From 76ad143d00b56d057f81993a376a6b9c533e8951 Mon Sep 17 00:00:00 2001
From: Plamen Bardarov
Date: Mon, 27 Apr 2026 17:08:14 +0300
Subject: [PATCH] Add garden.no_new_privileges BOSH property

Wire new BOSH property to Guardian's --no-new-privileges flag via config.ini. Defaults to false.

Bump guardian submodule.
---
 jobs/garden/spec | 4 ++++
 jobs/garden/templates/config/config.ini.erb | 3 +++
 src/guardian | 2 +-
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/jobs/garden/spec b/jobs/garden/spec
index 40e7ffec6..65dbc44d8 100644
--- a/jobs/garden/spec
+++ b/jobs/garden/spec
@@ -202,6 +202,10 @@ properties:
 description: AppArmor profile to use for unprivileged container processes
 default: garden-default
 
+ garden.no_new_privileges:
+ description: "Set NoNewPrivileges on unprivileged container processes. Prevents privilege escalation via setuid binaries and file capabilities."
+ default: false
+
 garden.device_cgroup_rules:
 description: Device cgroup rules that will be applied to privileged containers. By default loop devices are allowed for privileged containers.
 default: ["b 7:* rwm", "c 10:237 rwm"]
diff --git a/jobs/garden/templates/config/config.ini.erb b/jobs/garden/templates/config/config.ini.erb
index 52cf8b9b1..9d53aa4c3 100644
--- a/jobs/garden/templates/config/config.ini.erb
+++ b/jobs/garden/templates/config/config.ini.erb
@@ -72,6 +72,9 @@ parse_ip(p('garden.network_pool'), 'garden.network_pool')
 <% if apparmor_profile_provided -%>
 apparmor = <%= p("garden.apparmor_profile") %>
 <% end -%>
+<% if p("garden.no_new_privileges") -%>
+ no-new-privileges = true
+<% end -%>
 
 ; binaries
 iptables-bin = <%= p("garden.iptables_bin_dir") %>/iptables
diff --git a/src/guardian b/src/guardian
index bf052dd60..55da34e5e 160000
--- a/src/guardian
+++ b/src/guardian
@@ -1 +1 @@
-Subproject commit bf052dd60ebfd7a292776e38d95c7a6cf12a7b9a
+Subproject commit 55da34e5e0473c3f54c2b02b4044bb789cd2b73f
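Review bot: The new `garden.no_new_privileges` description in jobs/garden/spec states the effect but not which Guardian setting it drives, so an operator reading the spec cannot tell that it maps to a daemon-wide flag rather than a per-container setting; the commit message has that detail and the spec should carry it too. The description says "unprivileged container processes", but the template only emits a global `no-new-privileges = true`, and whether Guardian restricts it to unprivileged containers is not visible in this patch — worth confirming against the bumped submodule before the wording is relied on. Suggested description: `"Set NoNewPrivileges (PR_SET_NO_NEW_PRIVS) on unprivileged container processes so they cannot gain privileges via setuid binaries or file capabilities. Maps to Guardian's --no-new-privileges flag; defaults to false to preserve existing behaviour."`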
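Review bot: The guard `<% if p("garden.no_new_privileges") -%>` in config.ini.erb is a plain Ruby truthiness test, so any non-nil, non-false manifest value — including a quoted string such as `"false"`, which YAML delivers as a String — renders `no-new-privileges = true`, and a value meant to disable the hardening can silently enable it. Comparing explicitly avoids that: `<% if p("garden.no_new_privileges") == true -%>`. A second consequence of the guard is that in the default case the key is absent from the rendered config.ini, so nothing in the generated file shows whether the setting is off or merely unset; if Guardian's ini parser accepts an explicit `false` (not verifiable from this patch), rendering `no-new-privileges = <%= p("garden.no_new_privileges") == true %>` unconditionally would make the effective value auditable from the node. Either way the expected value type belongs in the property description, since the spec does not enforce it.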