How to disable the docker copy functionality in both the ways (From container to host, From host to container)?
- You can't disable individual Docker commands, and anyone who can run any `docker` command has unrestricted root-level access to the whole host; even if they couldn't `docker cp` they can dig around in `/var/lib/docker` and find things. If you're asking [Is distributing python source code in Docker secure?](https://stackoverflow.com/questions/51552706/is-distributing-python-source-code-in-docker-secure), no, it's all but trivial to copy files out and you can't prevent it. (Consider a compiled language and a single-binary container in this case.) – David Maze Dec 06 '21 at 11:30
- One idea: write an HTTP proxy to the docker socket that filters certain requests, and disable access to the docker socket, so that everything has to be done via the HTTP proxy. Another idea: write a specific SELinux configuration so that the docker process can't access anything. – KamilCuk Dec 06 '21 at 13:59
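
The request filtering suggested in the second comment could make its allow/deny decision as in the following added example (not code from the thread or from Docker). `normalize` and `is_allowed` are hypothetical names, the sample requests are constructed, and the blocked paths are the Docker Engine API endpoints behind `docker cp` (`/containers/{id}/archive`), the legacy `/containers/{id}/copy`, and, going one step beyond `docker cp`, `/containers/{id}/export`.

```python
import posixpath
import re
from urllib.parse import unquote

# Engine API paths may carry an optional version prefix such as /v1.41
_VERSION = re.compile(r"^/v\d+\.\d+(?=/)")
# Endpoints that move files into or out of a container. The container part is
# matched loosely (.+) so a percent-encoded slash in it cannot dodge the rule.
_BLOCKED = re.compile(r"^/containers/.+/(archive|export|copy)$")


def normalize(target: str) -> str:
    """Reduce a raw HTTP request target to a canonical, unversioned path."""
    path = unquote(target.partition("?")[0])  # drop query, decode %xx once
    path = re.sub(r"/+", "/", path)           # collapse repeated slashes
    path = posixpath.normpath(path)           # resolve "." and ".." segments
    return _VERSION.sub("", path, count=1)


def is_allowed(method: str, target: str) -> bool:
    """Return False for any request that reaches a file-copy endpoint.

    The method is ignored on purpose: HEAD, GET and PUT on /archive are all
    part of the copy workflow, so the path alone decides.
    """
    return _BLOCKED.match(normalize(target)) is None


# Constructed sample requests, as a proxy would see them on the wire.
SAMPLE = [
    ("GET", "/v1.41/containers/json"),
    ("GET", "/v1.41/containers/web/archive?path=/etc/passwd"),
    ("PUT", "/containers/web/archive?path=/tmp"),
    ("GET", "/v1.41//containers/web/%61rchive?path=/app"),
    ("GET", "/v1.41/containers/web/logs/../export"),
    ("POST", "/v1.41/containers/web/start"),
]

if __name__ == "__main__":
    for method, target in SAMPLE:
        verdict = "allow" if is_allowed(method, target) else "deny"
        print(f"{verdict:5} {method:4} {target}")
```

This decides only on the copy endpoints; as the first comment points out, anyone with other access to the daemon or to `/var/lib/docker` can still reach the same files.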