5.20 Ensure mount propagation mode is not set to shared

Information

Mount propagation mode allows mounting volumes in shared, slave or private mode on a container. Do not use shared mount propagation mode unless explicitly needed.

Rationale:

A shared mount is replicated at all mounts and changes made at any mount point are propagated to all other mount points.

Mounting a volume in shared mode does not restrict any other container from mounting and making changes to that volume.

As this is likely not a desirable option from a security standpoint, this feature should not be used unless explicitly required.

Impact:

None.

Solution

Do not mount volumes in shared mode propagation.
For example, do not start a container as below:

docker run <Run arguments> --volume=/hostPath:/containerPath:shared <Container Image Name or ID> <Command>

Default Value:

By default, the container mounts are private.

See Also

https://workbench.cisecurity.org/files/4532

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(10), CSCv7|13

Plugin: Unix

Control ID: df4af33b5a4a830e19bd590270a2f514a225e0cba3037ba5e31090ed20957a9f