[Security Review] Daily Security Review and Threat Modeling — 2026-03-10

[github-actions[bot]]

📊 Executive Summary

This is a comprehensive security review of the gh-aw-firewall codebase conducted via static analysis of ~3,500 lines of security-critical code. The architecture is generally well-designed with multiple independent defense layers. No prior "Firewall Escape Test" workflow was found in the repository; the closest workflows are security-guard.md and security-review.md.

Security Posture: GOOD with 2 Medium-severity findings and 2 Low-severity findings. Zero npm dependency vulnerabilities. No critical flaws identified.

Severity	Count
🔴 Critical	0
🟠 High	0
🟡 Medium	2
🔵 Low	2
ℹ️ Informational	3

---

🔍 Findings from Prior Workflow Runs

No "Firewall Escape Test" workflow exists in this repository. The security-review and security-guard workflows are present but recent log downloads failed. This review is therefore based entirely on static analysis of the current codebase.

---

🛡️ Architecture Security Analysis

Network Security Assessment — ✅ Strong

Evidence gathered:

cat containers/agent/setup-iptables.sh
cat src/host-iptables.ts

Positive findings:

• Two-layer firewall architecture: Agent container NAT (redirects HTTP/HTTPS to Squid) + Host DOCKER-USER chain (default-deny all remaining traffic)
• Correct rule ordering: NAT RETURN rules for dangerous ports fire before DNAT redirect rules; blocked domains in Squid config deny before allowed domains (src/squid-config.ts:388-396)
• DNS exfiltration prevention: Both agent-level and host-level iptables restrict DNS to whitelisted servers only (default: Google 8.8.8.8, 8.8.4.4)
• IPv6 handled: Either ip6tables rules are applied, or IPv6 is disabled via sysctl (net.ipv6.conf.all.disable_ipv6=1) to prevent an unfiltered bypass path
• Host-level default-deny: src/host-iptables.ts:548 — rule 8 REJECTs all traffic not explicitly permitted, including ICMP

Finding LOW-1: Agent container does not explicitly block ICMP or non-DNS UDP:

# Only TCP is blocked at agent level (setup-iptables.sh line 295):
iptables -A OUTPUT -p tcp -j DROP
# No equivalent rule for -p icmp or -p udp (non-DNS)

Mitigation: The host-level DOCKER-USER chain handles this. However, if the host iptables fail to initialize (permission error, race condition), the agent-level filter becomes the only layer, and ICMP/UDP would be unfiltered.

---

Container Security Assessment — ✅ Good with caveats

Evidence gathered:

cat containers/agent/seccomp-profile.json
grep -n "cap_add\|cap_drop\|security_opt\|apparmor" src/docker-manager.ts
grep -n "CAPS_TO_DROP\|capsh" containers/agent/entrypoint.sh

Positive findings:

• no-new-privileges:true applied (src/docker-manager.ts:884)
• Dangerous capabilities explicitly dropped: NET_RAW, SYS_PTRACE, SYS_MODULE, SYS_RAWIO, MKNOD
• capsh drops cap_net_admin,cap_sys_chroot,cap_sys_admin before user code runs (entrypoint.sh:278,606)
• AWF_CHROOT_ENABLED is always set to 'true' by docker-manager.ts:479, ensuring all 3 high-risk capabilities are always dropped
• Docker socket hidden: /dev/null:/host/var/run/docker.sock:ro and /dev/null:/host/run/docker.sock:ro (docker-manager.ts:683-685)
• Resource limits: 4GB memory, no swap, 1000 PID limit (docker-manager.ts:889-891)

Finding MEDIUM-1: Custom seccomp profile is weaker than Docker's default

python3 -c "
import json
data = json.load(open('containers/agent/seccomp-profile.json'))
print('Default action:', data['defaultAction'])  # SCMP_ACT_ALLOW
print('Total entries:', len(data['syscalls']))    # 3 groups
"
```

Output:
```
Default action: SCMP_ACT_ALLOW
Total entries: 3 groups (ptrace, kernel ops, umount)

Docker's default seccomp profile uses SCMP_ACT_ERRNO (deny-by-default) with ~300+ explicitly allowed syscalls — an allowlist approach. The custom profile uses SCMP_ACT_ALLOW (allow-by-default) with a small denylist. This means syscalls like bpf, perf_event_open, setns, unshare, clone with namespace flags, kcmp, lookup_dcookie, and many others that Docker's default profile blocks are permitted by this custom profile.

