5.17 Do not directly expose host devices to containers

Information

Host devices can be directly exposed to containers at runtime. Do not directly expose host devices to containers especially for containers that are not trusted.

Rationale:

The '--device' option exposes the host devices to the containers and consequently the containers can directly access such host devices. You would not require the container to run in 'privileged' mode to access and manipulate the host devices. By default, the container will be able to read, write and mknod these devices. Additionally, it is possible for containers to remove block devices from the host. Hence, do not expose host devices to containers directly.

If at all, you would want to expose the host device to a container, use the sharing permissions appropriately:

r - read only

w - writable

m - mknod allowed

Solution

Do not directly expose the host devices to containers. If at all, you need to expose the host devices to containers, use the correct set of permissions:

For example, do not start a container as below:

docker run --interactive --tty --device=/dev/tty0:/dev/tty0:rwm --device=/dev/temp_sda:/dev/temp_sda:rwm centos bash



For example, share the host device with correct permissions:

docker run --interactive --tty --device=/dev/tty0:/dev/tty0:rw --device=/dev/temp_sda:/dev/temp_sda:r centos bash

Impact:

You would not be able to use the host devices directly within the containers.

Default Value:

By default, no host devices are exposed to containers. If you do not provide sharing permissions and choose to expose a host device to a container, the host device would be exposed with read, write and mknod permissions.

See Also

https://workbench.cisecurity.org/files/1476

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-4

Plugin: Unix

Control ID: 45316f159a5e61cb29aa39ca4d555125e5e42a071aca62d8feebdde55038352f