Description
Nested container execution is not properly sandboxed. A process escaping from the inner container can access the host system. Container isolation is incomplete, creating a privilege escalation vulnerability.
Steps to Reproduce
- Start a nested container (a container within a container)
- Inside the nested container, run: mount
- Host filesystem mounts are visible
- Run a privileged command from the nested container
- The command executes with elevated privileges on the host
Environment Information
- Container runtime: Docker or similar
- Nesting: Multi-level containers
- Isolation: Using cgroups/namespaces (incomplete)
- Privileges: Not properly isolated
Expected Behavior
- Complete namespace isolation
- No host filesystem access from nested container
- Privilege dropping in nested containers
- cgroup resource limits enforced
Actual Behavior
- Nested container can access host
- Filesystem mounts visible
- Privilege escalation possible
- Container escape risk
Code Reference
- File: daemon/container_runtime.go
- Method: createNestedContainer() - incomplete isolation
- Missing: User namespace remapping
- Missing: seccomp profile
Additional Context
Level 1 security vulnerability. Fix requires:
- Implementing user namespace remapping
- Adding seccomp sandbox
- Enforcing cgroup limits
- Security testing for container escape
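The first of the fixes listed above, user namespace remapping, as an added example in Go. This is not the project's own daemon/container_runtime.go (its contents are not on the page); the IsolationPolicy type, the NestedSysProcAttr and CheckIsolation functions, and the 100000/65536 subordinate id range are all assumed for the example. NestedSysProcAttr builds the process attributes a nested container should be started with (fresh namespaces plus a uid/gid remap that keeps container root off host root), and CheckIsolation is the kind of assertion a security test for createNestedContainer() can run before any process is spawned.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"syscall"
)

// IsolationPolicy is a hypothetical input to createNestedContainer(); the project's own
// type is not shown on the page, so this one is assumed for the example.
type IsolationPolicy struct {
	HostUID     int // first host uid that container uid 0 is remapped onto
	HostGID     int // first host gid that container gid 0 is remapped onto
	IDRangeSize int // number of subordinate ids available to the container
}

// namespaceFlags are the clone(2) flags a nested container must request so that it
// gets its own user, mount, PID, network, IPC and UTS namespaces instead of sharing
// the outer container's (and, through it, the host's).
var namespaceFlags = []struct {
	flag uintptr
	name string
}{
	{syscall.CLONE_NEWUSER, "user"},
	{syscall.CLONE_NEWNS, "mount"},
	{syscall.CLONE_NEWPID, "pid"},
	{syscall.CLONE_NEWNET, "net"},
	{syscall.CLONE_NEWIPC, "ipc"},
	{syscall.CLONE_NEWUTS, "uts"},
}

// NestedSysProcAttr builds the process attributes for a nested container: fresh
// namespaces plus a uid/gid remap so that uid 0 inside the container is an
// unprivileged id on the host. Mapping container root onto host root is refused.
func NestedSysProcAttr(p IsolationPolicy) (*syscall.SysProcAttr, error) {
	if p.HostUID == 0 || p.HostGID == 0 {
		return nil, fmt.Errorf("container root must map to a non-root host id")
	}
	if p.IDRangeSize <= 0 {
		return nil, fmt.Errorf("id range size must be positive")
	}
	var flags uintptr
	for _, ns := range namespaceFlags {
		flags |= ns.flag
	}
	return &syscall.SysProcAttr{
		Cloneflags:  flags,
		UidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: p.HostUID, Size: p.IDRangeSize}},
		GidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: p.HostGID, Size: p.IDRangeSize}},
		// setgroups stays disabled so the remapped root cannot shed supplementary
		// groups to reach files whose group permissions deny it.
		GidMappingsEnableSetgroups: false,
	}, nil
}

// CheckIsolation reports every way a SysProcAttr falls short of the policy above: a
// missing namespace, no uid/gid remap, or a remap that hands container root the
// host's root identity. An empty result means the attributes pass.
func CheckIsolation(attr *syscall.SysProcAttr) []string {
	if attr == nil {
		return []string{"no SysProcAttr set: child inherits every host namespace"}
	}
	var problems []string
	for _, ns := range namespaceFlags {
		if attr.Cloneflags&ns.flag == 0 {
			problems = append(problems, "missing "+ns.name+" namespace")
		}
	}
	problems = append(problems, checkIDMap("uid", attr.UidMappings)...)
	problems = append(problems, checkIDMap("gid", attr.GidMappings)...)
	return problems
}

func checkIDMap(kind string, maps []syscall.SysProcIDMap) []string {
	if len(maps) == 0 {
		return []string{"no " + kind + " remap"}
	}
	var problems []string
	for _, m := range maps {
		// If this range covers container id 0, the host id it lands on is HostID-ContainerID.
		if m.ContainerID <= 0 && m.ContainerID+m.Size > 0 && m.HostID-m.ContainerID == 0 {
			problems = append(problems, "container root "+kind+" maps to host root")
		}
	}
	return problems
}

func main() {
	// Constructed policy: assumes the host reserves subordinate ids 100000-165535 for the
	// daemon (as an /etc/subuid entry would); adjust to the local allocation.
	attr, err := NestedSysProcAttr(IsolationPolicy{HostUID: 100000, HostGID: 100000, IDRangeSize: 65536})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if problems := CheckIsolation(attr); len(problems) > 0 {
		fmt.Fprintln(os.Stderr, "refusing to start nested container:", problems)
		os.Exit(1)
	}
	// Inside the child, id reports uid 0 while /proc/self/uid_map shows it is host uid
	// 100000. Writing a multi-id map needs CAP_SETUID on the host, so run as the daemon would.
	cmd := exec.Command("/bin/sh", "-c", "id; cat /proc/self/uid_map")
	cmd.SysProcAttr = attr
	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
	if err := cmd.Run(); err != nil {
		fmt.Fprintln(os.Stderr, "start nested process:", err)
		os.Exit(1)
	}
}
```

Two caveats for whoever picks up the fix. A new mount namespace begins as a copy of the parent's mount table, so after this clone the daemon still has to make those mounts private and pivot_root into the container's rootfs; otherwise the host mounts stay visible exactly as the report describes. The seccomp profile and cgroup limits listed above are separate steps not covered by this block.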
Suggested Labels
security, container-isolation, sandbox, privilege-escalation, critical