diff options
author | Sebastian Pipping <sebastian@pipping.org> | 2023-03-02 03:51:55 +0100 |
---|---|---|
committer | Alexander Larsson <alexander.larsson@gmail.com> | 2023-04-03 09:52:37 +0200 |
commit | 2f9ce900d4cbe51c88d22da144759828ae04d0f0 (patch) | |
tree | 41db30269758962515b66e073c7c1f1a82e949a0 | |
parent | 9a1d8b7217c7153d5ce260db2a408d3679a2847e (diff) | |
download | bubblewrap-2f9ce900d4cbe51c88d22da144759828ae04d0f0.tar.gz |
README.md: Mention --new-session in section "Sandboxing"
Signed-off-by: Sebastian Pipping <sebastian@pipping.org>
-rw-r--r-- | README.md | 5 |
1 files changed, 5 insertions, 0 deletions
@@ -166,6 +166,11 @@ UTS namespace ([CLONE_NEWUTS](http://linux.die.net/man/2/clone)): The sandbox wi Seccomp filters: You can pass in seccomp filters that limit which syscalls can be done in the sandbox. For more information, see [Seccomp](https://en.wikipedia.org/wiki/Seccomp). +If you are not filtering out `TIOCSTI` commands using seccomp filters, +argument `--new-session` is needed to protect against out-of-sandbox +command execution +(see [CVE-2017-5226](https://github.com/containers/bubblewrap/issues/142)). + Related project comparison: Firejail ------------------------------------ |