From 57a699649524620716935fef27d470598117ee6d Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Tue, 18 Feb 2025 08:47:10 +0100 Subject: [PATCH] docs: warn about adding capabilities Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2345676 Signed-off-by: Giuseppe Scrivano --- docs/source/markdown/options/cap-add.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/source/markdown/options/cap-add.md b/docs/source/markdown/options/cap-add.md index d5199579cb..7495b84d93 100644 --- a/docs/source/markdown/options/cap-add.md +++ b/docs/source/markdown/options/cap-add.md @@ -5,3 +5,11 @@ #### **--cap-add**=*capability* Add Linux capabilities. + +Granting additional capabilities increases the privileges of the +processes running inside the container and potentially allow it to +break out of confinement. Capabilities like `CAP_SYS_PTRACE`, +`CAP_MKNOD` and `CAP_SYS_MODULE` are particularly dangerous. + +Before adding any capability, review its security implications and +ensure it is really necessary for the container’s functionality.
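Review bot: subject-verb agreement in the first added paragraph: the subject is "Granting additional capabilities", so "potentially allow it to break out" should read "and may allow them to break out of confinement" (the pronoun should also refer to the processes just mentioned rather than to an unstated "it"). Two smaller points in the same hunk: "potentially allow" is weaker than the warning intends, so "may allow" or "can allow" reads better, and the final line uses a typographic apostrophe in "container’s"; a plain ASCII apostrophe ("container's") is safer for man-page rendering and consistent with the rest of the options docs. The warning itself is a welcome addition: the three named capabilities are good examples, and the closing advice to review each capability's implications before adding it is the right framing.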