
FUD


Example here: http://blog.bofh.it/debian/id_413

* Got root in the container.

* You "know" where that is mapped to on the host, because it is based on the UID of the container which is set as the hostname.

* You configure a trigger to run a script, using that knowledge.

* Code happens on the host, outside the container.


The above example is about LXC and sysfs. We are talking about docker, which uses aufs.


Indeed, this is an LXC attack, rather than docker-specific.

But, that said, the attack works as specified against docker 0.11.0, largely because guests do have sysfs mounted at /sys.
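The condition the last comment hinges on is that sysfs is mounted inside the guest, and the LXC write-to-sysfs chain above only works if that mount is writable. Below is an added example, not code from the thread, from the linked blog post, or from Docker/LXC, that checks a mount table for a sysfs mount without the `ro` option. The function names `sysfs_is_writable` and `check_live` and the two sample mount tables are my own constructions; the samples are not captured from a real host or container.

```shell
#!/bin/sh
# Added example (not from the thread, the linked post, Docker or LXC):
# check whether sysfs is mounted writable inside a container, the
# precondition the thread gives for the LXC attack working on docker 0.11.0.

# sysfs_is_writable MOUNT_TABLE
#   MOUNT_TABLE is text in /proc/self/mounts format:
#   <device> <mountpoint> <fstype> <options> <dump> <pass>
#   Returns 0 (true) if any sysfs mount lacks the "ro" option, else 1.
sysfs_is_writable() {
    printf '%s\n' "$1" | awk '
        $3 == "sysfs" {
            n = split($4, opts, ",")
            ro = 0
            for (i = 1; i <= n; i++) if (opts[i] == "ro") ro = 1
            if (!ro) writable = 1
        }
        END { exit writable ? 0 : 1 }'
}

# Constructed sample mount tables (assumed, not captured from a real system).
SAMPLE_WRITABLE='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
none / aufs rw,relatime 0 0'

SAMPLE_RO='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
none / aufs rw,relatime 0 0'

# check_live: run the same check against this process's real mount table,
# which inside a container shows the guest's view of /sys.
check_live() {
    if [ -r /proc/self/mounts ]; then
        if sysfs_is_writable "$(cat /proc/self/mounts)"; then
            echo "WARNING: sysfs is mounted read-write at one or more mount points"
            return 1
        fi
        echo "OK: no writable sysfs mount found"
    else
        echo "SKIP: /proc/self/mounts not readable"
    fi
    return 0
}

check_live || true
```

Run it from inside the guest as the container's root; a WARNING means the sysfs half of the chain described above (root in the container, a known host path, a trigger written into sysfs) is available, and the remaining question is only whether the host path of the container's filesystem is guessable, as the first comment claims for the hostname-derived UID.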