Capability drops partially compensate (e.g., bpf requires CAP_NET_ADMIN or CAP_SYS_ADMIN), but bpf with BPF_PROG_TYPE_SOCKET_FILTER requires no capabilities for unprivileged use. The threat is reduced by the no-new-privileges:true constraint.

Finding MEDIUM-2: AppArmor set to unconfined

grep -n "apparmor" src/docker-manager.ts
# Line 885: 'apparmor:unconfined',
# Comment: "Docker's default AppArmor profile blocks mount"

The justification is that SYS_ADMIN is required for mounting procfs at /host/proc, and the Docker default AppArmor profile blocks mount. While SYS_ADMIN is properly dropped before user code runs, disabling AppArmor entirely removes its file-access and network-access restrictions. Docker's default profile (docker-default) also restricts /proc/sys writes, certain /sys accesses, and signal delivery to other containers.

---

Domain Validation Assessment — ✅ Strong

Evidence gathered:

cat src/domain-patterns.ts

Positive findings:

• Overly-broad patterns explicitly rejected: *, *.*, and regex /^[*.]+$/ patterns (domain-patterns.ts:157-165)
• Double-dot injection prevented (domain-patterns.ts:170)
• Multiple wildcard segments blocked: patterns with more wildcards than concrete segments rejected (domain-patterns.ts:183-190)
• ReDoS prevention: DOMAIN_CHAR_PATTERN = '[a-zA-Z0-9.-]*' used instead of .* for wildcard expansion (domain-patterns.ts:79)
• Input length limit before regex matching: 512 chars (domain-patterns.ts:232)
• Protocol-specific allowlisting: (github.com/redacted) restricts to port 80 only (domain-patterns.ts:44-59`)

---

Input Validation Assessment — ✅ Adequate

Evidence gathered:

grep -n "agentCommand\|command.*replace" src/docker-manager.ts
sed -n '573,640p' src/cli.ts  # parseVolumeMounts

Positive findings:

• Agent command passed as Docker command: array (not shell string), prevents command injection via Docker Compose YAML
• $ in agent command escaped as $$ for Docker Compose interpolation (docker-manager.ts:896)
• Selective mounting design with credential hiding (19+ credential files mapped to /dev/null)

