cli: allow --landlock without requiring a VM payload

The --landlock and --landlock-rules arguments were in the "vm-config" argument group, which requires the "vm-payload" group (--kernel or --firmware). This prevented using --landlock with API-socket-only mode, where the VM is configured later via the REST API. Remove these arguments from the "vm-config" group so that landlock process hardening can be enabled independently of VM payload configuration. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 20:25:17 +00:00 · 2026-03-23 20:25:17 +00:00 · 1e8f77fbda
commit 1e8f77fbda
parent 7933f33fa9
1 changed files with 2 additions and 4 deletions
--- a/cloud-hypervisor/src/main.rs
+++ b/cloud-hypervisor/src/main.rs
@ -318,13 +318,11 @@ fn get_cli_options_sorted(
                "enable/disable Landlock.",
            )
            .action(ArgAction::SetTrue)
-            .default_value("false")
-            .group("vm-config"),
+            .default_value("false"),
        Arg::new("landlock-rules")
            .long("landlock-rules")
            .help(LandlockConfig::SYNTAX)
-            .num_args(1..)
-            .group("vm-config"),
+            .num_args(1..),
        Arg::new("log-file")
            .long("log-file")
            .help("Log file. Standard error is used if not specified")