From 9e16c35582af7704958dd2b2ec3cba524c9605b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Diakhat=C3=A9?= <fdiakh@gmail.com>
Date: Thu, 9 Apr 2026 18:17:33 +0000
Subject: [PATCH 2/2] fix: harden privsep parent against unexpected operations

---
 bubblewrap.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/bubblewrap.c b/bubblewrap.c
index 5fcccf7..9a6add0 100644
--- a/bubblewrap.c
+++ b/bubblewrap.c
@@ -1158,7 +1158,9 @@ privileged_op (int         privileged_op_socket,
       break;
 
     case PRIV_SEP_OP_OVERLAY_MOUNT:
-      if (mount ("overlay", arg2, "overlay", MS_MGC_VAL, arg1) != 0)
+      if (is_privileged)
+        die ("Overlay mounts are not supported in setuid mode");
+      if (mount ("overlay", arg2, "overlay", MS_MGC_VAL | MS_NOSUID | MS_NODEV, arg1) != 0)
         {
           /* The standard message for ELOOP, "Too many levels of symbolic
            * links", is not helpful here. */
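Review bot: The new `is_privileged` refusal has no comment explaining why overlay mounts are rejected only in setuid mode, while the sibling hostname case (second hunk) documents its guard against hacked priv-sep requests; a reader of this switch will not see why the two cases differ. The mount data in `arg1` (overlay options such as upperdir/workdir, presumably) arrives over the privileged_op socket, so in setuid mode the parent would be acting on options it did not choose; I would state that above the check, e.g. `/* The overlay options in arg1 come from the unprivileged side; when we are setuid root, refuse rather than trust them. Unprivileged (userns) mode keeps them. */`. It would also help to note next to the flags line that `MS_NOSUID | MS_NODEV` are added deliberately and `MS_NOEXEC` is left out, if that is intended. The privileged_op function and its switch continue outside this hunk.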
@@ -1176,6 +1178,8 @@ privileged_op (int         privileged_op_socket,
          something manages to send hacked priv-sep operation requests. */
       if (!opt_unshare_uts)
         die ("Refusing to set hostname in original namespace");
+      if (arg1 == NULL)
+        die ("Hostname argument is NULL");
       if (sethostname (arg1, strlen(arg1)) != 0)
         die_with_error ("Can't set hostname to %s", arg1);
       break;
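Review bot: The added `arg1 == NULL` check guards the `strlen(arg1)` on the next line, but nothing ties it to that call, and the same hazard may exist for other cases in this switch that dereference `arg1`/`arg2` from the socket (the overlay case in the first hunk passes `arg1` as mount data without such a check, though `mount` tolerates NULL data). A one-line comment would make the intent durable if the call below is ever reordered: `/* arg1 is decoded from the priv-sep socket; strlen() below must not see NULL. */`. If other cases do dereference their arguments, consider validating the expected argument count/presence once at the dispatch point rather than per case; the dispatch code is outside this hunk.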
-- 
2.53.0

