On May 7, 2026, at 7:24 PM, Benjamin Hays <[email protected]> wrote:
>
> On 5/7/26 18:28, Jens Axboe wrote:
>> I won't comment too much on this to avoid offending anyone, but I'm a
>> bit puzzled by:
>>
>> "Once we have the address of modprobe_path (from KASLR step above), we
>> write our script path via /proc/sys/kernel/modprobe:
>>
>>     int fd = open("/proc/sys/kernel/modprobe", O_WRONLY);
>>     write(fd, "/var/tmp/evil.sh", 16);
>>
>> This sysctl entry writes directly into modprobe_path in kernel memory
>> and is writable with CAP_SYS_ADMIN, which we already have via
>> CAP_NET_ADMIN on container configurations that grant both."
>>
>> as surely the point of a local exploit is, in fact, to gain root in the
>> first place. If you already have CAP_SYS_ADMIN, what is the point?
>>
>> But hey, someone wrote a blog post about something that sounds
>> dangerous.
>
> I'm not the original author of the blog post, so I can't speak for their
> intent; however, I imagine the impact for the proposed scenario would be a
> container escape of some kind? It's not exactly uncommon to see containers
> with lax permissions such as the above, given under the assumption that the
> underlying containerization technologies will provide a sufficient level of
> security.
Well, go read the post in detail and see what you think.
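The thread turns on whether a container already holds CAP_SYS_ADMIN (and CAP_NET_ADMIN), which is what makes the quoted modprobe sysctl step reachable at all. As an added example that is not part of this thread or the blog post, the following audit decodes a process's effective capability mask from `/proc/<pid>/status` and flags those grants; the capability bit numbers are the kernel's, the `CapEff` sample value is constructed, and the `WATCHED` set and helper names are this example's own.

```python
"""Audit a container process's effective capabilities (added example).

Parses the CapEff line of /proc/<pid>/status and reports the grants the
thread describes as lax: CAP_NET_ADMIN, CAP_SYS_MODULE and CAP_SYS_ADMIN.
"""
import re

# Capability bit numbers from <linux/capability.h>.
CAP_NET_ADMIN = 12
CAP_SYS_MODULE = 16
CAP_SYS_ADMIN = 21

# Grants worth flagging in a container; chosen for this example.
WATCHED = {
    CAP_NET_ADMIN: "CAP_NET_ADMIN",
    CAP_SYS_MODULE: "CAP_SYS_MODULE",
    CAP_SYS_ADMIN: "CAP_SYS_ADMIN",
}


def parse_cap_eff(status_text: str) -> int:
    """Return the effective capability mask from a /proc/<pid>/status dump."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)


def dangerous_caps(mask: int) -> list:
    """Names of the watched capabilities present in the mask, in bit order."""
    return [name for bit, name in sorted(WATCHED.items()) if mask >> bit & 1]


def modprobe_sysctl_capable(mask: int) -> bool:
    """True if the mask holds CAP_SYS_ADMIN, the capability the quoted post
    says is needed to write /proc/sys/kernel/modprobe."""
    return bool(mask >> CAP_SYS_ADMIN & 1)


def audit(pid: str = "self") -> list:
    """Read a live process's status file and return its flagged grants."""
    with open(f"/proc/{pid}/status") as f:
        return dangerous_caps(parse_cap_eff(f.read()))


# Constructed sample (not captured from a real host): a typical default
# container set with CAP_NET_ADMIN (bit 12) and CAP_SYS_ADMIN (bit 21) added.
SAMPLE_STATUS = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a82435fb\n"

if __name__ == "__main__":
    mask = parse_cap_eff(SAMPLE_STATUS)
    print("flagged:", dangerous_caps(mask))
    print("CAP_SYS_ADMIN present:", modprobe_sysctl_capable(mask))
```

Even where CAP_SYS_ADMIN is present, the sysctl is only reachable if the runtime mounts `/proc/sys` read-write, so the mount options of the container's `/proc` are the second thing to check.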
