path: root/bwrap.xml
Diffstat (limited to 'bwrap.xml')
-rw-r--r-- bwrap.xml 12
1 files changed, 8 insertions, 4 deletions
diff --git a/bwrap.xml b/bwrap.xml
index 4fe571e..9d770ac 100644
--- a/bwrap.xml
+++ b/bwrap.xml
@@ -6,7 +6,7 @@
<refentryinfo>
<title>bwrap</title>
- <productname>Project Atomic</productname>
+ <productname>Containers</productname>
<authorgroup>
<author>
<contrib>Developer</contrib>
@@ -42,7 +42,8 @@
<refsect1><title>Description</title>
<para>
- <command>bwrap</command> is a privileged helper for container setup. You
+ <command>bwrap</command> is a unprivileged low-level sandboxing tool
+ (optionally setuid on older distributions). You
are unlikely to use it directly from the commandline, although that is possible.
</para>
<para>
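Review bot: "is a unprivileged" on the first added line should read "is an unprivileged". The parenthetical also sits awkwardly beside "unprivileged": a setuid install runs with elevated privilege, so the sentence would be clearer if it said what differs in that case, for example "an unprivileged low-level sandboxing tool (installed setuid on older distributions, where it acts as a privileged helper)". While this paragraph is being touched, "commandline" in the following context line could become "command line".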
@@ -463,7 +464,9 @@
</para><para>
Note: In a general sandbox, if you don't use --new-session, it is
recommended to use seccomp to disallow the TIOCSTI ioctl, otherwise
- the application can feed keyboard input to the terminal.
+ the application can feed keyboard input to the terminal
+ which can e.g. lead to out-of-sandbox command execution
+ (see CVE-2017-5226).
</para></listitem>
</varlistentry>
<varlistentry>
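Review bot: the added clause needs a comma before "which", and "which can e.g. lead to" reads better as "which can, for example, lead to". The three short added lines could also be reflowed into two so the sentence is not broken mid-phrase. The CVE reference is a useful addition; since the note already names --new-session as the alternative to the seccomp filter, consider stating outright that either of the two closes the issue described in the CVE, so a reader does not have to infer it from "if you don't use --new-session".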
@@ -484,7 +487,8 @@
<varlistentry>
<term><option>--cap-add <arg choice="plain">CAP</arg></option></term>
<listitem><para>
- Add the specified capability when running as privileged user. It accepts
+ Add the specified capability <arg choice="plain">CAP</arg>, e.g.
+ CAP_DAC_READ_SEARCH, when running as privileged user. It accepts
the special value ALL to add all the permitted caps.
</para></listitem>
</varlistentry>
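Review bot: the new first line repeats the <arg choice="plain">CAP</arg> markup from the <term> inside running prose, while the example value CAP_DAC_READ_SEARCH is left as bare text. Marking the placeholder as <replaceable>CAP</replaceable> and the example as <literal>CAP_DAC_READ_SEARCH</literal> would keep the two visually distinct in the rendered page. The second added line still says "when running as privileged user"; since the line is being rewritten anyway, "as a privileged user" fixes the missing article.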