abuild: bwrap: use --new-session to mitigate TIOCSTI escape (CVE-2017-5226)

Merged Ariadne Conill requested to merge ariadne/abuild:cve-2017-5226-mitigation into master

Bubblewrap has an under-documented option which helps to protect against abuse of TIOCSTI ioctls against the session PTY to escape the build sandbox, the --new-session option.

Related: https://github.com/containers/bubblewrap/issues/555

Related: https://github.com/containers/bubblewrap/issues/142

Related: https://news.ycombinator.com/item?id=30825088

Signed-off-by: Ariadne Conill ariadne@dereferenced.org

Edited by Ariadne Conill

Merge request reports