Merge pull request #536 from KellerFuchs/no_new_privs

Enable using the NO_NEW_PRIVS prctl(2) flag
author: netblue30 <netblue30@yahoo.com> 2016-05-25 09:47:35 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-05-25 09:47:35 -0400
commit: 8ddba33900df5cc7e816dde2f2b4c453f37b32e6 (patch)
tree: 4e947965d0eebf221d2ed6ed699cfdaaabeb4f14 /README.md
parent: Merge pull request #534 from ValdikSS/extra-profiles (diff)
parent: Add force-nonewprivs setting (diff)
download: firejail-8ddba33900df5cc7e816dde2f2b4c453f37b32e6.tar.gz
firejail-8ddba33900df5cc7e816dde2f2b4c453f37b32e6.tar.zst
firejail-8ddba33900df5cc7e816dde2f2b4c453f37b32e6.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/README.md b/README.md
index 4fa79d9f2..6f05a010f 100644
--- a/README.md
+++ b/README.md
@@ -207,6 +207,13 @@ The following features can be enabled or disabled:
       x11    Enable or disable X11 sandboxing support, default enabled.
+       force-nonewprivs
+              Force use of theh NO_NEW_PRIVS prctl(2) flag.
+              This mitigates the possibility of a user abusing firejail's
+              features to trick a privileged (suid or file capabilities)
+              process into loading code or configuration that is partially
+              under their control.  Default disabled
       xephyr-screen
              Screen    size    for   --x11=xephyr,   default   800x600.   Run
              /usr/bin/xrandr for a full list of resolutions available on your
author	netblue30 <netblue30@yahoo.com>	2016-05-25 09:47:35 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-05-25 09:47:35 -0400
commit	8ddba33900df5cc7e816dde2f2b4c453f37b32e6 (patch)
tree	4e947965d0eebf221d2ed6ed699cfdaaabeb4f14 /README.md
parent	Merge pull request #534 from ValdikSS/extra-profiles (diff)
parent	Add force-nonewprivs setting (diff)
download	firejail-8ddba33900df5cc7e816dde2f2b4c453f37b32e6.tar.gz firejail-8ddba33900df5cc7e816dde2f2b4c453f37b32e6.tar.zst firejail-8ddba33900df5cc7e816dde2f2b4c453f37b32e6.zip

diff --git a/README.md b/README.md index 4fa79d9f2..6f05a010f 100644 --- a/README.md +++ b/README.md
@@ -207,6 +207,13 @@ The following features can be enabled or disabled:
207		207
208	x11 Enable or disable X11 sandboxing support, default enabled.	208	x11 Enable or disable X11 sandboxing support, default enabled.
209		209
		210	force-nonewprivs
		211	Force use of theh NO_NEW_PRIVS prctl(2) flag.
		212	This mitigates the possibility of a user abusing firejail's
		213	features to trick a privileged (suid or file capabilities)
		214	process into loading code or configuration that is partially
		215	under their control. Default disabled
		216
210	xephyr-screen	217	xephyr-screen
211	Screen size for --x11=xephyr, default 800x600. Run	218	Screen size for --x11=xephyr, default 800x600. Run
212	/usr/bin/xrandr for a full list of resolutions available on your	219	/usr/bin/xrandr for a full list of resolutions available on your