Docker security

Container breakouts: abusing the SYS_MODULE capability

The SYS_MODULE capability allows a process in a container to load and unload kernel modules (the init_module(2), finit_module(2) and delete_module(2) system calls) in the kernel of the host machine, since the container shares that kernel. If it is granted, the kernel can be modified at will, which subverts all system security, including Linux Security Modules and the container isolation itself.

In the following video, an attacker leverages the SYS_MODULE capability granted to the container to load a module that uses the Usermode Helper API and then obtains a reverse shell from the host. The Usermode Helper API is a kernel facility for creating a user-mode process from kernel space.