by jeffbee 1571 days ago
This style of writing sucks, and the abuse of the meaningless term "container" does nothing to clear it up. To reduce this CVE to one sentence: a process running in the top-level control group, which has the ability to create a user namespace, can take over the machine, because the kernel fails to check for CAP_SYS_ADMIN.

See how easy that was?

2 comments

You kind of missed the key to the whole thing here, though, which is that users are able to create userns' now by default. This is really important to understanding this and the last few container escape CVEs.

The article doesn't do much better on that front, but it is in there at least.
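The reply above hinges on whether unprivileged processes can create user namespaces at all. As an added example (not from the thread or the article it discusses), this POSIX shell snippet reads the two kernel knobs that govern that: /proc/sys/user/max_user_namespaces, which exists on mainline kernels, and /proc/sys/kernel/unprivileged_userns_clone, a Debian/Ubuntu-specific toggle that is absent elsewhere. The classification logic is separated from the file reads so it can be exercised with constructed values; the function names and the output strings are this example's own.

```shell
#!/bin/sh
# Added example: report whether unprivileged user namespace creation
# appears to be enabled on a Linux host. The /proc paths are the real
# sysctl files; everything else (function names, messages) is assumed.

# classify_userns MAX_USER_NS UNPRIV_CLONE
#   MAX_USER_NS  : contents of /proc/sys/user/max_user_namespaces
#   UNPRIV_CLONE : contents of /proc/sys/kernel/unprivileged_userns_clone,
#                  or the word "absent" on kernels without that knob
# Exit status: 0 = enabled, 1 = disabled, 2 = could not determine.
classify_userns() {
    max_ns="$1"
    unpriv="$2"
    # A hard limit of zero namespaces disables creation for everyone,
    # regardless of the distro-specific toggle.
    if [ "$max_ns" -eq 0 ] 2>/dev/null; then
        echo "disabled (max_user_namespaces=0)"
        return 1
    fi
    case "$unpriv" in
        0)
            echo "disabled (unprivileged_userns_clone=0)"
            return 1 ;;
        1|absent)
            # Mainline default: no CAP_SYS_ADMIN needed to unshare(CLONE_NEWUSER).
            echo "enabled: unprivileged processes can create user namespaces"
            return 0 ;;
        *)
            echo "unknown value for unprivileged_userns_clone: $unpriv"
            return 2 ;;
    esac
}

# check_host: read the live values and classify them.
check_host() {
    if [ ! -r /proc/sys/user/max_user_namespaces ]; then
        echo "cannot read /proc/sys/user/max_user_namespaces (not Linux, or old kernel)"
        return 2
    fi
    max_ns=$(cat /proc/sys/user/max_user_namespaces)
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        unpriv=$(cat /proc/sys/kernel/unprivileged_userns_clone)
    else
        unpriv=absent
    fi
    classify_userns "$max_ns" "$unpriv"
}

# Run the live check only when invoked directly as a script.
case "$0" in
    *check_userns*) check_host ;;
esac
```

Saved as check_userns.sh, the script prints the classification and exits non-zero when creation is disabled or undeterminable, which makes it easy to drop into a host-hardening audit. Setting user.max_user_namespaces=0 via sysctl is the portable way to switch the feature off on a host that does not need rootless containers.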

Isn't the whole purpose of this style of writing to define terms like "top level control group" and "CAP_SYS_ADMIN" for those people who don't already understand what they mean?
The article doesn't do that. It throws around jargon without defining it, or defining it vaguely or inaccurately.