I don't bother reporting Linux vulns anymore. It takes too much effort for zero gain, zero compensation, zero recognition.
if moby gives containers GLOBAL_ROOT_UID and procfs access, blacklisting every dangerous file they know about, missing one, that's on them
just look at the commit you linked. they have a big blacklist of known ways to bypass their protections, and they missed one file.
the kernel has an API for giving containers fake root, and that is user namespaces. and if you don't want to use that, at least whitelist.
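The check that follows from the thread's point about user namespaces, as an added example that is not part of the original tweets: parse a process's `/proc/<pid>/uid_map` and report whether UID 0 inside the container is still UID 0 on the host (the `GLOBAL_ROOT_UID` case) or has been remapped to an unprivileged host range. The two sample maps are constructed, not captured from a real system.

```python
import os
import re

# Each /proc/<pid>/uid_map line has the form "<inside_start> <outside_start> <count>".
UID_MAP_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_uid_map(text):
    """Parse uid_map text into a list of (inside_start, outside_start, count) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = UID_MAP_LINE.match(line)
        if not m:
            raise ValueError(f"malformed uid_map line: {line!r}")
        entries.append(tuple(int(x) for x in m.groups()))
    return entries


def host_uid_for(entries, inside_uid):
    """Translate a UID seen inside the namespace to the host UID, or None if unmapped."""
    for inside_start, outside_start, count in entries:
        if inside_start <= inside_uid < inside_start + count:
            return outside_start + (inside_uid - inside_start)
    return None


def container_root_is_real_root(uid_map_text):
    """True when UID 0 inside the namespace is UID 0 on the host (no remapping)."""
    return host_uid_for(parse_uid_map(uid_map_text), 0) == 0


# Constructed samples (not captured from a real host):
# identity map of the whole UID space, i.e. a container whose root is host root
UNREMAPPED = "         0          0 4294967295\n"
# a --userns-remap style mapping: container root becomes host UID 100000
REMAPPED = "         0     100000      65536\n"


def check_self():
    """Read this process's own uid_map and report whether its root is host root."""
    with open("/proc/self/uid_map") as f:
        return container_root_is_real_root(f.read())


if __name__ == "__main__":
    print("unremapped sample is real root:", container_root_is_real_root(UNREMAPPED))
    print("remapped sample is real root:", container_root_is_real_root(REMAPPED))
    if os.path.exists("/proc/self/uid_map"):
        print("this process's root is host root:", check_self())
```

Run it inside a container to see whether that container's root was actually remapped; a `True` from `check_self()` means the procfs blacklist is all that stands between the container and the host.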