[Security Review] Daily Security Review — AWF Firewall (2026-04-10)

[github-actions[bot]]

📊 Executive Summary

Reviewed 8,089 lines of security-critical code across network, container, domain validation, and input-handling subsystems. The AWF firewall implements a strong defense-in-depth posture: default-deny iptables, seccomp allowlist, capability separation, selective bind mounts, and Squid ACL enforcement. No critical vulnerabilities were found. Three medium and two low-severity observations are documented below.

Area	Status
Network egress filtering (iptables + Squid)	✅ Strong
Container capability isolation	✅ Strong
Seccomp syscall filtering	✅ Strong
Domain/URL input validation	✅ Strong
Credential isolation (api-proxy mode)	✅ Strong
--env/--env-all boundary	⚠️ Medium — see F-02
OIDC token passthrough	⚠️ Medium — see F-03
/tmp host mount (rw)	⚠️ Medium — see F-04
client_lifetime 8 hours (Squid)	🔵 Low — see F-05
Seccomp explicit-block redundancy	🔵 Low — see F-06

---

🔍 Findings from Firewall Escape Test

The file /tmp/gh-aw/escape-test-summary.txt contains CI conclusion logs from a "Secret Digger (Copilot)" workflow run (run ID 24211490707), not firewall escape test results. The workflow reported:

• GH_AW_AGENT_CONCLUSION: success
• GH_AW_SECRET_VERIFICATION_RESULT: success
• "Agent succeeded but produced no safe outputs" → automated failure issue [aw] Secret Digger (Copilot) failed #1853 was created

This indicates the Secret Digger agent completed its scan but failed to emit required safeoutputs signals. No active firewall escape was detected or reported. The absence of escape findings is consistent with the network-layer controls examined below.

---

🛡️ Architecture Security Analysis

Network Security Assessment

Evidence gathered:

