
[Security] Missing Seccomp/AppArmor hardening - default syscall restrictions only #134

@Mossaka

Description


Priority

P1 - Medium-High

Summary

AWF uses Docker's default seccomp profile with no custom syscall restrictions. Combined with the NET_ADMIN capability, this creates an unnecessarily large attack surface. Dangerous syscalls like ptrace are available to code running in the container.

Current Behavior

The agent container runs with:

  • Default Docker seccomp profile (allows ~300 syscalls)
  • NET_ADMIN capability (required for iptables)
  • No AppArmor profile

// src/docker-manager.ts:305-310
cap_add: ['NET_ADMIN'],
// No seccomp or AppArmor configuration

Security Impact

Code running in the container can:

  • Use ptrace to inspect/modify other processes
  • Use process_vm_readv/process_vm_writev for memory access
  • Load kernel modules (if root)
  • Potentially escape container via unpatched vulnerabilities

Proposed Solution

Add Custom Seccomp Profile

Create containers/agent/seccomp.json:

{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {
      "names": ["ptrace", "process_vm_readv", "process_vm_writev"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1,
      "comment": "Block process inspection/modification"
    },
    {
      "names": ["init_module", "finit_module", "delete_module"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1,
      "comment": "Block kernel module operations"
    },
    {
      "names": ["kexec_load", "kexec_file_load"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1,
      "comment": "Block kernel replacement"
    },
    {
      "names": ["reboot"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1,
      "comment": "Block system reboot"
    },
    {
      "names": ["swapon", "swapoff"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1,
      "comment": "Block swap manipulation"
    }
  ]
}

Integrate in Docker Manager

// src/docker-manager.ts
security_opt: [
  'no-new-privileges:true',
  'seccomp=/path/to/seccomp.json'
],

Implementation Steps

  1. Create containers/agent/seccomp.json with restricted syscalls
  2. Modify src/docker-manager.ts to apply seccomp profile
  3. Add no-new-privileges to prevent privilege escalation
  4. Test that iptables setup still works (needs specific syscalls)
  5. Test that common tools (curl, git, node, npm) still work
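As an added example (not code from this issue or from the AWF repository), a small TypeScript resolver that computes the effective action of the proposed profile for a given syscall and lints it for the checks the steps above call for; the list of syscalls that iptables, curl, git, node and npm need is a constructed assumption, not taken from the project.

```typescript
// Added example, not AWF code. Models Docker-style seccomp profile semantics:
// the first rule naming a syscall decides its action, otherwise defaultAction.
type Action = "SCMP_ACT_ALLOW" | "SCMP_ACT_ERRNO" | "SCMP_ACT_KILL";
interface SyscallRule { names: string[]; action: Action; errnoRet?: number; comment?: string }
interface SeccompProfile { defaultAction: Action; syscalls: SyscallRule[] }

// The profile proposed in the issue (comments dropped for brevity).
const profile: SeccompProfile = {
  defaultAction: "SCMP_ACT_ALLOW",
  syscalls: [
    { names: ["ptrace", "process_vm_readv", "process_vm_writev"], action: "SCMP_ACT_ERRNO", errnoRet: 1 },
    { names: ["init_module", "finit_module", "delete_module"], action: "SCMP_ACT_ERRNO", errnoRet: 1 },
    { names: ["kexec_load", "kexec_file_load"], action: "SCMP_ACT_ERRNO", errnoRet: 1 },
    { names: ["reboot"], action: "SCMP_ACT_ERRNO", errnoRet: 1 },
    { names: ["swapon", "swapoff"], action: "SCMP_ACT_ERRNO", errnoRet: 1 },
  ],
};

// Effective action for one syscall name under the profile.
function effectiveAction(p: SeccompProfile, syscall: string): Action {
  const rule = p.syscalls.find((r) => r.names.includes(syscall));
  return rule ? rule.action : p.defaultAction;
}

// Constructed, illustrative subset of syscalls the issue's test list depends on
// (raw sockets and socket options for iptables; process spawning and file
// access for curl/git/node/npm). Adjust to what strace of the real setup shows.
const REQUIRED_ALLOWED = [
  "socket", "setsockopt", "getsockopt", "connect", "sendto", "recvfrom",
  "clone", "execve", "openat", "read", "write",
];

// Findings a reviewer would want before shipping the profile.
function lintProfile(p: SeccompProfile): string[] {
  const findings: string[] = [];
  if (p.defaultAction === "SCMP_ACT_ALLOW") {
    // A custom seccomp file replaces Docker's default profile entirely, and that
    // default is an allow-list; an ALLOW default makes this one a deny-list.
    findings.push("defaultAction is SCMP_ACT_ALLOW: deny-list profile, replaces Docker's default allow-list");
  }
  for (const s of REQUIRED_ALLOWED) {
    if (effectiveAction(p, s) !== "SCMP_ACT_ALLOW") findings.push(`required syscall blocked: ${s}`);
  }
  for (const r of p.syscalls) {
    // Without errnoRet the runtime picks the errno; state EPERM (1) explicitly.
    if (r.action === "SCMP_ACT_ERRNO" && r.errnoRet === undefined) {
      findings.push(`rule without errnoRet: ${r.names.join(",")}`);
    }
  }
  return findings;
}
```

Run it against the real seccomp.json by replacing the inline profile with the parsed file; a blocked entry in REQUIRED_ALLOWED is the early signal that step 4 or 5 will fail.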

Files to Create/Modify

  • New: containers/agent/seccomp.json - Custom seccomp profile
  • Modify: src/docker-manager.ts:305-310 - Add security options
  • New: Tests for seccomp restrictions

Testing

  • Verify ptrace is blocked: strace ls should fail
  • Verify iptables still works for setup
  • Verify curl, git, node, npm work normally
  • Verify no regression in existing functionality

Related

  • NET_ADMIN capability issue (separate concern, should be addressed together)

Metadata

Labels

enhancement (New feature or request)