5.17 Ensure that the host's IPC namespace is not shared

Information

The IPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores and message queues. The host's IPC namespace should therefore not be shared with containers and should remain isolated.

The IPC namespace provides separation of IPC between the host and containers. If the host's IPC namespace is shared with a container, processes within the container can see all IPC communications on the host system. This removes the benefit of IPC-level isolation between host and containers, and an attacker with access to the container could reach the host at this level, with major consequences. The IPC namespace should therefore not be shared between the host and its containers.

Solution

You should not start a container with the --ipc=host argument. For example, do not start a container as below:

docker run --interactive --tty --ipc=host centos /bin/bash

Impact:

Shared memory segments are used to accelerate interprocess communication, commonly in high-performance applications. If such an application is containerized into multiple containers, you might need to share the IPC namespace between those containers to achieve high performance. Under these circumstances, you should still only share container-specific IPC namespaces and never the host IPC namespace.

A container's IPC namespace can be shared with another container as shown below:

docker run --interactive --tty --ipc=container:e3a7a1a97c58 centos /bin/bash
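Added here as a worked example, not part of the benchmark text or of any CIS/Tenable tooling: a POSIX shell function that audits the HostConfig.IpcMode field from docker inspect output and fails when any container was started with --ipc=host, while treating container-to-container sharing as the permitted alternative described above. The docker command in the comment is how the input lines are produced on a live host; the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the benchmark or its tooling): audit containers for a
# shared host IPC namespace by inspecting the HostConfig.IpcMode field.
# On a live host the input lines are produced by:
#   docker ps --quiet --all | xargs docker inspect --format '{{ .Name }} {{ .HostConfig.IpcMode }}'
# The SAMPLE below is constructed so the check can be exercised offline.

# audit_ipc_mode: read "<name> <IpcMode>" lines from stdin, print one line per
# container and return 1 if any container shares the host IPC namespace
# (a CIS 5.17 failure), otherwise 0.
audit_ipc_mode() {
    fail=0
    while read -r name mode; do
        [ -z "$name" ] && continue
        case "$mode" in
            host)
                echo "FAIL $name: started with --ipc=host, shares the host IPC namespace"
                fail=1 ;;
            container:*)
                # Sharing another container's IPC namespace is the permitted alternative
                echo "INFO $name: shares IPC namespace with container ${mode#container:}" ;;
            *)
                # Empty (older Docker), "private" or "shareable" all stay off the host
                echo "PASS $name: IpcMode='${mode:-private}'" ;;
        esac
    done
    return "$fail"
}

# Constructed sample of the inspect output (names are made up; the id is the
# one used in the benchmark's own example command)
SAMPLE='/web-frontend 
/legacy-app host
/worker-1 container:e3a7a1a97c58
/worker-2 shareable'

# Stand-alone run over the sample; the || branch keeps the script's exit status 0
printf '%s\n' "$SAMPLE" | audit_ipc_mode \
    || echo "CIS 5.17: at least one container shares the host IPC namespace"
```

Replace the sample with the real inspect output to run the check against a host; a non-zero return from audit_ipc_mode means the benchmark item fails.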

See Also

https://workbench.cisecurity.org/benchmarks/16041

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-4, CSCv7|14.1

Plugin: Unix

Control ID: fc7326b390b760caf62ffd082c509ccb28a85ad7d9961aabac47f4ddca813d78