containers/agent/setup-iptables.sh
src/squid-config.ts
src/host-iptables.ts
```

**Strengths:**
- **IPv6 disabled in container namespace** (`sysctl net.ipv6.conf.all.disable_ipv6=1`) on startup, preventing IPv6 bypass of IPv4-only DNAT rules (`setup-iptables.sh:37-46`)
- **Default-deny iptables**: Final rules `iptables -A OUTPUT -p tcp -j DROP` and `-p udp -j DROP` ensure all non-explicitly-allowed traffic is blocked (`setup-iptables.sh:~454-462`)
- **DNAT redirection**: All TCP port 80 and 443 traffic is forced through Squid (`setup-iptables.sh:341-342`), even from proxy-unaware tools
- **IP literal blocking**: Squid rejects CONNECT to raw IPv4/IPv6 addresses via `dstdom_regex` ACLs (`squid-config.ts:591-594`), preventing domain filter bypass via direct IP
- **DNS exfiltration prevention**: UDP/TCP port 53 only allowed to configured DNS servers; all other UDP is dropped (`setup-iptables.sh:391-398`)
- **Client IP stripping**: `forwarded_for delete` and `via off` in Squid prevent origin IP disclosure to upstream servers (`squid-config.ts:614-615`)

**No weaknesses found in this area.**

---

### Container Security Assessment

**Evidence gathered:**
```
src/docker-manager.ts (lines 515-522, 1315-1321)
containers/agent/entrypoint.sh (lines 351-376, 731-876)
containers/agent/seccomp-profile.json
```

**Strengths:**
- **NET_ADMIN never granted to agent** — only the ephemeral `awf-iptables-init` container receives `NET_ADMIN, NET_RAW`, both dropped after its single run (`docker-manager.test.ts:1193-1201`)
- **SYS_CHROOT and SYS_ADMIN dropped** before user code runs via `capsh --drop=` in `entrypoint.sh:809`
- **`no-new-privileges:true`** applied to all containers (`docker-manager.ts:1320, 1546, 1668, 1739`)
- **Seccomp profile**: `defaultAction: SCMP_ACT_ERRNO` (deny-all) with only two explicit allowlists. Explicitly blocks `ptrace`, `process_vm_readv/writev` (memory inspection), `kexec_load/file_load` (kernel replacement), `reboot`, kernel module operations, and `umount/umount2`
- **Selective bind mounts**: No blanket `/:/host` mount. System paths mounted read-only; workspace and `/tmp` read-write; empty home volume with only whitelisted subdirs; explicit exclusion of `/etc/shadow` and unwhitelisted `$HOME` subdirs
- **Root uid/gid (0) rejected** in `entrypoint.sh:27-35` — prevents UID/GID spoofing to root
- **UID/GID numeric validation** — non-numeric values rejected with error exit (`entrypoint.sh:13-22`)

---

### Domain Validation Assessment

**Evidence gathered:**
```
src/domain-patterns.ts (lines 18-27, 97-145, 153-182)
src/squid-config.ts (lines 61-78, 172)
```

**Strengths:**
- **`SQUID_DANGEROUS_CHARS` regex** rejects whitespace, null bytes, `"'` `;` backtick, `#` — all characters that could inject Squid directives or split ACL tokens (`domain-patterns.ts:27`)
- **Backslash rejected in domain names** (but allowed in `--allow-urls` regex patterns where it serves legitimate escaping — `domain-patterns.ts:23-25`)
- **Wildcard conversion** uses character-class `[a-zA-Z0-9.-]*` instead of `.*` to prevent ReDoS (`domain-patterns.ts:109, 132`)
- **`assertSafeForSquidConfig()`** applied at config generation time as defense-in-depth, even for values already validated at CLI parse time (`squid-config.ts:63-70`)
- **Double validation**: domains validated at CLI parse (`cli.ts:1734-1735`) AND at config write time

---

### Input Validation Assessment

**Evidence gathered:**
```
src/cli.ts (lines 983-1001, 1498-1522)
src/docker-manager.ts (lines 574-800)
```

**Strengths:**
- `escapeShellArg()` uses single-quote wrapping with correct `'\\''` escape for embedded single quotes (`cli.ts:989-994`)
- Port validation (`isValidPortSpec()`) accepts only `1-65535` integers or ranges, rejecting injection strings
- Memory limit, DNS server, and UID/GID inputs all have explicit format validation

---

## ⚠️ Threat Model (STRIDE)

| ID | Category | Threat | Likelihood | Impact | Mitigated By |
|---|---|---|---|---|---|
| T-01 | Spoofing | Agent impersonates another container on `awf-net` | Low | Medium | Fixed subnet IPs (`.10`, `.20`, `.30`); no container-to-container trust beyond Squid |
| T-02 | Tampering | Modify Squid config at runtime | Low | High | Config injected via base64 env var at startup; no file bind mount; container immutable after start |
| T-03 | Repudiation | Agent denies network access attempts | Low | Low | iptables LOG rules `[FW_BLOCKED_TCP]`, `[FW_BLOCKED_UDP_AGENT]`, `[FW_BLOCKED_DANGEROUS_PORT]`; Squid access.log preserved |
| T-04 | Info Disclosure | Credential exfiltration via allowed domain | Medium | Critical | API proxy holds keys (credential isolation); one-shot token model; `EXCLUDED_ENV_VARS` |
| T-05 | Info Disclosure | DNS exfiltration via TXT/CNAME records | Low | Medium | DNS restricted to configured servers only; all other UDP dropped |
| T-06 | Info Disclosure | Host credential file access via bind mount | Low | High | Selective mounts; `/etc/shadow` excluded; home whitelisted to specific subdirs |
| T-07 | DoS | Agent floods Squid proxy (resource exhaustion) | Low | Low | Docker resource limits; Squid rate limiting on LOG rules (5-10/min) |
| T-08 | EoP | Agent uses ptrace to inspect another process | Low | High | Seccomp blocks `ptrace`, `process_vm_readv/writev` |
| T-09 | EoP | Agent regains dropped capabilities via setuid binary | Low | High | `no-new-privileges:true`; SYS_CHROOT/SYS_ADMIN explicitly dropped |
| T-10 | EoP | Agent escapes chroot via kernel module load | Low | Critical | Seccomp blocks `init_module`, `finit_module`, `delete_module` |
| T-11 | Tampering | Squid config injection via malicious domain in `--allow-domains` | Low | High | Multi-layer validation: `validateDomainOrPattern()` + `assertSafeForSquidConfig()` |

---

## 🎯 Attack Surface Map

| Surface | Entry Point | Current Protections | Risk |
|---|---|---|---|
| **CLI domain input** | `src/cli.ts:1734` | `SQUID_DANGEROUS_CHARS`, `validateDomainOrPattern()` | 🟢 Low |
| **URL regex input** | `src/squid-config.ts:172` | `assertSafeForSquidConfig()` (backslash allowed) | 🟡 Medium — backslash permitted |
| **Shell command arg** | `src/cli.ts:983-1001` | `escapeShellArg()` single-quote wrapping | 🟢 Low |
| **Squid proxy (HTTP)** | `172.30.0.10:3128` | Domain ACL; IP literal block; default deny | 🟢 Low |
| **Squid proxy (HTTPS)** | `172.30.0.10:3128` | CONNECT method; no SSL inspection by default | 🟡 Medium — SNI-only, no URL inspection |
| **iptables DNAT** | `setup-iptables.sh:341-342` | Redirect all 80/443 to Squid; loopback/self exemptions | 🟢 Low |
| **Agent bind mounts** | `src/docker-manager.ts:891-1000` | Selective paths; system binaries read-only | 🟡 Medium — `/tmp` rw shared with host |
| **Environment passthrough** | `src/docker-manager.ts:726-800` | `EXCLUDED_ENV_VARS`; credential isolation | 🟡 Medium — `--env` bypasses exclusions |
| **OIDC token** | `src/docker-manager.ts:759-760` | None — always passed when set | 🟡 Medium — see F-03 |
| **API proxy sidecar** | `172.30.0.30:10000-10002,10004` | Optional; credential injection; `no-new-privileges` | 🟢 Low |
| **Host iptables** | `src/host-iptables.ts` | `FW_WRAPPER` chain; subnet restriction | 🟢 Low |

---

## 📋 Evidence Collection

<details>
<summary>Key evidence: seccomp profile defaultAction</summary>

