Comments (3)
These are not contended statements, ask any docker developer (me for instance), or look in the docker manpage for instance. For instance, the docker run with --privileged and -v /:/host_root will give you full privileges and access to the full host filesystem. systemd-nspawn similarly lets you set up a minimally contained container (of course, systemd-nspawn requires you to be root to run it, so it's not technically a privilege escalation).
from bubblewrap.
For instance, the docker run with --privileged and -v /:/host_root will give you full privileges and access to the full host filesystem
Running everything with --privileged is simply misconfiguration, not an architectural problem, even less a vulnerability.
from bubblewrap.
I don't understand what you mean by that. If you give your user access to the docker socket he can use --privileged to get access, there is nothing unexpected or "vulnerability" in this. It is just something implied by having docker access. But, that also means you can't generally give out docker access to users you don't trust with root.
from bubblewrap.
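A defender-side check for the two configurations the comments above name (a container started with --privileged, and a bind mount of the host root or of the docker socket), as an added example that is not code from the bubblewrap project or from the commenters. The `docker inspect` records below are constructed and trimmed to the real `HostConfig.Privileged` and `HostConfig.Binds` keys; `host_source` and `audit` are assumed helper names.

```python
"""Audit `docker inspect` output for settings that amount to host root access:
--privileged, a bind of the host root, or a bind of the docker socket."""
import json
from pathlib import PurePosixPath

# Constructed sample (not real inspect output): three containers, the first
# launched roughly as `docker run --privileged -v /:/host_root ...`.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/build-agent",
     "HostConfig": {"Privileged": True, "Binds": ["/:/host_root"]}},
    {"Name": "/web",
     "HostConfig": {"Privileged": False,
                    "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
    {"Name": "/ci-runner",
     "HostConfig": {"Privileged": False,
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
])

HOST_ROOT = PurePosixPath("/")
DOCKER_SOCKET = PurePosixPath("/var/run/docker.sock")


def host_source(bind: str) -> str:
    """Return the host-side path of a 'src:dst[:opts]' bind entry."""
    return bind.split(":", 1)[0]


def audit(inspect_json: str) -> dict[str, list[str]]:
    """Map container name -> findings that give the container host root access."""
    findings: dict[str, list[str]] = {}
    for container in json.loads(inspect_json):
        host_config = container.get("HostConfig", {})
        issues = []
        if host_config.get("Privileged"):
            issues.append("privileged")
        # docker inspect emits null (not []) when there are no binds.
        for bind in host_config.get("Binds") or []:
            src = PurePosixPath(host_source(bind))
            if src == HOST_ROOT:
                issues.append(f"host root bind: {bind}")
            elif src == DOCKER_SOCKET:
                issues.append(f"docker socket bind: {bind}")
        if issues:
            findings[container["Name"].lstrip("/")] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(issues)}")
```

Against a live host, feed it the output of `docker inspect $(docker ps -q)`; a hit on the socket bind means the processes in that container have the same effective root access the comment describes for socket users.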