diff --git a/cmd/oci-runtime-tool/generate.go b/cmd/oci-runtime-tool/generate.go
index a103aba24..3509a88f9 100644
--- a/cmd/oci-runtime-tool/generate.go
+++ b/cmd/oci-runtime-tool/generate.go
@@ -45,6 +45,7 @@ var generateFlags = []cli.Flag{
 cli.Int64Flag{Name: "linux-pids-limit", Usage: "maximum number of PIDs"},
 cli.Uint64Flag{Name: "linux-realtime-period", Usage: "CPU period to be used for realtime scheduling (in usecs)"},
 cli.Uint64Flag{Name: "linux-realtime-runtime", Usage: "the time realtime scheduling may use (in usecs)"},
+ cli.StringSliceFlag{Name: "masked-paths", Usage: "specifies paths can not be read inside container"},
 cli.StringFlag{Name: "mount", Usage: "mount namespace"},
 cli.StringFlag{Name: "mount-cgroups", Value: "no", Usage: "mount cgroups (rw,ro,no)"},
 cli.StringFlag{Name: "mount-label", Usage: "selinux mount context label"},
@@ -59,6 +60,7 @@ var generateFlags = []cli.Flag{
 cli.StringSliceFlag{Name: "prestart", Usage: "set command to run in prestart hooks"},
 cli.BoolFlag{Name: "privileged", Usage: "enable privileged container settings"},
 cli.BoolFlag{Name: "read-only", Usage: "make the container's rootfs read-only"},
+ cli.StringSliceFlag{Name: "readonly-paths", Usage: "specifies paths readonly inside container"},
 cli.StringFlag{Name: "root-propagation", Usage: "mount propagation for root"},
 cli.StringFlag{Name: "rootfs", Value: "rootfs", Usage: "path to the rootfs"},
 cli.StringFlag{Name: "seccomp-allow", Usage: "specifies syscalls to respond with allow"},
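Review bot: The usage string on the added `masked-paths` line, "specifies paths can not be read inside container", is ungrammatical and tells the operator neither that the flag is repeatable nor what form the value takes; I would change it to `Usage: "absolute path inside the container to mask so it cannot be read (may be repeated)"`. As far as I recall the OCI runtime spec requires maskedPaths to be absolute container paths, so saying "absolute" here is the cheapest guard against a silently ineffective mask — confirm against the spec version this tool targets. The man page hunk later in this commit should carry the same wording so the two stay consistent.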
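Review bot: The usage string on the added `readonly-paths` line, "specifies paths readonly inside container", is awkward and inconsistent with the neighbouring `read-only` flag's phrasing; suggest `Usage: "absolute path inside the container to mount read-only (may be repeated)"`. The two flags also differ in hyphenation (`read-only` vs `readonly-paths`), which is visible right next to each other in this hunk and will confuse users of the bash completion; renaming would be an interface change, so at minimum the usage text should cross-reference `--read-only` so the distinction (whole rootfs vs. individual paths) is clear.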
@@ -211,6 +213,20 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 g.SetLinuxCgroupsPath(context.String("cgroups-path"))
 }
 
+ if context.IsSet("masked-paths") {
+ paths := context.StringSlice("masked-paths")
+ for _, path := range paths {
+ g.AddLinuxMaskedPaths(path)
+ }
+ }
+
+ if context.IsSet("readonly-paths") {
+ paths := context.StringSlice("readonly-paths")
+ for _, path := range paths {
+ g.AddLinuxReadonlyPaths(path)
+ }
+ }
+
 if context.IsSet("mount-label") {
 g.SetLinuxMountLabel(context.String("mount-label"))
 }
diff --git a/completions/bash/oci-runtime-tool b/completions/bash/oci-runtime-tool
index 389c6a40f..2f1faf8ed 100644
--- a/completions/bash/oci-runtime-tool
+++ b/completions/bash/oci-runtime-tool
@@ -287,6 +287,7 @@ _oci-runtime-tool_generate() {
 --ipc
 --label
 --linux-pids-limit
+ --masked-paths
 --mount
 --mount-cgroups
 --mount-label
@@ -297,6 +298,7 @@ _oci-runtime-tool_generate() {
 --poststart
 --poststop
 --prestart
+ --readonly-paths
 --root-propagation
 --rootfs
 --seccomp-allow
diff --git a/generate/generate.go b/generate/generate.go
index b4530b5e5..bd8e4908b 100644
--- a/generate/generate.go
+++ b/generate/generate.go
@@ -851,3 +851,15 @@ func (g *Generator) RemoveAllSeccompRules() error {
 g.initSpecLinuxSeccomp()
 return seccomp.RemoveAllSeccompRules(g.spec.Linux.Seccomp)
 }
+
+// AddLinuxMaskedPaths adds masked paths into g.spec.Linux.MaskedPaths.
+func (g *Generator) AddLinuxMaskedPaths(path string) {
+ g.initSpecLinux()
+ g.spec.Linux.MaskedPaths = append(g.spec.Linux.MaskedPaths, path)
+}
+
+// AddLinuxReadonlyPaths adds readonly paths into g.spec.Linux.MaskedPaths.
+func (g *Generator) AddLinuxReadonlyPaths(path string) {
+ g.initSpecLinux()
+ g.spec.Linux.ReadonlyPaths = append(g.spec.Linux.ReadonlyPaths, path)
+}
diff --git a/man/oci-runtime-tool-generate.1.md b/man/oci-runtime-tool-generate.1.md
index f06a4dd18..d7ba38866 100644
--- a/man/oci-runtime-tool-generate.1.md
+++ b/man/oci-runtime-tool-generate.1.md
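Review bot: Neither added loop in setupSpec validates the flag values before calling `g.AddLinuxMaskedPaths` / `g.AddLinuxReadonlyPaths`, so an empty or relative value such as `--masked-paths=proc/kcore` is written into config.json verbatim and, as far as I recall the runtime spec, will either be rejected by the runtime later or simply not mask what the operator intended — a hardening flag that silently does nothing is worse than an error at generate time. Since setupSpec already returns an error, I would reject non-absolute values with `filepath.IsAbs` in both loops; the `context.IsSet` guards appear redundant because an unset StringSliceFlag yields an empty slice and the loop is a no-op, so the fence below drops them. Duplicate values are appended as-is, which is harmless but worth a comment. setupSpec starts and ends outside this hunk, and I cannot see whether `fmt` and `path/filepath` are imported in this file.

```go
	// … unchanged: cgroups-path handling …
	for _, path := range context.StringSlice("masked-paths") {
		// The spec expects absolute container paths; catch mistakes at generate time.
		if !filepath.IsAbs(path) {
			return fmt.Errorf("masked path %q must be absolute", path)
		}
		g.AddLinuxMaskedPaths(path)
	}
	for _, path := range context.StringSlice("readonly-paths") {
		if !filepath.IsAbs(path) {
			return fmt.Errorf("readonly path %q must be absolute", path)
		}
		g.AddLinuxReadonlyPaths(path)
	}
	// … unchanged: mount-label handling …
```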
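Review bot: The doc comment on the added `AddLinuxReadonlyPaths` says it adds into `g.spec.Linux.MaskedPaths`, but the body appends to `g.spec.Linux.ReadonlyPaths`; it should read `// AddLinuxReadonlyPaths appends a readonly path to g.spec.Linux.ReadonlyPaths.`, since a maintainer reading comments alone would otherwise think both setters write the same list. Both method names are plural although each call takes and appends a single path, and repeated calls with the same value produce duplicate entries; a one-line note on each (`// Repeated calls append; duplicates are not removed.`) would make the contract explicit. Whether `initSpecLinux` guarantees `g.spec.Linux` is non-nil is not visible in this hunk, so I am assuming it does, as the sibling `RemoveAllSeccompRules` does with `initSpecLinuxSeccomp`.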
@@ -132,6 +132,10 @@ read the configuration from `config.json`. **--linux-realtime-runtime**=REALTIMERUNTIME Specifies a period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources. +**--masked-paths**=[] + Specifies paths can not be read inside container. e.g. --masked-paths=/proc/kcore + This option can be specified multiple times. + **--mount**=*PATH* Use a mount namespace where *PATH* is an existing mount namespace file to join. The special *PATH* empty-string creates a new namespace. @@ -206,6 +210,10 @@ read the configuration from `config.json`. When the operator executes **oci-runtime-tool generate --privileged**, OCI will enable access to all devices on the host as well as disable some of the confinement mechanisms like AppArmor, SELinux, and seccomp from blocking access to privileged processes. This gives the container processes nearly all the same access to the host as processes generating outside of a container on the host. +**--readonly-paths**=[] + Specifies paths readonly inside container. e.g. --readonly-paths=/proc/sys + This option can be specified multiple times. + **--read-only**=true|false Mount the container's root filesystem as read only.