
Docker Container Break-out Exploit

December 17th, 2015 baoz

Amidst the various blog postings on Docker, a security issue was announced yesterday detailing an exploit that makes a container breakout possible. The exploit lets a process inside a container read any file, including sensitive ones, on the host system.

How does it work? Two things come together. First, the container shares part of the host's filesystem: the host file /.dockerinit is bind-mounted into every container, so a file descriptor on it refers to the host's filesystem. Second, Docker releases before 1.0 left the container with the CAP_DAC_READ_SEARCH capability, which is exactly what the open_by_handle_at() system call requires. That call opens a file from a raw file handle rather than a path, and on ext4 a handle is 64 bits: a 32-bit inode number followed by a 32-bit generation number. Starting from inode 2, the root directory of the filesystem, the exploit opens each directory on the way to the target, reads its entries to learn the inode number of the next path component, and brute-forces the remaining 32-bit generation number until open_by_handle_at() succeeds. Repeating this for every component walks the path to the desired file on the host.

The test code, shocker.c, developed by Sebastian Krahmer (thank you!), can be used to demonstrate this exploit, and indeed I was able to:

Oops! /etc/shadow is definitely not a file on my host that I want to be visible to a container.

With a newer version of Docker (1.0.0), this is not a problem:

Do note, though, that one must not rest on one's laurels or get too comfortable with the default configuration just because it is 1.0.

Some of the suggested fixes are to use AppArmor or SELinux containment, to map trust groups to separate machines, or to avoid running the app as root. Running as a non-root user works because open_by_handle_at() demands CAP_DAC_READ_SEARCH, and an unprivileged user inside the container has no effective capabilities at all. I think the quickest fix, and the one I tested and found easiest, was running as a regular user. On my first instance, where the exploit worked, using an ubuntu user solved the issue:
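To make both the mechanism and the fix concrete, here is an added example written for this post. It is not shocker.c and it is not Docker's code. It builds the 64-bit ext4 file handle (32-bit inode number, 32-bit generation) that open_by_handle_at() consumes, starting from inode 2 as the exploit does, and it decodes the CapEff mask from /proc/<pid>/status to tell whether CAP_DAC_READ_SEARCH is present, the one capability the call needs and the one that running as a regular user (or a Docker release that drops it) takes away. The sample status line, the struct and function names, and the choice of "/" as the mount point are assumptions made for this demo; in a vulnerable container the mount fd would come from a host-backed file such as /.dockerinit rather than from "/".

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Capability number from <linux/capability.h>, used as a bit index into the
 * CapEff mask of /proc/<pid>/status. open_by_handle_at() refuses to work
 * without it, so it is the single privilege the breakout depends on. */
#define CAP_DAC_READ_SEARCH 2

/* Constructed sample of a /proc/<pid>/status fragment as a default Docker
 * container reports it (mask 00000000a80425fb). Bit 2 is clear in it. */
static const char SAMPLE_DOCKER_STATUS[] = "Name:\tsh\nCapEff:\t00000000a80425fb\n";

/* An ext4 file handle of type FILEID_INO32_GEN (handle_type 1): an 8-byte
 * payload holding a 32-bit inode number followed by a 32-bit generation
 * number. The layout matches struct file_handle, so a pointer to it can be
 * passed straight to open_by_handle_at(). */
struct ino_gen_handle {
    unsigned int handle_bytes;   /* 8 for this handle type */
    int handle_type;             /* FILEID_INO32_GEN == 1 */
    unsigned char f_handle[8];   /* [inode (4 bytes)][generation (4 bytes)] */
};

/* Build the handle naming inode `ino` with generation `gen`. Inode 2 with
 * generation 0 is the root directory of an ext4 filesystem, which is where
 * the path walk starts. */
struct ino_gen_handle make_handle(uint32_t ino, uint32_t gen) {
    struct ino_gen_handle h;
    memset(&h, 0, sizeof h);
    h.handle_bytes = 8;
    h.handle_type = 1;
    memcpy(h.f_handle, &ino, sizeof ino);      /* native byte order, as the kernel stores it */
    memcpy(h.f_handle + 4, &gen, sizeof gen);
    return h;
}

uint32_t handle_ino(struct ino_gen_handle h) { uint32_t v; memcpy(&v, h.f_handle, 4); return v; }
uint32_t handle_gen(struct ino_gen_handle h) { uint32_t v; memcpy(&v, h.f_handle + 4, 4); return v; }

/* Given the text of /proc/<pid>/status, report whether capability `cap` is in
 * the effective set: 1 if present, 0 if absent, -1 if there is no CapEff line.
 * Only the low 64 bits are decoded, which covers every capability defined so far. */
int status_has_cap(const char *status_text, int cap) {
    const char *p = strstr(status_text, "CapEff:");
    if (!p || cap < 0 || cap > 63) return -1;
    unsigned long long mask = strtoull(p + 7, NULL, 16);   /* skips the tab, parses hex */
    return (int)((mask >> cap) & 1ULL);
}

/* The same check against the running process. Returns -1 where /proc is absent. */
int self_has_cap(int cap) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return status_has_cap(buf, cap);
}

#ifdef __linux__
/* Ask the kernel to open the root directory (inode 2, generation 0) of the
 * filesystem that `mount_path` lives on. In the real breakout the mount fd came
 * from a host file visible inside the container, so the handle resolved on the
 * host's filesystem. Returns an fd, or -errno: EPERM means CAP_DAC_READ_SEARCH
 * is missing; ESTALE or EINVAL means the filesystem does not use this handle
 * format (overlayfs, for example). This makes it a quick vulnerability probe. */
int try_root_handle(const char *mount_path) {
    int mfd = open(mount_path, O_RDONLY | O_DIRECTORY);
    if (mfd < 0) return -errno;
    struct ino_gen_handle h = make_handle(2, 0);
    int fd = open_by_handle_at(mfd, (struct file_handle *)&h, O_RDONLY);
    int rc = fd < 0 ? -errno : fd;
    close(mfd);
    return rc;
}
#endif

int main(void) {
    printf("sample Docker CapEff has CAP_DAC_READ_SEARCH: %d\n",
           status_has_cap(SAMPLE_DOCKER_STATUS, CAP_DAC_READ_SEARCH));
    printf("this process: uid=%d, CAP_DAC_READ_SEARCH in CapEff: %d\n",
           (int)getuid(), self_has_cap(CAP_DAC_READ_SEARCH));
#ifdef __linux__
    int rc = try_root_handle("/");
    if (rc >= 0) {
        printf("open_by_handle_at on inode 2 succeeded (fd %d): breakout primitive available\n", rc);
        close(rc);
    } else {
        printf("open_by_handle_at on inode 2 failed: %s\n", strerror(-rc));
    }
#endif
    return 0;
}
```

Compile with gcc -o probe probe.c and run it as root on an ext4 host to see the handle for inode 2 resolve to the root directory. Run the same binary as an unprivileged user, or inside a container whose CapEff lacks bit 2, and the call fails with EPERM, which is the check worth running before trusting a container's default configuration.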

The article also states that there will be further enhancements to Docker, including user namespaces. For the full scoop, the article is here.
