From 4986f27c25ac3d6b20df78f6b137a0b3839dbe3f Mon Sep 17 00:00:00 2001 From: Leah Neukirchen Date: Mon, 23 Sep 2019 11:26:29 +0200 Subject: add -x to set PR_SET_NO_NEW_PRIVS for the children --- reap.1 | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'reap.1') diff --git a/reap.1 b/reap.1 index 86cd2c9..fe51f96 100644 --- a/reap.1 +++ b/reap.1 @@ -1,4 +1,4 @@ -.Dd August 13, 2019 +.Dd September 23, 2019 .Dt REAP 1 .Os .Sh NAME @@ -6,7 +6,7 @@ .Nd run process until all its spawned processes are dead .Sh SYNOPSIS .Nm -.Op Fl vw +.Op Fl vwx .Ar command\ line ... .Sh DESCRIPTION The @@ -31,12 +31,15 @@ will start slaying all children immediately. .Pp The options are as follows: .Bl -tag -width Ds -.It Fl w -Wait for all spawned processes to finish. .It Fl v Verbose mode, report what .Nm is doing. +.It Fl w +Wait for all spawned processes to finish. +.It Fl x +Forbid execution of binaries we cannot kill (using +.Dv PR_SET_NO_NEW_PRIVS ) . .El .Sh EXIT STATUS The @@ -57,7 +60,8 @@ is enabled. .Nm can only work reliably when it has permission to kill all spawned processes and they respect -.Dv SIGTERM . +.Dv SIGTERM +.Pq see also Fl x . .Sh RATIONALE Keeping track of all spawned process is traditionally a hard problem on Unix systems, mainly due to daemonization by forking twice. -- cgit 1.4.1
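Review bot: the new -x entry in the options hunk ("Forbid execution of binaries we cannot kill (using PR_SET_NO_NEW_PRIVS)") overstates what the flag does. PR_SET_NO_NEW_PRIVS does not make execve fail; it makes set-user-ID, set-group-ID and file-capability bits ineffective, so the binary still runs, just without gaining privileges the reaper lacks, which is what keeps it killable. Suggest wording to that effect, for example "Set PR_SET_NO_NEW_PRIVS on the command, so set-user-ID, set-group-ID and file-capability binaries run without gaining privileges and remain killable by .Nm". It is also worth noting in the same entry that the setting is inherited across fork and execve and cannot be cleared by the children, and that it is Linux-specific (prctl(2)), since the RATIONALE text speaks of Unix systems in general.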
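Review bot: in the CAVEATS hunk the added ".Pq see also Fl x ." is attached to the SIGTERM clause, but -x only bears on the first condition of that sentence (having permission to kill all spawned processes); a child that ignores SIGTERM is unaffected by PR_SET_NO_NEW_PRIVS. Move the cross-reference so it qualifies the permission clause, e.g. "...when it has permission to kill all spawned processes .Pq see also Fl x and they respect .Dv SIGTERM .", so the reader is not led to think -x addresses processes that ignore SIGTERM.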