diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml
index 616983bc7..cde32b35f 100644
--- a/doc/manual/command-ref/conf-file.xml
+++ b/doc/manual/command-ref/conf-file.xml
@@ -643,6 +643,23 @@ password my-password
+ allow-new-privileges
+
+ (Linux-specific.) By default, builders on Linux
+ cannot acquire new privileges by calling setuid/setgid programs or
+ programs that have file capabilities. For example, programs such
+ as sudo or ping will
+ fail. (Note that in sandbox builds, no such programs are available
+ unless you bind-mount them into the sandbox via the
+ option.) You can allow the
+ use of such programs by enabling this option. This is impure and
+ usually undesirable, but may be useful in certain scenarios
+ (e.g. to spin up containers or set up userspace network interfaces
+ in tests).
+
+
+
+
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index f40a8c549..355fb3b7d 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -2340,6 +2340,9 @@ void setupSeccomp()
seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(fsetxattr), 0) != 0)
throw SysError("unable to add seccomp rule");
+ if (seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, settings.allowNewPrivileges ? 0 : 1) != 0)
+ throw SysError("unable to set 'no new privileges' seccomp attribute");
+
if (seccomp_load(ctx) != 0)
throw SysError("unable to load seccomp BPF program");
#endif
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index af37ec61d..c8d67b071 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -321,6 +321,12 @@ public:
Setting userAgentSuffix{this, "", "user-agent-suffix",
"String appended to the user agent in HTTP requests."};
+
+#if __linux__
+ Setting allowNewPrivileges{this, false, "allow-new-privileges",
+ "Whether builders can acquire new privileges by calling programs with "
+ "setuid/setgid bits or with file capabilities."};
+#endif
};