From f6edffea0dbc5814846bc7643d9457939e423d15 Mon Sep 17 00:00:00 2001
From: Conan Scott
Date: Mon, 12 Jan 2026 21:32:01 +1100
Subject: [PATCH] add CHOWN cap

---
 manifests/scc/scc-restricted-hostpath-privesc.yaml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/manifests/scc/scc-restricted-hostpath-privesc.yaml b/manifests/scc/scc-restricted-hostpath-privesc.yaml
index 18ecb76..9e44708 100644
--- a/manifests/scc/scc-restricted-hostpath-privesc.yaml
+++ b/manifests/scc/scc-restricted-hostpath-privesc.yaml
@@ -2,14 +2,15 @@ apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
 metadata:
   name: restricted-hostpath-privesc
-allowHostDirVolumePlugin: true # Needed for /dev/dri hostPath
+allowHostDirVolumePlugin: true # Needed for /dev/dri hostPath
 allowHostIPC: false
 allowHostNetwork: false
 allowHostPID: false
 allowHostPorts: false
 allowPrivilegeEscalation: true
 allowPrivilegedContainer: false
-allowedCapabilities: null
+allowedCapabilities:
+  - CHOWN
 defaultAddCapabilities: null
 fsGroup:
   type: MustRunAs
@@ -31,8 +32,9 @@ volumes:
   - configMap
   - downwardAPI
   - emptyDir
-  - hostPath # This is what distinguishes it from restricted-s6
+  - hostPath # This is what distinguishes it from restricted-s6
   - persistentVolumeClaim
   - projected
   - secret
-priority: 6 # Higher than restricted-s6 (5) due to hostPath access
\ No newline at end of file
+priority: 6 # Higher than restricted-s6 (5) due to hostPath access
+
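Review bot: The new `- CHOWN` entry under `allowedCapabilities` carries no comment, whereas every other non-default setting in this SCC (`allowHostDirVolumePlugin`, the `hostPath` volume, `priority`) states why it is there. That matters here because this SCC already permits hostPath volumes and nothing in the hunk restricts which host paths a pod may mount, so CHOWN lets an admitted pod change ownership of files on any host path it mounts, not only the /dev/dri nodes the existing comment mentions; the scope of this grant should be recorded next to it, e.g. `  - CHOWN  # <REASON PLACEHOLDER>: which workload needs it and on which path; pods must request it explicitly since defaultAddCapabilities stays null`. Whether `requiredDropCapabilities` in the unchanged part of the file still lists CHOWN is outside this hunk and would conflict with this entry if it does — worth confirming before merging.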