So, without further ado, how does our friend shocker.c accomplish this? At first glance I don't know why and has little time to dig into the issue why it has a CVE now. This is similar to the way the setuid bit works. reveals too much data the kernel should deny it. This is the man page for capabilities. It's a great question, and one that can also be answered by the `open_by_handle_at` man page: So, where file descriptors are unique per process, which means you can't easily pass them around, the idea is you can pass around these file handles (which represent a structure that describes an open file system entry in the kernel) to other processes. A Docker container, for example, would normally be a part of the /docker/
cap_dac_override docker escape