[$] Progress for unprivileged containers

Post syndicated from the original: https://lwn.net/Articles/909627/

Over the past few years, there has been quite a bit of progress in the various
kernel features that can be used to create containers without requiring
privileges. Most containers today still run as root, which means that a
vulnerability allowing an escape from the container can result in compromise of
the whole system. Stéphane Graber gave a talk at the 2022 Linux Security Summit
Europe (LSS EU) to fill in some of the details of the work that he and others
have been doing to run containers as unprivileged code.