Skip to content
Permalink
Browse files

Call setsid() before executing sandboxed code (CVE-2017-5226)

This prevents the sandboxed code from getting a controlling tty,
which in turn prevents it from accessing the TIOCSTI ioctl and hence
faking terminal input.

Fixes: #142

Closes: #143
Approved by: cgwalters
  • Loading branch information...
smcv authored and rh-atomic-bot committed Jan 9, 2017
1 parent a10af85 commit d7fc532c42f0e9bf427923bab85433282b3e5117
Showing with 3 additions and 0 deletions.
  1. +3 −0 bubblewrap.c
@@ -2071,6 +2071,9 @@ main (int argc,
/* We want sigchild in the child */
unblock_sigchild ();

if (setsid () == (pid_t) -1)
die_with_error ("setsid");

if (label_exec (opt_exec_label) == -1)
die_with_error ("label_exec %s", argv[0]);

0 comments on commit d7fc532

Please sign in to comment.
You can’t perform that action at this time.