Escape from a bind mount

Gandalf Corvotempesta gandalf.corvotempesta at
Thu Sep 22 13:31:45 UTC 2016

2016-09-22 15:02 GMT+02:00 Jann Horn <jann at>:
> This was fixed by Eric Biederman in the "Bind mount escape fixes" patch series
> in August 2015.
> Relevant commits are 397d425d and cde93be4 (maybe more? I'm not sure).

So, now is not possible to escape from bind ? There was a reference to
this in official Docker docs.

Just for my info: to escape from the container, an attacker would have
to move the bound directory directly from the host? Having access only
to the container would't make this issue happen ?
In example, if I have bound as follow:
   /mnt/dir1 => /home/myuser/path_inside_container

moving (from the host) /mnt/dir1 to somewhere else like /tmp/dir1 will
make the container able to escape ?

More information about the Containers mailing list