security: harden gateway container privileges

Adds cap_drop and no-new-privileges hardening for the bundled gateway Docker Compose services.\n\nThanks @VintageAyu.
2026-05-06 20:00:42 +00:00 · 2026-05-05 13:07:26 +05:30
parent 121ac44fa8
commit f9da484365
3 changed files with 7 additions and 1 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -49,6 +49,11 @@ services:
    # Let bundled local-model providers reach host-side LM Studio/Ollama via
    # http://host.docker.internal:<port>. Docker Desktop usually provides this
    # alias; the host-gateway mapping makes it work on Linux Docker Engine too.
+    cap_drop:
+      - NET_RAW
+      - NET_ADMIN
+    security_opt:
+      - no-new-privileges:true
    extra_hosts:
      - "host.docker.internal:host-gateway"
    ports: