Host Namespace is Shared

  • Query id: 4f31dd9f-2cc3-4751-9b53-67e4af83dac0
  • Query name: Host Namespace is Shared
  • Platform: DockerCompose
  • Severity: Medium
  • Category: Resource Management
  • URL: Github

Description

A container must not share the host's PID namespace (`pid: "host"` in Compose). Inside such a container every host process is visible under `/proc`, can be signalled, and — with `CAP_SYS_PTRACE` or a root user — inspected or tampered with, which defeats the isolation the container is supposed to provide. Leave `pid` unset (each service gets its own PID namespace by default) unless there is a documented need to share it.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
# Positive case: the service joins the host PID namespace via `pid: "host"`,
# so the query must report this file.
version: "3"

services:
  service_name_1:
    image: not/a-real-image:latest
    ports:
      - "8080:8080"  # keep quoted so YAML never reinterprets the mapping
    command: ["launch"]
    pid: "host"  # FLAGGED: container processes share the host's PID namespace
Positive test num. 2 - yaml file
version: "2.4"
services:
  service_name_2:
    build: ./
    restart: always
    pid: "host"
    entrypoint: node /app/directory.js
    volumes:
      - "./directory:/app"
Positive test num. 3 - yaml file
version: "3"

services:
  app:
    build: app
    ports:
      - "0.0.0.0:80:80"

  internal:
      build: internal
      pid: "host"

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
# Negative case: `pid` targets another container, not the host, so this
# query does not report it.
version: "2.1"

services:
  service_name_4:
    image: not/a-real-image:latest
    ports:
      - "8080:8080"
    command: ["launch"]
    # Not the host namespace, but processes of container_name_4 become visible
    # and signallable from here; prefer the default private namespace unless
    # this sharing is actually required.
    pid: "container:container_name_4"
Negative test num. 2 - yaml file
# Negative case: `pid` targets another container, not the host, so this
# query does not report it.
version: "2.1"

services:
  service_name_5:
    image: not/a-real-image:latest
    ports:
      - "8080:8080"
    command: ["launch"]
    # NOTE(review): `container:` is resolved by container name/ID, and
    # service_name_4 looks like a Compose service name rather than a container
    # name — presumably only resolves if that service sets
    # `container_name: service_name_4`; confirm before relying on it.
    pid: "container:service_name_4"
Negative test num. 3 - yaml file
# Negative case: no `pid` key, so the service keeps its own PID namespace
# (the default) and is not reported.
version: "3"

services:
  service_name_3:
    image: not/a-real-image:latest
    ports:
      - "8080:8080"
    command: ["launch"]