Information
By default you should restrict containers from acquiring additional privileges via suid or sgid.
Rationale:
A process can set the no_new_priv bit in the kernel and this persists across forks, clones and execve. The no_new_priv bit ensures that the process and its child processes do not gain any additional privileges via suid or sgid bits. This reduces the security risks associated with many dangerous operations because there is a much reduced ability to subvert privileged binaries.
Setting this at the daemon level ensures that by default all new containers are restricted from acquiring new privileges.
Impact:
no_new_priv prevents LSMs such as SELinux from escalating the privileges of individual containers.
Solution
You should run the Docker daemon as below:
dockerd --no-new-privileges
Default Value:
By default, containers are not restricted from acquiring new privileges.