README.md: Mention --new-session in section "Sandboxing"

Signed-off-by: Sebastian Pipping <sebastian@pipping.org>
2023-03-02 03:51:55 +01:00
parent 9a1d8b7217
commit 2f9ce900d4
1 changed files with 5 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -166,6 +166,11 @@ UTS namespace ([CLONE_NEWUTS](http://linux.die.net/man/2/clone)): The sandbox wi

 Seccomp filters: You can pass in seccomp filters that limit which syscalls can be done in the sandbox. For more information, see [Seccomp](https://en.wikipedia.org/wiki/Seccomp).

+If you are not filtering out `TIOCSTI` commands using seccomp filters,
+argument `--new-session` is needed to protect against out-of-sandbox
+command execution
+(see [CVE-2017-5226](https://github.com/containers/bubblewrap/issues/142)).
+
 Related project comparison: Firejail
 ------------------------------------