upvote
I don't think this is true, otherwise you could just load a kernel module into the host kernel from a container.
reply
Root is not just one thing on modern Linux, almost all in-kernel privilege checks are now gated via (slightly) more fine-grained capabilities and the default capability set for Docker containers disallows module loading (CAP_SYS_MODULE) and the relevant syscalls (namely (f)init_module) are also blocked with seccomp.

People still should use user namespaces (and tools like Podman and Incus do by default) but basic stuff like that is not the reason.

reply
There are a million ways to load a kernel module from inside of a container into the host kernel (ie: to trigger a load), but seccomp/ linux caps will block the direct ways (as another commenter notes).
reply
It is very possible to load a kernel module into the host from a container.

https://stackoverflow.com/questions/33013539/docker-loading-...

reply
FYI, looks like you are shadowbanned.
reply
Presumably Docker's seccomp profile [1] blocks the init_module system call which is used by insmod [2]. Although, looking at the default profile, it seems to explicitly allow it - but maybe only if you have CAP_SYS_MODULE, which I think means running Docker with "--cap-add=SYS_MODULE".

[1] https://docs.docker.com/engine/security/seccomp/

[2] https://tldp.org/HOWTO/Module-HOWTO/x627.html

reply