---
title: Apache Mesos - Linux NNP (no_new_privs) Isolator in Mesos Containerizer
layout: documentation
---

Linux NNP Support in Mesos Containerizer

This document describes the linux/nnp isolator. This isolator sets the no_new_privs flag for all containers launched using the MesosContainerizer.

The no_new_privs flag disables the ability of container tasks to acquire any additional privileges by means of executing a child process, e.g. by invoking setuid or setgid programs. To enable the linux/nnp isolator, append linux/nnp to the --isolation flag when starting the Mesos agent (for example, --isolation=&lt;existing isolators&gt;,linux/nnp).
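The following program is an added example written for this page, not code from Mesos itself; it demonstrates the kernel mechanism the linux/nnp isolator relies on. It sets the flag with prctl(PR_SET_NO_NEW_PRIVS), shows that the flag is a one-way latch (clearing it fails with EINVAL), shows that a forked child inherits it, and parses the NoNewPrivs line of /proc/self/status, which is the check an operator can run inside a task to confirm the isolator took effect. The function names and the sample status text are constructed for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns the current no_new_privs state of the calling process (0 or 1),
 * or -1 on error. */
int nnp_get(void) {
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Sets no_new_privs for the calling process. This mirrors what the
 * linux/nnp isolator does for a container before the task is exec'd:
 * from this point on, setuid/setgid bits and file capabilities on any
 * executed program are ignored. Returns 0 on success. */
int nnp_set(void) {
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Attempts to clear the flag. The kernel only accepts a value of 1, so the
 * flag cannot be undone by the task. Returns errno on failure (expected
 * EINVAL), or 0 if clearing unexpectedly succeeded. */
int nnp_try_clear(void) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == 0) return 0;
    return errno;
}

/* Forks a child and returns the child's no_new_privs state, showing that
 * the flag is inherited across fork (it also survives execve). Returns -1
 * on error. */
int nnp_in_child(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(nnp_get() == 1 ? 1 : 0);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Parses the "NoNewPrivs:" field from /proc/<pid>/status-style text.
 * Returns 0 or 1, or -1 if the field is absent (kernels before 4.10 do
 * not report it). */
int nnp_from_status(const char *status_text) {
    const char *key = "NoNewPrivs:";
    const char *p = strstr(status_text, key);
    if (!p) return -1;
    return atoi(p + strlen(key)); /* atoi skips the leading tab */
}

int main(void) {
    printf("before: no_new_privs=%d\n", nnp_get());
    if (nnp_set() != 0) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        return 1;
    }
    printf("after:  no_new_privs=%d\n", nnp_get());
    printf("clear attempt errno=%d (EINVAL=%d)\n", nnp_try_clear(), EINVAL);
    printf("child:  no_new_privs=%d\n", nnp_in_child());

    /* The same check an operator can run inside a Mesos task. */
    char buf[8192] = {0};
    FILE *f = fopen("/proc/self/status", "r");
    if (f) {
        fread(buf, 1, sizeof(buf) - 1, f);
        fclose(f);
        printf("/proc/self/status NoNewPrivs=%d\n", nnp_from_status(buf));
    }
    return 0;
}
```

Because the flag is inherited and cannot be cleared, a task's own child processes (including anything it execs) run with it as well, which is why enabling the isolator on the agent is sufficient to cover the whole process tree of a container.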