I've noticed that, due to #561 and previous commits in this discussion, my systems set NoNewPrivileges=no.
However, running Arch Linux with the hardened kernel 6.8.9-hardened1-1-hardened (linux-hardened) with Incus 6.3, modifying the generator still works for me with unprivileged containers:
```ini
# /run/systemd/system/service.d/zzz-lxc-service.conf
[Service]
ProtectControlGroups=yes
ProtectKernelTunables=yes
NoNewPrivileges=yes
```
The only problem option I can't set to true due to the hardened kernel is PrivateUsers, which will result in the following error:
```
Failed to set up user namespacing: Operation not permitted
Failed at step USER spawning /foo: Operation not permitted
```
So the question is: Is there a way to disable the drop-in for those security options and allow users to opt in (possibly requiring trial and error) without having to delete the /etc/systemd/system-generators/lxc file on every new container?