Podman rootless containers and the Copy Fail exploit
14 hours ago
- #container-security
- #podman
- #linux-vulnerabilities
- CVE-2026-31431 (Copy Fail) allows local unprivileged users to gain root shell access, and it can be exploited within Linux containers.
- Podman supports rootless containers using a fork/exec model, where processes run under unprivileged host users and utilize user namespaces for isolation.
- Rootless containers in Podman map container UIDs to host UIDs via /etc/subuid, with container root mapped to the host's unprivileged user.
- Podman grants Linux capabilities to container processes for privileged operations, but these can be dropped or limited using flags like --cap-drop=all.
- Running containers as non-root users (rootless non-root) and dropping capabilities reduces attack surface and limits exploit impact.
- The Copy Fail exploit can elevate privileges from an unprivileged container user to container root, but running with --security-opt=no-new-privileges and --cap-drop=all can prevent this.
- With bind mounts, container root (mapped to an unprivileged host user) cannot access files owned by host root, which improves isolation.
- Defense-in-depth measures include using read-only containers, resource constraints via cgroups, limiting binaries, firewalling, and understanding image details.
- Podman rootless containers offer better default isolation than Docker, but both can be hardened; however, patching the kernel for Copy Fail is still essential.
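The UID mapping behind the rootless-isolation points above, as an added example that is not part of the original post: container UID 0 maps to the host user's own UID, and container UIDs 1 and up map into the /etc/subuid range in order, so a host-root-owned file (host UID 0) has no container UID at all and shows up as the overflow user "nobody". The sample subuid entry and host UID below are constructed, not taken from a real system.

```shell
# Constructed sample values (not from any real host).
SAMPLE_HOST_UID=1000                 # UID of the unprivileged host user running podman
SAMPLE_SUBUID_LINE="alice:100000:65536"   # one /etc/subuid entry: user:start:count

subuid_start() { printf '%s\n' "$1" | cut -d: -f2; }
subuid_count() { printf '%s\n' "$1" | cut -d: -f3; }

# map_container_uid HOST_UID CONTAINER_UID SUBUID_LINE
# Prints the host UID a container UID is backed by, or "unmapped" when
# the container UID lies outside the subuid range.
map_container_uid() {
  m_host_uid=$1; m_cuid=$2; m_line=$3
  if [ "$m_cuid" -eq 0 ]; then
    # container root is simply the host user, not host root
    echo "$m_host_uid"
    return 0
  fi
  m_start=$(subuid_start "$m_line")
  m_count=$(subuid_count "$m_line")
  m_offset=$((m_cuid - 1))
  if [ "$m_offset" -ge "$m_count" ]; then
    echo "unmapped"
  else
    echo $((m_start + m_offset))
  fi
}

# host_uid_seen_in_container HOST_USER_UID FILE_HOST_UID SUBUID_LINE
# Prints the UID a bind-mounted file appears to have inside the container,
# or "nobody" when its host owner is outside the namespace's mapping
# (this is why files owned by host root are unreadable to container root).
host_uid_seen_in_container() {
  h_user_uid=$1; h_file_uid=$2; h_line=$3
  if [ "$h_file_uid" -eq "$h_user_uid" ]; then
    echo 0
    return 0
  fi
  h_start=$(subuid_start "$h_line")
  h_count=$(subuid_count "$h_line")
  h_end=$((h_start + h_count))
  if [ "$h_file_uid" -ge "$h_start" ] && [ "$h_file_uid" -lt "$h_end" ]; then
    echo $((h_file_uid - h_start + 1))
  else
    echo "nobody"
  fi
}

# Walk through the cases the post describes using the constructed sample.
echo "container uid 0    -> host uid $(map_container_uid "$SAMPLE_HOST_UID" 0 "$SAMPLE_SUBUID_LINE")"
echo "container uid 1    -> host uid $(map_container_uid "$SAMPLE_HOST_UID" 1 "$SAMPLE_SUBUID_LINE")"
echo "container uid 1000 -> host uid $(map_container_uid "$SAMPLE_HOST_UID" 1000 "$SAMPLE_SUBUID_LINE")"
echo "host root (uid 0) file seen in container as: $(host_uid_seen_in_container "$SAMPLE_HOST_UID" 0 "$SAMPLE_SUBUID_LINE")"
```

The second function is the one to keep in mind when reading the bind-mount point: even a process that reaches container root through a kernel bug is still host UID 1000 in this sample, and files owned by host UID 0 stay outside its mapping. Pairing that with --cap-drop=all and --security-opt=no-new-privileges removes the capability set such a process would otherwise inherit, but none of it substitutes for applying the kernel patch.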