mirror of
https://github.com/containers/podman.git
synced 2025-06-01 17:17:47 +08:00
8db2b4b733
Users need to know about this side effect.
Fixes: 5a2405ae1b3a ("Don't mount /dev/tty* inside privileged...")
Fixes: f4c81b0aa5fd ("Only prevent VTs to be mounted inside ...")
Signed-off-by: Martin Roukala (né Peres) <martin.roukala@mupuf.org>
21 lines
972 B
Markdown
21 lines
972 B
Markdown
####> This option file is used in:
|
|
####> podman create, exec, run
|
|
####> If file is edited, make sure the changes
|
|
####> are applicable to all of those.
|
|
#### **--privileged**
|
|
|
|
Give extended privileges to this container. The default is **false**.
|
|
|
|
By default, Podman containers are unprivileged (**=false**) and cannot, for
|
|
example, modify parts of the operating system. This is because by default a
|
|
container is only allowed limited access to devices. A "privileged" container
|
|
is given the same access to devices as the user launching the container, with
|
|
the exception of virtual consoles (_/dev/tty\d+_) when running in systemd
|
|
mode (**--systemd=always**).
|
|
|
|
A privileged container turns off the security features that isolate the
|
|
container from the host. Dropped Capabilities, limited devices, read-only mount
|
|
points, Apparmor/SELinux separation, and Seccomp filters are all disabled.
|
|
|
|
Rootless containers cannot have more privileges than the account that launched them.
|