generate: add process-cap-drop option

Zhou Hao · Zhou Hao · commit 9f6de4d4e98c · 2018-12-14T13:35:29.000+08:00
Add process-cap-drop option to drop Linux capabilities to all 5 capability sets.

```
oci-runtime-tool generate --process-cap-drop CAP_FOWNER,CAP_FSETID
```

Signed-off-by: Zhou Hao &lt;zhouhao@cn.fujitsu.com&gt;
diff --git a/cmd/oci-runtime-tool/generate.go b/cmd/oci-runtime-tool/generate.go
@@ -100,6 +100,7 @@ var generateFlags = []cli.Flag{
 	cli.StringFlag{Name: "process-cap-add-effective", Usage: "add Linux effective capabilities"},
 	cli.StringFlag{Name: "process-cap-add-inheritable", Usage: "add Linux inheritable capabilities"},
 	cli.StringFlag{Name: "process-cap-add-permitted", Usage: "add Linux permitted capabilities"},
+	cli.StringFlag{Name: "process-cap-drop", Usage: "drop Linux capabilities to all 5 capability sets"},
 	cli.BoolFlag{Name: "process-cap-drop-all", Usage: "drop all Linux capabilities"},
 	cli.StringFlag{Name: "process-cap-drop-ambient", Usage: "drop Linux ambient capabilities"},
 	cli.StringFlag{Name: "process-cap-drop-bounding", Usage: "drop Linux bounding capabilities"},
@@ -400,6 +401,16 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 		}
 	}
 
+	if context.IsSet("process-cap-drop") {
+		addCaps := context.String("process-cap-drop")
+		parts := strings.Split(addCaps, ",")
+		for _, part := range parts {
+			if err := g.DropProcessCapability(part); err != nil {
+				return err
+			}
+		}
+	}
+
 	if context.IsSet("process-cap-drop-ambient") {
 		dropCaps := context.String("process-cap-drop-ambient")
 		parts := strings.Split(dropCaps, ",")
diff --git a/completions/bash/oci-runtime-tool b/completions/bash/oci-runtime-tool
@@ -377,6 +377,7 @@ _oci-runtime-tool_generate() {
 		--process-cap-add-effective
 		--process-cap-add-inheritable
 		--process-cap-add-permitted
+		--process-cap-drop
 		--process-cap-drop-ambient
 		--process-cap-drop-bounding
 		--process-cap-drop-effective
diff --git a/generate/generate.go b/generate/generate.go
@@ -1253,6 +1253,42 @@ func (g *Generator) AddProcessCapabilityPermitted(c string) error {
 	return nil
 }
 
+// DropProcessCapability drops a process capability from all 5 capability sets.
+func (g *Generator) DropProcessCapability(c string) error {
+	if g.Config == nil || g.Config.Process == nil || g.Config.Process.Capabilities == nil {
+		return nil
+	}
+
+	cp := strings.ToUpper(c)
+	for i, cap := range g.Config.Process.Capabilities.Ambient {
+		if strings.ToUpper(cap) == cp {
+			g.Config.Process.Capabilities.Ambient = removeFunc(g.Config.Process.Capabilities.Ambient, i)
+		}
+	}
+	for i, cap := range g.Config.Process.Capabilities.Bounding {
+		if strings.ToUpper(cap) == cp {
+			g.Config.Process.Capabilities.Bounding = removeFunc(g.Config.Process.Capabilities.Bounding, i)
+		}
+	}
+	for i, cap := range g.Config.Process.Capabilities.Effective {
+		if strings.ToUpper(cap) == cp {
+			g.Config.Process.Capabilities.Effective = removeFunc(g.Config.Process.Capabilities.Effective, i)
+		}
+	}
+	for i, cap := range g.Config.Process.Capabilities.Inheritable {
+		if strings.ToUpper(cap) == cp {
+			g.Config.Process.Capabilities.Inheritable = removeFunc(g.Config.Process.Capabilities.Inheritable, i)
+		}
+	}
+	for i, cap := range g.Config.Process.Capabilities.Permitted {
+		if strings.ToUpper(cap) == cp {
+			g.Config.Process.Capabilities.Permitted = removeFunc(g.Config.Process.Capabilities.Permitted, i)
+		}
+	}
+
+	return validate.CapValid(cp, false)
+}
+
 // DropProcessCapabilityAmbient drops a process capability from g.Config.Process.Capabilities.Ambient.
 func (g *Generator) DropProcessCapabilityAmbient(c string) error {
 	if g.Config == nil || g.Config.Process == nil || g.Config.Process.Capabilities == nil {
diff --git a/man/oci-runtime-tool-generate.1.md b/man/oci-runtime-tool-generate.1.md
@@ -402,6 +402,11 @@ read the configuration from `config.json`.
   You can use this command to add multiple capabilities. Each value should be used ',' separated.
   e.g. --process-cap-add-permitted CAP_FOWNER,CAP_FSETID
 
+**--process-cap-drop**=[]
+  Drop Linux capabilities to all 5 capability sets.
+  You can use this command to drop multiple capabilities. Each value should be used ',' separated.
+  e.g. --process-cap-drop CAP_FOWNER,CAP_FSETID
+
 **--process-cap-drop-all**=true|false
   Drop all Linux capabilities
   This option conflicts with other cap options, as --process-cap-*.
