So in order to get MIT-SHM working between application running inside docker container and x11 running on the host, I have to pass --ipc host
during starting the container. I've read the documentation about what it's supposed to do.
Assuming the application is NOT running as root (inside the container), what possible attack vectors does this open? In other words, how much does the --ipc host
compromise the security?
In terms of attack surface --ipc=host removes a layer of security and creates new attack vectors as any application running on the host that misbehaves when presented with malicious data in shared memory segments can become a potential attack vector.
Conclusions. Docker containers are, by default, quite secure; especially if you run your processes as non-privileged users inside the container. You can add an extra layer of safety by enabling AppArmor, SELinux, GRSEC, or another appropriate hardening system.
IPC namespace provides separation of IPC between the host and containers. If the host's IPC namespace is shared with the container, it would allow processes within the container to see all of the IPC on the host system. This breaks the benefit of IPC level isolation between the host and the containers.
AFAIK, in the case of Docker for Linux (standard distribution), the IP address of the host will always be 172.17. 0.1 (on the main network of docker, see comments to learn more). The easiest way to get it is via ifconfig (interface docker0) from the host: ifconfig.
In terms of attack surface --ipc=host
removes a layer of security and creates new attack vectors as any application running on the host that misbehaves when presented with malicious data in shared memory segments can become a potential attack vector.
Performance-sensitive programs use shared memory to store and exchange volatile data (x11 frame buffers are one example). In your case the non-root user in the container has access to the x11 server shared memory.
Running as non-root inside the container should somewhat limit unauthorized access, assuming correct permissions are set on all shared objects. Nonetheless if an attacker gained root privileges inside your container they would have access to all shared objects owned by root (some objects might still be restricted by the IPC_OWNER
capability which is not enabled by default).
You may ask yourself for each application on the host :
What are the odds of a compromise from maliciously crafted shared memory segments?
What are the consequences of a compromise? Is the application confined in any way?
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With