[Security Review] Daily Security Review — AWF Firewall Threat Model & Attack Surface Analysis #5747
Replies: 8 comments
-
|
🔮 The ancient spirits stir; the smoke test agent was here. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir, and the smoke test agent was here. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir, and the smoke test has walked this repository. The firewall held, the build rose cleanly, and the omens are favorable. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir, and the smoke test agent has passed through the firewall. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir; the smoke test agent was here. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir; the smoke test agent was here, and the omens remain favorable. Warning Firewall blocked 2 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
This discussion was automatically closed because it expired on 2026-07-08T13:22:37.504Z.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir: the smoke test agent passed through the firewall and leaves this oracle-marked trace. Warning Firewall blocked 2 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
📊 Executive Summary
Multi-layered, defense-in-depth architecture. Overall posture: good. Primary risks are design trade-offs (SYS_ADMIN window, apparmor:unconfined, opt-in DLP) and missing protections (unshare syscall, port-list gaps). No exploitable critical vulnerabilities found. The firewall escape test (Secret Digger workflow) concluded with
GH_AW_SECRET_VERIFICATION_RESULT: successand noop outputs — zero secrets exfiltrated.Scope: 380 files · 2,599 security-critical lines in 5 core files · 8 attack surfaces · 12 STRIDE scenarios
🛡️ Architecture Security Analysis
Network Layer
Two independent enforcement layers:
src/squid/config-generator.tssrc/host-iptables-rules.tscontainers/agent/setup-iptables.shStrengths: IPv6 disabled in agent namespace (line 109), default-deny OUTPUT chain (line 459), 15 dangerous ports LOG+DROP, Docker DNS rules preserved before NAT flush.
setup-iptables.sh:72–88) missing:8080, 8443, 9090, 5984, 9200, 11211, 9042, 2181, 6443.Container Security
Capability configuration (
src/services/agent-service.ts:68–92):cap_add: ['SYS_CHROOT', 'SYS_ADMIN']— both dropped bycapshbefore user code runscap_drop: ['NET_RAW', 'SYS_PTRACE', 'SYS_MODULE', 'SYS_RAWIO', 'MKNOD']security_opt: ['no-new-privileges:true', 'seccomp=...', 'apparmor:unconfined']pids_limit: 1000,mem_limit: 6gSeccomp profile (
containers/agent/seccomp-profile.json): DefaultSCMP_ACT_ERRNO. Blocks ptrace, process_vm_readv/writev, kexec_*, init_module, pivot_root, keyctl, add_key, request_key (29 syscalls total).Token protection: Three-layer defense — LD_PRELOAD
one-shot-token.so(caches tokens in-process),unset_sensitive_tokens()(14 vars unset),hidepid=2on procfs (blocks PID-1 environ reads).tmpfs overlays: workdir (hides docker-compose.yml secrets), MCP logs,
/dev/shm.H1.
unsharesyscall allowed in seccomp (High)Verified in
containers/agent/seccomp-profile.json:unshare → SCMP_ACT_ALLOW.On Ubuntu 22.04 (agent base),
kernel.unprivileged_userns_clone=1by default. An unprivilegedawfusercan callunshare --userto obtain a user-namespace root mapping — a known container isolation weakening.cloneandclone3are also allowed.H2.
apparmor:unconfined+SYS_ADMINstartup window (High)Between container start and
capsh --dropinentrypoint.sh:401, the process runs as root withSYS_ADMINANDapparmor:unconfined. Themountsyscall is explicitly allowed in seccomp (needed for procfs). This is intentional but represents the highest-privilege window in the system (~1–2 seconds).M1. DLP credential scanning is opt-in (Medium)
src/dlp.tscovers GitHub, OpenAI, Anthropic, AWS, and Google API tokens. Default is off; requires--enable-dlp. Given these are exactly the credentials agents use, silent credential leakage via URLs is possible without enabling it.M2. No
hidepid=2in non-chroot mode (Medium)hidepid=2is applied viamount_host_procfs()only in chroot mode (entrypoint.sh:521). The non-chroot path (run_non_chroot_command) uses the standard container proc — the token timing window (~1s between agent start andunset_sensitive_tokens) is unprotected by hidepid there.L1. Unquoted
$rulevariable in iptables restore (Low)containers/agent/setup-iptables.sh:159:iptables -t nat $ruleexpands unquoted from iptables-save output. Low risk (source requires host root to tamper) but poor hygiene.unshare --useruser-namespace rootunshareagent-service.ts:76,92/proc/1/environraceentrypoint.sh:415–488src/dlp.ts--allow-domainssrc/domain-validation.tssetup-iptables.sh:72–88agent-service.ts:43–48✅ Recommendations
🔴 High
H1. Block
unsharein seccomp profile{ "names": ["unshare"], "action": "SCMP_ACT_ERRNO" }Add to
containers/agent/seccomp-profile.json. Note: may break tools using Bubblewrap/user namespaces for sandboxing.H2. Narrow AppArmor profile
Replace
apparmor:unconfinedwith a custom profile permitting onlymount proc /host/proc— eliminates the AppArmor+SYS_ADMIN window risk class.🟠 Medium
M1. Enable DLP by default — flip
enableDlpdefault totrue, add--disable-dlpopt-out.M2. Expand dangerous ports list — add
8080, 8443, 9090, 5984, 9200, 11211, 9042, 2181, 6443toDANGEROUS_PORTSinsetup-iptables.sh.M3. Apply
hidepid=2in non-chroot mode — addmount -o remount,hidepid=2 /procinrun_non_chroot_command()before privilege drop.M4. Quote iptables variable expansion —
setup-iptables.sh:159: useeval "iptables -t nat $rule"or preferiptables-restorefor rule reapplication.🟡 Low
L1. Pin
ubuntu/squidbase image to a digest incontainers/squid/Dockerfile.L2. Validate DNS IPs with
is_valid_ipv4before use in iptables rules (setup-iptables.sh:236).L3. Consider blocking
clone+CLONE_NEWUSERflag via seccomp arg filtering for additional namespace hardening.📈 Security Metrics
Beta Was this translation helpful? Give feedback.
All reactions