Merge pull request #358 from q384566678/cap-specific

Specific cap-add and cap-drop command

Author: liangchenye

cmd/oci-runtime-tool/generate.go

@@ -82,9 +82,17 @@ var generateFlags = []cli.Flag{
 	cli.StringFlag{Name: "mount-cgroups", Value: "no", Usage: "mount cgroups (rw,ro,no)"},
 	cli.StringFlag{Name: "output", Usage: "output file (defaults to stdout)"},
 	cli.BoolFlag{Name: "privileged", Usage: "enable privileged container settings"},
-	cli.StringSliceFlag{Name: "process-cap-add", Usage: "add Linux capabilities"},
-	cli.StringSliceFlag{Name: "process-cap-drop", Usage: "drop Linux capabilities"},
+	cli.StringSliceFlag{Name: "process-cap-add-ambient", Usage: "add Linux ambient capabilities"},
+	cli.StringSliceFlag{Name: "process-cap-add-bounding", Usage: "add Linux bounding capabilities"},
+	cli.StringSliceFlag{Name: "process-cap-add-effective", Usage: "add Linux effective capabilities"},
+	cli.StringSliceFlag{Name: "process-cap-add-inheritable", Usage: "add Linux inheritable capabilities"},
+	cli.StringSliceFlag{Name: "process-cap-add-permitted", Usage: "add Linux permitted capabilities"},
 	cli.BoolFlag{Name: "process-cap-drop-all", Usage: "drop all Linux capabilities"},
+	cli.StringSliceFlag{Name: "process-cap-drop-ambient", Usage: "drop Linux ambient capabilities"},
+	cli.StringSliceFlag{Name: "process-cap-drop-bounding", Usage: "drop Linux bounding capabilities"},
+	cli.StringSliceFlag{Name: "process-cap-drop-effective", Usage: "drop Linux effective capabilities"},
+	cli.StringSliceFlag{Name: "process-cap-drop-inheritable", Usage: "drop Linux inheritable capabilities"},
+	cli.StringSliceFlag{Name: "process-cap-drop-permitted", Usage: "drop Linux permitted capabilities"},
 	cli.StringFlag{Name: "process-consolesize", Usage: "specifies the console size in characters (width:height)"},
 	cli.StringFlag{Name: "process-cwd", Value: "/", Usage: "current working directory for the process"},
 	cli.IntFlag{Name: "process-gid", Usage: "gid for the process"},
@@ -265,19 +273,95 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 
 	g.SetupPrivileged(context.Bool("privileged"))
 
-	if context.IsSet("process-cap-add") {
-		addCaps := context.StringSlice("process-cap-add")
+	if context.IsSet("process-cap-add-ambient") {
+		addCaps := context.StringSlice("process-cap-add-ambient")
 		for _, cap := range addCaps {
-			if err := g.AddProcessCapability(cap); err != nil {
+			if err := g.AddProcessCapabilityAmbient(cap); err != nil {
 				return err
 			}
 		}
 	}
 
-	if context.IsSet("process-cap-drop") {
-		dropCaps := context.StringSlice("process-cap-drop")
+	if context.IsSet("process-cap-add-bounding") {
+		addCaps := context.StringSlice("process-cap-add-bounding")
+		for _, cap := range addCaps {
+			if err := g.AddProcessCapabilityBounding(cap); err != nil {
+				return err
+			}
+		}
+	}
+
+	if context.IsSet("process-cap-add-effective") {
+		addCaps := context.StringSlice("process-cap-add-effective")
+		for _, cap := range addCaps {
+			if err := g.AddProcessCapabilityEffective(cap); err != nil {
+				return err
+			}
+		}
+	}
+
+	if context.IsSet("process-cap-add-inheritable") {
+		addCaps := context.StringSlice("process-cap-add-inheritable")
+		for _, cap := range addCaps {
+			if err := g.AddProcessCapabilityInheritable(cap); err != nil {
+				return err
+			}
+		}
+	}
+
+	if context.IsSet("process-cap-add-permitted") {
+		addCaps := context.StringSlice("process-cap-add-permitted")
+		for _, cap := range addCaps {
+			if err := g.AddProcessCapabilityPermitted(cap); err != nil {
+				return err
+			}
+		}
+	}
+
+	if context.Bool("process-cap-drop-all") {
+		g.ClearProcessCapabilities()
+	}
+
+	if context.IsSet("process-cap-drop-ambient") {
+		dropCaps := context.StringSlice("process-cap-drop-ambient")
 		for _, cap := range dropCaps {
-			if err := g.DropProcessCapability(cap); err != nil {
+			if err := g.DropProcessCapabilityAmbient(cap); err != nil {
+				return err
+			}
+		}
+	}
+
+	if context.IsSet("process-cap-drop-bounding") {
+		dropCaps := context.StringSlice("process-cap-drop-bounding")
+		for _, cap := range dropCaps {
+			if err := g.DropProcessCapabilityBounding(cap); err != nil {
+				return err
+			}
+		}
+	}
+
+	if context.IsSet("process-cap-drop-effective") {
+		dropCaps := context.StringSlice("process-cap-drop-effective")
+		for _, cap := range dropCaps {
+			if err := g.DropProcessCapabilityEffective(cap); err != nil {
+				return err
+			}
+		}
+	}
+
+	if context.IsSet("process-cap-drop-inheritable") {
+		dropCaps := context.StringSlice("process-cap-drop-inheritable")
+		for _, cap := range dropCaps {
+			if err := g.DropProcessCapabilityInheritable(cap); err != nil {
+				return err
+			}
+		}
+	}
+
+	if context.IsSet("process-cap-drop-permitted") {
+		dropCaps := context.StringSlice("process-cap-drop-permitted")
+		for _, cap := range dropCaps {
+			if err := g.DropProcessCapabilityPermitted(cap); err != nil {
 				return err
 			}
 		}
@@ -292,10 +376,6 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 		g.SetProcessConsoleSize(width, height)
 	}
 
