[PR #536] [MERGED] Enable using the NO_NEW_PRIVS prctl(2) flag #3659

Closed
opened 2026-05-05 10:05:32 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/536
Author: @KellerFuchs
Created: 5/25/2016
Status: Merged
Merged: 5/25/2016
Merged by: @netblue30

Base: master
Head: no_new_privs


📝 Commits (4)

  • 178f649 sandbox: Add NO_NEW_PRIVS unconditionally
  • 0688847 Make NO_NEW_PRIVS configurable
  • 2cecda8 Document nonewprivs
  • 1c0428d Add force-nonewprivs setting

📊 Changes

11 files changed (+72 additions, -1 deletions)


📝 README.md (+7 -0)
📝 etc/firejail.config (+6 -0)
📝 src/firejail/checkcfg.c (+11 -0)
📝 src/firejail/firejail.h (+3 -1)
📝 src/firejail/main.c (+4 -0)
📝 src/firejail/profile.c (+4 -0)
📝 src/firejail/sandbox.c (+13 -0)
📝 src/firejail/usage.c (+3 -0)
📝 src/man/firejail-config.txt (+8 -0)
📝 src/man/firejail-profile.txt (+6 -0)
📝 src/man/firejail.txt (+7 -0)

📄 Description

Any task can set no_new_privs. Once the bit is set, it is inherited across fork,
clone, and execve and cannot be unset. With no_new_privs set, execve
promises not to grant the privilege to do anything that could not have been
done without the execve call. For example, the setuid and setgid bits will no
longer change the uid or gid; file capabilities will not add to the permitted set,
and LSMs will not relax constraints after execve.
-- Linux kernel documentation

Judicious use of no_new_privs can both:

  • prevent sandboxed applications from (attempting to) exploit privileged (setuid, setgid or fcaps) binaries;
  • prevent malicious users from (attempting to) exploit privileged binaries using firejail's features, by setting force-nonewprivs system-wide.

This PR introduces the support for NO_NEW_PRIVS and makes it configurable through the nonewpriv directive, documents it, and introduces a force-nonewprivs configuration item.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
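The prctl(2) behaviour the description relies on, checked from C as an added example (this is not code from the PR or from firejail; the function names are my own and it assumes Linux 3.5 or later): the bit is set with PR_SET_NO_NEW_PRIVS, read back with PR_GET_NO_NEW_PRIVS, is inherited across fork, and cannot be cleared once set.

```c
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Read the calling process's no_new_privs bit: 1 if set, 0 if clear, -1 on error. */
int nnp_get(void) {
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Set the bit, as a sandbox does before exec'ing the confined program. Returns 0 on success. */
int nnp_set(void) {
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Attempt to clear the bit. The kernel only accepts arg2 == 1 for this
 * operation, so the call always fails with -1 (EINVAL): the bit is sticky. */
int nnp_try_clear(void) {
    return prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Check inheritance across fork without touching the caller's own state:
 * a child sets the bit, forks a grandchild, and reports what the grandchild sees.
 * Returns 1 if the grandchild inherited the bit, 0 if not, -1 on error. */
int nnp_inherited_across_fork(void) {
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        if (nnp_set() != 0) _exit(2);
        pid_t gc = fork();
        if (gc < 0) _exit(2);
        if (gc == 0) _exit(nnp_get() == 1 ? 0 : 1);  /* grandchild reports its bit */
        int st;
        if (waitpid(gc, &st, 0) < 0 || !WIFEXITED(st)) _exit(2);
        _exit(WEXITSTATUS(st));
    }
    int status;
    if (waitpid(child, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);
    return code == 0 ? 1 : (code == 1 ? 0 : -1);
}

int main(void) {
    printf("inherited across fork: %d\n", nnp_inherited_across_fork());
    printf("set returned %d\n", nnp_set());
    printf("bit now %d, clear attempt returned %d\n", nnp_get(), nnp_try_clear());
    return 0;
}
```

Once the bit is set, a subsequent execve of a setuid binary runs it with the caller's own uid, which is what makes the setting useful inside the sandbox.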
