undefined | Better HN

0 pointstptacek1y ago0 comments

I don't believe shared-kernel container systems are real security boundaries to begin with, so, to me, a container running with CAP_BPF isn't much different than any other program a machine owner might opt to run; the point is that you trust the workload, and so the verifier is more of a safety net than a vault door.

0 comments

3 comments · 1 top-level

kortilla1y ago· 2 in thread

That pessimistic view is not shared by everyone who is working on namespaces, cgroups, etc so I think that’s a pretty unproductive comment in this context.

It reminds me of early days in hypervisors when someone would get an exploit to break out of the isolation and someone would dismiss it because “virtual machines aren’t real isolation anyway”.

Look, I get it and I frankly agree with you in the current state of the world, but this is the time to shut up and get out of the way of people trying to make forward progress. Breakouts of containers are a big deal for people pushing the boundary there.

tptacekOP1y ago

I don't know who you're really talking to (it's not me), but all I'm saying is that CAP_BPF doesn't bother me much, because it's problematic only for a security boundary that is already problematic with a much lower degree of difficulty for attackers than the eBPF verifier.

kortilla1y ago

> it's problematic only for a security boundary that is already problematic

I’m absolutely talking to you because you’re dismissing an issue in a space where people are actively working to make it not “already problematic”.

“I don’t care about hypervisor vulnerabilities because they are only problematic for a security boundary that is already problematic. Smart people are bare metal only.”

1 more reply

j / k navigate · click thread line to collapse