Containers are restricted from acquiring new privileges
Description
By default, you should restrict containers from acquiring additional privileges via SUID or SGID binaries.
Rationale
A process can set the no_new_priv bit in the kernel, and this persists across forks, clones and execve. The no_new_priv bit ensures that the process and its child processes do not gain any additional privileges via SUID or SGID bits. This reduces the security risks associated with many dangerous operations because there is a much reduced ability to subvert privileged binaries. Setting this at the daemon level ensures that by default all new containers are restricted from acquiring new privileges.
Audit
Confirm that the no-new-privileges setting is not false by reviewing the dockerd startup options and the /etc/docker/daemon.json file. To review the dockerd startup options, run:
Ensure that the --no-new-privileges parameter is present and that it is not set to false.
Also check the value of the no-new-privileges setting in the /etc/docker/daemon.json file.
Remediation
Run the Docker daemon with the --no-new-privileges flag. For example: dockerd --no-new-privileges
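The audit above has two sources to reconcile (the dockerd command line and daemon.json), and the setting fails the check both when it is absent, because Docker's default is false, and when it is explicitly false. The following is an added example, not part of the benchmark text: a small Python checker that applies that logic to constructed sample inputs. It assumes the Docker boolean-flag convention that a bare --no-new-privileges means true and that an explicit value is given only in the --flag=value form.

```python
import json
import shlex

# Constructed sample inputs (not captured from a real host).
SAMPLE_CMDLINE = "/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock"
SAMPLE_DAEMON_JSON_WEAK = '{"no-new-privileges": false, "log-driver": "json-file"}'
SAMPLE_DAEMON_JSON_OK = '{"no-new-privileges": true}'


def flag_value(cmdline):
    """True/False if --no-new-privileges appears on the dockerd command line, else None.

    A bare --no-new-privileges means true; an explicit value is recognised only
    in the --no-new-privileges=<bool> form (assumption: Docker-style boolean flags).
    """
    for tok in shlex.split(cmdline):
        if tok == "--no-new-privileges":
            return True
        if tok.startswith("--no-new-privileges="):
            return tok.split("=", 1)[1].strip().lower() == "true"
    return None


def config_value(daemon_json_text):
    """Boolean value of the no-new-privileges key in daemon.json, or None if absent or unparseable."""
    try:
        cfg = json.loads(daemon_json_text)
    except json.JSONDecodeError:
        return None
    val = cfg.get("no-new-privileges") if isinstance(cfg, dict) else None
    return val if isinstance(val, bool) else None


def audit(cmdline, daemon_json_text):
    """Return (passed, reason). Passes only if some source enables the setting and none disables it."""
    values = [v for v in (flag_value(cmdline), config_value(daemon_json_text)) if v is not None]
    if not values:
        return False, "not configured (default is false)"
    if False in values:
        return False, "explicitly set to false"
    return True, "enabled"


if __name__ == "__main__":
    print(audit(SAMPLE_CMDLINE, SAMPLE_DAEMON_JSON_WEAK))   # (False, 'explicitly set to false')
    print(audit(SAMPLE_CMDLINE, SAMPLE_DAEMON_JSON_OK))     # (True, 'enabled')
    print(audit("dockerd --no-new-privileges", "{}"))       # (True, 'enabled')
```

On a real host the command line would come from the running dockerd process and the JSON from /etc/docker/daemon.json; the checker itself reads neither.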
Impact
no_new_priv prevents LSMs such as SELinux from escalating the privileges of individual containers.
Default value
By default, containers are not restricted from acquiring new privileges.
References
- https://github.com/moby/moby/pull/29984
- https://github.com/moby/moby/pull/20727
CIS controls
Version 6, Control 5: Controlled Use of Administration Privileges