
Conversation


Copilot AI commented Jan 22, 2026

The security architecture doc did not call out that the agent container drops CAP_NET_ADMIN after iptables setup, leaving the firewall rules immutable even if code escalates. This updates the NAT-table section to include that hardening detail.

  • Security architecture update: add explicit mention of dropping CAP_NET_ADMIN after iptables rule setup to prevent rule tampering.
**Container iptables (NAT table)** — ... After rule setup, the container drops `CAP_NET_ADMIN` capability, preventing malicious code from modifying firewall rules.
Original prompt

Expand lines 95-96 in security-architecture.md to include the privilege drop:

Container iptables (NAT table) — Inside the agent container, NAT rules intercept outbound HTTP (port 80) and HTTPS (port 443) traffic, rewriting the
destination to Squid at 172.30.0.10:3128. This handles traffic from the agent process itself and any child processes (including stdio MCP servers).

The agent container uses a two-stage entrypoint for secure initialization:

  1. Stage 1 (setup-iptables.sh): Runs as root with NET_ADMIN capability to configure iptables NAT rules
  2. Stage 2 (entrypoint.sh): Permanently drops NET_ADMIN using capsh --drop=cap_net_admin, then switches to non-root user via gosu

This ensures that even if malicious code escalates to root inside the container, it cannot modify iptables rules to bypass the firewall—the capability has
been removed from the kernel's bounding set.

Custom agent used: technical-doc-writer
AI technical documentation writer for awf library using Astro Starlight



Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
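The two-stage entrypoint described in the prompt above, as an added example that is not the awf project's own setup-iptables.sh or entrypoint.sh: stage 1 builds and applies the NAT redirects for ports 80 and 443 to Squid at 172.30.0.10:3128, stage 2 removes cap_net_admin from the bounding set with capsh and switches to a non-root user with gosu. The account name `agent`, the `AWF_ENTRYPOINT` guard variable and all function names are assumptions; the CapBnd mask parser is included so the drop can be verified from `/proc/self/status` inside the container rather than trusted.

```shell
#!/bin/sh
# Added example (not the awf project's scripts): a single-file sketch of the
# two-stage container entrypoint. Stage 1 needs root + CAP_NET_ADMIN; stage 2
# drops that capability for good and hands control to an unprivileged user.
set -eu

SQUID_ADDR="${SQUID_ADDR:-172.30.0.10}"   # Squid address from the page
SQUID_PORT="${SQUID_PORT:-3128}"
AGENT_USER="${AGENT_USER:-agent}"        # hypothetical non-root account
CAP_NET_ADMIN_BIT=12                      # capability number from <linux/capability.h>

# Stage 1 rule text: one nat OUTPUT DNAT rule per intercepted port. Printed
# rather than executed so the rules can be reviewed or logged before use.
nat_redirect_rules() {
  for port in 80 443; do
    printf 'iptables -t nat -A OUTPUT -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
      "$port" "$SQUID_ADDR" "$SQUID_PORT"
  done
}

# Stage 1: apply the rules. Only called from run_entrypoint, never on source.
setup_iptables() {
  nat_redirect_rules | while IFS= read -r rule; do
    sh -c "$rule"
  done
}

# Report whether CAP_NET_ADMIN is set in a CapBnd-style 64-bit hex mask.
# Exit status 0 = present, 1 = absent. Pure arithmetic, so testable unprivileged.
cap_net_admin_in_mask() {
  mask="$1"
  # bits 0-15 live in the last four hex digits; bit 12 is 0x1000
  low=$(printf '%s' "$mask" | tail -c 4)
  [ $(( 0x$low & (1 << CAP_NET_ADMIN_BIT) )) -ne 0 ]
}

# Read this process's bounding set from /proc and check it. After stage 2
# this must fail; calling it from the agent at start-up verifies the drop.
cap_net_admin_in_bounding_set() {
  cap_net_admin_in_mask "$(awk '/^CapBnd:/ {print $2}' /proc/self/status)"
}

# Stage 2 command line: capsh removes cap_net_admin from the bounding set,
# then gosu switches to the agent user before exec'ing the real command.
stage2_command() {
  user="$1"; shift
  printf "capsh --drop=cap_net_admin -- -c 'exec gosu %s %s'\n" "$user" "$*"
}

# Full entrypoint. The bounding set can only shrink, so once capsh has run,
# nothing later in this process tree (root included) can regain the capability.
run_entrypoint() {
  cap_net_admin_in_bounding_set || {
    echo "stage 1 needs CAP_NET_ADMIN in the bounding set" >&2
    return 1
  }
  setup_iptables
  echo "stage 2: $(stage2_command "$AGENT_USER" "$@")" >&2
  exec capsh --drop=cap_net_admin -- -c "exec gosu $AGENT_USER $*"
}

# Act as an entrypoint only when explicitly asked; otherwise just define
# the functions so the file can be sourced for verification or testing.
if [ "${AWF_ENTRYPOINT:-0}" = "1" ]; then
  run_entrypoint "$@"
fi
```

Run it with `AWF_ENTRYPOINT=1` as root inside the container to act as the entrypoint; without that variable it only defines functions, so the agent can source it after start-up and call `cap_net_admin_in_bounding_set` to confirm the capability is really gone. Verifying from inside the agent catches a misconfigured or skipped capsh step instead of assuming it succeeded.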
Copilot AI changed the title [WIP] Expand security-architecture.md with privilege drop details docs: clarify container privilege drop in security architecture Jan 22, 2026
Copilot AI requested a review from Mossaka January 22, 2026 18:04
@Mossaka Mossaka marked this pull request as ready for review January 22, 2026 19:00
@Mossaka Mossaka merged commit cd1eb82 into main Jan 22, 2026
@Mossaka Mossaka deleted the copilot/expand-privilege-drop-description branch January 22, 2026 19:00
