From 2cecda837db48f92d5f6089ba680ae5292382e6c Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Wed, 25 May 2016 02:26:31 +0200 Subject: Document nonewprivs --- src/man/firejail-profile.txt | 6 ++++++ src/man/firejail.txt | 7 +++++++ 2 files changed, 13 insertions(+) (limited to 'src') diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 4d1de76f5..1f7c8beac 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -239,6 +239,12 @@ Enable seccomp filter and blacklist the system calls in the list. \fBseccomp.keep syscall,syscall,syscall Enable seccomp filter and whitelist the system calls in the list. .TP +\fBnonewprivs +Sets the NO_NEW_PRIVS prctl. This ensures that child processes +cannot acquire new privileges using execve(2); in particular, +this means that calling a suid binary (or one with file capabilities) +does not results in an increase of privilege. +.TP \fBnoroot Use this command to enable an user namespace. The namespace has only one user, the current user. There is no root account (uid 0) defined in the namespace. diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 2ea15ff2b..7b22a5bf2 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -903,6 +903,13 @@ ping: icmp open socket: Operation not permitted .br $ +.TP +\fB\-\-nonewprivs +Sets the NO_NEW_PRIVS prctl. This ensures that child processes +cannot acquire new privileges using execve(2); in particular, +this means that calling a suid binary (or one with file capabilities) +does not results in an increase of privilege. + .TP \fB\-\-nosound Disable sound system. -- cgit v1.2.3-70-g09d2
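Review bot: in the src/man/firejail-profile.txt hunk, the last added line reads "does not results in an increase of privilege", which should be "does not result in". The first sentence, "Sets the NO_NEW_PRIVS prctl", would also be easier to look up if it used the name from prctl(2), PR_SET_NO_NEW_PRIVS, and cited that page the way the text already cites execve(2). The description mentions only child processes; the bit applies to the process that sets it as well, is inherited across fork and execve, and cannot be cleared once set, so consider wording such as "the sandboxed process and its descendants cannot acquire new privileges".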
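Review bot: in the src/man/firejail.txt hunk, the \-\-nonewprivs entry repeats the "does not results in" typo from the profile man page and should read "does not result in". The entry also has no example, while the context lines just above it end in what looks like example terminal output (".br" followed by "$"); a short example in the same style would keep the page consistent. The hunk also adds an empty line before the ".TP" of \-\-nosound; if the neighbouring entries are not separated that way, drop it, since an empty line in man source renders as extra vertical space.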