From edd6f2cfa9b08c5c43cea545f9ecc8b5021cf9d6 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Fri, 8 Aug 2025 02:11:55 +0900
Subject: [PATCH] container: document ambient capabilities
Signed-off-by: Ophestra
---
 container/container.go | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/container/container.go b/container/container.go
index a0e1c2d..ea715d9 100644
--- a/container/container.go
+++ b/container/container.go
@@ -145,8 +145,14 @@ func (p *Container) Start() error {
 Cloneflags: CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWUTS | CLONE_NEWCGROUP,
- // remain privileged for setup
- AmbientCaps: []uintptr{CAP_SYS_ADMIN, CAP_SETPCAP, CAP_DAC_OVERRIDE},
+ AmbientCaps: []uintptr{
+ // general container setup
+ CAP_SYS_ADMIN,
+ // drop capabilities
+ CAP_SETPCAP,
+ // overlay access to upperdir and workdir
+ CAP_DAC_OVERRIDE,
+ },
 UseCgroupFD: p.Cgroup != nil,
 }
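Review bot: The new per-capability comments say what each cap is for but not how long it stays held, and because these go into the ambient set they survive execve into the container init and into anything it execs until something explicitly clears them; the hunk shows no such drop and `Start()` continues outside it, so the invariant belongs on the `AmbientCaps:` line: `// Ambient caps persist across execve; the init must clear them (PR_CAP_AMBIENT_CLEAR_ALL) and shrink the bounding set (PR_CAPBSET_DROP) before running any payload`. The `// drop capabilities` comment on `CAP_SETPCAP` is also imprecise: removing caps from a process's own permitted, effective or ambient sets needs no capability at all, and CAP_SETPCAP is what `PR_CAPBSET_DROP` (and raising inheritable caps) requires, so `// PR_CAPBSET_DROP: shrink the bounding set before exec` would record the actual reason it is held. Presumably the setup code outside this hunk does both; worth confirming against it, since a payload exec'd before that point inherits CAP_SYS_ADMIN in the new user namespace.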