Call setsid() before executing sandboxed code (CVE-2017-5226)

This prevents the sandboxed code from getting a controlling tty, which in turn prevents it from accessing the TIOCSTI ioctl and hence faking terminal input. Fixes: containers#142
smcv · Jan 9, 2017 · 3f2f885 · 3f2f885
1 parent a10af85
commit 3f2f885
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/bubblewrap.c b/bubblewrap.c
@@ -2071,6 +2071,9 @@ main (int    argc,
   /* We want sigchild in the child */
   unblock_sigchild ();
 
+  if (setsid () == (pid_t) -1)
+    die_with_error ("setsid");
+
   if (label_exec (opt_exec_label) == -1)
     die_with_error ("label_exec %s", argv[0]);