12 Jul
Security issues with cgroup device access in privileged container
I'm currently working on a project where I need to edit a runc configuration to stop allowing wildcard cgroup device access inside the container, or essentially writing the rule below to devices.allow. This is apparently due to some potential security issues, but I do not understand how this could be exploited by a user inside the container. Is this insecure at all, and can it be exploited?
{"allow" : true,
 "type" : "a",
 "access" : "rwm"}
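Added here as an audit check, not from the question or from runc: a Python script that reads the rule above in its OCI/runc config.json form (the `linux.resources.devices` list, which is what runc turns into devices.allow/deny writes), flags every allow rule that is not pinned to a single device node, and contrasts it with a constructed deny-all-first allow-list. The config path and the hardened device list are assumptions; the device major/minor numbers are the standard Linux ones.

```python
import json

# Constructed sample: the wildcard rule from the question as an OCI/runc
# config.json fragment (assumption: it sits under linux.resources.devices).
WILDCARD_CONFIG = json.loads("""{"linux": {"resources": {"devices": [
  {"allow": true, "type": "a", "access": "rwm"}
]}}}""")

# Constructed hardened variant: deny everything first, then allow only the
# character devices a typical container needs (null, zero, random, urandom, tty).
HARDENED_CONFIG = json.loads("""{"linux": {"resources": {"devices": [
  {"allow": false, "access": "rwm"},
  {"allow": true, "type": "c", "major": 1, "minor": 3, "access": "rwm"},
  {"allow": true, "type": "c", "major": 1, "minor": 5, "access": "rwm"},
  {"allow": true, "type": "c", "major": 1, "minor": 8, "access": "rwm"},
  {"allow": true, "type": "c", "major": 1, "minor": 9, "access": "rwm"},
  {"allow": true, "type": "c", "major": 5, "minor": 0, "access": "rwm"}
]}}}""")

def device_rules(config):
    return config.get("linux", {}).get("resources", {}).get("devices", [])

def is_catch_all(rule):
    # Per the OCI spec an unset type means "a" and unset major/minor mean "all".
    return (rule.get("type", "a") == "a"
            and rule.get("major") is None and rule.get("minor") is None)

def starts_with_deny_all(config):
    """True if rule 0 denies every device, so later allows form an explicit list."""
    rules = device_rules(config)
    return bool(rules) and not rules[0].get("allow") and is_catch_all(rules[0])

def wildcard_allows(config):
    """(index, scope, access) for each allow rule not pinned to one device node."""
    findings = []
    for idx, rule in enumerate(device_rules(config)):
        if not rule.get("allow"):
            continue
        dev_type = rule.get("type", "a")
        access = rule.get("access", "rwm")
        if dev_type == "a":
            findings.append((idx, "all devices", access))
        elif rule.get("major") is None or rule.get("minor") is None:
            scope = "all %s devices %s:%s" % (dev_type, rule.get("major", "*"),
                                              rule.get("minor", "*"))
            findings.append((idx, scope, access))
    return findings
```

Running `wildcard_allows(WILDCARD_CONFIG)` reports rule 0 as granting rwm on all devices, while the hardened list reports nothing and `starts_with_deny_all` confirms its default-deny first rule.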