Container Capabilities Unrestricted

  • Query id: ce76b7d0-9e77-464d-b86f-c5c48e03e22d
  • Query name: Container Capabilities Unrestricted
  • Platform: DockerCompose
  • Severity: Medium
  • Category: Resource Management
  • CWE: 400
  • URL: Github

Description

Some Linux capabilities are not needed in certain (or any) containers. Only add the capabilities a container actually needs and drop the rest: the compliant pattern in the samples below drops every capability with `cap_drop: - all`, while a service that adds `all` with `cap_add`, or that has no `cap_drop` at all, keeps an unrestricted capability set and is reported.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
version: "3.9"

services:
  webapp:
    build:
      context: ./dir
      dockerfile: Dockerfile-alternate
      args:
        buildno: 1
    ports:
      - "8080:8080"
      - "3000:3000"
    cap_add: 
      - all

Positive test num. 2 - yaml file
version: "3.9"

services:
  webapp:
    build:
      context: ./dir
      dockerfile: Dockerfile-alternate
      args:
        buildno: 1
    ports:
      - "8080:8080"
      - "3000:3000"
    cap_add: 
      - all
    cap_drop:
      - SYS_CHROOT

Positive test num. 3 - yaml file
version: "3.9"

services:
  webapp:
    build:
      context: ./dir
      dockerfile: Dockerfile-alternate
      args:
        buildno: 1
    ports:
      - "8080:8080"
      - "3000:3000"
    cap_add: 
      - all
    cap_drop:
      - all

Positive test num. 4 - yaml file
version: "3.9"

services:
  webapp:
    build:
      context: ./dir
      dockerfile: Dockerfile-alternate
      args:
        buildno: 1
    ports:
      - "8080:8080"
      - "3000:3000"

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
version: "3.9"

services:
  webapp:
    build:
      context: ./dir
      dockerfile: Dockerfile-alternate
      args:
        buildno: 1
    ports:
      - "8080:8080"
      - "3000:3000"
    cap_drop: 
      - all