This should be stated that this is very dangerous. #8
Comments
This opens this access to all containers. If access to the docker.socket is needed within a container on an SELinux system, SELinux separation should get disabled. docker run --security-opt label=disabled Then only the container running with the docker.sock or Podman.sock gains the dangerous access.
I avoid using Docker as much as possible, unfortunately there are few exceptions where I have to run it and what @rhatdan is stating is absolutely crucial to understand and this policy should not be used in prod or on any public instance. Also, switching to podman solves a lot of issues.
Thank you this flag is what I was looking for so I didn't need to install this entire plugin
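The comment above argues for granting socket access to one container rather than to all of them. As an added example (not code from this repository or from the commenter), the following audit parses `docker inspect` output and lists every container that bind-mounts the Docker or Podman socket, so those containers can be inventoried and treated as root-equivalent. It assumes the standard `docker inspect` JSON layout; the sample input is constructed.

```python
"""Audit `docker inspect` output for containers that mount the Docker or
Podman API socket, and report whether they run with --privileged or with
SELinux separation disabled (label=disabled).  Added example; the JSON
below is a constructed stand-in for real `docker inspect $(docker ps -q)`."""
import json

# Common socket paths (assumption: default locations on the host).
SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock",
                "/run/podman/podman.sock", "/var/run/podman/podman.sock"}

# Constructed sample: two containers, only the second mounts the socket.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa", "Name": "/web",
     "HostConfig": {"Privileged": False, "SecurityOpt": None},
     "Mounts": [{"Type": "volume", "Source": "data", "Destination": "/data"}]},
    {"Id": "bbb", "Name": "/ci-agent",
     "HostConfig": {"Privileged": False, "SecurityOpt": ["label=disabled"]},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
])


def audit(inspect_json):
    """Return one finding per container that can reach the API socket."""
    findings = []
    for c in json.loads(inspect_json):
        socks = [m["Source"] for m in c.get("Mounts", [])
                 if m.get("Type") == "bind" and m.get("Source") in SOCKET_PATHS]
        if not socks:
            continue
        hc = c.get("HostConfig", {})
        opts = hc.get("SecurityOpt") or []   # None when no --security-opt given
        findings.append({
            "name": c["Name"].lstrip("/"),
            "socket": socks[0],
            "privileged": bool(hc.get("Privileged")),
            "label_disabled": "label=disabled" in opts,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INSPECT):
        print(f"{f['name']}: mounts {f['socket']} "
              f"(privileged={f['privileged']}, label=disabled={f['label_disabled']}) "
              "-> treat as root-equivalent")
```

Pipe real output in with `docker inspect $(docker ps -q) | python3 audit.py` after replacing the sample; any container listed holds full control of the host, whatever its other settings say.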
If a container process gains access to this socket or the podman socket then it has full control on the system, i.e. full root.
Basically the container process does a
docker run -ti --privileged fedora sh and it has a full root running process on the system, and only needs to escape mount namespace.