abuild: bwrap: use --new-session to mitigate TIOCSTI escape (CVE-2017-5226)

Bubblewrap has an under-documented option which helps to protect against abuse of TIOCSTI ioctls against the session PTY to escape the build sandbox, the --new-session option. Related: https://github.com/containers/bubblewrap/issues/555 Related: https://github.com/containers/bubblewrap/issues/142 Related: https://news.ycombinator.com/item?id=30825088 Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
2025-01-03 05:02:18 +00:00 · 2023-03-14 11:06:05 +00:00 · 2023-03-14 11:06:05 +00:00 · d54d8f5d06
commit d54d8f5d06
parent 3695cd2008
1 changed files with 1 additions and 1 deletions
--- a/abuild.in
+++ b/abuild.in
@ -2442,7 +2442,7 @@ rootbld() {

 	local bwrap_opts=""
 	options_has "net" || bwrap_opts="$bwrap_opts --unshare-net"
-	bwrap --unshare-ipc --unshare-uts $bwrap_opts \
+	bwrap --new-session --unshare-ipc --unshare-uts $bwrap_opts \
 		--ro-bind "$BUILD_ROOT" / \
 		--proc /proc \
 		--dev-bind /dev /dev \