From 143b9292ff77458ef84927a6cab5fb4ecdb32591 Mon Sep 17 00:00:00 2001 From: Hugo Osvaldo Barrera Date: Fri, 6 Feb 2026 17:05:50 +0100 Subject: [PATCH] Document the no_new_privs setting --- man/openrc-run.8 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/man/openrc-run.8 b/man/openrc-run.8 index 896cfb106..1d23c76bf 100644 --- a/man/openrc-run.8 +++ b/man/openrc-run.8 @@ -259,6 +259,11 @@ which will export .Ar $NOTIFY_SOCKET and listen for notifications. At the moment supporting .Ar READY=1 Ns . +.It Ar no_new_privs +Set no_new_privs on the daemon process, preventing it from gaining any +additional privilege, including through setuid/setgid binaries, file +capabilities, etc. See +.Xr capabilities 7 . .El .Sh DEPENDENCIES You should define a
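Review bot: The new `.It Ar no_new_privs` entry does not say what value the setting takes or what happens when it is unset, so a reader cannot tell from the man page how to enable it. Please state the accepted value and the default. The closing "See .Xr capabilities 7 ." would also be more useful alongside `.Xr prctl 2`, where PR_SET_NO_NEW_PRIVS itself is documented. The text says the flag is set "on the daemon process"; it is worth adding that the flag is inherited by children and preserved across execve, and cannot be cleared once set, since that is what makes it a meaningful restriction. Consider replacing the trailing "etc." with the concrete effect: execve no longer grants privileges.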