[Security Review] Daily Security Review & Threat Model — 2026-03-24

[github-actions[bot]]

📊 Executive Summary

This review covers a deep evidence-based analysis of 4,970 lines of security-critical code across eight core files. The overall security posture of AWF is strong: defense-in-depth is well-implemented across network, container, credential, and domain layers. No critical vulnerabilities were discovered. However, three high-severity findings and four medium-severity findings warrant attention.

Previous firewall escape test: The most recent secret-digger-copilot run (run #912, 2026-03-24T13:36Z) confirmed the security boundary: the prompt included a prompt-injection attack instructing the agent to read /proc/self/environ, probe cloud metadata at 169.254.169.254, and exfiltrate credentials — all of which were correctly refused by the agent. Detection verdict: prompt_injection: true, secret_leak: false.

---

🔍 Findings from Secret Digger / Escape Test Context

The secret-digger-copilot workflow (run #912) attempted a real prompt injection attack against the workflow runner. The detection step confirmed the agent refused all prohibited actions. This is encouraging validation that the multi-layer defences work in practice. No secret leaks or malicious patches were detected in any of the three most recent runs (#910–912).

---

🛡️ Architecture Security Analysis

Network Security Assessment

Finding H-1: AppArmor set to unconfined on the agent container [HIGH]

# src/docker-manager.ts:1093-1099
security_opt: [
  'no-new-privileges:true',
  `seccomp=\$\{config.workDir}/seccomp-profile.json`,
  'apparmor:unconfined',   ← ⚠️ removes Docker's default AppArmor profile
],

The agent container sets apparmor:unconfined to allow the mount -t proc call needed for chroot mode. Docker's default docker-default AppArmor profile provides meaningful protections beyond capability dropping (e.g., preventing /proc/sys writes, ptrace between containers, and certain namespace operations). Setting it to unconfined removes this entire layer. Mitigations present: no-new-privileges:true, seccomp profile, capability dropping — but AppArmor was a redundant layer.

Finding M-1: mount, unshare, setns allowed in seccomp [MEDIUM]

# Evidence:
$ python3 -c "
import json
with open('containers/agent/seccomp-profile.json') as f:
    d = json.load(f)
for s in d['syscalls']:
    if s['action'] == 'SCMP_ACT_ALLOW':
        for name in ['mount','unshare','setns']:
            if name in s['names']:
                print(f'ALLOWED: {name}')
"
ALLOWED: mount
ALLOWED: unshare
ALLOWED: setns

These syscalls are allowed in the seccomp profile. Combined with AppArmor being unconfined:

• unshare --user --map-root-user could create unprivileged user namespaces (if kernel allows unprivileged_userns_clone)
• setns could allow re-joining other namespaces
• mount within user namespaces allows bind mounts of arbitrary paths

Mitigations: SYS_ADMIN and SYS_CHROOT are dropped via capsh --drop before user code runs (entrypoint.sh:306-310). Without SYS_ADMIN, most privileged mount operations fail. The pids_limit: 1000 also limits fork-bomb namespace attacks.

Finding L-1: ICMP handling relies only on host-level rules [LOW]

Inside the agent container, setup-iptables.sh explicitly drops only TCP and UDP at the OUTPUT filter level:

# containers/agent/setup-iptables.sh:328-331
iptables -A OUTPUT -p tcp -j DROP
iptables -A OUTPUT -p udp -j DROP
# No explicit rule for ICMP (protocol 1)

ICMP is blocked at the host level by the FW_WRAPPER chain's final REJECT rule applied to all bridge traffic. However, agent-level defence-in-depth for ICMP is absent. An agent process could potentially use ICMP for covert signalling before host rules catch it, or in edge cases where host rules are momentarily absent during startup.

