How to block docker cp command in linux debian

I need to block the docker cp command on a Debian Linux system. I tried using AppArmor and SELinux, but I couldn’t find any relevant solutions.

In SELinux, it is necessary to install the docker-container module, but this is not possible because the engine is being used by CentOS.

Can you say more about the goal? Even if you block docker cp, people can still use the docker commands to copy files into containers or copy files out (if “tar” is available in the container). If your user has access to Docker, the user can get root privileges, so you would also need to deal with that as anyone with root privileges can override what you do.

This is what I recommended in other topics too. Sadly I never used it, but you need to protect the API first and then you restrict what someone can do with the API without root privileges.

As rimelek said, I don’t think that is possible, after all, you’re trying to prevent people from copying/moving files that are already on their machine.

Instead, if you want to protect your code from being visible to the eyes of others, you can compile it into a binary, or expose it as an API, thus never sending it to the clients, rather having the clients request functionality from your servers.

You could leverage Open Policy Agent to prevent it on api level:
https://www.openpolicyagent.org/docs/latest/docker-authorization/

If it’s supposed to be a general rule, it might even work with the normal docker.sock binding.

If it’s supposed to be a rule for specific users, you will need to remove the docker.sock binding (or at least prevent access to it), add a tcp binding protected via mTLS (see: Protect the Docker daemon socket | Docker Docs) to facilitate authentication based on certificates. The OPA rules can then be applied per user.
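As an added illustration of the OPA approach above (example policy, not code from this thread or from the OPA project): `docker cp` has no API call of its own, the CLI uses the `/containers/{id}/archive` endpoint, so that is what the Rego rule denies. It assumes the `input.Method`, `input.Path`, `input.User` and `input.AuthMethod` fields that the opa-docker-authz plugin passes in, and the exempt certificate CN `ops-admin` is a placeholder.

```rego
package docker.authz

import rego.v1

default allow := false

allow if {
    not deny
}

# docker cp maps onto the archive endpoint of the Engine API:
#   docker cp host:src ctr:dst  -> PUT  /containers/{id}/archive?path=...
#   docker cp ctr:src  host:dst -> GET  /containers/{id}/archive?path=...
#   the CLI also sends HEAD on the same endpoint to stat the path first
deny if {
    is_cp_request
    not cp_exempt_user
}

is_cp_request if {
    input.Method in {"GET", "PUT", "HEAD"}
    # optional /vX.Y API version prefix, any container id/name, optional query string
    regex.match(`^(/v[0-9]+\.[0-9]+)?/containers/[^/]+/archive(\?.*)?$`, input.Path)
}

# Per-user exemption only makes sense once the daemon is behind mTLS, because
# input.User is then the CN of the client certificate rather than empty.
# "ops-admin" is an assumed placeholder CN.
cp_exempt_user if {
    input.AuthMethod == "TLS"
    input.User in {"ops-admin"}
}
```

Without the mTLS binding every request arrives with an empty user, so the exemption never fires and the rule becomes a general block; as noted earlier in the thread, it still leaves `docker exec`, bind mounts and root on the host untouched.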
