## Introduction

Containers running with `--privileged` have full access to the host's devices and all kernel capabilities. This removes the isolation a container is supposed to provide and lets a process inside the container escape to the host system, which is a critical security weakness.
## Symptoms

- Container started with the `--privileged` flag
- Container can access `/dev`, mount filesystems and modify iptables
- Security scan reports a privileged-container risk
- Container can read the host's `/proc` and `/sys`
- Potential container escape to the host root filesystem
## Common Causes

- Legacy container configuration using `--privileged` for convenience
- Docker-in-Docker (DinD) requiring privileged mode
- Hardware access (USB, GPU) requiring device access
- Misconfigured CI/CD pipeline granting privileged access
- Developer convenience overriding security best practices
## Step-by-Step Fix

1. **Identify privileged containers**:

   ```bash
   # List every running container whose HostConfig.Privileged is true
   docker ps --format '{{.Names}}' | while read -r c; do
     if docker inspect --format='{{.HostConfig.Privileged}}' "$c" | grep -q true; then
       echo "PRIVILEGED: $c"
     fi
   done
   ```

2. **Replace `--privileged` with specific capabilities**:

   ```bash
   # Instead of:
   docker run --privileged my-container
   # Use specific capabilities (dropping everything first keeps the set minimal):
   docker run --cap-drop=ALL --cap-add=NET_ADMIN --cap-add=SYS_PTRACE my-container
   ```

3. **For Docker-in-Docker, use rootless mode or socket mounting**:

   ```bash
   # Instead of privileged DinD, mount the Docker socket:
   docker run -v /var/run/docker.sock:/var/run/docker.sock my-ci-container
   # Caveat: anything that can talk to the socket controls the host's Docker
   # daemon, so only trusted CI images should get it.
   # Or use rootless DinD (the daemon runs as an unprivileged user inside the
   # container; the image itself still requires --privileged for its own mounts):
   docker run --privileged docker:24-dind-rootless
   ```

4. **Apply a seccomp profile to restrict syscalls** (Docker applies its default profile automatically, but `--privileged` or `seccomp=unconfined` turns it off):

   ```bash
   # default.json is a profile file in the current directory, e.g. a copy of
   # Docker's default profile:
   docker run --security-opt seccomp=default.json my-container
   # Or use a custom profile
   docker run --security-opt seccomp=custom-profile.json my-container
   ```
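The checks in the four steps above can be folded into one audit over `docker inspect` output. This is an added example, not code from the original page: it reads the real HostConfig fields that `docker inspect` emits (`Privileged`, `CapAdd`, `SecurityOpt`, `Binds`), and the three container records at the bottom are constructed sample input standing in for `docker inspect $(docker ps -q)`.

```python
"""Audit `docker inspect` output for the privileged-container risks discussed above."""
import json

DOCKER_SOCKET = "/var/run/docker.sock"
# Capabilities that on their own hand out near-host-root power.
HIGH_RISK_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_RAWIO"}
HOST_ROOTS = ("/", "/proc", "/sys", "/dev")


def audit_container(record):
    """Return (container name, list of findings) for one `docker inspect` record."""
    name = record.get("Name", "?").lstrip("/")
    hc = record.get("HostConfig") or {}  # real field names from docker inspect
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged: full access to host devices and all capabilities")
    for cap in hc.get("CapAdd") or []:
        level = "high" if cap.upper() in HIGH_RISK_CAPS else "review"
        findings.append(f"cap-add {cap} ({level})")
    if "seccomp=unconfined" in (hc.get("SecurityOpt") or []):
        findings.append("seccomp unconfined: no syscall filtering")
    for bind in hc.get("Binds") or []:
        src = bind.split(":")[0]
        if src == DOCKER_SOCKET:
            findings.append("docker socket mounted: control of the host daemon")
        elif src in HOST_ROOTS or src.startswith(("/proc/", "/sys/", "/dev/")):
            findings.append(f"host path {src} mounted")
    return name, findings


def audit(inspect_json):
    """Audit every record in the JSON array that `docker inspect` prints."""
    return dict(audit_container(r) for r in json.loads(inspect_json))


# Constructed sample input: three containers in the shape `docker inspect` returns.
SAMPLE = json.dumps([
    {"Name": "/legacy-app", "HostConfig": {"Privileged": True, "CapAdd": None}},
    {"Name": "/ci-runner", "HostConfig": {
        "Privileged": False, "CapAdd": ["NET_ADMIN", "SYS_PTRACE"],
        "SecurityOpt": ["seccomp=unconfined"],
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
    {"Name": "/hardened", "HostConfig": {"Privileged": False, "CapAdd": None,
        "SecurityOpt": ["seccomp=custom-profile.json"]}},
])

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(f"{name}: {', '.join(findings) or 'no findings'}")
```

Pipe real output in with `docker inspect $(docker ps -q) | python3 audit.py` after swapping `SAMPLE` for `sys.stdin.read()`; a container that returns no findings still warrants a look at its `Mounts` and `PidMode`, which this audit does not cover.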