5.4 Ensure that privileged containers are not used

Information

Using the --privileged flag provides all Linux kernel capabilities to the container to which it is applied and therefore overwrites the --cap-add and --cap-drop flags. For this reason you should ensure that it is not used.

Rationale:

The --privileged flag provides all capabilities to the container to which it is applied, and also lifts all the limitations enforced by the device cgroup controller. As a consequence this the container has most of the rights of the underlying host. This flag only exists to allow for specific use cases (for example running Docker within Docker) and should not generally be used.

Impact:

If you start a container without the --privileged flag, it will not have excessive default capabilities.

Solution

You should not run containers with the --privileged flag.
For example, do not start a container using the command below:

docker run --interactive --tty --privileged centos /bin/bash

Default Value:

False.

See Also

https://workbench.cisecurity.org/files/3353