Information
Restrict the container from acquiring additional privileges via suid or sgid bits.A process can set the no_new_priv bit in the kernel. It persists across fork, clone and execve. The no_new_priv bit ensures that the process or its children processes do not gain any additional privileges via suid or sgid bits. This waya lot of dangerous operations become a lot less dangerous because there is no possibility of subverting privileged binaries.
Solution
Start a container as below-
docker run <run-options>--security-opt=no-new-privileges<IMAGE> <CMD>
For example,
docker run --rm -it --security-opt=no-new-privileges ubuntu bash
Impact-
no_new_priv prevents LSMs like SELinux from transitioning to process labels that have access not allowed to the current process.
Default Value-
By default, new privileges are not restricted.