5.26 Ensure that the container is restricted from acquiring additional privileges

Information

You should restrict the container from acquiring additional privileges via suid or sgid bits.

Rationale:

A process can set the no_new_priv bit in the kernel and this persists across forks, clones and execve. The no_new_priv bit ensures that the process and its child processes do not gain any additional privileges via suid or sgid bits. This reduces the danger associated with many operations because the possibility of subverting privileged binaries is lessened.

Impact:

The no_new_priv option prevents LSMs like SELinux from allowing processes to acquire new privileges

Solution

You should start your container with the options below:

docker run --rm -it --security-opt=no-new-privileges ubuntu bash

Default Value:

By default, new privileges are not restricted.

See Also

https://workbench.cisecurity.org/files/4532