Comment 8 for bug 1910456
Revision history for this message
| Jamie Strandboge (jdstrand) wrote Re: container management snaps should have Delegates=true in their systemd unit | #8 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
bbfa235
(Get the code!)
> I think the issue here (and why this deserves a CVE) is not that the snap services can escape confinement due to this issue, but rather that the container management agents like dockerd are not able to effectively confine their own containers without Delegate=true.
That's a fair point. Based on your assessment, it surely isn't a bug in the docker snap or any of the others because they aren't in a position to fix the issue. It still seems like a bit of a gray area and feels more like a bug. I defer to Alex and Seth who are more up to date on the current guidelines.