Finding LOW-2: --mount flag lacks sensitive path restrictions

# parseVolumeMounts in src/cli.ts:573
# Only validates: format, absolute paths, path existence, and mode (ro/rw)
# Does NOT block sensitive host paths
```

Users can mount sensitive host paths via `--mount`:
- `--mount /etc/shadow:/tmp/shadow:ro` → exposes host password hashes to the agent
- `--mount /root/.ssh:/tmp/ssh:ro` → exposes root SSH private keys
- `--mount /proc:/tmp/proc:ro` → exposes host process information

**Note**: This requires the operator to deliberately choose dangerous paths. Since `awf` requires `sudo`, the operator is already root and could access these files anyway. The risk is accidental or malicious use by operators granting overly permissive mounts to agents. Adding a blocklist of sensitive host paths would be defense-in-depth.

---

## ⚠️ Threat Model (STRIDE)

| # | Category | Threat | Likelihood | Impact | Severity | Mitigated By |
|---|----------|--------|------------|--------|----------|--------------|
| T1 | Spoofing | Attacker-controlled domain matching allowed pattern (e.g., `attacker-github.com` if pattern is `*github.com`) | Low | Medium | 🔵 Low | Pattern requires `.github.com` (leading dot); wildcard anchoring |
| T2 | Tampering | Agent modifies iptables rules to bypass firewall | Very Low | Critical | 🔵 Low | `cap_net_admin` dropped via capsh before user code |
| T3 | Tampering | bpf socket filter circumvents Squid redirect | Low | High | 🟡 Medium | Permissive seccomp allows `bpf`; unprivileged BPF programs can intercept socket traffic |
| T4 | Repudiation | Agent exfiltrates data without appearing in Squid logs | Low | Medium | 🔵 Low | UDP (non-DNS) and ICMP blocked at host DOCKER-USER level; logged with `[FW_BLOCKED_UDP]` prefix |
| T5 | Info Disclosure | Credential files accessed via prompt injection | Low | High | 🟡 Medium | Selective mounting + `/dev/null` overlays for 19+ credential files |
| T6 | Info Disclosure | Agent reads sensitive paths via `--mount` flag | Low | Medium | 🔵 Low | Requires operator action; operator is already root |
| T7 | Info Disclosure | ICMP tunneling from agent container | Very Low | Low | ℹ️ Info | Host DOCKER-USER chain default-denies; `NET_RAW` dropped |
| T8 | Denial of Service | Agent spawns many processes / exhausts memory | Low | Medium | ℹ️ Info | `pids_limit: 1000`, `mem_limit: 4g` |
| T9 | Elevation of Privilege | Container escape via SYS_ADMIN before capsh drop | Very Low | Critical | ℹ️ Info | Window is very narrow (entrypoint setup only); AppArmor unconfined is a compounding factor |

---

## 🎯 Attack Surface Map

| Entry Point | File:Line | What It Does | Protections | Risk |
|-------------|-----------|--------------|-------------|------|
| `--allow-domains` | `cli.ts:580` | Domain allowlist input | `validateDomainOrPattern()`, pattern sanitization | Low |
| `--mount` | `cli.ts:573` | Custom volume mounts | Format validation, absolute path check | Medium |
| `--dns-servers` | `cli.ts` | Trusted DNS server IPs | IPv4/IPv6 validation (`isValidIPv4`, `isValidIPv6`) | Low |
| Agent command string | `docker-manager.ts:896` | User command execution | Array-form Docker command, `$` escaping | Low |
| `AWF_USER_UID/GID` | `entrypoint.sh:18-35` | Numeric-only validation, root (0) rejected | Numeric regex + zero check | Low |
| `setup-iptables.sh` DNS parsing | `setup-iptables.sh:88-95` | DNS server list from env | IFS comma-split, basic `is_ipv6()` / `is_valid_ipv4()` | Low |
| `--allow-urls` patterns | `ssl-bump.ts:313` | URL regex patterns | Wildcard to safe char class (`[^\s]*`), anchored | Low |
| `seccomp-profile.json` | `containers/agent/` | Syscall filtering | Allow-by-default (permissive) | Medium |
| Squid `url_regex` | `squid-config.ts:119` | URL patterns passed directly | Pre-processed by `parseUrlPatterns()` | Low |

---

## 📋 Evidence Collection

<details>
<summary>Seccomp profile analysis</summary>

```
# Command: python3 -c "import json; data=json.load(open('containers/agent/seccomp-profile.json')); print('Default:', data['defaultAction']); [print(s['action'], s.get('names',[])) for s in data['syscalls']]"
Default: SCMP_ACT_ALLOW
SCMP_ACT_ERRNO ['ptrace', 'process_vm_readv', 'process_vm_writev']
SCMP_ACT_ERRNO ['kexec_load', 'kexec_file_load', 'reboot', 'init_module', 'finit_module', 'delete_module', 'acct', 'swapon', 'swapoff', 'pivot_root', 'syslog', 'add_key', 'request_key', 'keyctl', 'uselib', 'personality', 'ustat', 'sysfs', 'vhangup', 'get_kernel_syms', 'query_module', 'create_module', 'nfsservctl']
SCMP_ACT_ERRNO ['umount', 'umount2']

Docker's default seccomp profile (moby/profiles/seccomp/default.json) blocks bpf, perf_event_open, setns, unshare, clone with namespace flags, kcmp, and ~44 others that are not blocked here.

AppArmor setting

# Command: grep -n "apparmor" src/docker-manager.ts
883:    security_opt: [
884:      'no-new-privileges:true',
885:      'seccomp=.../seccomp-profile.json',
886:      'apparmor:unconfined',   ← disables AppArmor
887:    ],

Comment at line 881: "AppArmor is set to unconfined to allow mounting procfs at /host/proc (Docker's default AppArmor profile blocks mount). This is safe because SYS_ADMIN is dropped via capsh before user code runs, so user code cannot mount anything."

Agent iptables TCP-only DROP

# Command: grep -n "DROP\|REJECT" containers/agent/setup-iptables.sh
# Line 295 only:
295: iptables -A OUTPUT -p tcp -j DROP
# No rules for: -p icmp, -p udp (non-DNS), -p all
```
</details>

<details>
<summary>npm audit results</summary>

```
Total vulnerabilities: {'info': 0, 'low': 0, 'moderate': 0, 'high': 0, 'critical': 0, 'total': 0}

Zero known vulnerabilities in npm dependencies.

