
[Security] HIGH: Package shim and intercept layer bypassed by grandchild subprocesses #3

@piyushsingariya

Description

Summary

The pip shim, apt shim, call handler (block list, path rewriting, audit logging), and all other mvdan.cc/sh ExecHandlerFunc intercepts are consulted only for commands that the shell interpreter itself launches. Once such an external command is running, anything it forks or execs (a "grandchild" process) is an ordinary OS child that never passes through the handler chain, so it runs with full access to the real host filesystem, real package managers, and real system state.

Affected code

Confirmed reproduction

Pip shim bypass (root and locked profiles, isolation=none)

agentic-bash run --isolation none \
  --cmd 'python3 -c "
import subprocess
r = subprocess.run(
    [\"pip3\", \"install\", \"--target=/tmp/escaped_pip\", \"requests\"],
    text=True, capture_output=True
)
print(r.returncode, r.stderr[:80])
"'
# Output: 0 WARNING: Running pip as the 'root' user...

# On the host:
ls /tmp/escaped_pip/
# requests/  requests-2.x.dist-info/  ← installed to REAL host path

General subprocess escape (root profile, isolation=none)

agentic-bash run --isolation none \
  --cmd 'bash -c "echo ESCAPED > /tmp/bash_subprocess_escape.txt"'

# On the host:
ls /tmp/bash_subprocess_escape.txt   # ← exists on real host filesystem

Subprocess escape via python3 (locked profile, isolation=none)

agentic-bash run --isolation none \
  --cmd 'python3 -c "import subprocess; r=subprocess.run([\"bash\",\"-c\",\"id; cat /etc/hostname\"], text=True, capture_output=True); print(r.stdout)"'
# Output: uid=1000(agent) gid=1000(agent) groups=1000(agent)\nagentic-bash-vm

Impact

  • Pip shim bypass: install Python packages to arbitrary host directories, poisoning the host Python environment
  • General escape: any external command can launch child processes with full host access, bypassing audit logging, block lists, and path rewriting
  • The intercept layer provides no containment at all once a language runtime (Python, Node.js, bash) is reachable, because every runtime can spawn processes

Fix / Mitigations

  1. Document clearly: IsolationNone provides shell-level interposition only, with zero process containment. Require IsolationNamespace or higher for any security guarantee.
  2. Enforce isolation for shims: When pip/apt shims are active, reject IsolationNone with an error.
  3. Language runtime hardening (defense-in-depth only): Inject sitecustomize.py to block subprocess, os.system, os.exec*/fork/posix_spawn and multiprocessing in the Python runtime when running inside the sandbox. Note that sitecustomize is skipped by `python3 -S`, a PYTHONPATH-delivered copy is ignored under `-I`/`-E`, and ctypes or a compiled extension can still call libc directly, so this must never substitute for OS-level isolation.
  4. Document the threat model: The README should explicitly state, per isolation level, what is and is not protected against.
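Mitigation 3 in practice, as an added example that is not agentic-bash's own code: a hypothetical sitecustomize.py that replaces every process-creating entry point in Python (subprocess.Popen, os.system/fork/exec*/posix_spawn*/spawn*, and the private _posixsubprocess.fork_exec primitive that subprocess and multiprocessing ultimately call on POSIX), delivered through PYTHONPATH, followed by two interpreter launch modes that sidestep it. The function names (write_guard, run_probe, demo) and the PYTHONPATH delivery mechanism are assumptions made for this example.

```python
"""Added example (not agentic-bash's own code): a sitecustomize.py guard that
disables process spawning from Python, plus two launch modes that bypass it.
Assumption: the guard reaches the interpreter via PYTHONPATH."""
import os
import subprocess
import sys
import tempfile
import textwrap

# Hypothetical sitecustomize.py. Every public process-creation API is replaced
# by a function that raises, as is the private POSIX primitive that
# subprocess.Popen and multiprocessing's spawn start method call.
GUARD_SOURCE = textwrap.dedent("""\
    import os
    import subprocess

    def _denied(*args, **kwargs):
        raise PermissionError("process spawning is disabled inside the sandbox")

    subprocess.Popen = _denied   # run/call/check_call/check_output all build a Popen
    for _name in ("system", "popen", "fork", "forkpty", "posix_spawn", "posix_spawnp",
                  "execv", "execve", "execvp", "execvpe", "execl", "execle",
                  "execlp", "execlpe", "spawnv", "spawnve", "spawnvp", "spawnvpe",
                  "spawnl", "spawnle", "spawnlp", "spawnlpe"):
        if hasattr(os, _name):
            setattr(os, _name, _denied)
    try:
        import _posixsubprocess
        _posixsubprocess.fork_exec = _denied
    except ImportError:
        pass
""")

# Constructed probe standing in for a sandboxed script: it spawns a grandchild
# Python process, exactly the pattern the issue's reproductions use.
PROBE = ("import subprocess, sys; "
         "subprocess.run([sys.executable, '-c', 'print(42)'], check=True)")


def write_guard(directory):
    """Write the hypothetical sitecustomize.py into `directory`; return its path."""
    path = os.path.join(directory, "sitecustomize.py")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(GUARD_SOURCE)
    return path


def run_probe(guard_dir, extra_flags=()):
    """Run PROBE in a fresh interpreter with `guard_dir` first on PYTHONPATH.

    Returns (returncode, stderr). A return code of 0 means the grandchild ran.
    """
    env = dict(os.environ)
    existing = env.get("PYTHONPATH")
    env["PYTHONPATH"] = guard_dir + (os.pathsep + existing if existing else "")
    result = subprocess.run(
        [sys.executable, *extra_flags, "-c", PROBE],
        env=env, text=True, capture_output=True,
    )
    return result.returncode, result.stderr


def demo():
    """Map each launch mode to (returncode, stderr) of the probe.

    "guarded": plain interpreter, sitecustomize loaded from PYTHONPATH -> blocked.
    "-S":      site module never imported, so no sitecustomize at all -> escapes.
    "-I":      isolated mode ignores PYTHONPATH (implies -E and -s)     -> escapes.
    """
    with tempfile.TemporaryDirectory() as tmp:
        write_guard(tmp)
        return {
            "guarded": run_probe(tmp),
            "-S": run_probe(tmp, ("-S",)),
            "-I": run_probe(tmp, ("-I",)),
        }


if __name__ == "__main__":
    for mode, (rc, err) in demo().items():
        verdict = "grandchild spawned" if rc == 0 else "blocked: " + err.strip().splitlines()[-1]
        print(f"{mode:8s} rc={rc}  {verdict}")
```

Even with the guard loaded, `ctypes.CDLL(None).system(b"...")` or any compiled extension reaches libc without touching the patched names, and nothing here affects node or bash at all, which is why the example only supports mitigation 3's "defense-in-depth" framing and not a containment claim.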

Severity

High — defeats pip shim, apt shim, block list, audit logging, and path rewriting for any code that spawns subprocesses (which includes most real-world scripts).

Labels

bug (Something isn't working), security (Security vulnerability or audit)
