item 39573398

jabradoodle | 2 years ago
It's not just a specific actor targeting a specific entity though; it's any malicious dependency being run in a privileged environment.

anonzzzies | 2 years ago
Yes, that's true. But then you might have bigger issues I would say. But agreed. It's a good reason to make sure it's all closed off.

nyrikki | 2 years ago
Look at the default capabilities below; as a poster above mentioned, NET_RAW and MKNOD are enabled by default.
https://docs.docker.com/engine/reference/run/#runtime-privil...
Unless you perfectly drop all privileges from every pod you are open to attack.
Containers are not security contexts; they are namespaces that require all actors that can launch a VM to actively drop privileges.
This is an intentional design decision and not a bug.
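A way to verify the point above from inside a running container, as an added example that is not part of this thread: decode the kernel's capability bounding set from /proc/self/status and report which of Docker's default capabilities (taken from the linked runtime-privilege docs) are still present, flagging NET_RAW and MKNOD in particular. The capability bit numbering follows linux/capability.h; the sample status text is constructed.

```python
"""Decode a process's capability bounding set and compare it with Docker's default."""
import re

# Linux capability names indexed by bit number (linux/capability.h, up to CAP_CHECKPOINT_RESTORE = 40).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Capabilities Docker grants by default (per the runtime-privilege docs linked in the thread).
DOCKER_DEFAULT = {
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID",
    "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL",
    "AUDIT_WRITE",
}

# The two defaults the thread calls out; most workloads need neither.
WATCH = {"NET_RAW", "MKNOD"}

def decode_caps(hexmask: str) -> set[str]:
    """Turn a /proc status capability mask (hex) into a set of capability names."""
    mask = int(hexmask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}

def parse_status(text: str) -> dict[str, set[str]]:
    """Extract the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines from /proc/<pid>/status text."""
    return {m.group(1): decode_caps(m.group(2))
            for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)$", text, re.M)}

def audit(text: str) -> dict[str, set[str]]:
    """Report bounding-set caps beyond Docker's default and any watched caps still present."""
    bnd = parse_status(text).get("CapBnd", set())
    return {"bounding": bnd, "extra": bnd - DOCKER_DEFAULT, "watched": bnd & WATCH}

# Constructed sample: what an unhardened container's root process typically shows.
SAMPLE_DEFAULT = "Name:\tsh\nCapBnd:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"

if __name__ == "__main__":
    try:  # On Linux, audit the process this script runs in (e.g. inside a pod).
        text = open("/proc/self/status").read()
    except OSError:  # Not Linux: fall back to the constructed sample.
        text = SAMPLE_DEFAULT
    report = audit(text)
    print("bounding set:", sorted(report["bounding"]))
    print("beyond Docker default:", sorted(report["extra"]) or "none")
    print("watched caps still present:", sorted(report["watched"]) or "none")
```

An empty "watched" set after `--cap-drop=ALL` (or a Kubernetes securityContext that drops ALL) confirms the privileges were actually dropped rather than assumed dropped.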