commit eace1a33c9ba2370f3c045782cab7467093a4f05 Author: Yawning Angel yawning@schwanenlied.me Date: Tue Jan 17 21:28:52 2017 +0000
Call setsid() before we exec bwrap.
This is part of a defense-in-depth measure against `TIOCSTI` considered harmful (CVE-2017-5226). Released versions of `sandboxed-tor-browser` were NEVER vulnerable to the issue at all because the seccomp whitelist does not allow `TIOCSTI`.
bubblewrap's behavior here changes a bit depending on the version and backports. In theory if everyone shipped the latest and greatest (master), `--new-session` is available as an option, but I can just do this myself. --- src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go
index 9d2bba4..fb51e41 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go
@@ -56,8 +56,7 @@ func (u *unshareOpts) toArgs() []string {
 if u.pid {
 args = append(args, "--unshare-pid")
 } else {
- // Until bubblewrap > 0.1.5 when the child calls setsid(),
- // we have to rely on SIGKILL-ing the init fork for cleanup.
+ // This is basically required for cleanup.
 panic("sandbox: unshare.pid is required")
 }
 if u.net {
@@ -167,6 +166,7 @@ func (h *hugbox) run() (*Process, error) {
 Stdout: h.stdout,
 Stderr: h.stderr,
 SysProcAttr: &syscall.SysProcAttr{
+ Setsid: true,
 Pdeathsig: h.pdeathSig,
 },
 }
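Review bot: The added `Setsid: true` in the run() hunk carries no comment, so a later reader has no way to tell it is a security measure rather than a daemonization convenience and may drop it when bumping bubblewrap or adding `--new-session`. I would annotate the field: `// Setsid: detach from the controlling tty before exec so the sandboxed` / `// child cannot use TIOCSTI against it (defense in depth, CVE-2017-5226).` The `SysProcAttr` literal belongs to run(), which begins and ends outside this hunk. Since the Go runtime issues setsid(2) in the forked child before exec, the inherited tty file descriptors stay open but are no longer the child's controlling terminal, which is what makes the ioctl fail regardless of the installed bwrap version.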