---
# Rung 1 (docker). One privileged container plays the inner Linux "host"
# that runs the vulnerable runc 1.1.13. The CVE makes runc create an inode
# on this container's own filesystem (the inner host), outside the rootfs
# of any container it launches. Nothing is published to the real host:
# the exploiter and the verifier drive everything through `docker exec`.
#
# Note on the trust boundary: with `privileged: true`, `cgroup: host` and the
# unconfined seccomp/AppArmor profiles below, this container is not an
# isolation boundary for the Docker host itself, so the Docker host is part
# of the lab's blast radius (a throwaway VM or CI runner is the natural fit).
services:
  innerhost:
    image: cve-2024-45310-innerhost:1.1.13
    container_name: cve-2024-45310-innerhost
    build:
      context: .
      dockerfile: Dockerfile
    # The nested runc needs full privileges (and no default seccomp/AppArmor
    # profile) to create namespaces, cgroups and mounts for the container it
    # launches.
    privileged: true
    security_opt:
      - seccomp=unconfined
      - apparmor=unconfined
    # Share the host cgroup namespace so the nested launch has the cgroup
    # machinery available. `cgroup` is a Compose-spec attribute; confirm the
    # Compose version in use supports it.
    cgroup: host
    # Fresh tmpfs for runtime state under /run.
    tmpfs:
      - /run
    # Ready once the vulnerable runc answers and the backing directory the
    # scenario relies on exists.
    healthcheck:
      test:
        - CMD
        - sh
        - -c
        - '/usr/local/sbin/runc --version >/dev/null && test -d /srv/share-backing'
      interval: 5s
      timeout: 5s
      retries: 5
      start_period: 5s