runc-vuln-detector

This gadget detects attempts to exploit the following runc vulnerability and blocks the offending container start.

CVE-2024-21626

How to use

Because of CVE-2024-21626, a container workload can access the host filesystem; here an Ubuntu container reads the host's /etc/os-release on a Fedora host:

$ docker run -ti --rm --workdir=/proc/self/fd/9 ubuntu grep ^ID= ../../../etc/os-release
ID=fedora

runc-vuln-detector detects and blocks exploitation of CVE-2024-21626. Run the gadget in one terminal, then repeat the container start in another:

$ IG_EXPERIMENTAL=true sudo -E ig run ghcr.io/alban/runc-vuln-detector:latest
INFO[0000] Experimental features enabled
RUNTIME.CONTAINERNAME MNTNS_ID   PID    COMM          PATH
                      4026533066 409484 runc:[2:INIT] /proc/self/fd/9
$ docker run -ti --rm --workdir=/proc/self/fd/9 ubuntu grep ^ID= ../../../etc/os-release
docker: Error response from daemon: cannot start a stopped process: unknown.
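The heuristic the trace above shows (runc's init process entering a working directory under /proc/self/fd/) can also be applied in userspace, for instance over saved gadget output or over an OCI config.json before a container starts. The following is an added example, not the gadget's own eBPF code; the table layout it parses is the one printed above, the sample lines are constructed, and the OCI process.cwd field is from the runtime spec.

```python
import re

# Constructed sample of the gadget's table output (not captured data).
SAMPLE_OUTPUT = """RUNTIME.CONTAINERNAME MNTNS_ID   PID    COMM          PATH
                      4026533066 409484 runc:[2:INIT] /proc/self/fd/9
web                   4026533070 409600 bash          /usr/src/app
                      4026533071 409700 runc:[2:INIT] /
"""

# A working directory that resolves through a process' fd table:
# /proc/self/fd/N, /proc/<pid>/fd/N or /proc/thread-self/fd/N, with or
# without a trailing component. Checked before any path normalisation so
# that "/proc/self/fd/9/../../.." is still caught.
PROC_FD_RE = re.compile(r"^/proc/(?:self|thread-self|\d+)/fd/\d+(?:/.*)?$")

def is_proc_fd_cwd(path: str) -> bool:
    """True if the path points into a /proc/.../fd/ directory."""
    return bool(PROC_FD_RE.match(path))

def parse_events(text: str):
    """Parse the fixed-column table printed by ig into dicts.

    The container-name column is blank for runc's own init process, so the
    columns are taken from the right; paths containing spaces are not handled.
    """
    events = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 4:
            continue
        events.append({
            "name": parts[0] if len(parts) == 5 else "",
            "mntns": parts[-4], "pid": int(parts[-3]),
            "comm": parts[-2], "path": parts[-1],
        })
    return events

def find_exploit_attempts(text: str):
    """(pid, path) for runc init processes whose cwd is under /proc/.../fd/."""
    return [(e["pid"], e["path"]) for e in parse_events(text)
            if e["comm"].startswith("runc:[") and is_proc_fd_cwd(e["path"])]

def oci_cwd_is_suspicious(spec: dict) -> bool:
    """Preventive check on an OCI runtime spec (config.json) process.cwd."""
    return is_proc_fd_cwd(spec.get("process", {}).get("cwd", "/"))
```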

Limitations

This gadget is for demonstration only and is not designed for real-world security. Malicious software can easily bypass its detection.