[Security Review] 🔐 Daily Security Review: gh-aw-firewall Threat Model & Findings (2026-07-06) #5939
Replies: 5 comments
-
|
🔮 The ancient spirits stir; the smoke test agent was here. Warning Firewall blocked 2 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir, and the smoke test agent has walked this thread. Warning Firewall blocked 2 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir, and the smoke test agent has passed through this discussion with a brief omen. Warning Firewall blocked 2 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir; the smoke test agent has passed through this discussion. Warning Firewall blocked 2 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir: the smoke test agent was here, and the omens are stable. Warning Firewall blocked 2 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
📊 Executive Summary
Reviewed ~3,100 lines of security-critical code across 8 key files. The architecture is well-engineered with multiple defense-in-depth layers: iptables DNAT + default-deny, Squid domain ACL, capability dropping (capsh), deny-by-default seccomp, tmpfs overlays hiding secrets, hidepid=2 on procfs, and one-shot token LD_PRELOAD protection.
No critical or high vulnerabilities found. Three medium and three low items are detailed below.
🔍 Prior Escape Test Context
The pre-fetched
escape-test-summary.txtwas the conclusion log for workflow "Secret Digger (Copilot)" (secret-digger-copilot, run 2026-04-11):GH_AW_SECRET_VERIFICATION_RESULT: success— no exfiltrationGH_AW_LOCKDOWN_CHECK_FAILED: false— lockdown intact🛡️ Architecture Assessment
Network (setup-iptables.sh)
✅ IPv6 fully disabled (sysctl, lines 110–111) — prevents dual-stack bypass
✅ DNAT port 80/443 → Squid (lines 371–372) — catches proxy-unaware tools
✅ 14 dangerous ports blocked at NAT level (SSH, SMTP, MySQL, Redis, MongoDB...)
✅ Default-deny filter chain: final DROP on all unmatched TCP/UDP (lines 460–462)
✅ DNS restricted to configured upstream IPs; arbitrary DNS queries blocked
--enable-host-accessaddsiptables -t nat RETURNfor host + network gateways, bypassing Squid entirely. Traffic is then filtered to ports 80, 443, and--allow-host-portsonly — no domain ACL applies. A broad--allow-host-portsvalue creates unfiltered host access.Container Security (src/services/agent-service.ts, entrypoint.sh)
✅ NET_ADMIN never on agent — only on
awf-iptables-init✅ SYS_CHROOT + SYS_ADMIN granted but dropped via
capshbefore user code✅
cap_drop: [NET_RAW, SYS_PTRACE, SYS_MODULE, SYS_RAWIO, MKNOD]✅
no-new-privileges:true, mem_limit 6g, pids_limit 1000✅ tmpfs overlay on workDir hides docker-compose.yml (contains env-var secrets)
✅ hidepid=2 procfs blocks cross-PID /proc/[pid]/environ reads
src/services/agent-service.ts:92):Required because Docker's default AppArmor profile blocks
mount. SYS_ADMIN is dropped before user code, so mount is inaccessible at runtime. However,apparmor:unconfinedremoves the MAC layer as a defense backstop entirely. A custom AppArmor profile permitting onlymount procwould restore this layer.containers/agent/seccomp-profile.json):io_uring_setup,io_uring_enter,io_uring_registerareSCMP_ACT_ALLOW. io_uring has had multiple kernel privilege escalation CVEs (CVE-2022-29582, CVE-2023-2598) and can partially bypass netfilter in some configurations. Google gVisor and many hardened profiles block io_uring.Domain Validation (src/domain-validation.ts, src/squid/domain-acl.ts)
✅ 5-layer validation: empty check → dangerous chars (
/[\s\0"'\;#\]/) → over-broad wildcards → double-dot → excess wildcard segments ✅ Defense-in-depth:assertSafeForSquidConfig()called again at Squid config write time ✅ Wildcard → regex uses[a-zA-Z0-9.-]*(prevents ReDoS via catastrophic backtracking) ✅ Direct IP connections blocked:acl dst_ipv4 dstdom_regex ^[0-9]+.[0-9]+...✅forwarded_for delete+via off` — no IP leakage to upstreamNo injection vulnerabilities found.
✅ Recommendations
🔴 Medium — Restrict io_uring in seccomp:
Add
io_uring_setup,io_uring_enter,io_uring_registerto the explicit SCMP_ACT_ERRNO list incontainers/agent/seccomp-profile.jsonunless a specific workload requires them.🔴 Medium — Evaluate AppArmor profile:
Create a minimal custom AppArmor profile for the agent container allowing only
mount proc, instead ofapparmor:unconfined. This restores MAC enforcement as a backstop against capability-drop bypasses.🟡 Medium — Warn on
--enable-host-access+--allow-host-ports:Document or emit a runtime warning that
--enable-host-accesscreates a Squid bypass. Broad--allow-host-portsvalues grant unfiltered host access.🟢 Low — Enable DLP by default:
--enable-dlp(credential-in-URL detection) is opt-in. Consider making it opt-out since credential URL leakage is unrecoverable.🟢 Low — Reduce token visibility race window:
The 1-second wait before
unset_sensitive_tokensinentrypoint.shcould be reduced to ~300ms. The one-shot-token library caches in ~100ms; hidepid=2 is the primary mitigation anyway.🟢 Low — Audit log
--enable-host-accessstate:Add
enableHostAccessandallowHostPortsto the policy manifest audit log (src/commands/logs-audit.ts) for compliance traceability.📈 Security Metrics
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
awmgmcpgSee Network Configuration for more information.
Beta Was this translation helpful? Give feedback.
All reactions