Check CAP_LAST_CAP while setting privileged

Signed-off-by: Haiyan Meng <hmeng@redhat.com>

Author: Haiyan Meng

cmd/ocitools/generate.go

@@ -78,7 +78,7 @@ var generateCommand = cli.Command{
 			}
 		}
 
-		err := setupSpec(specgen, context)
+		err := setupSpec(&specgen, context)
 		if err != nil {
 			return err
 		}
@@ -96,7 +96,12 @@ var generateCommand = cli.Command{
 	},
 }
 
-func setupSpec(g generate.Generator, context *cli.Context) error {
+func setupSpec(gp *generate.Generator, context *cli.Context) error {
+	if context.GlobalBool("host-specific") {
+		gp.EnableHostSpecific()
+	}
+
+	g := *gp
 	spec := g.GetSpec()
 
 	if len(spec.Version) == 0 {

cmd/ocitools/main.go

@@ -18,6 +18,10 @@ func main() {
 			Value: "error",
 			Usage: "Log level (panic, fatal, error, warn, info, or debug)",
 		},
+		cli.BoolFlag{
+			Name:  "host-specific",
+			Usage: "generate host-specific configs or do host-specific validations",
+		},
 	}
 
 	app.Commands = []cli.Command{

cmd/ocitools/validate.go

@@ -25,7 +25,6 @@ type configCheck func(rspec.Spec, string, bool) []string
 
 var bundleValidateFlags = []cli.Flag{
 	cli.StringFlag{Name: "path", Value: ".", Usage: "path to a bundle"},
-	cli.BoolFlag{Name: "host-specific", Usage: "Check host specific configs."},
 }
 
 var (
@@ -84,7 +83,7 @@ var bundleValidateCommand = cli.Command{
 			return fmt.Errorf("The root path %q is not a directory.", rootfsPath)
 		}
 
-		hostCheck := context.Bool("host-specific")
+		hostCheck := context.GlobalBool("host-specific")
 
 		checks := []configCheck{
 			checkMandatoryFields,

generate/generate.go

@@ -21,7 +21,8 @@ var (
 
 // Generator represents a generator for a container spec.
 type Generator struct {
-	spec *rspec.Spec
+	spec         *rspec.Spec
+	hostSpecific bool
 }
 
 // New creates a spec Generator with the default spec.
@@ -139,12 +140,16 @@ func New() Generator {
 			Devices: []rspec.Device{},
 		},
 	}
-	return Generator{&spec}
+	return Generator{
+		spec: &spec,
+	}
 }
 
 // NewFromSpec creates a spec Generator from a given spec.
 func NewFromSpec(spec *rspec.Spec) Generator {
-	return Generator{spec}
+	return Generator{
+		spec: spec,
+	}
 }
 
 // NewFromFile loads the template specifed in a file into a spec Generator.
@@ -166,7 +171,19 @@ func NewFromTemplate(r io.Reader) (Generator, error) {
 	if err := json.NewDecoder(r).Decode(&spec); err != nil {
 		return Generator{}, err
 	}
-	return Generator{&spec}, nil
+	return Generator{
+		spec: &spec,
+	}, nil
+}
+
+// EnableHostSpecific enables g.hostSpecific.
+func (g *Generator) EnableHostSpecific() {
+	g.hostSpecific = true
+}
+
+// GetHostSpecific gets g.hostSpecific.
+func (g *Generator) GetHostSpecific() bool {
+	return g.hostSpecific
 }
 
 // SetSpec sets the spec in the Generator g.
@@ -909,6 +926,9 @@ func (g *Generator) SetupPrivileged(privileged bool) {
 		// Add all capabilities in privileged mode.
 		var finalCapList []string
 		for _, cap := range capability.List() {
+			if g.hostSpecific && cap > capability.CAP_LAST_CAP {
+				continue
+			}
 			finalCapList = append(finalCapList, fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())))
 		}
 		g.spec.Process.Capabilities = finalCapList
@@ -918,12 +938,15 @@ func (g *Generator) SetupPrivileged(privileged bool) {
 	}
 }
 
-func checkCap(c string) error {
+func checkCap(c string, hostSpecific bool) error {
 	isValid := false
 	cp := strings.ToUpper(c)
 
 	for _, cap := range capability.List() {
 		if cp == strings.ToUpper(cap.String()) {
+			if hostSpecific && cap > capability.CAP_LAST_CAP {
+				return fmt.Errorf("CAP_%s is not supported on the current host", cp)
+			}
 			isValid = true
 			break
 		}
@@ -942,7 +965,7 @@ func (g *Generator) ClearProcessCapabilities() {
 
 // AddProcessCapability adds a process capability into g.spec.Process.Capabilities.
 func (g *Generator) AddProcessCapability(c string) error {
-	if err := checkCap(c); err != nil {
+	if err := checkCap(c, g.hostSpecific); err != nil {
 		return err
 	}
 
@@ -960,7 +983,7 @@ func (g *Generator) AddProcessCapability(c string) error {
 
 // DropProcessCapability drops a process capability from g.spec.Process.Capabilities.
 func (g *Generator) DropProcessCapability(c string) error {
-	if err := checkCap(c); err != nil {
+	if err := checkCap(c, g.hostSpecific); err != nil {
 		return err
 	}
 

man/ocitools-validate.1.md

@@ -18,16 +18,6 @@ Validate an OCI bundle
 **--path=PATH
   Path to bundle
 
-**--host-specific**
-  Check host specific configs.
-  By default, validation only tests for compatibility with a hypothetical host.
-  With this flag, validation will also run more specific tests to see whether
-  the current host is capable of launching a container from the configuration.
-  For example, validating a compliant Windows configuration on a Linux machine
-  will pass without this flag ("there may be a Windows host capable of
-  launching this container"), but will fail with it ("this host is not capable
-  of launching this container").
-
 # SEE ALSO
 **ocitools**(1)
 

man/ocitools.1.md

@@ -15,11 +15,26 @@ ocitools is a collection of tools for working with the [OCI runtime specificatio
 
 # OPTIONS
 **--help**
-  Print usage statement
+  Print usage statement.
 
 **-v**, **--version**
   Print version information.
 
+**--log-level**
+  Log level (panic, fatal, error, warn, info, or debug) (default: "error").
+
+**--host-specific**
+  Generate host-specific configs or do host-specific validations.
+
+  By default, generator generates configs without checking whether they are
+  supported on the current host. With this flag, generator will first check
+  whether each config is supported on the current host, and only add it into
+  the config file if it passes the checking.
+
+  By default, validation only tests for compatibility with a hypothetical host.
+  With this flag, validation will also run more specific tests to see whether
+  the current host is capable of launching a container from the configuration.
+
 # COMMANDS
 **validate**
   Validating OCI bundle