-	if context.Bool("process-cap-drop-all") {
-		g.ClearProcessCapabilities()
-	}
-
 	var uidMaps, gidMaps []string
 
 	if context.IsSet("linux-uidmappings") {

completions/bash/oci-runtime-tool

@@ -363,8 +363,16 @@ _oci-runtime-tool_generate() {
 		--mount-bind
 		--mount-cgroups
 		--output
-		--process-cap-add
-		--process-cap-drop
+		--process-cap-add-ambient
+		--process-cap-add-bounding
+		--process-cap-add-effective
+		--process-cap-add-inheritable
+		--process-cap-add-permitted
+		--process-cap-drop-ambient
+		--process-cap-drop-bounding
+		--process-cap-drop-effective
+		--process-cap-drop-inheritable
+		--process-cap-drop-permitted
 		--process-consolesize
 		--process-cwd
 		--process-gid

generate/generate.go

@@ -17,6 +17,12 @@ import (
 var (
 	// Namespaces include the names of supported namespaces.
 	Namespaces = []string{"network", "pid", "mount", "ipc", "uts", "user", "cgroup"}
+
+	// we don't care about order...and this is way faster...
+	removeFunc = func(s []string, i int) []string {
+		s[i] = s[len(s)-1]
+		return s[:len(s)-1]
+	}
 )
 
 // Generator represents a generator for a container spec.
@@ -980,8 +986,32 @@ func (g *Generator) ClearProcessCapabilities() {
 	g.spec.Process.Capabilities.Ambient = []string{}
 }
 
-// AddProcessCapability adds a process capability into g.spec.Process.Capabilities.
-func (g *Generator) AddProcessCapability(c string) error {
+// AddProcessCapabilityAmbient adds a process capability into g.spec.Process.Capabilities.Ambient.
+func (g *Generator) AddProcessCapabilityAmbient(c string) error {
+	cp := strings.ToUpper(c)
+	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
+		return err
+	}
+
+	g.initSpecProcessCapabilities()
+
+	var foundAmbient bool
+	for _, cap := range g.spec.Process.Capabilities.Ambient {
+		if strings.ToUpper(cap) == cp {
+			foundAmbient = true
+			break
+		}
+	}
+
+	if !foundAmbient {
+		g.spec.Process.Capabilities.Ambient = append(g.spec.Process.Capabilities.Ambient, cp)
+	}
+
+	return nil
+}
+
+// AddProcessCapabilityBounding adds a process capability into g.spec.Process.Capabilities.Bounding.
+func (g *Generator) AddProcessCapabilityBounding(c string) error {
 	cp := strings.ToUpper(c)
 	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
 		return err
@@ -1000,6 +1030,18 @@ func (g *Generator) AddProcessCapability(c string) error {
 		g.spec.Process.Capabilities.Bounding = append(g.spec.Process.Capabilities.Bounding, cp)
 	}
 
+	return nil
+}
+
+// AddProcessCapabilityEffective adds a process capability into g.spec.Process.Capabilities.Effective.
+func (g *Generator) AddProcessCapabilityEffective(c string) error {
+	cp := strings.ToUpper(c)
+	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
+		return err
+	}
+
+	g.initSpecProcessCapabilities()
+
 	var foundEffective bool
 	for _, cap := range g.spec.Process.Capabilities.Effective {
 		if strings.ToUpper(cap) == cp {
@@ -1011,6 +1053,18 @@ func (g *Generator) AddProcessCapability(c string) error {
 		g.spec.Process.Capabilities.Effective = append(g.spec.Process.Capabilities.Effective, cp)
 	}
 
+	return nil
+}
+
+// AddProcessCapabilityInheritable adds a process capability into g.spec.Process.Capabilities.Inheritable.
+func (g *Generator) AddProcessCapabilityInheritable(c string) error {
+	cp := strings.ToUpper(c)
+	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
+		return err
+	}
+
+	g.initSpecProcessCapabilities()
+
 	var foundInheritable bool
 	for _, cap := range g.spec.Process.Capabilities.Inheritable {
 		if strings.ToUpper(cap) == cp {
@@ -1022,6 +1076,18 @@ func (g *Generator) AddProcessCapability(c string) error {
 		g.spec.Process.Capabilities.Inheritable = append(g.spec.Process.Capabilities.Inheritable, cp)
 	}
 
