Docker Shield is an authorization plugin for Docker that addresses common security configuration issues with Docker. Essentially, it creates a locked-down version of Docker that removes a lot of the attack surface, while still allowing for Docker's feature dense usages.
Docker Shield ensures the following:
- Custom security profiles cannot be added with
--security-opts apparmor=unconfined
, for example - Disallows bind mounts from the host
- Prevents privileged mode
Work in progress:
- Enforcing that users start containers and exec into them with their own user ids, and not the default root user (may not be possible with a plugin)
- All containers are started with
--no-new-privileges
option, which ensures that users can't escalate privileges within a container, for example, with a setuid binary (this can be achieved by default in the /etc/daemon.json file - Create a white list for apparmor/seccomp/selinux profiles
- Prevent
--cap-add
option from being used
Installation is pretty straight forward:
make
sudo make install
Then we need to update our systemd service file for docker. Update the following line in /lib/systemd/system/docker.service:
- ExecStart=/usr/bin/dockerd --debug -H fd:// --containerd=/run/containerd/containerd.sock
+ ExecStart=/usr/bin/dockerd --debug -H fd:// --containerd=/run/containerd/containerd.sock --authorization-plugin=docker-shield
to uninstall:
sudo make uninstall