|
|
|
|
|
|
by firesteelrain
38 days ago
|
|
|
This is a problem and most people hadn’t considered it before because the caching is done to speed up build pipeline performance: “ While rootless containers prevent the attacker from escalating to host root, the page cache is still shared across the host. Containers that re-use the same base image layers share the same cached pages for those layers — if a malicious CI job corrupts a binary in the page cache, other containers launched from that same image could end up executing the poisoned version.” |
|
|
I don't believe the kernel maintains separate page caches for each container; a malicious CI job could corrupt a binary from any container, or the host.