bwrap is a container and AppArmor is used by basically every container runtime i... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

cyphar on Aug 6, 2023 | parent | context | favorite | on: Barco: Linux Containers from Scratch in C

bwrap is a container and AppArmor is used by basically every container runtime if the system is using AppArmor (otherwise they use SELinux). Seccomp is also enabled by default, and I would argue it is a more significant protection against container breakouts because it protects against kernel 0-days as well and doesn't rely on LSM hooks to block operations. The real question is whether you are using user namespaces.

Jessica Frazelle ran a public bug bounty to break out of a container image that is properly secured, and as far as I know nobody collected the bounty. The website isn't up at the moment, maybe she took it down. https://contained.af/

jppittma on Aug 6, 2023 [–]

Sounds like free money to me. You just press Ctrl+D, and you're out.

cyphar on Aug 6, 2023 | [–]

Sadly that doesn't help you get access to the flag file you need to collect the bounty. ;)

Consider applying for YC's Summer 2025 batch! Applications are open till May 13
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact