[Security Review] Daily Security Review — AWF v0.23.1 (2026-04-12)

[github-actions[bot]]

Reviewer: GitHub Copilot CLI (claude-sonnet-4.6)
Scope: Full codebase static analysis — 8,860 lines of security-critical code across 8 files
Run ID: 24307376122 | Date: 2026-04-12

---

📊 Executive Summary

AWF v0.23.1 presents a solid defence-in-depth posture with multiple overlapping controls: seccomp allowlist (default-deny), capability drops, iptables NAT+filter, host-level FW_WRAPPER chain, Squid ACL enforcement, DNS restriction, and one-shot token injection. No npm vulnerabilities were found (npm audit: 0 findings).

However, three findings warrant immediate attention:

Severity	Count
🔴 High	2
🟡 Medium	3
🔵 Low / Informational	4

---

🔍 Findings from Firewall Escape Test

The pre-fetched escape test file (/tmp/gh-aw/escape-test-summary.txt) contained the conclusion logs from a "Secret Digger (Copilot)" workflow run (2026-04-11), which completed with noop output — indicating the agent found no accessible secrets. Key signals:

• GH_AW_SECRET_VERIFICATION_RESULT: success — secret isolation held
• GH_AW_AGENT_CONCLUSION: success — agent completed normally
• GH_AW_LOCKDOWN_CHECK_FAILED: false — lockdown controls effective
• No escape, no credential leak, no inference access error reported

This is a healthy baseline consistent with the access controls observed in the static analysis below.

---

🛡️ Architecture Security Analysis

Network Security Assessment

Strengths:

• Dual-layer traffic enforcement: NAT DNAT to Squid (ports 80/443) + host FW_WRAPPER chain ensures all egress passes ACL filtering. Even proxy-unaware tools are caught by iptables.
• DNS restriction: Only configured DNS servers (default: 8.8.8.8, 8.8.4.4) plus Docker's embedded 127.0.0.11 are allowed. Direct UDP port 53 to other servers is blocked.
• Dangerous port blocklist: 15 ports (SSH/22, SMTP/25, databases, RDP/3389, Redis/6379, MongoDB/27017-28017) are RETURN'd from NAT and then DROP'd. Evidence: containers/agent/setup-iptables.sh:312–336.
• Default-deny TCP/UDP: iptables -A OUTPUT -p tcp -j DROP and iptables -A OUTPUT -p udp -j DROP at the end of the filter chain. Evidence: containers/agent/setup-iptables.sh:428–430.
• IPv6 protection: When ip6tables is unavailable, AWF disables IPv6 via sysctl net.ipv6.conf.all.disable_ipv6=1 to prevent an unfiltered bypass path. Evidence: src/host-iptables.ts:128–141.

⚠️ Finding H-1 (High): ICMP not explicitly blocked in agent container

The agent container's iptables setup drops TCP and UDP but has no DROP rule for ICMP or other IP protocols. The Linux iptables -A OUTPUT -p tcp -j DROP and iptables -A OUTPUT -p udp -j DROP rules at containers/agent/setup-iptables.sh:428–430 leave ICMP (protocol 1) unfiltered.

# Evidence: setup-iptables.sh:428–430 — no ICMP DROP rule exists
iptables -A OUTPUT -p tcp -j DROP
iptables -A OUTPUT -p udp -j DROP
# (no -p icmp rule)

Impact: An agent could use ICMP-based covert channels (e.g., ping-based data exfiltration, iodine-style DNS-over-ICMP) to exfiltrate data to external IPs. The NET_RAW capability is dropped (preventing raw socket creation), but standard ICMP ping does not require NET_RAW since Linux 3.x when using ICMP sockets (SOCK_DGRAM/IPPROTO_ICMP). The seccomp profile allows the socket syscall.

Recommended fix: Add explicit ICMP blocks:

iptables -A OUTPUT -p icmp -j DROP
ip6tables -A OUTPUT -p icmpv6 -j DROP  # (if IPv6 is active)
```
And in `src/host-iptables.ts`, add a corresponding host-level ICMP DROP for the container subnet.

---

### Container Security Assessment

**Strengths:**
- `no-new-privileges: true` on agent, squid, api-proxy, and cli-proxy containers. Evidence: `src/docker-manager.ts:1336,1563,1701,1772`.
- `NET_ADMIN` is never granted to the agent container — only to the short-lived `awf-iptables-init` init container. Evidence: `src/docker-manager.ts:1441–1476`.
- Seccomp profile with **default deny** (`"defaultAction": "SCMP_ACT_ERRNO"`). Evidence: `containers/agent/seccomp-profile.json:2`.
- `SYS_CHROOT` and `SYS_ADMIN` are dropped via `capsh` before user code runs when chroot mode is enabled. Evidence: `containers/agent/entrypoint.sh:351–364`.
- Docker socket is hidden by mounting `/dev/null` over `/host/var/run/docker.sock` and `/host/run/docker.sock` when DinD is not requested. Evidence: `src/docker-manager.ts:1107–1109`.
- Sensitive API tokens are unset from the environment before exec (`unset_sensitive_tokens()`). Evidence: `containers/agent/entrypoint.sh:367–395`.

**⚠️ Finding H-2 (High): `setns`, `unshare`, `open_by_handle_at`, `name_to_handle_at` syscalls allowed**

The seccomp profile's allowlist includes four syscalls that are classic container escape primitives:

```
setns:             SCMP_ACT_ALLOW   (join another namespace)
unshare:           SCMP_ACT_ALLOW   (create new namespace)
open_by_handle_at: SCMP_ACT_ALLOW   (Shocker-class exploit vector)
name_to_handle_at: SCMP_ACT_ALLOW   (Shocker companion)

Evidence: confirmed via python3 parsing of containers/agent/seccomp-profile.json.

• open_by_handle_at + name_to_handle_at: Used in the "Shocker" container escape (CVE-2014-5206/5207). These calls allow resolving file handles from the host filesystem even from within a chroot. While the no-new-privileges flag and capability drops provide layered defense, allowing these at the seccomp level increases attack surface.
• setns: Allows joining another process's namespace. If a process can write to /proc/<pid>/ns/net, it could join the host network namespace, bypassing all iptables rules. Combined with the allowed unshare syscall, a privileged-enough process could create a new mount or network namespace.
• unshare: Used in user-namespace-based escapes. Even without CAP_SYS_ADMIN, user namespaces are often allowed by default on Ubuntu 22.04 (the agent base image).

Recommended fix: Remove setns, unshare, open_by_handle_at, and name_to_handle_at from the allowlist unless a concrete runtime requirement exists. If specific tools need them (e.g., nsenter for debugging), add a comment and consider gating behind a flag.

⚠️ Finding M-1 (Medium): AppArmor set to unconfined for agent container

// src/docker-manager.ts:1338
security_opt: [
  'no-new-privileges:true',
  `seccomp=\$\{config.workDir}/seccomp-profile.json`,
  'apparmor:unconfined',   // ← no AppArmor restrictions
],

This means the agent container runs without any AppArmor MAC policy, relying solely on seccomp and capabilities. A custom AppArmor profile (even the Docker default docker-default) would provide defence-in-depth against file access patterns, /proc enumeration, and privilege escalation.

Recommended fix: Remove apparmor:unconfined and allow Docker to apply its default docker-default AppArmor profile. Only override if a specific compatibility issue is identified.

---

Domain Validation Assessment

Strengths:

• SQUID_DANGEROUS_CHARS = /[\s\0"';#]/is applied to all values injected into the Squid config. Evidence:src/domain-patterns.ts:27andsrc/squid-config.ts:64`.
• Domain names additionally reject \ (backslash). Evidence: src/domain-patterns.ts:172.
• Wildcard * patterns are converted to anchored regex ^[a-zA-Z0-9.-]*$ using a character class (not .*), preventing ReDoS. Evidence: src/domain-patterns.ts:103–130.
• --allow-urls enforces --ssl-bump mode. Evidence: src/cli.ts:1784.

⚠️ Finding M-2 (Medium): Port sanitization uses stripping instead of strict validation

// src/squid-config.ts:528
const sanitizedPort = port.replace(/[^0-9-]/g, '');
portAclsSection += `\nacl Safe_ports port \$\{sanitizedPort}`;

Port values are sanitized by stripping non-numeric characters rather than by strict integer validation. A value like "80; http_access allow all" would become "80" after sanitization — correct in this case — but relying on character stripping rather than strict parsing (parseInt + range check) is a maintenance hazard. The isValidPortSpec() function in src/host-iptables.ts:41–50 already demonstrates the correct pattern.

Recommended fix: Replace the replace() stripping with parseInt-based validation using the existing isValidPortSpec() helper.

---

Input Validation Assessment

Strengths:

• escapeShellArg() wraps multi-word args in single quotes with proper '\\'' escaping. Evidence: src/cli.ts:1049–1057.
• UID/GID validation prevents setting to 0 (root). Evidence: containers/agent/entrypoint.sh:25–35.
• Docker bridge gateway IP is validated against IPv4 regex before use in iptables. Evidence: src/host-iptables.ts:96–103.

⚠️ Finding M-3 (Medium): --allow-host-service-ports bypasses dangerous port restrictions

// src/cli.ts:779–803
// Unlike --allow-host-ports, dangerous ports are intentionally allowed
// because these ports may need to be used for local services.
```

The `--allow-host-service-ports` flag explicitly bypasses the `DANGEROUS_PORTS` blocklist, including SSH/22, PostgreSQL/5432, Redis/6379, etc. While this is intentional and documented, it represents a significant widening of the attack surface that requires no additional justification in the CLI UX. An operator who unknowingly passes `--allow-host-service-ports 22` would expose the host's SSH daemon to the agent.

**Recommended fix:** Add a prominent CLI-level warning when any dangerous port appears in `--allow-host-service-ports`. The warning at `src/cli.ts:832` exists but should also enumerate which specific dangerous ports are being opened.

---

## ⚠️ Threat Model

| # | STRIDE Category | Threat | Location | Likelihood | Impact | Severity |
|---|---|---|---|---|---|---|
| T1 | **Information Disclosure** | ICMP covert channel exfiltrates data | `setup-iptables.sh:428` | Medium | High | 🔴 High |
| T2 | **Elevation of Privilege** | `setns`/`unshare` namespace escape | `seccomp-profile.json` | Low | Critical | 🔴 High |
| T3 | **Elevation of Privilege** | `open_by_handle_at` Shocker-class file handle escape | `seccomp-profile.json` | Low | Critical | 🔴 High |
| T4 | **Elevation of Privilege** | AppArmor unconfined — no MAC policy | `docker-manager.ts:1338` | Low | High | 🟡 Medium |
| T5 | **Tampering** | Port sanitization by stripping (not validation) | `squid-config.ts:528` | Very Low | Medium | 🟡 Medium |
| T6 | **Elevation of Privilege** | `--allow-host-service-ports` opens dangerous ports silently | `cli.ts:779` | Medium | High | 🟡 Medium |
| T7 | **Information Disclosure** | DinD mode exposes Docker socket (documented) | `docker-manager.ts:1099` | Low (opt-in) | Critical | 🔵 Low |
| T8 | **Repudiation** | `seccomp` syscall itself is allowed (policy could be self-modified) | `seccomp-profile.json` | Very Low | Medium | 🔵 Low |
| T9 | **Denial of Service** | Rate-limited LOG rules could be bypassed with high-volume traffic | `setup-iptables.sh:420,429` | Low | Low | 🔵 Info |

---

## 🎯 Attack Surface Map

| Surface | Entry Point | Current Protections | Residual Risk |
|---|---|---|---|
| **Network egress (TCP/UDP)** | `setup-iptables.sh:341–430` | DNAT→Squid, default DROP, dangerous port blocklist | Low |
| **Network egress (ICMP)** | `setup-iptables.sh` | None — no ICMP DROP rule | **High** |
| **Squid domain ACL** | `squid-config.ts:60–68` | `SQUID_DANGEROUS_CHARS` validation, anchored wildcard regex | Low |
| **Container capabilities** | `docker-manager.ts:1322–1332` | CAP_NET_ADMIN never granted; SYS_CHROOT/SYS_ADMIN dropped before exec | Low |
| **Seccomp syscalls** | `seccomp-profile.json` | Default deny; 400+ allowlisted; dangerous syscalls blocked | **Medium** (`setns`/`unshare` allowed) |
| **AppArmor MAC** | `docker-manager.ts:1338` | None — `apparmor:unconfined` | Medium |
| **Host iptables** | `host-iptables.ts` | FW_WRAPPER chain with default REJECT | Low |
| **Docker socket** | `docker-manager.ts:1107` | Masked with `/dev/null` by default; only exposed with `--enable-dind` | Low (documented) |
| **CLI input (domains)** | `domain-patterns.ts:153` | Dangerous char validation + anchored regex | Low |
| **CLI input (ports)** | `squid-config.ts:528` | Strip-based sanitization (weak) | Low |
| **DNS exfiltration** | `setup-iptables.sh:391–398` | Only configured servers allowed; UDP DROP default | Low |
| **One-shot tokens** | `entrypoint.sh:367–395` | Tokens unset before exec, LD_PRELOAD single-use library | Low |
| **`/proc` access** | `entrypoint.sh:416` | Mounted `nosuid,nodev,noexec`; only container-scoped procfs | Low |

---

## 📋 Evidence Collection

<details>
<summary>Command: ICMP DROP rule absence</summary>

