by d33 3329 days ago
That's pretty interesting. Does it mean it allows escaping Docker containers if you compromise a service run as root in it?

As a rule of thumb, an attacker can ALWAYS escape from Docker containers.

These containers are a light way to separate processes. They are not intended as a security measure to isolate malicious processes that try to escape.

No, Docker usually drops CAP_NET_RAW within the container. But you can change that and other container technologies definitely keep CAP_NET_RAW within the container.
Not true. CAP_NET_RAW is on by default: https://github.com/moby/moby/blob/master/oci/defaults_linux....

Otherwise no one could ping from a container.

Thanks for the correction.
BTW: Depending on the configuration you can create a new namespace within Docker to gain CAP_NET_RAW since namespaces can nest.
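The thread disputes whether a container process actually holds CAP_NET_RAW. The following is an added example, not code from any poster, that settles the question for a given process by decoding the Cap* masks Linux exposes in /proc/&lt;pid&gt;/status. The two sample status texts are constructed; the mask a80425fb is the default capability set Docker applies, and a80405fb is that set with NET_RAW (capability number 13) cleared.

```python
"""Report whether CAP_NET_RAW is present in a process's capability sets."""
import re

CAP_NET_RAW = 13  # capability number from <linux/capability.h>


def has_cap(mask_hex, cap=CAP_NET_RAW):
    """Return True if capability bit `cap` is set in a hex mask from /proc."""
    return (int(mask_hex, 16) >> cap) & 1 == 1


def caps_from_status(status_text):
    """Extract every Cap*: <hex> line from /proc/<pid>/status text."""
    return dict(re.findall(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", status_text, re.M))


def net_raw_report(status_text):
    """Map the permitted, effective and bounding sets to a NET_RAW yes/no."""
    caps = caps_from_status(status_text)
    return {name: has_cap(caps[name])
            for name in ("CapPrm", "CapEff", "CapBnd") if name in caps}


def check_self():
    """Decode the calling process's own status (Linux only)."""
    with open("/proc/self/status") as f:
        return net_raw_report(f.read())


# Constructed sample: root shell in a default `docker run` container.
SAMPLE_DEFAULT = (
    "Name:\tsh\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\n"
)
# Constructed sample: the same container started with --cap-drop NET_RAW.
SAMPLE_DROPPED = SAMPLE_DEFAULT.replace("a80425fb", "a80405fb")

if __name__ == "__main__":
    print("default docker:", net_raw_report(SAMPLE_DEFAULT))
    print("NET_RAW dropped:", net_raw_report(SAMPLE_DROPPED))
```

Running `check_self()` inside a container shows whether the bounding set still carries NET_RAW, which is what matters for a process that re-enters a new namespace as the last comment describes.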