README.md: Mention --new-session in section "Sandboxing"

Signed-off-by: Sebastian Pipping <sebastian@pipping.org>
author: Sebastian Pipping <sebastian@pipping.org> 2023-03-02 03:51:55 +0100
committer: Alexander Larsson <alexander.larsson@gmail.com> 2023-04-03 09:52:37 +0200
commit: 2f9ce900d4cbe51c88d22da144759828ae04d0f0 (patch)
tree: 41db30269758962515b66e073c7c1f1a82e949a0
parent: 9a1d8b7217c7153d5ce260db2a408d3679a2847e (diff)
download: bubblewrap-2f9ce900d4cbe51c88d22da144759828ae04d0f0.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/README.md b/README.md
index f898915..388ed80 100644
--- a/README.md
+++ b/README.md
@@ -166,6 +166,11 @@ UTS namespace ([CLONE_NEWUTS](http://linux.die.net/man/2/clone)): The sandbox wi
 
 Seccomp filters: You can pass in seccomp filters that limit which syscalls can be done in the sandbox. For more information, see [Seccomp](https://en.wikipedia.org/wiki/Seccomp).
 
+If you are not filtering out `TIOCSTI` commands using seccomp filters,
+argument `--new-session` is needed to protect against out-of-sandbox
+command execution
+(see [CVE-2017-5226](https://github.com/containers/bubblewrap/issues/142)).
+
 Related project comparison: Firejail
 ------------------------------------
author	Sebastian Pipping <sebastian@pipping.org>	2023-03-02 03:51:55 +0100
committer	Alexander Larsson <alexander.larsson@gmail.com>	2023-04-03 09:52:37 +0200
commit	2f9ce900d4cbe51c88d22da144759828ae04d0f0 (patch)
tree	41db30269758962515b66e073c7c1f1a82e949a0
parent	9a1d8b7217c7153d5ce260db2a408d3679a2847e (diff)
download	bubblewrap-2f9ce900d4cbe51c88d22da144759828ae04d0f0.tar.gz