All Docker Enterprise containers must be restricted from acquiring additional privileges.
An XCCDF Rule
Description
Restrict the container from acquiring additional privileges via suid or sgid bits. A process can set the no_new_priv bit in the kernel. It persists across fork, clone, and execve. The no_new_priv bit ensures that the process or its children processes do not gain any additional privileges via suid or sgid bits. This way a lot of dangerous operations become a lot less dangerous because there is no possibility of subverting privileged binaries. no_new_priv prevents LSMs like SELinux from transitioning to process labels that have access not allowed to the current process. By default, new privileges are not restricted.
- ID
- SV-235816r672380_rule
- Version
- DKER-EE-002110
- Severity
- High
- References
- Updated
Remediation Templates
A Manual Procedure
This fix only applies to the use of Docker Engine - Enterprise on a Linux host operating system.
Start the containers as below:
docker run --rm -it --security-opt=no-new-privileges <image>
A reference for the docker run command can be found at https://docs.docker.com/engine/reference/run/.