(cap); err != nil {
if err := g.AddProcessCapabilityBounding(cap); err != nil {
return err
}
}
Expand All @@ -294,7 +288,7 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
if context.IsSet("process-cap-add-effective") {
addCaps := context.StringSlice("process-cap-add-effective")
for _, cap := range addCaps {
if err := g.AddProcessEffectiveCapability(cap); err != nil {
if err := g.AddProcessCapabilityEffective(cap); err != nil {
return err
}
}
Expand All @@ -303,7 +297,7 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
if context.IsSet("process-cap-add-inheritable") {
addCaps := context.StringSlice("process-cap-add-inheritable")
for _, cap := range addCaps {
if err := g.AddProcessInheritableCapability(cap); err != nil {
if err := g.AddProcessCapabilityInheritable(cap); err != nil {
return err
}
}
Expand All @@ -312,16 +306,56 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
if context.IsSet("process-cap-add-permitted") {
addCaps := context.StringSlice("process-cap-add-permitted")
for _, cap := range addCaps {
if err := g.AddProcessPermittedCapability(cap); err != nil {
if err := g.AddProcessCapabilityPermitted(cap); err != nil {
return err
}
}
}

if context.Bool("process-cap-drop-all") {
g.ClearProcessCapabilities()
}

if context.IsSet("process-cap-drop-ambient") {
dropCaps := context.StringSlice("process-cap-drop-ambient")
for _, cap := range dropCaps {
if err := g.DropProcessCapabilityAmbient(cap); err != nil {
return err
}
}
}

if context.IsSet("process-cap-drop-bounding") {
dropCaps := context.StringSlice("process-cap-drop-bounding")
for _, cap := range dropCaps {
if err := g.DropProcessCapabilityBounding(cap); err != nil {
return err
}
}
}

if context.IsSet("process-cap-drop-effective") {
dropCaps := context.StringSlice("process-cap-drop-effective")
for _, cap := range dropCaps {
if err := g.DropProcessCapabilityEffective(cap); err != nil {
return err
}
}
}

if context.IsSet("process-cap-drop") {
dropCaps := context.StringSlice("process-cap-drop")
if context.IsSet("process-cap-drop-inheritable") {
dropCaps := context.StringSlice("process-cap-drop-inheritable")
for _, cap := range dropCaps {
if err := g.DropProcessCapability(cap); err != nil {
if err := g.DropProcessCapabilityInheritable(cap); err != nil {
return err
}
}
}

if context.IsSet("process-cap-drop-permitted") {
dropCaps := context.StringSlice("process-cap-drop-permitted")
for _, cap := range dropCaps {
if err := g.DropProcessCapabilityPermitted(cap); err != nil {
return err
}
}
Expand All @@ -336,10 +370,6 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
g.SetProcessConsoleSize(width, height)
}

if context.Bool("process-cap-drop-all") {
g.ClearProcessCapabilities()
}

var uidMaps, gidMaps []string

if context.IsSet("linux-uidmappings") {
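Review bot: The `process-cap-drop-all` block now sits directly after the six add-* loops (it was moved up from its old place after the console-size handling, shown removed at the start of the last hunk), so `g.ClearProcessCapabilities()` still runs after every `--process-cap-add-*` value has been applied, regardless of the order the flags appear on the command line; a user who combines `--process-cap-drop-all` with, say, `--process-cap-add-bounding CAP_NET_BIND_SERVICE` to build an allow-list presumably ends up with no capabilities at all, exactly as before the commit. If allow-list semantics are intended, the clear belongs ahead of the add loops; otherwise the precedence should be stated on the flag, e.g. `cli.BoolFlag{Name: "process-cap-drop-all", Usage: "drop all Linux capabilities (applied after any --process-cap-add-* flags)"}`. setupSpec starts and ends outside these hunks, so I cannot see whether anything later re-adds capabilities. As a point of style, the six drop-* blocks (and the six add-* blocks above them) differ only in flag name and generator method, so a single loop over a table of `{flag string; apply func(string) error}` pairs would shrink the hunk and make the evaluation order visible in one place.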
5 changes: 5 additions & 0 deletions completions/bash/oci-runtime-tool
Expand Up @@ -362,6 +362,11 @@ _oci-runtime-tool_generate() {
--process-cap-add-effective
--process-cap-add-inheritable
--process-cap-add-permitted
--process-cap-drop-ambient
--process-cap-drop-bounding
--process-cap-drop-effective
--process-cap-drop-inheritable
--process-cap-drop-permitted
--process-consolesize
--process-cwd
--process-gid
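Review bot: This section adds the five `--process-cap-drop-*` completions but records no deletions, while the generate.go hunk drops the `process-cap-add` and `process-cap-drop` flags; if those two names are still listed above this hunk (not visible here), the completion now offers flags the tool rejects. They should be removed from the completion list in the same commit so it stays in step with the flag table.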
