containers.conf: add privileged field to containers table

As requested in containers/podman/issues/20000, add a `privileged` field
to the containers table in containers.conf.  I was hesitant to add such
a field at first (for security reasons) but I understand that such a
field can come in handy when using modules - certain workloads require a
privileged container.

Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>

vendor/github.com/containers/common/libimage/copier.go

@@ -72,7 +72,7 @@ type CopyOptions struct {
 	// Default 3.
 	MaxRetries *uint
 	// RetryDelay used for the exponential back off of MaxRetries.
-	// Default 1 time.Scond.
+	// Default 1 time.Second.
 	RetryDelay *time.Duration
 	// ManifestMIMEType is the desired media type the image will be
 	// converted to if needed.  Note that it must contain the exact MIME

vendor/github.com/containers/common/libimage/filters.go

@@ -289,7 +289,7 @@ func filterReferences(r *Runtime, value string) filterFunc {
 			refString := ref.String() // FQN with tag/digest
 			candidates := []string{refString}
 
-			// Split the reference into 3 components (twice if diggested/tagged):
+			// Split the reference into 3 components (twice if digested/tagged):
 			// 1) Fully-qualified reference
 			// 2) Without domain
 			// 3) Without domain and path

vendor/github.com/containers/common/libnetwork/netavark/network.go

@@ -53,7 +53,7 @@ type netavarkNetwork struct {
 	// ipamDBPath is the path to the ip allocation bolt db
 	ipamDBPath string
 
-	// syslog describes whenever the netavark debbug output should be log to the syslog as well.
+	// syslog describes whenever the netavark debug output should be log to the syslog as well.
 	// This will use logrus to do so, make sure logrus is set up to log to the syslog.
 	syslog bool
 
@@ -93,7 +93,7 @@ type InitConfig struct {
 	// PluginDirs list of directories were netavark plugins are located
 	PluginDirs []string
 
-	// Syslog describes whenever the netavark debbug output should be log to the syslog as well.
+	// Syslog describes whenever the netavark debug output should be log to the syslog as well.
 	// This will use logrus to do so, make sure logrus is set up to log to the syslog.
 	Syslog bool
 }

vendor/github.com/containers/common/pkg/config/config.go

@@ -213,6 +213,18 @@ type ContainersConfig struct {
 	// performance implications.
 	PrepareVolumeOnCreate bool `toml:"prepare_volume_on_create,omitempty"`
 
+	// Give extended privileges to all containers. A privileged container
+	// turns off the security features that isolate the container from the
+	// host. Dropped Capabilities, limited devices, read-only mount points,
+	// Apparmor/SELinux separation, and Seccomp filters are all disabled.
+	// Due to the disabled security features the privileged field should
+	// almost never be set as containers can easily break out of
+	// confinment.
+	//
+	// Containers running in a user namespace (e.g., rootless containers)
+	// cannot have more privileges than the user that launched them.
+	Privileged bool `toml:"privileged,omitempty"`
+
 	// ReadOnly causes engine to run all containers with root file system mounted read-only
 	ReadOnly bool `toml:"read_only,omitempty"`
 
@@ -662,7 +674,7 @@ type MachineConfig struct {
 	Provider string `toml:"provider,omitempty"`
 }
 
-// FarmConfig represents the "farm" TOML config tabls
+// FarmConfig represents the "farm" TOML config tables
 type FarmConfig struct {
 	// Default is the default farm to be used when farming out builds
 	Default string `toml:"default,omitempty"`

vendor/github.com/containers/common/pkg/config/containers.conf

@@ -237,6 +237,18 @@ default_sysctls = [
 #
 #prepare_volume_on_create = false
 
+# Give extended privileges to all containers. A privileged container turns off
+# the security features that isolate the container from the host. Dropped
+# Capabilities, limited devices, read-only mount points, Apparmor/SELinux
+# separation, and Seccomp filters are all disabled. Due to the disabled
+# security features the privileged field should almost never be set as
+# containers can easily break out of confinment.
+#
+# Containers running in a user namespace (e.g., rootless containers) cannot
+# have more privileges than the user that launched them.
+#
+#privileged = false
+
 # Run all containers with root file system mounted read-only
 #
 # read_only = false

vendor/github.com/containers/common/pkg/config/containers.conf-freebsd

@@ -200,6 +200,18 @@ default_sysctls = [
 #
 #prepare_volume_on_create = false
 
+# Give extended privileges to all containers. A privileged container turns off
+# the security features that isolate the container from the host. Dropped
+# Capabilities, limited devices, read-only mount points, Apparmor/SELinux
+# separation, and Seccomp filters are all disabled. Due to the disabled
+# security features the privileged field should almost never be set as
+# containers can easily break out of confinment.
+#
+# Containers running in a user namespace (e.g., rootless containers) cannot
+# have more privileges than the user that launched them.
+#
+#privileged = false
+
 # Set timezone in container. Takes IANA timezones as well as "local",
 # which sets the timezone in the container to match the host machine.
 #