abuild: bwrap: use --new-session to mitigate TIOCSTI escape (CVE-2017-5226)

Bubblewrap has an under-documented option which helps to protect against abuse
of TIOCSTI ioctls against the session PTY to escape the build sandbox, the
--new-session option.

Related: https://github.com/containers/bubblewrap/issues/555
Related: https://github.com/containers/bubblewrap/issues/142
Related: https://news.ycombinator.com/item?id=30825088
Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
This commit is contained in:
Ariadne Conill 2023-03-14 11:06:05 +00:00
parent 3695cd2008
commit d54d8f5d06
1 changed file with 1 addition and 1 deletion


@ -2442,7 +2442,7 @@ rootbld() {
local bwrap_opts=""
options_has "net" || bwrap_opts="$bwrap_opts --unshare-net"
bwrap --unshare-ipc --unshare-uts $bwrap_opts \
bwrap --new-session --unshare-ipc --unshare-uts $bwrap_opts \
--ro-bind "$BUILD_ROOT" / \
--proc /proc \
--dev-bind /dev /dev \
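Review bot: the new `--new-session` flag on the `bwrap` line lands with no inline explanation, even though the commit message itself calls the option under-documented; a one-line shell comment above the invocation, such as `# --new-session: setsid() the sandbox so it cannot inject input via TIOCSTI (CVE-2017-5226)`, would keep the rationale next to the code rather than only in git history. Worth stating alongside it is the trade-off that bubblewrap documents for this option: the sandbox is detached from the controlling terminal, so terminal signals such as Ctrl-C no longer reach the build running under `rootbld` the way they did before this change.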