
Prevent Container Breakout

Block mounting /var/run/docker.sock into the container

mount:
  mode: block
  target: host
  deny:
    - /var/run/docker.sock

Example

# docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock ubuntu:latest bash
docker: Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:76: mounting "/var/run/docker.sock" to rootfs at "/var/run/docker.sock" caused: mount through procfd: operation not permitted: unknown.

Block access to the /proc/sys directory in the container

file:
  mode: block
  target: container
  allow:
    - /
  deny:
    - /proc/sys

Example

root@ubuntu-impish:/# ls /proc/sys
abi  debug  dev  fs  kernel  net  user  vm

root@ubuntu-impish:/# docker run --privileged --rm -it ubuntu:latest bash
root@9cf961922b00:/# ls /proc/sys
ls: cannot open directory '/proc/sys': Operation not permitted

Block escapes from a privileged container

A privileged container can reach the host kernel through these paths: /proc/sysrq-trigger issues SysRq commands to the host, while /sys/kernel/uevent_helper and /proc/sys/kernel/core_pattern name programs the host kernel runs on its own behalf. Denying writes to them takes those levers away without removing the rest of the filesystem.

file:
  mode: block
  target: container
  allow:
    - /
  deny:
    - /proc/sysrq-trigger
    - /sys/kernel
    - /proc/sys/kernel

Example

root@ubuntu-impish:/# docker run --privileged --rm -it ubuntu:latest bash
root@e3b2ffe5b284:/# echo c > /proc/sysrq-trigger
bash: /proc/sysrq-trigger: Operation not permitted

root@e3b2ffe5b284:/# echo '/path/to/evil' > /sys/kernel/uevent_helper
bash: /sys/kernel/uevent_helper: Operation not permitted

root@e3b2ffe5b284:/# echo '|/path/to/evil' > /proc/sys/kernel/core_pattern
bash: /proc/sys/kernel/core_pattern: Operation not permitted
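The three block-mode policies above share one evaluation model, and it helps to see it spelled out: a path is checked against the deny list before the allow list, and a denied directory covers everything beneath it. The script below is an added example, not code from the tool this page documents. It assumes that deny entries override allow entries, that entries match component-wise as path prefixes (so a deny of /proc/sys covers /proc/sys/kernel/core_pattern but not /proc/sysrq-trigger), that a path matched by neither list is blocked, and, going beyond what the page shows, that a bind mount is also refused when its host source is a parent directory of a denied path (mounting /var/run would otherwise expose docker.sock). The names FILE_POLICY, MOUNT_POLICY, file_decision, mount_decision and parse_docker_volumes are chosen here and are not the tool's own.

```python
"""Evaluate block-mode file and mount policies of the shape shown on this page.

Added example (not the documented tool's code). Assumptions:
  * deny entries win over allow entries;
  * entries match as component-wise path prefixes, not string prefixes;
  * a path matched by neither list is blocked (default deny);
  * a bind mount is refused if its host source equals, lies under, or
    contains a denied path (the last case is an extension of the page).
"""
from __future__ import annotations

import posixpath
from pathlib import PurePosixPath

# Constructed policy fragments mirroring the YAML on the page (the three
# file deny lists are merged into one for the demonstration).
FILE_POLICY = {
    "mode": "block",
    "target": "container",
    "allow": ["/"],
    "deny": ["/proc/sys", "/proc/sysrq-trigger", "/sys/kernel"],
}

MOUNT_POLICY = {
    "mode": "block",
    "target": "host",
    "deny": ["/var/run/docker.sock"],
}


def _covers(rule: str, path: str) -> bool:
    """True if `rule` is `path` itself or one of its ancestor directories."""
    r, p = PurePosixPath(rule), PurePosixPath(path)
    return r == p or r in p.parents


def file_decision(policy: dict, path: str) -> str:
    """Return "deny" or "allow" for an in-container path under a block-mode file policy."""
    if policy.get("mode") != "block":
        raise ValueError("only block mode is modelled here")
    # Collapse '..', '.' and duplicate slashes so "/proc/sys/../cpuinfo" is
    # judged as "/proc/cpuinfo"; the kernel-side enforcer sees resolved paths.
    norm = posixpath.normpath(path)
    if any(_covers(rule, norm) for rule in policy.get("deny", [])):
        return "deny"
    if any(_covers(rule, norm) for rule in policy.get("allow", [])):
        return "allow"
    return "deny"  # assumption: nothing matched means blocked


def mount_decision(policy: dict, host_source: str) -> str:
    """Decide whether a bind mount with host-side source `host_source` may proceed."""
    if policy.get("mode") != "block":
        raise ValueError("only block mode is modelled here")
    norm = posixpath.normpath(host_source)
    for rule in policy.get("deny", []):
        # Refuse the denied path, anything below it, and (extension) any
        # ancestor directory, since mounting /var/run would carry the socket in.
        if _covers(rule, norm) or _covers(norm, rule):
            return "deny"
    return "allow"


def parse_docker_volumes(args: list[str]) -> list[str]:
    """Extract host sources from -v / --volume arguments of a docker run command line.

    Only the colon-separated volume syntax is handled; --mount type=bind,... is
    left out to keep the example short. Named volumes (no leading '/') are skipped.
    """
    sources: list[str] = []
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-v", "--volume") and i + 1 < len(args):
            spec, i = args[i + 1], i + 2
        elif arg.startswith("--volume="):
            spec, i = arg.split("=", 1)[1], i + 1
        else:
            i += 1
            continue
        host = spec.split(":", 1)[0]
        if host.startswith("/"):
            sources.append(host)
    return sources


if __name__ == "__main__":
    # Constructed command line, the same one the page's first example runs.
    cmd = "docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock ubuntu:latest bash".split()
    for src in parse_docker_volumes(cmd[1:]):
        print(f"mount {src}: {mount_decision(MOUNT_POLICY, src)}")
    for p in ["/proc/sys", "/proc/sys/kernel/core_pattern", "/proc/sysrq-trigger",
              "/sys/kernel/uevent_helper", "/proc/sys/../cpuinfo", "/sys/kernelx"]:
        print(f"file {p}: {file_decision(FILE_POLICY, p)}")
```

Two details are worth checking against whatever enforcer you actually run: whether a deny on /var/run/docker.sock also stops a bind mount of /var/run (this script refuses it; the page does not say), and whether matching is component-wise, so that a deny on /sys/kernel leaves an unrelated /sys/kernelx untouched rather than blocking everything that merely starts with the same string.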