The setsid() change broke my code because I use a seccomp whitelist, which didn't include setsid, and the seccomp filter gets installed prior to the call. To avoid problems like this in the future, the prctl call should be done as close to immediately prior to the execvp as possible.
As it stands there are other calls that need to be placed in everyone's whitelist that don't need to be if the filter was installed last, which is unnecessary attack surface, though the benefits here are likely fairly minor since bubblewrap is done doing most of the exotic things by the time the filter is installed currently.
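The ordering problem described in this report can be reproduced in isolation. The following is an added example, not part of the original report and not bubblewrap's code: the allowlist contents, the `EPERM` default action and the function names `install_filter` and `child_setsid_status` are assumptions made for the demonstration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#define ALLOW(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Constructed allowlist: setsid is deliberately absent, everything else gets EPERM.
 * A production filter must also check seccomp_data.arch; omitted here for brevity. */
static int install_filter(void) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW(SYS_write), ALLOW(SYS_exit_group), ALLOW(SYS_execve),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog fprog = { sizeof(prog) / sizeof(prog[0]), prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Forks a child that calls setsid() either after (filter_first=1) or before
 * (filter_first=0) the filter is installed. Returns 0 if setsid() succeeded,
 * the child's errno if it failed, 200 if the filter could not be installed. */
static int child_setsid_status(int filter_first) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (filter_first && install_filter() != 0) _exit(200);
        int rc = setsid();
        int err = errno;
        if (!filter_first && install_filter() != 0) _exit(200);
        /* The execvp of the sandboxed program would go here, right after the filter. */
        _exit(rc == 0 ? 0 : err);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    printf("setsid then filter: %d\n", child_setsid_status(0));
    printf("filter then setsid: %d\n", child_setsid_status(1));
    return 0;
}
```

With the filter installed last, the launcher's own setup calls never have to appear in the allowlist, so the list only needs to cover what the executed program uses.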