From 94a50673b5289da9da65b1c1d6301e81b29ef639 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Mon, 4 Nov 2024 20:47:07 +1100 Subject: [PATCH] memfd-bind: mention that overlayfs obviates the need for it Signed-off-by: Aleksa Sarai --- contrib/cmd/memfd-bind/README.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/contrib/cmd/memfd-bind/README.md b/contrib/cmd/memfd-bind/README.md index a83cc78208c..0cc16ec796a 100644 --- a/contrib/cmd/memfd-bind/README.md +++ b/contrib/cmd/memfd-bind/README.md @@ -1,6 +1,13 @@ ## memfd-bind ## -`runc` normally has to make a binary copy of itself when constructing a +> **NOTE**: Since runc 1.2.0, runc will now use a private overlayfs mount to +> protect the runc binary. This protection is far more light-weight than +> memfd-bind, and for most users this should obviate the need for `memfd-bind` +> entirely. Fully rootless containers will still make a memfd copy, but +> `memfd-bind` was not useful for rootless container users anyway (see +> [Caveats](#Caveats) for more details). + +`runc` sometimes has to make a binary copy of itself when constructing a container process in order to defend against certain container runtime attacks such as CVE-2019-5736.
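Review bot: The new NOTE block leaves the fallback behaviour underspecified: it says fully rootless containers "will still make a memfd copy", but not what runc does when the private overlayfs mount cannot be set up for any other reason (for example a kernel without overlayfs support), so a reader cannot tell whether `memfd-bind` is still relevant to them in that case; consider one sentence stating the fallback explicitly. Minor wording in the same hunk: "Since runc 1.2.0, runc will now use a private overlayfs mount" mixes "since" with "will now" and reads better as "Since runc 1.2.0, runc uses a private overlayfs mount", and "light-weight" is conventionally written "lightweight". The `[Caveats](#Caveats)` link targets a capitalised fragment; auto-generated Markdown heading anchors are lowercase, so `#caveats` is the safer form.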