Upload dockerd socket mount detection rule and test file

[r0075h3ll]

This PR adds a new rule, along with a test file, for dockerd unix socket file i.e. docker.sock mount detection.

Description

Docker works in client-server architecture. In a normal setup, docker command issued in the CLI interacts with the docker server(dockerd) using a Remote API or Unix Socket File(docker.sock) - the latter is often encountered. However, in a scenario where an attacker breaks into the container that has /var/run/docker.sock mounted, it can be leveraged to execute arbitrary commands on the host machine i.e. to talk back to the host machine thereby providing a way for escaping the container.

Example

Here's a dummy Dockerfile that mounts docker.sock file:

FROM docker:latest

WORKDIR /app

VOLUME /var/run/docker.sock:/var/run/docker.sock

CMD ["docker", "images"]

Upon running Semgrep with the provided rule, this is how the output looks like:

Thanks.

[CLAassistant]

All committers have signed the CLA.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[ievans]

thanks for the contribution! can you add a positive and negative test case annotation to the code? cf https://semgrep.dev/docs/writing-rules/testing-rules/

[r0075h3ll]

@ievans

Done :)

[0xDC0DE]

This looks good to me, thanks for the contribution!

[r0075h3ll]

Hey @0xDC0DE, can we merge?

[p4p3r]

lgtm