Use seccomp instead of setsid() to workaround CVE-2017-5226

.redhat-ci.yml

@@ -16,6 +16,7 @@ packages:
   - redhat-rpm-config
   - libcap-devel
   - pkgconfig(libselinux)
+  - pkgconfig(libseccomp)
   - libxslt
   - docbook-style-xsl
 
@@ -48,6 +49,7 @@ packages:
   - redhat-rpm-config
   - libcap-devel
   - pkgconfig(libselinux)
+  - pkgconfig(libseccomp)
   - libxslt
   - docbook-style-xsl
   - clang

Makefile-bwrap.am

@@ -1,4 +1,3 @@
-
 bwrap_SOURCES = \
 	$(bwrap_srcpath)/bubblewrap.c \
 	$(bwrap_srcpath)/bind-mount.h \
@@ -10,4 +9,4 @@ bwrap_SOURCES = \
 	$(NULL)
 
 bwrap_CFLAGS = $(AM_CFLAGS)
-bwrap_LDADD = $(SELINUX_LIBS)
+bwrap_LDADD = $(LIBSECCOMP_LIBS) $(SELINUX_LIBS)

Makefile.am

@@ -1,6 +1,9 @@
 AM_CFLAGS = $(WARN_CFLAGS)
 CLEANFILES =
+MAINTAINERCLEANFILES =
 EXTRA_DIST =
+BUILT_SOURCES =
+noinst_PROGRAMS =
 
 GITIGNOREFILES = build-aux/ gtk-doc.make config.h.in aclocal.m4
 

bubblewrap.c

@@ -34,6 +34,10 @@
 #include <linux/seccomp.h>
 #include <linux/filter.h>
 
+#ifndef DISABLE_SECCOMP
+#include <seccomp.h>
+#endif
+
 #include "utils.h"
 #include "network.h"
 #include "bind-mount.h"
@@ -2027,6 +2031,43 @@ main (int    argc,
       close (opt_block_fd);
     }
 
+#ifndef DISABLE_SECCOMP
+  {
+    scmp_filter_ctx ctx = NULL;
+    uint32_t extra_arches[][2] = {
+      {SCMP_ARCH_X86_64, SCMP_ARCH_X86},
+#ifdef SCMP_ARCH_AARCH64
+      {SCMP_ARCH_AARCH64, SCMP_ARCH_ARM},
+#endif
+      {0}
+    };
+    int i;
+
+    ctx = seccomp_init (SCMP_ACT_ALLOW);
+    if (!ctx)
+      die ("Initialize seccomp failed\n");
+
+    for (i = 0; extra_arches[i][0] != 0; i++)
+      {
+        if (seccomp_arch_native () == extra_arches[i][0])
+          {
+            int res = seccomp_arch_add (ctx, extra_arches[i][1]);
+            if (res < 0)
+              die ("Error adding extra arch\n");
+          }
+      }
+
+    if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(ioctl), 1,
+                          SCMP_A1(SCMP_CMP_EQ, (int)TIOCSTI)) < 0)
+      die ("Failed to add TIOCSTI rule\n");
+
+    if (seccomp_load (ctx) != 0)
+      die ("Unable to load seccomp rules");
+
+    seccomp_release (ctx);
+  }
+#endif
+
   if (opt_seccomp_fd != -1)
     {
       cleanup_free char *seccomp_data = NULL;
@@ -2121,8 +2162,14 @@ main (int    argc,
   /* We want sigchild in the child */
   unblock_sigchild ();
 
+#ifdef DISABLE_SECCOMP
+  /* If we don'y have seccomp, then we need to setsid to protect against CVE-2017-5226
+   * See e.g. https://github.com/projectatomic/bubblewrap/pull/143
+   * This workaround is pretty bad though, as it breaks shell job control.
+   */
   if (setsid () == (pid_t) -1)
     die_with_error ("setsid");
+#endif
 
   if (label_exec (opt_exec_label) == -1)
     die_with_error ("label_exec %s", argv[0]);

configure.ac

@@ -49,6 +49,19 @@ else
     BASH_COMPLETION_DIR="$with_bash_completion_dir"
 fi
 
+AC_ARG_ENABLE([seccomp-tty-fix],
+              AC_HELP_STRING([--disable-seccomp-tty-fix],
+                             [Disable libseccomp-based TIOCSTI ioctl workaround (not recommended)]),
+              [enable_seccomp_tty_fix=no],
+              [enable_seccomp_tty_fix=yes])
+
+if test "x$enable_seccomp_tty_fix" = "xno"; then
+   AC_DEFINE([DISABLE_SECCOMP], [1],
+      [Define if not using seccomp])
+else
+   PKG_CHECK_MODULES(LIBSECCOMP, [libseccomp])
+fi
+
 AC_SUBST([BASH_COMPLETION_DIR])
 AM_CONDITIONAL([ENABLE_BASH_COMPLETION],[test "x$with_bash_completion_dir" != "xno"])
 # ------------------------------------------------------------------------------
@@ -111,6 +124,7 @@ echo "
 
     man pages (xsltproc):                         $enable_man
     SELinux:                                      $have_selinux
+    Seccomp tty fix:                              $enable_seccomp_tty_fix
     setuid mode on make install:                  $with_priv_mode
     mysteriously satisfying to pop:               yes"
 echo ""