@strigazi
Last active February 12, 2019 22:42
[root@strigazi-fa-01 fedora]# sha256sum /usr/bin/runc
32ef8e0ae2b98dd0aab3e92699cac3d99894287f94e0887c5d23dc10c7b438b8 /usr/bin/runc
[root@strigazi-fa-01 fedora]# docker run gitlab-registry.cern.ch/strigazi/containers/cve-2019-5736-poc
...
Status: Downloaded newer image for gitlab-registry.cern.ch/strigazi/containers/cve-2019-5736-poc:latest
HAX2: argv: /proc/self/fd/3
HAX2: fd: -1
HAX2: res: -1, 9
[root@strigazi-fa-01 fedora]# strings /usr/bin/runc | tail -n 3
.text
.fini_array
.init_array
[root@strigazi-fa-01 fedora]# sha256sum /usr/bin/runc
32ef8e0ae2b98dd0aab3e92699cac3d99894287f94e0887c5d23dc10c7b438b8 /usr/bin/runc
[root@strigazi-fa-01 fedora]# cat /var/log/audit/audit.log | grep -i denied
type=AVC msg=audit(1550011037.350:377): avc: denied { append } for pid=1546 comm="stage2" name="docker-runc-current" dev="dm-0" ino=8448766 scontext=system_u:system_r:container_t:s0:c666,c793 tcontext=system_u:object_r:container_runtime_exec_t:s0 tclass=file permissive=0
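The session above is a before/after check of a host against the CVE-2019-5736 runc PoC: hash /usr/bin/runc, run the PoC container, hash again and read the audit log. The PoC's `HAX2: fd: -1` / `res: -1, 9` output means its open of `/proc/self/fd/3` failed with errno 9 (EBADF), the `strings` output still ends with ordinary ELF section names, the hash is unchanged, and the AVC line shows why: a process in the `container_t` domain (`comm="stage2"`) was denied `append` on a file of type `container_runtime_exec_t` (the runc binary, `docker-runc-current`) with SELinux enforcing (`permissive=0`). The script below is an added example, not part of the gist, that turns those manual steps into repeatable checks. The helper names (`record_hash`, `hash_unchanged`, `runc_overwrite_denials`, `demo`) are hypothetical, and the audit lines it feeds itself are constructed (the first is copied from the session above, the second is a benign unrelated denial).

```shell
#!/bin/sh
# Added example (not from the gist): automate the runc integrity and
# SELinux audit checks shown in the session. Helper names are hypothetical.
set -eu

# Record the SHA-256 of a binary so a later run can detect modification.
record_hash() {   # record_hash <binary> <statefile>
    sha256sum "$1" | awk '{print $1}' > "$2"
}

# Return 0 if the binary still matches the recorded hash, 1 if it changed.
# A changed runc hash after running an untrusted container is the
# CVE-2019-5736 symptom the session checked for with sha256sum.
hash_unchanged() {   # hash_unchanged <binary> <statefile>
    cur=$(sha256sum "$1" | awk '{print $1}')
    [ "$cur" = "$(cat "$2")" ]
}

# Print AVC denials where a container-domain process (container_t) was
# refused write/append on the container runtime executable type
# (container_runtime_exec_t). This is exactly the event in the session:
# the PoC trying to overwrite docker-runc-current via /proc/self/fd.
runc_overwrite_denials() {   # runc_overwrite_denials <audit.log>
    grep -E 'avc: +denied +\{ (write|append) \}' "$1" \
      | grep 'scontext=[^ ]*:container_t:' \
      | grep 'tcontext=[^ ]*:container_runtime_exec_t:'
}

# Demonstration on constructed data: a fake "runc" file plus two audit
# lines (the first copied from the session, the second an unrelated denial).
demo() {
    tmp=$(mktemp -d)
    printf 'fake runc binary\n' > "$tmp/runc"
    record_hash "$tmp/runc" "$tmp/runc.sha256"
    cat > "$tmp/audit.log" <<'EOF'
type=AVC msg=audit(1550011037.350:377): avc: denied { append } for pid=1546 comm="stage2" name="docker-runc-current" dev="dm-0" ino=8448766 scontext=system_u:system_r:container_t:s0:c666,c793 tcontext=system_u:object_r:container_runtime_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1550011040.100:380): avc: denied { read } for pid=1600 comm="cat" name="shadow" dev="dm-0" ino=1234 scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
EOF
    hash_unchanged "$tmp/runc" "$tmp/runc.sha256" && echo "runc unchanged (as in the session)"
    echo "denied overwrite attempts on the runtime binary:"
    runc_overwrite_denials "$tmp/audit.log"
    # Simulate what a successful exploit would leave behind (SELinux absent
    # or permissive): the binary is rewritten, so the hash no longer matches.
    printf '#!/proc/self/exe\n' >> "$tmp/runc"
    hash_unchanged "$tmp/runc" "$tmp/runc.sha256" || echo "runc MODIFIED: reinstall runc and treat the host as compromised"
    rm -rf "$tmp"
}

demo
```

On a real host, run `record_hash /usr/bin/runc /var/lib/runc.sha256` from a known-good package install (compare against the distro's package checksum, e.g. `rpm -V runc`), and point `runc_overwrite_denials` at `/var/log/audit/audit.log`. A denial with `permissive=0` means the write was blocked; the same line with `permissive=1` means it was logged but allowed, and the hash check is then the only thing telling you whether runc was replaced.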