by Scramblejams
264 days ago
Better not rely on unprivileged containers to save you. The problem is: breaking out of a VM requires a hypervisor vulnerability, and those are rare. Breaking out of a shared-kernel container requires a kernel syscall vulnerability, and those are common. The syscall attack surface is huge, and much of it is exploitable even by unprivileged processes. I posted this thread elsewhere here, but for more info: https://news.ycombinator.com/item?id=32319067
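The comment's point is that a shared-kernel container exposes the whole syscall surface to the workload inside it. One defensive response is to measure how much of that surface a given workload actually uses and ship a seccomp allowlist that exposes only that. The script below is an added example, not code from the comment or the linked thread: it parses strace-style output (a constructed sample is embedded), emits a profile in the Docker/containerd JSON seccomp format (`defaultAction`, `architectures`, `syscalls`), and reports which syscalls a broader baseline still leaves open. The baseline and the short review list of kernel-facing syscalls are assumptions chosen for illustration, not any runtime's real default.

```python
import json
import re

# Constructed sample of strace-style output, as captured with `strace -f`
# while exercising a workload. Not taken from the page or any real trace.
SAMPLE_TRACE = """\
execve("/usr/bin/python3", ["python3", "app.py"], 0x7ffd4c1e8a10 /* 12 vars */) = 0
brk(NULL)                               = 0x55d2c3a0e000
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
read(3, "\\177ELF\\2\\1\\1\\0", 832)          = 832
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1a3c0a2000
close(3)                                = 0
socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 4
[pid 24117] connect(4, {sa_family=AF_INET, sin_port=htons(443)}, 16) = 0
write(4, "GET / HTTP/1.1\\r\\n", 78)        = 78
+++ exited with 0 +++
"""

# A syscall line starts with an optional "[pid N]" prefix, then the name and "(".
SYSCALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?([a-z_][a-z0-9_]*)\(")

# Assumed review list: syscalls that reach namespace, keyring, tracing or
# mount machinery and therefore deserve a second look before being allowed.
REVIEW_LIST = {"mount", "umount2", "unshare", "setns", "ptrace", "keyctl",
               "add_key", "request_key", "bpf", "userfaultfd", "kexec_load"}


def observed_syscalls(trace_lines):
    """Return the set of syscall names that appear in strace-style lines."""
    names = set()
    for line in trace_lines:
        m = SYSCALL_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def build_seccomp_profile(allowed, arches=("SCMP_ARCH_X86_64",)):
    """Build a default-deny (ERRNO) profile that allows only `allowed`."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": list(arches),
        "syscalls": [
            {"names": sorted(allowed), "action": "SCMP_ACT_ALLOW", "args": []}
        ],
    }


def allowed_in(profile):
    """Collect every syscall a profile explicitly allows."""
    names = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            names.update(rule.get("names", []))
    return names


def profile_allows(profile, syscall):
    """True if the profile permits `syscall` (explicit allow or permissive default)."""
    if syscall in allowed_in(profile):
        return True
    return profile.get("defaultAction") == "SCMP_ACT_ALLOW"


def surface_delta(baseline, tightened):
    """Syscalls the baseline exposes that the tightened profile removes."""
    return allowed_in(baseline) - allowed_in(tightened)


def flagged(profile):
    """Allowed syscalls that intersect the review list."""
    return allowed_in(profile) & REVIEW_LIST


if __name__ == "__main__":
    used = observed_syscalls(SAMPLE_TRACE.splitlines())
    tight = build_seccomp_profile(used)
    # Assumed broad baseline for comparison; not a real runtime default.
    broad = build_seccomp_profile(used | {"mount", "unshare", "ptrace", "keyctl", "clone3"})
    print(json.dumps(tight, indent=2))
    print("removed vs baseline:", sorted(surface_delta(broad, tight)))
    print("baseline entries to review:", sorted(flagged(broad)))
```

The generated JSON can be passed to a container runtime as a custom seccomp profile; the important property is `defaultAction: SCMP_ACT_ERRNO`, so anything the trace never exercised fails closed rather than reaching the kernel.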