| > The agent inside the container runs with bypassPermissions — it can use Bash, write files, do whatever it wants. But "whatever it wants" is constrained by what the OS lets it see. No application-level permission checks needed. While containers can be useful for reducing privileges, that assumption isn’t safe, remember that the only thing namespaces away is that which supports namespaces and that by themselves, namespaces are not security features. A super critical part I didn’t see or missed is the importance of changing UID, the last line of [0] will show one reason. Remember that the container users has elevated privileges unless you the user explicitly drop this privileges. I applaud the effort at hardening, but containers have mostly been successful because the most popular apps like nginx operate under a traditional cohosting system and take responsibility for privilege dropping. There are tons of kernel calls, ldpreload tricks etc… that are well known and easily to find with exploration. Even dropping elevated privileges and setting no new priv, still isn’t a jail. Without using separate UIDs don’t expect any real separation at all. [0] https://www.kernel.org/doc/html/latest/admin-guide/namespace... |