README.md: Mention --new-session in section "Sandboxing"

Signed-off-by: Sebastian Pipping <[email protected]>
containers · Mar 4, 2023 · a0c2d89 · a0c2d89
1 parent 48ad176
commit a0c2d89
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -145,6 +145,11 @@ UTS namespace ([CLONE_NEWUTS](http://linux.die.net/man/2/clone)): The sandbox wi
 
 Seccomp filters: You can pass in seccomp filters that limit which syscalls can be done in the sandbox. For more information, see [Seccomp](https://en.wikipedia.org/wiki/Seccomp).
 
+If you are not filtering out `TIOCSTI` commands using seccomp filters,
+argument `--new-session` is needed to protect against out-of-sandbox
+command execution
+(see [CVE-2017-5226](https://github.com/containers/bubblewrap/issues/142)).
+
 Related project comparison: Firejail
 ------------------------------------