---

Container Security Assessment

Finding H-2: --enable-dind explicitly bypasses all network controls [HIGH]

// src/docker-manager.ts:860-868
if (config.enableDind) {
  logger.warn('Docker-in-Docker enabled: agent can run docker commands (firewall bypass possible)');
  agentVolumes.push(`\$\{dockerSocketPath}:/host\$\{dockerSocketPath}:rw`);
  agentVolumes.push('/run/docker.sock:/host/run/docker.sock:rw');
}

When --enable-dind is passed, the Docker socket is mounted read-write into the chroot. Any agent command can then run docker run --network host (evil-image) or docker run --privileged to completely bypass AWF's network filtering. The feature is documented as "WARNING: allows firewall bypass via docker run" (src/cli.ts:1249) but there are no audit logs, no secondary warnings at runtime (only a logger.warn), and no restrictions on what Docker commands can be run.

Finding M-2: 5-second fixed token unset window [MEDIUM]

# containers/agent/entrypoint.sh:654-657 (chroot mode) and 701-704 (non-chroot)
sleep 5          # ← Fixed delay, not signal-based
unset_sensitive_tokens

After starting the agent process in the background, the parent shell waits 5 seconds before unsetting sensitive tokens (COPILOT_GITHUB_TOKEN, GITHUB_TOKEN, etc.) from its own environment. During these 5 seconds, the tokens remain visible in /proc/(entrypoint-pid)/environ. This window is deterministic and predictable. A fast-starting agent could theoretically read /proc/1/environ (or the parent shell's PID) within this window.

Mitigations: The one-shot-token LD_PRELOAD library (one-shot-token.so) caches tokens in the agent process memory and clears them from the environment immediately on first getenv() access. This is a strong mitigation for most real scenarios.

Finding M-3: pidfd_getfd allowed in seccomp [MEDIUM]

# containers/agent/seccomp-profile.json
['kcmp', 'pidfd_getfd', 'process_madvise']: SCMP_ACT_ALLOW

pidfd_getfd allows a process to duplicate a file descriptor from another process identified by a pidfd. Combined with pidfd_open (also allowed), this could allow an agent to steal open file descriptors from the init/entrypoint process — potentially including file descriptors to secrets, sockets, or the Docker daemon socket. While file descriptors to the Docker socket are hidden (/dev/null is mounted over it in non-dind mode), other sensitive file descriptors from the entrypoint process could be accessible.

Finding M-4: No hard CPU limit [MEDIUM]

// src/docker-manager.ts:1107-1108
pids_limit: 1000,       // Max 1000 processes ✓
cpu_shares: 1024,       // Soft limit only — no hard cpu quota

cpu_shares is a relative weight, not a hard limit. Under CPU pressure, Docker allocates CPU proportionally; but in a GitHub Actions runner with no competing containers, the agent can consume 100% of available CPU indefinitely. There is no cpus setting. This is a DoS risk for expensive, long-running ML/compilation workflows.

---

Domain Validation Assessment

Overall: Strong. The validateDomainOrPattern() function (src/domain-patterns.ts:136-193) correctly rejects:

• Bare * (matches all domains)
• *.* (too broad)
• Any pattern where all/most segments are pure wildcards
• Double dots, empty domains, trailing dots

The wildcardToRegex() function correctly uses [a-zA-Z0-9.-]* character class instead of .* to prevent ReDoS. The isDomainMatchedByPattern() function has a length guard (MAX_DOMAIN_LENGTH = 512) as additional ReDoS defence.

Finding M-5: DANGEROUS_PORTS list discrepancy between Squid config and iptables [MEDIUM]

# Evidence: ports in src/squid-config.ts DANGEROUS_PORTS but NOT in 
# containers/agent/setup-iptables.sh DANGEROUS_PORTS:
# 5984  (CouchDB)
# 6984  (CouchDB SSL)
# 8086  (InfluxDB HTTP API)
# 8088  (InfluxDB RPC)
# 9200  (Elasticsearch HTTP API)
# 9300  (Elasticsearch transport)

These 6 ports are blocked at the Squid ACL level and by the final iptables -A OUTPUT -p tcp -j DROP rule, so there is no actual firewall bypass. However, they are NOT in the iptables DANGEROUS_PORTS_LIST used for the specific [FW_BLOCKED_DANGEROUS_PORT] log prefix. Access attempts to these ports will be logged as generic [FW_BLOCKED_TCP] rather than [FW_BLOCKED_DANGEROUS_PORT], making forensic triage harder.

