From b43863ae2ad083cd77c7f0fb316ac9c16e4ea23c Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Tue, 18 Feb 2025 08:47:10 +0100 Subject: [PATCH] docs: warn about adding capabilities Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2345676 Signed-off-by: Giuseppe Scrivano --- docs/source/markdown/options/cap-add.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/source/markdown/options/cap-add.md b/docs/source/markdown/options/cap-add.md index d5199579cb..67fc2e4d36 100644 --- a/docs/source/markdown/options/cap-add.md +++ b/docs/source/markdown/options/cap-add.md @@ -5,3 +5,15 @@ #### **--cap-add**=*capability* Add Linux capabilities. + +Granting additional capabilities increases the privileges of the +processes running inside the container and potentially allow it to +break out of confinement. Capabilities like `CAP_SYS_ADMIN`, +`CAP_SYS_PTRACE`, `CAP_MKNOD` and `CAP_SYS_MODULE` are particularly +dangerous when they are not used within a user namespace. Please +refer to **user_namespaces(7)** for a more detailed explanation of the +interaction between user namespaces and capabilities. + +Before adding any capability, review its security implications and +ensure it is really necessary for the container’s functionality. See +**capabilities(7)** for more information.
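Review bot: The first added sentence in the hunk has a subject/verb mismatch: "the privileges of the processes running inside the container and potentially allow it to break out" mixes plural "processes" with singular "it" and an unconjugated "allow". Suggest "Granting additional capabilities increases the privileges of the processes running inside the container and potentially allows them to break out of confinement." The rest of the added text reads well; the pointers to **user_namespaces(7)** and **capabilities(7)** are the right references for the user-namespace caveat the paragraph makes.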