quadlet: Change NoNewPrivileges default to false

This matches the default of podman run.

Signed-off-by: Alexander Larsson <alexl@redhat.com>

docs/source/markdown/podman-systemd.unit.5.md

@@ -109,7 +109,7 @@ which can be modified with `RemapUsers`, but if that is not specified, this uid
 The (numeric) gid to run as inside the container. This does not need to match the gid on the host,
 which can be modified with `RemapUsers`, but if that is not specified, this gid is also used on the host.
 
-#### `NoNewPrivileges=` (defaults to `yes`)
+#### `NoNewPrivileges=` (defaults to `no`)
 
 If enabled (which is the default), this disables the container processes from gaining additional privileges via things like
 setuid and file capabilities.

pkg/systemd/quadlet/quadlet.go

@@ -297,7 +297,7 @@ func ConvertContainer(container *parser.UnitFile, isUser bool) (*parser.UnitFile
 	}
 
 	// Default to no higher level privileges or caps
-	noNewPrivileges := container.LookupBoolean(ContainerGroup, KeyNoNewPrivileges, true)
+	noNewPrivileges := container.LookupBoolean(ContainerGroup, KeyNoNewPrivileges, false)
 	if noNewPrivileges {
 		podman.add("--security-opt=no-new-privileges")
 	}

test/e2e/quadlet/basic.container

@@ -10,7 +10,6 @@
 ## assert-podman-args "--runtime" "/usr/bin/crun"
 ## assert-podman-args "--cgroups=split"
 ## assert-podman-args "--sdnotify=conmon"
-## assert-podman-args "--security-opt=no-new-privileges"
 ## assert-podman-args "--cap-drop=all"
 ## assert-podman-args "--read-only"
 ## !assert-podman-args "--read-only-tmpfs=false"