What is docker container escape
Docker container escape refers to the process and result in which an attacker, having hijacked the containerized business logic or obtained direct control of the container, gains command execution capability under certain permissions inside the container. Because Docker relies on isolation technology, a process inside the container cannot see processes outside it, while a process outside can see inside; if a container can nonetheless access outside resources, or even obtain the permissions of the host, this is called a "Docker escape".
The operating environment of this tutorial: Linux 7.3 system, Docker version 19.03, Dell G3 computer.
"Container escape" refers to the following process and result: first, the attacker hijacks the containerized business logic, or obtains direct control of the container (CaaS and other scenarios where control of a container is legitimately obtained), and thereby gains command execution capability under certain permissions inside the container;
then the attacker uses this command execution capability to obtain, by some method, command execution capability under certain permissions on the direct host of the container (in the common deployment "a physical machine runs a virtual machine, and the virtual machine runs the container", the direct host is the virtual machine outside the container).
Because Docker uses isolation technology, a process inside the container cannot see processes outside it, but a process outside can see inside. If a container can access outside process resources, or even obtain the permissions of the host, this is called a "Docker escape".
There are currently three reasons for Docker escape:
Caused by kernel vulnerabilities.
Caused by Docker software design.
Caused by improper privileged mode and configuration.
The following is a brief explanation of these three escape methods.
1. Escape caused by kernel vulnerability
Because Docker shares the host kernel directly, a security vulnerability in the host kernel also affects the security of Docker and may lead to a Docker escape. The specific process is as follows:
Use the kernel vulnerability to enter the kernel context
Obtain the task struct of the current process
Walk the task list to find the task struct with pid = 1 and copy its related data
Switch the current namespace
Open the root shell and complete the escape
2. Escape caused by Docker software design
A typical example is runc, Docker's standardized container execution engine. In February 2019 runc was found to have a Docker escape vulnerability, CVE-2019-5736. The principle of the vulnerability is that Docker, containerd and other runc-based programs are exposed at runtime: through a specially crafted container image or an exec operation, an attacker can obtain the file handle of the runc binary while the host's runc is executing, modify the runc binary, and thereby gain root execution permission on the host machine, causing a Docker escape.
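Since the vulnerability above ends with the host's runc binary being overwritten, one thing a defender can do on the host is baseline the runtime binary and re-check it periodically. The following script is an added example written for this article; it is not code from the article, from Docker or from the runc project. It assumes the runtime lives at a path such as /usr/bin/runc (an assumption; adjust for your distribution) and, so that it runs offline, the demo builds a fake "binary" in a temporary directory, records its baseline and then simulates an overwrite.

```python
import hashlib
import os
import stat
import tempfile

# Assumed location of the container runtime binary on the host; this is an
# assumption for the example, not a value from the article. Check `which runc`.
RUNC_PATH = "/usr/bin/runc"


def sha256_of(path):
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_runtime_binary(path, baseline_sha256, expected_uid=0):
    """Compare the runtime binary against a recorded baseline.

    Returns a list of findings; an empty list means the binary looks untouched.
    The checks are: not a symlink, a regular file, owned by the expected uid,
    not group/world writable, and content hash equal to the baseline.
    """
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["path is a symlink; resolve it and baseline the target instead"]
    if not stat.S_ISREG(st.st_mode):
        return ["path is not a regular file"]
    if st.st_uid != expected_uid:
        findings.append(f"owner uid is {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("binary is group- or world-writable")
    digest = sha256_of(path)
    if digest != baseline_sha256:
        findings.append(f"sha256 mismatch: {digest} != baseline {baseline_sha256}")
    return findings


def demo():
    """Constructed demonstration: baseline a fake runtime, then overwrite it.

    Returns (findings_before_tamper, findings_after_tamper).
    """
    with tempfile.TemporaryDirectory() as d:
        fake_runc = os.path.join(d, "runc")
        with open(fake_runc, "wb") as f:
            f.write(b"\x7fELF original runtime (constructed sample)")
        os.chmod(fake_runc, 0o755)
        baseline = sha256_of(fake_runc)  # what you would store at install time
        # The temp file is owned by the current user, so expect that uid here;
        # on a real host the expected owner of /usr/bin/runc is root (uid 0).
        clean = check_runtime_binary(fake_runc, baseline, expected_uid=os.getuid())
        with open(fake_runc, "wb") as f:
            f.write(b"\x7fELF overwritten content (constructed sample)")
        tampered = check_runtime_binary(fake_runc, baseline, expected_uid=os.getuid())
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before tamper:", before or "clean")
    print("after tamper: ", after)
```

On a real host you would record `sha256_of(RUNC_PATH)` right after installing or updating the runtime, store it somewhere a container cannot reach, and run `check_runtime_binary(RUNC_PATH, stored_hash)` from a cron job or a monitoring agent; a hash mismatch outside a package update window is worth an immediate look.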
3. Escape caused by directory mounting in privileged mode
This escape method is more commonly used than the other two. Privileged mode was introduced to Docker in version 6.0. Its core function is to allow root in the container to have root permissions on the external physical machine; previously, the root user in the container only had the permissions of an ordinary user on the external physical machine.
After a container is started in privileged mode (docker run --privileged), it is allowed to access all devices on the host, obtains access to a large number of device files, and can execute the mount command.
When controlling a container running in privileged mode, the Docker administrator can mount the host's disk device into the container with the mount command and thereby obtain read and write access to the entire host. In addition, they can execute commands on the host by writing scheduled tasks or by other methods.
Besides starting Docker in privileged mode, which can cause a Docker escape, the capability mechanism can also cause one. The Linux kernel introduced capabilities (Capabilities) in version 2.2, breaking up the UNIX/Linux division between the super user and ordinary users and allowing ordinary users to execute commands that could previously only be run with super user privileges. For example, when a container is started with --cap-add=SYS_ADMIN, the container process is allowed to execute a series of system management commands such as mount and umount; if the attacker then mounts an external device directory inside the container, a Docker escape will occur.
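The configuration problems described in this section (privileged mode, added capabilities such as SYS_ADMIN, and host directories or devices mounted into the container) are all visible in the output of `docker inspect`. The script below is an added example for this article, not code from the article or from Docker: it audits inspect output for exactly those settings. The field names (HostConfig.Privileged, HostConfig.CapAdd, Mounts) follow Docker's real inspect format, but the two sample containers, "weak" and "hardened", are constructed for the example, and the lists of dangerous capabilities and sensitive host paths are this example's own choice.

```python
import json
import sys

# Constructed sample in the shape of `docker inspect` output (two containers).
# Field names follow the Docker API; the values are made up for this example.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/weak",
        "HostConfig": {
            "Privileged": True,            # docker run --privileged
            "CapAdd": ["SYS_ADMIN"],       # docker run --cap-add=SYS_ADMIN
            "CapDrop": [],
        },
        "Mounts": [
            {"Type": "bind", "Source": "/", "Destination": "/host", "RW": True},
            {"Type": "bind", "Source": "/var/run/docker.sock",
             "Destination": "/var/run/docker.sock", "RW": True},
        ],
    },
    {
        "Name": "/hardened",
        "HostConfig": {
            "Privileged": False,
            "CapAdd": [],
            "CapDrop": ["ALL"],            # docker run --cap-drop=ALL
        },
        "Mounts": [
            {"Type": "bind", "Source": "/srv/app/data", "Destination": "/data", "RW": False},
        ],
    },
])

# Capabilities that let a container process mount filesystems, load modules or
# otherwise reach host resources (example's own list, not exhaustive).
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO", "DAC_READ_SEARCH"}

# Host paths whose exposure hands over host disks, devices or the Docker daemon.
SENSITIVE_HOST_PATHS = ("/", "/dev", "/proc", "/sys", "/etc", "/root",
                        "/var/run/docker.sock", "/run/docker.sock")


def _normalize_cap(cap):
    """Docker accepts both 'SYS_ADMIN' and 'CAP_SYS_ADMIN'; compare without the prefix."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def _is_sensitive(source):
    """True if the host source path is, or lies under, a sensitive host path."""
    src = source.rstrip("/") or "/"
    for p in SENSITIVE_HOST_PATHS:
        if src == p or (p != "/" and src.startswith(p + "/")):
            return True
    return False


def audit_container(container):
    """Return a list of findings for one container's inspect record."""
    hc = container.get("HostConfig", {})
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged mode: container root has unrestricted access to host devices")
    added = {_normalize_cap(c) for c in (hc.get("CapAdd") or [])}
    if "ALL" in added:
        findings.append("all capabilities added")
    for cap in sorted(added & DANGEROUS_CAPS):
        findings.append(f"dangerous capability added: {cap}")
    for m in container.get("Mounts", []):
        if m.get("Type") == "bind" and _is_sensitive(m.get("Source", "")):
            mode = "rw" if m.get("RW", True) else "ro"
            findings.append(f"sensitive host path bind-mounted: {m['Source']} -> {m['Destination']} ({mode})")
    return findings


def audit(inspect_json):
    """Map container name -> findings for a JSON array of inspect records."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}


if __name__ == "__main__":
    # Read real inspect output from stdin when piped; otherwise use the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else ""
    for name, findings in audit(raw.strip() or SAMPLE_INSPECT).items():
        print(f"[{'RISK' if findings else 'OK'}] {name}")
        for f in findings:
            print("   -", f)
```

Against a live host you would run `docker inspect $(docker ps -q) | python3 audit.py`; the "hardened" sample shows the settings that come out clean: no --privileged, --cap-drop=ALL with only the capabilities the workload needs added back, and only the application's own data directory mounted, read-only where possible.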