Harden guest boot with sysctls, cap drop, and /root lockdown

JAORMX · claude · JAORMX · commit b3b67e63dd92 · 2026-02-17T10:24:14.000+02:00
Integrate propolis guest/harden into the boot sequence: apply
kernel sysctl defaults after /proc mount, chmod /root to 0700,
and drop all capabilities except SETUID/SETGID/NET_BIND_SERVICE
before starting the SSH server.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/internal/guest/boot/boot.go b/internal/guest/boot/boot.go
@@ -20,6 +20,7 @@ import (
 	"github.com/stacklok/apiary/internal/guest/mount"
 	"github.com/stacklok/apiary/internal/guest/network"
 	"github.com/stacklok/apiary/internal/guest/sshd"
+	"github.com/stacklok/propolis/guest/harden"
 )
 
 // Run executes the full guest boot sequence and returns a shutdown function
@@ -44,19 +45,43 @@ func Run(logger *slog.Logger) (shutdown func(), err error) {
 		logger.Warn("workspace mount failed, continuing without workspace", "error", err)
 	}
 
-	// 4. Load environment file.
+	// 4. Apply kernel sysctl hardening (needs /proc mounted).
+	harden.KernelDefaults(logger)
+
+	// 5. Lock down /root/ so the sandbox user cannot read it.
+	lockdownRoot(logger)
+
+	// 6. Load environment file.
 	envVars, err := env.Load("/etc/sandbox-env")
 	if err != nil {
 		return nil, fmt.Errorf("loading environment: %w", err)
 	}
 
-	// 5. Parse authorized keys.
+	// 7. Parse authorized keys.
 	authorizedKeys, err := parseAuthorizedKeys("/home/sandbox/.ssh/authorized_keys")
 	if err != nil {
 		return nil, fmt.Errorf("parsing authorized keys: %w", err)
 	}
 
-	// 6. Start SSH server — bind synchronously so listen errors surface
+	// 8. Drop unneeded capabilities from the bounding set. Keep only
+	// what sshd needs: SETUID/SETGID for credential switching,
+	// NET_BIND_SERVICE for port 22. This must be the last privileged
+	// operation before starting the SSH server.
+	//
+	// This is fatal because PR_CAPBSET_DROP has been available since
+	// Linux 2.6.25 — failure indicates a serious problem (not root,
+	// kernel bug) and continuing with a full bounding set defeats the
+	// hardening entirely.
+	logger.Info("dropping unnecessary capabilities")
+	if err := harden.DropBoundingCaps(
+		harden.CapSetUID,
+		harden.CapSetGID,
+		harden.CapNetBindService,
+	); err != nil {
+		return nil, fmt.Errorf("dropping capabilities: %w", err)
+	}
+
+	// 9. Start SSH server — bind synchronously so listen errors surface
 	// immediately rather than being swallowed in a goroutine.
 	cfg := sshd.Config{
 		Port:           22,
@@ -90,6 +115,15 @@ func Run(logger *slog.Logger) (shutdown func(), err error) {
 	return func() { srv.Close() }, nil
 }
 
+// lockdownRoot sets /root/ to mode 0700 so the sandbox user cannot read
+// its contents (MCP bootstrap config, debug logs, etc.).
+func lockdownRoot(logger *slog.Logger) {
+	logger.Info("locking down /root permissions")
+	if err := os.Chmod("/root", 0o700); err != nil {
+		logger.Warn("failed to chmod /root", "error", err)
+	}
+}
+
 // parseAuthorizedKeys reads an authorized_keys file and returns the parsed
 // public keys. Returns an error if no valid keys are found.
 func parseAuthorizedKeys(path string) ([]ssh.PublicKey, error) {
