fix: enforce no-new-privileges on all container creation

The manifest field was validated but never applied to the podman create command. Now passes --security-opt no-new-privileges=true for all containers. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-11 19:06:59 +00:00 · 2026-03-11 19:06:59 +00:00 · 2a867b32a8
commit 2a867b32a8
parent 563aff1e44
1 changed files with 4 additions and 1 deletions
--- a/core/container/src/podman_client.rs
+++ b/core/container/src/podman_client.rs
@ -176,7 +176,10 @@ impl PodmanClient {
        for cap in &manifest.app.security.capabilities {
            cmd.arg("--cap-add").arg(cap);
        }
-        
+
+        // Enforce no new privileges (prevent setuid escalation)
+        cmd.arg("--security-opt").arg("no-new-privileges=true");
+
        // Image
        cmd.arg(&manifest.app.container.image);