5.17 Do not directly expose host devices to containers

Information

Host devices can be directly exposed to containers at runtime. Do not directly expose host
devices to containers, especially to containers that are not trusted.

The '--device' option exposes host devices to a container, and the container can then
access those devices directly. The container does not need to run in 'privileged' mode to
access and manipulate them. By default, the container is able to read, write and mknod
these devices. Additionally, it is possible for such a container to remove block devices
from the host. Hence, do not expose host devices to containers directly.

If you must expose a host device to a container, set the sharing permissions appropriately
(the third, colon-separated field of '--device=<host path>:<container path>:<permissions>'):

. r - read only
. w - writable
. m - mknod allowed

Solution

Do not directly expose host devices to containers. If you need to expose a host device to a
container, use the correct set of permissions. For example, do not start a container as
below:

docker run --interactive --tty --device=/dev/tty0:/dev/tty0:rwm --device=/dev/temp_sda:/dev/temp_sda:rwm centos bash

Instead, share the host devices with the minimum permissions required, for example:

docker run --interactive --tty --device=/dev/tty0:/dev/tty0:rw --device=/dev/temp_sda:/dev/temp_sda:r centos bash

Impact

You would not be able to use the host devices directly within the containers.

Default Value

By default, no host devices are exposed to containers. If you expose a host device to a
container without specifying sharing permissions, the device is exposed with read, write
and mknod permissions.
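The following audit helper is an added example and is not part of the benchmark text or of any Docker tooling. It parses the JSON that 'docker inspect' prints for one or more containers (the 'HostConfig.Devices' array, whose entries carry 'PathOnHost', 'PathInContainer' and 'CgroupPermissions') and reports every device shared with more than read-only permission, which is the condition this item asks you to avoid. The sample inspect output embedded below is constructed for illustration; the container names and device paths in it are assumptions.

```python
"""Audit host devices exposed to Docker containers (CIS Docker Benchmark 5.17).

Added example, not part of the benchmark or of Docker itself. Reads the JSON
produced by `docker inspect` and flags devices shared with 'w' or 'm' permission.
"""
import json
import sys

# Permission letters accepted in --device=<host path>:<container path>:<perms>
WRITE = "w"
MKNOD = "m"


def audit_devices(inspect_json):
    """Return findings for every device exposed with write or mknod permission.

    inspect_json: the text printed by `docker inspect <container...>`, i.e. a
    JSON list of container objects. CgroupPermissions is the permission string
    given on --device (e.g. "rwm"); if it is empty we assume Docker's default,
    which is read, write and mknod.
    """
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name") or container.get("Id", "?")
        name = name.lstrip("/")  # docker inspect prefixes names with "/"
        devices = (container.get("HostConfig") or {}).get("Devices") or []
        for dev in devices:
            perms = dev.get("CgroupPermissions") or "rwm"  # assumed default when unset
            if WRITE in perms or MKNOD in perms:
                findings.append({
                    "container": name,
                    "host_path": dev.get("PathOnHost"),
                    "container_path": dev.get("PathInContainer"),
                    "permissions": perms,
                })
    return findings


# Constructed sample: one container shares a tty read-write and a block device
# read-write-mknod (both should be flagged), one shares a serial device
# read-only (fine), and one shares nothing.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaa111",
        "Name": "/untrusted-build",
        "HostConfig": {"Devices": [
            {"PathOnHost": "/dev/tty0", "PathInContainer": "/dev/tty0", "CgroupPermissions": "rw"},
            {"PathOnHost": "/dev/sda", "PathInContainer": "/dev/sda", "CgroupPermissions": "rwm"},
        ]},
    },
    {
        "Id": "bbb222",
        "Name": "/sensor-reader",
        "HostConfig": {"Devices": [
            {"PathOnHost": "/dev/ttyUSB0", "PathInContainer": "/dev/ttyUSB0", "CgroupPermissions": "r"},
        ]},
    },
    {"Id": "ccc333", "Name": "/no-devices", "HostConfig": {"Devices": None}},
])


def main():
    # Usage on a real host:  docker inspect $(docker ps -aq) | python3 audit_devices.py
    # With no piped input the constructed sample is audited instead.
    text = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    for f in audit_devices(text):
        print(f"{f['container']}: {f['host_path']} -> {f['container_path']} [{f['permissions']}]")


if __name__ == "__main__":
    main()
```

Run it against the live daemon with 'docker inspect $(docker ps -aq) | python3 audit_devices.py'; any line it prints is a container whose device sharing should be reduced to 'r' or removed entirely.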

See Also

https://workbench.cisecurity.org/files/517

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-4

Plugin: Unix

Control ID: f0986cea9d9010809123f3d4b8802acab6db12db8968a94d16659ceae96bcbd7