Container escape on public GitLab CI Runners
Container escape within GitLab CI Runners abusing cgroup's release_agent functionality, as CI jobs are allowed to mount file-systems. The release_agent is a script that is executed when a cgroup hierarchy becomes empty. So the attacker can mount -t cgroup... (requires a --privileged container) to some mount point, enable notify_on_release, and write the path to a release_agent script. That agent script will be executed on the host system. The release_agent technique is fairly well known, and Trail of Bits has done a pretty detailed writeup on it.
The author here didn't go beyond the container escape, and GitLab has indicated that there is limited impact with the keys they could leak: the Google Cloud Service keys, for example, are only useful for logging (it's unclear if this is still the case, as that is from a 2019 report). GitLab closed the report as informational and is okay with this risk. While it's true that on its own this might not be a very useful breakout, as it is a container inside a VM, it is potentially the first stage in a full breakout and in my opinion worth fixing, especially as the author points out there doesn't appear to be a strong reason for running the container as privileged.
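The escape described above needs two things to line up: a runner whose Docker executor is configured with `privileged = true`, and a cgroup v1 hierarchy whose `notify_on_release` and `release_agent` files can be written. The following is an added defender-side check, not code from the original report or from GitLab. It flags privileged runners in a GitLab Runner `config.toml` (the `[runners.docker]` / `privileged` key is the real setting; the sample config and runner names are constructed) and reports any cgroup v1 hierarchy root on the current host where a release agent is armed. The TOML handling is a deliberately minimal subset parser, enough for these keys only.

```python
"""Defender-side checks for the release_agent container-escape preconditions.

Added example, not GitLab's code. Two checks:
  1. find_privileged_runners(): which runners in config.toml set privileged = true
  2. scan_cgroup_v1_roots(): which cgroup v1 hierarchies on this host have
     notify_on_release=1 together with a non-empty release_agent path
"""
import os
import re
from typing import Dict, List

# Constructed sample config.toml; runner names and images are made up.
SAMPLE_CONFIG = """\
concurrent = 4

[[runners]]
  name = "shared-runner-1"
  executor = "docker"
  [runners.docker]
    image = "alpine:3.18"
    privileged = true
    volumes = ["/cache"]

[[runners]]
  name = "shared-runner-2"
  executor = "docker"
  [runners.docker]
    image = "alpine:3.18"
    privileged = false
"""


def find_privileged_runners(config_text: str) -> List[str]:
    """Return names of runners whose [runners.docker] block sets privileged = true.

    Minimal TOML-subset parser: tracks [[runners]] array entries and the
    current sub-table header, reads only 'name' and 'privileged'.
    """
    runners: List[dict] = []
    current = None          # the [[runners]] entry being filled in
    section = None          # header of the table we are currently inside
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[[runners]]":
            current = {"name": "<unnamed>", "privileged": False}
            runners.append(current)
            section = "runners"
            continue
        header = re.match(r"\[([\w.]+)\]$", line)
        if header:
            section = header.group(1)
            continue
        kv = re.match(r"(\w+)\s*=\s*(.+)$", line)
        if kv and current is not None:
            key, value = kv.group(1), kv.group(2).strip()
            if section == "runners" and key == "name":
                current["name"] = value.strip('"')
            elif section == "runners.docker" and key == "privileged":
                current["privileged"] = value.lower() == "true"
    return [r["name"] for r in runners if r["privileged"]]


def release_agent_armed(notify_on_release: str, release_agent: str) -> bool:
    """True when a hierarchy root will run a release agent on empty cgroups.

    Both conditions must hold: notify_on_release is '1' and release_agent names
    a path. Either one alone does nothing.
    """
    return notify_on_release.strip() == "1" and release_agent.strip() != ""


def scan_cgroup_v1_roots(base: str = "/sys/fs/cgroup") -> Dict[str, str]:
    """Map hierarchy name -> release_agent path for every armed cgroup v1 root.

    On a cgroup v2 (unified) host the per-controller files do not exist and the
    result is empty, which is the expected safe outcome.
    """
    findings: Dict[str, str] = {}
    if not os.path.isdir(base):
        return findings
    for name in sorted(os.listdir(base)):
        root = os.path.join(base, name)
        try:
            with open(os.path.join(root, "notify_on_release")) as fh:
                nor = fh.read()
            with open(os.path.join(root, "release_agent")) as fh:
                agent = fh.read()
        except OSError:
            continue  # not a v1 hierarchy root (or unreadable); skip it
        if release_agent_armed(nor, agent):
            findings[name] = agent.strip()
    return findings


if __name__ == "__main__":
    print("privileged runners in sample config:", find_privileged_runners(SAMPLE_CONFIG))
    print("armed cgroup v1 release agents on this host:", scan_cgroup_v1_roots())
```

Run it against a real `config.toml` by reading the file into `find_privileged_runners`; any name it returns is a runner where a job can reach the host via this route and where, as the post notes, the privileged flag is probably not needed. A non-empty result from `scan_cgroup_v1_roots` on a runner host is worth alerting on, since a release agent is rarely configured on purpose there.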