mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
f03698b69a
- Fixes a vulnerability in runc that allows a container escape (CVE-2019-5736)6635b4f0c6, - Includes security fix for `runc run --no-pivot` (`DOCKER_RAMDISK=1`):28a697cce3(NOTE: the vuln is attackable only when `DOCKER_RAMDISK=1` is set && seccomp is disabled) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
30 lines
1 KiB
Bash
Executable file
30 lines
1 KiB
Bash
Executable file
#!/bin/sh
|
|
|
|
# When updating RUNC_COMMIT, also update runc in vendor.conf accordingly
|
|
# The version of runc should match the version that is used by the containerd
|
|
# version that is used. If you need to update runc, open a pull request in
|
|
# the containerd project first, and update both after that is merged.
|
|
RUNC_COMMIT=6635b4f0c6af3810594d2770f662f34ddc15b40d
|
|
|
|
install_runc() {
|
|
# If using RHEL7 kernels (3.10.0 el7), disable kmem accounting/limiting
|
|
if uname -r | grep -q '^3\.10\.0.*\.el7\.'; then
|
|
: ${RUNC_NOKMEM='nokmem'}
|
|
fi
|
|
|
|
# Do not build with ambient capabilities support
|
|
RUNC_BUILDTAGS="${RUNC_BUILDTAGS:-"seccomp apparmor selinux $RUNC_NOKMEM"}"
|
|
|
|
echo "Install runc version $RUNC_COMMIT (build tags: $RUNC_BUILDTAGS)"
|
|
git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc"
|
|
cd "$GOPATH/src/github.com/opencontainers/runc"
|
|
git checkout -q "$RUNC_COMMIT"
|
|
if [ -z "$1" ]; then
|
|
target=static
|
|
else
|
|
target="$1"
|
|
fi
|
|
make BUILDTAGS="$RUNC_BUILDTAGS" "$target"
|
|
mkdir -p "${PREFIX}"
|
|
cp runc "${PREFIX}/runc"
|
|
}
|