Copilot AI commented Jan 15, 2026

Documents the threat model evolution after removing Docker-in-Docker support in PR #205, showing how architectural simplification strengthened security posture.

Changes

  • docs/threat-model.md (new): Comprehensive threat analysis covering:

    • Pre-PR #205 (feat: remove Docker-in-Docker support): Docker wrapper approach (4 defense layers, 500+ lines of security code)
    • Post-PR #205 (feat: remove Docker-in-Docker support): Simplified architecture (3 defense layers, no Docker socket)
    • Attack surface comparison: 100% reduction in wrapper code, eliminated container escape vectors
    • Remaining risks: DNS tunneling via trusted servers (low), localhost access (by design), filesystem access (out of scope)
    • Defense primitives: host iptables (DOCKER-USER chain), container NAT rules, Squid ACL, capability dropping (capsh --drop=cap_net_admin), seccomp profile
  • Cross-references: Added links from security-architecture.md and README.md to detailed threat model

  • Fixed outdated reference: Removed "Docker-in-Docker capabilities" from docs-site/index.md (no longer supported)

Key Security Properties

| Before | After |
|---|---|
| Docker socket mounted + wrapper script | No Docker socket, no docker CLI |
| 500+ lines security-critical code | Standard Linux primitives only |
| Wrapper bypasses possible | Attack vector eliminated |

Defense through simplification: fewer layers means fewer opportunities for misconfiguration or bugs.

Original prompt

Update threat modeling documentation for post-PR #205 architecture

Task Description

Update the threat modeling documentation to reflect the simplified security model after Docker-in-Docker removal in PR #205.

Requirements

Update or create threat modeling documentation file (e.g., docs/threat-model.md or docs/security.md) with the following sections:

Content to Include

Pre-PR #205 Threat Model (Historical Context)

Attack Chain:

  1. Attacker gains execution inside agent container
  2. Attempts to escape via Docker socket
  3. docker-wrapper blocks dangerous flags (--privileged, --network host, --add-host)
  4. If wrapper bypassed → spawned container still on awf-net → Squid blocks unauthorized domains

Defense Layers:

  • Docker wrapper script (100 lines of security-critical code)
  • Docker socket permission controls
  • Network injection for spawned containers
  • Squid proxy domain filtering

Post-PR #205 Threat Model (Current)

Attack Chain:

  1. Attacker gains execution inside agent container
  2. Attempts to escape via Docker socket → FAILS (no docker-cli, socket not mounted)
  3. Attempts to modify iptables → FAILS (NET_ADMIN capability dropped via capsh)
  4. Attempts DNS exfiltration to unauthorized servers → BLOCKED (host-level iptables)
  5. Attempts HTTP/HTTPS exfiltration → BLOCKED (Squid ACL)

Defense Layers (Simplified):

  • Host-level iptables (DOCKER-USER chain with FW_WRAPPER)
  • Container-level NAT rules (setup-iptables.sh)
  • Squid proxy L7 domain filtering
  • Capability dropping (NET_ADMIN removed before command execution)
  • Seccomp profile (blocks ptrace, kexec, mount syscalls)
  • No-new-privileges flag

Security Improvements

Attack Surface Reduction:

  • ✅ Removed 500+ lines of security-critical code (docker-wrapper.sh + tests + integration)
  • ✅ Eliminated Docker socket attack vector entirely
  • ✅ Simpler threat model → easier to audit and maintain
  • ✅ Fewer escape vectors (no --privileged, --network host, --add-host attacks possible)

Remaining Attack Vectors:

| Attack Vector | Mitigation |
|---|---|
| iptables rule bypass | Requires NET_ADMIN (dropped by capsh before execution) |
| DNS exfiltration to unauthorized servers | Blocked by host-level iptables (only trusted DNS allowed) |
| Proxy pivot (connect to wrong proxy) | NAT rules force all traffic to Squid at 172.30.0.10 |
| Localhost service exploitation | Allowed by design (required for stdio MCP servers) |
| Filesystem-based exfiltration | Out of scope (firewall provides network control only) |

Conclusion

The post-PR #205 threat model is simpler and more robust:

  • Fewer layers means fewer opportunities for bypass due to misconfiguration or wrapper bugs
  • Removed Docker socket eliminates entire class of container escape attacks
  • Defense through simplification: less code = fewer bugs = stronger security posture

File Location

Suggest placing in: docs/security/threat-model.md or docs/threat-model.md

References

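Two of the post-PR #205 defense layers above (the `capsh --drop=cap_net_admin` step and the seccomp profile blocking ptrace, kexec and mount) are only as good as their verification. The following audit helpers are an added example, not code from this PR or the project: they read a constructed `/proc/<pid>/status` text to confirm CAP_NET_ADMIN is really gone from the effective set, and check a Docker/OCI-style seccomp profile for required syscalls that remain reachable. The capability bit numbers come from the Linux capability header; the sample masks, the `kexec_load`/`kexec_file_load` spelling of "kexec", and the profile are constructed.

```python
import json

# Linux capability bit numbers (include/uapi/linux/capability.h).
CAP_NET_ADMIN = 12
CAP_NET_RAW = 13

# Syscalls the threat model says the seccomp profile blocks ("ptrace, kexec,
# mount"); "kexec" is assumed to mean both kexec entry points.
REQUIRED_BLOCKED = {"ptrace", "kexec_load", "kexec_file_load", "mount"}


def effective_caps(status_text: str) -> int:
    """Parse the CapEff hex bitmask out of the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def has_cap(status_text: str, cap: int) -> bool:
    """True if capability bit `cap` is set in the process's effective set."""
    return bool(effective_caps(status_text) >> cap & 1)


def unblocked_syscalls(profile: dict, required=REQUIRED_BLOCKED) -> set:
    """Return the required syscalls a seccomp profile still leaves reachable.

    Any SCMP_ACT_ALLOW rule naming a syscall counts as reachable (argument
    filters are ignored, so this errs toward flagging); with defaultAction
    ALLOW, every required syscall not named by a deny rule is reachable too.
    """
    allowed, denied = set(), set()
    for rule in profile.get("syscalls", []):
        target = allowed if rule.get("action") == "SCMP_ACT_ALLOW" else denied
        target.update(rule.get("names", []))
    reachable = set(allowed)
    if profile.get("defaultAction") == "SCMP_ACT_ALLOW":
        reachable |= set(required) - denied
    return set(required) & reachable


# Constructed samples: a80425fb is Docker's default capability mask; adding
# 0x1000 (bit 12) models a container started with --cap-add NET_ADMIN.
STATUS_WITH_NET_ADMIN = "Name:\tsh\nCapPrm:\t00000000a80435fb\nCapEff:\t00000000a80435fb\n"
STATUS_AFTER_CAPSH_DROP = "Name:\tsh\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"

# Constructed allow-list profile that mistakenly keeps ptrace reachable.
LEAKY_PROFILE = json.loads('{"defaultAction": "SCMP_ACT_ERRNO", "syscalls": '
                          '[{"names": ["read", "write", "openat", "ptrace"], "action": "SCMP_ACT_ALLOW"}]}')

if __name__ == "__main__":
    print("NET_ADMIN before drop:", has_cap(STATUS_WITH_NET_ADMIN, CAP_NET_ADMIN))   # True
    print("NET_ADMIN after drop:", has_cap(STATUS_AFTER_CAPSH_DROP, CAP_NET_ADMIN))   # False
    print("still reachable:", unblocked_syscalls(LEAKY_PROFILE))                       # {'ptrace'}
```

Run the same helpers against the real `/proc/self/status` of the command launched by `capsh` and against the profile file the container is started with to turn the two "FAILS" steps in the attack chain into a repeatable check.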

Copilot AI and others added 2 commits January 15, 2026 23:39
Copilot AI changed the title from "[WIP] Update threat modeling documentation for post-PR #205 architecture" to "docs: add threat model for post-PR #205 simplified architecture" on Jan 15, 2026
Copilot AI requested a review from Mossaka January 15, 2026 23:43
@Mossaka Mossaka marked this pull request as ready for review January 15, 2026 23:47
@Mossaka Mossaka closed this Jan 15, 2026