2.18 Ensure containers are restricted from acquiring new privileges

Information

Restrict containers from acquiring additional privileges via suid or sgid bits, by default.
Rationale:
A process can set the no_new_priv bit in the kernel. It persists across fork, clone and execve. The no_new_priv bit ensures that the process or its children processes do not gain any additional privileges via suid or sgid bits. This way a lot of dangerous operations become a lot less dangerous because there is no possibility of subverting privileged binaries.
Setting this at the daemon level ensures that by default all new containers are restricted from acquiring new privileges.

Solution

Run the Docker daemon as below:
dockerd --no-new-privileges
Impact:
no_new_priv prevents LSMs like SELinux from transitioning to process labels that have access not allowed to the current process.
Default Value:
By default, containers are not restricted from acquiring new privileges.

See Also

https://workbench.cisecurity.org/files/1726

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv6|5

Plugin: Unix

Control ID: 9e6fd31b42d44a7e0ef2bf8797bb2e30f3f54fe455b34f1e67c8941352d0ab19