2.14 Ensure containers are restricted from acquiring new privileges

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

By default you should restrict containers from acquiring additional privileges via suid or sgid.

Rationale:

A process can set the no_new_priv bit in the kernel and this persists across forks, clones and execve. The no_new_priv bit ensures that the process and its child processes do not gain any additional privileges via suid or sgid bits. This reduces the security risks associated with many dangerous operations because there is a much reduced ability to subvert privileged binaries.

Setting this at the daemon level ensures that by default all new containers are restricted from acquiring new privileges.

Impact:

no_new_priv prevents LSMs such as SELinux from escalating the privileges of individual containers.

Solution

You should run the Docker daemon as below:

dockerd --no-new-privileges

Default Value:

By default, containers are not restricted from acquiring new privileges.

See Also

https://workbench.cisecurity.org/files/4244