[Security Review] Daily Security Review — gh-aw-firewall Threat Model & Codebase Analysis (2026-04-11)

[github-actions[bot]]

📊 Executive Summary

This review covers a deep, evidence-based security analysis of the gh-aw-firewall codebase conducted on 2026-04-11. The overall security posture is strong for its threat model (containing agentic LLM workflows). The architecture shows defence-in-depth layering: L3/L4 iptables, L7 Squid proxy, capability dropping, seccomp filtering, and UID isolation. Five security findings were identified — one high severity, three medium, and several low/informational items. No critical exploitable paths were discovered.

Metric	Value
Lines of security-critical code analysed	5,881 (6 core files)
Attack surfaces identified	8
STRIDE threats modelled	18
Critical findings	0
High findings	1
Medium findings	3
Low/Informational findings	5

---

🔍 Findings from Firewall Escape Test (Secret Digger Workflow)

The escape-test summary file at /tmp/gh-aw/escape-test-summary.txt contained the conclusion log of the "Secret Digger (Copilot)" workflow run (2026-04-11T03:25). Key outcome signals:

GH_AW_SECRET_VERIFICATION_RESULT: success
GH_AW_AGENT_CONCLUSION: success
Agent succeeded with only noop outputs - this is not a failure

The workflow concluded success with noop outputs — meaning no secrets were exfiltrated or discovered by the agent during that run. No injection or bypass was recorded. This is consistent with the firewall functioning correctly.

---

🛡️ Architecture Security Analysis

Network Security Assessment

Evidence gathered:

# containers/agent/setup-iptables.sh
# Line ~45-55: IPv6 disabled via sysctl
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1

# Line ~330-335: Only 80/443 DNAT to Squid
iptables -t nat -A OUTPUT -p tcp --dport 80  -j DNAT --to-destination "\$\{SQUID_IP}:3128"
iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination "\$\{SQUID_IP}:3128"

# Line ~390-415: Dangerous ports blocked at NAT level
# Line ~430-445: Default DROP on TCP and UDP
iptables -A OUTPUT -p tcp -j DROP
iptables -A OUTPUT -p udp -j DROP
```

**Strengths:**
- Dual-layer enforcement: host-level DOCKER-USER chain + container-level OUTPUT chain
- IPv6 disabled in container namespace to prevent bypass
- DNS restricted to configured upstream servers (default: 8.8.8.8/8.8.4.4)
- Multicast and 169.254.0.0/16 (link-local/APIPA/IMDS) explicitly blocked
- 15 "dangerous" ports (SSH/SMTP/databases) blocked at both NAT and filter layers

**Weakness — [HIGH] Shared `/tmp` in chroot mode (`docker-manager.ts:919`):**
```
agentVolumes.push('/tmp:/host/tmp:rw');

The entire host /tmp is mounted read-write into the chroot. In chroot mode, the entrypoint writes temporary script files to /host/tmp/awf-cmd-$$.sh. If two concurrent AWF sessions share the same host, their /tmp is visible to both agents. A malicious or compromised agent could read script files from another session, or race-condition write to another session's script path if it could predict the PID ($$). Shell PID values are typically sequential and predictable.

Weakness — [MEDIUM] ICMP not explicitly logged or blocked at L4:
ICMP is blocked by the default DROP/REJECT rules but is not explicitly logged with a [FW_BLOCKED_ICMP] prefix. This makes it harder to distinguish ICMP egress attempts in audit logs from normal blocked traffic.

---

Container Security Assessment

Evidence gathered:

# src/docker-manager.ts:1319-1323
security_opt: [
  'no-new-privileges:true',
  `seccomp=\$\{config.workDir}/seccomp-profile.json`,
  'apparmor:unconfined',   # <--- ⚠️
]

# containers/agent/entrypoint.sh:362-364
# Non-chroot mode:
CAPS_TO_DROP=""
echo "[entrypoint] No capabilities to drop (NET_ADMIN never granted to agent)"
...
gosu awfuser "$@" &
```

**[MEDIUM] AppArmor disabled on agent container (`docker-manager.ts:1322`):**

```
'apparmor:unconfined'
```

AppArmor MAC is intentionally disabled to allow `mount -t proc` in the entrypoint (Docker's default AppArmor profile blocks `mount`). The comment acknowledges this:
```
// AppArmor is set to unconfined to allow mounting procfs at /host/proc
// (Docker's default AppArmor profile blocks mount). This is safe because SYS_ADMIN is
// dropped via capsh before user code runs, so user code cannot mount anything.

