fix: enforce no-new-privileges on all container creation
The manifest field was validated but never applied to the podman create command. Now passes --security-opt no-new-privileges=true for all containers. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
367763e2fe
commit
fd2a837bea
@ -177,6 +177,9 @@ impl PodmanClient {
|
|||||||
cmd.arg("--cap-add").arg(cap);
|
cmd.arg("--cap-add").arg(cap);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Enforce no new privileges (prevent setuid escalation)
|
||||||
|
cmd.arg("--security-opt").arg("no-new-privileges=true");
|
||||||
|
|
||||||
// Image
|
// Image
|
||||||
cmd.arg(&manifest.app.container.image);
|
cmd.arg(&manifest.app.container.image);
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user