memfd-bind: mention that overlayfs obviates the need for it

cyphar · cyphar · commit aa505bfa89a6 · 2024-11-05T01:45:05.000+11:00
Signed-off-by: Aleksa Sarai &lt;cyphar@cyphar.com&gt;
diff --git a/contrib/cmd/memfd-bind/README.md b/contrib/cmd/memfd-bind/README.md
@@ -1,6 +1,15 @@
 ## memfd-bind ##
 
-`runc` normally has to make a binary copy of itself when constructing a
+> **NOTE**: Since runc 1.2.0, runc will now use a private overlayfs mount to
+> protect the runc binary. This protection is far more light-weight than
+> memfd-bind, and for most users this should obviate the need for `memfd-bind`
+> entirely. Rootless containers will still make a memfd copy (unless you are
+> using `runc` itself inside a user namespace -- a-la
+> [`rootlesskit`][rootlesskit]), but `memfd-bind` is not particularly useful
+> for rootless container users anyway (see [Caveats](#Caveats) for more
+> details).
+
+`runc` sometimes has to make a binary copy of itself when constructing a
 container process in order to defend against certain container runtime attacks
 such as CVE-2019-5736.
 
@@ -38,6 +47,8 @@ much memory usage they can use:
   container process setup takes up about 10MB per process spawned inside the
   container by runc (both pid1 and `runc exec`).
 
+[rootlesskit]: https://github.com/rootless-containers/rootlesskit
+
 ### Caveats ###
 
 There are several downsides with using `memfd-bind` on the `runc` binary:
