Already flagged as planned in SECURITY.md and the README Known Limitations: the container only needs --privileged for mount -t cifs. When ROMs come from a local volume mount, no elevated privileges are required at all; when CIFS is used, --cap-add SYS_ADMIN should be enough.
Suggested approach: document/run the container unprivileged by default; detect at mount time that the capability is missing and return a clear error telling the user which flag to add.
Already flagged as planned in
SECURITY.mdand the README Known Limitations: the container only needs--privilegedformount -t cifs. When ROMs come from a local volume mount, no elevated privileges are required at all; when CIFS is used,--cap-add SYS_ADMINshould be enough.Suggested approach: document/run the container unprivileged by default; detect at mount time that the capability is missing and return a clear error telling the user which flag to add.