
Docker Integration


The procedure for integrating Polymorphing for Linux into a Docker image is very similar to the process for installing Polymorphing for Linux on any of our supported distributions. You still use our installation script to add our repositories to your package manager's list of repositories, then reinstall your packages.

The one main difference is where the installation command is located.

Recommended approach

For a Docker container there are several places you could insert our installation script: in docker-compose.yml, in the Dockerfile's ENTRYPOINT or CMD instructions, or in a RUN instruction in the Dockerfile.

We recommend the RUN command, since it's run once, during build time. This means that from build time onwards, your image will be protected. Replacing all the binaries on an image can also take time, so instead of replacing them when the container is started, it’s more efficient to do it at build time.

There are two parts to installing Polymorphing for Linux:

  1. Adding our repositories
  2. Replacing your binaries

The advantage to simply adding our repositories to your package manager's list is that if something goes wrong, it won't disrupt your workflow. The package manager will just go to the next repository on the list, and download binaries as usual. With the idea of being fault-tolerant, we recommend wrapping the command that replaces the binaries in a conditional to ensure that if something goes wrong during the install process, the entire command doesn’t return a non-zero result. This ensures that Polymorphing isn’t a hard dependency and operations remain unaffected.

The command to add Polymorphing to a supported distro would look like this:

Note: Replace the demo auth key with your own, user-specific auth key.


# apk-based image (Alpine)
RUN curl -s <installation script URL> | sh -s install <Your auth key here>; \
if [ $? -eq 0 ]; then \
apk update && apk upgrade --no-cache --available && sed -in 's/^#//g' /etc/apk/repositories && apk update; \
fi


# yum-based image, reinstalling only from the polyverse repositories
RUN curl -s <installation script URL> | sh -s install <Your auth key here>; \
if [ $? -eq 0 ]; then \
yum update -y && yum reinstall --disablerepo \* --enablerepo polyverse* -y \*; \
fi

Red Hat

RUN curl -s <installation script URL> | sh -s install <Your auth key here>; \
if [ $? -eq 0 ]; then \
yum update -y && yum reinstall -y \*; \
fi


# zypper-based image: force-reinstall every installed package
RUN curl -s <installation script URL> | sh -s install <Your auth key here>; \
if [ $? -eq 0 ]; then \
zypper -n --gpg-auto-import-keys update && zypper -n install --auto-agree-with-licenses --no-recommends -f $(zypper -n search --installed-only --type package -v | grep "^i.*|" | sed "s/\s//g" | awk -F\| "{print \$2}"); \
fi


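# apt-based image: upgrade, then replace the installed ELF binaries
RUN curl -s <installation script URL> | sh -s install <Your auth key here>; \
if [ $? -eq 0 ]; then \
apt -y update && apt -y upgrade && \
curl <script URL> | bash -s replace-installed-elf; \
fi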

This code can also easily be added to a script run by the RUN command.

Code breakdown

The code presented here is relatively straightforward, but let's look at what's going on.

The first part is simply our installation command, which is identical between distros:

curl -s <installation script URL> | sh -s install <Your auth key here>

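Next is the conditional. This checks the exit code from the install script: $? holds the exit status of the last command in the pipeline, which is the sh process running the script, not curl. This ensures that if anything goes wrong on our end, your deployment process is unaffected: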

if [ $? -eq 0 ]; then \

Lastly, within the conditional is the reinstall command. This varies from distro to distro, and can also be found in the documentation for your particular distro.
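
The conditional described above, written as a script that a RUN command can call. This is an added example, not Polyverse's code. It downloads the installer to a file before running it, so a failed or empty download is caught, and it always returns 0 so the build continues. The function name, the POLY_STATUS variable and the fetch/reinstall command strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: fault-tolerant Polymorphing install for a Dockerfile RUN step.
# Hypothetical names: polymorph_soft_install, POLY_STATUS.
# Dockerfile usage (placeholders as on this page):
#   COPY polymorph.sh /tmp/polymorph.sh
#   RUN . /tmp/polymorph.sh && polymorph_soft_install \
#       'curl -fsS <installation script URL>' '<Your auth key here>' 'yum reinstall -y \*'

POLY_STATUS=""   # fetch-failed | empty-script | install-failed | reinstall-failed | ok

polymorph_soft_install() {
    fetch_cmd=$1        # command that prints the installer script to stdout
    auth_key=$2         # passed to the installer as in "sh -s install <key>"
    reinstall_cmd=$3    # the reinstall command for your distro
    tmp=$(mktemp) || { POLY_STATUS=fetch-failed; return 0; }

    # In "curl | sh" the pipeline status is sh's, so a failed download
    # (empty stdin) looks like success. Fetch to a file and check each step.
    if ! sh -c "$fetch_cmd" > "$tmp" 2>/dev/null; then
        POLY_STATUS=fetch-failed
    elif [ ! -s "$tmp" ]; then
        POLY_STATUS=empty-script
    elif ! sh "$tmp" install "$auth_key"; then
        POLY_STATUS=install-failed
    elif ! sh -c "$reinstall_cmd"; then
        POLY_STATUS=reinstall-failed
    else
        POLY_STATUS=ok
    fi

    rm -f "$tmp"
    # Record the outcome in the build log; never fail the build.
    echo "polymorphing: $POLY_STATUS" >&2
    return 0
}
```

Search the build log for the "polymorphing:" line to confirm the image was actually rebuilt with polymorphed packages, since the step itself never fails.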


Verifying your image is essentially the same as verifying Polymorphing on any other Linux system. Just start a container using an interactive terminal:

docker run --rm -it <image name>

Or, connect to a running container:

docker exec -it <container name> /bin/bash

At that point, you can use any of the methods from the verification section as usual.


Uninstallation is simple. Just remove the code added to the RUN command, and rebuild your image.
