No New Privileges Not Set

  • Query id: 27fcc7d6-c49b-46e0-98f1-6c082a6a2750
  • Query name: No New Privileges Not Set
  • Platform: DockerCompose
  • Severity: High
  • Category: Resource Management
  • URL: Github

Description

Ensuring the process does not gain any new privileges lessens the risk associated with many operations.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
version: "3.4"
services:
  service-service-service:
    build:
      context: ./
      dockerfile: service.dockerfile
    ports:
      - "6969:8080"
    networks:
      - service-service-frontend
    restart: always
    security_opt:
      - no-new-privileges:false

networks:
  service-service-frontend:
Positive test num. 2 - yaml file
version: "3.4"
services:
  service-service-service:
    build:
      context: ./
      dockerfile: service.dockerfile
    ports:
      - "6969:8080"
    networks:
      - service-service-frontend
    restart: always
    security_opt:
      - "apparmor: false"

networks:
  service-service-frontend:

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
version: "3.4"
services:
  service-service-service:
    build:
      context: ./
      dockerfile: service.dockerfile
    ports:
      - "6969:8080"
    networks:
      - service-service-frontend
    restart: always
    security_opt:
      - no-new-privileges:true

networks:
  service-service-frontend: