Metarget / metarget

Metarget is a framework providing automatic constructions of vulnerable infrastructures.
Apache License 2.0

cve-2019-16884 can't work because of the wrong runc version #89

Open terenceli opened 2 years ago

terenceli commented 2 years ago

While reproducing CVE-2019-16884, I found that it can't work. After digging into this, it seems the runc version is wrong. When I reproduced this issue following https://github.com/opencontainers/runc/issues/2128 I got the following error:

cannot be mounted because it is located inside \\\\"/proc\\\\

The runc version for this issue is docker-ce 18.03.1 (runc 1.0.0-rc5).

If we use runc 1.0.0-rc6, it can work.

The reason that runc 1.0.0-rc6 can work is this change (linux: drop check for /proc as invalid dest): https://github.com/opencontainers/runc/commit/636b664027293628bbb59a58e7ec5d4cd567affb

So this issue can only be triggered after 1.0.0-rc6.

I don't know the relation between the docker-ce version and the runc version.

Maybe we need to download runc and replace the docker-ce shipped runc.

Thanks, Li Qiang
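
The version boundary reported above can be checked mechanically before an environment is built. The following is an added example, not part of the original issue or of Metarget's code: it parses `runc --version` output and tests it against the 1.0.0-rc6 lower bound named in the issue. The function names, the sample outputs and the assumed `runc version X` first-line format are assumptions made for illustration.

```python
import re

# Lower bound taken from the issue: the /proc destination check was dropped in rc6.
ISSUE_MINIMUM = "1.0.0-rc6"

# Matches 1.0.0, 1.0.0-rc5, 1.0.0-rc10; any build suffix after the rc number is ignored.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?")


def parse_runc_version(text):
    """Return a sortable key (major, minor, patch, rc) from a bare version
    string or from multi-line `runc --version` output."""
    # Prefer the "runc version ..." line so the "spec:" line is never picked up.
    for line in text.splitlines():
        if line.strip().lower().startswith("runc version"):
            text = line
            break
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no runc version found in {text!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    # A final release has no rc part and must sort after every release candidate.
    rc = int(m.group(4)) if m.group(4) else float("inf")
    return (major, minor, patch, rc)


def meets_issue_minimum(version_text):
    """True if the runc version is at or after 1.0.0-rc6. Only the lower bound
    stated in the issue is checked; the issue gives no upper bound."""
    return parse_runc_version(version_text) >= parse_runc_version(ISSUE_MINIMUM)


# Constructed sample outputs (commit ids are placeholders, not real values).
SAMPLE_RC5 = "runc version 1.0.0-rc5\ncommit: <placeholder>\nspec: 1.0.0\n"
SAMPLE_RC6 = "runc version 1.0.0-rc6\ncommit: <placeholder>\nspec: 1.0.1-dev\n"

if __name__ == "__main__":
    for label, out in (("docker-ce 18.03.1 bundle", SAMPLE_RC5),
                       ("replacement runc", SAMPLE_RC6)):
        verdict = "meets" if meets_issue_minimum(out) else "is below"
        print(f"{label}: {verdict} the {ISSUE_MINIMUM} minimum")
```

The release-candidate number is compared numerically, so a two-digit rc sorts after rc6 instead of before it as a plain string comparison would.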