upvote
Not necessarily. Zones in illumos (and Solaris before) were designed from ground up to be secure in multitenant workloads[0]. It's quite different from the duct tape style[1] of linux containerization.

[0]https://www.usenix.org/legacy/event/lisa04/tech/full_papers/...

[1]Tape different things together and see if it holds.

reply
I am aware of the history behind Zones and Jails, but my point is still the same -- the (lack of) protection you get against kernel exploits should be the same because the only thing protecting you from escapes is kernel data structures.

(I've been one of the maintainers of runc -- the most widely use used container runtime on Linux -- for more than a decade, so I'm at least somewhat well-informed on the topic.)

The duct tape criticisms are fair when talking about other vulnerabilities (such as when container runtimes have misconfiguration or other inatomicity bugs) but not really here in the context of a kernel arbitrary code execution gadget. It also seems quite unlikely that the illumos kernel doesn't contain any of these kinds of bugs.

reply