moby/moby
Security
Moby is a privileged daemon that exposes container management to local clients (and, optionally, remote clients). The trust boundary is between the API client and the daemon; everything below the daemon (containerd, kernel) is fully trusted.
For reporting vulnerabilities, see SECURITY.md: mail security@docker.com privately rather than filing a public issue.
Trust boundaries
graph LR External[External tooling] -->|TLS| TCPSocket[TCP socket] CLI[Local docker CLI] -->|Unix socket| UnixSocket TCPSocket --> Server[daemon/server] UnixSocket --> Server Server -->|trusted| Daemon Daemon -->|trusted| Containerd Daemon -->|trusted| Libnetwork Daemon --> Plugins[Plugins<br/>(out-of-process)] Daemon --> Registries[Image registries]
- The daemon trusts all callers that get past authentication. By default, that's anything with read/write access to
/var/run/docker.sock— typically root or members of thedockergroup, which is essentially equivalent to root. - TCP listeners require TLS in production; the daemon will refuse to listen on TCP without
--tls*flags or a config file enabling it.
Authorization plugins
For finer-grained authorization, the daemon supports authorization plugins (pkg/authorization/). When configured via --authorization-plugin=name, every request goes through pre/post hooks that can deny or modify it. The chain is wired into the server middleware. See Plugins.
Sandboxing inside containers
The daemon sets up several layers of process isolation when starting a container:
| Mechanism | Where |
|---|---|
| Linux namespaces (mnt, pid, net, ipc, uts, user, cgroup) | OCI spec generated in daemon/oci_linux.go. |
| Cgroup v1/v2 limits | OCI resources block; runtime config in daemon/runtime_unix.go. |
| Seccomp | Default profile from github.com/moby/profiles/seccomp. Wiring: daemon/seccomp_linux.go. |
| AppArmor | Default profile from github.com/moby/profiles/apparmor. Wiring: daemon/apparmor_default.go. |
| Capability set | Drop all by default, add a small allowlist (CAP_NET_BIND_SERVICE, CAP_AUDIT_WRITE, etc.). |
| User namespaces | --userns-remap=.... Implementation: daemon/internal/idtools/. |
| Rootless mode | Run the entire daemon as a non-root user. Code: daemon/internal/rootless/, docs/rootless.md. |
--privileged containers bypass most of this. Some flags (--cap-add SYS_ADMIN, --security-opt seccomp=unconfined) loosen specific layers; the daemon does not police whether the resulting combination is safe.
Image trust
- Pulls are HTTPS by default. Insecure registries must be explicitly listed in
daemon.json(insecure-registries). - Manifest digests are verified against descriptors during pull (see
pull_v2.goon the legacy path; containerd's resolver on the modern path). - The OCI policy helpers from
github.com/moby/policy-helpers(referenced byDaemon) provide a hook for image-policy enforcement.
Build-time secrets
BuildKit supports --secret and --ssh mounts that never persist into the produced image. The classic builder does not. Avoid embedding credentials in RUN commands; use BuildKit secrets.
Docker socket exposure
Mounting /var/run/docker.sock into a container gives that container root on the host. The README and docs are explicit about this. Authorization plugins can mitigate, but the daemon does not enforce per-client capability scoping.
Firewall and iptables
The bridge driver inserts iptables rules for masquerading, isolation, and port forwarding. They live in daemon/libnetwork/iptables/ and the bridge driver. nftables support is in daemon/libnetwork/internal/nftabler/. The daemon does not currently audit pre-existing rules; conflicts can produce surprising results (see the design notes under daemon/libnetwork/docs/).
Supply chain
- Dependencies are vendored under
vendor/and verified bymake validate-vendor. - The
go.sumfile is checked. - CI runs CodeQL (
.github/workflows/codeql.yml) and zizmor (.github/workflows/zizmor.yml) on every PR. - Release artifacts are signed; cosign attestations are produced during the release build.
Reporting
SECURITY.md describes the disclosure process: private email, 72-hour acknowledgement, draft GitHub Security Advisory, embargoed coordination, public disclosure once a patched release is out.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.