---

Input Validation Assessment

Overall: Strong. Shell arguments are properly escaped via escapeShellArg() (src/cli.ts:867-880) using single-quote wrapping with escaped interior single quotes. User input flows through typed TypeScript interfaces, not raw string interpolation into shell commands. execa is used (not exec/child_process.exec) which avoids shell interpolation for most subprocess calls.

DLP is opt-in only [LOW]:

// src/cli.ts:1251-1255
.option('--enable-dlp', 'Enable DLP (Data Loss Prevention) scanning...')
// Default: false
````
Credential exfiltration via URL parameters (e.g., `curl "(alloweddomain.com/redacted) is not blocked by default. The DLP patterns in `src/dlp.ts` are comprehensive (GitHub, OpenAI, Anthropic, AWS, Google, Slack tokens), but must be explicitly opted in.

---

## ⚠️ Threat Model (STRIDE)

| # | Threat | Category | Evidence | Likelihood | Impact | Severity |
|---|--------|----------|----------|------------|--------|----------|
| T1 | Agent uses `unshare --user` to create user namespace, then `mount` to access restricted paths | Elevation of Privilege | `mount`/`unshare` in seccomp ALLOW; AppArmor unconfined | Low (mitigated by SYS_ADMIN cap drop) | High | **High** |
| T2 | Agent uses `--enable-dind` + `docker run --network host` to bypass all egress filtering | Elevation of Privilege / Tampering | `src/docker-manager.ts:860` | High (if feature used) | Critical | **High** |
| T3 | Agent reads `/proc/(entrypoint-pid)/environ` within 5-second token window | Information Disclosure | `entrypoint.sh:654-657` | Low (fast agents only) | High | **Medium** |
| T4 | Agent uses `pidfd_getfd` to steal file descriptors from entrypoint process | Information Disclosure | seccomp-profile.json: `pidfd_getfd ALLOW` | Low | Medium | **Medium** |
| T5 | Credential exfiltration via URL parameters to allowed domains | Information Disclosure | DLP disabled by default | Medium | High | **Medium** |
| T6 | DoS via CPU exhaustion (no hard CPU limit) | Denial of Service | `cpu_shares` only, no `cpus` | Medium | Medium | **Medium** |
| T7 | ICMP-based covert channel or data exfiltration | Information Disclosure | No agent-level ICMP block | Low (host rules block it) | Low | **Low** |
| T8 | Audit gap for CouchDB/InfluxDB/ES port access | Repudiation | 6 ports in squid but not iptables DANGEROUS_PORTS | Low | Low | **Low** |
| T9 | Overly broad wildcard domain `*.*.com` bypasses Squid ACL | Spoofing | Blocked by `validateDomainOrPattern()` | Negligible | High | **Low** |

---

## 🎯 Attack Surface Map

| Entry Point | File:Line | What It Does | Protections | Risk |
|-------------|-----------|--------------|-------------|------|
| `--allow-domains` / `--allow-domains-file` | `src/cli.ts:1118,1128` | Populates Squid allowlist | `validateDomainOrPattern()`, ReDoS guards | Low |
| `--enable-dind` flag | `src/cli.ts:1247` | Exposes Docker socket | Explicit warning only | **High** |
| Agent command string | `src/cli.ts:1366` | Shell command in container | `escapeShellArg()`, chroot | Low |
| `AWF_ONE_SHOT_TOKENS` env var | `entrypoint.sh:319` | Controls which tokens are protected | Hardcoded defaults, obfuscated | Low |
| Docker socket (`/var/run/docker.sock`) | `src/docker-manager.ts:867` | Container management | Hidden via `/dev/null` bind mount | Low |
| Squid forward proxy port 3128 | `src/squid-config.ts:423` | All HTTP/HTTPS | Domain ACL, CONNECT filtering | Low |
| DNS via Docker embedded DNS | `entrypoint.sh:68-86` | All name resolution | Only 127.0.0.11 in resolv.conf | Low |
| `LD_PRELOAD` one-shot-token | `entrypoint.sh:677` | Token caching/clearing | Stripped binary, hidden symbols | Low |
| `pidfd_getfd` syscall | `seccomp-profile.json` | FD theft between processes | No mitigation | **Medium** |
| `unshare`/`mount`/`setns` syscalls | `seccomp-profile.json` | Namespace manipulation | `capsh --drop cap_sys_admin`, mitigated | Medium |
| `--allow-host-ports` | `src/cli.ts:1241` | Extends port bypass to host | Validation vs DANGEROUS_PORTS list | Low |
| API proxy sidecar credentials | `containers/api-proxy/server.js:44` | Real API key injection | Network-isolated sidecar, no agent env access | Low |

---

## 📋 Evidence Collection

<details>
<summary>AppArmor unconfined verification</summary>

