docker-ce does not respect "--security-opt no-new-privileges" #1393

Closed
2 of 3 tasks
Mandraenke opened this issue May 13, 2022 · 2 comments

Comments

@Mandraenke

Mandraenke commented May 13, 2022

  • [x] This is a bug report
  • [ ] This is a feature request
  • [x] I searched existing issues before opening this one

Expected behavior

Running a container like this:

root@fwtest:~# dockerd --version
Docker version 20.10.12, build 459d0df
root@fwtest:~# docker container run --security-opt no-new-privileges --user 1002 --rm alpine ping -c 1 heise.de
ping: permission denied (are you root?)
PING heise.de (193.99.144.80): 56 data bytes
root@fwtest:~#

This is working with 20.10.12 and below.

Actual behavior

root@fwtest:~# dockerd --version
Docker version 20.10.13, build 906f57f
root@fwtest:~# docker container run --security-opt no-new-privileges --user 1002 --rm alpine ping -c 1 heise.de
PING heise.de (193.99.144.80): 56 data bytes
64 bytes from 193.99.144.80: seq=0 ttl=42 time=28.021 ms

--- heise.de ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 28.021/28.021/28.021 ms
root@fwtest:~#
root@fwtest:~# docker container run --security-opt no-new-privileges --user 1002 --rm alpine ping -c 1 heise.de
PING heise.de (193.99.144.80): 56 data bytes
64 bytes from 193.99.144.80: seq=0 ttl=42 time=27.965 ms

--- heise.de ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 27.965/27.965/27.965 ms
root@fwtest:~# dockerd --version
Docker version 20.10.16, build f756502
root@fwtest:~#

(Tests run on Ubuntu Focal.)

Steps to reproduce the behavior

See above.

Output of docker version:

Client: Docker Engine - Community
 Version:           20.10.16
 API version:       1.41
 Go version:        go1.17.10
 Git commit:        aa7e414
 Built:             Thu May 12 09:17:23 2022
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.16
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.17.10
  Git commit:       f756502
  Built:            Thu May 12 09:15:28 2022
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.6.2
  GitCommit:        de8046a5501db9e0e478e1c10cbcfb21af4c6b2d
 runc:
  Version:          1.1.1
  GitCommit:        v1.1.1-0-g52de29d7
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Output of docker info:

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Docker Buildx (Docker Inc., v0.8.2-docker)
  compose: Docker Compose (Docker Inc., v2.5.0)
  scan: Docker Scan (Docker Inc., v0.17.0)

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 1
 Server Version: 20.10.16
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runtime.v1.linux runc io.containerd.runc.v2
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: de8046a5501db9e0e478e1c10cbcfb21af4c6b2d
 runc version: v1.1.1-0-g52de29d7
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 5.4.0-110-generic
 Operating System: Ubuntu 20.04.4 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 1
 Total Memory: 1.89GiB
 Name: fwtest
 ID: EC3K:TAM2:O54Z:AXSG:POOR:KTGG:ZZAO:GA5T:ESJO:3YOX:BM5N:BJJT
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No swap limit support

Additional environment details (AWS, VirtualBox, physical, etc.)

@thaJeztah
Member

I think this is the expected behaviour; relates to;
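The reproduction in the report conflates two separate questions: whether `no_new_privileges` is applied to the container process at all, and whether `ping` still needs a privilege escalation to send ICMP. Docker 20.10.13 started setting the `net.ipv4.ping_group_range` sysctl inside containers with their own network namespace, so BusyBox `ping` can open an unprivileged ICMP datagram socket instead of relying on a setuid root helper or CAP_NET_RAW; `no_new_privileges` is still in effect, there is simply no privilege transition left for it to block. The script below is an added example (it is not from the issue and not Docker's own tooling) that reads both facts straight from `/proc` so they can be checked independently of what `ping` prints. The sample `status` and `ping_group_range` files it writes are constructed to mirror the two daemon versions in the report, and `classify` and its three result labels are names chosen here for illustration.

```shell
#!/bin/sh
# Added example, not part of the issue: verify from inside a container whether
# no_new_privs is really applied and whether ping can use an unprivileged ICMP
# socket. /proc/<pid>/status and /proc/sys/net/ipv4/ping_group_range are real
# Linux paths; the sample contents written below are constructed.

# Print the NoNewPrivs flag (0 or 1) from a /proc/<pid>/status file.
nnp_flag() {
    awk '/^NoNewPrivs:/ { print $2 }' "$1"
}

# Return 0 if gid $1 lies inside the "lo hi" range stored in file $2.
# The kernel default "1 0" is an empty range: unprivileged ICMP sockets off.
ping_group_allows() {
    gid=$1
    read -r lo hi < "$2"
    if [ "$gid" -ge "$lo" ] && [ "$gid" -le "$hi" ]; then
        return 0
    fi
    return 1
}

# Interpret the two observations for a "--user <gid> --security-opt
# no-new-privileges" container. Labels are hypothetical names for this example:
#   NNP_NOT_APPLIED        the flag did not reach the process (a real bug)
#   PING_VIA_UNPRIV_ICMP   NNP is set; ping works through ping_group_range
#   PING_NEEDS_RAW_SOCKET  NNP is set and ping_group_range excludes the gid,
#                          so a non-root ping must fail (the 20.10.12 output)
classify() {
    status_file=$1
    range_file=$2
    gid=$3
    if [ "$(nnp_flag "$status_file")" != "1" ]; then
        echo NNP_NOT_APPLIED
    elif ping_group_allows "$gid" "$range_file"; then
        echo PING_VIA_UNPRIV_ICMP
    else
        echo PING_NEEDS_RAW_SOCKET
    fi
}

# Constructed samples standing in for the two daemon versions in the report.
tmp=$(mktemp -d)
printf 'Name:\tping\nUid:\t1002\t1002\t1002\t1002\nGid:\t1002\t1002\t1002\t1002\nNoNewPrivs:\t1\n' > "$tmp/status"
printf '1\t0\n' > "$tmp/range_old"           # kernel default: unprivileged ICMP disabled
printf '0\t2147483647\n' > "$tmp/range_new"  # range 20.10.13+ sets inside containers

echo "20.10.12-style container: $(classify "$tmp/status" "$tmp/range_old" 1002)"
echo "20.10.13+-style container: $(classify "$tmp/status" "$tmp/range_new" 1002)"
rm -rf "$tmp"

# Live check for the current process when the /proc files are readable
# (inside a Linux container, or on a Linux host for comparison).
if [ -r /proc/self/status ] && [ -r /proc/sys/net/ipv4/ping_group_range ]; then
    echo "this process: $(classify /proc/self/status /proc/sys/net/ipv4/ping_group_range "$(id -g)")"
fi
```

To run the live check under the same conditions as the report, save the script as `check.sh` (an assumed file name) and mount it into the container: `docker run --security-opt no-new-privileges --user 1002 --rm -v "$PWD/check.sh:/check.sh:ro" alpine sh /check.sh`. A result of `PING_VIA_UNPRIV_ICMP` with `NoNewPrivs: 1` means the option is honoured and the successful `ping` is not a privilege escalation; only `NNP_NOT_APPLIED` would indicate the behaviour the title describes.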

@thaJeztah
Member

closing per the above

@thaJeztah closed this as not planned on Jan 24, 2024