It only got fixed because I persisted AND personally knew important stakeholders through my work at Docker.
really? you need GLOBAL_ROOT_UID access for it, no? and with that, you can do all sorts of fun things in procfs, like messing with sysctls
if moby gives containers GLOBAL_ROOT_UID and procfs access, blacklisting every dangerous file they know about, missing one, that's on them
just look at the commit you linked. they have a big blacklist of known ways to bypass their protections, and they missed one file.