--noexec

5 files changed, 43 insertions, 3 deletions

diff --git a/README.md b/README.md
index c16a32e62..a60c8dd7f 100644
--- a/README.md
+++ b/README.md
@@ -90,9 +90,28 @@ AUDIT
        Limitations: audit feature is not implemented for --x11 commands.
 `````
 
-## --private-dev enhancements - work in progress!
+## --noexec
+`````
+       --noexec=dirname_or_filename
+              Remount directory or file noexec, nodev and nosuid.
+
+              Example:
+              $ firejail --noexec=/tmp
+
+              /etc and /var are noexec by default. If there are more than one
+              mount operation on the path of the file  or  directory,  noexec
+              should  be  applied to the last one. Always check if the change
+              took effect inside the sandbox.
+`````
 
-The following devices are added to --private-dev list.
+## --rmenv
+`````
+      --rmenv=name
+              Remove environment variable in the new sandbox.
+
+              Example:
+              $ firejail --rmenv=DBUS_SESSION_BUS_ADDRESS
+`````
 
 ## Converting profiles to private-bin - work in progress!
 
diff --git a/RELNOTES b/RELNOTES
index 20e7df7f1..ef3706eb1 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -4,6 +4,7 @@ firejail (0.9.41) baseline; urgency=low
   * AppImage support (--appimage)
   * Sandbox auditing support (--audit)
   * remove environment variable (--rmenv)
+  * noexec support (--noexec)
   * include /dev/snd in --private-dev
   * added mkfile profile command
   * seccomp filter updated
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 6b7a666db..f7a93174f 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -147,9 +147,11 @@ void usage(void) {
         printf("    --nice=value - set nice value\n\n");
         printf("    --noblacklist=dirname_or_filename - disable blacklist for directory or\n");
         printf("\tfile.\n\n");
+        printf("    --noexec=dirname_of_filenam - remount the file or directory noexec\n");
+        printf("\tnosuid and nodev\n\n");
         printf("    --nogroups - disable supplementary groups. Without this option,\n");
         printf("\tsupplementary groups are enabled for the user starting the sandbox.\n");
-        printf("\t For root, groups are always disabled.\n\n");
+        printf("\tFor root, groups are always disabled.\n\n");
 
         printf("    --noprofile - do not use a profile.  Profile priority is use the one\n");
         printf("\tspecified on the command line, next try to find one that\n");
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 98fa17908..504842a9e 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -157,6 +157,9 @@ whitelist ~/.cache/mozilla/firefox
 Similar to mkdir, this command creates a file in user home before the sandbox is started.
 The file is created if it doesn't already exist.
 .TP
+\fBnoexec file_or_directory
+Remount the file or the directory noexec, nodev and nosuid.
+.TP
 \fBprivate
 Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 7c9cd98de..cd9ea6a8a 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -851,6 +851,21 @@ $ nc dict.org 2628
 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
 .br
 .TP
+\fB\-\-noexec=dirname_or_filename
+Remount directory or file noexec, nodev and nosuid.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-noexec=/tmp
+.br
+
+.br
+/etc and /var are noexec by default. If there are more than one mount operation
+on the path of the file or directory, noexec should be applied to the last one. Always check if the change took effect inside the sandbox.
+
+.TP
 \fB\-\-nogroups
 Disable supplementary groups. Without this option, supplementary groups are enabled for the user starting the
 sandbox. For root user supplementary groups are always disabled.