Comment on Security and docker
just_another_person@lemmy.world 6 months ago
Containers are isolated from the host by default. If you give a container a mount, it can only interact with the mount, but not the running host. If you further isolated and protected that mount, you would have fine. Since you ran it as your unprivileged user, it’s one step safer from being able to hijack other parts of the machine, and if it was a “virus”, all it could do is write files to the mount and fill up your disk I guess, or drop a binary and hope you execute it.
asap@lemmy.world 6 months ago
Are you certain about that? My understanding is that Docker containers are literally just processes running on the host (ideally rootless), but with no isolation in the way that VMs are isolated from the host.
kevincox@lemmy.ml 6 months ago
There is definitely isolation. In theory (if containers worked perfectly as intended) a container can’t see any processes from the host, sees different filesystems, possibly a different network interface and basically everything else. There are some things that are shared like CPU, Memory and disk space but these can also be limited by the host.
But yes, in practice the Linux kernel is wildly complex and these interfaces don’t work quite as well as intended. You get bugs in permission checks and even memory corruption and code execution vulnerabilities. This results in unintended ways for code to break out of containers.
So in theory the isolation is quite strong, but in practice you shouldn’t rely on it for security critical isolation.
possiblylinux127@lemmy.zip 6 months ago
The Linux kernel recently became a CVE numbering authority. That means that there are now tons of CVEs coming out but the overwhelming majority aren’t easily exploitable. They can be rated pretty high with no actual impact. Furthermore, a lot of them require a very specific setup with specific kernel components. It is best to look at the exploitablity score and the recommended CISA actions.