5.25 Restrict container from acquiring additional privileges

Information

Restrict the container from acquiring additional privileges via suid or sgid bits.A process can set the no_new_priv bit in the kernel. It persists across fork, clone and execve. The no_new_priv bit ensures that the process or its children processes do not gain any additional privileges via suid or sgid bits. This waya lot of dangerous operations become a lot less dangerous because there is no possibility of subverting privileged binaries.

Solution

Start a container as below-
docker run <run-options>--security-opt=no-new-privileges<IMAGE> <CMD>
For example,
docker run --rm -it --security-opt=no-new-privileges ubuntu bash
Impact-
no_new_priv prevents LSMs like SELinux from transitioning to process labels that have access not allowed to the current process.
Default Value-
By default, new privileges are not restricted.

See Also

https://workbench.cisecurity.org/files/516

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-39

Plugin: Unix

Control ID: 82a7a3b5c0e23b3552a20b520c73a804ef25f90d0496e12a15f893d5adbe2adc