enforce nonewprivs for --noprofile option

3 files changed, 5 insertions, 1 deletions

diff --git a/RELNOTES b/RELNOTES
index 9df00d976..015c55201 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,8 +1,10 @@
 firejail (0.9.69) baseline; urgency=low
   * work in progress
+  * modif: --noprofile enforces nonewprivs
   * feature: enable shell tab completion (#4936)
   * feature: disable user profiles at compile time (#4990)
   * rework: whitelist restructuring (#4985)
+  * rework: firemon, speed up lots of fixes
   * bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910)
   * bugfix: nogroups + wrc prints confusing messages (#4930 #4933)
   * bugfix: openSUSE Leap - whitelist-run-common.inc (#4954)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index cbf9df79f..f3b656e2e 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1875,6 +1875,8 @@ int main(int argc, char **argv, char **envp) {
                         arg_noprofile = 1;
                         // force keep-config-pulse in order to keep ~/.config/pulse as is
                         arg_keep_config_pulse = 1;
+                        // force nonewprivs
+                        arg_nonewprivs = 1;
                 }
                 else if (strncmp(argv[i], "--ignore=", 9) == 0) {
                         if (custom_profile) {
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 420a96ab5..f78b75346 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1696,7 +1696,7 @@ Disable printers.
 
 .TP
 \fB\-\-noprofile
-Do not use a security profile.
+Do not use a security profile. nonewprivs is enforced for this option.
 .br
 
 .br