security: Minor improvements to no_new_privs documentation

The documentation didn't actually mention how to enable no_new_privs.
This also adds a note about possible interactions between
no_new_privs and LSMs (i.e. why teaching systemd to set no_new_privs
is not necessarily a good idea), and it references the new docs
from include/linux/prctl.h.

Suggested-by: Rob Landley <>
Signed-off-by: Andy Lutomirski <>
Acked-by: Kees Cook <>
Signed-off-by: James Morris <>
2 files changed
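
As an added illustration (not part of this commit or of the kernel documentation it touches), the C program below enables no_new_privs with `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` and checks three properties a defender relies on: the bit reads back as set, it cannot be cleared, and it is inherited across `fork()`. The names `nnp_selftest`, `nnp_child` and the `NNP_*` flags are hypothetical helpers for this example; the work runs in a throwaway child so the calling process is left unchanged.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

#define NNP_SET_OK    0x1 /* set succeeded and PR_GET_NO_NEW_PRIVS returns 1 */
#define NNP_STICKY    0x2 /* attempt to clear the bit was rejected with EINVAL */
#define NNP_INHERITED 0x4 /* a fork()ed child sees the bit as well */

/* Runs inside a child process; returns the NNP_* flags it observed. */
static int nnp_child(void)
{
    int flags = 0, st;

    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 &&
        prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1)
        flags |= NNP_SET_OK;

    /* The bit is one-way: arg2 must be 1, so passing 0 fails with EINVAL. */
    errno = 0;
    if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == -1 && errno == EINVAL)
        flags |= NNP_STICKY;

    /* Descendants inherit the restriction. */
    pid_t pid = fork();
    if (pid == 0)
        _exit(prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1 ? 0 : 1);
    if (pid > 0 && waitpid(pid, &st, 0) == pid && WIFEXITED(st) && WEXITSTATUS(st) == 0)
        flags |= NNP_INHERITED;
    return flags;
}

/* Returns the flags reported by the child, or -1 if fork/wait failed. */
int nnp_selftest(void)
{
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(nnp_child());
    if (waitpid(pid, &st, 0) != pid || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

int main(void)
{
    printf("no_new_privs flags: 0x%x\n", nnp_selftest());
    return 0;
}
```

A result of 0x7 means all three properties held; any missing flag points at a kernel without no_new_privs support or a sandbox that filters the prctl call.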