You should be able to specify --cap-add=all --cap-drop=cap_perfmon
And end up with all capabilities except cap_perfmon.
You should not be allowed to specify --cap-add all --cap-drop all
The outcome would be undefined.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

follow up to "capabilities: add new method BoundingSet()".
When ALL is used, limit it to the known capabilities in the bounding
set instead of ALL the known capabilities.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

add a new public function to retrieve all the capabilities in the
current bounding set.
This is useful for Podman to use only these capabilities when running
with --privileged as it can break running in a container where the
available capabilities can be a subset of the ones available in the
kernel.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
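
The behaviour these three commits describe, combined into one added Go sketch that is not the project's own code: `normalize` and `resolveCaps` are hypothetical helpers, and the bounding set is passed in as constructed sample data instead of being read from the kernel. Base and bounding entries are assumed to be already in `CAP_X` form.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// normalize upper-cases names, adds the CAP_ prefix, and reports whether ALL was given.
func normalize(in []string) (map[string]bool, bool) {
	set, all := map[string]bool{}, false
	for _, c := range in {
		if c = strings.ToUpper(strings.TrimSpace(c)); c == "ALL" {
			all = true
		} else {
			set["CAP_"+strings.TrimPrefix(c, "CAP_")] = true
		}
	}
	return set, all
}

// resolveCaps (hypothetical) applies adds and drops to base; explicit drops always win.
func resolveCaps(bounding, base, adds, drops []string) ([]string, error) {
	addSet, addAll := normalize(adds)
	dropSet, dropAll := normalize(drops)
	if addAll && dropAll { // outcome would be undefined, so refuse it
		return nil, fmt.Errorf("adding all and dropping all capabilities is not allowed")
	}
	if addAll {
		base = bounding // ALL expands to the bounding set, not every known capability
	} else if dropAll {
		base = nil // start from nothing; only explicit adds remain
	}
	for _, c := range base {
		addSet[c] = true
	}
	out := []string{}
	for c := range addSet {
		if !dropSet[c] {
			out = append(out, c)
		}
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	bounding := []string{"CAP_CHOWN", "CAP_KILL", "CAP_PERFMON"} // constructed sample
	fmt.Println(resolveCaps(bounding, nil, []string{"all"}, []string{"cap_perfmon"}))
}
```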