Host Namespace is Shared

• Query id: 4f31dd9f-2cc3-4751-9b53-67e4af83dac0
• Query name: Host Namespace is Shared
• Platform: DockerCompose
• Severity: Medium
• Category: Resource Management
• URL: Github

Description

The hosts process namespace should not be shared by containers
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

version: '3'

services:

  service_name_1:
    image: not/a-real-image:latest
    command: ["launch"]
    ports:
      - "8080:8080"
    pid: "host" # Share Process ID Namespace

Positive test num. 2 - yaml file

version: "2.4"
services:
  service_name_2:
    build: ./
    restart: always
    pid: "host"
    entrypoint: node /app/directory.js
    volumes:
      - "./directory:/app"

Positive test num. 3 - yaml file

version: "3"

services:
  app:
    build: app
    ports:
      - "0.0.0.0:80:80"

  internal:
      build: internal
      pid: "host"

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

version: '2.1'

services:

  service_name_4:
    image: not/a-real-image:latest
    command: ["launch"]
    ports:
      - "8080:8080"
    pid: "container:container_name_4"

Negative test num. 2 - yaml file

version: '2.1'

services:

  service_name_5:
    image: not/a-real-image:latest
    command: ["launch"]
    ports:
      - "8080:8080"
    pid: "container:service_name_4"

Negative test num. 3 - yaml file

version: '3'

services:

  service_name_3:
    image: not/a-real-image:latest
    command: ["launch"]
    ports:
      - "8080:8080"