feat: add no-new-privileges and ptrace syscall blocking (#139)

* Initial plan

* feat(security): add no-new-privileges and ptrace syscall blocking

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>

Author: Copilot

containers/agent/seccomp-profile.json

@@ -6,6 +6,16 @@
     "SCMP_ARCH_AARCH64"
   ],
   "syscalls": [
+    {
+      "names": [
+        "ptrace",
+        "process_vm_readv",
+        "process_vm_writev"
+      ],
+      "action": "SCMP_ACT_ERRNO",
+      "errnoRet": 1,
+      "comment": "Block process inspection/modification"
+    },
     {
       "names": [
         "kexec_load",

src/docker-manager.test.ts

@@ -206,6 +206,9 @@ describe('docker-manager', () => {
       // Verify seccomp profile is configured
       expect(agent.security_opt).toContain('seccomp=/tmp/awf-test/seccomp-profile.json');
 
+      // Verify no-new-privileges is enabled to prevent privilege escalation
+      expect(agent.security_opt).toContain('no-new-privileges:true');
+
       // Verify resource limits
       expect(agent.mem_limit).toBe('4g');
       expect(agent.memswap_limit).toBe('4g');

src/docker-manager.ts

@@ -326,8 +326,11 @@ export function generateDockerCompose(
       'SYS_RAWIO',    // Prevents raw I/O access
       'MKNOD',        // Prevents device node creation
     ],
-    // Apply seccomp profile to restrict dangerous syscalls
-    security_opt: [`seccomp=${config.workDir}/seccomp-profile.json`],
+    // Apply seccomp profile and no-new-privileges to restrict dangerous syscalls and prevent privilege escalation
+    security_opt: [
+      'no-new-privileges:true',
+      `seccomp=${config.workDir}/seccomp-profile.json`,
+    ],
     // Resource limits to prevent DoS attacks (conservative defaults)
     mem_limit: '4g',           // 4GB memory limit
     memswap_limit: '4g',       // No swap (same as mem_limit)