diff --git a/cmd/oci-runtime-tool/generate.go b/cmd/oci-runtime-tool/generate.go
index 2bdaa2460..c67fc8499 100644
--- a/cmd/oci-runtime-tool/generate.go
+++ b/cmd/oci-runtime-tool/generate.go
@@ -301,6 +301,10 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 
 	g.SetupPrivileged(context.Bool("privileged"))
 
+	if context.Bool("process-cap-drop-all") {
+		g.ClearProcessCapabilities()
+	}
+
 	if context.IsSet("process-cap-add-ambient") {
 		addCaps := context.StringSlice("process-cap-add-ambient")
 		for _, cap := range addCaps {
@@ -346,10 +350,6 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 		}
 	}
 
-	if context.Bool("process-cap-drop-all") {
-		g.ClearProcessCapabilities()
-	}
-
 	if context.IsSet("process-cap-drop-ambient") {
 		dropCaps := context.StringSlice("process-cap-drop-ambient")
 		for _, cap := range dropCaps {
@@ -699,6 +699,10 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 		}
 	}
 
+	if context.Bool("linux-namespace-remove-all") {
+		g.ClearLinuxNamespaces()
+	}
+
 	if context.IsSet("linux-namespace-add") {
 		namespaces := context.StringSlice("linux-namespace-add")
 		for _, ns := range namespaces {
@@ -721,8 +725,8 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 		}
 	}
 
-	if context.Bool("linux-namespace-remove-all") {
-		g.ClearLinuxNamespaces()
+	if context.Bool("process-rlimits-remove-all") {
+		g.ClearProcessRlimits()
 	}
 
 	if context.IsSet("process-rlimits-add") {
@@ -746,8 +750,8 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 		}
 	}
 
-	if context.Bool("process-rlimits-remove-all") {
-		g.ClearProcessRlimits()
+	if context.Bool("linux-device-remove-all") {
+		g.ClearLinuxDevices()
 	}
 
 	if context.IsSet("linux-device-add") {
@@ -771,10 +775,6 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 		}
 	}
 
-	if context.Bool("linux-device-remove-all") {
-		g.ClearLinuxDevices()
-	}
-
 	err := addSeccomp(context, g)
 	return err
 }
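Review bot: The new position of the `process-cap-drop-all` block — and likewise the namespace, rlimits and device `*-remove-all` blocks in the hunks at -699, -721 and -746 — is load-bearing, because it makes the clear run before the matching `-add`/`-remove` flags regardless of command-line order, yet nothing in the code says so and the previous revision had each block in the other position, so a later reordering would silently change which capabilities, namespaces or devices survive. A why-comment on each moved block would protect that, e.g. `// Must run before any --process-cap-add-* so the adds are applied on top of an empty set.` The man-page text added in this commit calls the flags "conflicting", whereas the code composes them (clear, then add), which is the reading that lets a caller build a minimal allowlist, and the comment should describe it that way. The same man text for `--process-rlimits-remove-all` names `--linux-rlimits-add` and `--linux-rlimits-remove`, which does not match the `process-rlimits-add` key the code reads in the hunk at -721, so one of the two looks wrong. setupSpec starts before the first hunk and the middle hunks cut through its body.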
@@ -1042,6 +1042,12 @@ func parseLinuxResourcesDeviceAccess(device string, g *generate.Generator) (rspe
 }
 
 func addSeccomp(context *cli.Context, g *generate.Generator) error {
+	if context.Bool("linux-seccomp-remove-all") {
+		err := g.RemoveAllSeccompRules()
+		if err != nil {
+			return err
+		}
+	}
 
 	// Set the DefaultAction of seccomp
 	if context.IsSet("linux-seccomp-default") {
@@ -1113,12 +1119,6 @@ func addSeccomp(context *cli.Context, g *generate.Generator) error {
 		}
 	}
 
-	if context.Bool("linux-seccomp-remove-all") {
-		err := g.RemoveAllSeccompRules()
-		if err != nil {
-			return err
-		}
-	}
 
 	return nil
 }
diff --git a/man/oci-runtime-tool-generate.1.md b/man/oci-runtime-tool-generate.1.md
index 02b3165c5..fab885aa8 100644
--- a/man/oci-runtime-tool-generate.1.md
+++ b/man/oci-runtime-tool-generate.1.md
@@ -165,6 +165,8 @@ read the configuration from `config.json`.
 
 **--linux-device-remove-all**=true|false
   Remove all devices for linux inside the container. The default is *false*.
+  This option conflicts with --linux-device-add and --linux-device-remove.
+  When combined with them, no matter what the options' order is, parse this option first.
 
 **--linux-device-cgroup-add**=allow|deny[,type=TYPE][,major=MAJOR][,minor=MINOR][,access=ACCESS]
   Add a device control rule.
@@ -241,6 +243,8 @@ read the configuration from `config.json`.
 
 **--linux-namespace-remove-all**=true|false
   Removes all namespaces from the set of namespaces configured for a container, such that the container will effectively run on the host.
+  This option conflicts with --linux-namespace-add and --linux-namespace-remove.
+  When combined with them, no matter what the options' order is, parse this option first.
 
 **--linux-network-classid**=CLASSID
   Specifies network class identifier which will be tagged by container's network packets.
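Review bot: The error from `g.RemoveAllSeccompRules()` in the new block at the top of addSeccomp is returned bare, so a failure surfaces without saying which flag triggered it, and the two-statement form is the only spot in the visible hunks that does not use the `if err := ...; err != nil` initializer idiom. Suggest `if err := g.RemoveAllSeccompRules(); err != nil { return fmt.Errorf("--linux-seccomp-remove-all: %w", err) }`, assuming `fmt` is already imported by this file (the import block is outside the diff). Whether RemoveAllSeccompRules also resets the seccomp default action is not visible here; if it does not, a default action carried over from an existing config survives `--linux-seccomp-remove-all`, and the new ordering at least lets `--linux-seccomp-default` override it afterwards, which is worth stating in a comment above the block so the intended "clear, then re-apply explicit rules" sequence is not undone by a later reshuffle. The rest of addSeccomp's body lies outside the hunk.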
@@ -293,14 +297,16 @@ read the configuration from `config.json`.
 **--linux-seccomp-kill**=SYSCALL
   Specifies syscalls to create seccomp rule to respond with KILL.
 
-**--linux-seccomp-only**==true|false
+**--linux-seccomp-only**=true|false
   Option to only export the seccomp section of output
 
 **--linux-seccomp-remove**=[]
   Specifies syscall restrictions to remove from the configuration.
 
-**--linux-seccomp-remove-all**==true|false
+**--linux-seccomp-remove-all**=true|false
   Option to remove all syscall restrictions.
+  This option conflicts with other --linux-seccomp-xxx options.
+  When combined with them, no matter what the options' order is, parse this option first.
 
 **--linux-seccomp-trace**=SYSCALL
   Specifies syscalls to create seccomp rule to respond with TRACE.
@@ -371,8 +377,10 @@ read the configuration from `config.json`.
 **--process-cap-add-permitted**=[]
   Add Linux permitted capabilities
 
-**--process-cap-drop-all**true|false
+**--process-cap-drop-all**=true|false
   Drop all Linux capabilities
+  This option conflicts with other cap options, as --process-cap-*.
+  When combined with them, no matter what the options' order is, parse this option first.
 
 **--process-cap-drop-ambient**=[]
   Drop Linux ambient capabilities
@@ -417,6 +425,8 @@ read the configuration from `config.json`.
 
 **--process-rlimits-remove-all**=true|false
   Remove all resource limits for process inside the container. The default is *false*.
+  This option conflicts with --linux-rlimits-add and --linux-rlimits-remove.
+  When combined with them, no matter what the options' order is, parse this option first.
 
 **--process-terminal**=true|false
   Specifies whether a terminal is attached to the process. The default is *false*.