5.25 Restrict container from acquiring additional privileges

Information

Restrict the container from acquiring additional privileges via suid or sgid bits.A process can set the no_new_priv bit in the kernel. It persists across fork, clone and
execve. The no_new_priv bit ensures that the process or its children processes do not gain
any additional privileges via suid or sgid bits. This way a lot of dangerous operations
become a lot less dangerous because there is no possibility of subverting privileged
binaries.

Solution

Start a container as below-docker run <run-options> --security-opt=no-new-privileges <IMAGE> <CMD>For example,docker run --rm -it --security-opt=no-new-privileges ubuntu bashImpact-no_new_priv prevents LSMs like SELinux from transitioning to process labels that have
access not allowed to the current process.Default Value-By default, new privileges are not restricted.

See Also

https://workbench.cisecurity.org/files/517

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-39

Plugin: Unix

Control ID: 9aa9d6dee17acd4bff3ff1bfaa25e4bd40f67cc81733a39e501785d0ec30cfb1