fix: keep agent socket runtime network-isolated #74

Open
LIghtJUNction wants to merge 1 commit into main from codex/propose-fix-for-network-egress-vulnerability

@LIghtJUNction

Owner

Motivation

  • A recent change made the runtime skip bwrap's network namespace isolation whenever the agent policy contained allow <subject> network:default connect, and the bootstrap produced that rule for default reference agents, which yielded unrestricted host-network egress for bootstrapped agents.
  • The intent of this change is to preserve sandbox network isolation by decoupling coarse policy grants from the runtime's decision to omit --unshare-net.

Description

  • Remove the default network:default connect grant from the generated reference agent policy in reference_agent_policy so bootstrapped agents no longer receive that coarse network permission by default. (crates/cortexfs/src/reference_tree_bootstrap.rs)
  • Always include --unshare-net in the bwrap argument builder used by the socket runtime so the sandbox remains network-isolated regardless of coarse policy bits. (crates/cortexfs/src/socket_runtime.rs, function agent_executable_socket_bwrap_args)
  • Update policy documentation to clarify that network:default connect is a coarse capability and must not by itself remove sandbox network namespace isolation. (crates/cortexfs/docs/spec/tool-policy-abi.md)
  • Adjust unit tests to expect the reference policies to omit the default network grant and to assert that --unshare-net is present in the produced bwrap args. (tests under crates/cortexfs/tests/unit/lib/)

Testing

  • Ran cargo test -p cortexfs --lib reference_tree_bootstrap and the reference-tree bootstrap tests passed.
  • Ran cargo test -p cortexfs --lib agent_executable_socket_bwrap_args and the bwrap-args/unit tests asserting network isolation passed.
  • Ran cargo test -p cortexfs --lib to exercise the updated unit test set and the targeted tests completed successfully.
  • Ran cargo fmt and git diff --check to validate formatting and diffs with no issues.

Codex Task
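
The rule stated in this description, that a coarse `network:default connect` grant must not decide whether `--unshare-net` is emitted, can be enforced with an argv check like the one below. This is an added Rust example, not code from this pull request or from cortexfs; `NetIsolation`, `effective_net_isolation` and `build_bwrap_args` are hypothetical names, and the argv values are constructed.

```rust
// Added example; every name here is hypothetical, not a cortexfs API.
#[derive(Debug, PartialEq, Eq)]
pub enum NetIsolation {
    Isolated,    // sandbox gets its own network namespace
    HostNetwork, // sandbox shares the host network namespace
    Unknown,     // argv cannot be decided statically
}

/// Decide which network namespace a bwrap argv yields. A later --share-net
/// overrides an earlier --unshare-net or --unshare-all, so order matters.
pub fn effective_net_isolation(argv: &[&str]) -> NetIsolation {
    // Only options before the `--` separator belong to bwrap; without the
    // separator we cannot tell bwrap options from the command's own arguments.
    let Some(end) = argv.iter().position(|a| *a == "--") else {
        return NetIsolation::Unknown;
    };
    let mut isolated = false;
    for arg in &argv[..end] {
        match *arg {
            "--unshare-net" | "--unshare-all" => isolated = true,
            "--share-net" => isolated = false,
            // --args FD pulls further options from a file descriptor.
            "--args" => return NetIsolation::Unknown,
            _ => {}
        }
    }
    if isolated { NetIsolation::Isolated } else { NetIsolation::HostNetwork }
}

/// Builder following the rule in this PR: the coarse grant is an input but
/// never decides whether --unshare-net is emitted.
pub fn build_bwrap_args(_policy_grants_network: bool, command: &[&str]) -> Vec<String> {
    let mut args: Vec<String> = ["bwrap", "--unshare-net", "--die-with-parent", "--"]
        .iter()
        .map(|s| s.to_string())
        .collect();
    args.extend(command.iter().map(|s| s.to_string()));
    args
}

fn main() {
    // Constructed argv values, not taken from the project.
    let weakened = ["bwrap", "--unshare-all", "--share-net", "--", "/bin/agent"];
    println!("weakened: {:?}", effective_net_isolation(&weakened));
    let built = build_bwrap_args(true, &["/bin/agent"]);
    let refs: Vec<&str> = built.iter().map(String::as_str).collect();
    println!("built: {:?}", effective_net_isolation(&refs));
}
```

Checking the effective result rather than the mere presence of `--unshare-net` also catches an argv where a later `--share-net` re-enables host networking.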

@sourcery-ai sourcery-ai Bot left a comment

Sorry @LIghtJUNction, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery
