[$] A container-confinement breakout

Post Syndicated from jake original https://lwn.net/Articles/781013/rss

The recently announced
container-confinement breakout for containers started with runc is interesting from
a few different perspectives.
For one, it affects more than just runc-based containers as privileged LXC-based containers (and likely
others) are also
affected, though the LXC-based variety are harder to compromise than the
runc ones.
But it also, once again, shows that privileged
containers are difficult—perhaps impossible—to create in a secure manner.
Beyond that, it
exploits some Linux kernel interfaces in novel ways and the fixes use a
perhaps lesser-known system call that was added to Linux less than five
years back.