| - |
If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the "host" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. |
| + |
If you are not providing the ability for untrusted users to start |
| + |
containers in the same network namespace as the shim (typically the |
| + |
"host" network namespace, for example with docker run --net=host or |
| + |
hostNetwork: true in a Kubernetes pod) and run with an effective UID of |
| + |
0, you are not vulnerable to this issue. |
| |
|
| - |
If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. |
| + |
If you are running containers with a vulnerable configuration, you can |
| + |
deny access to all abstract sockets with AppArmor by adding a line |
| + |
similar to deny unix addr=@**, to your policy. |
| |
|
| - |
It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container's privilege, regardless of what container runtime is used for running that container. |
| + |
It is best practice to run containers with a reduced set of privileges, |
| + |
with a non-zero UID, and with isolated namespaces. The containerd |
| + |
maintainers strongly advise against sharing namespaces with the host. |
| + |
Reducing the set of isolation mechanisms used for a container |
| + |
necessarily increases that container's privilege, regardless of what |
| + |
container runtime is used for running that container. |