Security of Docker/Podman in LXC

tobi · November 9, 2023, 11:56am

Hello,
I’m running rootless Podman in an LXC container using the following config:

security.nesting: "true"
security.syscalls.intercept.mknod: "true"
security.syscalls.intercept.setxattr: "true"

From my understanding this does not make the LXC container privileged, is there still a way to break out of it?

stgraber · November 9, 2023, 5:46pm

Nope, that configuration should be perfectly safe.