Hi,
I think it is worth mentioning in the README that, since this service unconditionally listens on 0.0.0.0:2375 and proxies the docker socket, any container that runs in the same subnet (which, without an explicit networks configuration, is literally any container) can have read access to the docker socket, even if that is not intended.
Also it would be nice if there were an env flag to disable the tcp socket on 2375.
An example of how this can be abused:

```yaml
name: "reverse-proxy"
services:
  socket-proxy:
    image: "11notes/socket-proxy:2.1.6"
    read_only: true
    user: "0:973"
    environment:
      TZ: "Europe/Zurich"
    volumes:
      - "/var/run/docker.sock:/run/docker.sock:ro"
      - "socket-proxy.run:/run/proxy"
    restart: "always"
  test:
    image: "alpine/curl"
    # Usually random containers are not intended to have access to docker sock
    command: "curl http://socket-proxy:2375/containers/json"
    depends_on:
      socket-proxy:
        condition: "service_healthy"
        restart: true
volumes:
  socket-proxy.run:
```

An example of how this can be mitigated:

```yaml
name: "reverse-proxy"
services:
  socket-proxy:
    image: "11notes/socket-proxy:2.1.6"
    read_only: true
    user: "0:973"
    environment:
      TZ: "Europe/Zurich"
    volumes:
      - "/var/run/docker.sock:/run/docker.sock:ro"
      - "socket-proxy.run:/run/proxy"
    networks: ["ultra_isolated_net"]
    restart: "always"
  test:
    image: "alpine/curl"
    # Will fail
    command: "curl http://socket-proxy:2375/containers/json"
    depends_on:
      socket-proxy:
        condition: "service_healthy"
        restart: true
volumes:
  socket-proxy.run:
networks:
  # If the proxy is only in this subnet, this effectively makes it impossible to access the tcp socket from the outside of the container
  ultra_isolated_net:
    driver: bridge
    internal: true
    driver_opts:
      com.docker.network.bridge.enable_icc: "false"
```
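Added example (not part of the issue or the socket-proxy project): a small lint that reads the JSON produced by `docker compose config --format json` and reports every service that mounts the docker socket but sits on a non-internal network or shares a network with a service that does not mount it, i.e. the exposure described above. The embedded `SAMPLE` is a constructed stand-in for that JSON, shaped like the unmitigated compose file; the hardened file from the report produces no findings.

```python
import json
import sys

SOCKET_MARKER = "docker.sock"


def mounts_docker_socket(service):
    """True if any volume entry (short string or long dict form) binds the docker socket."""
    for vol in service.get("volumes", []):
        source = vol.get("source", "") if isinstance(vol, dict) else vol.split(":")[0]
        if SOCKET_MARKER in source:
            return True
    return False


def service_networks(service):
    """Networks a service joins; Compose attaches it to 'default' when none are listed."""
    nets = service.get("networks")
    return list(nets) if nets else ["default"]  # handles list form and {name: cfg} map form


def find_exposed_proxies(project):
    """Findings for socket-mounting services reachable over non-internal or shared networks."""
    services = project.get("services", {})
    declared = project.get("networks", {}) or {}
    findings = []
    for name, svc in services.items():
        if not mounts_docker_socket(svc):
            continue
        for net in service_networks(svc):
            # A network declared as `internal: true` has no route outside the bridge.
            if not (declared.get(net) or {}).get("internal", False):
                findings.append(f"{name}: network '{net}' is not internal")
            # Any other service on the same network can reach the proxy's tcp port.
            for other, osvc in services.items():
                if other != name and not mounts_docker_socket(osvc) and net in service_networks(osvc):
                    findings.append(f"{name}: shares network '{net}' with '{other}'")
    return findings


# Constructed sample, shaped like `docker compose config --format json` for the unmitigated file.
SAMPLE = {
    "services": {
        "socket-proxy": {"volumes": [{"type": "bind", "source": "/var/run/docker.sock", "target": "/run/docker.sock"}]},
        "test": {"image": "alpine/curl"},
    },
    "networks": {"default": {"name": "reverse-proxy_default"}},
}

if __name__ == "__main__":
    project = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for finding in find_exposed_proxies(project):
        print(finding)
```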