The docker engine always runs with root permissions. By default, whoever has access to the docker CLI command and is allowed to access the docker.sock can effectively start a container with root permissions, map files from the /etc folder inside and use it for privilege escalation. Never provide access to the docker.sock to users you don’t trust!
You could unbind /var/run/docker.sock and use TLS-based authentication for your users - just don’t provide certificates to the people you don’t want to control the docker engine.
Other options:
- use the Open Policy Agent with AuthZ to restrict access with policies: Open Policy Agent | Docker
- instead of providing shell access to your users, set up Portainer and use Portainer’s rights and access management to narrow down the permissions a user has - I am not sure the granularity is fine enough, but it’s worth taking a look.
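Added example, not from the original post: a small shell audit of the two points above (who can reach docker.sock, and whether dockerd insists on TLS client certificates). It assumes GNU coreutils `stat` (Linux) and takes the socket, group file and daemon.json paths as parameters so it can be tried on constructed files before the real host.

```shell
#!/bin/sh
# Audit who can drive the Docker engine through its socket and whether the
# daemon demands TLS client certificates. Added example, not from the post.
# Assumption: GNU coreutils `stat`; paths are parameters so the checks run
# against constructed files as well as the real host.

# Members of the group owning the socket, read from a group(5)-format file.
# Every user listed here can start a root container through the socket.
socket_group_members() {
    sock="$1"; group_file="$2"
    grp=$(stat -c '%G' "$sock") || return 1
    awk -F: -v g="$grp" '$1 == g { print $4 }' "$group_file"
}

# "world" when the socket is writable by others (connecting to a unix socket
# needs write permission, so anyone on the host could talk to dockerd),
# otherwise "restricted" (owner and group only).
socket_world_access() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *[2367]) echo world ;;        # last octal digit carries the write bit
        *)       echo restricted ;;
    esac
}

# "tls" when daemon.json sets "tlsverify": true, i.e. dockerd rejects clients
# without a certificate signed by tlscacert; otherwise "none". Plain "tls"
# only encrypts the connection and does not authenticate the client.
daemon_tls_mode() {
    if grep -Eq '"tlsverify"[[:space:]]*:[[:space:]]*true' "$1"; then
        echo tls
    else
        echo none
    fi
}

# Print a short report; missing files are reported rather than aborting.
audit_docker_access() {
    sock="$1"; group_file="$2"; cfg="$3"
    if [ -e "$sock" ]; then
        echo "socket: $(socket_world_access "$sock") access"
        echo "group members: $(socket_group_members "$sock" "$group_file")"
    else
        echo "socket: $sock not present (TCP-only or unbound?)"
    fi
    [ -f "$cfg" ] && echo "daemon tls: $(daemon_tls_mode "$cfg")" \
                  || echo "daemon tls: $cfg not found, defaults apply (no TLS)"
}
```

On a real host run `audit_docker_access /var/run/docker.sock /etc/group /etc/docker/daemon.json`; anyone in the reported group list has the root-equivalent access described above.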