A byline in a CVE or an advisory isn't enough for months of wrangling to get people to even care.
Just look at the commit you linked. They have a big blacklist of known ways to bypass their protections, and they missed one file.
The kernel has an API for giving containers fake root, and that is user namespaces. And if you don't want to use that, at least whitelist.
The sysctls are an exception, yes, but there are many other files in proc that check CAP_SYS_ADMIN.
I am responsible for them blocking /proc/sched_debug
I'm responsible for several of them as well. Docker should block them; the kernel too.