17

I ended up having a discussion about Docker and system security today and we came to the point where we asked ourselves whether the latest CVE-2016-0728 exploit (privilege escalation) would affect Docker containers as well.

Docker utilizes the system kernel (which may be vulnerable) but isolates the user (root within its own little space). My questions are the following:

  • Does CVE-2016-0728 affect Docker instances?
  • Will users within a container be able to use CVE-2016-0728 to break out of the container?
StackzOfZtuff
    I think this is really a question for Docker. The obvious answer would be to download their PoC and run it in a Docker container to see what happens. You would also have to be running Linux Kernel v3.18+ – RoraΖ Jan 20 '16 at 16:57

3 Answers

15

This is not a privilege escalation where code gets "only" executed as a higher privileged user. This issue is about execution of code inside the Linux kernel, i.e. the kernel which gets shared between all docker instances and the OS containing the docker instances. This is the highest privilege one could get and at this level one can bypass any kind of restrictions. This means that an unprivileged user which is able to execute this attack can break out of the container.

Steffen Ullrich
  • FWIW I think that Docker 1.10 with seccomp filters may not fall to this as it restricts access to the syscalls used by the exploit. – Rory McCune Feb 12 '16 at 18:16
2

First of all, yes; if your kernel supports keyrings, then docker doesn't prevent their use, which means they also don't prevent exploitation.

But it's worth noting that docker containers are not security containers. While they can and usually do offer some level of security, that isn't their purpose, and design decisions were made that are not compatible with virtualizing hostile code. Isolation has to happen at a layer above that.

tylerl
2

As of Docker 1.10 the answer is that this wouldn't work with the default installation, as the keyctl system call is blocked by the default seccomp filter.

Rory McCune
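To turn the seccomp point above into something you can check, here is an added example (not code from any of the answers or from Docker) that audits a Docker seccomp profile JSON for the keyring syscalls and parses the Seccomp field of /proc/self/status. The syscall list and both sample profiles are constructed assumptions, not Docker's actual default profile.

```python
import json

# Syscalls that enter the kernel keyring code; the CVE-2016-0728 exploit
# drives the keyring refcount through keyctl. List is assumed for this audit.
KEYRING_SYSCALLS = ("keyctl", "add_key", "request_key")

def keyring_syscall_verdicts(profile_json: str) -> dict:
    """Map each keyring syscall to the action a Docker seccomp profile gives it.

    Accepts both the older per-rule "name" field and the newer "names" list.
    A syscall with no matching rule gets the profile's defaultAction.
    """
    profile = json.loads(profile_json)
    default = profile.get("defaultAction", "SCMP_ACT_ERRNO")
    verdicts = {name: default for name in KEYRING_SYSCALLS}
    for rule in profile.get("syscalls", []):
        names = rule.get("names") or ([rule["name"]] if "name" in rule else [])
        for name in names:
            if name in verdicts:
                verdicts[name] = rule.get("action", default)
    return verdicts

def keyring_blocked(profile_json: str) -> bool:
    """True when no keyring syscall is allowed through the filter."""
    return all(action != "SCMP_ACT_ALLOW"
               for action in keyring_syscall_verdicts(profile_json).values())

def seccomp_mode(proc_status: str) -> int:
    """Parse the 'Seccomp:' line of /proc/<pid>/status (2 = filter mode active)."""
    for line in proc_status.splitlines():
        if line.startswith("Seccomp:"):
            return int(line.split()[1])
    return 0  # field absent on kernels built without seccomp

# Constructed sample in the style of Docker's allow-list profile: the keyring
# syscalls are simply absent, so they fall through to the ERRNO default.
HARDENED_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [{"names": ["read", "write", "exit_group"],
                  "action": "SCMP_ACT_ALLOW"}],
})

# Constructed sample of the weak setting: keyctl explicitly allowed again.
WEAK_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [{"name": "read", "action": "SCMP_ACT_ALLOW"},
                 {"name": "keyctl", "action": "SCMP_ACT_ALLOW"}],
})
```

Inside a running container, `grep Seccomp /proc/self/status` gives the text `seccomp_mode` expects; a value of 2 means a filter is active, and the profile audit then tells you whether that filter actually withholds the keyring syscalls.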