What does "Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl" mean?

[jerabaul29]

I am running the helix editor (using the appimage from https://github.com/helix-editor/helix/releases ) using firejail, through the alias:

alias hlx="firejail --net=none --whitelist=/home/kzm/Desktop/Git --whitelist=/home/kzm/Desktop/Current --appimage /home/kzm/Desktop/Software/helix-23.03-x86_64.AppImage"

I have at launch the following logs:

kzm@kzm-bpq:~$ hlx
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file

** Note: you can use --noprofile to disable default.profile **

Parent pid 27671, child pid 27676

** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl **

Mounting appimage type 2
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Child process initialized in 141.99 ms

I am curious, what does the part:

** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl **

mean? Am I protected from setuid priviledge rises or not?

I am on Ubuntu 22.04, and:

kzm@kzm-bpq:~$ firejail --version
firejail version 0.9.66

Compile time support:
	- always force nonewprivs support is disabled
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- firetunnel support is enabled
	- networking support is enabled
	- output logging is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- private-cache and tmpfs as user enabled
	- SELinux support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

[rusty-snake]

It tells you that --appimage implies --nonewprivs, --caps.drop=all and --nogroups without any way to keep them.

Am I protected from setuid priviledge rises or not?

Yes, PR_NO_NEW_PRIVS is set.

[kmk3]

firejail version 0.9.66

Note that we do not maintain that version of firejail:

• https://github.com/netblue30/firejail/blob/master/SECURITY.md

Versions other than the latest usually have outdated profiles and may contain
bugs and security vulnerabilities that were fixed in later versions.

See also:

• https://github.com/netblue30/firejail#installing

[jerabaul29]

Thanks for pointing this out. This is the usual issue coming from "I am using the default firejail provided by Ubuntu 20.04" ...