quadlet: Use same default capability set as podman run

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2025-10-17 11:14:40 +08:00 · 2022-12-02 16:37:22 +01:00
parent b34ab8b5fa
commit 16cf34dc3a
4 changed files with 3 additions and 10 deletions
--- a/docs/source/markdown/podman-systemd.unit.5.md
+++ b/docs/source/markdown/podman-systemd.unit.5.md
@ -116,8 +116,7 @@ setuid and file capabilities.

 #### `DropCapability=` (defaults to `all`)

-Drop these capabilities from the default podman capability set, or `all` for all capabilities. The default if no
-`DropCapability` is set is `all`. Set this to empty (i.e. `DropCapability=`) to use the default podman capability set.
+Drop these capabilities from the default podman capability set, or `all` to drop all capabilities.

 This is a space separated list of capabilities. This key can be listed multiple times.

@ -140,7 +139,7 @@ AddCapability=CAP_DAC_OVERRIDE CAP_IPC_OWNER

 #### `ReadOnly=` (defaults to `no`)

-If enabled, makes image read-only, with /var/tmp, /tmp and /run a tmpfs (unless disabled by `VolatileTmp=no`).
+If enabled, makes image read-only, with /var/tmp, /tmp and /run a tmpfs (unless disabled by `VolatileTmp=no`).r

 **NOTE:** Podman will automatically copy any content from the image onto the tmpfs

--- a/pkg/systemd/quadlet/quadlet.go
+++ b/pkg/systemd/quadlet/quadlet.go
@ -312,10 +312,7 @@ func ConvertContainer(container *parser.UnitFile, isUser bool) (*parser.UnitFile
 		podman.add("--security-opt", fmt.Sprintf("seccomp=%s", seccompProfile))
 	}

-	dropCaps := []string{"all"} // Default
-	if container.HasKey(ContainerGroup, KeyDropCapability) {
-		dropCaps = container.LookupAllStrv(ContainerGroup, KeyDropCapability)
-	}
+	dropCaps := container.LookupAllStrv(ContainerGroup, KeyDropCapability)

 	for _, caps := range dropCaps {
 		podman.addf("--cap-drop=%s", strings.ToLower(caps))
--- a/test/e2e/quadlet/basic.container
+++ b/test/e2e/quadlet/basic.container
@ -8,7 +8,6 @@
 ## assert-podman-args "--runtime" "/usr/bin/crun"
 ## assert-podman-args "--cgroups=split"
 ## assert-podman-args "--sdnotify=conmon"
-## assert-podman-args "--cap-drop=all"
 ## assert-key-is "Unit" "RequiresMountsFor" "%t/containers"
 ## assert-key-is "Service" "KillMode" "mixed"
 ## assert-key-is "Service" "Delegate" "yes"
--- a/test/e2e/quadlet/capabilities.container
+++ b/test/e2e/quadlet/capabilities.container
@ -5,7 +5,5 @@

 [Container]
 Image=localhost/imagename
-# Verify that we can reset to the default cap set
-DropCapability=
 AddCapability=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
 AddCapability=CAP_IPC_OWNER