abuild: bwrap: use --new-session to mitigate TIOCSTI escape (CVE-2017…

…-5226) Bubblewrap has an under-documented option which helps to protect against abuse of TIOCSTI ioctls against the session PTY to escape the build sandbox, the --new-session option. Related: containers/bubblewrap#555 Related: containers/bubblewrap#142 Related: https://news.ycombinator.com/item?id=30825088 Signed-off-by: Ariadne Conill <[email protected]>
alpinelinux · Mar 14, 2023 · d54d8f5 · d54d8f5
1 parent 3695cd2
commit d54d8f5
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/abuild.in b/abuild.in
@@ -2442,7 +2442,7 @@ rootbld() {
 
 	local bwrap_opts=""
 	options_has "net" || bwrap_opts="$bwrap_opts --unshare-net"
-	bwrap --unshare-ipc --unshare-uts $bwrap_opts \
+	bwrap --new-session --unshare-ipc --unshare-uts $bwrap_opts \
 		--ro-bind "$BUILD_ROOT" / \
 		--proc /proc \
 		--dev-bind /dev /dev \