rsa25519 | 3 years ago

Note that a sandbox escape is often possible via TIOCSTI (CVE-2017-5226) [0] unless a special flag (--new-session) is used.

Bubblewrap is aware of this, yet their documentation gives no indication that this flag is necessary to produce a secure sandbox. In --help, the documentation of --new-session is simply "Create a new terminal session," which severely understates its importance.

It's frustrating to have such a useful tool be knowingly easy to misuse.

[0]: https://github.com/containers/bubblewrap/issues/142
