Demi Marie Obenour writes: > This prevents any program on the host from gaining privileges via > execve(), ever. There are currently no such programs on the host so > this should be a no-op for now. > > Signed-off-by: Demi Marie Obenour > --- > host/rootfs/image/etc/init | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/host/rootfs/image/etc/init b/host/rootfs/image/etc/init > index 4085fa55545e7309004967e443e47fc2b82b0663..e9938acec866045962a8ead096d199cbd3792469 100755 > --- a/host/rootfs/image/etc/init > +++ b/host/rootfs/image/etc/init > @@ -2,4 +2,4 @@ > # SPDX-License-Identifier: EUPL-1.2+ > # SPDX-FileCopyrightText: 2022 Alyssa Ross > > -/bin/s6-linux-init -c /etc/s6-linux-init -s /run/param -- $@ > +/usr/bin/setpriv --no-new-privs -- /bin/s6-linux-init -c /etc/s6-linux-init -s /run/param -- $@ Looks good, but it's a standard chainloader interface so should be on its own line. I'll fix that when I commit.
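Review bot: the added `+` line makes `/usr/bin/setpriv` a hard dependency of the init exec chain, but the diffstat shows only `host/rootfs/image/etc/init` changing. Please confirm that the host rootfs image already ships setpriv (util-linux) at exactly that path, or add it in this patch, because if the exec of setpriv fails, `/bin/s6-linux-init` is never started. It would also help to put a short comment above the line saying that no_new_privs is inherited by every descendant of init and cannot be cleared once set. The commit message calls this a no-op "for now", so whoever later adds a setuid or file-capability binary to the host needs a pointer to why it does not gain privileges.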