Reputation: 2954
Let's suppose I run a docker container with a malware on my Linux machine, what are the damages that can be done?
What is the list of security concerns for running Docker in terms of CPU, memory, disk I/O, network I/O, system...?
My first guesses (to complete):
The container will be able to burn my CPU as there is no way to limit the percentage of CPU that the container can use.
It will also have direct access to my Linux kernel, which might not be very good either (if not locked down with SELinux).
Will it be able to completely fill up my disk or inject crappy things into memory?
Upvotes: 5
Views: 564
Reputation: 1719
Yes, it has access to your kernel, so basically you have little protection, as you can see here.
About burning your CPU: when the CPU gets to a certain temperature, some motherboards shut down the computer to avoid "burning" the CPU (if that is what you're talking about).
There are a few things you can do to improve security, as you can see here:
SELinux - Enabling this will automatically generate an MCS label for each container, limiting its ability to do damage.
Read-Only - You can also mark the container read-only, which allows you to make large portions of the container's image read-only and makes it harder for an attacker to deploy malware.
Self-Hosted Registry - To reduce the risk of image tampering, loading malicious containers, leaking secrets, or otherwise putting yourself at risk you can host a registry internally. https://github.com/dogestry/dogestry is an example of one which sits on top of S3, though there are other options as well.
Upvotes: 2
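As an added example (not code from the question or the answer), here is a small Python audit over `docker inspect` output that flags the settings discussed above: missing cgroup CPU, memory and pids limits, a writable root filesystem, a missing SELinux label, added capabilities, host networking and host-root-equivalent bind mounts. The two inspect documents are constructed samples in the shape of the real `HostConfig` and `ProcessLabel` fields; in practice you would pipe `docker inspect <container>` into `audit_containers`.

```python
import json

# Constructed sample in the shape of `docker inspect <container>` output (a subset of
# the real fields), for a container started with no limits and a docker.sock bind.
UNLIMITED = json.dumps([{
    "Name": "/suspicious", "ProcessLabel": "",
    "HostConfig": {"Memory": 0, "NanoCpus": 0, "PidsLimit": None,
                   "ReadonlyRootfs": False, "Privileged": False,
                   "CapAdd": ["SYS_ADMIN"], "CapDrop": None,
                   "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                   "NetworkMode": "default"}}])

# Constructed sample for the same image run with cgroup limits, --read-only,
# --cap-drop ALL and an SELinux MCS label (ProcessLabel is where Docker reports it).
HARDENED = json.dumps([{
    "Name": "/sandboxed", "ProcessLabel": "system_u:system_r:container_t:s0:c12,c34",
    "HostConfig": {"Memory": 268435456, "NanoCpus": 500000000, "PidsLimit": 100,
                   "ReadonlyRootfs": True, "Privileged": False,
                   "CapAdd": None, "CapDrop": ["ALL"], "Binds": None,
                   "NetworkMode": "bridge"}}])

def audit_containers(inspect_json: str) -> dict:
    """Map container name -> list of findings, given `docker inspect` JSON."""
    report = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        findings = []
        if not hc.get("Memory"):
            findings.append("no memory limit (--memory): can exhaust host RAM")
        if not hc.get("NanoCpus") and not hc.get("CpuQuota"):
            findings.append("no CPU limit (--cpus): can monopolise host CPU")
        if not hc.get("PidsLimit"):
            findings.append("no pids limit (--pids-limit): a fork bomb reaches the host")
        if not hc.get("ReadonlyRootfs"):
            findings.append("writable rootfs (--read-only missing): malware can persist")
        if hc.get("Privileged"):
            findings.append("--privileged: near-root access to the host kernel")
        for cap in hc.get("CapAdd") or []:
            findings.append(f"added capability {cap}: wider kernel attack surface")
        for bind in hc.get("Binds") or []:
            src = bind.split(":", 1)[0]
            if src in ("/", "/var/run/docker.sock", "/run/docker.sock"):
                findings.append(f"host path {src} mounted: equivalent to root on the host")
        if hc.get("NetworkMode") == "host":
            findings.append("host network namespace: no network isolation")
        if not c.get("ProcessLabel"):
            findings.append("no SELinux label: MCS confinement not applied")
        report[c["Name"]] = findings
    return report
```

Running `audit_containers(UNLIMITED)` reports seven findings for `/suspicious`, while the hardened sample reports none.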