mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
bc0fd3f617
This is the second patch release of the runc 1.1 release branch. It fixes CVE-2022-29162, a minor security issue (which appears to not be exploitable) related to process capabilities. This is a similar bug to the ones found and fixed in Docker and containerd recently (CVE-2022-24769). - A bug was found in runc where runc exec --cap executed processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment. For more information, see GHSA-f3fp-gc8g-vw66 and CVE-2022-29162. - runc spec no longer sets any inheritable capabilities in the created example OCI spec (config.json) file. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
29 lines
946 B
Bash
Executable file
29 lines
946 B
Bash
Executable file
#!/bin/sh
|
|
set -e
|
|
|
|
# RUNC_VERSION specifies the version of runc to install from the
|
|
# https://github.com/opencontainers/runc repository.
|
|
#
|
|
# The version of runc should match the version that is used by the containerd
|
|
# version that is used. If you need to update runc, open a pull request in
|
|
# the containerd project first, and update both after that is merged.
|
|
#
|
|
# When updating RUNC_VERSION, consider updating runc in vendor.mod accordingly
|
|
: "${RUNC_VERSION:=v1.1.2}"
|
|
|
|
install_runc() {
|
|
RUNC_BUILDTAGS="${RUNC_BUILDTAGS:-"seccomp"}"
|
|
|
|
echo "Install runc version $RUNC_VERSION (build tags: $RUNC_BUILDTAGS)"
|
|
git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc"
|
|
cd "$GOPATH/src/github.com/opencontainers/runc"
|
|
git checkout -q "$RUNC_VERSION"
|
|
if [ -z "$1" ]; then
|
|
target=static
|
|
else
|
|
target="$1"
|
|
fi
|
|
make BUILDTAGS="$RUNC_BUILDTAGS" "$target"
|
|
mkdir -p "${PREFIX}"
|
|
cp runc "${PREFIX}/runc"
|
|
}
|