From dfebe4e9b3711dfb291827c6d6e350713780418a Mon Sep 17 00:00:00 2001
From: Leopold Schabel <mail@leoschabel.de>
Date: Thu, 2 May 2019 11:12:39 +0000
Subject: [PATCH] docs: Clarify security boundaries in privileged mode

See https://github.com/kata-containers/runtime/issues/1568

Fixes #453

Signed-off-by: Leopold Schabel <mail@leoschabel.de>
---
 Limitations.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/Limitations.md b/Limitations.md
index 3fe2973f..9d94fb2d 100644
--- a/Limitations.md
+++ b/Limitations.md
@@ -221,11 +221,15 @@ See more documentation at
 
 Privileged support in Kata is essentially different from `runc` containers.
 Kata does support `docker run --privileged` command, but in this case full access
-to the guest VM is provided instead of the host.
+to the guest VM is provided in addition to some host access.
+
 The container runs with elevated capabilities within the guest and is granted 
 access to guest devices instead of the host devices.
 This is also true with using `securityContext privileged=true` with Kubernetes.
 
+The container may also be granted full access to a subset of host devices
+(https://github.com/kata-containers/runtime/issues/1568).
+
 # Miscellaneous
 
 This section lists limitations where the possible solutions are uncertain.