kumquat-buildroot/package/runc/runc.mk
Peter Korsgaard d6706dc430 runc: security bump to fix CVE-2016-9962
RunC allowed additional container processes via runc exec to be ptraced by
the pid 1 of the container.  This allows the main processes of the
container, if running as root, to gain access to file-descriptors of these
new processes during the initialization and can lead to container escapes or
modification of runC state before the process is fully placed inside the
container.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-01-23 19:07:48 +11:00


################################################################################
#
# runc
#
################################################################################
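# Pinned to a full upstream commit (not a branch or tag) so the fetched
# source is reproducible; per the commit message this is the commit that
# carries the CVE-2016-9962 fix.
RUNC_VERSION = 50a19c6ff828c58e5dab13830bd3dacde268afe5
RUNC_SITE = $(call github,opencontainers,runc,$(RUNC_VERSION))
RUNC_LICENSE = Apache-2.0
RUNC_LICENSE_FILES = LICENSE
RUNC_DEPENDENCIES = host-go

# Recursive assignment is required here: $(@D) only has a value while a
# rule for this package is running. The value is a bare path; it is quoted
# at the point where the shell sees it (RUNC_MAKE_ENV), not here, so the
# variable can also be used unquoted in recipes and Make functions.
RUNC_GOPATH = $(@D)/Godeps/_workspace

# Environment for the host Go toolchain. cgo is required for the
# libseccomp binding selected via RUNC_GOTAGS below; GOPATH points at the
# vendored workspace that RUNC_CONFIGURE_CMDS symlinks the source into.
RUNC_MAKE_ENV = $(HOST_GO_TARGET_ENV) \
	CGO_ENABLED=1 \
	GOBIN="$(@D)/bin" \
	GOPATH="$(RUNC_GOPATH)" \
	PATH=$(BR_PATH)

# Embed the pinned commit in the binary (main.gitCommit) so a deployed
# runc can be matched back to the exact source it was built from.
RUNC_GLDFLAGS = \
	-X main.gitCommit=$(RUNC_VERSION)

# Fully static binary when the target has no shared libraries; the flag is
# handed through cgo to the external linker.
ifeq ($(BR2_STATIC_LIBS),y)
RUNC_GLDFLAGS += -extldflags '-static'
endif

RUNC_GOTAGS = cgo static_build

# seccomp filtering is compiled in only when libseccomp is selected; a runc
# built without this tag presumably cannot enforce the seccomp profiles in
# container configs — confirm against the runc revision above.
ifeq ($(BR2_PACKAGE_LIBSECCOMP),y)
RUNC_GOTAGS += seccomp
RUNC_DEPENDENCIES += libseccomp host-pkgconf
endif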
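# Go resolves the package by its import path inside GOPATH, so expose the
# unpacked source there via a symlink instead of copying it.
# -snf makes the step idempotent: a plain `ln -s` fails when the link
# already exists or, because the existing link points at a directory,
# silently creates a nested `runc` link inside $(@D) when configure is
# re-run (e.g. after runc-reconfigure).
define RUNC_CONFIGURE_CMDS
	mkdir -p $(RUNC_GOPATH)/src/github.com/opencontainers
	ln -snf $(@D) $(RUNC_GOPATH)/src/github.com/opencontainers/runc
endef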
# Build the runc binary with the host Go toolchain. `cd` is chained with
# && so the build runs from inside the source tree (which is also the
# package's import path, see RUNC_CONFIGURE_CMDS) and a failed cd aborts
# the step instead of building in the wrong directory.
define RUNC_BUILD_CMDS
	cd $(@D) && $(RUNC_MAKE_ENV) $(HOST_DIR)/usr/bin/go build -v \
		-tags "$(RUNC_GOTAGS)" \
		-ldflags "$(RUNC_GLDFLAGS)" \
		-o $(@D)/bin/runc .
endef
# Install the built binary as a plain executable (mode 0755, no setuid
# bit); -D creates $(TARGET_DIR)/usr/bin if it does not exist yet.
define RUNC_INSTALL_TARGET_CMDS
	$(INSTALL) -m 0755 -D $(@D)/bin/runc $(TARGET_DIR)/usr/bin/runc
endef
# Hook the RUNC_* variables and command macros above into buildroot's
# generic package infrastructure (download, extract, configure, build,
# install), which also provides the per-step stamp files.
$(eval $(generic-package))