aboutsummaryrefslogtreecommitdiff
path: root/pkg/specgen
diff options
context:
space:
mode:
authorGiuseppe Scrivano <gscrivan@redhat.com>2022-04-01 10:15:08 +0200
committerGiuseppe Scrivano <gscrivan@redhat.com>2022-04-01 10:15:17 +0200
commit1cd529b22d40205c1f3246ed49f07e3615cf8292 (patch)
tree2bad250c3c7e36ef6f6c3609b559f7286459eec9 /pkg/specgen
parentd1f3a2d6a82ed66d4dab5be62821bc59bfb84dd8 (diff)
downloadpodman-1cd529b22d40205c1f3246ed49f07e3615cf8292.tar.gz
podman-1cd529b22d40205c1f3246ed49f07e3615cf8292.tar.bz2
podman-1cd529b22d40205c1f3246ed49f07e3615cf8292.zip
specgen: permit --privileged and --cap-add
--cap-add is useful when running a privileged container with UID != 0, so that individual capabilities can be added to the container process. Closes: https://github.com/containers/podman/issues/13449 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'pkg/specgen')
-rw-r--r--pkg/specgen/container_validate.go4
1 files changed, 0 insertions, 4 deletions
diff --git a/pkg/specgen/container_validate.go b/pkg/specgen/container_validate.go
index e71eafb75..42b70e334 100644
--- a/pkg/specgen/container_validate.go
+++ b/pkg/specgen/container_validate.go
@@ -83,10 +83,6 @@ func (s *SpecGenerator) Validate() error {
//
// ContainerSecurityConfig
//
- // capadd and privileged are exclusive
- if len(s.CapAdd) > 0 && s.Privileged {
- return exclusiveOptions("CapAdd", "privileged")
- }
// userns and idmappings conflict
if s.UserNS.IsPrivate() && s.IDMappings == nil {
return errors.Wrap(ErrInvalidSpecConfig, "IDMappings are required when not creating a User namespace")