If you use:
network_mode: service:wireguard
The app shares the same network namespace:
- The app can see all interfaces in that namespace
- The app uses the same routing table
- The app is in the same firewall context
If the app is compromised and runs as root (current image runs as root, then gosu to vscode user)
with sufficient caps (NET_ADMIN) it can modify:
- iptables
- routes
- wg interface
- DNS
Because it’s the same namespace.
Without NET_ADMIN, sharing the namespace means:
The app can:
- See all interfaces: wg0 eth0 lo
- See IP addresses
- Inspect routing table
- Attempt raw socket traffic (CAP_NET_RAW is present by default)
- Bind to any port inside that namespace
This might not be enough for an escape ATM but the escape is one misconfiguration away.
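Added example (not from the original comment): a small POSIX sh check that decodes the CapEff mask from /proc/<pid>/status and reports which network capabilities a process in the shared namespace actually holds, so you can verify from inside the app container whether NET_ADMIN or NET_RAW is present. Bit numbers come from linux/capability.h; the three sample masks are constructed for the demo, not taken from any real container on this thread.

```sh
#!/bin/sh
# Decode a CapEff bitmask (hex, as printed in /proc/<pid>/status) and report the
# network-relevant capabilities. Bit numbers from <linux/capability.h>.
CAP_NET_BIND_SERVICE=10
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# has_cap HEXMASK BIT -> exit 0 if that capability bit is set
has_cap() {
    mask=$((0x$1))
    [ $(( (mask >> $2) & 1 )) -eq 1 ]
}

# net_caps HEXMASK -> space-separated list of the network caps present
net_caps() {
    out=""
    has_cap "$1" $CAP_NET_BIND_SERVICE && out="$out NET_BIND_SERVICE"
    has_cap "$1" $CAP_NET_ADMIN && out="$out NET_ADMIN"
    has_cap "$1" $CAP_NET_RAW && out="$out NET_RAW"
    echo "${out# }"
}

# risk_level HEXMASK -> high   : NET_ADMIN present (can rewrite routes, iptables, wg0, DNS)
#                       medium : only NET_RAW (raw sockets inside the shared namespace)
#                       low    : neither
risk_level() {
    if has_cap "$1" $CAP_NET_ADMIN; then echo high
    elif has_cap "$1" $CAP_NET_RAW; then echo medium
    else echo low; fi
}

# current_capeff -> CapEff of this shell; run it inside the app container (Linux only)
current_capeff() {
    awk '/^CapEff:/ {print $2}' /proc/self/status
}

# Constructed sample masks (assumption: Docker's default cap set for root, which
# includes NET_RAW but not NET_ADMIN; the second adds NET_ADMIN; the third is cap_drop: [ALL])
DEFAULT_DOCKER_CAPS=00000000a80425fb
WITH_NET_ADMIN=00000000a80435fb
DROPPED_ALL=0000000000000000

for m in $DEFAULT_DOCKER_CAPS $WITH_NET_ADMIN $DROPPED_ALL; do
    echo "$m -> $(risk_level $m): $(net_caps $m)"
done
```

Inside the container, `risk_level "$(current_capeff)"` gives the live answer; anything other than `low` for the app service means the shared namespace is reachable with more than bind/connect.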