Docker --privileged

Reading time: 7 minutes

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

Nini Kinathiri

Unapokimbia kontena kama kilichopatiwa mamlaka, hizi ndizo ulinzi unazoziondoa:

Mount /dev

Katika kontena lililopatiwa mamlaka, vifaa vyote vinaweza kufikiwa katika /dev/. Hivyo unaweza kutoroka kwa kuunganisha diski ya mwenyeji.

bash

# docker run --rm -it alpine sh
ls /dev
console  fd       mqueue   ptmx     random   stderr   stdout   urandom
core     full     null     pts      shm      stdin    tty      zero

bash

# docker run --rm --privileged -it alpine sh
ls /dev
cachefiles       mapper           port             shm              tty24            tty44            tty7
console          mem              psaux            stderr           tty25            tty45            tty8
core             mqueue           ptmx             stdin            tty26            tty46            tty9
cpu              nbd0             pts              stdout           tty27            tty47            ttyS0
[...]

Mfumo wa faili wa kernel wa kusoma tu

Mifumo ya faili ya kernel inatoa njia kwa mchakato kubadilisha tabia ya kernel. Hata hivyo, linapokuja suala la michakato ya kontena, tunataka kuzuia mabadiliko yoyote kwenye kernel. Hivyo basi, tunashikilia mifumo ya faili ya kernel kama kusoma tu ndani ya kontena, kuhakikisha kwamba michakato ya kontena haiwezi kubadilisha kernel.

bash

# docker run --rm -it alpine sh
mount | grep '(ro'
sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime)
cpuset on /sys/fs/cgroup/cpuset type cgroup (ro,nosuid,nodev,noexec,relatime,cpuset)
cpu on /sys/fs/cgroup/cpu type cgroup (ro,nosuid,nodev,noexec,relatime,cpu)
cpuacct on /sys/fs/cgroup/cpuacct type cgroup (ro,nosuid,nodev,noexec,relatime,cpuacct)

bash

# docker run --rm --privileged -it alpine sh
mount  | grep '(ro'

Kuficha juu ya mifumo ya faili ya kernel

Mfumo wa faili wa /proc unaweza kuandikwa kwa kuchagua lakini kwa usalama, sehemu fulani zimekingwa dhidi ya ufikiaji wa kuandika na kusoma kwa kuzifunika na tmpfs, kuhakikisha kwamba michakato ya kontena haiwezi kufikia maeneo nyeti.

[!NOTE] > tmpfs ni mfumo wa faili unaohifadhi faili zote katika kumbukumbu ya virtual. tmpfs haaundi faili zozote kwenye diski yako ngumu. Hivyo, ikiwa utaondoa mfumo wa faili wa tmpfs, faili zote zilizomo ndani yake zitapotea milele.

bash

# docker run --rm -it alpine sh
mount  | grep /proc.*tmpfs
tmpfs on /proc/acpi type tmpfs (ro,relatime)
tmpfs on /proc/kcore type tmpfs (rw,nosuid,size=65536k,mode=755)
tmpfs on /proc/keys type tmpfs (rw,nosuid,size=65536k,mode=755)

bash

# docker run --rm --privileged -it alpine sh
mount  | grep /proc.*tmpfs

Uwezo wa Linux

Mifumo ya kontena inazindua kontena na idadi ndogo ya uwezo ili kudhibiti kinachotokea ndani ya kontena kwa kawaida. Wale wa haki wana uwezo wote unaopatikana. Ili kujifunza kuhusu uwezo, soma:

{{#ref}} ../linux-capabilities.md {{#endref}}

bash

# docker run --rm -it alpine sh
apk add -U libcap; capsh --print
[...]
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=eip
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
[...]

bash

# docker run --rm --privileged -it alpine sh
apk add -U libcap; capsh --print
[...]
Current: =eip cap_perfmon,cap_bpf,cap_checkpoint_restore-eip
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
[...]

Unaweza kudhibiti uwezo unaopatikana kwa kontena bila kukimbia katika hali ya --privileged kwa kutumia bendera za --cap-add na --cap-drop.

Seccomp

Seccomp ni muhimu ili kudhibiti syscalls ambazo kontena linaweza kuita. Profaili ya seccomp ya kawaida imewezeshwa kwa default wakati wa kukimbia kontena za docker, lakini katika hali ya privileged imezimwa. Jifunze zaidi kuhusu Seccomp hapa:

{{#ref}} seccomp.md {{#endref}}

bash

# docker run --rm -it alpine sh
grep Seccomp /proc/1/status
Seccomp:	2
Seccomp_filters:	1

bash

# docker run --rm --privileged -it alpine sh
grep Seccomp /proc/1/status
Seccomp:	0
Seccomp_filters:	0

bash

# You can manually disable seccomp in docker with
--security-opt seccomp=unconfined

Pia, kumbuka kwamba wakati Docker (au CRIs zingine) zinapotumika katika Kubernetes cluster, seccomp filter imezimwa kwa default

AppArmor

AppArmor ni uboreshaji wa kernel ili kufunga containers kwenye seti ndogo ya rasilimali zenye profiles za kila programu. Unapokimbia na bendera --privileged, ulinzi huu umezimwa.

{{#ref}} apparmor.md {{#endref}}

bash

# You can manually disable seccomp in docker with
--security-opt apparmor=unconfined

SELinux

Kukimbia kontena na bendera --privileged kunazima lebo za SELinux, na kusababisha kurithi lebo ya injini ya kontena, kwa kawaida unconfined, ikitoa ufikiaji kamili sawa na injini ya kontena. Katika hali isiyo na mizizi, inatumia container_runtime_t, wakati katika hali ya mizizi, spc_t inatumika.

{{#ref}} ../selinux.md {{#endref}}

bash

# You can manually disable selinux in docker with
--security-opt label:disable

Kitu Ambacho Hakikathiri

Majina

Majina hayakathiriwi na bendera ya --privileged. Ingawa hayana vikwazo vya usalama vilivyowekwa, hayaoni mchakato wote kwenye mfumo au mtandao wa mwenyeji, kwa mfano. Watumiaji wanaweza kuzima majina binafsi kwa kutumia bendera za injini za kontena --pid=host, --net=host, --ipc=host, --uts=host.

bash

# docker run --rm --privileged -it alpine sh
ps -ef
PID   USER     TIME  COMMAND
1 root      0:00 sh
18 root      0:00 ps -ef

bash

# docker run --rm --privileged --pid=host -it alpine sh
ps -ef
PID   USER     TIME  COMMAND
1 root      0:03 /sbin/init
2 root      0:00 [kthreadd]
3 root      0:00 [rcu_gp]ount | grep /proc.*tmpfs
[...]

User namespace

Kwa kawaida, injini za kontena hazitumiwi majina ya watumiaji, isipokuwa kwa kontena zisizo na mizizi, ambazo zinahitaji majina ya watumiaji kwa ajili ya usakinishaji wa mfumo wa faili na kutumia UID nyingi. Majina ya watumiaji, ambayo ni muhimu kwa kontena zisizo na mizizi, hayawezi kuzuiliwa na yanaboresha usalama kwa kiasi kikubwa kwa kupunguza mamlaka.

References

https://www.redhat.com/sysadmin/privileged-flag-container-engines

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.