Capability drops verified

# docker-manager.ts:870
cap_add: ['NET_ADMIN', 'SYS_CHROOT', 'SYS_ADMIN']
cap_drop: ['NET_RAW', 'SYS_PTRACE', 'SYS_MODULE', 'SYS_RAWIO', 'MKNOD']

# entrypoint.sh:278 (chroot mode always enabled via docker-manager.ts:479)
CAPS_TO_DROP="cap_net_admin,cap_sys_chroot,cap_sys_admin"

# entrypoint.sh:606 (inside chroot)
exec capsh --drop=\$\{CAPS_TO_DROP} --user=\$\{HOST_USER} -- -c 'exec \$\{SCRIPT_FILE}'

---

✅ Recommendations

🟡 Medium — Should Fix Soon

M1: Migrate seccomp to deny-by-default

Replace the current allow-by-default profile with a deny-by-default allowlist (similar to Docker's default). At minimum, add explicit blocks for bpf, perf_event_open, setns, unshare, clone with namespace creation flags (CLONE_NEWNS, CLONE_NEWNET, CLONE_NEWPID), kcmp, open_by_handle_at, and lookup_dcookie.

{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    { "names": ["accept", "accept4", "access", "..."], "action": "SCMP_ACT_ALLOW" },
    // explicitly block especially dangerous ones with higher errnoRet priority
    { "names": ["bpf"], "action": "SCMP_ACT_ERRNO", "errnoRet": 1 }
  ]
}

Alternatively, remove the custom seccomp file and rely on Docker's built-in default profile (which is deny-by-default and maintained by the Docker project).

M2: Investigate AppArmor-compatible mount approach

The apparmor:unconfined setting defeats a meaningful defense layer. Investigate whether:

• A custom AppArmor profile can be created that allows the specific mount -t proc operation while keeping other protections
• The procfs mount can be performed before AppArmor is enforced (at a privileged entrypoint stage), after which AppArmor is re-enabled for user code

---

🔵 Low — Plan to Address

L1: Add ICMP/UDP DROP in agent container iptables

Add explicit DROP rules in setup-iptables.sh for defense-in-depth:

# After the TCP DROP rule (line 295), add:
iptables -A OUTPUT -p udp -j DROP    # block non-DNS UDP
iptables -A OUTPUT -p icmp -j DROP   # block ICMP (prevent ping-based exfiltration)

This ensures the agent-level filter doesn't rely solely on the host DOCKER-USER chain.

L2: Add sensitive path blocklist to --mount validation

In parseVolumeMounts (src/cli.ts:573), add a blocklist of host paths that should not be mountable:

const SENSITIVE_HOST_PATHS = [
  '/etc/shadow', '/etc/gshadow', '/etc/sudoers',
  '/root', '/proc', '/sys', '/dev',
  '/var/run/docker.sock', '/run/docker.sock',
  // SSH keys
];
// Check if hostPath starts with any sensitive path

---

ℹ️ Informational

I1: Document the seccomp trust model

Add a comment in docker-manager.ts explaining why the custom seccomp is allow-by-default (e.g., compatibility with user workloads that call unusual syscalls) so future reviewers don't mistake it for Docker's default.

I2: Consider adding --no-enable-host-access warning

When --enable-host-access is used, the network gateway IP bypass allows direct port 80/443 access to the host without Squid domain filtering. The comment in setup-iptables.sh explains this is needed for MCP Streamable HTTP, but a visible warning to the operator would help.

I3: Monitor bpf syscall use

Given the permissive seccomp profile allows bpf, consider adding a log-and-audit rule for bpf calls by the agent, to detect potential socket-filter insertion attempts.

---

📈 Security Metrics

Metric	Value
Lines of security-critical code analyzed	~3,500
Attack surfaces identified	8
npm dependency vulnerabilities	0
Threats modeled (STRIDE)	9
Credential files hidden via /dev/null	19+
Defense layers (network)	2 (agent NAT + host DOCKER-USER)
Defense layers (container)	4 (capabilities + seccomp + no-new-priv + resource limits)
Critical/High findings	0
Medium findings	2
Low findings	2

AI generated by Daily Security Review and Threat Modeling

• expires on Mar 17, 2026, 1:59 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir, and the oracle records that the smoke test agent was here. The omens are cast; the circuit hums with quiet approval.

🔮 The oracle has spoken through Smoke Codex for issue #1151