Disabling builder sandboxes can lead to unauthorized access of the host system by malicious programs.
By default, programs executed by a RUN statement use only a subset of capabilities which are considered safe: this is called sandbox
mode.
If you disable the sandbox with the --security=insecure option, the executed command can use the full set of Linux capabilities.
This can lead to a container escape. For example, an attacker with the SYS_ADMIN capability is able to mount devices from the host
system.
This vulnerability allows an attacker who controls the behavior of the ran command to access the host system, break out of the container and
penetrate the infrastructure.
After a successful intrusion, the underlying systems are exposed to:
- theft of intellectual property and/or personal data
- extortion
- denial of service
Ask Yourself Whether
- The program is controlled by an external entity.
- The program is part of a supply chain that could be a victim of a supply chain attack.
There is a risk if you answered yes to either of these questions.
Recommended Secure Coding Practices
- Whenever possible, the sandbox should stay enabled to reduce unnecessary risk.
- If elevated capabilities are absolutely necessary, make sure to verify the integrity of the program before executing it.
Sensitive Code Example
# syntax=docker/dockerfile:1-labs
FROM ubuntu:22.04
# Sensitive
RUN --security=insecure ./example.sh
Compliant Solution
# syntax=docker/dockerfile:1-labs
FROM ubuntu:22.04
RUN ./example.sh
RUN --security=sandbox ./example.sh
See
