Many (maybe most) containers actually default to running programs as root. Kernel exploit not required.
The "root" you get in docker is not actually root outside of the namespace the container in running in.
Assuming no bugs in the kernel, it should not be able to do anything more than the UID that it's mapped from.
(Privileges are still limited by seccomp filters blocking some syscalls, and there's SELinux to block some other stuff, but it's still the actual root user without user namespaces, I think?)
Confinement still leverages dropping some root caps, seccomp, various other namespaces, etc.
People still should use user namespaces (and tools like Podman and Incus do by default) but basic stuff like that is not the reason.
https://stackoverflow.com/questions/33013539/docker-loading-...
Not sure about running rootful though. I don't really use rootful containers personally.
While there is a feature to do with UID mapping, it doesn't actually work/isn't usable/nobody uses it in current docker iirc.
Therefore root in the container very much is root on the host.
That's not meant to be snide, just true, I think.
My mistake, leaving out some adjective one could interpret as a misunderstanding of containers as an effective (etc.) security boundary. Fool me 100+ times and all that.
There must be at least a triple-digit number of CVEs by now demonstratimg that in practice containers are a thinner layer of security (perhaps not quite as thin as the classic recommendation of running SSH on a nonstandard port, but that might be leaning toward the safer side of analogies vs. malicious code!) rather than a boundary like virtualization (not perfect but a best practice for isolation).