[Security Review] Daily Security Review — 2026-06-30 #5720
Replies: 2 comments
Very useful security review. The overall posture looks strong, but the two high-priority findings around GEMINI_API_KEY / GOOGLE_API_KEY cleanup and CLONE_NEWUSER seccomp filtering seem worth addressing first because they directly affect credential exposure and container escape risk. I also like that the report separates runtime escape-test results from static-analysis findings, since that makes the risk easier to reason about. |
🔮 The ancient spirits stir, and the smoke test agent has passed through this discussion. May the build remain steadfast and the firewall hold its watch.
Warning: Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
network:
  allowed:
    - defaults
    - "registry.npmjs.org"
See Network Configuration for more information.
📊 Executive Summary
Review date: 2026-06-30 | Version: @github/agentic-workflow-firewall v0.23.1
Overall posture: STRONG with targeted medium-risk gaps. Defence-in-depth across five layers: network egress (Squid + iptables), container isolation (capabilities + seccomp + chroot), credential protection (one-shot-token + hidepid=2 + env-unset), domain injection prevention, and selective bind-mounts.
🔍 Escape Test Context
Pre-fetched results from /tmp/gh-aw/escape-test-summary.txt (Secret Digger / Copilot, 2026-04-11, run 24273493151):
- GH_AW_SECRET_VERIFICATION_RESULT: success — no secrets exfiltrated
- GH_AW_AGENT_CONCLUSION: success with noop-only outputs — agent found nothing to exfiltrate
- GH_AW_LOCKDOWN_CHECK_FAILED: false / GH_AW_INFERENCE_ACCESS_ERROR: false
The last escape test found no vulnerabilities. This review adds static analysis findings not observable at runtime.
🛡️ Architecture Assessment
Network Security
- HTTPS_PROXY env.
- sysctl -w net.ipv6.conf.all.disable_ipv6=1 || echo WARNING. The || echo pattern means failure is silent and the script continues — no ip6tables DNAT fallback.
- 127.0.0.11.
Container Security
- SYS_CHROOT + SYS_ADMIN added for entrypoint setup, then dropped via capsh --drop=cap_sys_chroot,cap_sys_admin before user code runs (entrypoint.sh:402/1224). NET_ADMIN never on agent.
- cap_drop: ALL + no-new-privileges: true.
- SCMP_ACT_ERRNO. 341 allowlisted syscalls.
- mount, clone, clone3, unshare, setns are all ALLOWED without argument filters. ptrace, process_vm_readv, pivot_root, keyctl correctly denied.
- /host/proc with hidepid=2 prevents cross-process /proc/[pid]/environ reads.
Domain Validation
- assertSafeForSquidConfig() (src/squid/domain-acl.ts:28) blocks [\s\0"'\;#] on all domain inputs. Over-broad wildcards (e.g. .*.com) and double-dots rejected. No injection bypass found.
Credential Protection
- credential-hiding.ts: 14 paths → /dev/null:path:ro. Missing: ~/.netrc, ~/.pypirc, ~/.config/git/credentials, ~/.m2/settings.xml.
- /proc/1/environ. Missing: GEMINI_API_KEY, GOOGLE_API_KEY.
- hidepid=2 closes the race window.
Findings:
- GEMINI_API_KEY/GOOGLE_API_KEY not unset from /proc/1/environ
- clone(CLONE_NEWUSER) allowed in seccomp without flag filter → user namespace UID=0
- ~/.netrc, ~/.pypirc, etc. not hidden via /dev/null overlay
- --ruleset-file or --config-file YAML
- mount + unshare + user-namespace chain (kernel-version dependent)
- --memory-limit optional; no default
- --enable-host-access + host.docker.internal allowlisted = full host service access
🎯 Attack Surface Map
- src/domain-validation.ts, src/squid/domain-acl.ts
- src/rules.ts:58, src/config-file.ts:199
- containers/agent/entrypoint.sh
- containers/agent/setup-iptables.sh
- entrypoint.sh:416-438
- src/services/agent-volumes/credential-hiding.ts
- containers/agent/seccomp-profile.json
- containers/api-proxy/src/upstream-proxy.ts
- src/services/agent-volumes/docker-socket.ts
- src/ssl-bump.ts, src/ssl-key-storage.ts
✅ Recommendations
🔴 High — Address Soon
H1: Add Gemini tokens to unset_sensitive_tokens() (containers/agent/entrypoint.sh:416-438)
GEMINI_API_KEY/GOOGLE_API_KEY are consumed by AWF (src/commands/build-config.ts:184) but not cleared from /proc/1/environ when api-proxy is not in use. Add "GEMINI_API_KEY" "GOOGLE_API_KEY" "GOOGLE_APPLICATION_CREDENTIALS" to SENSITIVE_TOKENS.
H2: Add seccomp arg filter for CLONE_NEWUSER flag (containers/agent/seccomp-profile.json)
clone/clone3 allowed without args filtering. CLONE_NEWUSER (0x10000000) enables user namespace creation where the process sees itself as UID 0, potentially enabling privileged mount operations. Combined with mount and unshare being allowed, this is a multi-step escalation path. Add an SCMP_ACT_ERRNO rule for clone/clone3 when flags include CLONE_NEWUSER. Alternatively add sysctl -w user.max_user_namespaces=0 in setup-iptables.sh.
🟡 Medium — Plan to Address
M1: Harden IPv6 disable with ip6tables DNAT fallback (containers/agent/setup-iptables.sh:97-111)
sysctl failure silently continues; no ip6tables DNAT rules redirect IPv6 traffic to Squid. After disable_ipv6(), if IPv6 is still active and ip6tables is available, add mirrored DNAT rules or treat it as a startup error.
M2: Expand credential hiding overlay list (src/services/agent-volumes/credential-hiding.ts)
Add ~/.netrc, ~/.pypirc, ~/.config/git/credentials, ~/.m2/settings.xml.
M3: Wrap yaml.load() with input-size guard (src/rules.ts:58, src/config-file.ts:199-212)
🟢 Low — Nice to Have
- Log the sysctl IPv6 failure to the AWF logger as ERROR (currently just echo WARNING).
- Restrict setns to allowed namespace types only.
📈 Security Metrics
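As an added example for recommendation H2 (not AWF's own code), the fix expressed as a transformation over a Docker/OCI-format seccomp profile in the project's language: clone and unshare stay allowed only while the CLONE_NEWUSER bit is clear, and clone3, whose flags live in a pointer-passed struct that seccomp cannot inspect, is answered with ENOSYS so libc falls back to clone. The profile types and the sample profile are constructed here, and the argument index assumes x86_64/aarch64 order (flags is argument 0).

```typescript
// Added example (not AWF's own code): harden a Docker/OCI-format seccomp profile so
// that no allowed syscall can create a user namespace (recommendation H2).
const CLONE_NEWUSER = 0x10000000; // flag value quoted in the review
const ENOSYS = 38; // errno returned for clone3 so libc falls back to clone
interface SeccompArg { index: number; value: number; valueTwo: number; op: string; }
interface SeccompRule { names: string[]; action: string; args?: SeccompArg[]; errnoRet?: number; }
interface SeccompProfile { defaultAction: string; syscalls: SeccompRule[]; }
// Syscalls whose flags word is argument 0 (x86_64/aarch64 argument order, assumed here).
const FLAG_SYSCALLS: string[] = ["clone", "unshare"];
const NS_SYSCALLS: string[] = ["clone", "clone3", "unshare"];

function hardenSeccompProfile(profile: SeccompProfile): SeccompProfile {
  const syscalls: SeccompRule[] = [];
  for (const rule of profile.syscalls) {
    if (rule.action === "SCMP_ACT_ALLOW" && !rule.args) {
      // Drop the namespace syscalls from every unconditional allow rule; left in place,
      // such a rule would make the argument-filtered rules below moot.
      const names = rule.names.filter((n) => NS_SYSCALLS.indexOf(n) < 0);
      if (names.length > 0) syscalls.push({ ...rule, names });
    } else {
      syscalls.push(rule);
    }
  }
  // Allow clone/unshare only when (flags & CLONE_NEWUSER) == 0: SCMP_CMP_MASKED_EQ with
  // mask = CLONE_NEWUSER and expected masked value 0. Calls that set the bit fall to the
  // profile's defaultAction (SCMP_ACT_ERRNO in the reviewed profile).
  syscalls.push({
    names: FLAG_SYSCALLS,
    action: "SCMP_ACT_ALLOW",
    args: [{ index: 0, value: CLONE_NEWUSER, valueTwo: 0, op: "SCMP_CMP_MASKED_EQ" }],
  });
  // clone3 receives its flags in a struct passed by pointer, which seccomp cannot read,
  // so it is answered with ENOSYS: glibc then retries via clone, where the masked rule
  // applies. Returning EPERM instead would break fork() on glibc 2.34+.
  syscalls.push({ names: ["clone3"], action: "SCMP_ACT_ERRNO", errnoRet: ENOSYS });
  return { ...profile, syscalls };
}

// True if any unconditional allow rule still covers a user-namespace-capable syscall.
function allowsUnfilteredUserNs(profile: SeccompProfile): boolean {
  return profile.syscalls.some((r) => r.action === "SCMP_ACT_ALLOW" && !r.args &&
    r.names.some((n) => NS_SYSCALLS.indexOf(n) >= 0));
}

// Constructed sample mirroring the reviewed shape: ERRNO default with a flat allowlist.
const sampleProfile: SeccompProfile = {
  defaultAction: "SCMP_ACT_ERRNO",
  syscalls: [{ names: ["read", "write", "clone", "clone3", "unshare", "mount"], action: "SCMP_ACT_ALLOW" }],
};
const hardenedProfile = hardenSeccompProfile(sampleProfile);
```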