logoalt Hacker News

cypharlast Monday at 4:13 PM1 replyview on HN

If there was a similar class of bug in the illumos kernel, it would also allow for a container escape, no?

There are many issues with the formulation of containers on Linux (though I think people overstate it whenever bugs like this happen) but ultimately this bug was a UAF that gave you arbitrary code execution in the kernel. Zone IDs are also just numbers in kernel memory... right?


Replies

NexRebularlast Monday at 6:19 PM

Not necessarily. Zones in illumos (and Solaris before) were designed from ground up to be secure in multitenant workloads[0]. It's quite different from the duct tape style[1] of linux containerization.

[0]https://www.usenix.org/legacy/event/lisa04/tech/full_papers/...

[1]Tape different things together and see if it holds.

show 1 reply