Information
Restrict the container from acquiring additional privileges via suid or sgid bits.
Rationale:
A process can set the no_new_privs bit in the kernel. The bit persists across fork, clone and execve, and it ensures that neither the process nor its child processes gain any additional privileges via suid or sgid bits. Many otherwise dangerous operations become far less dangerous as a result, because there is no way to subvert privileged binaries to escalate.
Solution
For example, start the container as follows:
docker run --rm -it --security-opt=no-new-privileges ubuntu bash
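The option above is enforced per container, so the practical follow-up is to audit running and stopped containers for it. The helper below is an added example, not part of the benchmark text; it reads lines in the form `<id>: SecurityOpt=[...]`, which is the shape printed by `docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'`, and reports any container whose SecurityOpt does not carry `no-new-privileges`. The sample input is constructed (the container IDs are placeholders), and the function names are ours.

```shell
#!/bin/sh
# Added audit helper (not the benchmark's own code). Input lines look like
#   <container id>: SecurityOpt=[no-new-privileges]
# as produced by:
#   docker ps --quiet --all \
#     | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'

# audit_no_new_privs reads those lines on stdin, prints "PASS <id>" or
# "FAIL <id>" per container, and returns 1 if any container is non-compliant.
# An explicit "no-new-privileges=false" counts as non-compliant.
audit_no_new_privs() {
    failed=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        id=${line%%:*}                      # text before the first colon
        opts=${line#*SecurityOpt=}          # the [...] list after SecurityOpt=
        case "$opts" in
            *no-new-privileges=false*) echo "FAIL $id"; failed=1 ;;
            *no-new-privileges*)       echo "PASS $id" ;;
            *)                         echo "FAIL $id"; failed=1 ;;
        esac
    done
    return $failed
}

# count_noncompliant prints how many FAIL lines the audit produces for the
# given multi-line input (useful for a summary or a monitoring gauge).
count_noncompliant() {
    printf '%s\n' "$1" | audit_no_new_privs | grep -c '^FAIL' || true
}

# Constructed sample output: one compliant container, one with no security
# options at all, and one that combines no-new-privileges with another option.
SAMPLE='aaaa1111: SecurityOpt=[no-new-privileges]
bbbb2222: SecurityOpt=[]
cccc3333: SecurityOpt=[seccomp=unconfined no-new-privileges]'

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE" | audit_no_new_privs
echo "non-compliant containers: $(count_noncompliant "$SAMPLE")"

# Live use against the local daemon (uncomment):
# docker ps --quiet --all \
#   | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}' \
#   | audit_no_new_privs
```

Inside a container started with the option, the kernel exposes the bit as the `NoNewPrivs:` field of `/proc/<pid>/status`, so `grep NoNewPrivs /proc/1/status` reading `NoNewPrivs: 1` confirms the setting took effect on the container's init process.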
Impact:
no_new_privs also prevents LSMs such as SELinux from transitioning the process to a label that has access the current process is not allowed.
Default Value:
By default, new privileges are not restricted.