From 2a867b32a823e588bda3010453636abd2446fa02 Mon Sep 17 00:00:00 2001
From: Dorian
Date: Wed, 11 Mar 2026 19:06:59 +0000
Subject: [PATCH] fix: enforce no-new-privileges on all container creation

The manifest field was validated but never applied to the podman create command. Now passes --security-opt no-new-privileges=true for all containers.

Co-Authored-By: Claude Opus 4.6
---
 core/container/src/podman_client.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/core/container/src/podman_client.rs b/core/container/src/podman_client.rs
index 8c9368fd..25f6c805 100644
--- a/core/container/src/podman_client.rs
+++ b/core/container/src/podman_client.rs
@@ -176,7 +176,10 @@ impl PodmanClient {
 for cap in &manifest.app.security.capabilities {
 cmd.arg("--cap-add").arg(cap);
 }
-
+
+ // Enforce no new privileges (prevent setuid escalation)
+ cmd.arg("--security-opt").arg("no-new-privileges=true");
+
 // Image
 cmd.arg(&manifest.app.container.image);