docs: warn about adding capabilities

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2345676 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
containers · Feb 18, 2025 · b43863a · b43863a
1 parent e88ccec
commit b43863a
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/docs/source/markdown/options/cap-add.md b/docs/source/markdown/options/cap-add.md
@@ -5,3 +5,15 @@
 #### **--cap-add**=*capability*
 
 Add Linux capabilities.
+
+Granting additional capabilities increases the privileges of the
+processes running inside the container and potentially allow it to
+break out of confinement.  Capabilities like `CAP_SYS_ADMIN`,
+`CAP_SYS_PTRACE`, `CAP_MKNOD` and `CAP_SYS_MODULE` are particularly
+dangerous when they are not used within a user namespace.  Please
+refer to **user_namespaces(7)** for a more detailed explanation of the
+interaction between user namespaces and capabilities.
+
+Before adding any capability, review its security implications and
+ensure it is really necessary for the container’s functionality.  See
+**capabilities(7)** for more information.