| Property | Value |
|---|---|
| Language | terraform |
| Severity | medium |
| Vulnerability Type | misconfiguration |

## Description

The configuration sets `procMount` in a container `securityContext` to a non-default value (in practice `Unmasked`). The default value, `Default`, keeps the container runtime's standard /proc masks, which hide or make read-only the paths that expose sensitive host process information; a non-default value removes those masks.

## Impact

Removing the default /proc masks increases the risk that a container can read or manipulate host process data, potentially enabling privilege escalation, information disclosure, or container breakout.

## Resolution

Do not set `spec.containers[].securityContext.procMount` or `spec.initContainers[].securityContext.procMount`. When the field is left unset, the runtime's default /proc masks apply.
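The following is an added example, not the scanner's own code: a policy check that implements this rule over Kubernetes manifests parsed into Python dicts (for example the body of a Terraform `kubernetes_manifest` block), covering both `containers` and `initContainers` for Pods and for workloads with a pod template. The sample manifests are constructed for illustration.

```python
# Kubernetes defines only "Default" and "Unmasked"; anything but "Default"
# drops the runtime's /proc masks (e.g. /proc/kcore hidden, /proc/sys read-only).
ALLOWED_PROC_MOUNT = {"Default"}

# Workload kinds whose pod spec lives under spec.template.spec
TEMPLATED_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}


def _pod_spec(manifest):
    """Return (JSON path prefix, pod spec dict) for a Pod or templated workload."""
    kind = manifest.get("kind")
    spec = manifest.get("spec") or {}
    if kind == "Pod":
        return "spec", spec
    if kind in TEMPLATED_KINDS:
        return "spec.template.spec", (spec.get("template") or {}).get("spec") or {}
    return None, {}  # kind carries no pod spec; nothing to check


def find_proc_mount_findings(manifest):
    """One 'path=value' entry per container or init container whose
    securityContext.procMount is set to a non-default value."""
    prefix, pod_spec = _pod_spec(manifest)
    findings = []
    if prefix is None:
        return findings
    for field in ("initContainers", "containers"):
        for i, c in enumerate(pod_spec.get(field) or []):
            value = (c.get("securityContext") or {}).get("procMount")
            if value is not None and value not in ALLOWED_PROC_MOUNT:
                findings.append(f"{prefix}.{field}[{i}].securityContext.procMount={value}")
    return findings


# Constructed sample: a Deployment whose init container unmasks /proc
VULNERABLE = {"kind": "Deployment", "spec": {"template": {"spec": {
    "initContainers": [{"name": "setup", "image": "busybox",
                        "securityContext": {"procMount": "Unmasked"}}],
    "containers": [{"name": "app", "image": "nginx"}]}}}}

# Same workload with procMount left unset, so the default masks apply
FIXED = {"kind": "Deployment", "spec": {"template": {"spec": {
    "initContainers": [{"name": "setup", "image": "busybox"}],
    "containers": [{"name": "app", "image": "nginx"}]}}}}

if __name__ == "__main__":
    for name, m in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(name, find_proc_mount_findings(m) or "no findings")
```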