docker / docker-bench-security

The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
Apache License 2.0

Docker daemon no-new-privileges: true seems to not work #492

Closed archfz closed 2 years ago

archfz commented 2 years ago

Although I have set in the daemon:

```json
{
 "icc": false,
 "no-new-privileges": true,
 "userland-proxy": false,
 "live-restore": true
}
```

Restarted docker. Recreated containers. I still get the following errors.

```
[WARN] 5.25  - Ensure the container is restricted from acquiring additional privileges
[WARN]      * Privileges not restricted: <container_name>
```

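The situation in the report above is a container that has no `no-new-privileges` entry in its own `HostConfig.SecurityOpt` because the restriction was set daemon-wide in `daemon.json`; a check that only inspects the container sees nothing and warns. The following added example (not code from the docker-bench-security project or from anyone in this thread) shows how an auditor can evaluate check 5.25 against both sources: the per-container `SecurityOpt` from `docker inspect` and the daemon default from `daemon.json`. The inspect output and the container names are constructed for the example; the `daemon.json` content is the one posted in the issue. Treating `no-new-privileges:false` as "not set at container level" is an assumption made here for illustration; this thread does not discuss whether a container can opt out of the daemon default.

```python
import json

# Constructed sample: a trimmed-down `docker inspect` result for three containers.
# Only the fields this check reads are included; real output carries many more.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"SecurityOpt": None}},
    {"Name": "/api", "HostConfig": {"SecurityOpt": ["no-new-privileges"]}},
    {"Name": "/db",  "HostConfig": {"SecurityOpt": ["seccomp=unconfined"]}},
])

# The daemon.json from the issue, embedded here as a constant for an offline run.
SAMPLE_DAEMON_JSON = json.dumps({
    "icc": False,
    "no-new-privileges": True,
    "userland-proxy": False,
    "live-restore": True,
})


def daemon_default_no_new_privileges(daemon_json: str) -> bool:
    """True if the daemon configuration sets "no-new-privileges": true.

    A daemon-wide default is not echoed back into each container's
    HostConfig.SecurityOpt, so it has to be read from daemon.json itself."""
    return json.loads(daemon_json).get("no-new-privileges") is True


def container_sets_no_new_privileges(security_opt) -> bool:
    """True if the container's own HostConfig.SecurityOpt carries the flag.

    Docker records `--security-opt no-new-privileges` as the bare string
    "no-new-privileges"; a "no-new-privileges:true" form is accepted as well.
    Assumption for this example: any other value means "not set here"."""
    for opt in security_opt or []:          # SecurityOpt is null when unset
        name, _, value = opt.partition(":")
        if name == "no-new-privileges" and value in ("", "true"):
            return True
    return False


def audit_containers(inspect_json: str, daemon_json: str = "{}"):
    """Evaluate check 5.25 for every container in the inspect output.

    Returns [(container_name, restricted)], where restricted is True when
    either the container itself or the daemon default blocks new privileges."""
    daemon_default = daemon_default_no_new_privileges(daemon_json)
    results = []
    for container in json.loads(inspect_json):
        opts = container["HostConfig"].get("SecurityOpt")
        restricted = container_sets_no_new_privileges(opts) or daemon_default
        results.append((container["Name"], restricted))
    return results


def warn_lines(inspect_json: str, daemon_json: str = "{}"):
    """Produce bench-style WARN lines for the containers that fail the check."""
    lines = []
    for name, restricted in audit_containers(inspect_json, daemon_json):
        if not restricted:
            lines.append(f"[WARN]      * Privileges not restricted: {name.lstrip('/')}")
    return lines


if __name__ == "__main__":
    print("Daemon default off:")
    for line in warn_lines(SAMPLE_INSPECT, "{}"):
        print(line)
    print("Daemon default on (daemon.json from the issue):")
    for line in warn_lines(SAMPLE_INSPECT, SAMPLE_DAEMON_JSON):
        print(line)
    print("(no warnings above means every container is restricted)")
```

With the daemon default off, `web` and `db` are reported; with the issue's `daemon.json`, the same inspect data produces no warnings. On a live host the inputs would come from `docker inspect $(docker ps -q)` and `/etc/docker/daemon.json`; the decision logic is unchanged.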
konstruktoid commented 2 years ago

Hi @archfz and thanks for reporting this. I believe this is fixed with https://github.com/docker/docker-bench-security/pull/493, please test.

archfz commented 2 years ago

Can you push a docker tag so I can test it?

konstruktoid commented 2 years ago

As in a Docker container tag? Sorry, the Docker Hub image isn't supported (https://github.com/docker/docker-bench-security/issues/405) at the moment.

archfz commented 2 years ago

Ok. I have built the image and tested manually. It seems to be working.

But there is something strange. Running the tests from the master Docker image I get a score of 23. If I run from your branch, in the same environment, I get only 14. I would have expected the score to increase. Or is the score backwards, lower is better?

konstruktoid commented 2 years ago

Hmm, I'll have a look at that score issue.

There isn't any "good" or "bad" scores since there's no definition of what a good score should be or what's considered a good minimum value.

archfz commented 2 years ago

There are more checks on the other hand. I suppose the latest master has additional unreleased features, that are not yet in the latest docker image. I think this can be closed.

konstruktoid commented 2 years ago

Ah, yeah. The repo code is the newest Benchmark while the Docker image is getting very old.

Did you compare the master branch with my update?