`vault.py::serve` (around lines 491-499) exec's the client's `bwrap_argv` verbatim once token auth passes. Same-uid trust boundary, so not a privilege escalation — but a stale or buggy client could exec unexpected args under the primary's user namespace.
- Minimal: sanity-check `argv[0] == "bwrap"` and reject if the argv contains flags the daemon doesn't expect from its own clients.
- Or: add a prominent docstring/comment on `serve` stating the same-uid trust assumption, so a future reviewer doesn't mistake this for a remote-capable endpoint.
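One way the "minimal" option above could look, as an added example rather than code from vault.py or the project: an allowlist check the daemon runs on the client-supplied argv before exec. The function names (`validate_bwrap_argv`, `is_valid_bwrap_argv`), the exception type, the requirement that clients always send a `--` separator, and the particular set of accepted and denied flags are assumptions; the flags themselves are real bwrap options, but which ones belong on the allowlist has to be derived from what the daemon's own clients actually emit.

```python
"""Added example: allowlist check for a client-supplied bwrap argv.

Illustrative code, not vault.py's own. The function names, the exception
type, the '--' separator requirement and the allowlist contents are
assumptions; tune the allowlist to what the daemon's own clients send.
"""
from __future__ import annotations

# Flags assumed to be the only ones the daemon's own clients send.
# Value = number of positional values that follow the flag.
ALLOWED_FLAGS: dict[str, int] = {
    "--ro-bind": 2,
    "--bind": 2,
    "--dev-bind": 2,
    "--tmpfs": 1,
    "--proc": 1,
    "--dev": 1,
    "--chdir": 1,
    "--setenv": 2,
    "--unsetenv": 1,
    "--unshare-all": 0,
    "--unshare-user": 0,
    "--unshare-net": 0,
    "--share-net": 0,
    "--die-with-parent": 0,
    "--new-session": 0,
    "--clearenv": 0,
}

# Flags a same-uid client has no reason to send in this design; listed
# explicitly so the rejection is documented rather than implicit.
DENIED_FLAGS = {"--uid", "--gid", "--cap-add", "--args", "--argv0"}


class BadBwrapArgv(ValueError):
    """Raised when a client argv fails the sanity check."""


def validate_bwrap_argv(argv: list[str]) -> list[str]:
    """Return argv unchanged if it passes, otherwise raise BadBwrapArgv.

    Checks: argv[0] is exactly "bwrap" (no path variants), every flag
    before the "--" separator is on the allowlist with the right arity,
    no denied flag appears, and a non-empty command follows "--".
    """
    if not argv or argv[0] != "bwrap":
        raise BadBwrapArgv(f"argv[0] must be 'bwrap', got {argv[:1]!r}")
    if any("\0" in a for a in argv):
        raise BadBwrapArgv("NUL byte in argv")

    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == "--":
            # Everything after the separator is the sandboxed command.
            if not argv[i + 1:]:
                raise BadBwrapArgv("no command after '--'")
            return argv
        if arg in DENIED_FLAGS:
            raise BadBwrapArgv(f"flag not permitted: {arg}")
        if arg not in ALLOWED_FLAGS:
            raise BadBwrapArgv(f"unexpected flag: {arg!r}")
        arity = ALLOWED_FLAGS[arg]
        values = argv[i + 1:i + 1 + arity]
        # Conservative: a value that looks like a flag is treated as a
        # missing value rather than silently consumed.
        if len(values) != arity or any(v.startswith("--") for v in values):
            raise BadBwrapArgv(f"{arg} expects {arity} value(s)")
        i += 1 + arity

    raise BadBwrapArgv("missing '--' separator before the command")


def is_valid_bwrap_argv(argv: list[str]) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_bwrap_argv(argv)
        return True
    except BadBwrapArgv:
        return False


if __name__ == "__main__":
    # Constructed sample argv, the shape a well-behaved client might send.
    sample = ["bwrap", "--ro-bind", "/usr", "/usr", "--unshare-all",
              "--die-with-parent", "--", "/bin/true"]
    print(is_valid_bwrap_argv(sample))
    print(is_valid_bwrap_argv(["/usr/bin/bwrap", "--", "/bin/true"]))
```

The point of the arity table is that rejecting by flag name alone is not enough: a client that sends `--ro-bind` with one value instead of two shifts every later token by one, and the daemon would exec something other than what either side intended. Checking arity keeps the parse the daemon does in step with the parse bwrap will do.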