Call setsid() before executing sandboxed code (CVE-2017-5226)

This prevents the sandboxed code from getting a controlling tty, which in turn prevents it from accessing the TIOCSTI ioctl and hence faking terminal input. Fixes: #142 Closes: #143 Approved by: cgwalters
containers · Jan 9, 2017 · d7fc532 · d7fc532
1 parent a10af85
commit d7fc532
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/bubblewrap.c b/bubblewrap.c
@@ -2071,6 +2071,9 @@ main (int    argc,
   /* We want sigchild in the child */
   unblock_sigchild ();
 
+  if (setsid () == (pid_t) -1)
+    die_with_error ("setsid");
+
   if (label_exec (opt_exec_label) == -1)
     die_with_error ("label_exec %s", argv[0]);