fix(sandbox): add docker-socket-proxy to restrict DinD API access (issue #337) #356
Open
manusjs wants to merge 1 commit into
…sue vxcontrol#337)

Root cause fix for the Docker socket escape described in issue vxcontrol#337.

When DOCKER_INSIDE=true, agent sandbox containers previously received the raw host /var/run/docker.sock, giving any process inside unrestricted access to the Docker daemon — enough to launch a privileged container with the host filesystem mounted and achieve a full host escape.

This PR introduces a least-privilege socket proxy layer:

docker-compose.yml — new docker-socket-proxy service
  A Tecnativa/docker-socket-proxy container (optional "dind" compose profile) that fronts the raw socket with a strict allowlist:
    ALLOW: CONTAINERS, IMAGES, NETWORKS, VOLUMES, INFO, PING, VERSION
    BLOCK: AUTH, BUILD, EXEC, SECRETS, CONFIGS, SWARM, SYSTEM, PLUGINS, …
  Agents can pull images and run sub-containers for tools, but cannot:
    - Create privileged or host-mounted containers
    - exec into the pentagi container or any sibling container
    - Read secrets, configs, or swarm tokens
    - Trigger system-level prune or shutdown operations
  The proxy socket is exposed via a named Docker volume (docker-proxy-socket) and mounted into pentagi at /var/run/docker-proxy/.

backend/pkg/config/config.go
  New DOCKER_SANDBOX_SOCKET env var. When set, pentagi binds this path (intended to be the proxy socket) into sandbox containers instead of the raw DOCKER_SOCKET.

backend/pkg/docker/client.go
  - sandboxSocket field on dockerClient; falls back to socket when not set
  - Bind-mount uses sandboxSocket instead of socket when DOCKER_INSIDE=true
  - Startup warning now mentions DOCKER_SANDBOX_SOCKET as the recommended configuration alongside DOCKER_INSIDE=false
  - Debug log includes docker_sandbox_socket field

.env.example
  - Full setup instructions for the proxy (3-step: profile + env vars)
  - DOCKER_INSIDE default corrected to false (matches config.go envDefault)
  - DOCKER_NET_ADMIN default corrected to false
  - DOCKER_SANDBOX_SOCKET added with explanation

Usage — to enable DinD with the proxy:
  docker compose --profile dind up
  DOCKER_INSIDE=true
  DOCKER_SANDBOX_SOCKET=/var/run/docker-proxy/docker.sock

To disable DinD entirely (safest):
  DOCKER_INSIDE=false (the default)
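The commit message above lists the proxy allowlist but not how to confirm that a deployed proxy actually enforces it. The script below is an added example written for this page; it is not code from the PR, from pentagi or from the docker-socket-proxy project. It has two parts: a simplified model of the proxy's section-based decision (the first path segment after the optional /vX.Y API prefix selects the env flag, and any non-GET/HEAD request additionally needs POST=1), and a live probe that sends only harmless requests (reads, plus a POST to a non-existent exec id) to a running proxy over its UNIX socket and compares the observed status with the model. Assumptions: POST=1 in the proxy (the PR does not show it, but running sub-containers requires non-GET requests), the socket path /var/run/docker-proxy/docker.sock from the PR, and the file name check_proxy.py, which is hypothetical.

```python
"""Added example: check what a docker-socket-proxy allowlist lets through.

is_allowed() is a model of the proxy's path+method decision for reasoning
about an allowlist; it is not the proxy's own HAProxy configuration.
probe_proxy() is the real check: it talks to a running proxy over the
UNIX socket that pentagi mounts into sandboxes (DOCKER_SANDBOX_SOCKET).
"""
import http.client
import re
import socket

# Allowlist as stated in the PR. POST=True is an assumption: running
# sub-containers needs non-GET requests, and the PR does not show the flag.
PENTAGI_PROXY_POLICY = {
    "CONTAINERS": True, "IMAGES": True, "NETWORKS": True, "VOLUMES": True,
    "INFO": True, "PING": True, "VERSION": True,
    "AUTH": False, "BUILD": False, "EXEC": False, "SECRETS": False,
    "CONFIGS": False, "SWARM": False, "SYSTEM": False, "PLUGINS": False,
    "POST": True,
}

# First path segment of the Docker API -> proxy env flag that gates it.
# Anything not listed here is denied (deny-by-default).
_SECTION_FLAG = {
    "containers": "CONTAINERS", "images": "IMAGES", "networks": "NETWORKS",
    "volumes": "VOLUMES", "info": "INFO", "_ping": "PING", "version": "VERSION",
    "auth": "AUTH", "build": "BUILD", "exec": "EXEC", "secrets": "SECRETS",
    "configs": "CONFIGS", "swarm": "SWARM", "system": "SYSTEM",
    "plugins": "PLUGINS", "events": "EVENTS", "nodes": "NODES",
    "services": "SERVICES", "tasks": "TASKS", "session": "SESSION",
    "distribution": "DISTRIBUTION", "commit": "COMMIT",
}
_API_PREFIX = re.compile(r"^/v[\d.]+")


def is_allowed(method: str, path: str, policy: dict) -> bool:
    """Model of the proxy decision for one request.

    Only the path and method are consulted. The proxy does not parse
    request bodies, so a permitted POST /containers/create passes
    whatever HostConfig it carries; that is a property to verify on the
    daemon side, not one the allowlist itself provides.
    """
    if method.upper() not in ("GET", "HEAD") and not policy.get("POST", False):
        return False
    bare = _API_PREFIX.sub("", path.split("?", 1)[0])
    section = bare.lstrip("/").split("/", 1)[0]
    flag = _SECTION_FLAG.get(section)
    return bool(flag and policy.get(flag, False))


class _UnixHTTPConnection(http.client.HTTPConnection):
    """HTTP over a UNIX domain socket, the transport the Docker API uses."""

    def __init__(self, socket_path: str):
        super().__init__("localhost")
        self._socket_path = socket_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self._socket_path)


# Harmless probes only: reads and a POST to an exec id that cannot exist.
# A proxy deny is a 403; any other status means the request reached dockerd.
PROBES = [
    ("GET", "/version"),
    ("GET", "/_ping"),
    ("GET", "/containers/json"),
    ("GET", "/secrets"),
    ("GET", "/swarm"),
    ("POST", "/exec/000000000000/start"),
    ("POST", "/build"),
]


def probe_proxy(socket_path: str, policy: dict = PENTAGI_PROXY_POLICY) -> list:
    """Return [(method, path, expected_allowed, observed_allowed, status)]."""
    results = []
    for method, path in PROBES:
        conn = _UnixHTTPConnection(socket_path)
        try:
            body = b"{}" if method == "POST" else None
            conn.request(method, path, body=body,
                         headers={"Content-Type": "application/json"})
            status = conn.getresponse().status
        finally:
            conn.close()
        results.append((method, path, is_allowed(method, path, policy),
                        status != 403, status))
    return results


if __name__ == "__main__":
    import sys
    sock = sys.argv[1] if len(sys.argv) > 1 else "/var/run/docker-proxy/docker.sock"
    mismatches = 0
    for method, path, expected, observed, status in probe_proxy(sock):
        mismatches += expected != observed
        mark = "ok      " if expected == observed else "MISMATCH"
        want = "allow" if expected else "deny"
        print(f"{mark} {method:4} {path:28} expected={want} status={status}")
    sys.exit(1 if mismatches else 0)
```

Run it from inside a container that has the proxy volume mounted (for pentagi, `python3 check_proxy.py /var/run/docker-proxy/docker.sock`); a non-zero exit means the live proxy disagrees with the allowlist you believe is configured. The deny-by-default in the model covers the trailing "…" in the PR's BLOCK list: any API section without an explicit allow flag is treated as denied. The probe deliberately never creates or starts anything, so it is safe to run against a production proxy.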
Root cause fix for #337. When DOCKER_INSIDE=true, sandbox containers received the raw host /var/run/docker.sock, allowing full host escape. This fronts the socket with Tecnativa/docker-socket-proxy — an allowlist proxy that permits only what agents need for DinD while blocking privileged container creation, exec into siblings, secrets, and system ops. Complements PR #355.