From d54d8f5d06d83353dcd0eeb4e04613fa41a5247d Mon Sep 17 00:00:00 2001
From: Ariadne Conill
Date: Tue, 14 Mar 2023 11:06:05 +0000
Subject: [PATCH] abuild: bwrap: use --new-session to mitigate TIOCSTI escape (CVE-2017-5226)

Bubblewrap has an under-documented option which helps to protect against abuse of TIOCSTI ioctls against the session PTY to escape the build sandbox, the --new-session option.

Related: https://github.com/containers/bubblewrap/issues/555
Related: https://github.com/containers/bubblewrap/issues/142
Related: https://news.ycombinator.com/item?id=30825088

Signed-off-by: Ariadne Conill
---
 abuild.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/abuild.in b/abuild.in
index 5382129..a901ca4 100755
--- a/abuild.in
+++ b/abuild.in
@@ -2442,7 +2442,7 @@ rootbld() {
 	local bwrap_opts=""
 	options_has "net" || bwrap_opts="$bwrap_opts --unshare-net"
-	bwrap --unshare-ipc --unshare-uts $bwrap_opts \
+	bwrap --new-session --unshare-ipc --unshare-uts $bwrap_opts \
 		--ro-bind "$BUILD_ROOT" / \
 		--proc /proc \
 		--dev-bind /dev /dev \
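Review bot: The added `--new-session` on the `+bwrap` line carries a side effect that nothing in the hunk records: bwrap calls setsid(), so the build is detached from the invoking terminal's session and, as far as I can tell, no longer receives terminal-generated SIGINT/SIGTSTP (Ctrl-C, job control) unless abuild forwards signals itself, which this hunk does not do. That trade-off is exactly why the option is easy to get wrong, so it deserves a why-comment above the invocation, e.g. `# --new-session: setsid() detaches the build from the controlling tty so TIOCSTI cannot inject keystrokes into the caller's shell (CVE-2017-5226); costs terminal-driven ^C/job control.` It is also worth noting in that comment (or the commit message) that this only blocks the TIOCSTI path — the build still inherits /dev via `--dev-bind` and can write arbitrary escape sequences to the tty — and that a seccomp filter denying TIOCSTI would keep the controlling terminal intact if the signal loss turns out to matter. The enclosing rootbld() function begins before and continues after this hunk.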