While the SYS_ADMIN capability is dropped before user code executes, the AppArmor profile is disabled for the entire container lifetime, not just the procfs-mount window. This means:

• No MAC enforcement during the entrypoint setup phase (where capabilities are still elevated)
• No AppArmor path restrictions on file access throughout the container
• No AppArmor network socket restrictions

A more targeted mitigation would be a custom AppArmor profile that explicitly permits mount -t proc while denying other dangerous operations, or using aa-exec with a temporary profile switch.

[MEDIUM] Non-chroot mode drops no capabilities from bounding set:

In non-chroot mode (AWF_CHROOT_ENABLED != true):

CAPS_TO_DROP=""
...
gosu awfuser "$@" &   # no capsh, no bounding set modification
```

The container launches with Docker's default capability set for the agent container:
```
# src/docker-manager.ts:1308-1314 — only drops NET_RAW, SYS_PTRACE, etc. from the compose config
cap_drop: ['NET_RAW', 'SYS_PTRACE', ...]

In non-chroot mode, capsh --drop=... is never called, so the bounding set equals what Docker configured. The no-new-privileges:true security_opt prevents gaining new caps via SUID, but does not shrink the existing bounding set further. An agent code path that calls setuid(0) or uses ambient capabilities would operate within the granted set. gosu correctly drops to awfuser, but the bounding set is not tightened per-process.

Strengths:

• no-new-privileges:true applied to agent container (prevents SUID escalation)
• Seccomp profile blocks ptrace, process_vm_readv/writev, kexec_load, reboot, init_module, pivot_root, keyctl, etc.
• pids_limit: 1000 limits fork bombs
• One-shot-token LD_PRELOAD prevents API key re-reading from /proc/self/environ
• Sensitive tokens unset from parent shell before agent process starts
• SYS_CHROOT + SYS_ADMIN dropped via capsh in chroot mode before user code runs
• NET_ADMIN isolated to dedicated init container (never granted to agent)

---

Domain Validation Assessment

Evidence gathered:

// src/domain-patterns.ts:27
export const SQUID_DANGEROUS_CHARS = /[\s\0"'`;#]/;

// src/squid-config.ts:57-63
function assertSafeForSquidConfig(value: string): string {
  if (SQUID_DANGEROUS_CHARS.test(value)) {
    throw new Error(`SECURITY: Domain or pattern contains characters unsafe for Squid config...`);
  }
  return value;
}

Strengths:

• Characters dangerous for Squid config injection are filtered: [\s\0"';#]`
• Wildcard patterns are converted to anchored regex ^...$ preventing catastrophic backtracking (ReDoS) via [a-zA-Z0-9.-]* character class instead of .*
• Backslash excluded from domain-level rejection (needed for URL regex) but explicitly checked in validateDomainOrPattern()
• Redundant subdomains and domains covered by wildcard patterns are deduplicated

[LOW] Backslash exclusion from SQUID_DANGEROUS_CHARS:
The comment in domain-patterns.ts explains that backslash is excluded because --allow-urls patterns use \ for regex escaping. This is technically correct but creates a subtle difference: domains vs URL patterns have different validation paths. A future code change that inadvertently passes a URL pattern value through the domain-only path could introduce a Squid config injection vector.

---

Input Validation Assessment

Evidence gathered:

// src/cli.ts:1522
const agentCommand = args.length === 1 ? args[0] : joinShellArgs(args);

// src/cli.ts:983-1001
export function escapeShellArg(arg: string): string { ... }  // single-quotes + escape internal quotes
export function joinShellArgs(args: string[]): string { ... }  // maps escapeShellArg over array

Strengths:

• Multi-argument commands are properly shell-escaped via escapeShellArg (single-quote wrapping)
• Single-string commands pass through unescaped (by design, for shell variable expansion in container)
• Host UID/GID validated to be numeric and non-zero (src/docker-manager.ts:56, containers/agent/entrypoint.sh:15-32)

[INFORMATIONAL] Single-argument pass-through is by-design but high trust:

