On May 7, 2026, at 7:24 PM, Benjamin Hays wrote:
> 
> On 5/7/26 18:28, Jens Axboe wrote:
>> I won't comment too much on this to avoid offending anyone, but I'm a
>> bit puzzled by:
>> 
>> "Once we have the address of modprobe_path (from KASLR step above), we
>> write our script path via /proc/sys/kernel/modprobe:
>> 
>> int fd = open("/proc/sys/kernel/modprobe", O_WRONLY);
>> write(fd, "/var/tmp/evil.sh", 16);
>> 
>> This sysctl entry writes directly into modprobe_path in kernel memory
>> and is writable with CAP_SYS_ADMIN, which we already have via
>> CAP_NET_ADMIN on container configurations that grant both."
>> 
>> as surely the point of a local exploit is, in fact, to gain root in the
>> first place. If you already have CAP_SYS_ADMIN, what is the point?
>> 
>> But hey, someone wrote a blog post about something that sounds
>> dangerous.
> 
> I'm not the original author of the blog post, so I can't speak for their
> intent; however, I imagine the impact for the proposed scenario would be a
> container escape of some kind? It's not exactly uncommon to see containers
> with lax permissions such as the above, given under the assumption that the
> underlying containerization technologies will provide a sufficient level of
> security.

Well, go read the post in detail and see what you think. 
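A small container-side audit for the situation the thread argues about: it decodes the capability sets in /proc/<pid>/status, reports whether CAP_NET_ADMIN and CAP_SYS_ADMIN are granted, and checks whether /proc/sys/kernel/modprobe is writable from the current context. This is an added example, not code from the thread or from the blog post; the sample status text is constructed (Docker's default capability set plus the two extra bits) and the function names are my own.

```python
import os
import re

# Capability bit numbers as defined in <linux/capability.h>.
CAP_NET_ADMIN = 12
CAP_SYS_ADMIN = 21
CAP_NAMES = {CAP_NET_ADMIN: "CAP_NET_ADMIN", CAP_SYS_ADMIN: "CAP_SYS_ADMIN"}

MODPROBE_SYSCTL = "/proc/sys/kernel/modprobe"

# Constructed excerpt of a /proc/<pid>/status file (sample input, not captured
# from a real host). The mask is Docker's default set (0xa80425fb) with bits 12
# (CAP_NET_ADMIN) and 21 (CAP_SYS_ADMIN) added on top.
SAMPLE_STATUS = """\
Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a82435fb
CapEff:\t00000000a82435fb
CapBnd:\t00000000a82435fb
"""


def parse_cap_set(status_text: str, field: str = "CapEff") -> int:
    """Return the hex capability mask for one Cap* field of a status file."""
    m = re.search(rf"^{field}:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if not m:
        raise ValueError(f"{field} not present in status text")
    return int(m.group(1), 16)


def has_cap(mask: int, cap: int) -> bool:
    """True if capability number `cap` is set in `mask`."""
    return bool((mask >> cap) & 1)


def audit_caps(status_text: str) -> dict:
    """Report the two capabilities the thread discusses, from the effective set."""
    eff = parse_cap_set(status_text, "CapEff")
    return {name: has_cap(eff, bit) for bit, name in CAP_NAMES.items()}


def modprobe_sysctl_writable(path: str = MODPROBE_SYSCTL) -> bool:
    """True if this process may write the modprobe sysctl. A read-only /proc/sys
    mount (the usual container default) or a missing file both yield False."""
    return os.access(path, os.W_OK)


if __name__ == "__main__":
    # Audit the running process when /proc is available, else the sample.
    try:
        with open("/proc/self/status") as f:
            status = f.read()
    except OSError:
        status = SAMPLE_STATUS
    print(audit_caps(status), "modprobe sysctl writable:", modprobe_sysctl_writable())
```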
