Disabling builder sandboxes can lead to unauthorized access of the host system
by malicious programs.

By default, programs that are executed by a `RUN` instruction are in a sandbox
mode that limits the capabilities of the process being executed. Explicitly
disabling the sandbox grants the process additional capabilities that might
allow it to escalate its privileges and access the host system.


== Ask Yourself Whether

* The program is controlled by an external entity.
* The program is part of a supply chain that could be a victim of a supply chain attack.

There is a risk if you answered yes to either of these questions.


== Recommended Secure Coding Practices

* Whenever possible, the sandbox should stay enabled to reduce unnecessary risk.
* If elevated capabilities are absolutely necessary, make sure to verify the integrity of the program before executing it.


== Sensitive Code Example

[source,docker]
----
# syntax=docker/dockerfile:1-labs
FROM ubuntu:22.04
# Sensitive
RUN --security=insecure ./example.sh
----

== Compliant Solution

[source,docker]
----
# syntax=docker/dockerfile:1-labs
FROM ubuntu:22.04
RUN ./example.sh
RUN --security=sandbox ./example.sh
----

== See

* https://cwe.mitre.org/data/definitions/250[MITRE, CWE-250] - Execution with Unnecessary Privileges
* https://cwe.mitre.org/data/definitions/284[MITRE, CWE-284] - Improper Access Control
* https://docs.docker.com/engine/reference/builder/#run---security[Dockerfile reference] - RUN


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

* Make sure that disabling the builder sandbox is safe here.

=== Highlighting

Highlight the `security` parameter, i.e. `--security=insecure`.

'''

endif::env-github,rspecator-view[]