container: bubblewrap runner: use --new-session to mitigate CVE-2017-…

…5226 Without it, it is possible to escape the sandbox via TIOCSTI ioctls on the session PTY. Related: containers/bubblewrap#555 Related: containers/bubblewrap#142 Related: https://news.ycombinator.com/item?id=30825088 Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
chainguard-dev · Mar 14, 2023 · 07cd62e · 07cd62e
1 parent 404f01b
commit 07cd62e
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/pkg/container/bubblewrap_runner.go b/pkg/container/bubblewrap_runner.go
@@ -40,7 +40,8 @@ func (bw *BWRunner) Run(cfg *Config, args ...string) error {
 		"--dev", "/dev",
 		"--proc", "/proc",
 		"--chdir", "/home/build",
-		"--clearenv")
+		"--clearenv",
+		"--new-session")
 
 	if !cfg.Capabilities.Networking {
 		baseargs = append(baseargs, "--unshare-net")