This is why I’ve been running LXC with AppArmor on this box.

Of course I run my own container images, and of course AppArmor is a pain, but it saved my bacon the one time I had an outside breach on a test container I instantiated from an old, vulnerable rootfs and forgot to shut down late at night.
Still, nothing’s uncrackable. Even if this is suitably patched in Docker 1.0, there are sure to be other attack vectors.