Document nonewprivs

2 files changed, 13 insertions, 0 deletions

diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 4d1de76f5..1f7c8beac 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -239,6 +239,12 @@ Enable seccomp filter and blacklist  the system calls in the list.
 \fBseccomp.keep syscall,syscall,syscall
 Enable seccomp filter and whitelist the system calls in the list.
 .TP
+\fBnonewprivs
+Sets the NO_NEW_PRIVS prctl.  This ensures that child processes
+cannot acquire new privileges using execve(2);  in particular,
+this means that calling a suid binary (or one with file capabilities)
+does not results in an increase of privilege.
+.TP
 \fBnoroot
 Use this command  to enable an user namespace. The namespace has only one user, the current user.
 There is no root account (uid 0) defined in the namespace.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 2ea15ff2b..7b22a5bf2 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -904,6 +904,13 @@ ping: icmp open socket: Operation not permitted
 $
 
 .TP
+\fB\-\-nonewprivs
+Sets the NO_NEW_PRIVS prctl.  This ensures that child processes
+cannot acquire new privileges using execve(2);  in particular,
+this means that calling a suid binary (or one with file capabilities)
+does not results in an increase of privilege.
+
+.TP
 \fB\-\-nosound
 Disable sound system.
 .br