11.2.3.5 Filesystem Attack Reduction
A focused guide to Filesystem Attack Reduction, connecting core concepts with practical Docker and container operations.
Filesystem attack reduction is the overall security benefit gained from minimizing a container's writable filesystem surface. Every writable path is a potential location a compromised process could use to persist malicious content, escalate its access, or otherwise extend an initial compromise, so fewer writable paths means fewer such locations.
Why Writable Paths Represent Attack Surface
Each writable location a compromised process can reach represents an opportunity to write a malicious script, modify existing application code, or otherwise establish some form of persistence within the container.
docker run -v app-code:/app myapp:1.0
If /app (containing the application's own code) is unnecessarily writable, a compromised process gains the ability to directly modify the running application's own code.
How Minimizing Writable Surface Directly Reduces This Risk
Restricting writable access to only the specific paths genuinely needed eliminates this opportunity everywhere else in the filesystem.
docker run --read-only --tmpfs /tmp -v app-uploads:/app/uploads myapp:1.0
A compromised process here has no writable path to the application's own code, only to the specifically designated uploads directory and the ephemeral /tmp.
Why This Reduction Compounds With Other Security Practices
Combined with running as non-root and minimal capabilities, a reduced writable filesystem surface contributes to an overall posture where a compromised process has meaningfully fewer avenues to extend its initial foothold into something more consequential.
docker run --user 1000:1000 --cap-drop=ALL --read-only --tmpfs /tmp myapp:1.0
Measuring an Application's Current Writable Surface
Reviewing exactly what paths a container's current configuration leaves writable (whether the root filesystem is read-only, which tmpfs mounts exist, and which mounts are mounted read-write) provides a basis for identifying where this surface could still be further reduced.
docker inspect myapp --format '{{.HostConfig.ReadonlyRootfs}} {{json .HostConfig.Tmpfs}} {{json .Mounts}}'
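The following Python audit is an added example, not part of the original guide or of Docker itself. It reads the JSON that docker inspect produces and computes the writable surface and the hardening gaps the previous sections describe (read-only root, tmpfs, non-root user, dropped capabilities). The two inspect-style records embedded below are constructed by hand to mirror the unhardened and hardened run commands above; only the field names (HostConfig.ReadonlyRootfs, HostConfig.Tmpfs, HostConfig.CapDrop, Config.User, Mounts[].Destination and Mounts[].RW) are real docker inspect fields.

```python
import json
import sys

# Constructed records shaped like `docker inspect` output (not captured from a
# real container). UNHARDENED mirrors: docker run -v app-code:/app myapp:1.0
# HARDENED mirrors: docker run --user 1000:1000 --cap-drop=ALL --read-only
#                   --tmpfs /tmp -v app-uploads:/app/uploads myapp:1.0
UNHARDENED = {
    "Name": "/myapp-unhardened",
    "Config": {"User": ""},
    "HostConfig": {"ReadonlyRootfs": False, "Tmpfs": {}, "CapDrop": []},
    "Mounts": [
        {"Type": "volume", "Name": "app-code", "Destination": "/app", "RW": True},
    ],
}

HARDENED = {
    "Name": "/myapp-hardened",
    "Config": {"User": "1000:1000"},
    "HostConfig": {"ReadonlyRootfs": True, "Tmpfs": {"/tmp": ""}, "CapDrop": ["ALL"]},
    "Mounts": [
        {"Type": "volume", "Name": "app-uploads", "Destination": "/app/uploads", "RW": True},
    ],
}


def writable_surface(record):
    """Return the sorted list of container paths a process may write to.

    "/" in the result means the whole image filesystem is writable, so every
    path not covered by a read-only mount is reachable for modification.
    """
    host = record.get("HostConfig", {})
    paths = set()
    if not host.get("ReadonlyRootfs", False):
        paths.add("/")
    # tmpfs mounts are always writable (ephemeral, but usable for scratch files)
    for tmpfs_path in (host.get("Tmpfs") or {}):
        paths.add(tmpfs_path)
    # Bind mounts and volumes are writable unless mounted with :ro (RW false)
    for mount in record.get("Mounts", []):
        if mount.get("RW", True):
            paths.add(mount["Destination"])
    return sorted(paths)


def review(record):
    """Return human-readable findings for the hardening controls this guide covers."""
    host = record.get("HostConfig", {})
    user = record.get("Config", {}).get("User", "") or ""
    findings = []
    if not host.get("ReadonlyRootfs", False):
        findings.append("root filesystem writable: add --read-only")
    if user in ("", "0", "root", "0:0"):
        findings.append("runs as root: add --user UID:GID")
    dropped = [c.upper() for c in (host.get("CapDrop") or [])]
    if "ALL" not in dropped:
        findings.append("capabilities not dropped: add --cap-drop=ALL")
    for mount in record.get("Mounts", []):
        if mount.get("RW", True):
            findings.append(
                f"writable mount at {mount['Destination']}: confirm the app must "
                "write here, otherwise mount it :ro"
            )
    return findings


def main():
    # Usage: docker inspect myapp | python3 audit.py
    # docker inspect emits a JSON list, one record per container.
    for record in json.load(sys.stdin):
        print(record.get("Name"), "writable:", writable_surface(record))
        for finding in review(record):
            print("  -", finding)


if __name__ == "__main__":
    main()
```

Run against real containers by piping docker inspect output into the script; against the constructed records, the unhardened container reports "/" and /app as writable with four findings, while the hardened one reports only /app/uploads and /tmp, leaving a single finding that asks whether the uploads volume genuinely needs write access.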
Why Filesystem Attack Reduction Matters
Deliberately minimizing a container's writable filesystem surface is a concrete, measurable way to reduce the practical consequences a compromised process could achieve, and it is an important contributing factor within the broader set of container runtime security practices.