NoNewPrivileges on most containers. drop all caps on a few others

beeper/etc/containers/systemd/sharkey/sharkey-activity.container

@@ -18,6 +18,8 @@ PublishPort=127.0.0.1:47815:3002
 Volume=/var/containers/sharkey/files:/sharkey/files:z
 Volume=/var/containers/sharkey/activity:/sharkey/.config:z
 Volume=/var/containers/sharkey/default.yml:/sharkey/.config/default.yml:ro,z
+# Security
+NoNewPrivileges=true
 
 [Service]
 Restart=always

beeper/etc/containers/systemd/sharkey/sharkey-api.container

@@ -17,6 +17,8 @@ PublishPort=127.0.0.1:60628:3001
 Volume=/var/containers/sharkey/files:/sharkey/files:z
 Volume=/var/containers/sharkey/api:/sharkey/.config:z
 Volume=/var/containers/sharkey/default.yml:/sharkey/.config/default.yml:ro,z
+# Security
+NoNewPrivileges=true
 
 [Service]
 Restart=always

beeper/etc/containers/systemd/sharkey/sharkey-dfdb.container

@@ -17,6 +17,8 @@ HealthCmd=redis-cli ping
 HealthOnFailure=kill
 HealthStartPeriod=10s
 Notify=healthy
+# Security
+NoNewPrivileges=true
 
 [Service]
 Restart=always

beeper/etc/containers/systemd/sharkey/sharkey-media.container

@@ -18,6 +18,8 @@ PublishPort=127.0.0.1:57378:3003
 Volume=/var/containers/sharkey/files:/sharkey/files:z
 Volume=/var/containers/sharkey/media:/sharkey/.config:z
 Volume=/var/containers/sharkey/default.yml:/sharkey/.config/default.yml:ro,z
+# Security
+NoNewPrivileges=true
 
 [Service]
 Restart=always

beeper/etc/containers/systemd/sharkey/sharkey-worker.container

@@ -15,6 +15,8 @@ Network=postgresql.network
 Volume=/var/containers/sharkey/files:/sharkey/files:z
 Volume=/var/containers/sharkey/worker:/sharkey/.config:z
 Volume=/var/containers/sharkey/default.yml:/sharkey/.config/default.yml:ro,z
+# Security
+NoNewPrivileges=true
 
 [Service]
 Restart=always