and yes, this does work on docker 19.03.1 from 2 weeks ago pic.twitter.com/id4FhIvylb
Just to check, does this only work if you add CAP_SYS_ADMIN, or would it work with Docker's default capability set?
only w/ adding cap_sys_admin properly b/c docker's seccomp blocks bpf(2) otherwise. it also needs cap_sys_admin to run though, so just enabling bpf(2) directly (i.e. disable seccomp) would not work. that'd be a (one hell of a) real cve on linux if it were possible though. :p
To be certain: prevented if Docker’s default was unprivileged?
And sysfs should be r/o, and docker default apparmor blocks the mount syscall.
Don’t reply here, that’d spoil the fun, just thinking out loud 
By default this doesn't work. CAP_SYS_ADMIN is a wide-ranging capability, hence the name.
Does the JIT need to be enabled or not?
it does (should) not have anything to do with this. though i guess it might be slower w/o it. ;)
Did this talk ever get recorded? Is the video up somewhere?
def con hasn't uploaded it yet. only a few dc27 talks have been uploaded so far.
when is your talk? I'd love to stop by and see it :)
friday @ 11am, track 4