Skip to content

fix: improve one-shot token library copy robustness in chroot mode #606

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
lpcox merged 2 commits into from
Feb 10, 2026
Merged

fix: improve one-shot token library copy robustness in chroot mode #606

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d54e0bf
Initial plan
Copilot Feb 10, 2026
928c3d4
fix: improve one-shot token library copy with better error handling
Copilot Feb 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 15 additions & 5 deletions containers/agent/entrypoint.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -169,14 +169,24 @@ if [ "${AWF_CHROOT_ENABLED}" = "true" ]; then

# Copy one-shot-token library to host filesystem for LD_PRELOAD in chroot
# This prevents tokens from being read multiple times by malicious code
# Note: /tmp is always writable in chroot mode (mounted from host /tmp as rw)
ONE_SHOT_TOKEN_LIB=""
if [ -f /usr/local/lib/one-shot-token.so ]; then
mkdir -p /host/tmp/awf-lib
if cp /usr/local/lib/one-shot-token.so /host/tmp/awf-lib/one-shot-token.so 2>/dev/null; then
ONE_SHOT_TOKEN_LIB="/tmp/awf-lib/one-shot-token.so"
echo "[entrypoint] One-shot token library copied to chroot at ${ONE_SHOT_TOKEN_LIB}"
# Create the library directory in /tmp (always writable)
if mkdir -p /host/tmp/awf-lib 2>/dev/null; then
# Copy the library and verify it exists after copying
if cp /usr/local/lib/one-shot-token.so /host/tmp/awf-lib/one-shot-token.so 2>/dev/null && \
[ -f /host/tmp/awf-lib/one-shot-token.so ]; then
Comment on lines +176 to +179
Copy link

Copilot AI Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The mkdir/cp failures are redirected to /dev/null, so the warnings/errors here won’t include the underlying reason (e.g., permission denied, ENOSPC). For the “improved diagnostics” goal, consider capturing stderr and including it in the log output (or at least logging it when the operation fails).

Copilot uses AI. Check for mistakes.
ONE_SHOT_TOKEN_LIB="/tmp/awf-lib/one-shot-token.so"
echo "[entrypoint] One-shot token library copied to chroot at ${ONE_SHOT_TOKEN_LIB}"
else
echo "[entrypoint][WARN] Could not copy one-shot-token library to /tmp/awf-lib"
echo "[entrypoint][WARN] Token protection will be disabled (tokens may be readable multiple times)"
fi
else
echo "[entrypoint][WARN] Could not copy one-shot-token library to chroot"
echo "[entrypoint][ERROR] Could not create /tmp/awf-lib directory"
echo "[entrypoint][ERROR] This should not happen - /tmp is mounted read-write in chroot mode"
Comment on lines +187 to +188
Copy link

Copilot AI Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The mkdir failure message refers to "/tmp/awf-lib", but the failing operation is creating "/host/tmp/awf-lib" (pre-chroot). Using the actual path here (and optionally noting it maps to /tmp in the chroot) would make the error easier to act on.

This issue also appears on line 183 of the same file.

See below for a potential fix:

        echo "[entrypoint][WARN] Could not copy one-shot-token library to /host/tmp/awf-lib (chroot path: /tmp/awf-lib)"
        echo "[entrypoint][WARN] Token protection will be disabled (tokens may be readable multiple times)"
      fi
    else
      echo "[entrypoint][ERROR] Could not create /host/tmp/awf-lib directory (chroot path: /tmp/awf-lib)"
      echo "[entrypoint][ERROR] This should not happen - /host/tmp is mounted read-write and mapped to /tmp in chroot mode"

Copilot uses AI. Check for mistakes.
echo "[entrypoint][WARN] Token protection will be disabled (tokens may be readable multiple times)"
fi
fi

Expand Down
9 changes: 9 additions & 0 deletions package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

5 changes: 3 additions & 2 deletions src/docker-manager.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -478,8 +478,9 @@ export function generateDockerCompose(
const userHome = getRealUserHome();
agentVolumes.push(`${userHome}:/host${userHome}:rw`);

// /tmp is needed for chroot mode to write temporary command scripts
// The entrypoint.sh writes to /host/tmp/awf-cmd-$$.sh
// /tmp is needed for chroot mode to write:
// - Temporary command scripts: /host/tmp/awf-cmd-$$.sh
// - One-shot token LD_PRELOAD library: /host/tmp/awf-lib/one-shot-token.so
agentVolumes.push('/tmp:/host/tmp:rw');

// Minimal /etc - only what's needed for runtime
Expand Down
Loading