> docker run super-evil-oci-container

  1. That super evil OCI container still needs to find a vulnerability in Docker
  2. You can run Docker in rootless mode e.g. Orbstack runs without root

They're suggesting that the attacker is in a position to `docker run`. Any attacker in that position has privesc to root, trivially.

Rootless mode requires unprivileged user namespaces, disabled on almost any distribution because it's a huge security hole in and of itself.

What's particularly vexing is that there is this agentic sandboxing software called "container-use" and out of the box it requires you to add a user to the docker group because they haven't thought about what that really means and why running docker in that configuration option shouldn't be allowed, but instead they have made it mandatory as a default.
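An audit helper for the two points raised in the replies above (membership in the docker group being root-equivalent, and rootless mode depending on unprivileged user namespaces). This is added example code, not code from the thread, from Docker, or from container-use. It assumes GNU `stat -c`, the Debian/Ubuntu `kernel.unprivileged_userns_clone` sysctl where it exists and the upstream `user.max_user_namespaces` otherwise; the `/etc/group` content it parses by default is constructed sample data.

```shell
#!/bin/sh
# Added audit helper (not from the thread): report who can reach the Docker
# daemon through the docker group and its socket, and whether unprivileged
# user namespaces (which rootless mode needs) are enabled on this host.

# Constructed sample /etc/group content so the parsing runs offline.
SAMPLE_GROUP='root:x:0:
docker:x:999:alice,bob
wheel:x:10:alice'

# docker_group_members GROUP_FILE_CONTENT
# Prints the supplementary member list of the docker group (empty if none).
docker_group_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "docker" { print $4 }'
}

# userns_state VALUE
# Interprets a user-namespace sysctl value. For kernel.unprivileged_userns_clone
# (Debian/Ubuntu patch, assumed) 1 means enabled; for upstream
# user.max_user_namespaces any positive value means enabled. 0 disables both.
userns_state() {
    case "$1" in
        ''|*[!0-9]*) echo unknown ;;
        0) echo disabled ;;
        *) echo enabled ;;
    esac
}

# socket_verdict MODE GROUP
# MODE is the octal permission of the Docker socket (e.g. 660 or 0660), GROUP its
# owning group. A group-writable socket means every member of that group can
# drive the daemon, which runs as root.
socket_verdict() {
    sv_mode=$(printf '%s' "$1" | sed 's/.*\(...\)$/\1/')   # keep the last three digits
    sv_groupbits=$(printf '%s' "$sv_mode" | cut -c2)       # middle digit = group bits
    case "$sv_groupbits" in
        2|3|6|7) echo "group '$2' can control the daemon" ;;
        *) echo "group '$2' cannot write the socket" ;;
    esac
}

# audit_host: run the same checks against the live system (assumes GNU stat).
audit_host() {
    members=$(docker_group_members "$(getent group 2>/dev/null)")
    echo "docker group members: ${members:-<none>}"
    if [ -S /var/run/docker.sock ]; then
        socket_verdict "$(stat -c %a /var/run/docker.sock)" "$(stat -c %G /var/run/docker.sock)"
    else
        echo "no /var/run/docker.sock on this host"
    fi
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        echo "unprivileged user namespaces: $(userns_state "$(cat /proc/sys/kernel/unprivileged_userns_clone)")"
    elif [ -r /proc/sys/user/max_user_namespaces ]; then
        echo "unprivileged user namespaces: $(userns_state "$(cat /proc/sys/user/max_user_namespaces)")"
    else
        echo "unprivileged user namespaces: unknown (no sysctl found)"
    fi
}

# Demonstration on the constructed sample; pass --host to audit the real machine.
echo "sample docker group members: $(docker_group_members "$SAMPLE_GROUP")"
echo "sample socket 660/docker: $(socket_verdict 660 docker)"
if [ "${1:-}" = "--host" ]; then
    audit_host
fi
```

Run it with `sh audit.sh --host` on a machine to see the live verdict; any account listed under the docker group with a group-writable socket should be treated as a root account when reviewing who is allowed to install tools like container-use.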