Hacker News new | ask | show | jobs
by gettodachoppa 758 days ago
I'm a casual Docker user, ran maybe 30 images my whole life. I've never used any of these flags and didn't know most of them even existed.

Are these serious threats? I mean it seems like common sense that if you give a malicious container elevated privileges, it can do bad stuff.

Is a VM any different? If you create a VM and add your host's / directory as a share with write permissions (allowing the VM to modify your host filesystem/binaries) does that mean VMs are bad at isolation and shouldn't be used? Because that's what these "7 ways to escaper a container" ways look like to me.
1 comments
belter 758 days ago
Containers are called "Leaky Vessels" for a reason...

"Container Escape: New Vulnerabilities Affecting Docker and RunC" - https://www.paloaltonetworks.com/blog/prisma-cloud/leaky-ves...

VMs offer a much better isolation mode.

link
gettodachoppa 758 days ago
Thanks, that link made me much more confident in using Docker.

I mean come on: "Attackers could try to exploit this issue by causing the user to build two malicious images at the same time, which can be done by poisoning the registry, typosquatting or other methods"

So basically ridiculous CVEs that will never affect people not in the habit of building random Dockerfiles off Github with 2 stars. Good to know. Only the 1st one isn't dismissable out of hand, I can't tell if it's bogus like the rest./

link