From e4b0e731d68b5e6d50ed21301523d415a728d2fd Mon Sep 17 00:00:00 2001
From: Ohad Livne
Date: Thu, 9 Apr 2026 21:56:06 +0300
Subject: [PATCH] Restrict service container privileges

---
 .config/containers/systemd/ollama.container | 2 ++
 .config/containers/systemd/plantuml.container | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/.config/containers/systemd/ollama.container b/.config/containers/systemd/ollama.container
index 98929ac..051de23 100644
--- a/.config/containers/systemd/ollama.container
+++ b/.config/containers/systemd/ollama.container
@@ -5,9 +5,11 @@ Description=A local LLM server
 # keep-sorted start
 AutoUpdate=registry
 ContainerName=ollama
+DropCapability=ALL
 Environment=OLLAMA_KEEP_ALIVE=10m
 Image=docker.io/ollama/ollama:latest
 Network=ollama.network
+NoNewPrivileges=true
 PodmanArgs=--transient-store
 PublishPort=11434:11434
 ReadOnly=true
diff --git a/.config/containers/systemd/plantuml.container b/.config/containers/systemd/plantuml.container
index aa8057d..0648c34 100644
--- a/.config/containers/systemd/plantuml.container
+++ b/.config/containers/systemd/plantuml.container
@@ -5,8 +5,10 @@ Description=A local PlantUML server
 # keep-sorted start
 AutoUpdate=registry
 ContainerName=plantuml
+DropCapability=ALL
 Image=docker.io/plantuml/plantuml-server:jetty
 Network=private
+NoNewPrivileges=true
 PodmanArgs=--transient-store
 PublishPort=8080:8080
 ReadOnly=true
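Review bot: `DropCapability=ALL` combined with `NoNewPrivileges=true` in both units (ollama.container and plantuml.container) assumes neither image's entrypoint needs to regain a capability at startup, such as CAP_SETUID/CAP_SETGID for a root entrypoint that switches to a service user or CAP_CHOWN to fix ownership of a mounted volume; neither hunk shows the images' runtime user, so this should be confirmed against the first start after the change rather than assumed. Because the units live under `.config/containers/systemd/`, these appear to be rootless user units, which already narrows what the in-container root can do, but the container process is still UID 0 inside its namespace; adding a `User=` line naming the service account the image expects (with `UserNS=keep-id` if a bind-mounted volume must stay owned by the host user) would finish the hardening the commit title describes. Each unit's remaining keys, including any volume lines that `ReadOnly=true` depends on, continue outside the hunk, so the interaction with writable mounts could not be checked here.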