diff --git a/lib/libalpm/sandbox.c b/lib/libalpm/sandbox.c
index 7650c119..1e96dc00 100644
--- a/lib/libalpm/sandbox.c
+++ b/lib/libalpm/sandbox.c
@@ -17,9 +17,14 @@
  * along with this program. If not, see .
  */
 
+#include "config.h"
+
 #include
 #include
 #include
+#ifdef HAVE_SYS_PRCTL_H
+#include
+#endif /* HAVE_SYS_PRCTL_H */
 #include
 #include
@@ -40,6 +45,10 @@ int SYMEXPORT alpm_sandbox_setup_child(alpm_handle_t *handle, const char* sandbo
 	if(sandbox_path != NULL && !handle->disable_sandbox) {
 		_alpm_sandbox_fs_restrict_writes_to(handle, sandbox_path);
 	}
+#if defined(HAVE_SYS_PRCTL_H) && defined(PR_SET_NO_NEW_PRIVS)
+	/* make sure that we cannot gain more privileges later, failure is fine */
+	prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+#endif /* HAVE_SYS_PRCTL && PR_SET_NO_NEW_PRIVS */
 	if(restrict_syscalls && !handle->disable_sandbox) {
 		_alpm_sandbox_syscalls_filter(handle);
 	}
diff --git a/meson.build b/meson.build
index e48120e8..e8f502b7 100644
--- a/meson.build
+++ b/meson.build
@@ -132,6 +132,7 @@ foreach header : [
   'sys/mnttab.h',
   'sys/mount.h',
   'sys/param.h',
+  'sys/prctl.h',
   'sys/statvfs.h',
   'sys/types.h',
   'sys/ucred.h',
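Review bot: The new `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` is placed after `_alpm_sandbox_fs_restrict_writes_to()` and only ahead of the seccomp filter; if that filesystem helper is Landlock-based (not visible here), `landlock_restrict_self()` itself needs no_new_privs or CAP_SYS_ADMIN to succeed, so the call would be more robust moved above the filesystem-restriction block — worth confirming against that helper. It is also the only step in this function applied regardless of `handle->disable_sandbox`; if that is deliberate, say so, e.g. `/* set no_new_privs even when the sandbox is disabled: it is inherited, cannot be cleared, and is harmless otherwise */`, otherwise wrap it in the same guard as its neighbours. Discarding the return value is acceptable for a best-effort hardening step, but a later seccomp or Landlock failure is the usual symptom of a missing no_new_privs, so a debug-level log on failure would make that easier to diagnose. The `#endif` trailer names `HAVE_SYS_PRCTL` while the `#if` tests `HAVE_SYS_PRCTL_H`; use `#endif /* HAVE_SYS_PRCTL_H && PR_SET_NO_NEW_PRIVS */`. `alpm_sandbox_setup_child()` begins and ends outside this hunk.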