@ddworken ddworken commented Dec 9, 2025

Summary

  • Adds --new-session flag to bwrap invocations for improved terminal isolation
  • Adds --die-with-parent flag to ensure sandbox processes are properly terminated when the parent dies

These flags are used by Flatpak in production and work correctly with our existing --unshare-pid flag.

Changes

  • --new-session: Calls setsid() to create a new terminal session, disconnecting the sandbox from the controlling terminal
  • --die-with-parent: Ensures all sandbox processes are killed (via SIGKILL) when bwrap's parent dies, preventing orphan processes

Test plan

  • Added regression tests to verify child processes are killed on timeout
  • Added regression tests to verify no orphan processes remain after forced termination
  • All 147 tests passing

🤖 Generated with Claude Code
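
The two Linux primitives behind these flags, as an added C example that is not part of the pull request or the project's code: setsid(), as the description states, and prctl(PR_SET_PDEATHSIG, SIGKILL), the parent-death signal bubblewrap relies on for --die-with-parent. The three-process layout and the `orphan_survives` helper are constructed for illustration; the middle process stands in for bwrap's parent and is killed to see whether its child is left behind.

```c
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>
struct report { pid_t pid, sid; };

/* Kill the middle process and report whether its child outlives it: 1 = orphan
 * survived, 0 = died with parent, -1 = setup error; *own_session = 1 if detached. */
int orphan_survives(int harden, int *own_session)
{
    int fds[2];
    struct report r;
    if (pipe(fds) < 0) return -1;
    pid_t mid = fork();                 /* stands in for bwrap's parent */
    if (mid < 0) return -1;
    if (mid == 0) {
        pid_t parent = getpid(), child = fork();
        if (child < 0) _exit(1);
        if (child == 0) {               /* stands in for the sandboxed process */
            if (harden) {
                setsid();                            /* --new-session */
                prctl(PR_SET_PDEATHSIG, SIGKILL);    /* --die-with-parent */
                if (getppid() != parent) _exit(1);   /* parent died before prctl */
            }
            r = (struct report){ getpid(), getsid(0) };
            if (write(fds[1], &r, sizeof r) < 0) _exit(1);
        }
        for (;;) pause();               /* both hold the pipe's write end open */
    }
    close(fds[1]);
    if (read(fds[0], &r, sizeof r) != (ssize_t)sizeof r) return -1;
    *own_session = (r.sid == r.pid);    /* session leader: no inherited tty */
    kill(mid, SIGKILL);                 /* the parent dies unexpectedly */
    waitpid(mid, NULL, 0);
    struct pollfd p = { .fd = fds[0], .events = POLLIN };
    int dead = poll(&p, 1, 1000) > 0;   /* hang-up: every writer has exited */
    if (!dead) kill(r.pid, SIGKILL);    /* clean up the orphan ourselves */
    close(fds[0]);
    return !dead;
}

int main(void)
{
    int s0, s1, plain = orphan_survives(0, &s0), hard = orphan_survives(1, &s1);
    printf("plain: orphan=%d own_session=%d\nhardened: orphan=%d own_session=%d\n", plain, s0, hard, s1);
    return 0;
}
```

The parent-death signal only reaches the process that set it, so anything that process forks later is not covered by this call alone.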

ddworken and others added 2 commits December 9, 2025 17:46
Security improvements:
- --new-session: Protects against CVE-2017-5226 (TIOCSTI terminal injection)
  by calling setsid() to disconnect from the controlling terminal
- --die-with-parent: Ensures all sandbox processes are killed (via SIGKILL)
  when bwrap's parent dies, preventing orphan processes

Both flags are used by Flatpak in production and work correctly with our
existing --unshare-pid flag (required for --die-with-parent to kill all
descendant processes).

Added regression tests to verify:
- Child processes are killed when sandbox is terminated via timeout
- No orphan processes remain after forced termination

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
@ddworken ddworken marked this pull request as ready for review December 9, 2025 18:22
@ollie-anthropic ollie-anthropic merged commit f326268 into main Dec 9, 2025
8 checks passed