(hardening) Add no_new_privs=yes to OpenRC service files