63 lines
1.7 KiB
Plaintext
63 lines
1.7 KiB
Plaintext
Using host operating system namespaces can lead to compromise of the host system. +
|
|
Opening network services of the local host system to the container creates a new attack surface for attackers.
|
|
|
|
Host network sharing could provide a significant performance advantage for
|
|
workloads that require critical network performance. However, the successful
|
|
exploitation of this attack vector could have a catastrophic impact on
|
|
confidentiality within the host.
|
|
|
|
== Ask Yourself Whether
|
|
|
|
* The host exposes sensitive network services.
|
|
* The container's services performances do *not* rely on operating system namespaces.
|
|
|
|
There is a risk if you answered yes to any of those questions.
|
|
|
|
|
|
== Recommended Secure Coding Practices
|
|
|
|
Do not use host operating system namespaces.
|
|
|
|
|
|
== Sensitive Code Example
|
|
|
|
[source,docker]
|
|
----
|
|
# syntax=docker/dockerfile:1.3
|
|
FROM example
|
|
# Sensitive
|
|
RUN --network=host wget -O /home/sessions http://127.0.0.1:9000/sessions
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
[source,docker]
|
|
----
|
|
# syntax=docker/dockerfile:1.3
|
|
FROM example
|
|
RUN --network=none wget -O /home/sessions http://127.0.0.1:9000/sessions
|
|
----
|
|
|
|
== See
|
|
* https://docs.docker.com/build/buildkit/dockerfile-frontend/[Dockerfile reference] - Custom Dockerfile syntax
|
|
* https://docs.docker.com/engine/reference/builder/#run---network[Dockerfile reference] - RUN --network
|
|
* CWE - https://cwe.mitre.org/data/definitions/653[CWE-653 - Improper Isolation or Compartmentalization]
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Make sure it is safe to use the host operating system namespace here.
|
|
|
|
=== Highlighting
|
|
|
|
Highlight `--network=host`.
|
|
|
|
endif::env-github,rspecator-view[]
|
|
|