quadlet: Allow multiple elements on each Add/DropCaps line

You can still use multiple lines, but this is not necessary.

Signed-off-by: Alexander Larsson <alexl@redhat.com>

docs/source/markdown/podman-systemd.unit.5.md

@@ -128,13 +128,25 @@ setuid and file capabilities.
 
 Drop these capabilities from the default container capability set. The default is `all`, allowing
 addition of capabilities with `AddCapability`. Set this to empty to drop no capabilities.
-This can be listed multiple times.
+
+This is a space separated list of capabilities. This key can be listed multiple times.
+
+For example:
+```
+DropCapability=CAP_DAC_OVERRIDE CAP_IPC_OWNER
+```
 
 #### `AddCapability=`
 
 By default, the container runs with no capabilities (due to DropCapabilities='all'). If any specific
 caps are needed, then add them with this key. For example using `AddCapability=CAP_DAC_OVERRIDE`.
-This can be listed multiple times.
+
+This is a space separated list of capabilities. This key can be listed multiple times.
+
+For example:
+```
+AddCapability=CAP_DAC_OVERRIDE CAP_IPC_OWNER
+```
 
 #### `ReadOnly=` (defaults to `yes`)
 

pkg/systemd/quadlet/quadlet.go

@@ -396,7 +396,7 @@ func ConvertContainer(container *parser.UnitFile, isUser bool) (*parser.UnitFile
 
 	dropCaps := []string{"all"} // Default
 	if container.HasKey(ContainerGroup, KeyDropCapability) {
-		dropCaps = container.LookupAll(ContainerGroup, KeyDropCapability)
+		dropCaps = container.LookupAllStrv(ContainerGroup, KeyDropCapability)
 	}
 
 	for _, caps := range dropCaps {
@@ -404,7 +404,7 @@ func ConvertContainer(container *parser.UnitFile, isUser bool) (*parser.UnitFile
 	}
 
 	// But allow overrides with AddCapability
-	addCaps := container.LookupAll(ContainerGroup, KeyAddCapability)
+	addCaps := container.LookupAllStrv(ContainerGroup, KeyAddCapability)
 	for _, caps := range addCaps {
 		podman.addf("--cap-add=%s", strings.ToLower(caps))
 	}

test/e2e/quadlet/capabilities.container

@@ -1,8 +1,9 @@
 ## assert-podman-args "--cap-drop=all"
 ## assert-podman-args "--cap-add=cap_dac_override"
+## assert-podman-args "--cap-add=cap_audit_write"
 ## assert-podman-args "--cap-add=cap_ipc_owner"
 
 [Container]
 Image=imagename
-AddCapability=CAP_DAC_OVERRIDE
+AddCapability=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
 AddCapability=CAP_IPC_OWNER

test/e2e/quadlet/capabilities2.container

@@ -0,0 +1,9 @@
+## !assert-podman-args "--cap-drop=all"
+## assert-podman-args "--cap-drop=cap_dac_override"
+## assert-podman-args "--cap-drop=cap_audit_write"
+## assert-podman-args "--cap-drop=cap_ipc_owner"
+
+[Container]
+Image=localhost/imagename
+DropCapability=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+DropCapability=CAP_IPC_OWNER

test/e2e/quadlet_test.go

@@ -269,6 +269,7 @@ var _ = Describe("quadlet system generator", func() {
 		Entry("annotation.container", "annotation.container"),
 		Entry("basepodman.container", "basepodman.container"),
 		Entry("capabilities.container", "capabilities.container"),
+		Entry("capabilities2.container", "capabilities2.container"),
 		Entry("env.container", "env.container"),
 		Entry("escapes.container", "escapes.container"),
 		Entry("exec.container", "exec.container"),