Disabling builder sandboxes can lead to unauthorized access of the host system by malicious programs.

By default, programs that are executed by a RUN instruction are in a sandbox mode that limits the capabilities of the according process. Explicitly disabling the sandbox grants the process additional capabilities that might allow it to escalate privileges and access the host system.

Ask Yourself Whether

• The program is controlled by an external entity.
• The program is part of a supply chain that could be a victim of a supply chain attack.

There is a risk if you answered yes to the question.

Recommended Secure Coding Practices

• Whenever possible, the sandbox should stay enabled to reduce unnecessary risk.
• If elevated capabilities are absolutely necessary, make sure to verify the integrity of the program before executing it.

Sensitive Code Example

# syntax=docker/dockerfile:1-labs
FROM ubuntu:22.04
# Sensitive
RUN --security=insecure ./example.sh

Compliant Solution

# syntax=docker/dockerfile:1-labs
FROM ubuntu:22.04
RUN ./example.sh
RUN --security=sandbox ./example.sh

See

• MITRE, CWE-250 - Execution with Unnecessary Privileges
• MITRE, CWE-284 - Improper Access Control
• Dockerfile reference - RUN