feat(devcontainer): add separate secure customer profile #10431
viyatb-oai merged 12 commits into main from
Conversation
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: fad8095c9e
force-pushed eed40a5 to 58ab6db
Closing this pull request because it has had no updates for more than 14 days. If you plan to continue working on it, feel free to reopen or open a new PR.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 755e0dd339
| host_network="$(echo "$host_ip" | sed 's/\.[0-9]*$/.0\/24/')" | ||
| iptables -A INPUT -s "$host_network" -j ACCEPT | ||
| iptables -A OUTPUT -d "$host_network" -j ACCEPT |
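Review bot: the `sed 's/\.[0-9]*$/.0\/24/'` substitution that derives `host_network` hard-codes a /24 prefix, so it yields the wrong subnet whenever the Docker bridge is configured with any other mask, and even when the mask is right it admits every peer container on that bridge; using the gateway address directly (`-s "$host_ip"` / `-d "$host_ip"`) removes both the sed step and the over-broad match.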
Restrict host-subnet egress to gateway only
The rule iptables -A OUTPUT -d "$host_network" -j ACCEPT whitelists the whole /24 around the Docker gateway, not just the host. Any proxy/service on a peer container in that subnet can relay traffic to arbitrary destinations, bypassing the allowed-domains ipset and weakening the intended default-deny egress policy.
| iptables -A OUTPUT -p udp --dport 53 -j ACCEPT | ||
| iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT |
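Review bot: neither port-53 rule carries a `-d` match, so the resolver addresses should be read from the container's `/etc/resolv.conf` at firewall-init time (Docker's embedded resolver at 127.0.0.11 on user-defined networks, otherwise the host's resolvers copied into the container) and each rule bound to one of them; that keeps name resolution working while every other port-53 destination falls through to the default deny.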
Limit DNS egress to trusted resolver addresses
Allowing outbound DNS on port 53 to any destination (OUTPUT ... --dport 53) creates an unfiltered channel to arbitrary IPs. This bypasses the domain allowlist model and lets traffic leave even when non-allowlisted destinations are blocked. DNS should be constrained to Docker's resolver (or explicit trusted resolvers).
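A narrowed form of the two firewall fragments flagged in the review comments above (gateway-only host rule, resolver-only DNS rules), as an added shell example that is not part of PR #10431 or the project's init-firewall.sh; the function names, the 172.17.0.1 gateway and the sample resolv.conf contents are assumptions.

```shell
#!/bin/sh
# Added example, not code from PR #10431: print the narrowed rules the two
# review comments ask for. Arguments are assumed: the Docker gateway address
# (host_ip in the PR script) and resolv.conf text. Nothing is applied here;
# the caller reviews the output, then runs it or feeds it to a shell.

# Two ACCEPT rules (udp+tcp 53) bound to one trusted resolver address.
dns_rules_for() {
  resolver="$1"
  printf 'iptables -A OUTPUT -d %s -p udp --dport 53 -j ACCEPT\n' "$resolver"
  printf 'iptables -A OUTPUT -d %s -p tcp --dport 53 -j ACCEPT\n' "$resolver"
}

# Emit the hardened egress rule set. $1: gateway address; $2: resolv.conf
# contents passed as a string so the function can run offline.
hardened_egress_rules() {
  host_ip="$1"
  resolv_conf="$2"
  # Host traffic: the gateway address itself, not a /24 derived with sed.
  printf 'iptables -A INPUT -s %s -j ACCEPT\n' "$host_ip"
  printf 'iptables -A OUTPUT -d %s -j ACCEPT\n' "$host_ip"
  # DNS: only the configured nameservers; any other port-53 destination falls
  # through to the final DROP instead of becoming an unfiltered channel.
  printf '%s\n' "$resolv_conf" | awk '$1 == "nameserver" { print $2 }' |
  while read -r ns; do
    dns_rules_for "$ns"
  done
  # Default deny for everything that matched no explicit ACCEPT above.
  printf 'iptables -A OUTPUT -j DROP\n'
}

# Constructed sample resolv.conf: Docker's embedded resolver plus one host
# resolver, as seen on a user-defined network.
SAMPLE_RESOLV_CONF='search example.test
nameserver 127.0.0.11
nameserver 10.0.0.2'

# Stand-alone run: show the rules for a typical docker0 gateway.
hardened_egress_rules 172.17.0.1 "$SAMPLE_RESOLV_CONF"
```

The printed rule list is the review artefact: the INPUT/OUTPUT pair names a single host address and the only port-53 destinations are the nameservers actually configured in the container.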
Description
Keeps the existing Codex contributor devcontainer in place and adds a separate secure profile for customer use.
What changed
- `.devcontainer/devcontainer.json` and the contributor `Dockerfile` aligned with `main`
- `.devcontainer/devcontainer.secure.json` and `.devcontainer/Dockerfile.secure`
- `post_install.py`
- `post-start.sh`
- `init-firewall.sh`
- `.devcontainer/README.md` to explain when to use each path
Secure profile behavior
The new secure profile is opt-in and is meant for running Codex in a stricter project container:
Resulting behavior
- `devcontainer.json` remains the low-friction Codex contributor setup
- `devcontainer.secure.json` is the customer-facing secure option