5
you are viewing a single comment's thread
view the rest of the comments
[-] moonpiedumplings@programming.dev 3 points 2 days ago* (last edited 2 days ago)

If an attacker breaks out of the container, through a kernel bug, a runtime bug, a careless bind mount, or a misconfigured capability, they can land on the host as root. This is not hypothetical, we have well known examples, such as CVE-2025-9074.

If the same happened with a rootless container, the attacker would be able to act in the host system as well, but with an unprivileged user, limiting the scope and impact of their “expedition”.

This is not true. I have addressed this in my other comment here: https://programming.dev/post/51095402/24088470

TLDR: Kernel bugs from inside a rootless container still get root on the host. Podman wasn't effected due to more restricted default seccomp policy (controlling what syscalls can be used), but podman being rootless didn't actually help in the example of that recent CVE.

this post was submitted on 09 Jul 2026
5 points (100.0% liked)

DevOps

2189 readers
1 users here now

DevOps integrates and automates the work of software development (Dev) and IT operations (Ops) as a means for improving and shortening the systems development life cycle.

Rules:

Icon base by Lorc under CC BY 3.0 with modifications to add a gradient

founded 3 years ago
MODERATORS