````
# src/docker-manager.ts:1093-1099
security_opt: [
  'no-new-privileges:true',
  `seccomp=\$\{config.workDir}/seccomp-profile.json`,
  'apparmor:unconfined',
],
// AppArmor is set to unconfined to allow mounting procfs at /host/proc
// (Docker's default AppArmor profile blocks mount). This is safe because SYS_ADMIN is
// dropped via capsh before user code runs, so user code cannot mount anything.

Seccomp dangerous syscalls

$ python3 -c "
import json
with open('containers/agent/seccomp-profile.json') as f:
    d = json.load(f)
for s in d['syscalls']:
    for name in ['mount','unshare','setns','bpf','pidfd_getfd','io_uring_setup']:
        if name in s.get('names', []):
            print(f'{name}: {s[\"action\"]}')
"
mount: SCMP_ACT_ALLOW
unshare: SCMP_ACT_ALLOW
setns: SCMP_ACT_ALLOW
io_uring_setup: SCMP_ACT_ALLOW
pidfd_getfd: SCMP_ACT_ALLOW
# bpf: SCMP_ACT_ERRNO (correctly blocked)

Token unset timing

# containers/agent/entrypoint.sh:644-659 (chroot mode)
chroot /host /bin/bash -c "
  ...
  exec capsh --drop=\$\{CAPS_TO_DROP} --user=\$\{HOST_USER} -- -c 'exec \$\{SCRIPT_FILE}'
" &
AGENT_PID=$!

# Wait for agent to initialize and cache tokens (5 seconds)
sleep 5   # ← fixed 5s window

# Unset all sensitive tokens from parent shell environment
unset_sensitive_tokens

DANGEROUS_PORTS discrepancy

# src/squid-config.ts has (squid-only ports):
5984,  // CouchDB
6984,  // CouchDB (SSL)
8086,  // InfluxDB HTTP API
8088,  // InfluxDB RPC
9200,  // Elasticsearch HTTP API
9300,  // Elasticsearch transport

# containers/agent/setup-iptables.sh DANGEROUS_PORTS array:
# Does NOT include any of the above 6 ports
# These are still blocked by final: iptables -A OUTPUT -p tcp -j DROP
# But NOT tagged as [FW_BLOCKED_DANGEROUS_PORT] in logs

