6e3f7fbc07
The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction required is being able to run any command (it does not matter whether the command is attacker-controlled) as root within a container in either of these contexts:

* Creating a new container using an attacker-controlled image.
* Attaching (docker exec) into an existing container which the attacker previously had write access to.

For more details, see the advisory: https://www.openwall.com/lists/oss-security/2019/02/11/2

The fix for this issue uses fexecve(3), which isn't available on uClibc, so add a dependency on !uclibc to runc and propagate it to the reverse dependencies (containerd/docker-engine).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
config BR2_PACKAGE_DOCKER_ENGINE
	bool "docker-engine"
	# Host Go toolchain must be able to target this arch with cgo.
	depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS
	depends on BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS
	depends on BR2_TOOLCHAIN_HAS_THREADS
	depends on BR2_USE_MMU # docker-containerd
	# docker-containerd -> runc: runc's fix for the container-escape
	# that overwrites the host runc binary (oss-security 2019/02/11/2)
	# relies on fexecve(3), which uClibc does not provide. Dropping this
	# line would let a uClibc build ship an unfixed runc, so keep it in
	# sync with the "comment" entry at the end of this file.
	depends on !BR2_TOOLCHAIN_USES_UCLIBC # docker-containerd -> runc
	# Needed on the target at runtime, not only at build time.
	select BR2_PACKAGE_DOCKER_CONTAINERD # runtime dependency
	select BR2_PACKAGE_DOCKER_PROXY # runtime dependency
	select BR2_PACKAGE_IPTABLES # runtime dependency
	select BR2_PACKAGE_SQLITE # runtime dependency
	help
	  Docker is a platform to build, ship, and run applications as
	  lightweight containers.

	  The daemon needs docker-containerd (and through it runc),
	  docker-proxy, iptables and sqlite on the target at runtime, so
	  they are selected along with this option.

	  https://github.com/docker/docker
if BR2_PACKAGE_DOCKER_ENGINE

config BR2_PACKAGE_DOCKER_ENGINE_EXPERIMENTAL
	bool "build experimental features"
	help
	  Build docker-engine with its experimental features enabled.

config BR2_PACKAGE_DOCKER_ENGINE_DRIVER_BTRFS
	bool "btrfs filesystem driver"
	# Constraints inherited from btrfs-progs.
	depends on BR2_TOOLCHAIN_HAS_THREADS # btrfs-progs
	depends on BR2_USE_MMU # btrfs-progs
	select BR2_PACKAGE_BTRFS_PROGS
	help
	  Build the btrfs filesystem driver for Docker.

config BR2_PACKAGE_DOCKER_ENGINE_DRIVER_DEVICEMAPPER
	bool "devicemapper filesystem driver"
	# Constraints inherited from lvm2 (no static, no musl).
	depends on BR2_USE_MMU # lvm2
	depends on BR2_TOOLCHAIN_HAS_THREADS # lvm2
	depends on !BR2_STATIC_LIBS # lvm2
	depends on !BR2_TOOLCHAIN_USES_MUSL # lvm2
	select BR2_PACKAGE_LVM2
	select BR2_PACKAGE_LVM2_APP_LIBRARY
	help
	  Build the devicemapper filesystem driver for Docker.

config BR2_PACKAGE_DOCKER_ENGINE_DRIVER_VFS
	bool "vfs filesystem driver"
	# Constraints inherited from gvfs.
	depends on BR2_TOOLCHAIN_HAS_THREADS # gvfs
	depends on BR2_USE_MMU # gvfs
	depends on BR2_USE_WCHAR # gvfs
	# NOTE(review): gvfs is a GNOME userspace filesystem stack; nothing
	# in this file shows why Docker's vfs graph driver would need it,
	# and selecting it enlarges what gets installed on a container
	# host. Confirm the requirement before relying on this select.
	select BR2_PACKAGE_GVFS
	help
	  Build the vfs filesystem driver for Docker.

endif
# Hint shown in menuconfig whenever the docker-engine option above is
# unavailable because of the toolchain (no threads, or uClibc). The Go
# and MMU lines mirror the option's own dependencies so the hint only
# appears where the package could otherwise be built. uClibc is ruled
# out because the runc security fix uses fexecve(3), which it lacks.
comment "docker-engine needs a glibc or musl toolchain w/ threads"
	depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS
	depends on BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS
	depends on BR2_USE_MMU
	depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_TOOLCHAIN_USES_UCLIBC