Hardening
Securing Privileged Containers
disallow-write-core-pattern
Prohibit modifying procfs' core_pattern.
Attackers may attempt container escape by modifying the procfs core_pattern in a privileged container or, in a container (w/ CAP_SYS_ADMIN), unmounting specific mount points and then modifying the procfs core_pattern to execute a container escape.
Disallow writing to the procfs' core_pattern file.
- AppArmor
- BPF
disallow-mount-securityfs
Prohibit mounting securityfs.
Attackers may attempt container escape in containers (w/ CAP_SYS_ADMIN) by mounting securityfs with read-write permissions and subsequently modifying it.
Disallow mounting of new security file systems.
- AppArmor
- BPF
disallow-mount-procfs
Prohibit remounting procfs.
Attackers may attempt container escape in containers (w/ CAP_SYS_ADMIN) by remounting procfs with read-write permissions and subsequently modifying the core_pattern, among other things.
- Disallow mounting of new proc file systems.
- Prohibit using bind, rbind, move, remount options to remount
/proc**
. - When using BPF enforcer, it also prevents unmounting
/proc**
.
- AppArmor
- BPF
disallow-write-release-agent
Prohibit modifying cgroupfs' release_agent.
Attackers may attempt container escape within privileged container by directly modifying the cgroupfs release_agent.
Disallow writing to the cgroupfs' release_agent file.
- AppArmor
- BPF
disallow-mount-cgroupfs
Prohibit remounting cgroupfs.
Attackers may attempt to escape from containers (w/ CAP_SYS_ADMIN) by remounting cgroupfs with read-write permissions. Subsequently, they can modify release_agent and device access permissions, among other things.
- Disallow mounting new cgroup file systems.
- Prohibit using bind, rbind, move, remount options to remount
/sys/fs/cgroup**
. - Prohibit using rbind option to remount
/sys**
. - When using BPF enforcer, it also prevents unmounting
/sys**
.
- AppArmor
- BPF
disallow-debug-disk-device
Prohibit debugging of disk devices.
Attackers may attempt to read and write host machine files by debugging host machine disk devices within a privileged container.
It is recommended to use this rule in conjunction with disable-cap-mknod to prevent attackers from bypassing the rule with mknod.
Dynamically acquire host disk devices and restrict container access them with read-write permissions.
- AppArmor
- BPF
disallow-mount-disk-device
Prohibit mounting of host's disk devices.
Attackers may attempt to mount host machine disk devices within a privileged container, thereby gaining read-write access to host machine files.
It is recommended to use this rule in conjunction with disable-cap-mknod to prevent attackers from bypassing the rule with mknod.
Dynamically acquire host machine disk device files and prevent mounting within containers.
- AppArmor
- BPF
disallow-mount
Disable the mount system call.
MOUNT(2) is often used for privilege escalation, container escapes, and other attacks. Most microservices applications do not require mount operations. Therefore, it is recommended to use this rule to restrict container processes from using the mount()
system call.
Note: The mount system call will be disabled by default if the spec.policy.privileged
field is false.
Disable the mount system call.
- AppArmor
- BPF
disallow-umount
Disable the umount system call.
UMOUNT(2) can be used to remove the attachment of topmost mount points(such as maskedPaths), leading to privilege escalation and information disclosure. Most microservices applications do not require umount operations. Therefore, it is recommended to use this rule to restrict container processes from using the umount()
system call.
Disable the umount system call.
- AppArmor
- BPF
disallow-insmod
Prohibit loading kernel modules.
Attackers may attempt to inject code into the kernel within a container (w/ CAP_SYS_MODULE) by executing kernel module loading command.
Disable CAP_SYS_MODULE.
- AppArmor
- BPF