ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6502/docker/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) 
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00

81 lines
2.2 KiB
Plaintext
Raw Blame History

Disabling builder sandboxes can lead to unauthorized access of the host system
by malicious programs.
By default, programs executed by a `RUN` statement use only a subset of
https://man7.org/linux/man-pages/man7/capabilities.7.html[capabilities] which
are considered safe: this is called `sandbox` mode.
If you disable the sandbox with the `--security=insecure` option, the executed command
can use the full set of Linux capabilities. +
This can lead to a container escape. For example, an attacker with the
`SYS_ADMIN` capability is able to mount devices from the host system.
This vulnerability allows an attacker who controls the behavior of the ran command to access
the host system, break out of the container and penetrate the infrastructure.
After a successful intrusion, the underlying systems are exposed to:
* theft of intellectual property and/or personal data
* extortion
* denial of service
== Ask Yourself Whether
* The program is controlled by an external entity.
* The program is part of a supply chain that could be a victim of a supply chain attack.
There is a risk if you answered yes to either of these questions.
== Recommended Secure Coding Practices
* Whenever possible, the sandbox should stay enabled to reduce unnecessary risk.
* If elevated capabilities are absolutely necessary, make sure to verify the integrity of the program before executing it.
== Sensitive Code Example
[source,docker]
----
# syntax=docker/dockerfile:1-labs
FROM ubuntu:22.04
# Sensitive
RUN --security=insecure ./example.sh
----
== Compliant Solution
[source,docker]
----
# syntax=docker/dockerfile:1-labs
FROM ubuntu:22.04
RUN ./example.sh
RUN --security=sandbox ./example.sh
----
== See
* CWE - https://cwe.mitre.org/data/definitions/250[CWE-250 - Execution with Unnecessary Privileges]
* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]
* https://docs.docker.com/engine/reference/builder/#run---security[Dockerfile reference] - RUN
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
* Make sure that disabling the builder sandbox is safe here.
=== Highlighting
Highlight the `security` parameter, i.e. `--security=insecure`.
'''
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink