Downloading from 'fedora'... done
A MacBook Air M5 on a table.Devindra Hardawar for Engadget
,详情可参考夫子
Docker applies a default seccomp profile that blocks around 40 to 50 syscalls. This meaningfully reduces the attack surface. But the key limitation is that seccomp is a filter on the same kernel. The syscalls you allow still enter the host kernel’s code paths. If there is a vulnerability in the write implementation, or in the network stack, or in any allowed syscall path, seccomp does not help.
Last summer Greg met Lucy, now in her 20s, for the first time.
更重要的是,一旦贴上防窥膜,就像是戴上了紧箍的孙悟空一样没法取下来了——