1029fc9d1c
mount(2) will blindly follow symlinks, which is a problem because it allows a malicious container to trick runc into mounting /proc to an entirely different location (and thus within the attacker's control for a rename-exchange attack). This is just a hotfix (to "stop the bleeding"), and the more complete fix would be finish libpathrs and port runc to it (to avoid these types of attacks entirely, and defend against a variety of other /proc-related attacks). It can be bypased by someone having "/" be a volume controlled by another container. Fixes: CVE-2019-19921 Signed-off-by: Aleksa Sarai <asarai@suse.de> Signed-off-by: xiadanni1 <xiadanni1@huawei.com>
43 lines
944 B
RPMSpec
43 lines
944 B
RPMSpec
%global _bindir /usr/local/bin
|
|
|
|
Name: docker-runc
|
|
Version: 1.0.0.rc3
|
|
Release: 104
|
|
Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
|
|
|
|
License: ASL 2.0
|
|
Source: %{name}.tar.gz
|
|
|
|
URL: https://www.opencontainers.org/
|
|
Vendor: OCI
|
|
Packager: OCI
|
|
|
|
BuildRequires: golang >= 1.8.3 glibc-static make libseccomp-devel libseccomp-static libselinux-devel
|
|
|
|
%description
|
|
runc is a CLI tool for spawning and running containers according to the OCI specification.
|
|
|
|
%prep
|
|
%setup -c -n runc
|
|
|
|
%install
|
|
./apply-patch
|
|
|
|
mkdir -p .gopath/src/github.com/opencontainers
|
|
export GOPATH=`pwd`/.gopath
|
|
ln -sf `pwd` .gopath/src/github.com/opencontainers/runc
|
|
cd .gopath/src/github.com/opencontainers/runc
|
|
make BUILDTAGS="seccomp selinux" static
|
|
rm -rf .gopath
|
|
|
|
install -d $RPM_BUILD_ROOT/%{_bindir}
|
|
install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
|
|
|
|
%clean
|
|
%{__rm} -rf %{_bindir}/runc
|
|
|
|
%files
|
|
%{_bindir}/runc
|
|
|
|
%changelog
|