```
File: containers/agent/seccomp-profile.json
defaultAction: SCMP_ACT_ERRNO   (deny-all default)
Blocked groups: ptrace/process_vm_readv/writev | kexec/reboot/kernel-modules | umount
Non-blocking groups count: 2 (explicit allow)
```
</details>

<details>
<summary>Key evidence: capability model</summary>

```
iptables-init container: cap_add=[NET_ADMIN, NET_RAW], cap_drop=[ALL]
Agent container:         cap_add=[SYS_CHROOT, SYS_ADMIN], cap_drop=[NET_RAW, ...]
                         (SYS_CHROOT + SYS_ADMIN dropped via capsh before user code)
All containers:          security_opt=[no-new-privileges:true, seccomp=...]

Key evidence: domain injection prevention

// src/domain-patterns.ts:27
export const SQUID_DANGEROUS_CHARS = /[\s\0"'`;#]/;

// src/squid-config.ts:63-70
function assertSafeForSquidConfig(value: string): string {
  if (SQUID_DANGEROUS_CHARS.test(value)) {
    throw new Error(`SECURITY: Domain or pattern contains characters unsafe for Squid config...`);
  }
  return value;
}

Key evidence: iptables default-deny

# setup-iptables.sh:~454-462
iptables -A OUTPUT -p tcp -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "[FW_BLOCKED_TCP] " --log-level 4 --log-uid
iptables -A OUTPUT -p tcp -j DROP
iptables -A OUTPUT -p udp -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "[FW_BLOCKED_UDP_AGENT] " --log-level 4 --log-uid
iptables -A OUTPUT -p udp -j DROP

Key evidence: --env flag bypasses EXCLUDED_ENV_VARS

// src/docker-manager.ts:798-799
if (config.additionalEnv) {
  Object.assign(environment, config.additionalEnv);  // No exclusion check
}

---

✅ Recommendations

🔴 Critical

None identified.

---

🟠 High

None identified.

