Disabling builder sandboxes can lead to unauthorized access of the host system by malicious programs. By default, programs executed by a `RUN` statement use only a subset of https://man7.org/linux/man-pages/man7/capabilities.7.html[capabilities] which are considered safe: this is called `sandbox` mode. If you disable the sandbox with the `--security=insecure` option, the executed command can use the full set of Linux capabilities. + This can lead to a container escape. For example, an attacker with the `SYS_ADMIN` capability is able to mount devices from the host system. This vulnerability allows an attacker who controls the behavior of the ran command to access the host system, break out of the container and penetrate the infrastructure. After a successful intrusion, the underlying systems are exposed to: * theft of intellectual property and/or personal data * extortion * denial of service == Ask Yourself Whether * The program is controlled by an external entity. * The program is part of a supply chain that could be a victim of a supply chain attack. There is a risk if you answered yes to either of these questions. == Recommended Secure Coding Practices * Whenever possible, the sandbox should stay enabled to reduce unnecessary risk. * If elevated capabilities are absolutely necessary, make sure to verify the integrity of the program before executing it. == Sensitive Code Example [source,docker] ---- # syntax=docker/dockerfile:1-labs FROM ubuntu:22.04 # Sensitive RUN --security=insecure ./example.sh ---- == Compliant Solution [source,docker] ---- # syntax=docker/dockerfile:1-labs FROM ubuntu:22.04 RUN ./example.sh RUN --security=sandbox ./example.sh ---- == See * CWE - https://cwe.mitre.org/data/definitions/250[CWE-250 - Execution with Unnecessary Privileges] * CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control] * https://docs.docker.com/engine/reference/builder/#run---security[Dockerfile reference] - RUN ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) === Message * Make sure that disabling the builder sandbox is safe here. === Highlighting Highlight the `security` parameter, i.e. `--security=insecure`. ''' endif::env-github,rspecator-view[]