diff --git a/private/access_vectors b/private/access_vectors
index 898c884cdcd64bfa36db3cc8f065f21cd2daf5b1..57ab3a8f08b0526da6eafb0600c83fd917cfeaa2 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -330,6 +330,11 @@ class process
 	getrlimit
 }
 
+class process2
+{
+	nnp_transition
+	nosuid_transition
+}
 
 #
 # Define the access vector interpretation for ipc-related objects
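Review bot: The new `process2` class in private/access_vectors carries no comment, so a policy author cannot tell from this file when `nnp_transition` and `nosuid_transition` are consulted or why they live outside `class process`. I would add a short comment above `class process2`, for example `# Checked between the old and new context on exec under no_new_privs (nnp_transition) or from a nosuid mount (nosuid_transition); only used when policycap nnp_nosuid_transition is enabled.` If the reason for a second class is that `process` has no free permission bits, which I cannot confirm from the lines shown, that belongs in the comment too.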
diff --git a/private/policy_capabilities b/private/policy_capabilities
index ab55c15e38d8581052a2bfad1badc3cdb8df2752..9290e3ab36427e73a0ce8593de26f87551410a45 100644
--- a/private/policy_capabilities
+++ b/private/policy_capabilities
@@ -11,3 +11,10 @@ policycap open_perms;
 # to the rawip_socket class.
 policycap extended_socket_class;
 
+# Enable NoNewPrivileges support.  Requires libsepol 2.7+
+# and kernel 4.14 (estimated).
+#
+# Checks enabled;
+# process2: nnp_transition, nosuid_transition
+#
+policycap nnp_nosuid_transition;
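Review bot: Once `policycap nnp_nosuid_transition;` is enabled, any later `allow` rule granting `process2` `nnp_transition` or `nosuid_transition` lets a domain transition proceed despite no_new_privs or a nosuid mount, and nothing visible in this commit limits who may receive those permissions. Consider shipping a guard with the capability, for example `neverallow * *:process2 { nnp_transition nosuid_transition };`, to be relaxed per domain pair as real uses appear, so that a wildcard grant fails at build time. My understanding is that the kernel still falls back to the bounded-type check when the permission is not granted, so existing transitions should not regress, but that is worth confirming on the target kernel. In the comment, `# Checks enabled;` should end in a colon, and "kernel 4.14 (estimated)" should be replaced with the confirmed minimum version once known.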
diff --git a/private/security_classes b/private/security_classes
index 251b721686174e0f7e77c9d5f3107ab73774c97d..e0007d19c109e984ff8bf58a46f01dd97a361a50 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -130,6 +130,8 @@ class kcm_socket
 class qipcrtr_socket
 class smc_socket
 
+class process2
+
 # Property service
 class property_service          # userspace