Docker Community Forums

Read memory belonging to another container

The field of maliciously accessing another process’s memory has been broadly studied in the Linux environment.

But for some reason I am not able to find a similar discussion for the Docker environment, despite the fact that Covert Channel Attacks have been studied.

Differences I can think of are:

  1. PID namespace - what is the impact of it?
  2. Reduced capabilities and system call filtering can make it harder for a simple container execution (`docker run -it ubuntu:latest /bin/bash`) to access the memory.

I wish to ask what the similarities and differences between the two environments are.
Supposing all capabilities are granted, is there really a difference whether I run a container or not?