Escaping Docker Privileged Containers

Why you should not run Docker with the “privileged” flag

Photo by freestocks on Unsplash

Privileged Docker containers are containers that are run with the --privileged flag. Unlike regular containers, these containers have root privilege to the host machine.

Privileged containers are often used when the containers need direct hardware access to complete their tasks. However, privileged Docker containers can enable attackers to take over the host system. Today, let’s look at how attackers can escape privileged containers.

Finding an Exploitable Container

But how can we tell if we are in a privileged container in the first place?

How can you tell if you’re in a container?

cgroups stands for “control groups.” It is a Linux feature that isolates resource usage and is what Docker uses to isolate containers. You can tell if you are in a container by checking the init process’ control group at /proc/1/cgroup. If you are not located inside a container, the control group should be /. On the other hand, if you are inside a container, you should see /docker/CONTAINER_ID instead.

How can you tell if a container is privileged?

Once you’ve determined that you are in a container, you need to determine if that container is privileged. The best way to do this is to run a command that requires the --privileged flag and see if it succeeds.

For example, you can try to add a dummy interface by using an iproute2 command. This command requires the NET_ADMIN capability, which the container would have if it is privileged:

$ ip link add dummy0 type dummy

If this command runs successfully, you can conclude that the container has the NET_ADMIN capability. NET_ADMIN is part of the privileged capabilities set, and containers that don’t have it are not privileged. You can clean up the dummy0 link after this test by running this command:

ip link delete dummy0

Container Escape

So how do you escape a privileged container? By using this script. This example and PoC were…