opencontainers · mrunalp · Oct 23, 2016 · Oct 21, 2016
@@ -45,6 +45,7 @@ var generateFlags = []cli.Flag{
 	cli.Int64Flag{Name: "linux-pids-limit", Usage: "maximum number of PIDs"},
 	cli.Uint64Flag{Name: "linux-realtime-period", Usage: "CPU period to be used for realtime scheduling (in usecs)"},
 	cli.Uint64Flag{Name: "linux-realtime-runtime", Usage: "the time realtime scheduling may use (in usecs)"},
+	cli.StringSliceFlag{Name: "masked-paths", Usage: "specifies paths can not be read inside container"},
 	cli.StringFlag{Name: "mount", Usage: "mount namespace"},
 	cli.StringFlag{Name: "mount-cgroups", Value: "no", Usage: "mount cgroups (rw,ro,no)"},
 	cli.StringFlag{Name: "mount-label", Usage: "selinux mount context label"},
@@ -59,6 +60,7 @@ var generateFlags = []cli.Flag{
 	cli.StringSliceFlag{Name: "prestart", Usage: "set command to run in prestart hooks"},
 	cli.BoolFlag{Name: "privileged", Usage: "enable privileged container settings"},
 	cli.BoolFlag{Name: "read-only", Usage: "make the container's rootfs read-only"},
+	cli.StringSliceFlag{Name: "readonly-paths", Usage: "specifies paths readonly inside container"},
 	cli.StringFlag{Name: "root-propagation", Usage: "mount propagation for root"},
 	cli.StringFlag{Name: "rootfs", Value: "rootfs", Usage: "path to the rootfs"},
 	cli.StringFlag{Name: "seccomp-allow", Usage: "specifies syscalls to respond with allow"},
@@ -211,6 +213,20 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 		g.SetLinuxCgroupsPath(context.String("cgroups-path"))
 	}
 
+	if context.IsSet("masked-paths") {
+		paths := context.StringSlice("masked-paths")
+		for _, path := range paths {
+			g.AddLinuxMaskedPaths(path)
+		}
+	}
+
+	if context.IsSet("readonly-paths") {
+		paths := context.StringSlice("readonly-paths")
+		for _, path := range paths {
+			g.AddLinuxReadonlyPaths(path)
+		}
+	}
+
 	if context.IsSet("mount-label") {
 		g.SetLinuxMountLabel(context.String("mount-label"))
 	}

@@ -287,6 +287,7 @@ _oci-runtime-tool_generate() {
 	      --ipc
 	      --label
 	      --linux-pids-limit
+	      --masked-paths
 	      --mount
 	      --mount-cgroups
 	      --mount-label
@@ -297,6 +298,7 @@ _oci-runtime-tool_generate() {
 	      --poststart
 	      --poststop
 	      --prestart
+	      --readonly-paths
 	      --root-propagation
 	      --rootfs
 	      --seccomp-allow

@@ -851,3 +851,15 @@ func (g *Generator) RemoveAllSeccompRules() error {
 	g.initSpecLinuxSeccomp()
 	return seccomp.RemoveAllSeccompRules(g.spec.Linux.Seccomp)
 }
+
+// AddLinuxMaskedPaths adds masked paths into g.spec.Linux.MaskedPaths.
+func (g *Generator) AddLinuxMaskedPaths(path string) {
+	g.initSpecLinux()
+	g.spec.Linux.MaskedPaths = append(g.spec.Linux.MaskedPaths, path)
+}
+
+// AddLinuxReadonlyPaths adds readonly paths into g.spec.Linux.MaskedPaths.
+func (g *Generator) AddLinuxReadonlyPaths(path string) {
+	g.initSpecLinux()
+	g.spec.Linux.ReadonlyPaths = append(g.spec.Linux.ReadonlyPaths, path)
+}
@@ -132,6 +132,10 @@ read the configuration from `config.json`.
 **--linux-realtime-runtime**=REALTIMERUNTIME
   Specifies a period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources.
 
+**--masked-paths**=[]
+  Specifies paths can not be read inside container. e.g. --masked-paths=/proc/kcore
+  This option can be specified multiple times.
+
 **--mount**=*PATH*
   Use a mount namespace where *PATH* is an existing mount namespace file
   to join. The special *PATH*  empty-string  creates a new namespace.
@@ -206,6 +210,10 @@ read the configuration from `config.json`.
 
   When the operator executes **oci-runtime-tool generate --privileged**, OCI will enable access to all devices on the host as well as disable some of the confinement mechanisms like AppArmor, SELinux, and seccomp from blocking access to privileged processes.  This gives the container processes nearly all the same access to the host as processes generating outside of a container on the host.
 
+**--readonly-paths**=[]
+  Specifies paths readonly inside container. e.g. --readonly-paths=/proc/sys
+  This option can be specified multiple times.
+
 **--read-only**=true|false
   Mount the container's root filesystem as read only.