// src/cli.ts:1498-1522 (comments from source)
// SINGLE ARGUMENT: treated as complete shell command string
// → Container shell: 'echo $HOME' (expands to container home)
// Trust assumption: $3 comes from Docker CMD set by docker-manager.ts
const agentCommand = args.length === 1 ? args[0] : joinShellArgs(args);
```

The single-string command path intentionally allows shell constructs (`$(...)`, `$VAR`, backticks). This is correct for the intended use case, but means any user who can control the AWF invocation has full shell execution inside the container. This is a known and accepted design decision.

---

## ⚠️ Threat Model (STRIDE)

| Category | Threat | Likelihood | Impact | Evidence Location |
|----------|--------|-----------|--------|------------------|
| **Spoofing** | Agent forges Squid CONNECT request with injected Host header to bypass ACL | Low | High | `src/squid-config.ts` — Squid validates Host via dstdom_regex |
| **Spoofing** | Agent spoofs Docker embedded DNS to resolve disallowed domains | Low | High | `containers/agent/setup-iptables.sh:~150` — DNS locked to 127.0.0.11 |
| **Spoofing** | API target host header injection via manipulated `X-Forwarded-For` | Low | Medium | `containers/api-proxy/server.js` — `STRIPPED_HEADERS` removes forwarding headers |
| **Tampering** | Agent modifies iptables rules via `NET_ADMIN` | Very Low | Critical | `src/docker-manager.ts:1298` — NET_ADMIN never granted to agent |
| **Tampering** | Agent writes to host filesystem via shared `/tmp` bind mount | Medium | Medium | `docker-manager.ts:919` — `/tmp:/host/tmp:rw` |
| **Tampering** | Agent modifies resolv.conf in chroot to redirect DNS | Low | Medium | `containers/agent/entrypoint.sh:~545` — resolv.conf restored on exit via trap |
| **Repudiation** | Agent makes requests that aren't logged | Low | Medium | Squid logs all L7 traffic; iptables logs blocked L3/L4 |
| **Repudiation** | Agent operates between log rotation leaving audit gap | Very Low | Low | Squid access.log continuous; no log rotation during session |
| **Information Disclosure** | API keys leaked via `/proc/self/environ` | Low | Critical | One-shot-token LD_PRELOAD clears env; `unset_sensitive_tokens()` |
| **Information Disclosure** | Concurrent session cross-contamination via shared `/tmp` | Medium | Medium | `/tmp:/host/tmp:rw` — predictable PID-based script file names |
| **Information Disclosure** | DoH covert channel through allowed HTTPS domains | Medium | Medium | HTTPS traffic to allowed domains (e.g., `dns.google`) can carry arbitrary data |
| **Information Disclosure** | `/etc/passwd` and `/etc/group` mounted read-only | Very Low | Low | `docker-manager.ts:~1010` — needed for chroot user lookup; no shadow mount |
| **Denial of Service** | Agent exhausts pids_limit causing container crash | Low | Low | `pids_limit: 1000` — limits fork bomb scope |
| **Denial of Service** | Squid cache exhaustion via many unique domain requests | Low | Low | Squid cache disabled in most configs |
| **Elevation of Privilege** | Agent uses `mount` syscall (allowed) to mount over sensitive paths | Low | High | Seccomp allows `mount`; mitigated by AppArmor (disabled) and SYS_ADMIN drop |
| **Elevation of Privilege** | Agent uses `unshare` to create user namespace for UID remapping | Low | Medium | Seccomp allows `unshare`; CAP_SETUID restricted |
| **Elevation of Privilege** | Agent uses `setns` to join a different network namespace | Very Low | High | Seccomp allows `setns`; requires fd to target namespace (non-trivial) |
| **Elevation of Privilege** | AppArmor disabled allows broader syscall/path access than intended | Medium | Medium | `docker-manager.ts:1322` — `apparmor:unconfined` |

---

## 🎯 Attack Surface Map

| Surface | Entry Point | Current Protections | Risk |
|---------|-------------|--------------------|----|
| **Network egress (HTTP/HTTPS)** | iptables DNAT → Squid:3128 | Domain ACL, `assertSafeForSquidConfig`, dangerous port blocklist | Low |
| **Network egress (non-HTTP ports)** | iptables OUTPUT DROP | Default deny for TCP/UDP; dangerous ports blocked at NAT level | Low |
| **DNS** | Container resolv.conf → 127.0.0.11 | Docker embedded DNS only; upstream restricted to 8.8.8.8/8.8.4.4; UDP DROP default | Low-Medium |
| **Container filesystem** | Selective bind mounts under `/host/` | No `/etc/shadow`; no blanket `$HOME`; credential overlays via `/dev/null` | Low-Medium |
| **Host `/tmp`** | `/tmp:/host/tmp:rw` bind mount | Predictable PID script names; no session isolation | Medium |
| **CLI input (domains/commands)** | `--allow-domains`, agent command string | `validateDomainOrPattern`, `escapeShellArg`, `SQUID_DANGEROUS_CHARS` | Low |
| **Capabilities/syscalls** | Agent process inside container | seccomp profile (default SCMP_ACT_ERRNO), `no-new-privileges:true`, capsh drop | Low-Medium |
| **AppArmor/MAC** | Container-level | `apparmor:unconfined` — no MAC policy applied | Medium |
| **API key isolation** | API proxy sidecar | Credentials never in agent env; one-shot-token LD_PRELOAD | Low |

---

## 📋 Evidence Collection

<details>
<summary>Key evidence commands and outputs</summary>

**AppArmor unconfined setting:**
```
src/docker-manager.ts:1316-1323:
  // AppArmor is set to unconfined to allow mounting procfs at /host/proc
  security_opt: [
    'no-new-privileges:true',
    `seccomp=\$\{config.workDir}/seccomp-profile.json`,
    'apparmor:unconfined',   ← MAC disabled
  ]
```

**Seccomp profile default action:**
```
containers/agent/seccomp-profile.json:
  "defaultAction": "SCMP_ACT_ERRNO"  ← default deny
  Allowed dangerous (but necessary): mount, unshare, setns, prctl
  Explicitly blocked: ptrace, process_vm_readv/writev, kexec_load, pivot_root, keyctl, etc.
```

**Shared /tmp mount:**
```
src/docker-manager.ts:919:
  agentVolumes.push('/tmp:/host/tmp:rw');
containers/agent/entrypoint.sh:~693:
  SCRIPT_FILE="/tmp/awf-cmd-$$.sh"  ← written to /host\$\{SCRIPT_FILE} = /host/tmp/awf-cmd-$$.sh
```

**Non-chroot capability non-drop:**
```
containers/agent/entrypoint.sh:363-364:
  CAPS_TO_DROP=""
  echo "[entrypoint] No capabilities to drop (NET_ADMIN never granted to agent)"
...line 876:
  gosu awfuser "$@" &   ← no capsh invocation, no bounding set modification
```

**DNS restriction:**
```
containers/agent/setup-iptables.sh:~75-90:
  iptables -t nat -A OUTPUT -p udp -d "$dns_server" --dport 53 -j RETURN
  iptables -A OUTPUT -p udp -d 127.0.0.11 --dport 53 -j ACCEPT
  iptables -A OUTPUT -p udp -j DROP   ← default deny UDP
```

**Squid config injection defense:**
```
src/domain-patterns.ts:27:
  export const SQUID_DANGEROUS_CHARS = /[\s\0"'`;#]/;
src/squid-config.ts:57-63:
  function assertSafeForSquidConfig(value: string): string { ... throws on match }
```

**Token protection:**
```
containers/agent/entrypoint.sh:~371-392:
  unset_sensitive_tokens() — unsets GITHUB_TOKEN, ANTHROPIC_API_KEY, OPENAI_API_KEY, etc.
containers/agent/one-shot-token/ — LD_PRELOAD library that caches then clears env vars
```

**Secret Digger escape test result:**
```
/tmp/gh-aw/escape-test-summary.txt:
  GH_AW_SECRET_VERIFICATION_RESULT: success
  GH_AW_AGENT_CONCLUSION: success
  Agent succeeded with only noop outputs - this is not a failure
  (No secrets exfiltrated, no firewall bypass recorded)

