
Breaking out of a docker container with default settings is hard. You would be making the headlines if you could do so.

Now breaking out of a docker container with --privileged or even just CAP_SYS_ADMIN is much easier.
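The capability set the comment above is talking about can be read from inside the container itself: the CapEff line of /proc/self/status is a hex bitmask in which bit 21 is CAP_SYS_ADMIN. The script below is an added example for this thread, not code from the comment, Docker or runc; it decodes that mask, names the capabilities present and flags CAP_SYS_ADMIN. It assumes a POSIX sh with awk and 64-bit arithmetic, and the two /proc/self/status excerpts it runs on are constructed rather than captured (a80425fb is the mask Docker's default capability set yields; 3fffffffff is every bit set on a kernel whose last capability number is 37, which is what --privileged gives you there).

```shell
#!/bin/sh
# Added example, not code from the HN thread or from Docker/runc.
# Decode the CapEff bitmask that /proc/self/status reports inside a container
# and flag CAP_SYS_ADMIN. Capability numbers follow
# include/uapi/linux/capability.h (0..40 as of Linux 5.9); newer kernels add more.

CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"
CAP_SYS_ADMIN=21

# capeff_from_status "<status text>": print the hex CapEff field.
capeff_from_status() {
    printf '%s\n' "$1" | awk '$1 == "CapEff:" { print $2 }'
}

# cap_set HEXMASK N: succeed when capability number N is in the mask.
cap_set() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_names HEXMASK: print the name of every capability in the mask, in number order.
cap_names() {
    _mask=$1; _i=0; _out=""
    for _n in $CAP_NAMES; do
        if cap_set "$_mask" "$_i"; then
            _out="${_out:+$_out }cap_$_n"
        fi
        _i=$((_i + 1))
    done
    printf '%s\n' "$_out"
}

# assess HEXMASK: print a one-line verdict; return 1 when CAP_SYS_ADMIN is present.
assess() {
    if cap_set "$1" "$CAP_SYS_ADMIN"; then
        printf 'CapEff=%s: CAP_SYS_ADMIN present (caps: %s)\n' "$1" "$(cap_names "$1")"
        return 1
    fi
    printf 'CapEff=%s: no CAP_SYS_ADMIN (caps: %s)\n' "$1" "$(cap_names "$1")"
}

# Constructed /proc/self/status excerpts (not captured from a real host).
# a80425fb: Docker's default capability set. 3fffffffff: all 38 capabilities
# of a kernel whose last capability is 37, i.e. what --privileged yields there.
DEFAULT_STATUS="$(printf 'Name:\tsh\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n')"
PRIV_STATUS="$(printf 'Name:\tsh\nCapEff:\t0000003fffffffff\n')"

assess "$(capeff_from_status "$DEFAULT_STATUS")" || true
assess "$(capeff_from_status "$PRIV_STATUS")" || true

# Live check of the current process, when /proc is available.
if [ -r /proc/self/status ]; then
    assess "$(capeff_from_status "$(cat /proc/self/status)")" || true
fi
```

Run it inside the container you are assessing (`docker exec <id> sh check.sh`); the live check at the end prints the real mask and exits the assessment with 1 when CAP_SYS_ADMIN is there. Note that a clean CapEff only says the capability boundary is intact; it says nothing about seccomp, AppArmor or the runc version, which are separate parts of the default configuration.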




There was a CVE in February [0][1] that escaped out of Docker's default settings. runc has had a few of these over the last few years; it isn't inconceivable that there are more to be found.

Docker does do a decent job of setting some sensible defaults - but it isn't a security sandbox and they don't market it as such.

[0] https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-fr...

[1] https://seclists.org/oss-sec/2019/q1/119


The very fact that there's a CVE for breaking out of docker shows that it's a big deal :)



