Pass WINCH signal to child process

[PhilipRoman]

Program running in sandbox is not getting SIGWINCH events (this can be verified easily by doing "strace cat"). It seems to me that forwarding this signal would be quite useful and wouldn't be a security issue.

[jamielinux]

To add some context here, terminal applications (such as a text editor like Neovim) can usually respond to the terminal window being resized as the the terminal will send a SIGWINCH signal to the application. The application can then resize itself appropriately.

When running bwrap with the --new-session argument, it disconnects the sandbox from the controlling terminal and therefore prevents communication of a SIGWINCH signal.

Unfortunately, running bwrap without --new-session isn't a good idea for security as it opens up possible sandbox escape.

So at the moment, it doesn't seem possible to let sandboxed terminal applications respond to terminal resize events unless you want to create a leaky hole in your sandbox.

[smcv]

This is in the scope of #586.

[smcv]

doesn't seem possible to let sandboxed terminal applications respond to terminal resize events

It is also possible to do this by creating a pseudo-terminal (pty) and bridging input and output between the terminal device inside the sandbox and the terminal emulator outside the sandbox, similar to what sudo does by default. This is out-of-scope for bubblewrap (which is a security boundary and must be setuid root on some systems, therefore every line of code adds security risk), but could be done by a larger framework that uses bubblewrap (Flatpak or equivalent) if it wants to.