49b5b0c54d
This means you're able to set the bits for capabilities on files inside the container. This is needed for e.g. many fedora packages as they use finegrained capabilities rather than setuid binaries. This is safe as we're not adding capabilities really, since the container is already allowed to create setuid binaries. Setuid binaries are strictly more powerful that any capabilities (as root implies all capabilities). This doesn't mean the container can *gain* capabilities that it doesn't already have though. The actual set of caps are strictly decreasing. Upstream-commit: 80319add5542153146fdaecd46be5549b4397beb Component: engine