Affected by GO-2022-0390 and 17 other vulnerabilities:
GO-2022-0390: Moby (Docker Engine) started with non-empty inheritable Linux process capabilities in github.com/docker/docker
GO-2022-0630: Arbitrary Code Execution in Docker in github.com/docker/docker
GO-2022-0636: Man-in-the-Middle (MitM) in github.com/docker/docker
GO-2022-0640: Arbitrary Code Execution in github.com/docker/docker
GO-2022-0649: Symlink Attack in Libcontainer and Docker Engine in github.com/docker/docker
GO-2022-0705: Directory Traversal in Docker in github.com/docker/docker
GO-2022-0708: Arbitrary File Override in Docker Engine in github.com/docker/docker
GO-2022-0751: Path Traversal in Docker in github.com/docker/docker
GO-2022-0752: Privilege Escalation in Docker in github.com/docker/docker
GO-2022-0985: Docker supplementary group permissions not set up properly, allowing attackers to bypass primary group restrictions in github.com/docker/docker
GO-2022-1107: Container build can leak any path on the host into the container in github.com/docker/docker
GO-2024-2914: Moby (Docker Engine) is vulnerable to Ambiguous OCI manifest parsing in github.com/docker/docker
GO-2025-3829: Moby firewalld reload removes bridge network isolation in github.com/docker/docker
GO-2026-4883: Moby has an Off-by-one error in its plugin privilege validation in github.com/docker/docker
GO-2026-4887: Moby has AuthZ plugin bypass when provided oversized request bodies in github.com/docker/docker
GO-2026-5617: Docker: Race condition in docker cp allows bind mount redirection to host path in github.com/docker/docker
GO-2026-5668: Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap in github.com/docker/docker
GO-2026-5746: Docker: `PUT /containers/{id}/archive` executes container binary on the host in github.com/docker/docker
Init checks if the current process has been created by Spawn.
If not, it returns nil and the original program can continue
unmodified.
If so, it hijacks the process to run as a child worker controlled
by its parent over a beam connection, with f exposed as a remote
service. In this case Init never returns.
The hijacking process takes place as follows:
- Open file descriptor 3 as a beam endpoint. If this fails,
  terminate the current process.
- Start a new engine.
- Call f.Install on the engine. Any handlers registered
  will be available for remote invocation by the parent.
- Listen for beam messages from the parent and pass them to
  the handlers.
- When the beam endpoint is closed by the parent, terminate
  the current process.
NOTE: Init must be called at the beginning of the same program
calling Spawn. This is because Spawn approximates a "fork" by
re-executing the current binary - where it expects spawn.Init
to intercept the control flow and execute the worker code.
Spawn starts a new Engine in a child process and returns
a proxy Engine through which it can be controlled.
The commands available on the child engine are determined
by an earlier call to Init. It is important that Init be
called at the very beginning of the current program - this
allows it to be called as a re-execution hook in the child
process.
Long story short, if you want to expose `myservice` in a child
process, do this:
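As an added illustration of the contract described above (not the package's own code): an Init that, when the process was re-executed by Spawn, hijacks it into a worker serving commands over fd 3 and never returns, and a Spawn that re-executes os.Args[0] with one end of a socketpair installed as the child's fd 3. It assumes Linux, a newline-delimited request/reply protocol standing in for beam, a SPAWN_WORKER marker variable to distinguish a re-execution from a normal start, and a plain map of handler functions standing in for engine.Installer.

```go
package main

import (
	"bufio"
	"net"
	"os"
	"os/exec"
	"strings"
	"syscall"
)

// dispatch parses one command line ("name arg1 arg2") and runs its handler;
// the handler map stands in for the Installer f that the text passes to Init.
func dispatch(line string, handlers map[string]func([]string) string) string {
	name, rest, _ := strings.Cut(strings.TrimSpace(line), " ")
	if h, ok := handlers[name]; ok {
		return h(strings.Fields(rest))
	}
	return "error: unknown command " + name
}
// Init must be the first call in main; in a Spawn-created worker it never returns.
// SPAWN_WORKER (this example's marker) tells a re-execution from a normal start,
// so an unrelated inherited fd 3 alone cannot hijack the program.
func Init(handlers map[string]func([]string) string) {
	if os.Getenv("SPAWN_WORKER") != "1" {
		return
	}
	conn, err := net.FileConn(os.NewFile(3, "beam")) // fd 3 must be a socket
	if err != nil {
		os.Exit(1)
	}
	for sc := bufio.NewScanner(conn); sc.Scan(); { // ends when the parent closes
		conn.Write([]byte(dispatch(sc.Text(), handlers) + "\n"))
	}
	os.Exit(0)
}
// Spawn approximates fork: re-execute os.Args[0] with a socketpair end as its fd 3
// and hand the parent the other end to drive the worker over (Linux only).
func Spawn() (net.Conn, error) {
	// CLOEXEC keeps the parent's end out of the child; dup onto fd 3 clears it there.
	fds, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM|syscall.SOCK_CLOEXEC, 0)
	if err != nil {
		return nil, err
	}
	parentEnd, childEnd := os.NewFile(uintptr(fds[0]), "p"), os.NewFile(uintptr(fds[1]), "c")
	defer func() { parentEnd.Close(); childEnd.Close() }() // FileConn and the child hold dups
	cmd := exec.Command(os.Args[0])
	cmd.Env = append(os.Environ(), "SPAWN_WORKER=1")
	cmd.ExtraFiles = []*os.File{childEnd} // ExtraFiles[0] becomes fd 3 in the child
	if err := cmd.Start(); err != nil {
		return nil, err
	}
	return net.FileConn(parentEnd) // dups parentEnd; the deferred Close drops ours
}
```

A program using this calls Init(handlers) as the first statement of main, exactly as the NOTE above requires, and only then calls Spawn to obtain the connection to its worker.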