Comment on Security and docker
Lemongrab@lemmy.one 3 months agoIt is not speculation, it is reducing attack surface. Security is preemptive. Docker/Podman are not strong isolation solutions. Rare does not mean we shouldn’t protect against the chance of kernel vulnerabilities. The linux kernel around 30 million lines of code long and written in a memory unsafe language. Code isn’t safe just because we dont know the vulnerabilities, this is basic cybersec reasoning.
possiblylinux127@lemmy.zip 3 months ago
Write me an exploit then
If it so insecure prove it
Lemongrab@lemmy.one 3 months ago
That is not how security works. You must protect against known and unknown attack vectors. I am only pointing out weaknesses of Docker and other linux containers that share the kernel with the host or/and run with Root. I’m not saying anything original or crazy, just read up on the security of these technologies and their limits. I am not a malware designer, I am a security researcher.
Look into gVisor and Kara Containers for info on how to improve the security of containers.
Here are some readings for you:
…tux.pizza/…/help_can_i_safely_run_malware_inside…
csoonline.com/…/vulnerabilities-in-docker-other-c…
www.panoptica.app/…/7-ways-to-escape-a-container
blog.trailofbits.com/…/understanding-docker-conta…
securityweek.com/leaky-vessels-container-escape-v…
cybereason.com/…/container-escape-all-you-need-is…