upvote
If there was a similar class of bug in the illumos kernel, it would also allow for a container escape, no?

There are many issues with the formulation of containers on Linux (though I think people overstate it whenever bugs like this happen) but ultimately this bug was a UAF that gave you arbitrary code execution in the kernel. Zone IDs are also just numbers in kernel memory... right?

reply
Not necessarily. Zones in illumos (and Solaris before) were designed from ground up to be secure in multitenant workloads[0]. It's quite different from the duct tape style[1] of linux containerization.

[0]https://www.usenix.org/legacy/event/lisa04/tech/full_papers/...

[1]Tape different things together and see if it holds.

reply
I am aware of the history behind Zones and Jails, but my point is still the same -- the (lack of) protection you get against kernel exploits should be the same because the only thing protecting you from escapes is kernel data structures.

(I've been one of the maintainers of runc -- the most widely use used container runtime on Linux -- for more than a decade, so I'm at least somewhat well-informed on the topic.)

The duct tape criticisms are fair when talking about other vulnerabilities (such as when container runtimes have misconfiguration or other inatomicity bugs) but not really here in the context of a kernel arbitrary code execution gadget. It also seems quite unlikely that the illumos kernel doesn't contain any of these kinds of bugs.

reply