specgen: permit --privileged and --cap-add

--cap-add is useful when running a privileged container with UID != 0, so that individual capabilities can be added to the container process. Closes: https://github.com/containers/podman/issues/13449 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
author: Giuseppe Scrivano <gscrivan@redhat.com> 2022-04-01 10:15:08 +0200
committer: Giuseppe Scrivano <gscrivan@redhat.com> 2022-04-01 10:15:17 +0200
commit: 1cd529b22d40205c1f3246ed49f07e3615cf8292 (patch)
tree: 2bad250c3c7e36ef6f6c3609b559f7286459eec9 /pkg/specgen
parent: d1f3a2d6a82ed66d4dab5be62821bc59bfb84dd8 (diff)
download: podman-1cd529b22d40205c1f3246ed49f07e3615cf8292.tar.gz
podman-1cd529b22d40205c1f3246ed49f07e3615cf8292.tar.bz2
podman-1cd529b22d40205c1f3246ed49f07e3615cf8292.zip
1 files changed, 0 insertions, 4 deletions
diff --git a/pkg/specgen/container_validate.go b/pkg/specgen/container_validate.go
index e71eafb75..42b70e334 100644
--- a/pkg/specgen/container_validate.go
+++ b/pkg/specgen/container_validate.go
@@ -83,10 +83,6 @@ func (s *SpecGenerator) Validate() error {
 	//
 	// ContainerSecurityConfig
 	//
-	// capadd and privileged are exclusive
-	if len(s.CapAdd) > 0 && s.Privileged {
-		return exclusiveOptions("CapAdd", "privileged")
-	}
 	// userns and idmappings conflict
 	if s.UserNS.IsPrivate() && s.IDMappings == nil {
 		return errors.Wrap(ErrInvalidSpecConfig, "IDMappings are required when not creating a User namespace")
author	Giuseppe Scrivano <gscrivan@redhat.com>	2022-04-01 10:15:08 +0200
committer	Giuseppe Scrivano <gscrivan@redhat.com>	2022-04-01 10:15:17 +0200
commit	1cd529b22d40205c1f3246ed49f07e3615cf8292 (patch)
tree	2bad250c3c7e36ef6f6c3609b559f7286459eec9 /pkg/specgen
parent	d1f3a2d6a82ed66d4dab5be62821bc59bfb84dd8 (diff)
download	podman-1cd529b22d40205c1f3246ed49f07e3615cf8292.tar.gz podman-1cd529b22d40205c1f3246ed49f07e3615cf8292.tar.bz2 podman-1cd529b22d40205c1f3246ed49f07e3615cf8292.zip