+	return nil
+}
+
+// AddProcessCapabilityPermitted adds a process capability into g.spec.Process.Capabilities.Permitted.
+func (g *Generator) AddProcessCapabilityPermitted(c string) error {
+	cp := strings.ToUpper(c)
+	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
+		return err
+	}
+
+	g.initSpecProcessCapabilities()
+
 	var foundPermitted bool
 	for _, cap := range g.spec.Process.Capabilities.Permitted {
 		if strings.ToUpper(cap) == cp {
@@ -1033,57 +1099,79 @@ func (g *Generator) AddProcessCapability(c string) error {
 		g.spec.Process.Capabilities.Permitted = append(g.spec.Process.Capabilities.Permitted, cp)
 	}
 
-	var foundAmbient bool
-	for _, cap := range g.spec.Process.Capabilities.Ambient {
+	return nil
+}
+
+// DropProcessCapabilityAmbient drops a process capability from g.spec.Process.Capabilities.Ambient.
+func (g *Generator) DropProcessCapabilityAmbient(c string) error {
+	cp := strings.ToUpper(c)
+
+	g.initSpecProcessCapabilities()
+
+	for i, cap := range g.spec.Process.Capabilities.Ambient {
 		if strings.ToUpper(cap) == cp {
-			foundAmbient = true
-			break
+			g.spec.Process.Capabilities.Ambient = removeFunc(g.spec.Process.Capabilities.Ambient, i)
 		}
 	}
-	if !foundAmbient {
-		g.spec.Process.Capabilities.Ambient = append(g.spec.Process.Capabilities.Ambient, cp)
-	}
 
-	return nil
+	return validate.CapValid(cp, false)
 }
 
-// DropProcessCapability drops a process capability from g.spec.Process.Capabilities.
-func (g *Generator) DropProcessCapability(c string) error {
+// DropProcessCapabilityBounding drops a process capability from g.spec.Process.Capabilities.Bounding.
+func (g *Generator) DropProcessCapabilityBounding(c string) error {
 	cp := strings.ToUpper(c)
 
 	g.initSpecProcessCapabilities()
 
-	// we don't care about order...and this is way faster...
-	removeFunc := func(s []string, i int) []string {
-		s[i] = s[len(s)-1]
-		return s[:len(s)-1]
-	}
-
 	for i, cap := range g.spec.Process.Capabilities.Bounding {
 		if strings.ToUpper(cap) == cp {
 			g.spec.Process.Capabilities.Bounding = removeFunc(g.spec.Process.Capabilities.Bounding, i)
 		}
 	}
 
+	return validate.CapValid(cp, false)
+}
+
+// DropProcessCapabilityEffective drops a process capability from g.spec.Process.Capabilities.Effective.
+func (g *Generator) DropProcessCapabilityEffective(c string) error {
+	cp := strings.ToUpper(c)
+
+	g.initSpecProcessCapabilities()
+
 	for i, cap := range g.spec.Process.Capabilities.Effective {
 		if strings.ToUpper(cap) == cp {
 			g.spec.Process.Capabilities.Effective = removeFunc(g.spec.Process.Capabilities.Effective, i)
 		}
 	}
 
+	return validate.CapValid(cp, false)
+}
+
+// DropProcessCapabilityInheritable drops a process capability from g.spec.Process.Capabilities.Inheritable.
+func (g *Generator) DropProcessCapabilityInheritable(c string) error {
+	cp := strings.ToUpper(c)
+	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
+		return err
+	}
+
+	g.initSpecProcessCapabilities()
+
 	for i, cap := range g.spec.Process.Capabilities.Inheritable {
 		if strings.ToUpper(cap) == cp {
 			g.spec.Process.Capabilities.Inheritable = removeFunc(g.spec.Process.Capabilities.Inheritable, i)
 		}
 	}
 
-	for i, cap := range g.spec.Process.Capabilities.Permitted {
-		if strings.ToUpper(cap) == cp {
-			g.spec.Process.Capabilities.Permitted = removeFunc(g.spec.Process.Capabilities.Permitted, i)
-		}
-	}
+	return validate.CapValid(cp, false)
+}
 
-	for i, cap := range g.spec.Process.Capabilities.Ambient {
+// DropProcessCapabilityPermitted drops a process capability from g.spec.Process.Capabilities.Permitted.
+func (g *Generator) DropProcessCapabilityPermitted(c string) error {
+	cp := strings.ToUpper(c)
+
+	g.initSpecProcessCapabilities()
+
+	for i, cap := range g.spec.Process.Capabilities.Permitted {
 		if strings.ToUpper(cap) == cp {
 			g.spec.Process.Capabilities.Ambient = removeFunc(g.spec.Process.Capabilities.Ambient, i)
 		}