---

✅ Recommendations

🔴 High Priority

H1 — Isolate /tmp between concurrent AWF sessions

• File: src/docker-manager.ts:919
• Issue: /tmp:/host/tmp:rw creates cross-session data leakage risk; /tmp/awf-cmd-$$.sh filenames are PID-predictable on busy hosts.
• Recommendation: Create a session-scoped subdirectory (e.g., /tmp/awf-<timestamp>/agent-tmp) and mount that as /host/tmp instead of the full host /tmp. Or, use a named Docker volume for each session's tmp rather than a host bind-mount.

---

🟠 Medium Priority

M1 — Provide a custom AppArmor profile instead of apparmor:unconfined

• File: src/docker-manager.ts:1322
• Issue: AppArmor MAC is disabled for the full container lifetime. Only the procfs mount operation requires relaxed profile; user code runs after capabilities are dropped.
• Recommendation: Write a minimal AppArmor profile that:
  • Allows mount -t proc during entrypoint init
  • Denies ptrace, direct device access, and network socket creation to sensitive device files after init
  • Transition to the restricted profile after procfs is mounted via aa-exec
  • This eliminates the largest gap vs. CIS Docker Benchmark §5.1 (custom AppArmor/SELinux)

M2 — Drop additional capabilities in non-chroot mode via capsh

• File: containers/agent/entrypoint.sh:363-376
• Issue: CAPS_TO_DROP="" in non-chroot mode means capsh is never invoked; bounding set is not tightened beyond what Docker's cap_drop config sets.
• Recommendation: Even in non-chroot mode, invoke capsh --drop=cap_sys_chroot,cap_sys_admin,cap_ipc_lock,cap_sys_rawio,cap_sys_boot -- -c "exec gosu awfuser ..." to minimise the bounding set before the agent process starts.

