Nice work! A rogue image can still exploit a static runc as it calls out to `criu` when doing the restore command, which can be replaced in the image and perform the same attack
-
-
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
Yea, we wonder now when they will release a working thing. "Patched" version is broken as I reported yesterday… Guess
#docker guys don't care..Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
"To be clear: this causes the original docker-runc process to re-execute into a new docker-runc running within the container (but using the host binary)." - Why is it executing the *host binary*? I imagine by the time it is calling execve, it's in the guest filesystem
-
so /proc/self/exe will point to a binary in the guest filesystem, whether it exists or not
- 2 more replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.