
SYSTEM Cited by 1 source

runC

runC is the OCI reference container runtime: a Go binary that takes an OCI bundle (a root filesystem plus a config.json) and spawns the process inside a combination of Linux namespaces, cgroups, privilege dropping (capability sets, no_new_privs), seccomp-bpf, and mandatory access control (SELinux or AppArmor). It is the default runtime under Docker and containerd, and therefore under most Kubernetes installations.

(Source: sources/2026-04-21-figma-server-side-sandboxing-containers-and-seccomp)

Role in the container-escape attack surface

Figma decomposes the container-escape surface into three components (concepts/container-escape):

  1. OS primitives exposed to the runtime — kernel vulnerabilities in namespaces / cgroups / seccomp / SELinux / AppArmor paths.
  2. Runtime implementation bugs — bugs in runC itself (CVE-2019-5736 was the landmark: a malicious container could overwrite the host's runc binary through /proc/self/exe, so the next runc invocation ran attacker code with host root; every Docker/Kubernetes install had to patch).
  3. Runtime configuration — the operator's choices.

runC sits on the middle axis: it runs with host privileges while it performs the container-launch sequence (its Go code plus the small C nsexec stub that enters the new namespaces), so a bug there can be weaponised even on a fully patched kernel.
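The bundle runC consumes is a rootfs plus a config.json, and the third axis above (runtime configuration) is exactly what that file says. The following added example, which is not code from runC or from the Figma post, lints a config.json for the weak settings an operator can introduce: it checks process.noNewPrivileges, the capability sets, the namespace list (including a user namespace when the process is uid 0), linux.seccomp and its defaultAction, root.readonly, the MAC profile fields and linux.maskedPaths. The field names follow the OCI runtime spec; the capability denylist, the expected-namespace set and both sample bundles are my own constructions, not runC defaults.

```python
"""Lint an OCI runtime-spec config.json for weak operator choices.

Added example; not runC's own code. Field names follow the OCI runtime
spec (process.noNewPrivileges, process.capabilities, linux.namespaces,
linux.seccomp, linux.maskedPaths, root.readonly). The capability
denylist, expected-namespace set and sample bundles are constructed.
"""
import json
import sys
from typing import Any

# Capabilities that, held inside a container, are enough to reach the host
# (mount, module load, ptrace, raw I/O, bpf ...). Constructed denylist.
DANGEROUS_CAPS = {
    "CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_SYS_RAWIO",
    "CAP_SYS_BOOT", "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH", "CAP_BPF",
    "CAP_PERFMON", "CAP_SYSLOG",
}
# Namespaces a workload should never share with the host.
EXPECTED_NS = {"pid", "mount", "ipc", "uts", "network"}
# Seccomp default actions that actually deny syscalls not on the allow list.
DENYING_DEFAULTS = {"SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS",
                    "SCMP_ACT_KILL_THREAD", "SCMP_ACT_TRAP"}


def lint_config(cfg: dict[str, Any]) -> list[str]:
    """Return 'key: message' findings; an empty list means nothing weak found."""
    findings = []
    proc = cfg.get("process", {})
    linux = cfg.get("linux", {})
    ns_types = {ns.get("type") for ns in linux.get("namespaces", [])}

    if not proc.get("noNewPrivileges", False):
        findings.append("no-new-privs: process.noNewPrivileges is unset; setuid binaries can regain privilege")

    held = set()  # union of all five capability sets
    for cap_set in ("bounding", "effective", "permitted", "inheritable", "ambient"):
        held.update(proc.get("capabilities", {}).get(cap_set, []))
    bad = sorted(held & DANGEROUS_CAPS)
    if bad:
        findings.append("caps: host-reaching capabilities held: " + ", ".join(bad))

    if proc.get("user", {}).get("uid", 0) == 0 and "user" not in ns_types:
        findings.append("uid0-no-userns: runs as real uid 0 with no user namespace")

    missing = sorted(EXPECTED_NS - ns_types)
    if missing:
        findings.append("namespaces: shared with the host: " + ", ".join(missing))

    seccomp = linux.get("seccomp")
    if seccomp is None:
        findings.append("seccomp: linux.seccomp absent; every syscall the kernel exposes is reachable")
    elif seccomp.get("defaultAction") not in DENYING_DEFAULTS:
        findings.append(f"seccomp: defaultAction {seccomp.get('defaultAction')} allows unlisted syscalls")

    if not cfg.get("root", {}).get("readonly", False):
        findings.append("rootfs: root.readonly is false")

    if not proc.get("apparmorProfile") and not proc.get("selinuxLabel"):
        findings.append("mac: neither process.apparmorProfile nor process.selinuxLabel is set")

    if "/proc/kcore" not in linux.get("maskedPaths", []):
        findings.append("masked-paths: /proc/kcore is not in linux.maskedPaths")
    return findings


def lint_json(text: str) -> list[str]:
    """Lint the contents of a config.json given as a string."""
    return lint_config(json.loads(text))


# Constructed sample: roughly what a "privileged-ish" bundle looks like.
WEAK_CONFIG = """{
  "ociVersion": "1.0.2",
  "process": {"user": {"uid": 0, "gid": 0}, "args": ["/bin/sh"], "cwd": "/",
    "noNewPrivileges": false,
    "capabilities": {"bounding":  ["CAP_CHOWN", "CAP_NET_ADMIN", "CAP_SYS_ADMIN"],
                     "effective": ["CAP_CHOWN", "CAP_NET_ADMIN", "CAP_SYS_ADMIN"],
                     "permitted": ["CAP_CHOWN", "CAP_NET_ADMIN", "CAP_SYS_ADMIN"]}},
  "root": {"path": "rootfs", "readonly": false},
  "linux": {"namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "ipc"}, {"type": "uts"}]}
}"""

# Constructed sample: the same bundle with every check satisfied.
HARDENED_CONFIG = """{
  "ociVersion": "1.0.2",
  "process": {"user": {"uid": 1000, "gid": 1000}, "args": ["/bin/sh"], "cwd": "/",
    "noNewPrivileges": true, "apparmorProfile": "docker-default",
    "capabilities": {"bounding": ["CAP_NET_BIND_SERVICE"], "effective": ["CAP_NET_BIND_SERVICE"],
                     "permitted": ["CAP_NET_BIND_SERVICE"]}},
  "root": {"path": "rootfs", "readonly": true},
  "linux": {
    "namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "ipc"}, {"type": "uts"},
                   {"type": "network"}, {"type": "user"}],
    "uidMappings": [{"containerID": 0, "hostID": 100000, "size": 65536}],
    "gidMappings": [{"containerID": 0, "hostID": 100000, "size": 65536}],
    "maskedPaths": ["/proc/kcore", "/proc/keys", "/proc/sysrq-trigger", "/sys/firmware"],
    "seccomp": {"defaultAction": "SCMP_ACT_ERRNO", "architectures": ["SCMP_ARCH_X86_64"],
                "syscalls": [{"names": ["read", "write", "openat", "close", "fstat",
                                        "mmap", "brk", "exit_group"],
                              "action": "SCMP_ACT_ALLOW"}]}}
}"""

if __name__ == "__main__":
    # Usage: python lint_oci.py /path/to/bundle/config.json (defaults to the weak sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONFIG
    for line in lint_json(text) or ["ok: no weak settings found"]:
        print(line)
```

Run it against a bundle's config.json, or with no argument to lint the constructed weak sample, which yields eight findings; the hardened sample yields none. A clean result here only closes the configuration axis: it says nothing about the kernel (axis 1) or a bug in runC itself (axis 2).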

Positioning vs alternatives

  • gVisor (runsc) — OCI-compatible alternative runtime; interposes a user-space reimplemented kernel, shrinking kernel attack surface.
  • crun — C re-implementation of the OCI runtime (not yet on the wiki).
  • kata-containers — VM-based OCI runtime (each container gets its own micro-VM); brings concepts/micro-vm-isolation into OCI-land.
