From ed32487cbeead17bad012c659fcbb5f45a3b12a1 Mon Sep 17 00:00:00 2001
From: Allegro
Date: Mon, 30 Mar 2026 23:55:45 +0000
Subject: [PATCH] security: block dangerous Docker volume mounts (V-012, CVSS 8.7)
Prevent privilege escalation via Docker socket mount.
Changes:
- tools/environments/docker.py: Add _is_dangerous_volume() validation
- Block docker.sock, /proc, /sys, /dev, root fs mounts
- Log security error when dangerous volume detected
Fixes container escape vulnerability where user-configured volumes could mount Docker socket for host compromise.
CVSS: 8.7 (High)
Refs: V-012 in SECURITY_AUDIT_REPORT.md
CWE-250: Execution with Unnecessary Privileges
---
 tools/environments/docker.py | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/tools/environments/docker.py b/tools/environments/docker.py
index 0e07d248d..70b136ffc 100644
--- a/tools/environments/docker.py
+++ b/tools/environments/docker.py
@@ -253,6 +253,26 @@ class DockerEnvironment(BaseEnvironment):
 # mode uses tmpfs (ephemeral, fast, gone on cleanup).
 from tools.environments.base import get_sandbox_dir
+ # SECURITY FIX (V-012): Block dangerous volume mounts
+ # Prevent privilege escalation via Docker socket or sensitive paths
+ _BLOCKED_VOLUME_PATTERNS = [
+ "/var/run/docker.sock",
+ "/run/docker.sock",
+ "/var/run/docker.pid",
+ "/proc", "/sys", "/dev",
+ ":/", # Root filesystem mount
+ ]
+
+ def _is_dangerous_volume(vol_spec: str) -> bool:
+ """Check if volume spec is dangerous (docker socket, root fs, etc)."""
+ for pattern in _BLOCKED_VOLUME_PATTERNS:
+ if pattern in vol_spec:
+ return True
+ # Check for docker socket variations
+ if "docker.sock" in vol_spec.lower():
+ return True
+ return False
+
 # User-configured volume mounts (from config.yaml docker_volumes)
 volume_args = []
 workspace_explicitly_mounted = False
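Review bot: The `":/"` entry in `_BLOCKED_VOLUME_PATTERNS` matches every `host:/container` spec, not only a root-filesystem mount, so `_is_dangerous_volume` rejects all ordinary bind mounts — the `":/workspace" in vol` test visible in the next hunk shows that such specs are the expected input. The remaining substring patterns miss in both directions: `/dev` also matches a host path such as `/home/me/devtools`, while the comparison is never made against the normalised host side of the spec, so `..` segments or a symlinked parent directory are not accounted for. Parse the host path (`vol_spec.split(":", 1)[0]`), normalise it with `os.path.realpath`, and compare by exact match or path prefix against a list of blocked host paths with `/` checked separately; the rewrite below does that and needs `os` in scope if the module does not already import it. Defining the pattern list and the helper inside the method body re-creates them on every call; a module-level `_BLOCKED_HOST_PATHS` and a module-level helper would also make the check unit-testable. The enclosing method starts and ends outside this hunk.
```python
# … unchanged: from tools.environments.base import get_sandbox_dir …
_BLOCKED_HOST_PATHS = (
    "/proc", "/sys", "/dev",
    "/var/run/docker.sock", "/run/docker.sock", "/var/run/docker.pid",
)

def _is_dangerous_volume(vol_spec: str) -> bool:
    """Return True when the host side of a host:container[:opts] spec is the
    root filesystem, a kernel pseudo-filesystem, or the Docker socket/pid file."""
    host_path = vol_spec.split(":", 1)[0]
    if "docker.sock" in host_path.lower():
        return True
    if not host_path.startswith("/"):
        return False  # named volume or relative path; confirm how docker_volumes documents these
    resolved = os.path.realpath(host_path)  # collapses ".." and symlinks
    if resolved == "/":
        return True  # host root filesystem
    return any(
        resolved == blocked or resolved.startswith(blocked + "/")
        for blocked in _BLOCKED_HOST_PATHS
    )
```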
@@ -263,6 +283,15 @@ class DockerEnvironment(BaseEnvironment):
 vol = vol.strip()
 if not vol:
 continue
+
+ # SECURITY FIX (V-012): Block dangerous volumes
+ if _is_dangerous_volume(vol):
+ logger.error(
+ f"SECURITY: Refusing to mount dangerous volume '{vol}'. "
+ f"Docker socket and system paths are blocked to prevent container escape."
+ )
+ continue # Skip this dangerous volume
+
 if ":" in vol:
 volume_args.extend(["-v", vol])
 if ":/workspace" in vol:
--
2.43.0
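Review bot: `logger.error(f"...{vol}...")` formats the config string eagerly and places a user-controlled value verbatim into the message; the module's logging style is not visible here, but the lazy form `logger.error("SECURITY: Refusing to mount dangerous volume %r. Docker socket and system paths are blocked to prevent container escape.", vol)` defers formatting and `%r` keeps any embedded newline or control character visible in the log line instead of letting it break the record. Silently continuing also means the container starts without a mount the operator configured; if a rejected volume should be treated as a misconfiguration rather than a warning, raising here would fail closed — whichever is intended, the enclosing method's docstring should state that rejected entries are dropped. The loop and the method it belongs to start and end outside this hunk.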