
Breaking Out of Docker via RunC - zelivans
https://www.twistlock.com/labs-blog/breaking-docker-via-runc-explaining-cve-2019-5736/
======
simosx
A post by Christian Brauner (LXC/LXD developer) on how LXC and LXD are
affected. In summary, unprivileged containers (as found in LXD) are not
affected.

[https://brauner.github.io/2019/02/12/privileged-containers.h...](https://brauner.github.io/2019/02/12/privileged-containers.html)

------
helper
This is a really great exploration of this vulnerability.

It makes me sad that lxc doesn't get more love. LXC has had unprivileged
containers as its default for 5+ years now. It's a really solid tool set that
has mostly been passed over for lack of marketing.

~~~
barbecue_sauce
The reason Docker gets so much attention is its container image repository
infrastructure. I'm sure LXC has something similar, but Docker's is built-in
and has almost anything you can think of. (Of course, this presents other
security/trust issues).

------
yutghgh
This is very interesting, because most Docker breakouts I see are exploits in
the Linux kernel, but this is one of the few in the containerization
components themselves (first one I remember in runC).

~~~
cpuguy83
Definitely not the first. There was one with leaking file descriptors which
weren't opened with O_CLOEXEC.

Another with ptrace (fixed by making the process non-dumpable).

------
amerine
Are those diagrams generated via something or did you create it in an app?

~~~
uvuv
They're created using [https://www.draw.io/](https://www.draw.io/)

------
awilddocker
Why aren't Docker and k8s banned by security teams? These are clearly broken
abstractions that would violate most security audits immediately.

~~~
MotiveMe
We think of these as deployment abstractions that provide no security value.
This is why services like Amazon’s ECS Fargate pair 1 task definition (usually
a single container) to a single EC2 host for isolation.

~~~
otterley
AWS employee here! The relationship is actually one task per EC2 _instance_
(VM isolation), not one task per host. I'm sure you meant the former, but just
wanted to clarify for readers.

~~~
jen20
Something I've been wondering for a while (and you may be placed to answer):
is Firecracker part of the isolation story for Fargate - or is it regular EC2
instances?

~~~
_msw_
Hi, I'm from the core compute engineering part of AWS.

Like most good stories, there's a beginning, middle, and end. We're in the
middle now, and Fargate uses both regular EC2 instances and Firecracker in
some cases.