```
$ grep -c "icmp\|ICMP" containers/agent/setup-iptables.sh
0

No ICMP-related iptables rules exist.

Command: Seccomp dangerous syscall disposition

python3 -c "
import json
with open('containers/agent/seccomp-profile.json') as f:
    d = json.load(f)
dangerous = {'setns','unshare','open_by_handle_at','name_to_handle_at','ptrace',
             'kexec_load','init_module','pivot_root','process_vm_readv'}
for sc in d.get('syscalls',[]):
    for name in sc['names']:
        if name in dangerous:
            print(f'{name}: {sc[\"action\"]}')
"

# Output:
name_to_handle_at: SCMP_ACT_ALLOW
open_by_handle_at: SCMP_ACT_ALLOW
setns:             SCMP_ACT_ALLOW
unshare:           SCMP_ACT_ALLOW
ptrace:            SCMP_ACT_ERRNO
process_vm_readv:  SCMP_ACT_ERRNO
kexec_load:        SCMP_ACT_ERRNO
init_module:       SCMP_ACT_ERRNO
pivot_root:        SCMP_ACT_ERRNO
```

</details>

<details>
<summary>Command: AppArmor setting</summary>

```
$ grep -n "apparmor" src/docker-manager.ts
1338:      'apparmor:unconfined',
```

</details>

<details>
<summary>Command: Default deny TCP/UDP (no ICMP)</summary>

```
$ sed -n '422,432p' containers/agent/setup-iptables.sh

iptables -A OUTPUT -p tcp -m limit --limit 10/min --limit-burst 20 \
  -j LOG --log-prefix "[FW_BLOCKED_TCP] " --log-level 4 --log-uid
iptables -A OUTPUT -p tcp -j DROP
iptables -A OUTPUT -p udp -m limit --limit 10/min --limit-burst 20 \
  -j LOG --log-prefix "[FW_BLOCKED_UDP_AGENT] " --log-level 4 --log-uid
iptables -A OUTPUT -p udp -j DROP
# (no -p icmp rule)
```

</details>

<details>
<summary>Command: Port sanitization via stripping</summary>

```
$ grep -n "sanitizedPort\|replace.*0-9" src/squid-config.ts
528:  const sanitizedPort = port.replace(/[^0-9-]/g, '');
```

</details>

<details>
<summary>Command: npm audit</summary>

```
$ npm audit --json | python3 -c "import sys,json; d=json.load(sys.stdin); print('Vulns:', len(d.get('vulnerabilities',{})))"
Vulns: 0

---

✅ Recommendations

🔴 Critical / Must Fix

R1 — Block ICMP in agent container iptables
Add iptables -A OUTPUT -p icmp -j DROP to containers/agent/setup-iptables.sh after the UDP DROP rule. Also add ip6tables -A OUTPUT -p icmpv6 -j DROP when IPv6 is active. Mirror this in src/host-iptables.ts for the host-level FW_WRAPPER chain. This closes the ICMP covert-channel exfiltration path.

