From 1c0428dba28299b66380c8c05770d6619383d758 Mon Sep 17 00:00:00 2001
From: The Fox in the Shell <KellerFuchs@hashbang.sh>
Date: Wed, 25 May 2016 14:59:30 +0200
Subject: Add force-nonewprivs setting

---
 README.md | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'README.md')

diff --git a/README.md b/README.md
index 4fa79d9f2..6f05a010f 100644
--- a/README.md
+++ b/README.md
@@ -207,6 +207,13 @@ The following features can be enabled or disabled:
 
        x11    Enable or disable X11 sandboxing support, default enabled.
 
+       force-nonewprivs
+              Force use of theh NO_NEW_PRIVS prctl(2) flag.
+              This mitigates the possibility of a user abusing firejail's
+              features to trick a privileged (suid or file capabilities)
+              process into loading code or configuration that is partially
+              under their control.  Default disabled
+
        xephyr-screen
               Screen    size    for   --x11=xephyr,   default   800x600.   Run
               /usr/bin/xrandr for a full list of resolutions available on your
-- 
cgit v1.2.3-70-g09d2