release: github.com/cloudfoundry/garden-runc-release / 1.1.1

GitHub source: f5fbbf1e or master branch

Patches runC to address a security vulnerability (CVE-2016-9962). Garden never runs user processes as PID 1 (which the mentioned exploit relies on) and enables AppArmor (which prevents ptrace), but the patch also works around a kernel mis-ordering of operations that could very briefly expose a file descriptor (fd) in a container.

Upload this release version to the Director:

$ bosh upload-release "https://bosh.io/d/github.com/cloudfoundry/garden-runc-release?v=1.1.1" --sha1 6e50e37efbfbfcfa803d5d87a7a85a3073f69243

Modify the deployment manifest to use this release in addition to any other releases in use:

releases:
- name: garden-runc
  version: "1.1.1"

Finally, add the needed deployment jobs and specify values for the required properties.

Optionally, download the release tarball (sha1: 6e50e37efbfbfcfa803d5d87a7a85a3073f69243) locally:

# download it directly using curl...
$ curl -L -J -O "https://bosh.io/d/github.com/cloudfoundry/garden-runc-release?v=1.1.1"

# ...or with wget
$ wget --content-disposition "https://bosh.io/d/github.com/cloudfoundry/garden-runc-release?v=1.1.1"