
[Security] Missing Seccomp/AppArmor hardening - default syscall restrictions only #134

@Mossaka

Description


Priority

P1 - Medium-High

Summary

AWF runs the agent container under Docker's default seccomp profile with no custom syscall restrictions. Combined with the NET_ADMIN capability, this leaves a larger attack surface than the agent needs: the default profile allows ptrace, so code running in the container can inspect and modify other processes in it.

Current Behavior

The agent container runs with:

  • Default Docker seccomp profile (allows ~300 syscalls)
  • NET_ADMIN capability (required for iptables)
  • No AppArmor profile

  // src/docker-manager.ts:305-310
  cap_add: ['NET_ADMIN'],
  // No seccomp or AppArmor configuration

Security Impact

Code running in the container can:

  • Use ptrace to inspect or modify other processes in the container: Docker's default profile allows ptrace on kernels 4.8 and newer, so anything the agent runs can attach to a sibling process of the same UID (subject to the host's Yama ptrace_scope) and read credentials out of its memory
  • Use process_vm_readv/process_vm_writev for the same kind of memory access if CAP_SYS_PTRACE is ever added (the default profile gates these on that capability, and the kernel applies the same access check as for ptrace)
  • Potentially escape the container through an unpatched kernel bug reachable from one of the ~300 allowed syscalls

Loading kernel modules, kexec, reboot and swapon/swapoff are not reachable today: they need capabilities the container does not have (CAP_SYS_MODULE, CAP_SYS_BOOT, CAP_SYS_ADMIN), and the default profile denies those syscalls without them. The profile below still denies them explicitly so the block survives a later cap_add.

Proposed Solution

Add Custom Seccomp Profile

Create containers/agent/seccomp.json by starting from Docker's default profile (moby/profiles/seccomp/default.json, which has "defaultAction": "SCMP_ACT_ERRNO" and an explicit allowlist), removing ptrace, process_vm_readv and process_vm_writev from its allow rules, and adding the deny rules below. Do not ship a profile with "defaultAction": "SCMP_ACT_ALLOW": a custom profile replaces the default one rather than extending it, so an allow-by-default denylist re-enables everything the default profile blocks (mount, unshare, bpf and the rest of the capability-gated syscalls) and is a net loss in hardening. errnoRet 1 is EPERM, so a blocked call fails cleanly instead of killing the process with SIGSYS.

{
  "defaultAction": "SCMP_ACT_ERRNO",
  "defaultErrnoRet": 1,
  "syscalls": [
    {
      "names": ["ptrace", "process_vm_readv", "process_vm_writev"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1,
      "comment": "Block process inspection/modification"
    },
    {
      "names": ["init_module", "finit_module", "delete_module"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1,
      "comment": "Block kernel module operations"
    },
    {
      "names": ["kexec_load", "kexec_file_load"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1,
      "comment": "Block kernel replacement"
    },
    {
      "names": ["reboot"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1,
      "comment": "Block system reboot"
    },
    {
      "names": ["swapon", "swapoff"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1,
      "comment": "Block swap manipulation"
    }
  ]
}

The same "syscalls" array also carries the SCMP_ACT_ALLOW rules copied from default.json (minus ptrace, process_vm_readv and process_vm_writev); they are omitted above for length.
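A worked version of that merge, as an added example and not AWF code: the TypeScript below (hardenProfile, isAllowed and profileIssues are names chosen here, not AWF or Docker APIs) takes a profile in the default.json shape, strips the ptrace family out of every allow rule including the capability-gated ones, prepends the explicit ERRNO rule, and lints a candidate profile for the allow-by-default mistake. SAMPLE_DEFAULT is a constructed, heavily trimmed stand-in for moby's default.json, and the allow/deny resolution is a simplified model that ignores syscall arguments, architectures and minKernel; run the real default.json through hardenProfile and JSON.stringify the result to produce containers/agent/seccomp.json.

```typescript
// Added example (not AWF code): derive the hardened seccomp profile by
// subtracting syscalls from Docker's default profile instead of replacing
// it with an allow-by-default denylist, and lint the result before use.
//
// Profile shape follows moby's default.json: defaultAction, defaultErrnoRet,
// syscalls[].names / action / errnoRet / includes.caps / excludes.caps.

type CapFilter = { caps?: string[]; minKernel?: string; arches?: string[] };

interface SeccompRule {
  names: string[];
  action: string;        // "SCMP_ACT_ALLOW", "SCMP_ACT_ERRNO", ...
  errnoRet?: number;
  comment?: string;
  includes?: CapFilter;  // rule kept only if the container has all these caps
  excludes?: CapFilter;  // rule dropped if the container has any of these caps
}

interface SeccompProfile {
  defaultAction: string;
  defaultErrnoRet?: number;
  syscalls: SeccompRule[];
}

const EPERM = 1;
const has = (list: string[] | undefined, x: string): boolean =>
  !!list && list.indexOf(x) !== -1;

// Constructed stand-in for moby's default.json (the real file lists ~350 names).
const SAMPLE_DEFAULT: SeccompProfile = {
  defaultAction: "SCMP_ACT_ERRNO",
  defaultErrnoRet: EPERM,
  syscalls: [
    { names: ["read", "write", "openat", "close", "socket", "setsockopt", "sendto", "recvfrom"], action: "SCMP_ACT_ALLOW" },
    { names: ["ptrace"], action: "SCMP_ACT_ALLOW", includes: { minKernel: "4.8" } },
    { names: ["kcmp", "process_vm_readv", "process_vm_writev", "ptrace"], action: "SCMP_ACT_ALLOW", includes: { caps: ["CAP_SYS_PTRACE"] } },
    { names: ["init_module", "finit_module", "delete_module"], action: "SCMP_ACT_ALLOW", includes: { caps: ["CAP_SYS_MODULE"] } },
    { names: ["kexec_load", "kexec_file_load", "reboot"], action: "SCMP_ACT_ALLOW", includes: { caps: ["CAP_SYS_BOOT"] } },
    { names: ["mount", "umount2", "unshare", "bpf", "swapon", "swapoff"], action: "SCMP_ACT_ALLOW", includes: { caps: ["CAP_SYS_ADMIN"] } },
  ],
};

// The allow-by-default denylist shape, kept here only to show why it is weaker.
const DENYLIST_PROPOSAL: SeccompProfile = {
  defaultAction: "SCMP_ACT_ALLOW",
  syscalls: [
    { names: ["ptrace", "process_vm_readv", "process_vm_writev"], action: "SCMP_ACT_ERRNO", errnoRet: EPERM },
    { names: ["init_module", "finit_module", "delete_module"], action: "SCMP_ACT_ERRNO", errnoRet: EPERM },
  ],
};

// Simplified model of profile resolution for a container holding `caps`:
// includes/excludes filters are applied first (as dockerd does), then a
// matching non-ALLOW rule denies, a matching ALLOW rule allows, otherwise
// defaultAction decides. Args, arches and minKernel are ignored (treated as
// satisfied), which is enough for an allow/deny audit.
function ruleActive(rule: SeccompRule, caps: string[]): boolean {
  const need = rule.includes?.caps ?? [];
  const forbid = rule.excludes?.caps ?? [];
  return need.every((c) => has(caps, c)) && !forbid.some((c) => has(caps, c));
}

function isAllowed(profile: SeccompProfile, syscall: string, caps: string[] = []): boolean {
  const active = profile.syscalls.filter((r) => ruleActive(r, caps) && has(r.names, syscall));
  if (active.some((r) => r.action !== "SCMP_ACT_ALLOW")) return false;
  if (active.some((r) => r.action === "SCMP_ACT_ALLOW")) return true;
  return profile.defaultAction === "SCMP_ACT_ALLOW";
}

// Remove `deny` from every ALLOW rule (capability-gated ones included, so a
// later cap_add cannot silently re-enable them) and prepend an explicit
// ERRNO rule. EPERM rather than SIGSYS keeps tools failing cleanly.
function hardenProfile(base: SeccompProfile, deny: string[], why: string): SeccompProfile {
  const kept: SeccompRule[] = [];
  for (const rule of base.syscalls) {
    if (rule.action !== "SCMP_ACT_ALLOW") { kept.push(rule); continue; }
    const names = rule.names.filter((n) => !has(deny, n));
    if (names.length > 0) kept.push({ ...rule, names });
  }
  const denyRule: SeccompRule = { names: deny.slice().sort(), action: "SCMP_ACT_ERRNO", errnoRet: EPERM, comment: why };
  return { ...base, syscalls: [denyRule, ...kept] };
}

// Pre-merge lint: the two mistakes that make a custom profile weaker than the default.
function profileIssues(profile: SeccompProfile, mustDeny: string[], caps: string[] = []): string[] {
  const issues: string[] = [];
  if (profile.defaultAction === "SCMP_ACT_ALLOW") {
    issues.push("defaultAction is SCMP_ACT_ALLOW: every unlisted syscall is permitted, weaker than Docker's default");
  }
  for (const name of mustDeny) {
    if (isAllowed(profile, name, caps)) issues.push(name + " is still allowed");
  }
  return issues;
}

const HARDENED = hardenProfile(
  SAMPLE_DEFAULT,
  ["ptrace", "process_vm_readv", "process_vm_writev"],
  "Block process inspection/modification",
);
```

Running profileIssues over DENYLIST_PROPOSAL flags the allow-by-default problem and, in the model above, leaves mount allowed where the default profile denies it; HARDENED keeps defaultAction SCMP_ACT_ERRNO, denies ptrace even when CAP_SYS_PTRACE is granted, and still allows kcmp under that capability because only the named syscalls were subtracted.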

Integrate in Docker Manager

// src/docker-manager.ts
security_opt: [
  'no-new-privileges:true',
  'seccomp=/path/to/seccomp.json'
],

Implementation Steps

  1. Create containers/agent/seccomp.json with restricted syscalls
  2. Modify src/docker-manager.ts to apply seccomp profile
  3. Add no-new-privileges to prevent privilege escalation
  4. Test that iptables setup still works (it needs NET_ADMIN plus the netlink socket calls, which the default allowlist already permits)
  5. Test that common tools (curl, git, node, npm) still work

Files to Create/Modify

  • New: containers/agent/seccomp.json - Custom seccomp profile
  • Modify: src/docker-manager.ts:305-310 - Add security options
  • New: Tests for seccomp restrictions

Testing

  • Verify ptrace is blocked: strace ls (and gdb -p <pid>) inside the container should fail with EPERM ("Operation not permitted") from ptrace
  • Verify the custom profile is not weaker than the default: a syscall the default profile denies without extra capabilities, such as mount, must still fail with EPERM
  • Verify iptables still works for setup
  • Verify curl, git, node, npm work normally
  • Verify no regression in existing functionality

Related

  • NET_ADMIN capability issue (separate concern, should be addressed together)

Metadata

Labels

enhancement (New feature or request)
