Using host operating system namespaces can lead to compromise of the host system. +
Opening network services of the local host system to the container creates a new attack surface for attackers.

Host network sharing could provide a significant performance advantage for
workloads that require critical network performance. However, the successful
exploitation of this attack vector could have a catastrophic impact on
confidentiality within the host.

== Ask Yourself Whether

* The host exposes sensitive network services.
* The container's services performances do *not* rely on operating system namespaces.

There is a risk if you answered yes to any of those questions.


== Recommended Secure Coding Practices

Do not use host operating system namespaces.


== Sensitive Code Example

[source,docker]
----
# syntax=docker/dockerfile:1.3
FROM example
# Sensitive
RUN --network=host wget -O /home/sessions http://127.0.0.1:9000/sessions
----

== Compliant Solution

[source,docker]
----
# syntax=docker/dockerfile:1.3
FROM example
RUN --network=none wget -O /home/sessions http://127.0.0.1:9000/sessions
----

== See
* https://docs.docker.com/build/buildkit/dockerfile-frontend/[Dockerfile reference] - Custom Dockerfile syntax
* https://docs.docker.com/engine/reference/builder/#run---network[Dockerfile reference] - RUN --network
* CWE - https://cwe.mitre.org/data/definitions/653[CWE-653 - Improper Isolation or Compartmentalization]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure it is safe to use the host operating system namespace here.

=== Highlighting

Highlight `--network=host`.

endif::env-github,rspecator-view[]