This prevents any program on the host from gaining privileges via execve(), ever. There are currently no such programs on the host so this should be a no-op for now. Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- host/rootfs/image/etc/init | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/host/rootfs/image/etc/init b/host/rootfs/image/etc/init index 4085fa55545e7309004967e443e47fc2b82b0663..e9938acec866045962a8ead096d199cbd3792469 100755 --- a/host/rootfs/image/etc/init +++ b/host/rootfs/image/etc/init @@ -2,4 +2,4 @@ # SPDX-License-Identifier: EUPL-1.2+ # SPDX-FileCopyrightText: 2022 Alyssa Ross <hi@alyssa.is> -/bin/s6-linux-init -c /etc/s6-linux-init -s /run/param -- $@ +/usr/bin/setpriv --no-new-privs -- /bin/s6-linux-init -c /etc/s6-linux-init -s /run/param -- $@ --- base-commit: 92e219e7c08c479d216a46d2736ea9d229ff034d change-id: 20251205-no-new-privs-2f22088c0736 -- Sincerely, Demi Marie Obenour (she/her/hers)
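Review bot: /usr/bin/setpriv is now on the exec path of PID 1, so the host rootfs image must actually ship util-linux's setpriv at that exact path; if it is absent, /etc/init fails to exec and the boot stops at the init stage instead of degrading gracefully, so please confirm the binary is included in the image alongside this change. Since the line is being rewritten anyway, consider quoting the argument expansion ("$@") so that parameters containing whitespace reach s6-linux-init intact. It would also help to state in the commit message that no_new_privs is inherited by every process s6-linux-init spawns and can never be cleared, so setuid bits and file capabilities on any future binary in the image will be silently ignored rather than failing loudly.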
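As an added example that is not part of the patch or the project's code: the kernel attribute that `setpriv --no-new-privs` sets before it execs s6-linux-init, exercised directly through prctl(2). It assumes Linux; the function names are the example's own.

```c
// Added example, not code from the patch or the project. It shows the
// semantics behind `setpriv --no-new-privs`: setpriv calls
// prctl(PR_SET_NO_NEW_PRIVS, 1) and then execs its target. The flag is
// inherited across fork() and execve() and can never be cleared, which is
// why setting it in PID 1's exec chain covers every later process.
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set no_new_privs on the calling thread. Returns 0 on success, -1 on error. */
int set_no_new_privs(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Query the flag: 1 if set, 0 if clear, -1 on error. */
int query_no_new_privs(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Try to clear the flag. The kernel only accepts arg2 == 1, so this is
 * refused with -1/EINVAL: once set, no_new_privs is one-way. */
int try_clear_no_new_privs(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Fork a child and report what the child sees for the flag.
 * Returns the child's view (0 or 1), or -1 if fork/wait fails. */
int child_sees_no_new_privs(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(query_no_new_privs() == 1 ? 1 : 0);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("before: no_new_privs=%d\n", query_no_new_privs());
    if (set_no_new_privs() != 0) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        return 1;
    }
    printf("after:  no_new_privs=%d\n", query_no_new_privs());
    printf("child:  no_new_privs=%d\n", child_sees_no_new_privs());
    printf("clear attempt rc=%d\n", try_clear_no_new_privs());
    return 0;
}
```

After the flag is set, an execve() of a setuid or file-capability binary from this process or any descendant still succeeds, but the kernel grants no additional privilege; that is the property the patch relies on for everything s6-linux-init starts.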