enforce nonewprivs for --noprofile option

2026-05-21 14:56:05 -06:00 · 2022-06-03 07:02:31 -04:00 · 2022-06-03 07:02:31 -04:00 · 6d0ff0c7db
commit 6d0ff0c7db
parent 37ac02d478
3 changed files with 5 additions and 1 deletions
--- a/2
+++ b/2
@ -1,8 +1,10 @@
 firejail (0.9.69) baseline; urgency=low
  * work in progress
+  * modif: --noprofile enforces nonewprivs
  * feature: enable shell tab completion (#4936)
  * feature: disable user profiles at compile time (#4990)
  * rework: whitelist restructuring (#4985)
+  * rework: firemon, speed up lots of fixes
  * bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910)
  * bugfix: nogroups + wrc prints confusing messages (#4930 #4933)
  * bugfix: openSUSE Leap - whitelist-run-common.inc (#4954)
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@ -1875,6 +1875,8 @@ int main(int argc, char **argv, char **envp) {
 			arg_noprofile = 1;
 			// force keep-config-pulse in order to keep ~/.config/pulse as is
 			arg_keep_config_pulse = 1;
+			// force nonewprivs
+			arg_nonewprivs = 1;
 		}
 		else if (strncmp(argv[i], "--ignore=", 9) == 0) {
 			if (custom_profile) {
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@ -1696,7 +1696,7 @@ Disable printers.

 .TP
 \fB\-\-noprofile
-Do not use a security profile.
+Do not use a security profile. nonewprivs is enforced for this option.
 .br

 .br