And we don't usually worry about them, because an application with normal user privileges can already to so much damage.
But this exploit can be triggered from inside a tightly sandboxed process, such as firefox's isolated browser process. Which means the attacker now only needs to chain two exploits together: One javascript exploit to get local code execution in an isolated sandbox, and this one to jump all the rest of the way to kernel mode.
Which means, you should update both firefox, and your linux kernel.
Thank you for emphasizing this important detail.
> you should update both firefox, and your linux kernel
No doubt, update all the things! My point was, it can most likely wait until Monday.
Many (maybe most) containers actually default to running programs as root. Kernel exploit not required.
The "root" you get in docker is not actually root outside of the namespace the container in running in.
Assuming no bugs in the kernel, it should not be able to do anything more than the UID that it's mapped from.
(Privileges are still limited by seccomp filters blocking some syscalls, and there's SELinux to block some other stuff, but it's still the actual root user without user namespaces, I think?)
Confinement still leverages dropping some root caps, seccomp, various other namespaces, etc.
People still should use user namespaces (and tools like Podman and Incus do by default) but basic stuff like that is not the reason.
https://stackoverflow.com/questions/33013539/docker-loading-...
Not sure about running rootful though. I don't really use rootful containers personally.
While there is a feature to do with UID mapping, it doesn't actually work/isn't usable/nobody uses it in current docker iirc.
Therefore root in the container very much is root on the host.
That's not meant to be snide, just true, I think.
My mistake, leaving out some adjective one could interpret as a misunderstanding of containers as an effective (etc.) security boundary. Fool me 100+ times and all that.
There must be at least a triple-digit number of CVEs by now demonstratimg that in practice containers are a thinner layer of security (perhaps not quite as thin as the classic recommendation of running SSH on a nonstandard port, but that might be leaning toward the safer side of analogies vs. malicious code!) rather than a boundary like virtualization (not perfect but a best practice for isolation).
Nothing is a security boundary anymore.
I would have hoped that only a few of us are so misinformed as to do that.
from ssh to node, so much stuff showing every other week. might as well call everything remote unless you run 100% behind wireguard or something.