Docker security
disconnect3d
PUT Security Day, 10.11.2018
# whoami
https://github.com/disconnect3d/
disconnect3d # irc.freenode.net
Quick poll
How many ppl know docker
How many ppl use docker on production
How many ppl know the difference between a container and a VM
Containers vs VMs
[figure: Containers vs Virtual Machines]
source: https://stackoverflow.com/questions/16047306/how-is-docker-different-from-a-virtual-machine
Containers are just a way to run something isolated from the rest of the system
Docker overview
Docker client
Docker hub
Docker daemon
Managing images, containers, volumes, networks, etc.
Docker client
Docker client
$ which docker
/usr/bin/docker
$ file `which docker`
/usr/bin/docker: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=f2fbf2cb9ae21a029186f58e2845d6c3f3249b22, with debug_info, not stripped
$ ls -lah `which docker`
-rwxr-xr-x 1 root root 20M Feb 28 2018 /usr/bin/docker
Docker daemon
Docker daemon
$ file /var/run/docker.sock
/var/run/docker.sock: socket
$ ls -la /var/run/docker.sock
srw-rw---- 1 root docker 0 Aug 24 17:02 /var/run/docker.sock
That’s why the user needs to be in a `docker` group to be able to use it!
Docker daemon
$ curl --unix-socket /var/run/docker.sock \
    http://latest/containers/json
[{"Id":"c765050c9063d5c34fe2405c6dfb0122d54f22c5ad802d4dba65cb0cee2cb36a", "Names":["/laughing_kirch"],"Image":"trailofbits/manticore","ImageID":"sha256:a298073eefc6b9b670947f915c447171b28cb10c22ab3bac0a95f5ff32bd9bdb","Command":"/bin/bash","Created":1539866637,"Ports":[],"Labels":{},"State":"running","Status":"Up 6 days","HostConfig":{"NetworkMode":"default"},"NetworkSettings":{"Networks":{"bridge":{"IPAMConfig":null,"Links":null,"Aliases":null,"NetworkID":"ec0da6e97374f3f30107c06a7eba634a0fb911daa4ca5b9dcef8ccdc67fef228","EndpointID":"c09e8269e58600f688ceab6da443abdf4b5f4dc5a3631daf9666b8337e8aadba","Gateway":"172.17.0.1","IPAddress":"172.17.0.2","IPPrefixLen":16,"IPv6Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"MacAddress":"01:22:ad:14:00:01","DriverOpts":null}}},"Mounts":[{"Type":"bind","Source":"/home/dc/projects/manticore/examples","Destination":"/home/manticore/examples","Mode":"","RW":true,"Propagation":"rprivate"}]}]
Under the hood
TLDR
namespaces - limits what you can see (and therefore use)
cgroups - limits how much you can use
source: https://stackoverflow.com/questions/34820558/difference-between-cgroups-and-namespaces
Also see: “man 7” for cgroups and for namespaces
Namespaces (what you can see)
Provide processes with their own view of the system. Namespaces:
cgroups
Involve resource metering and limiting:
Is the root in the container the same as on host?
By default: YES
But there are some exceptions :-p
Can I reboot my PC?
There are no ‘shutdown’ or ‘reboot’
Reboot
$ docker run --rm -it ubuntu bash
# echo 1 > /proc/sys/kernel/sysrq
# echo b > /proc/sysrq-trigger
DEMO
Works with --privileged
Linux capabilities
Docker grants 14 of them by default
Capabilities
SETPCAP - Modify process capabilities.
MKNOD - Create special files using mknod(2).
AUDIT_WRITE - Write records to kernel auditing log.
CHOWN - Make arbitrary changes to file UIDs and GIDs (see chown(2)).
NET_RAW - Use RAW and PACKET sockets.
DAC_OVERRIDE - Bypass file read, write, and execute permission checks.
FOWNER - Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file.
FSETID - Don’t clear set-user-ID and set-group-ID permission bits when a file is modified.
KILL - Bypass permission checks for sending signals.
SETGID - Make arbitrary manipulations of process GIDs and supplementary GID list.
SETUID - Make arbitrary manipulations of process UIDs.
NET_BIND_SERVICE - Bind a socket to internet domain privileged ports (port numbers less than 1024).
SYS_CHROOT - Use chroot(2), change root directory.
SETFCAP - Set file capabilities.
source: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
Docker drops the rest (23) of capabilities
Examples of dropped capabilities
SYS_BOOT
Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution.
SYS_ADMIN
Perform a range of system administration operations. For example: mount, unmount, setting swap and a lot more.
SYS_PTRACE
Trace arbitrary processes using ptrace(2). So: using strace / ltrace / gdb
And others; full list is on the docker run reference: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
[Un]setting capabilities
with docker
--cap-drop=ALL
--cap-add=<some-cap>
--cap-add=<other-cap>
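An added example, not part of the talk's slides: a small Python script that decodes a capability bitmask (the CapEff line of /proc/<pid>/status) against the 14-capability Docker default set listed above, so you can tell from inside a container whether it was started with extra --cap-add flags or --privileged (which is why the sysrq reboot works there and not in a default container). Bit numbers come from linux/capability.h; the sample status text is constructed.

```python
import re

# Capability name -> bit number, a subset of include/uapi/linux/capability.h.
CAP_BITS = {
    "CHOWN": 0, "DAC_OVERRIDE": 1, "FOWNER": 3, "FSETID": 4, "KILL": 5,
    "SETGID": 6, "SETUID": 7, "SETPCAP": 8, "NET_BIND_SERVICE": 10,
    "NET_RAW": 13, "SYS_MODULE": 16, "SYS_CHROOT": 18, "SYS_PTRACE": 19,
    "SYS_ADMIN": 21, "SYS_BOOT": 22, "MKNOD": 27, "AUDIT_WRITE": 29,
    "SETFCAP": 31,
}

# The 14 capabilities Docker grants by default (docker run reference).
DOCKER_DEFAULT = frozenset([
    "SETPCAP", "MKNOD", "AUDIT_WRITE", "CHOWN", "NET_RAW", "DAC_OVERRIDE",
    "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE",
    "SYS_CHROOT", "SETFCAP",
])


def decode_caps(mask_hex):
    """Names of the known capabilities whose bit is set in a hex mask."""
    mask = int(mask_hex, 16)
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}


def docker_default_mask():
    """Bitmask of Docker's default set; a default container shows it as CapEff."""
    mask = 0
    for name in DOCKER_DEFAULT:
        mask |= 1 << CAP_BITS[name]
    return mask


def audit_status(status_text):
    """Parse the CapEff line of a /proc/<pid>/status dump. Anything in
    'beyond_default' was granted back by --cap-add or --privileged."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.M)
    if m is None:
        raise ValueError("no CapEff line in status text")
    caps = decode_caps(m.group(1))
    return {"effective": caps, "beyond_default": caps - DOCKER_DEFAULT}


# Constructed sample: the CapEff line of a plain `docker run ubuntu bash` shell.
SAMPLE_STATUS = "Name:\tbash\nCapInh:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"

if __name__ == "__main__":
    print(hex(docker_default_mask()))
    print(sorted(audit_status(SAMPLE_STATUS)["effective"]))
    # Inside a real container, feed it: open("/proc/self/status").read()
```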
So can I be NOT a real root in a Docker container?
Is it safe to let non-sudo users spawn docker containers?
Not really…:
docker run --rm -it --privileged -v /:/host ubuntu bash
The user can modify e.g. /etc/passwd or /etc/sudoers and become root on the host
Btw this is also super bad
docker run (...) -v /var/run/docker.sock:/var/run/docker.sock
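An added example, not from the talk: a Python audit of the JSON that the earlier `curl --unix-socket /var/run/docker.sock http://latest/containers/json` call returns, flagging containers whose bind mounts expose the host root (`-v /:/host`), the daemon socket, or /etc, i.e. the two "super bad" setups above. The listing is constructed in the shape of that output; the second container and its Id are made up.

```python
import json

# Host paths whose bind-mount makes the container root-equivalent on the host:
# the daemon socket and /etc (where /etc/passwd and /etc/sudoers live);
# "/" itself is handled separately below.
SENSITIVE_PATHS = ("/var/run/docker.sock", "/run/docker.sock", "/etc")


def is_sensitive(host_path):
    """True for "/", a listed path, or anything beneath a listed path."""
    if host_path == "/":
        return True
    return any(host_path == p or host_path.startswith(p + "/")
               for p in SENSITIVE_PATHS)


def risky_mounts(container):
    """(source, destination, rw) for each bind mount of one container entry
    that exposes a sensitive host path. Named volumes are ignored."""
    hits = []
    for m in container.get("Mounts", []):
        if m.get("Type") != "bind":
            continue
        src = m.get("Source", "")
        if is_sensitive(src):
            hits.append((src, m.get("Destination", ""), bool(m.get("RW"))))
    return hits


def audit_listing(listing_json):
    """Map container name -> risky mounts, for containers that have any."""
    report = {}
    for c in json.loads(listing_json):
        hits = risky_mounts(c)
        if hits:
            name = (c.get("Names") or [c.get("Id", "?")[:12]])[0]
            report[name] = hits
    return report


# Constructed sample: first entry mirrors the talk's manticore container,
# second is a made-up escape candidate with a constructed Id.
SAMPLE_LISTING = json.dumps([
    {"Id": "c765050c9063", "Names": ["/laughing_kirch"], "Image": "trailofbits/manticore",
     "Mounts": [{"Type": "bind", "Source": "/home/dc/projects/manticore/examples",
                 "Destination": "/home/manticore/examples", "RW": True}]},
    {"Id": "0123456789ab", "Names": ["/escape_me"], "Image": "ubuntu",
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host", "RW": True},
                {"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": True}]},
])

if __name__ == "__main__":
    for name, hits in audit_listing(SAMPLE_LISTING).items():
        print(name, hits)
```

The list endpoint's HostConfig only carries NetworkMode (as in the output shown earlier); whether a container is --privileged is reported by the per-container inspect call, /containers/<id>/json, under HostConfig.Privileged.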
Docker hub… [no slides for this part ;p]
Btw there are many other cool things not covered by the talk
Trusted (signed) images
Protecting the Docker daemon socket (when run via HTTPS)
Verifying repository client with certificates
https://docs.docker.com/engine/security/certificates/ (so a given docker hub can authenticate you)
System call policies: seccomp
https://docs.docker.com/engine/security/seccomp/
--security-opt seccomp=profile.json
*docker uses a default profile
[if your kernel supports seccomp]
Ok, to sum up
And that’s all.
Thanks
Questions?