
docker.md: drop caps and set nonewpriv flag

Open disconnect3d opened this issue 3 years ago • 2 comments

This commit adds the --security-opt no-new-privileges:true --cap-drop=ALL flags to the docker run invocations so that the container runs with lower privileges and cannot gain more of them via suid binaries.

See also:

  • https://man7.org/linux/man-pages/man7/capabilities.7.html
  • https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html

disconnect3d avatar Jul 26 '22 12:07 disconnect3d
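
One way to confirm that the two flags took effect, as an added example that is not part of this PR or of the MobSF docs: the script reads the capability sets and the `NoNewPrivs` field from a `/proc/<pid>/status` file. The function names `status_field`, `check_hardening` and `write_samples` are hypothetical, and both sample inputs are constructed, not captured from a real container.

```shell
# status_field FILE NAME: print the value of the "NAME:" line in FILE
status_field() { awk -v k="$2:" '$1 == k { print $2 }' "$1"; }

# check_hardening [FILE]: return 0 only if all capability sets are empty
# and NoNewPrivs is 1; print one line per field checked.
check_hardening() {
    f="${1:-/proc/self/status}"; rc=0
    for name in CapInh CapPrm CapEff CapBnd CapAmb; do
        v=$(status_field "$f" "$name")
        case "$v" in
            "")     echo "FAIL $name missing"; rc=1 ;;
            *[!0]*) echo "FAIL $name=$v (capabilities still held)"; rc=1 ;;
            *)      echo "ok   $name=$v" ;;
        esac
    done
    nnp=$(status_field "$f" NoNewPrivs)
    if [ "$nnp" = 1 ]; then echo "ok   NoNewPrivs=1"
    else echo "FAIL NoNewPrivs=${nnp:-missing}"; rc=1; fi
    return "$rc"
}

# write_samples DIR: constructed status excerpts, not real captures.
write_samples() {
    cat > "$1/hardened" <<'EOF'
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000000000000000
CapAmb: 0000000000000000
NoNewPrivs: 1
EOF
    cat > "$1/default" <<'EOF'
CapInh: 0000000000000000
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
NoNewPrivs: 0
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_hardening "$tmp/hardened" && echo "=> hardened sample passes"
check_hardening "$tmp/default" || echo "=> default-style sample fails"
rm -rf "$tmp"
```

Called with no argument inside a running container, `check_hardening` reads `/proc/self/status` of the shell itself.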

A best practice which does not hurt the user and may as well educate them that it is important ;).

Feel free to either accept or reject this PR. If you feel this should be added elsewhere too, I'd suggest accepting this one and just adding other changes where you think it should be added.

disconnect3d avatar Jul 27 '22 14:07 disconnect3d

I agree, we do want to promote best practices. It's just that we don't want to overwhelm users on basic docker usage. It would be nice to have a subsection above or below https://github.com/MobSF/docs/blob/9a4725fe7c5891c1f4a1ecbc48b7abc6eda4f4eb/docker.md?plain=1#L15 and explain what these arguments do to improve the security posture.

ajinabraham avatar Jul 27 '22 17:07 ajinabraham