R2 — Remove or restrict escape-primitive syscalls from seccomp profile
In containers/agent/seccomp-profile.json, move setns, unshare, open_by_handle_at, and name_to_handle_at from SCMP_ACT_ALLOW to SCMP_ACT_ERRNO. Document any concrete tool dependency that requires them before re-adding. This eliminates the Shocker-class and namespace escape vectors at the kernel syscall layer.

🟡 High / Should Fix Soon

R3 — Remove apparmor:unconfined
In src/docker-manager.ts:1335–1338, remove the apparmor:unconfined entry. Docker will automatically apply its docker-default AppArmor profile, which blocks dangerous patterns (e.g., mounting procfs from user space, writing to /proc/sysrq-trigger). Only add an explicit AppArmor override if a documented compatibility issue arises.

R4 — Replace port sanitization stripping with strict validation
In src/squid-config.ts:528, replace port.replace(/[^0-9-]/g, '') with strict parseInt-based validation matching the isValidPortSpec() function already defined in src/host-iptables.ts:41–50. This prevents future maintainers from inadvertently weakening the sanitization.

🔵 Medium / Plan to Address

R5 — Warn on dangerous ports in --allow-host-service-ports
In src/cli.ts, enhance the applyHostServicePortsConfig() function to enumerate which specific dangerous ports (SSH/22, database ports, etc.) are being opened when --allow-host-service-ports contains them. The existing generic warning at line 832 is insufficient.

R6 — Audit mount syscall necessity in post-capability-drop context
The mount syscall is in the seccomp allowlist. After SYS_ADMIN is dropped via capsh, most mount operations should fail at the capability check layer. Verify this assumption is correct across all agent configurations (especially non-chroot mode where SYS_ADMIN is never granted) and add a comment explaining why mount remains in the allowlist.

i️ Informational

R7 — Consider adding iptables audit for ICMP once blocked
Once ICMP is blocked (R1), add a rate-limited LOG rule before the DROP to provide the same visibility that TCP/UDP blocked traffic already has via [FW_BLOCKED_TCP] / [FW_BLOCKED_UDP_AGENT] prefixes.

R8 — Consider a custom AppArmor profile (longer term)
Rather than relying solely on docker-default, a purpose-built AppArmor profile scoped to AWF's known filesystem access patterns would provide stronger MAC guarantees. This is a longer-term hardening improvement.

---

📈 Security Metrics

Metric	Value
Lines of security-critical code analysed	8,860
Files reviewed	8
Attack surfaces identified	13
STRIDE threats modelled	9
npm vulnerabilities	0
Findings requiring code changes	6 (R1–R6)
Critical (must fix)	2 (R1, R2)
Previous escape test conclusion	✅ No secrets found (noop)

Generated by Daily Security Review and Threat Modeling · ● 1.4M · ◷

• expires on Apr 19, 2026, 1:09 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir in the firewall halls.
The smoke-test agent has walked this path and left its sigil.
By moonlit logs and runes of CI, this discussion is witnessed.
✨ So it is written.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir in the firewall’s lattice.
The smoke-test seer has walked this thread and marked the run.
By proxy, by script, by build, the omens were read.
May the next invocation pass with clean signals and steady logs.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir in the firewall winds.
This smoke-test oracle has walked these halls, read the signs, and marked the run.
May the allowed domains remain clear and the blocked paths remain sealed.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir at the edge of the firewall.
The smoke test agent has passed through these halls,
and the runes record this visitation.
May the gates remain strong and the egress paths true.

🔮 The oracle has spoken through Smoke Codex