---

🟡 Medium

F-02 — --env flag bypasses credential exclusion list

• Location: src/docker-manager.ts:798-799
• Issue: Object.assign(environment, config.additionalEnv) applies after exclusion checks, meaning --env ANTHROPIC_API_KEY=real-key will inject the key even when --enable-api-proxy is active and the key is supposed to be isolated.
• Recommendation: Apply EXCLUDED_ENV_VARS filtering to additionalEnv entries, or document explicitly that --env intentionally overrides credential isolation (operator responsibility). If the latter, add a logged warning when an excluded key name is used with --env while api-proxy is active.

F-03 — OIDC token unconditionally passed to agent

• Location: src/docker-manager.ts:759-760
• Issue: ACTIONS_ID_TOKEN_REQUEST_TOKEN and ACTIONS_ID_TOKEN_REQUEST_URL are always forwarded when set in the host environment, including when --enable-api-proxy is active. An agent with network access and an OIDC token can request GitHub-signed JWTs claiming the workflow's identity for external service authentication.
• Recommendation: Evaluate whether the OIDC passthrough should be opt-in (e.g., a dedicated --enable-oidc flag) rather than opt-out, or add to EXCLUDED_ENV_VARS by default and only include when explicitly requested.

F-04 — /tmp host directory mounted read-write

• Location: src/docker-manager.ts:936 → agentVolumes.push('/tmp:/host/tmp:rw')
• Issue: The full host /tmp is bind-mounted writable into the chroot. AWF uses /tmp/awf-* work directories (config files, seccomp profiles, docker-compose.yml with secrets). An agent running in chroot mode can read and potentially overwrite these paths at /host/tmp/awf-*/.
• Recommendation: Consider using a more targeted mount (e.g., mount only a subdirectory /tmp/awf-agent-<run>/ rather than all of /tmp), or place the workDir outside /tmp in a directory not bind-mounted into the agent.

---

🔵 Low

F-05 — Squid client_lifetime 8 hours

• Location: src/squid-config.ts:643
• Issue: Very long-lived connections could persist after an AWF session conceptually ends (if the container isn't fully stopped). In practice, docker compose down -v tears everything down, so this only matters if cleanup fails.
• Recommendation: This is acceptable for long AI inference sessions. No change required; document as an intentional trade-off.

F-06 — Seccomp explicit SCMP_ACT_ERRNO groups are redundant

• Location: containers/agent/seccomp-profile.json
• Issue: Three groups explicitly set SCMP_ACT_ERRNO even though defaultAction: SCMP_ACT_ERRNO already applies to all unlisted syscalls. This is harmless defensive redundancy.
• Recommendation: No change needed; retain as belt-and-suspenders for clarity on most dangerous syscalls.

---

📈 Security Metrics

Metric	Value
Security-critical lines analyzed	8,089
Attack surfaces enumerated	11
STRIDE threats modeled	11
Critical findings	0
High findings	0
Medium findings	3
Low findings	2
Seccomp syscall groups blocked	3 explicit + all-others-by-default
Capability grants to agent	2 (SYS_CHROOT, SYS_ADMIN — both dropped pre-exec)
Container privilege mode	None (no privileged: true found)

---

🔗 CIS Docker Benchmark / NIST SP 800-190 Gaps

Guideline	Status	Notes
CIS 5.3: Do not use --privileged	✅ Pass	No privileged containers
CIS 5.6: Add only needed capabilities	✅ Pass	Explicit cap_add/cap_drop per container
CIS 5.21: Do not expose Docker socket	✅ Pass	No socket bind mount found
CIS 5.25: No sensitive host mounts	⚠️ Partial	/tmp mounted rw (F-04); /dev mounted ro
NIST SP 800-190 §4.3.1: Network segmentation	✅ Pass	Dedicated awf-net subnet; Squid as sole egress
NIST SP 800-190 §4.3.2: Egress filtering	✅ Pass	Domain allowlist + iptables default deny
Principle of Least Privilege	✅ Pass	Capabilities dropped; non-root user enforced

Generated by Daily Security Review and Threat Modeling · ● 1.6M · ◷

• expires on Apr 17, 2026, 1:12 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-04-17T13:12:59.994Z.

Closed by Workflow