Add force-nonewprivs setting

author: The Fox in the Shell <KellerFuchs@hashbang.sh> 2016-05-25 14:59:30 +0200
committer: The Fox in the Shell <KellerFuchs@hashbang.sh> 2016-05-25 15:01:13 +0200
commit: 1c0428dba28299b66380c8c05770d6619383d758 (patch)
tree: 9930a2e13d8b9b7c51228af50db9337b31e456a2 /README.md
parent: Document nonewprivs (diff)
download: firejail-1c0428dba28299b66380c8c05770d6619383d758.tar.gz
firejail-1c0428dba28299b66380c8c05770d6619383d758.tar.zst
firejail-1c0428dba28299b66380c8c05770d6619383d758.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/README.md b/README.md
index 4fa79d9f2..6f05a010f 100644
--- a/README.md
+++ b/README.md
@@ -207,6 +207,13 @@ The following features can be enabled or disabled:
       x11    Enable or disable X11 sandboxing support, default enabled.
+       force-nonewprivs
+              Force use of theh NO_NEW_PRIVS prctl(2) flag.
+              This mitigates the possibility of a user abusing firejail's
+              features to trick a privileged (suid or file capabilities)
+              process into loading code or configuration that is partially
+              under their control.  Default disabled
       xephyr-screen
              Screen    size    for   --x11=xephyr,   default   800x600.   Run
              /usr/bin/xrandr for a full list of resolutions available on your
author	The Fox in the Shell <KellerFuchs@hashbang.sh>	2016-05-25 14:59:30 +0200
committer	The Fox in the Shell <KellerFuchs@hashbang.sh>	2016-05-25 15:01:13 +0200
commit	1c0428dba28299b66380c8c05770d6619383d758 (patch)
tree	9930a2e13d8b9b7c51228af50db9337b31e456a2 /README.md
parent	Document nonewprivs (diff)
download	firejail-1c0428dba28299b66380c8c05770d6619383d758.tar.gz firejail-1c0428dba28299b66380c8c05770d6619383d758.tar.zst firejail-1c0428dba28299b66380c8c05770d6619383d758.zip

diff --git a/README.md b/README.md index 4fa79d9f2..6f05a010f 100644 --- a/README.md +++ b/README.md
@@ -207,6 +207,13 @@ The following features can be enabled or disabled:
207		207
208	x11 Enable or disable X11 sandboxing support, default enabled.	208	x11 Enable or disable X11 sandboxing support, default enabled.
209		209
		210	force-nonewprivs
		211	Force use of theh NO_NEW_PRIVS prctl(2) flag.
		212	This mitigates the possibility of a user abusing firejail's
		213	features to trick a privileged (suid or file capabilities)
		214	process into loading code or configuration that is partially
		215	under their control. Default disabled
		216
210	xephyr-screen	217	xephyr-screen
211	Screen size for --x11=xephyr, default 800x600. Run	218	Screen size for --x11=xephyr, default 800x600. Run
212	/usr/bin/xrandr for a full list of resolutions available on your	219	/usr/bin/xrandr for a full list of resolutions available on your