From b9f783b3bdaf69a06ba7026c10a8b98c50bf9854 Mon Sep 17 00:00:00 2001
From: ComixHe
Date: Wed, 21 Jan 2026 10:55:19 +0800
Subject: [PATCH] refactor: always call setsid for exec processes

Ensure every exec process starts in a new session to achieve:
- Isolation: Decouples the process from the caller's session and controlling terminal to prevent unexpected signal propagation.
- Security: Mitigates TIOCSTI terminal injection attacks by ensuring the process has no terminal to push characters back to.
- TTY Setup: Provides the required clean state for the process to properly acquire its own PTY if terminal=true.

Signed-off-by: ComixHe
---
 src/linyaps_box/container.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/linyaps_box/container.cpp b/src/linyaps_box/container.cpp
index 7cdc7e3..997a4ed 100644
--- a/src/linyaps_box/container.cpp
+++ b/src/linyaps_box/container.cpp
@@ -1741,8 +1741,8 @@ try {
 // TODO: selinux label/apparmor profile
 do_pivot_root(container, rootfs);
+ linyaps_box::utils::setsid();
 if (args.console_socket) {
- linyaps_box::utils::setsid();
 configure_terminal(container, args.console_socket.value());
 }
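Review bot: The now-unconditional `linyaps_box::utils::setsid();` after `do_pivot_root(container, rootfs);` has its security rationale only in the commit message, and how the wrapper reports failure is not visible in this hunk. setsid(2) returns EPERM when the caller is already a process-group leader, so if the wrapper throws, a non-terminal exec that previously skipped the call could now abort; whether a fork always precedes this point lies outside the hunk and should be confirmed. Inherited stdio descriptors can still refer to the caller's terminal after the session change, so the mitigation depends on the kernel refusing TIOCSTI for a tty that is not the controlling one, and that holds only while the process lacks CAP_SYS_ADMIN. I would record this next to the call, e.g. `// New session: no controlling tty, so TIOCSTI on inherited tty fds is refused unless CAP_SYS_ADMIN is held; must run before configure_terminal().` The enclosing function starts and ends outside the hunk.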