AIUI they haven't shown a container escape and are just claiming it so far. Or did I miss something?

Having write access on anything you can read should be enough if libraries or binaries are shared (read-only) between the host and container.
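A host-side check for the sharing condition described in the comment above, as an added example that is not part of the thread: it reads `docker inspect` JSON and lists read-only bind mounts that expose host binary or library directories to a container. The directory list, the function names and the sample data are assumptions made for illustration.

```python
import json
from pathlib import PurePosixPath

# Assumption: host directories that usually hold executables or shared libraries.
CODE_DIRS = [PurePosixPath(p) for p in ("/bin", "/sbin", "/lib", "/lib64", "/usr", "/opt")]

# Constructed sample in the shape of `docker inspect <id>...` output (not real data).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/build-agent", "Mounts": [
        {"Type": "bind", "Source": "/usr/lib/x86_64-linux-gnu",
         "Destination": "/hostlibs", "RW": False},
        {"Type": "bind", "Source": "/srv/data", "Destination": "/data", "RW": False},
        {"Type": "bind", "Source": "/opt/tools", "Destination": "/tools", "RW": True},
        {"Type": "volume", "Source": "/var/lib/docker/volumes/cache/_data",
         "Destination": "/cache", "RW": True},
    ]},
    {"Name": "/debug", "Mounts": [
        {"Type": "bind", "Source": "/", "Destination": "/host", "RW": False},
    ]},
])


def is_under(path, parent):
    """True if path equals parent or lies below it."""
    return path == parent or parent in path.parents


def shared_code_mounts(inspect_json):
    """Return (container, host_source, container_dest) for each read-only
    bind mount that overlaps a host code directory."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "?").lstrip("/")
        for mount in container.get("Mounts", []):
            # Only read-only bind mounts: these are the files an operator
            # expects the container to be unable to modify.
            if mount.get("Type") != "bind" or mount.get("RW", True):
                continue
            src = PurePosixPath(mount["Source"])
            # Flag a source inside a code dir, or one that contains a code
            # dir (for example the whole host root mounted read-only).
            if any(is_under(src, d) or is_under(d, src) for d in CODE_DIRS):
                findings.append((name, mount["Source"], mount["Destination"]))
    return findings


if __name__ == "__main__":
    for name, src, dst in shared_code_mounts(SAMPLE_INSPECT):
        print(f"{name}: host {src} shared read-only at {dst}")
```

Writable bind mounts are skipped on purpose, since they are a separate configuration problem that does not depend on any bug.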