3 files changed, 21 insertions, 0 deletions
diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt
index fcf4109ee..dcede2ec6 100644
--- a/src/man/firejail-config.txt
+++ b/src/man/firejail-config.txt
@@ -49,6 +49,14 @@ Enable or disable user namespace support, default enabled.
 Enable or disable X11 sandboxing support, default enabled.
 .TP
+\fBforce-nonewprivs
+Force use of nonewprivs.  This mitigates the possibility of
+a user abusing firejail's features to trick a privileged (suid
+or file capabilities) process into loading code or configuration
+that is partially under their control.  Default disabled.
+.TP
 \fBxephyr-screen
 Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
 a full list of resolutions available on your specific setup. Examples:
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 4d1de76f5..1f7c8beac 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -239,6 +239,12 @@ Enable seccomp filter and blacklist  the system calls in the list.
 \fBseccomp.keep syscall,syscall,syscall
 Enable seccomp filter and whitelist the system calls in the list.
 .TP
+\fBnonewprivs
+Sets the NO_NEW_PRIVS prctl.  This ensures that child processes
+cannot acquire new privileges using execve(2);  in particular,
+this means that calling a suid binary (or one with file capabilities)
+does not results in an increase of privilege.
+.TP
 \fBnoroot
 Use this command  to enable an user namespace. The namespace has only one user, the current user.
 There is no root account (uid 0) defined in the namespace.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 2ea15ff2b..7b22a5bf2 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -904,6 +904,13 @@ ping: icmp open socket: Operation not permitted
 $
 .TP
+\fB\-\-nonewprivs
+Sets the NO_NEW_PRIVS prctl.  This ensures that child processes
+cannot acquire new privileges using execve(2);  in particular,
+this means that calling a suid binary (or one with file capabilities)
+does not results in an increase of privilege.
+.TP
 \fB\-\-nosound
 Disable sound system.
 .br

diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt index fcf4109ee..dcede2ec6 100644 --- a/src/man/firejail-config.txt +++ b/src/man/firejail-config.txt
@@ -49,6 +49,14 @@ Enable or disable user namespace support, default enabled.
49	Enable or disable X11 sandboxing support, default enabled.	49	Enable or disable X11 sandboxing support, default enabled.
50		50
51	.TP	51	.TP
		52	\fBforce-nonewprivs
		53	Force use of nonewprivs. This mitigates the possibility of
		54	a user abusing firejail's features to trick a privileged (suid
		55	or file capabilities) process into loading code or configuration
		56	that is partially under their control. Default disabled.
		57
		58
		59	.TP
52	\fBxephyr-screen	60	\fBxephyr-screen
53	Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for	61	Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
54	a full list of resolutions available on your specific setup. Examples:	62	a full list of resolutions available on your specific setup. Examples:


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 4d1de76f5..1f7c8beac 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -239,6 +239,12 @@ Enable seccomp filter and blacklist the system calls in the list.
239	\fBseccomp.keep syscall,syscall,syscall	239	\fBseccomp.keep syscall,syscall,syscall
240	Enable seccomp filter and whitelist the system calls in the list.	240	Enable seccomp filter and whitelist the system calls in the list.
241	.TP	241	.TP
		242	\fBnonewprivs
		243	Sets the NO_NEW_PRIVS prctl. This ensures that child processes
		244	cannot acquire new privileges using execve(2); in particular,
		245	this means that calling a suid binary (or one with file capabilities)
		246	does not results in an increase of privilege.
		247	.TP
242	\fBnoroot	248	\fBnoroot
243	Use this command to enable an user namespace. The namespace has only one user, the current user.	249	Use this command to enable an user namespace. The namespace has only one user, the current user.
244	There is no root account (uid 0) defined in the namespace.	250	There is no root account (uid 0) defined in the namespace.


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 2ea15ff2b..7b22a5bf2 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -904,6 +904,13 @@ ping: icmp open socket: Operation not permitted
904	$	904	$
905		905
906	.TP	906	.TP
		907	\fB\-\-nonewprivs
		908	Sets the NO_NEW_PRIVS prctl. This ensures that child processes
		909	cannot acquire new privileges using execve(2); in particular,
		910	this means that calling a suid binary (or one with file capabilities)
		911	does not results in an increase of privilege.
		912
		913	.TP
907	\fB\-\-nosound	914	\fB\-\-nosound
908	Disable sound system.	915	Disable sound system.
909	.br	916	.br