6 files changed, 38 insertions, 1 deletions

diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 430b0c5a6..4fdbe1897 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -36,7 +36,9 @@ int checkcfg(int val) {
                 int i;
                 for (i = 0; i < CFG_MAX; i++)
                         cfg_val[i] = 1; // most of them are enabled by default
+
                 cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
+                cfg_val[CFG_FORCE_NONEWPRIVS  ] = 0; // disabled by default
                 
                 // open configuration file
                 char *fname;
@@ -106,6 +108,15 @@ int checkcfg(int val) {
                                 else
                                         goto errout;
                         }
+                        // nonewprivs
+                        else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {
+                                if (strcmp(ptr + 17, "yes") == 0)
+                                        cfg_val[CFG_SECCOMP] = 1;
+                                else if (strcmp(ptr + 17, "no") == 0)
+                                        cfg_val[CFG_SECCOMP] = 0;
+                                else
+                                        goto errout;
+                        }
                         // seccomp
                         else if (strncmp(ptr, "seccomp ", 8) == 0) {
                                 if (strcmp(ptr + 8, "yes") == 0)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index f4a176caf..661073730 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -237,6 +237,7 @@ extern int arg_rlimit_nproc;	// rlimit nproc
 extern int arg_rlimit_fsize;    // rlimit fsize
 extern int arg_rlimit_sigpending;// rlimit sigpending
 extern int arg_nogroups;        // disable supplementary groups
+extern int arg_nonewprivs;      // set the NO_NEW_PRIVS prctl
 extern int arg_noroot;          // create a new user namespace and disable root user
 extern int arg_netfilter;       // enable netfilter
 extern int arg_netfilter6;      // enable netfilter6
@@ -565,7 +566,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh);
 #define CFG_SECCOMP 5
 #define CFG_NETWORK 6
 #define CFG_RESTRICTED_NETWORK 7
-#define CFG_MAX 8 // this should always be the last entry
+#define CFG_FORCE_NONEWPRIVS 8
+#define CFG_MAX 9 // this should always be the last entry
 int checkcfg(int val);
 
 // fs_rdwr.c
diff --git a/src/firejail/main.c b/src/firejail/main.c
index a540d468b..2f4a78d4b 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -77,6 +77,7 @@ int arg_rlimit_nproc = 0;			// rlimit nproc
 int arg_rlimit_fsize = 0;                               // rlimit fsize
 int arg_rlimit_sigpending = 0;                  // rlimit fsize
 int arg_nogroups = 0;                           // disable supplementary groups
+int arg_nonewprivs = 0;                 // set the NO_NEW_PRIVS prctl
 int arg_noroot = 0;                             // create a new user namespace and disable root user
 int arg_netfilter;                              // enable netfilter
 int arg_netfilter6;                             // enable netfilter6
@@ -1367,6 +1368,9 @@ int main(int argc, char **argv) {
                         }
                 }
 #endif
+                else if (strcmp(argv[i], "--nonewprivs") == 0) {
+                        arg_nonewprivs = 1;
+                }
                 else if (strncmp(argv[i], "--env=", 6) == 0)
                         env_store(argv[i] + 6);
                 else if (strncmp(argv[i], "--nosound", 9) == 0) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 3bf294e00..192f36974 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -131,6 +131,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
                 return 0;
         }
+        else if (strcmp(ptr, "nonewprivs") == 0) {
+                arg_nonewprivs = 1;
+                return 0;
+        }
         else if (strcmp(ptr, "seccomp") == 0) {
 #ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP))
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 5cfee44d8..6133a610d 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -748,6 +748,19 @@ int sandbox(void* sandbox_arg) {
         }
 
         //****************************************
+        // Set NO_NEW_PRIVS if desired
+        //****************************************
+        if (arg_nonewprivs || checkcfg(CFG_FORCE_NONEWPRIVS)) {
+                int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+
+                if(no_new_privs != 0)
+                        errExit("NO_NEW_PRIVS");
+                else if (arg_debug)
+                        printf("NO_NEW_PRIVS set\n");
+        }
+
+
+        //****************************************
         // fork the application and monitor it
         //****************************************
         pid_t app_pid = fork();
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index ef02c0d72..45bf2e3b1 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -157,6 +157,9 @@ void usage(void) {
         printf("\tuser. root user does not exist in the new namespace. This option\n");
         printf("\tis not supported for --chroot and --overlay configurations.\n\n");
 #endif
+        printf("    --nonewprivs - sets the NO_NEW_PRIVS prctl - the child processes\n");
+        printf("\tcannot gain privileges using execve(2); in particular, this prevents\n");
+        printf("\tgaining privileges by calling a suid binary\n\n");
         printf("    --nosound - disable sound system.\n\n");
                 
         printf("    --output=logfile - stdout logging and log rotation. Copy stdout and stderr\n");