Summary
The base sandbox image includes gcc, which allows the sandbox user to compile arbitrary native code including shared libraries for LD_PRELOAD injection, exploit code, and custom tooling.
Reproduction
$ ssh into sandbox
$ gcc --version
gcc (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0
$ echo 'void __attribute__((constructor)) init() { /* arbitrary code */ }' > /tmp/evil.c
$ gcc /tmp/evil.c -shared -o /tmp/evil.so
$ # succeeds
Impact
An agent (or prompt-injected agent) can compile:
- LD_PRELOAD libraries to intercept libc calls and capture secrets passed through function arguments
- Custom network tooling to probe internal interfaces
- Exploit code targeting kernel vulnerabilities
Recommendation
Remove gcc, g++, make, and build-essential from the sandbox image. If compilation is needed for agent workflows (e.g. pip install with native extensions), provide a separate build-enabled image profile rather than including it in the default.
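An added example (not part of this issue or of the openshell project) of how to verify the recommendation after rebuilding the image: a POSIX sh audit that walks the directories on PATH (or any directories given) and fails when a native compiler, assembler, linker or build driver is present, so it can gate a CI image build. The list of tool names is an assumption about what should differ between the default and a build-enabled profile; adjust it to your image policy.

```shell
#!/bin/sh
# Audit a sandbox image for native build toolchains.
# Intended to run inside the container after it is built without
# build-essential, e.g.:  sh audit-toolchain.sh --run
# TOOLCHAIN_BINARIES is an assumed policy list, not from the openshell project.

TOOLCHAIN_BINARIES="gcc g++ cc c++ cpp as ld make cmake clang clang++ tcc"

# find_toolchains DIR...
# Print every toolchain executable found in the given directories, one per
# line. Also catches versioned and cross-prefixed names such as gcc-13 or
# aarch64-linux-gnu-g++. Returns 0 if nothing was found, 1 otherwise.
find_toolchains() {
    found=0
    for dir in "$@"; do
        for name in $TOOLCHAIN_BINARIES; do
            for candidate in "$dir/$name" \
                             "$dir"/*-"$name" \
                             "$dir/$name"-[0-9]* \
                             "$dir"/*-"$name"-[0-9]*; do
                # Unmatched globs stay literal and fail -x; skip directories
                # that merely share a tool's name.
                [ -x "$candidate" ] && [ ! -d "$candidate" ] || continue
                printf '%s\n' "$candidate"
                found=1
            done
        done
    done
    return $found
}

# audit_image_path
# Check every directory on the current PATH. Exits non-zero when a compiler
# or linker is present, which is the condition this issue reports.
audit_image_path() {
    oldifs=$IFS
    IFS=:
    set -- $PATH
    IFS=$oldifs
    if find_toolchains "$@"; then
        echo "OK: no native build toolchain on PATH"
        return 0
    fi
    echo "FAIL: native build toolchain present in sandbox image" >&2
    return 1
}

# Only run the audit when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    audit_image_path
    exit $?
fi
```

In the openshell setup described above, running `sh audit-toolchain.sh --run` inside the base image should report FAIL until gcc, g++, make and build-essential are removed, and OK afterwards; a build-enabled image profile is expected to fail the check by design, so apply it only to the default profile.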
Environment
- openshell 0.0.14
- Base sandbox image:
ghcr.io/nvidia/openshell-community/sandboxes/base:latest
- DGX Spark (aarch64)