generate: add process-cap-add option

Zhou Hao · Zhou Hao · commit 192a8eb7b8cf · 2018-12-14T13:33:56.000+08:00
Add process-cap-add option to add Linux capabilities to all 5 capability sets.

```
oci-runtime-tool generate --process-cap-add CAP_FOWNER,CAP_FSETID
```

Signed-off-by: Zhou Hao &lt;zhouhao@cn.fujitsu.com&gt;
diff --git a/cmd/oci-runtime-tool/generate.go b/cmd/oci-runtime-tool/generate.go
@@ -94,6 +94,7 @@ var generateFlags = []cli.Flag{
 	cli.StringFlag{Name: "os", Value: runtime.GOOS, Usage: "operating system the container is created for"},
 	cli.StringFlag{Name: "output", Usage: "output file (defaults to stdout)"},
 	cli.BoolFlag{Name: "privileged", Usage: "enable privileged container settings"},
+	cli.StringFlag{Name: "process-cap-add", Usage: "add Linux capabilities to all 5 capability sets"},
 	cli.StringFlag{Name: "process-cap-add-ambient", Usage: "add Linux ambient capabilities"},
 	cli.StringFlag{Name: "process-cap-add-bounding", Usage: "add Linux bounding capabilities"},
 	cli.StringFlag{Name: "process-cap-add-effective", Usage: "add Linux effective capabilities"},
@@ -339,6 +340,16 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 		g.ClearProcessCapabilities()
 	}
 
+	if context.IsSet("process-cap-add") {
+		addCaps := context.String("process-cap-add")
+		parts := strings.Split(addCaps, ",")
+		for _, part := range parts {
+			if err := g.AddProcessCapability(part); err != nil {
+				return err
+			}
+		}
+	}
+
 	if context.IsSet("process-cap-add-ambient") {
 		addCaps := context.String("process-cap-add-ambient")
 		parts := strings.Split(addCaps, ",")
diff --git a/completions/bash/oci-runtime-tool b/completions/bash/oci-runtime-tool
@@ -371,6 +371,7 @@ _oci-runtime-tool_generate() {
 		--mounts-remove
 		--os
 		--output
+		--process-cap-add
 		--process-cap-add-ambient
 		--process-cap-add-bounding
 		--process-cap-add-effective
diff --git a/generate/generate.go b/generate/generate.go
@@ -1074,6 +1074,69 @@ func (g *Generator) ClearProcessCapabilities() {
 	g.Config.Process.Capabilities.Ambient = []string{}
 }
 
+// AddProcessCapability adds a process capability into all 5 capability sets.
+func (g *Generator) AddProcessCapability(c string) error {
+	cp := strings.ToUpper(c)
+	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
+		return err
+	}
+
+	g.initConfigProcessCapabilities()
+
+	var foundAmbient, foundBounding, foundEffective, foundInheritable, foundPermitted bool
+	for _, cap := range g.Config.Process.Capabilities.Ambient {
+		if strings.ToUpper(cap) == cp {
+			foundAmbient = true
+			break
+		}
+	}
+	if !foundAmbient {
+		g.Config.Process.Capabilities.Ambient = append(g.Config.Process.Capabilities.Ambient, cp)
+	}
+
+	for _, cap := range g.Config.Process.Capabilities.Bounding {
+		if strings.ToUpper(cap) == cp {
+			foundBounding = true
+			break
+		}
+	}
+	if !foundBounding {
+		g.Config.Process.Capabilities.Bounding = append(g.Config.Process.Capabilities.Bounding, cp)
+	}
+
+	for _, cap := range g.Config.Process.Capabilities.Effective {
+		if strings.ToUpper(cap) == cp {
+			foundEffective = true
+			break
+		}
+	}
+	if !foundEffective {
+		g.Config.Process.Capabilities.Effective = append(g.Config.Process.Capabilities.Effective, cp)
+	}
+
+	for _, cap := range g.Config.Process.Capabilities.Inheritable {
+		if strings.ToUpper(cap) == cp {
+			foundInheritable = true
+			break
+		}
+	}
+	if !foundInheritable {
+		g.Config.Process.Capabilities.Inheritable = append(g.Config.Process.Capabilities.Inheritable, cp)
+	}
+
+	for _, cap := range g.Config.Process.Capabilities.Permitted {
+		if strings.ToUpper(cap) == cp {
+			foundPermitted = true
+			break
+		}
+	}
+	if !foundPermitted {
+		g.Config.Process.Capabilities.Permitted = append(g.Config.Process.Capabilities.Permitted, cp)
+	}
+
+	return nil
+}
+
 // AddProcessCapabilityAmbient adds a process capability into g.Config.Process.Capabilities.Ambient.
 func (g *Generator) AddProcessCapabilityAmbient(c string) error {
 	cp := strings.ToUpper(c)
diff --git a/man/oci-runtime-tool-generate.1.md b/man/oci-runtime-tool-generate.1.md
@@ -372,6 +372,11 @@ read the configuration from `config.json`.
 
   When the operator executes **oci-runtime-tool generate --privileged**, OCI will enable access to all devices on the host as well as disable some of the confinement mechanisms like AppArmor, SELinux, and seccomp from blocking access to privileged processes.  This gives the container processes nearly all the same access to the host as processes generating outside of a container on the host.
 
+**--process-cap-add**=[]
+  Add Linux capabilities to all 5 capability sets.
+  You can use this command to add multiple capabilities. Each value should be used ',' separated.
+  e.g. --process-cap-add CAP_FOWNER,CAP_FSETID
+
 **--process-cap-add-ambient**=[]
   Add Linux ambient capabilities.
   You can use this command to add multiple capabilities. Each value should be used ',' separated.
