Document nonewprivs

author: The Fox in the Shell <KellerFuchs@hashbang.sh> 2016-05-25 02:26:31 +0200
committer: The Fox in the Shell <KellerFuchs@hashbang.sh> 2016-05-25 15:01:13 +0200
commit: 2cecda837db48f92d5f6089ba680ae5292382e6c (patch)
tree: f6f25f8812228e842a53850b5dfdb21ca4f2d97a /src/man/firejail-profile.txt
parent: Make NO_NEW_PRIVS configurable (diff)
download: firejail-2cecda837db48f92d5f6089ba680ae5292382e6c.tar.gz
firejail-2cecda837db48f92d5f6089ba680ae5292382e6c.tar.zst
firejail-2cecda837db48f92d5f6089ba680ae5292382e6c.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 4d1de76f5..1f7c8beac 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -239,6 +239,12 @@ Enable seccomp filter and blacklist  the system calls in the list.
 \fBseccomp.keep syscall,syscall,syscall
 Enable seccomp filter and whitelist the system calls in the list.
 .TP
+\fBnonewprivs
+Sets the NO_NEW_PRIVS prctl.  This ensures that child processes
+cannot acquire new privileges using execve(2);  in particular,
+this means that calling a suid binary (or one with file capabilities)
+does not results in an increase of privilege.
+.TP
 \fBnoroot
 Use this command  to enable an user namespace. The namespace has only one user, the current user.
 There is no root account (uid 0) defined in the namespace.
author	The Fox in the Shell <KellerFuchs@hashbang.sh>	2016-05-25 02:26:31 +0200
committer	The Fox in the Shell <KellerFuchs@hashbang.sh>	2016-05-25 15:01:13 +0200
commit	2cecda837db48f92d5f6089ba680ae5292382e6c (patch)
tree	f6f25f8812228e842a53850b5dfdb21ca4f2d97a /src/man/firejail-profile.txt
parent	Make NO_NEW_PRIVS configurable (diff)
download	firejail-2cecda837db48f92d5f6089ba680ae5292382e6c.tar.gz firejail-2cecda837db48f92d5f6089ba680ae5292382e6c.tar.zst firejail-2cecda837db48f92d5f6089ba680ae5292382e6c.zip

diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 4d1de76f5..1f7c8beac 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -239,6 +239,12 @@ Enable seccomp filter and blacklist the system calls in the list.
239	\fBseccomp.keep syscall,syscall,syscall	239	\fBseccomp.keep syscall,syscall,syscall
240	Enable seccomp filter and whitelist the system calls in the list.	240	Enable seccomp filter and whitelist the system calls in the list.
241	.TP	241	.TP
		242	\fBnonewprivs
		243	Sets the NO_NEW_PRIVS prctl. This ensures that child processes
		244	cannot acquire new privileges using execve(2); in particular,
		245	this means that calling a suid binary (or one with file capabilities)
		246	does not results in an increase of privilege.
		247	.TP
242	\fBnoroot	248	\fBnoroot
243	Use this command to enable an user namespace. The namespace has only one user, the current user.	249	Use this command to enable an user namespace. The namespace has only one user, the current user.
244	There is no root account (uid 0) defined in the namespace.	250	There is no root account (uid 0) defined in the namespace.