This repository has been archived by the owner on May 2, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 15
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit 2e7480f
Showing
5 changed files
with
96 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| ./dist |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| vendor/pkg | ||
| /runc | ||
| /runc-* | ||
| contrib/cmd/recvtty/recvtty | ||
| man/man8 | ||
| release |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| FROM golang:1.11.4-stretch | ||
|
|
||
| RUN dpkg --add-architecture armel \ | ||
| && dpkg --add-architecture armhf \ | ||
| && dpkg --add-architecture arm64 \ | ||
| && dpkg --add-architecture ppc64el \ | ||
| && apt-get update && apt-get install -y \ | ||
| build-essential \ | ||
| curl \ | ||
| sudo \ | ||
| gawk \ | ||
| iptables \ | ||
| jq \ | ||
| pkg-config \ | ||
| libaio-dev \ | ||
| libcap-dev \ | ||
| libprotobuf-dev \ | ||
| libprotobuf-c0-dev \ | ||
| libnl-3-dev \ | ||
| libnet-dev \ | ||
| libseccomp2 \ | ||
| libseccomp-dev \ | ||
| libapparmor-dev \ | ||
| protobuf-c-compiler \ | ||
| protobuf-compiler \ | ||
| python-minimal \ | ||
| uidmap \ | ||
| kmod \ | ||
| crossbuild-essential-armel crossbuild-essential-armhf crossbuild-essential-arm64 crossbuild-essential-ppc64el \ | ||
| libseccomp-dev:armel libseccomp-dev:armhf libseccomp-dev:arm64 libseccomp-dev:ppc64el \ | ||
| --no-install-recommends \ | ||
| && apt-get clean | ||
|
|
||
| COPY . /go/src/github.com/opencontainers/runc | ||
| WORKDIR /go/src/github.com/opencontainers/runc | ||
| RUN for VER in v1.12.6 v1.13.1 v17.03.2 v17.06.2 v17.09.1 v17.12.1 v18.03.1 v18.06.1; do \ | ||
| git checkout release-${VER} && \ | ||
| for GOARCH in $(go env GOARCH); do \ | ||
| export GOARCH && \ | ||
| make BUILDTAGS="seccomp selinux apparmor" static && \ | ||
| mkdir -p dist && \ | ||
| mv runc dist/runc-${VER}-${GOARCH} \ | ||
| ; done ; done && \ | ||
| cd dist && \ | ||
| sha256sum * > sha256sum-${GOARCH}.txt |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| release: | ||
| docker build -t run-cve . | ||
| docker create --name run-cve run-cve | ||
| docker cp run-cve:/go/src/github.com/opencontainers/runc/dist . | ||
| docker rm -fv run-cve |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| CVE Builds for legacy docker-runc | ||
| --------------------------------- | ||
|
|
||
| This repo provides a backport of patches for CVE-2019-5736 for older versions of runc | ||
| that were packaged with Docker. | ||
|
|
||
| ## Build and Releases | ||
|
|
||
| Refer to the releases section of this repo for the binaries. In order to build yourself, | ||
| or build for different architectures, just run `make` and the binaries will end up in | ||
| `./dist`. | ||
|
|
||
| The binaries will be of the form runc-${VERSION}-${ARCHITECTURE} where VERSION is the | ||
| associated Docker version, not the version of runc. | ||
|
|
||
|
|
||
| ## Installing | ||
|
|
||
| To install, find the runc for you docker version, for example Docker 17.06.2 for amd64 | ||
| will be runc-v17.06.2-amd64. Then replace the docker-runc on your host with the patched | ||
| one. | ||
|
|
||
| ```bash | ||
| # Figure out where your docker-runc is, typically in /usr/bin/docker-runc | ||
| which docker-runc | ||
|
|
||
| # Backup | ||
| mv /usr/bin/docker-runc /usr/bin/docker-runc.orig.$(date -Iseconds) | ||
|
|
||
| # Copy file | ||
| cp runc-v17.06.2-amd64 /usr/bin/docker-runc | ||
|
|
||
| # Ensure it's executable | ||
| chmod +x /usr/bin/docker-runc | ||
|
|
||
| # Test it works | ||
| docker-runc -v | ||
| docker run -it --rm ubuntu echo OK | ||
| ``` |