by tssuser 2688 days ago
Privileged containers in docker have a different meaning [1]. A lot of work has gone into trying to harden the default docker container options against container escape, even when the process is running as root. This includes dropping some capabilities, blocking syscalls with seccomp, shadowing sensitive procfs and sysfs paths, hiding most devices, and some LSM hardening [2]. Even with all that it is far more effective to just run as non-root, but hopefully that gives some context for why vulnerabilities like this are treated as high severity.

[1] https://docs.docker.com/engine/reference/commandline/run/#fu...
[2] https://docs.docker.com/engine/security/non-events/
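The comment's first hardening item, dropping capabilities, is easy to verify from inside a running container: the kernel reports the effective capability set of a process as a hex bitmask in the `CapEff:` line of `/proc/self/status`. The helper below is an added example (not code from the comment, the thread, or Docker) that decodes that mask into capability names and lists which capabilities a default Docker root process lacks compared with unconfined root. Assumptions: capability numbering follows the kernel's `capability.h` (stable up to bit 40); the reference mask `000001ffffffffff` stands for unconfined root on a kernel with 41 capabilities; the sample `/proc/self/status` excerpt is constructed, with a `CapEff` value matching Docker's documented default capability set.

```python
#!/usr/bin/env python3
"""Decode the CapEff bitmask from /proc/<pid>/status and show which
capabilities a container process has lost relative to unconfined root.

Added example, not taken from the HN comment or from Docker. Capability
bit numbers follow include/uapi/linux/capability.h (bits 0..40)."""

# Index in this list == capability bit number in the kernel.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Assumed reference: every capability bit 0..40 set, i.e. unconfined root.
UNCONFINED_ROOT = "000001ffffffffff"

# Constructed /proc/self/status excerpt; the CapEff value matches the
# default set Docker grants a root process (no --privileged, no --cap-add).
SAMPLE_STATUS = """Name:\tsh
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
Seccomp:\t2
"""


def read_cap_eff(status_text: str) -> str:
    """Return the hex CapEff field from a /proc/<pid>/status dump."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("CapEff line not found")


def decode_caps(hex_mask: str) -> set:
    """Map a CapEff hex bitmask to the set of capability names it grants."""
    mask = int(hex_mask, 16)
    names = set()
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            # Bits beyond the table (newer kernels) are reported by number.
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


def dropped_caps(hex_mask: str, reference: str = UNCONFINED_ROOT) -> set:
    """Capabilities present in the reference set but absent from hex_mask."""
    return decode_caps(reference) - decode_caps(hex_mask)


def report(status_text: str) -> dict:
    """Summarise a status dump: what is kept and what the runtime dropped."""
    cap_eff = read_cap_eff(status_text)
    return {
        "cap_eff": cap_eff,
        "kept": sorted(decode_caps(cap_eff)),
        "dropped": sorted(dropped_caps(cap_eff)),
    }


if __name__ == "__main__":
    # On a real container replace SAMPLE_STATUS with open("/proc/self/status").read()
    summary = report(SAMPLE_STATUS)
    print("CapEff:", summary["cap_eff"])
    print("kept   :", ", ".join(summary["kept"]))
    print("dropped:", ", ".join(summary["dropped"]))
```

Running it against the sample shows the 14 capabilities Docker keeps for root (CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE, NET_RAW, SYS_CHROOT, MKNOD, AUDIT_WRITE, SETFCAP) and the ones it drops, including CAP_SYS_ADMIN, CAP_SYS_PTRACE, CAP_SYS_MODULE and CAP_NET_ADMIN. A non-root process in the same container reports `CapEff: 0000000000000000`, which is the comment's point about why dropping root is the stronger measure: there is nothing left to decode.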