What I don't see discussed much is Docker. On macOS it already runs inside a Linux VM, and the setup can be hardened even more (in principle): no bind mounts, no /var/run/docker.sock, non-root user, read-only filesystem, tight resource limits, restricted networking, etc.
Given that, what are the concrete reasons people still consider Docker unsafe?
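The hardening checklist in the question, turned into a small audit over Compose-style service definitions. This is an added example, not code from the thread; the two service dicts are constructed, and the checks assume Compose v2-style keys (`user`, `read_only`, `cap_drop`, `security_opt`, `pids_limit`, `mem_limit`, `network_mode`, `volumes`).

```python
from typing import Dict, List

DOCKER_SOCK = "/var/run/docker.sock"

def is_bind_mount(source: str) -> bool:
    # Compose treats sources starting with / ./ ../ or ~ as host paths (bind
    # mounts); a bare name is a named volume managed by Docker.
    return source.startswith(("/", "./", "../", "~"))

def audit_service(svc: Dict) -> List[str]:
    """Return findings for one Compose-style service; [] means all checks passed."""
    findings = []
    for vol in svc.get("volumes", []):
        src = vol.split(":")[0]
        if src == DOCKER_SOCK:
            findings.append("docker socket mounted (root-equivalent on the host)")
        elif is_bind_mount(src):
            findings.append(f"bind mount from host: {src}")
    if svc.get("privileged"):
        findings.append("privileged mode")
    uid = str(svc.get("user", "root")).split(":")[0]   # default user is root
    if uid in ("root", "0"):
        findings.append("runs as root")
    if not svc.get("read_only"):
        findings.append("writable root filesystem")
    if "ALL" not in [c.upper() for c in svc.get("cap_drop", [])]:
        findings.append("capabilities not dropped (cap_drop: [ALL])")
    if "no-new-privileges:true" not in svc.get("security_opt", []):
        findings.append("no-new-privileges not set")
    if not (svc.get("pids_limit") and svc.get("mem_limit")):
        findings.append("missing pids_limit or mem_limit")
    if svc.get("network_mode") != "none" and not svc.get("networks"):
        findings.append("default bridge networking (no restriction)")
    return findings

# Constructed sample services: a typical loose definition and a hardened one.
WEAK = {"image": "example/app",
        "volumes": ["/var/run/docker.sock:/var/run/docker.sock", "./src:/app"]}
HARDENED = {
    "image": "example/app",
    "user": "1000:1000",
    "read_only": True,
    "cap_drop": ["ALL"],
    "security_opt": ["no-new-privileges:true"],
    "pids_limit": 128,
    "mem_limit": "256m",
    "network_mode": "none",
    "volumes": ["appdata:/data"],   # named volume, not a host path
}
```

Running `audit_service(WEAK)` reports eight findings (socket mount, bind mount, root user, writable rootfs, capabilities, no-new-privileges, limits, networking); `audit_service(HARDENED)` returns an empty list. None of these checks change the fact rvz raises below: the container still shares the kernel of whatever it runs on.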
rvz•1h ago
Docker shares the same kernel as the host and is at risk of allowing container escapes, and all it takes is for it to be exploited at the kernel level. [0]
As long as you run Docker on the host (which doesn't provide kernel isolation), the host will always be at risk of container escapes.
[0] https://www.sysdig.com/blog/runc-container-escape-vulnerabil...
fdeage•1h ago
(also, on macOS specifically, Docker runs inside a Linux VM, so the shared kernel is the VM's kernel, not the host's. Are there known escapes from containers to Docker Desktop VM to macOS host?)