This white paper by Jesse Hertz [PDF] examines various ways to compromise and escape from containers on Linux systems. “A common configuration for companies offering PaaS solutions built on containers is to have multiple customers’ containers running on the same physical host. By default, both LXC and Docker setup container networking so that all containers share the same Linux virtual bridge.
Read more at LWN