M3 — Add explicit ICMP audit logging

• File: containers/agent/setup-iptables.sh
• Issue: ICMP traffic is blocked by default but not distinctly logged — making it harder to identify ICMP-based exfiltration attempts in audit logs.
• Recommendation: Add a LOG rule before the default DROP:

  iptables -A OUTPUT -p icmp -m limit --limit 5/min \
    -j LOG --log-prefix "[FW_BLOCKED_ICMP] " --log-level 4
  iptables -A OUTPUT -p icmp -j DROP

---

🟡 Low Priority

L1 — Restrict unshare syscall in seccomp profile

• unshare is allowed in the current seccomp profile. While dangerous use requires capabilities that are dropped, explicitly denying user/network namespace creation via unshare(CLONE_NEWUSER | CLONE_NEWNET) reduces attack surface. Consider adding clone_flags args restriction or blocking unshare at seccomp level.

L2 — Consider session-scoped tmpfs for workDir instead of host-directory-based temp files

• agentCommand and other sensitive content pass through /tmp/awf-cmd-$$.sh on the host filesystem. Using an in-container tmpfs volume for sensitive ephemeral files would prevent host-side forensic recovery.

L3 — Pin execa to v9+ (current pin is v5.1.1 in package.json)

• The package.json specifies "execa": "^5.1.1". v5 uses CommonJS; v9 uses pure ESM with improved security posture. An upgrade would keep the dependency current and aligned with other ESM-only deps.

L4 — Document the backslash exclusion in SQUID_DANGEROUS_CHARS with a regression test

• The comment at domain-patterns.ts:22-26 explains why backslash is excluded from domain char filtering. This subtle invariant should be protected by an explicit test covering the domain vs URL-pattern validation split.

L5 — Log the open_by_handle_at syscall invocations

• open_by_handle_at is allowed in the seccomp profile and has historically been used in Docker escape exploits ("Shocker attack"). While capability restrictions should mitigate this, adding a seccomp LOG action (or denying it) would improve auditability.

---

📈 Security Metrics

Metric	Value
Security-critical TypeScript lines (src/)	~4,900
Security-critical shell script lines (containers/)	~1,356
Attack surfaces enumerated	8
STRIDE threats modelled	18
Seccomp allowed syscalls	~290 (default SCMP_ACT_ERRNO)
Seccomp explicitly blocked dangerous syscalls	23
Dangerous ports blocked (NAT + filter)	15
CIS Docker Benchmark gaps identified	2 (AppArmor profile §5.1, no-new-privs via capsh in non-chroot §5.4)
Findings requiring immediate action	0 critical, 1 high
Secrets exfiltrated in latest escape test	0 ✅

---

Review conducted by: GitHub Copilot CLI (claude-sonnet-4.6) | Workflow run: 24283037968 | Date: 2026-04-11

Generated by Daily Security Review and Threat Modeling · ● 1M · ◷

• expires on Apr 18, 2026, 1:09 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir in the firewall vault.
The smoke-run sigils were cast, and traces were read from code, browser, shell, and build.
By moonlit packet and guarded proxy, this oracle marks: the smoke test agent was here.
May allowed domains remain clear, and forbidden paths stay sealed.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir, and the smoke-test oracle has passed this threshold.
By moonlit shell and mirrored logs, Codex was here.
May your workflows remain warded and your builds remain green.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir, and the oracle records this passage.
The smoke-test agent walked these halls, read the signs, and marked the run.
By moonlit checksum and guarded flame, the wards remain intact.
So it is written in the firewall annals.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir in thread #1903.
I, the smoke-test oracle, have walked this circle and left this sigil.
May the firewall hold, and the network wards remain unbroken.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir in the firewall’s lattice.
The oracle has witnessed this smoke-test passage.
By sigil and circuit, the ward remains awake.
So it is written in the runes of CI.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir in the firewall halls. The smoke-test seer has walked this thread, read the omens, and marked the paths of signal and shadow. May your guards stay sharp and your egress remain true.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-04-18T13:09:47.836Z.

Closed by Workflow