rspec/rules/S6502/docker/rule.adoc

Disabling builder sandboxes can lead to unauthorized access of the host system
by malicious programs.

By default, programs that are executed by a `RUN` instruction are in a sandbox
mode that limits the capabilities of the process being executed. Explicitly
disabling the sandbox grants the process additional capabilities that might
allow it to escalate its privileges and access the host system.


== Ask Yourself Whether

* The program is controlled by an external entity.
* The program is part of a supply chain that could be a victim of a supply chain attack.

There is a risk if you answered yes to either of these questions.


== Recommended Secure Coding Practices

* Whenever possible, the sandbox should stay enabled to reduce unnecessary risk.
* If elevated capabilities are absolutely necessary, make sure to verify the integrity of the program before executing it.


== Sensitive Code Example

[source,docker]
----
# syntax=docker/dockerfile:1-labs
FROM ubuntu:22.04
# Sensitive
RUN --security=insecure ./example.sh
----

== Compliant Solution

[source,docker]
----
# syntax=docker/dockerfile:1-labs
FROM ubuntu:22.04
RUN ./example.sh
RUN --security=sandbox ./example.sh
----

== See

* https://cwe.mitre.org/data/definitions/250[MITRE, CWE-250] - Execution with Unnecessary Privileges
* https://cwe.mitre.org/data/definitions/284[MITRE, CWE-284] - Improper Access Control
* https://docs.docker.com/engine/reference/builder/#run---security[Dockerfile reference] - RUN


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

* Make sure that disabling the builder sandbox is safe here.

=== Highlighting

Highlight the `security` parameter, i.e. `--security=insecure`.

'''

endif::env-github,rspecator-view[]
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`Disabling builder sandboxes can lead to unauthorized access of the host system`
			`by malicious programs.`
Create rule S6502: Disabling builder sandboxes is security-sensitive (#1547) 2023-02-07 10:32:16 +01:00
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			By default, programs that are executed by a `RUN` instruction are in a sandbox
			`mode that limits the capabilities of the process being executed. Explicitly`
			`disabling the sandbox grants the process additional capabilities that might`
			`allow it to escalate its privileges and access the host system.`


			`== Ask Yourself Whether`

			`* The program is controlled by an external entity.`
			`* The program is part of a supply chain that could be a victim of a supply chain attack.`

			`There is a risk if you answered yes to either of these questions.`


			`== Recommended Secure Coding Practices`

			`* Whenever possible, the sandbox should stay enabled to reduce unnecessary risk.`
			`* If elevated capabilities are absolutely necessary, make sure to verify the integrity of the program before executing it.`
Create rule S6502: Disabling builder sandboxes is security-sensitive (#1547) 2023-02-07 10:32:16 +01:00

			`== Sensitive Code Example`

			`[source,docker]`
			`----`
			`# syntax=docker/dockerfile:1-labs`
			`FROM ubuntu:22.04`
			`# Sensitive`
			`RUN --security=insecure ./example.sh`
			`----`

			`== Compliant Solution`

			`[source,docker]`
			`----`
			`# syntax=docker/dockerfile:1-labs`
			`FROM ubuntu:22.04`
			`RUN ./example.sh`
			`RUN --security=sandbox ./example.sh`
			`----`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`== See`

			`* https://cwe.mitre.org/data/definitions/250[MITRE, CWE-250] - Execution with Unnecessary Privileges`
			`* https://cwe.mitre.org/data/definitions/284[MITRE, CWE-284] - Improper Access Control`
			`* https://docs.docker.com/engine/reference/builder/#run---security[Dockerfile reference] - RUN`


			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`=== Message`

			`* Make sure that disabling the builder sandbox is safe here.`

			`=== Highlighting`

			Highlight the `security` parameter, i.e. `--security=insecure`.

			`'''`

			`endif::env-github,rspecator-view[]`
Create rule S6502: Disabling builder sandboxes is security-sensitive (#1547) 2023-02-07 10:32:16 +01:00