kumquat-buildroot/package/docker-engine/Config.in
Peter Korsgaard 6e3f7fbc07 package/runc: add upstream security fix for CVE-2019-5736
The vulnerability allows a malicious container to (with minimal user
interaction) overwrite the host runc binary and thus gain root-level
code execution on the host. The level of user interaction is being able
to run any command (it doesn't matter if the command is not
attacker-controlled) as root within a container in either of these
contexts:

  * Creating a new container using an attacker-controlled image.
  * Attaching (docker exec) into an existing container which the
    attacker had previous write access to.

For more details, see the advisory:

https://www.openwall.com/lists/oss-security/2019/02/11/2

The fix for this issue uses fexecve(3), which isn't available on uClibc, so
add a dependency on !uclibc to runc and propagate to the reverse
dependencies (containerd/docker-engine).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-02-12 20:04:14 +01:00

58 lines
1.9 KiB
Plaintext

config BR2_PACKAGE_DOCKER_ENGINE
bool "docker-engine"
depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS
depends on BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS
depends on BR2_TOOLCHAIN_HAS_THREADS
depends on !BR2_TOOLCHAIN_USES_UCLIBC # docker-containerd -> runc
depends on BR2_USE_MMU # docker-containerd
select BR2_PACKAGE_DOCKER_CONTAINERD # runtime dependency
select BR2_PACKAGE_DOCKER_PROXY # runtime dependency
select BR2_PACKAGE_IPTABLES # runtime dependency
select BR2_PACKAGE_SQLITE # runtime dependency
help
Docker is a platform to build, ship,
and run applications as lightweight containers.
https://github.com/docker/docker
if BR2_PACKAGE_DOCKER_ENGINE
config BR2_PACKAGE_DOCKER_ENGINE_EXPERIMENTAL
bool "build experimental features"
config BR2_PACKAGE_DOCKER_ENGINE_DRIVER_BTRFS
bool "btrfs filesystem driver"
depends on BR2_USE_MMU # btrfs-progs
depends on BR2_TOOLCHAIN_HAS_THREADS # btrfs-progs
select BR2_PACKAGE_BTRFS_PROGS
help
Build the btrfs filesystem driver for Docker.
config BR2_PACKAGE_DOCKER_ENGINE_DRIVER_DEVICEMAPPER
bool "devicemapper filesystem driver"
depends on BR2_TOOLCHAIN_HAS_THREADS # lvm2
depends on BR2_USE_MMU # lvm2
depends on !BR2_STATIC_LIBS # lvm2
depends on !BR2_TOOLCHAIN_USES_MUSL # lvm2
select BR2_PACKAGE_LVM2
select BR2_PACKAGE_LVM2_APP_LIBRARY
help
Build the devicemapper filesystem driver for Docker.
config BR2_PACKAGE_DOCKER_ENGINE_DRIVER_VFS
bool "vfs filesystem driver"
depends on BR2_USE_WCHAR # gvfs
depends on BR2_USE_MMU # gvfs
depends on BR2_TOOLCHAIN_HAS_THREADS # gvfs
select BR2_PACKAGE_GVFS
help
Build the vfs filesystem driver for Docker.
endif
comment "docker-engine needs a glibc or musl toolchain w/ threads"
depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS
depends on BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS
depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_TOOLCHAIN_USES_UCLIBC
depends on BR2_USE_MMU