Hertz: Abusing privileged and unprivileged Linux containers
Posted Jun 2, 2016 17:10 UTC (Thu) by jejb (subscriber, #6654)
In reply to: Hertz: Abusing privileged and unprivileged Linux containers by spender
Parent article: Hertz: Abusing privileged and unprivileged Linux containers
Agree here: one of the great powers of the Linux container API is that it allows you to do many things, some of which are definitely not "secure". It's actually a feature of containers that we can do things (like pass file descriptors between containers) which other virtualization technology can't, but which deliberately requires a degree of trust between the two containers doing the sharing. The problem is that security isn't an absolute, it's a tradeoff between the risks you're willing to run for the features you want to enable.

I suppose there's some vague value in a paper identifying common misconfigurations, but realistically in a complex interface like this, there are always going to be ways of misusing it. Perhaps we should start classifying APIs on the Rusty type scale starting with "impossible to use securely".
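The descriptor-passing feature mentioned above, as an added example that is not part of the comment thread or of the Hertz paper: one process opens a file the other cannot reach by name, then hands the open descriptor over a Unix-domain socket with SCM_RIGHTS. This is the mechanism that works across mount namespaces, because the receiver gets a copy of the open file description, not a path. For the sake of a stand-alone program a socketpair() and fork() stand in for two containers sharing a socket; the namespace boundary itself is assumed rather than created, and the file contents are constructed.

```c
// Added example (not from the LWN thread or the paper): sending an open file
// descriptor to another process over a Unix-domain socket with SCM_RIGHTS.
// Assumption: the socketpair plays the role of a socket shared between two
// containers; no real namespace isolation is set up here.
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>

/* Send one fd as ancillary data; a single dummy byte carries the message. */
static int send_fd(int sock, int fd) {
    char dummy = 'x';
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    memset(cbuf, 0, sizeof cbuf);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one fd; the kernel installs it in the receiver's fd table. */
static int recv_fd(int sock) {
    char dummy;
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* An open file with no usable path: memfd if available, else an unlinked tempfile. */
static int make_secret_fd(const char *secret, size_t len) {
    int fd = memfd_create("secret", 0);
    if (fd < 0) {
        char path[] = "/tmp/scmrights-XXXXXX";
        fd = mkstemp(path);
        if (fd < 0) return -1;
        unlink(path);
    }
    if (write(fd, secret, len) != (ssize_t)len) { close(fd); return -1; }
    return fd;
}

/* Returns 0 if the child read the parent's secret through the descriptor it
 * received, having closed every other handle to it and never opened it by path. */
int pass_fd_demo(void) {
    const char secret[] = "constructed secret";   /* constructed sample data */
    int fd = make_secret_fd(secret, sizeof secret);
    if (fd < 0) return -1;

    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                         /* "receiving container" */
        close(sv[0]); close(fd);
        int got = recv_fd(sv[1]);
        if (got < 0) _exit(2);
        char buf[sizeof secret];
        if (pread(got, buf, sizeof buf, 0) != (ssize_t)sizeof buf) _exit(3);
        _exit(memcmp(buf, secret, sizeof secret) == 0 ? 0 : 4);
    }
    close(sv[1]);                           /* "sending container" */
    int rc = send_fd(sv[0], fd);
    close(sv[0]); close(fd);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (rc != 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    int rc = pass_fd_demo();
    printf("child read the secret via the received fd: %s\n", rc == 0 ? "yes" : "no");
    return rc;
}
```

The point for the tradeoff above: once a descriptor has crossed the socket, the receiver holds the same open file description as the sender, with the sender's access mode, regardless of what the receiver's own mount namespace or filesystem permissions would allow. Whatever reads from that socket is therefore trusted with everything the sender chooses to pass, which is exactly the sharing relationship the comment says must exist between the two containers.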