New vulnerability in runc allows container escape, root-level code execution in Docker

Odds are you can run arbitrary workloads. When you do so, you can also usually mount any directory on the host inside the container (docker run -v /host/dir:/container/mount).

You can grant access to the daemon (via the docker.sock) with normal user permissions. So create a user, add it to the docker group, and then that user can only bind directories into a container that it has access to.

So normal rules apply around Linux user permissions if you are just using a plain old docker daemon.

Now, for Docker-in-Docker installations (to support CI/CD workloads, for example) that ask to mount the docker.sock as a volume inside the container, I can see some more possibilities. If you do that, then I believe the daemon will see that you are "root" and let you bind anything from the host to that guest.
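The two mount patterns the comment above discusses (handing a container the daemon socket, and bind-mounting sensitive host directories) are easy to spot in a `docker run` command line before it is executed. The following is an added example, not code from the original post, from the article's author, or from the runc or Docker projects. The function names (`assess_mount`, `audit_run_args`), the list of "sensitive" host directories, and the sample argument vector are all my own assumptions; only the `-v`/`--volume` spec syntax is Docker's.

```python
"""Flag Docker bind mounts that hand a container control of the host.

Added example for illustration; not from the original page. It parses
`-v host_path:container_path[:options]` specs and reports mounts of the
Docker daemon socket (root-equivalent control of the daemon) and mounts
of sensitive host directories. The sample argv at the bottom is constructed.
"""
import posixpath

# Paths of the Docker daemon socket. On most distributions /var/run is a
# symlink to /run, so both spellings reach the same socket.
DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}

# Host directories whose exposure gives a container root-equivalent or
# near-root access when the daemon (which runs as root) performs the bind
# mount. This list is an assumption chosen for the example, not a standard.
SENSITIVE_HOST_DIRS = ("/", "/etc", "/root", "/boot", "/dev", "/proc", "/sys",
                       "/var/run", "/run")


def parse_volume_spec(spec):
    """Split 'host:container[:opts]' into (host, container, [opts]).

    Returns None for named volumes (host part has no leading slash), which
    are not host bind mounts. Host and container paths are normalized so
    that '/var/run/../run/docker.sock' is recognised as the socket.
    """
    parts = spec.split(":")
    if len(parts) < 2 or not parts[0].startswith("/"):
        return None
    host = posixpath.normpath(parts[0])
    container = posixpath.normpath(parts[1])
    opts = parts[2].split(",") if len(parts) > 2 else []
    return host, container, opts


def _under(path, parent):
    """True if path equals parent or lies inside it ('/' matches only itself)."""
    if parent == "/":
        return path == "/"
    return path == parent or path.startswith(parent + "/")


def assess_mount(spec):
    """Classify one -v spec as 'ok', 'daemon-socket', 'host-writable' or 'host-readonly'."""
    parsed = parse_volume_spec(spec)
    if parsed is None:
        return "ok"
    host, _container, opts = parsed
    # The socket is checked before the read-only option is considered: a
    # read-only bind mount does not stop connect() on a Unix socket, so
    # ':ro' gives no protection here.
    if host in DOCKER_SOCKETS:
        return "daemon-socket"
    for directory in SENSITIVE_HOST_DIRS:
        if _under(host, directory):
            return "host-readonly" if "ro" in opts else "host-writable"
    return "ok"


def audit_run_args(argv):
    """Walk a `docker run` argument vector and return {spec: verdict} for every volume flag."""
    findings = {}
    tokens = iter(argv)
    for tok in tokens:
        if tok in ("-v", "--volume"):
            spec = next(tokens, None)
            if spec is not None:
                findings[spec] = assess_mount(spec)
        elif tok.startswith("--volume=") or tok.startswith("-v="):
            spec = tok.split("=", 1)[1]
            findings[spec] = assess_mount(spec)
    return findings


# Constructed sample: a CI-style invocation that mounts the daemon socket.
SAMPLE_ARGV = [
    "docker", "run", "--rm",
    "-v", "/var/run/docker.sock:/var/run/docker.sock",
    "-v", "/home/ci/src:/src",
    "--volume=/:/host:ro",
    "-v", "mydata:/data",
    "ci-runner:latest",
]

if __name__ == "__main__":
    for spec, verdict in audit_run_args(SAMPLE_ARGV).items():
        print(f"{verdict:14s} {spec}")
```

The socket check deliberately ignores `:ro`; a read-only bind mount only blocks opening the file for writing, while `connect()` on the socket still succeeds, so a container that can reach the socket can ask the daemon to start a second container with `-v /:/host` regardless.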
