1 files changed, 13 insertions, 0 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 5cfee44d8..6133a610d 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -748,6 +748,19 @@ int sandbox(void* sandbox_arg) {
        }
        //****************************************
+        // Set NO_NEW_PRIVS if desired
+        //****************************************
+        if (arg_nonewprivs || checkcfg(CFG_FORCE_NONEWPRIVS)) {
+                int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+                if(no_new_privs != 0)
+                        errExit("NO_NEW_PRIVS");
+                else if (arg_debug)
+                        printf("NO_NEW_PRIVS set\n");
+        }
+        //****************************************
        // fork the application and monitor it
        //****************************************
        pid_t app_pid = fork();

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 5cfee44d8..6133a610d 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -748,6 +748,19 @@ int sandbox(void* sandbox_arg) {
748	}	748	}
749		749
750	//****************************************	750	//****************************************
		751	// Set NO_NEW_PRIVS if desired
		752	//****************************************
		753	if (arg_nonewprivs \|\| checkcfg(CFG_FORCE_NONEWPRIVS)) {
		754	int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
		755
		756	if(no_new_privs != 0)
		757	errExit("NO_NEW_PRIVS");
		758	else if (arg_debug)
		759	printf("NO_NEW_PRIVS set\n");
		760	}
		761
		762
		763	//****************************************
751	// fork the application and monitor it	764	// fork the application and monitor it
752	//****************************************	765	//****************************************
753	pid_t app_pid = fork();	766	pid_t app_pid = fork();