The Docker driver allows a sandbox template or spec to override PATH before driver-controlled environment keys are applied. The supervisor later performs privileged network setup by resolving helper binaries through PATH with calls like Command::new("ip") and Command::new("nsenter").
Because the supervisor container runs as root with SYS_ADMIN, NET_ADMIN, SYS_PTRACE, SYSLOG, apparmor=unconfined, and network_mode = "host", a malicious image or spec can cause a controlled helper binary such as /malicious/bin/ip or /malicious/bin/nsenter to execute during privileged setup. With host networking enabled, the impact extends to host network state rather than remaining confined to a container network namespace.
Possible impact includes host route changes, iptables changes, interface manipulation, traffic interception, or denial of service.
Suggested mitigations:
- Make PATH driver-controlled after merging user environment, similar to OPENSHELL_ENDPOINT.
- Prefer absolute helper paths such as /usr/sbin/ip and /usr/bin/nsenter after validating them.
- Replace shell-out helper usage with Rust netlink/syscall code or a trusted bind-mounted helper binary.
- Add a regression test that attempts to override PATH and verifies the final supervisor environment keeps the trusted path.
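A sketch of the first two mitigations and the regression check, as an added example that is not the project's own code. The function names, the TRUSTED_PATH value and the endpoint string are assumptions made for illustration; only PATH, OPENSHELL_ENDPOINT and the two helper paths come from the report.

```rust
use std::collections::BTreeMap;
use std::process::Command;

// Assumed values for this sketch; the real driver's constants may differ.
const TRUSTED_PATH: &str = "/usr/sbin:/usr/bin:/sbin:/bin";
const DRIVER_KEYS: [&str; 2] = ["PATH", "OPENSHELL_ENDPOINT"];

/// Merge the template/spec environment, then apply driver-controlled keys last
/// so a user-supplied PATH never survives. Returns (final env, dropped overrides).
fn build_supervisor_env(
    user_env: &[(&str, &str)],
    endpoint: &str,
) -> (BTreeMap<String, String>, Vec<String>) {
    let mut env = BTreeMap::new();
    let mut dropped = Vec::new();
    for (key, value) in user_env {
        if DRIVER_KEYS.contains(key) {
            dropped.push(format!("{key}={value}"));
        } else {
            env.insert(key.to_string(), value.to_string());
        }
    }
    env.insert("PATH".to_string(), TRUSTED_PATH.to_string());
    env.insert("OPENSHELL_ENDPOINT".to_string(), endpoint.to_string());
    (env, dropped)
}

/// Map a helper name to a fixed absolute path instead of searching PATH.
fn helper_path(name: &str) -> Option<&'static str> {
    match name {
        "ip" => Some("/usr/sbin/ip"),
        "nsenter" => Some("/usr/bin/nsenter"),
        _ => None,
    }
}

/// Build (but do not run) a helper command with a scrubbed environment.
fn helper_command(name: &str, env: &BTreeMap<String, String>) -> Option<Command> {
    let mut cmd = Command::new(helper_path(name)?);
    cmd.env_clear().envs(env);
    Some(cmd)
}

fn main() {
    // Constructed spec that tries to redirect helper lookup.
    let spec = [("PATH", "/malicious/bin:/usr/bin"), ("LANG", "C")];
    let (env, dropped) = build_supervisor_env(&spec, "unix:///run/example.sock");
    println!("PATH={} dropped={:?}", env["PATH"], dropped);
}
```

Returning the dropped overrides lets the driver log an attempted PATH override instead of discarding it silently.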