From 4517e526baa718ddedc1cb3581e8f75d303da753 Mon Sep 17 00:00:00 2001
From: Marcus Holland-Moritz
Date: Tue, 29 Jul 2025 09:42:01 +0200
Subject: [PATCH] chore: no more --privileged containers
---
 .docker/Makefile | 2 +-
 .github/workflows/docker-run-build.yml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.docker/Makefile b/.docker/Makefile
index c481e10b..36acd69a 100644
--- a/.docker/Makefile
+++ b/.docker/Makefile
@@ -10,7 +10,7 @@ ROOT_DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
 NPROC:=$(shell nproc)
 COMMON_RUN_OPTS=-it --rm \
- --cap-add SYS_ADMIN --device /dev/fuse --privileged \
+ --cap-add SYS_ADMIN --device /dev/fuse \
 --mount type=bind,source="$(ROOT_DIR)"/..,target=/workspace,readonly \
 --mount type=bind,source="$(ROOT_DIR)"/../@docker-ccache,target=/ccache \
 --mount type=bind,source="$(ROOT_DIR)"/../@docker-home,target=/home/mhx \
diff --git a/.github/workflows/docker-run-build.yml b/.github/workflows/docker-run-build.yml
index 34fa2337..7b714259 100644
--- a/.github/workflows/docker-run-build.yml
+++ b/.github/workflows/docker-run-build.yml
@@ -64,8 +64,8 @@ jobs:
 - name: Run Build
 run: |
- docker run --rm \
- --cap-add SYS_ADMIN --device /dev/fuse --privileged \
+ docker run --rm --init \
+ --cap-add SYS_ADMIN --device /dev/fuse --security-opt apparmor:unconfined \
 --mount type=bind,source=${GITHUB_WORKSPACE},target=/workspace,readonly \
 --mount type=bind,source=${{ runner.temp }},target=/tmp-runner \
 --mount type=bind,source=${HOME}/github-ccache,target=/ccache \
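Review bot: The new `COMMON_RUN_OPTS` line keeps only `--cap-add SYS_ADMIN --device /dev/fuse`, while the CI invocation in the second hunk adds `--security-opt apparmor:unconfined` (and `--init`) next to the same two options, so the local and CI containers no longer run with the same confinement. On a host with AppArmor enabled the default container profile can still deny mount(2) even with CAP_SYS_ADMIN, so dropping `--privileged` here may make FUSE mounts fail in local runs where CI succeeds; either the Makefile needs the same option or the reason the two differ should be recorded. A comment above the assignment would make the remaining privileges reviewable, e.g. `# CAP_SYS_ADMIN + /dev/fuse are required to mount FUSE filesystems inside the container; --privileged is not.` The `COMMON_RUN_OPTS` definition continues past the end of the hunk.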
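Review bot: `--security-opt apparmor:unconfined` on the new `--cap-add` line removes the whole AppArmor profile from the build container, which is broader than the single mount rule FUSE needs, and neither the commit message nor the step says why it is required now that `--privileged` is gone; a comment in the `run:` block such as `# docker-default AppArmor profile denies mount(2), which FUSE needs even with CAP_SYS_ADMIN` would keep the reason with the option. Docker's documented spelling of this option is `apparmor=unconfined`; the colon form appears to be accepted as legacy syntax, but the documented form is the safer choice on newer CLIs. `--init` is also new and unmentioned in the commit message; a word on why it was added (PID 1 signal forwarding and child reaping in the build container) would help the next reader. The `run:` script continues past the end of the hunk.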