
feat: add no-new-privileges and ptrace syscall blocking#139

Merged
Mossaka merged 2 commits into main from copilot/add-seccomp-apparmor-hardening
Jan 7, 2026
Conversation

Contributor

Copilot AI commented Dec 19, 2025

AWF uses Docker's default seccomp profile with no custom syscall restrictions for process inspection. Combined with NET_ADMIN capability, this allows dangerous syscalls like ptrace and process_vm_readv/process_vm_writev to be available to code running in the container.

Changes

  • seccomp-profile.json: Added ptrace, process_vm_readv, process_vm_writev to blocked syscalls
  • docker-manager.ts: Added no-new-privileges:true to security_opt to prevent privilege escalation via setuid binaries
  • docker-manager.test.ts: Updated hardening test to verify no-new-privileges:true

Defense-in-depth

The SYS_PTRACE capability was already dropped, but seccomp provides an additional layer:

{
  "names": ["ptrace", "process_vm_readv", "process_vm_writev"],
  "action": "SCMP_ACT_ERRNO",
  "errnoRet": 1,
  "comment": "Block process inspection/modification"
}
security_opt: [
  'no-new-privileges:true',
  `seccomp=${config.workDir}/seccomp-profile.json`,
],
Original prompt

This section details the original issue you should resolve

<issue_title>[Security] Missing Seccomp/AppArmor hardening - default syscall restrictions only</issue_title>
<issue_description>## Priority
P1 - Medium-High

Summary

AWF uses Docker's default seccomp profile with no custom syscall restrictions. Combined with the NET_ADMIN capability, this creates an unnecessarily large attack surface. Dangerous syscalls like ptrace are available to code running in the container.

Current Behavior

The agent container runs with:

  • Default Docker seccomp profile (allows ~300 syscalls)
  • NET_ADMIN capability (required for iptables)
  • No AppArmor profile
// src/docker-manager.ts:305-310
cap_add: ['NET_ADMIN'],
// No seccomp or AppArmor configuration

Security Impact

Code running in the container can:

  • Use ptrace to inspect/modify other processes
  • Use process_vm_readv/process_vm_writev for memory access
  • Load kernel modules (if root)
  • Potentially escape container via unpatched vulnerabilities

Proposed Solution

Add Custom Seccomp Profile

Create containers/agent/seccomp.json:

{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {
      "names": ["ptrace", "process_vm_readv", "process_vm_writev"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1,
      "comment": "Block process inspection/modification"
    },
    {
      "names": ["init_module", "finit_module", "delete_module"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1,
      "comment": "Block kernel module operations"
    },
    {
      "names": ["kexec_load", "kexec_file_load"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1,
      "comment": "Block kernel replacement"
    },
    {
      "names": ["reboot"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1,
      "comment": "Block system reboot"
    },
    {
      "names": ["swapon", "swapoff"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1,
      "comment": "Block swap manipulation"
    }
  ]
}

Integrate in Docker Manager

// src/docker-manager.ts
security_opt: [
  'no-new-privileges:true',
  'seccomp=/path/to/seccomp.json'
],

Implementation Steps

  1. Create containers/agent/seccomp.json with restricted syscalls
  2. Modify src/docker-manager.ts to apply seccomp profile
  3. Add no-new-privileges to prevent privilege escalation
  4. Test that iptables setup still works (needs specific syscalls)
  5. Test that common tools (curl, git, node, npm) still work

Files to Create/Modify

  • New: containers/agent/seccomp.json - Custom seccomp profile
  • Modify: src/docker-manager.ts:305-310 - Add security options
  • New: Tests for seccomp restrictions

Testing

  • Verify ptrace is blocked: strace ls should fail
  • Verify iptables still works for setup
  • Verify curl, git, node, npm work normally
  • Verify no regression in existing functionality

Related

  • NET_ADMIN capability issue (separate concern, should be addressed together)</issue_description>


Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
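As an added example (not code from this PR or the AWF project), here is the kind of check the hardening test described above could grow into: it takes a seccomp profile and a security_opt array, both constructed inline here, and reports whether the syscalls this PR blocks are denied with SCMP_ACT_ERRNO, whether a later rule conflicts with that denial, and whether no-new-privileges:true and a seccomp= entry are present. The function name checkHardening and the profile path are assumptions.

```typescript
// Added example: validate the seccomp profile and security_opt hardening.
// Profile shape follows Docker's seccomp JSON (defaultAction + syscalls).
type SeccompRule = { names: string[]; action: string; errnoRet?: number; comment?: string };
type SeccompProfile = { defaultAction: string; syscalls: SeccompRule[] };

// Syscalls the PR requires to be denied via SCMP_ACT_ERRNO.
const REQUIRED_BLOCKED = ["ptrace", "process_vm_readv", "process_vm_writev"];

// Returns a list of violations; an empty list means the configuration is compliant.
function checkHardening(profile: SeccompProfile, securityOpt: string[]): string[] {
  const problems: string[] = [];

  // Collect every action that applies to each syscall name so that a second
  // rule re-allowing a blocked syscall is reported instead of silently winning.
  const actions = new Map<string, Set<string>>();
  for (const rule of profile.syscalls) {
    for (const name of rule.names) {
      if (!actions.has(name)) actions.set(name, new Set());
      actions.get(name)!.add(rule.action);
    }
  }

  for (const name of REQUIRED_BLOCKED) {
    const acts = actions.get(name);
    if (!acts || !acts.has("SCMP_ACT_ERRNO")) {
      problems.push(`${name} is not blocked with SCMP_ACT_ERRNO`);
    } else if (acts.size > 1) {
      problems.push(`${name} has conflicting actions: ${[...acts].join(",")}`);
    }
  }

  // The container-level options the PR adds alongside the profile.
  if (!securityOpt.includes("no-new-privileges:true")) {
    problems.push("security_opt lacks no-new-privileges:true");
  }
  if (!securityOpt.some((opt) => opt.startsWith("seccomp="))) {
    problems.push("security_opt does not reference a seccomp profile");
  }
  return problems;
}

// Constructed sample mirroring the rule this PR adds to seccomp-profile.json.
const sampleProfile: SeccompProfile = {
  defaultAction: "SCMP_ACT_ALLOW",
  syscalls: [
    { names: ["ptrace", "process_vm_readv", "process_vm_writev"], action: "SCMP_ACT_ERRNO", errnoRet: 1 },
  ],
};
// Assumed profile path; the real value comes from config.workDir.
const sampleOpts = ["no-new-privileges:true", "seccomp=/work/seccomp-profile.json"];

console.log(checkHardening(sampleProfile, sampleOpts));
```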
Copilot AI changed the title [WIP] Add Seccomp and AppArmor hardening for agent container feat(security): add no-new-privileges and ptrace syscall blocking Dec 19, 2025
Copilot AI requested a review from Mossaka December 19, 2025 09:03
@Mossaka Mossaka added the smoke label Dec 19, 2025
@github-actions

💥 WHOOSH! Smoke Claude springs into action on this pull request! [Panel 1 begins...]

@github-actions

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@Mossaka Mossaka marked this pull request as ready for review December 19, 2025 17:52
@github-actions

Smoke Test Results (Run #20378117886)

Last 2 Merged PRs:

Test Results:

  • ✅ GitHub MCP: Retrieved 2 merged PRs
  • ✅ File Writing: Created /tmp/gh-aw/agent/smoke-test-copilot-20378117886.txt
  • ✅ Bash Tool: Verified file content

Status: PASS

📰 BREAKING: Report filed by Smoke Copilot fer issue #139 🗺️

@github-actions

Smoke Test Results

Last 2 merged PRs:

✅ GitHub MCP - PASS
✅ File writing - PASS
✅ Bash tool - PASS
❌ Playwright MCP - FAIL (tunnel connection errors)

Status: FAIL

💥 [THE END] — Illustrated by Smoke Claude fer issue #139 🗺️

@github-actions

Test Coverage Report

Metric       Coverage   Covered/Total
Lines        66.1%      708/1071
Statements   66.27%     729/1100
Functions    70.73%     87/123
Branches     60.89%     232/381

Coverage Thresholds

The project has the following coverage thresholds configured:

  • Lines: 38%
  • Statements: 38%
  • Functions: 35%
  • Branches: 30%

Coverage report generated by `npm run test:coverage`

@Mossaka Mossaka changed the title feat(security): add no-new-privileges and ptrace syscall blocking feat: add no-new-privileges and ptrace syscall blocking Jan 5, 2026
@Mossaka Mossaka requested a review from Copilot January 6, 2026 00:49

Copilot AI left a comment

Pull request overview

This PR enhances container security by adding the no-new-privileges security option and blocking dangerous process inspection syscalls (ptrace, process_vm_readv, process_vm_writev) through the seccomp profile. This implements a defense-in-depth approach where capabilities (SYS_PTRACE) were already dropped, and now seccomp provides an additional layer of protection against process inspection and privilege escalation attacks.

Key Changes:

  • Added no-new-privileges:true to prevent privilege escalation via setuid binaries
  • Blocked ptrace, process_vm_readv, and process_vm_writev syscalls in the seccomp profile
  • Updated tests to verify the new no-new-privileges security option

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File                                   Description
containers/agent/seccomp-profile.json  Added new syscall blocking rule for ptrace and process memory access syscalls
src/docker-manager.ts                  Added no-new-privileges:true to security_opt array and updated comment to reflect both security mechanisms
src/docker-manager.test.ts             Added test assertion to verify no-new-privileges is enabled in the security configuration


@Mossaka Mossaka merged commit 7fe0a36 into main Jan 7, 2026
32 of 36 checks passed
@Mossaka Mossaka deleted the copilot/add-seccomp-apparmor-hardening branch January 7, 2026 23:46
Development

Successfully merging this pull request may close these issues.

[Security] Missing Seccomp/AppArmor hardening - default syscall restrictions only