Docker security

Bypassing the API firewall: mounted directory

Even when a sysadmin forbids users from running containers with the --privileged flag or from granting the container any extra capability, they may still permit a host folder to be mounted into the container. Depending on the folder, a user can leverage this permission to make dangerous modifications on the host and sometimes become root.

In the following video, the /tmp directory can be mounted into the container despite the deployed third-party Docker firewall plugin. An attacker leverages this permission to become root on the host machine (using a copy of the /bin/bash binary with the setuid bit set).

In this second video, the /etc directory can be mounted. An attacker takes advantage of this permission to modify the root password in the /etc/shadow file.
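Both videos rely on the same weakness: the firewall policy blocks flags but not the host path behind a bind mount. A defender who cannot change the plugin can at least audit what is already running. The script below is an added example, not code from the page or from any Docker firewall product; it reads `docker inspect` JSON, collects bind mounts from both `HostConfig.Binds` and the `Mounts` array, normalizes the host path (so `/tmp/../etc//` is recognised as `/etc`), and flags any mount whose source falls under a sensitive host directory. The `SENSITIVE_HOST_PATHS` list and the sample inspect output are constructed for the example.

```python
import json
import os
from typing import Dict, List, Optional

# Host directories a container should never see; write access to most of them
# lets a process inside the container alter the host. Constructed policy list
# for this example (not Docker's own): extend it for your environment.
SENSITIVE_HOST_PATHS = [
    "/", "/etc", "/tmp", "/root", "/home", "/boot", "/usr", "/bin", "/sbin",
    "/lib", "/lib64", "/proc", "/sys", "/dev", "/run", "/var/run", "/var/lib/docker",
]

# Constructed sample in the shape of `docker inspect <container>` output, trimmed
# to the fields the audit reads. The bind of /tmp appears in both Binds and Mounts,
# as it does in real output; the named volume is not a host path and is skipped.
SAMPLE_INSPECT = json.loads("""
[{
  "Name": "/web",
  "HostConfig": {"Binds": ["/tmp:/host_tmp", "/etc:/host_etc:ro",
                           "/srv/app/data:/data", "/tmp/../etc//:/x"]},
  "Mounts": [
    {"Type": "bind", "Source": "/tmp", "Destination": "/host_tmp", "RW": true},
    {"Type": "bind", "Source": "/var/run/docker.sock",
     "Destination": "/var/run/docker.sock", "RW": true},
    {"Type": "volume", "Name": "appvol",
     "Source": "/var/lib/docker/volumes/appvol/_data", "Destination": "/vol", "RW": true}
  ]
}]
""")


def normalize_host_path(path: str) -> str:
    """Collapse '..', '.', duplicate and trailing slashes so that
    '/tmp/../etc//' and '//etc' both compare equal to '/etc'."""
    collapsed = os.path.normpath(path)
    # POSIX normpath may keep a leading '//'; fold it to a single slash.
    return "/" + collapsed.lstrip("/")


def matched_sensitive_root(host_path: str) -> Optional[str]:
    """Return the policy entry covering host_path, or None if it is allowed.
    '/' only matches an exact mount of the whole root filesystem."""
    norm = normalize_host_path(host_path)
    for root in SENSITIVE_HOST_PATHS:
        if root == "/":
            if norm == "/":
                return root
        elif norm == root or norm.startswith(root + "/"):
            return root
    return None


def bind_mounts(container: Dict) -> List[Dict]:
    """Collect bind mounts from both places docker inspect reports them:
    HostConfig.Binds ('src:dst[:opts]') and the Mounts array (Type == 'bind').
    Entries are de-duplicated on the normalized (source, destination) pair."""
    seen: Dict = {}
    for spec in container.get("HostConfig", {}).get("Binds") or []:
        parts = spec.split(":")
        # A source without a leading '/' is a named volume, not a host directory.
        if len(parts) < 2 or not parts[0].startswith("/"):
            continue
        opts = parts[2].split(",") if len(parts) > 2 else []
        key = (normalize_host_path(parts[0]), parts[1])
        seen[key] = {"Source": parts[0], "Destination": parts[1], "RW": "ro" not in opts}
    for m in container.get("Mounts") or []:
        if m.get("Type") != "bind":
            continue
        key = (normalize_host_path(m["Source"]), m["Destination"])
        seen.setdefault(key, {"Source": m["Source"], "Destination": m["Destination"],
                              "RW": bool(m.get("RW", True))})
    return list(seen.values())


def audit(inspect_output: List[Dict]) -> List[Dict]:
    """Return one finding per bind mount whose host source is sensitive.
    Read-only mounts are still reported (e.g. /etc exposes password hashes)
    but at lower severity than writable ones."""
    findings = []
    for container in inspect_output:
        name = container.get("Name", "?").lstrip("/")
        for m in bind_mounts(container):
            root = matched_sensitive_root(m["Source"])
            if root is None:
                continue
            findings.append({
                "container": name,
                "source": normalize_host_path(m["Source"]),
                "destination": m["Destination"],
                "rw": m["RW"],
                "policy_root": root,
                "severity": "high" if m["RW"] else "medium",
            })
    return findings


if __name__ == "__main__":
    import sys
    # Usage: docker inspect $(docker ps -q) | python audit_binds.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_INSPECT
    for f in audit(data):
        mode = "rw" if f["rw"] else "ro"
        print(f"[{f['severity']}] {f['container']}: {f['source']} -> "
              f"{f['destination']} ({mode}), under {f['policy_root']}")
```

On the sample the audit reports four findings: the writable /tmp mount, the read-only /etc mount, the disguised /tmp/../etc// mount, and the Docker socket under /var/run. The same matching logic is what an authorization plugin should apply to the `Binds` field of a container-create request before the container exists; checking after the fact only tells you the policy was already bypassed.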