Using host operating system namespaces breaks container isolation and can lead to compromise of the host system.

Why is this an issue?

Sharing host operating system namespaces (PID, IPC, or network) with containers opens new attack surfaces for attackers who have already exploited services exposed by containers. These namespaces expose the host's processes, inter-process communication mechanisms, and local network services to the container. Sharing the host network can give a performance advantage to workloads with demanding network requirements, but successful exploitation of this attack vector could have a catastrophic impact on the confidentiality, integrity, and availability of the host or cluster.

What is the potential impact?

An attacker who compromises a container with host namespace access can extend their attack to the host system. They may be able to view or interact with sensitive host processes, intercept inter-process communications, or reach network services that are only intended to be accessible locally.

How to fix it

Code examples

Noncompliant code example

# syntax=docker/dockerfile:1.3
FROM example
RUN --network=host wget -O /home/sessions http://127.0.0.1:9000/sessions # Noncompliant

Compliant solution

# syntax=docker/dockerfile:1.3
FROM example
RUN --network=none wget -O /home/sessions http://127.0.0.1:9000/sessions
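The check below is an added example, not code from the rule page: a small Python script that scans a Dockerfile for RUN instructions carrying BuildKit's --network=host flag, joining backslash-continued lines so a flag on a later physical line is still found. The sample Dockerfile it scans is constructed for the demo.

```python
"""Flag Dockerfile RUN instructions that opt into the host network namespace."""
import re
# BuildKit puts RUN flags (--mount, --network, --security) before the command.
NETWORK_FLAG = re.compile(r"^--network=([A-Za-z]+)$", re.IGNORECASE)

# Constructed sample for this example; it is not taken from the rule page.
SAMPLE_DOCKERFILE = """\
# syntax=docker/dockerfile:1.3
FROM example
RUN --network=host wget -O /home/sessions http://127.0.0.1:9000/sessions
RUN --mount=type=cache,target=/root/.cache \\
    --network=HOST \\
    pip install -r requirements.txt
RUN --network=none echo "isolated"
RUN echo "--network=host is only text here"
"""

def logical_lines(dockerfile):
    """Join backslash-continued lines into (first line number, text) pairs;
    comment and blank lines are dropped, as the Dockerfile parser does."""
    result, buffer, start = [], [], 0
    for number, raw in enumerate(dockerfile.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not buffer:
            start = number
        if line.endswith("\\"):
            buffer.append(line[:-1].rstrip())
            continue
        buffer.append(line)
        result.append((start, " ".join(buffer)))
        buffer = []
    return result

def find_host_network_runs(dockerfile):
    """Return (line number, instruction) for every RUN that uses --network=host."""
    findings = []
    for number, text in logical_lines(dockerfile):
        tokens = text.split()
        if tokens[0].upper() != "RUN":
            continue
        for token in tokens[1:]:
            if not token.startswith("--"):
                break  # flags end where the command begins
            match = NETWORK_FLAG.match(token)
            if match and match.group(1).lower() == "host":
                findings.append((number, text))
                break
    return findings
```

Running it on the sample reports lines 3 and 4; the --network=none instruction and the quoted string in the echo command are not flagged.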
