Linux bitten by second severe vulnerability in as many weeks


beheadedstraw

Ars Scholae Palatinae
661
I am a bit confused by the mentions of virtual machines here. The article almost makes it sound like this is a VM escape vulnerability, but I don't think that's the case based on other sources.
I was confused about this also; this is not a VM escape vulnerability, so why it's mentioned here is beyond me.

beheadedstraw

Ars Scholae Palatinae
661
Containers are nothing special. You've been using them for decades - you know it as "application isolation". Heck, you're using it now - your web browser runs as a separate process from anything else you have running - your email client, your work tools, other things. All a container is is a special mode in Linux that says "you can have your own PIDs", which means you can run init again as PID 1, which can give you a unique userspace environment setup.

But as far as Linux itself is concerned, it's just running a bunch more processes - with a bit more accounting to keep them separated (namespaces). But if you can get access to root, you can do anything, including breaking out of your namespace.

The extra overhead of namespaces is just having a bunch of extra processes running in the background.
Containers/Jails != App Isolation. Apps still have access to your local hardware pointers, files, etc.

Also the only "extra processes" are the tools that manage the namespaces. Hardware resources are also separated via namespace and are presented to the extra namespace if configured as such. You can run as "root" in your own namespace. It's just logically isolated from actual root namespace/filesystem (chroot or in docker/containerd case pivot_root).

macOS is the only OS (besides AppImages/snaps on Linux) that runs full "app isolation" using a form of BSD Jails.
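Added example, not from the thread or any of its posters: a few Python helpers that read the PID-namespace view Linux exposes in /proc, so the "run init again as PID 1" point above and the difference between a namespace's own root and the real root namespace can be checked on a host. The /proc text embedded below is constructed; the NSpid status field and the `/proc/<pid>/ns/*` link format are real kernel interfaces.

```python
"""Inspect Linux PID namespaces via /proc (added example, not thread code)."""
from __future__ import annotations

import re
from pathlib import Path

# Constructed /proc/<pid>/status excerpt for a container's init process.
# The kernel lists the PID in every enclosing PID namespace, outermost first,
# so "PID 1 in the container" is plain PID 4242 to the root namespace.
SAMPLE_STATUS = (
    "Name:\tsh\n"
    "Pid:\t4242\n"
    "NSpid:\t4242\t1\n"
    "NSpgid:\t4242\t1\n"
)


def parse_nspid(status_text: str) -> list[int]:
    """Return the process's PID as seen from each nested PID namespace,
    root namespace first (NSpid is present on kernels since 4.1)."""
    m = re.search(r"^NSpid:\t(.+)$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no NSpid line in status text")
    return [int(x) for x in m.group(1).split()]


def looks_like_container_init(status_text: str) -> bool:
    """True when the process is PID 1 in its innermost namespace but not in
    the root namespace, i.e. an init started inside a PID namespace."""
    pids = parse_nspid(status_text)
    return len(pids) > 1 and pids[-1] == 1 and pids[0] != 1


def _parse_ns_link(link: str) -> tuple[str, int]:
    """Split a readlink('/proc/<pid>/ns/<kind>') result like
    'pid:[4026531836]' into (kind, inode)."""
    m = re.fullmatch(r"(\w+):\[(\d+)\]", link)
    if not m:
        raise ValueError(f"unexpected namespace link: {link!r}")
    return m.group(1), int(m.group(2))


def same_namespace(link_a: str, link_b: str) -> bool:
    """Two processes share a namespace exactly when the inode numbers of
    their /proc/<pid>/ns/<kind> links match; kinds must agree."""
    kind_a, ino_a = _parse_ns_link(link_a)
    kind_b, ino_b = _parse_ns_link(link_b)
    if kind_a != kind_b:
        raise ValueError(f"cannot compare {kind_a} with {kind_b} namespace")
    return ino_a == ino_b


def live_nspid(pid: int | str = "self") -> list[int]:
    """Read the real NSpid chain for a process on this Linux host."""
    return parse_nspid(Path(f"/proc/{pid}/status").read_text())
```

On a container host, `live_nspid(<container pid>)` returns more than one entry for processes started inside a PID namespace, while `live_nspid(1)` returns `[1]` for the host's own init.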