by yrro
993 days ago
> The damage done with container escape is bigger on my machine than any production server I have access to.

It's worth pointing out that if you're running on Fedora/RHEL then containers are confined to the container_t domain, with a unique per-container MCS label. SELinux policy will prevent a process that has broken out of its namespaces from being able to read/write files from the host or from other containers, or being able to kill or read the memory of or (I'm assuming, haven't checked) ptrace processes from the host or other containers.
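To make the two mechanisms in that comment concrete, here is an added example (not yrro's code, and not the real container-selinux policy): a small Python model of how SELinux decides whether a container process may read a file. Type enforcement asks whether the process domain (container_t) is allowed to touch the file's type at all; MCS then asks whether the process's category set covers the file's. The `TE_ALLOW_READ` table, the context strings, and the "take the high end of a level range" simplification are all assumptions made for the example.

```python
"""Toy model of SELinux container separation on Fedora/RHEL-style hosts:
type enforcement (domain -> type) plus MCS category dominance.
The allow table and all contexts here are constructed for illustration;
they are not the real container-selinux policy."""

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type_: str
    sens: int             # sensitivity number: "s0" -> 0
    cats: frozenset       # MCS categories as ints: "c12,c345" -> {12, 345}


def expand_cats(spec: str) -> frozenset:
    """'c12,c345' -> {12, 345}; 'c0.c3' -> {0, 1, 2, 3}; '' -> empty set."""
    cats = set()
    for item in filter(None, spec.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)
        if not m:
            raise ValueError(f"bad category spec: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        cats.update(range(lo, hi + 1))
    return frozenset(cats)


def parse_context(ctx: str) -> Context:
    """Parse 'user:role:type:level[:cats]'. If the level is a range
    'low-high' (e.g. unconfined_t's s0-s0:c0.c1023) we take the high end
    as the effective category set; this is a simplification of how the
    kernel treats ranges, made for the example."""
    parts = ctx.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"not a 4-field context: {ctx!r}")
    user, role, type_, mls = parts
    high = mls.split("-", 1)[-1]
    level, _, catspec = high.partition(":")
    if not re.fullmatch(r"s\d+", level):
        raise ValueError(f"bad sensitivity: {level!r}")
    return Context(user, role, type_, int(level[1:]), expand_cats(catspec))


# Constructed type-enforcement table (assumption): which process domains may
# read files of which types. container_t gets no rule for host types such as
# user_home_t, so MCS never even gets asked for those.
TE_ALLOW_READ = {
    "container_t": {"container_file_t"},
    "unconfined_t": {"*"},
}


def mcs_dominates(subject: Context, obj: Context) -> bool:
    """MCS rule: the subject's level is at least the object's and the
    subject's category set is a superset of the object's."""
    return subject.sens >= obj.sens and obj.cats <= subject.cats


def check_read(subject_ctx: str, object_ctx: str):
    """Return (allowed, reason) for subject reading object."""
    s, o = parse_context(subject_ctx), parse_context(object_ctx)
    allowed_types = TE_ALLOW_READ.get(s.type_, set())
    if "*" not in allowed_types and o.type_ not in allowed_types:
        return False, f"denied by type enforcement ({s.type_} -> {o.type_})"
    if not mcs_dominates(s, o):
        missing = sorted(o.cats - s.cats)
        return False, f"denied by MCS (subject lacks categories {missing})"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed contexts in the shape podman/CRI-O assign on Fedora.
    container_a = "system_u:system_r:container_t:s0:c12,c345"
    host_shell = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
    objects = {
        "own volume":        "system_u:object_r:container_file_t:s0:c12,c345",
        "other container":   "system_u:object_r:container_file_t:s0:c67,c89",
        "host home dir":     "unconfined_u:object_r:user_home_t:s0",
    }
    for name, obj in objects.items():
        print(f"container A -> {name:16s}: {check_read(container_a, obj)[1]}")
    print(f"host shell  -> other container : {check_read(host_shell, objects['other container'])[1]}")
```

Two things the model makes visible: a host file with no categories is covered by any container's category set, so only type enforcement stands between an escaped container_t process and user_home_t; and dominance is a superset test, which is why engines assign each container a pair of random categories rather than one, so that no container's set is a subset of another's.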