
Upload dockerd socket mount detection rule and test file #3360

Merged
merged 19 commits into from
Sep 19, 2024

Conversation

r0075h3ll
Contributor

This PR adds a new rule, along with a test file, for detecting mounts of the dockerd Unix socket file (i.e. docker.sock).

Description

Docker works in a client-server architecture. In a normal setup, the docker command issued in the CLI interacts with the Docker server (dockerd) using a remote API or the Unix socket file (docker.sock); the latter is the one most often encountered. However, in a scenario where an attacker breaks into a container that has /var/run/docker.sock mounted, it can be leveraged to execute arbitrary commands on the host machine, i.e. to talk back to the host machine, thereby providing a way of escaping the container.

Example

Here's a dummy Dockerfile that mounts the docker.sock file:

```dockerfile
FROM docker:latest

WORKDIR /app

VOLUME /var/run/docker.sock:/var/run/docker.sock

CMD ["docker", "images"]
```

Upon running Semgrep with the provided rule, this is what the output looks like:
[screenshot of the Semgrep output; image not reproduced]

Thanks.
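As an added example (not the PR's rule or its test file), the Python below does by hand what the Semgrep rule is meant to do: it flags a Dockerfile VOLUME instruction that names /var/run/docker.sock, in shell or JSON-array form and across backslash continuations, and then checks `# ruleid:` / `# ok:` annotations the way Semgrep's rule tests do, which is what the review asked for. The rule id and the sample Dockerfile are constructed.

```python
import re
RULE_ID = "dockerd-socket-mount"  # constructed rule id, not the PR's
# docker.sock as a whole path token, in shell-form or JSON-array VOLUME syntax
SOCK_RE = re.compile(r'(^|[\s"\'\[,:])/var/run/docker\.sock(?=$|[\s"\'\],:])')

def logical_lines(text):
    """Yield (line_no, stmt): continuations joined, blanks dropped, comments kept."""
    buf, start = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or (buf and line.startswith("#")):
            continue  # blank line, or a comment inside a continuation
        if not buf:
            start = no
        if line.endswith("\\") and not line.startswith("#"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf = []

def find_sock_mounts(dockerfile):
    """Line numbers of VOLUME instructions (shell or JSON form) naming docker.sock."""
    hits = []
    for no, stmt in logical_lines(dockerfile):
        instr, _, args = stmt.partition(" ")
        if instr.upper() == "VOLUME" and SOCK_RE.search(args):
            hits.append(no)
    return hits

def check_annotations(dockerfile, rule_id=RULE_ID):
    """'# ruleid: X' expects a finding on the next statement, '# ok: X' expects none."""
    hits = set(find_sock_mounts(dockerfile))
    stmts = list(logical_lines(dockerfile))
    problems = []
    for (_, stmt), (nxt, _) in zip(stmts, stmts[1:]):
        m = re.match(r"#\s*(ruleid|ok):\s*(\S+)", stmt)
        if m and m.group(2) == rule_id and (nxt in hits) != (m.group(1) == "ruleid"):
            problems.append(f"line {nxt}: expected {'a' if m.group(1) == 'ruleid' else 'no'} finding")
    return problems

SAMPLE = """FROM docker:latest
# ruleid: dockerd-socket-mount
VOLUME /var/run/docker.sock:/var/run/docker.sock
# ruleid: dockerd-socket-mount
VOLUME ["/data", \\
        "/var/run/docker.sock"]
# ok: dockerd-socket-mount
volume /var/run/docker.sock.bak
"""  # constructed test file, annotated the way the review asks for
```

Running `check_annotations(SAMPLE)` returns an empty list, meaning every annotation agrees with the findings on lines 3 and 5.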

@CLAassistant

CLAassistant commented Apr 19, 2024

CLA assistant check
All committers have signed the CLA.


@ievans
Member

ievans commented Apr 23, 2024

Thanks for the contribution! Can you add a positive and negative test case annotation to the code? cf. https://semgrep.dev/docs/writing-rules/testing-rules/

@r0075h3ll
Contributor Author

r0075h3ll commented Apr 24, 2024

@ievans

Done :)

@0xDC0DE
Contributor

0xDC0DE commented Jul 8, 2024

This looks good to me, thanks for the contribution!

@r0075h3ll
Contributor Author

Hey @0xDC0DE, can we merge?

@r0075h3ll r0075h3ll requested a review from p4p3r July 17, 2024 04:30

@p4p3r p4p3r left a comment


lgtm

@0xDC0DE 0xDC0DE enabled auto-merge (squash) September 19, 2024 06:51
@0xDC0DE 0xDC0DE merged commit 7427b82 into semgrep:develop Sep 19, 2024
8 checks passed
Review comment on the rule file:

```yaml
    to escape container and execute arbitrary commands on the host machine.
languages:
- dockerfile
- yaml
```
Contributor


@0xDC0DE why do we have yaml listed as a language here?