DinD Docker socket handling

// src/docker-manager.ts:855-875
if (config.enableDind) {
  logger.warn('Docker-in-Docker enabled: agent can run docker commands (firewall bypass possible)');
  agentVolumes.push(`\$\{dockerSocketPath}:/host\$\{dockerSocketPath}:rw`);
  agentVolumes.push('/run/docker.sock:/host/run/docker.sock:rw');
} else {
  // Hide Docker socket to prevent firewall bypass via 'docker run'
  agentVolumes.push('/dev/null:/host/var/run/docker.sock:ro');
  agentVolumes.push('/dev/null:/host/run/docker.sock:ro');
}

---

✅ Recommendations

🔴 High — Should Fix Soon

R1: Consider restricting --enable-dind with stronger guardrails
--enable-dind completely bypasses AWF's network controls. Consider: (a) requiring an explicit --i-understand-dind-bypasses-firewall acknowledgement flag; (b) logging all docker commands executed during a DinD session via an audit hook; (c) restricting which Docker networks a DinD container can join.

R2: Scope AppArmor to a custom profile instead of unconfined
Instead of apparmor:unconfined, consider creating a minimal AWF-specific AppArmor profile that allows only the specific mount operation needed (procfs only) while re-enabling the rest of docker-default. This restores a defence-in-depth layer for namespace and path operations.

🟡 Medium — Plan to Address

R3: Block pidfd_getfd and pidfd_open in seccomp or restrict to own PIDs
pidfd_getfd with pidfd_open enables cross-process FD theft. Unless a specific agent use case requires it, these can be blocked in the seccomp profile. If they must remain, consider adding an argument filter (SCMP_CMP_EQ on flags) to restrict to self-targeted operations.

R4: Make token unset signal-based rather than time-based
Replace the fixed sleep 5 with a mechanism where the agent signals readiness (e.g., writes a small file to a tmpfs volume, or the one-shot-token library triggers an event after all tokens are accessed and cached). This eliminates the race window regardless of agent startup speed.

R5: Sync DANGEROUS_PORTS list between squid-config.ts and setup-iptables.sh
Add the 6 missing ports (5984, 6984, 8086, 8088, 9200, 9300) to the DANGEROUS_PORTS array in containers/agent/setup-iptables.sh so that access attempts are correctly tagged as [FW_BLOCKED_DANGEROUS_PORT] in audit logs rather than generic [FW_BLOCKED_TCP].

R6: Consider defaulting DLP to enabled
Credential exfiltration via URL parameters (e.g., ?token=ghp_xxxx) to allowed domains is not blocked without --enable-dlp. Given the zero observed false-positive rate of DLP patterns (all require 36+ character specific prefixes), consider making DLP the default-on stance.

R7: Add a hard CPU limit (cpus) to the agent container
Supplement cpu_shares with a cpus: 4.0 (or similar) hard cap to prevent runaway computation. The default mem_limit: 6g already protects memory — adding cpus provides symmetric protection.

🟢 Low — Nice to Have

R8: Add ICMP DROP to agent-level iptables OUTPUT chain
Add iptables -A OUTPUT -p icmp -j DROP to setup-iptables.sh for defence-in-depth against ICMP-based covert channels, even though the host-level FW_WRAPPER already blocks these.

R9: Block io_uring in seccomp unless needed
io_uring has had numerous kernel CVEs. Unless any agent tool specifically requires it, consider blocking it in the seccomp profile. The current profile allows all three: io_uring_enter, io_uring_register, io_uring_setup.

---

📈 Security Metrics

Metric	Value
Lines of security-critical code analyzed	4,970
Files reviewed	8
Attack surfaces identified	13
STRIDE threats modeled	9
Critical findings	0
High findings	2
Medium findings	5
Low findings	4
npm vulnerabilities	0
Credential exclusions for API proxy mode	5 explicit + placeholder strategy
Seccomp syscalls allowed	~300 (default ALLOW, 5 groups blocked)
Dangerous syscalls still allowed	mount, unshare, setns, pidfd_getfd, io_uring_*

AI generated by Daily Security Review and Threat Modeling

• expires on Mar 31, 2026, 2:03 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-03-31T14:03:40.322Z.

Closed by Workflow