From de0336c67dfc04777bc667d602de477d609e22c9 Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Mon, 22 Apr 2024 13:10:20 +0200
Subject: [PATCH 1/3] Drop all capabilities by default in independent agents
---
 internal/agentdeployer/_static/docker-agent-base.yml.tmpl | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/internal/agentdeployer/_static/docker-agent-base.yml.tmpl b/internal/agentdeployer/_static/docker-agent-base.yml.tmpl
index 608c2c5f6a..541685cba8 100644
--- a/internal/agentdeployer/_static/docker-agent-base.yml.tmpl
+++ b/internal/agentdeployer/_static/docker-agent-base.yml.tmpl
@@ -18,6 +18,8 @@ services:
 - {{ . }}
 {{- end }}
 {{ end }}
+ cap_drop:
+ - ALL
 environment:
 - FLEET_ENROLL=1
 - FLEET_URL=https://fleet-server:8220
From f6de4ddb13dcd13718e7b2740dc462bc6e464dc4 Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Wed, 24 Apr 2024 11:04:08 +0200
Subject: [PATCH 2/3] Drop capabilities for Elastic agent in stack (serverless too)
---
 internal/stack/_static/docker-compose-stack.yml.tmpl | 2 ++
 internal/stack/_static/serverless-docker-compose.yml.tmpl | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/internal/stack/_static/docker-compose-stack.yml.tmpl b/internal/stack/_static/docker-compose-stack.yml.tmpl
index b1bd50dc99..319e69a899 100644
--- a/internal/stack/_static/docker-compose-stack.yml.tmpl
+++ b/internal/stack/_static/docker-compose-stack.yml.tmpl
@@ -139,6 +139,8 @@ services:
 interval: 5s
 hostname: docker-fleet-agent
 env_file: "./elastic-agent.env"
+ cap_drop:
+ - ALL
 volumes:
 - "../certs/ca-cert.pem:/etc/ssl/certs/elastic-package.pem"
 - type: bind
diff --git a/internal/stack/_static/serverless-docker-compose.yml.tmpl b/internal/stack/_static/serverless-docker-compose.yml.tmpl
index a61f718dc8..47d1e653f1 100644
--- a/internal/stack/_static/serverless-docker-compose.yml.tmpl
+++ b/internal/stack/_static/serverless-docker-compose.yml.tmpl
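Review bot: The new `cap_drop: - ALL` in docker-agent-base.yml.tmpl is placed directly under a templated list (`- {{ . }}` / `{{- end }}` / `{{ end }}`) whose key is outside the hunk, and nothing in the template explains how the two interact; if that list renders `cap_add` from the package's agent settings, the pair forms an explicit allowlist because Docker applies `cap_add` on top of `cap_drop`, but if it is something else (ports, volumes), this hunk removes every capability with no opt-out at all and a test that needs one fails at runtime with EPERM rather than at configuration time. Either way the intent deserves a comment above `cap_drop`, e.g. `# Start from zero Linux capabilities; anything a package re-adds via cap_add is applied on top of this drop.` The enclosing `services:` mapping and the templated list begin before the hunk, so I cannot confirm which case applies.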
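Review bot: In docker-compose-stack.yml.tmpl the Fleet-managed agent (`hostname: docker-fleet-agent`) now runs with every capability dropped and, unlike the agent deployer template, this file exposes no `cap_add` path to restore any, so whatever the default policy's integrations need (raw sockets, low ports, reading other processes) is now a hard runtime failure with nothing here documenting that trade-off. A short comment above the new lines would save the next person a debugging session, e.g. `# Run the stack agent unprivileged: all Linux capabilities are dropped. If an integration in the default policy needs one, cap_add it explicitly instead of removing this.` If the goal is hardening rather than only reducing the default set, consider also adding `security_opt: ["no-new-privileges:true"]` on this service so nothing in the image can regain privileges through setuid; that is an optional companion and not required for the drop itself to be correct. The service definition starts before the hunk, so I cannot see whether the agent runs as root or as an unprivileged user, which affects how much the drop actually changes.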
@@ -9,6 +9,8 @@ services:
 interval: 5s
 hostname: docker-fleet-agent
 env_file: "./elastic-agent.env"
+ cap_drop:
+ - ALL
 volumes:
 - type: bind
 source: ../../../tmp/service_logs/
From 4dd6eb96dd61c561cb93ca4870c89291ccf60781 Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Thu, 25 Apr 2024 11:46:26 +0200
Subject: [PATCH 3/3] Drop ALL capabilities in custom agents (servicedeployer)
---
 internal/servicedeployer/_static/docker-custom-agent-base.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/internal/servicedeployer/_static/docker-custom-agent-base.yml b/internal/servicedeployer/_static/docker-custom-agent-base.yml
index 462813f137..8aa5e1a9f7 100644
--- a/internal/servicedeployer/_static/docker-custom-agent-base.yml
+++ b/internal/servicedeployer/_static/docker-custom-agent-base.yml
@@ -6,6 +6,8 @@ services:
 retries: 180
 interval: 1s
 hostname: docker-custom-agent
+ cap_drop:
+ - ALL
 environment:
 - FLEET_ENROLL=1
 - FLEET_URL=https://fleet-server:8220
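Review bot: docker-custom-agent-base.yml looks like a base that package-provided custom agent definitions are merged onto (hedged: the file name and location suggest it, the hunk does not show the merge), and dropping ALL here silently removes the capabilities Docker grants by default (NET_RAW, NET_BIND_SERVICE, CHOWN, and so on) from every such overlay, so a package that implicitly relied on one now breaks with no hint in this file. The base should state the contract for overlay authors, e.g. `# All Linux capabilities are dropped by default; a package's custom agent definition must cap_add the specific ones its test needs.` Worth noting in the same comment that an overlay setting `privileged: true` grants the full capability set regardless of this `cap_drop`, so the drop only holds for unprivileged definitions. The `services:` mapping and the service's other keys begin before the hunk.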