Merge pull request #320 from chainguard-dev/fix/bwrap-new-session-cve…

…-2017-5226 container: bubblewrap runner: use --new-session to mitigate CVE-2017-5226
chainguard-dev · Mar 14, 2023 · f680f28 · f680f28
2 parents 404f01b + 07cd62e
commit f680f28
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/pkg/container/bubblewrap_runner.go b/pkg/container/bubblewrap_runner.go
@@ -40,7 +40,8 @@ func (bw *BWRunner) Run(cfg *Config, args ...string) error {
 		"--dev", "/dev",
 		"--proc", "/proc",
 		"--chdir", "/home/build",
-		"--clearenv")
+		"--clearenv",
+		"--new-session")
 
 	if !cfg.Capabilities.Networking {
 		baseargs = append(baseargs, "--unshare-net")