Cybersecurity
Container escapes bypass audits via CAP_SYS_ADMIN and two-container chains
Standard Docker security audits check for privileged mode but miss CAP_SYS_ADMIN capability, which enables host filesystem access without triggering flags. Separately, attackers can chain containers with docker.sock access and host mounts to escalate privileges - neither container alone appears dangerous.