fix: restrict docker commands for ai-worker (wrapper blacklist)

SECURITY CHANGE: Keep ai-worker in docker group but block dangerous docker subcommands via a wrapper script. Approach: - docker group membership preserved (ps, start, stop, compose still work) - Docker binary wrapped with a script that blocks dangerous subcommands - BLOCKED: exec, cp, commit, diff, export, import, load, save, attach, push, tag - ALLOWED: ps, images, inspect, logs, start, stop, restart, rm, rmi, pull, build, run, compose, system, network ls, volume ls The wrapper is installed in both system packages and ai-worker's personal profile to ensure it takes precedence over the real docker. This is effective for the LLM agent threat model — the agent uses CLI commands and blocked subcommands simply return an error. Files modified: - users/ai-worker.nix — restored docker group, kept sudo audit rules - modules/nixos/security/ai-worker-restricted.nix — added docker wrapper script with blacklist logic and NixOS module integration - modules/nixos/security/README-ai-worker.md — documentation update
2026-05-20 20:34:19 -04:00
parent 36359de6aa
commit 993b9c559c
3 changed files with 201 additions and 84 deletions
--- a/users/ai-worker.nix
+++ b/users/ai-worker.nix
@@ -4,6 +4,8 @@
    group = "ai-worker";
    home = "/home/ai-worker";
    createHome = true;
+    # ai-worker stays in docker group for normal docker operations (ps, start, stop, compose, ...)
+    # Dangerous commands (exec, cp, commit) are blocked by a wrapper script.
    extraGroups = [ "docker" ];
    shell = pkgs.bashInteractive;
    openssh.authorizedKeys.keys = [
@@ -14,17 +16,14 @@
  };
  users.groups.ai-worker = {};

-  # Enable restricted AI worker SSH access for ollama benchmarking
-  # SECURITY: ai-worker can only:
-  #   - SSH into host from Hermes container
-  #   - Run docker commands (docker exec ollama ...) via docker group
-  #   - Run specific security audit commands
-  #   - NO access to infra repo (no bind mount)
-  #   - NO sudo access (no nh, nixos-rebuild, nixpkgs-fmt, nix)
-  # WORKFLOW: SSH from Hermes container, run docker benchmarks, return and save results to /opt/data/ai-optimizer/
+  # Enable restricted AI worker SSH access
+  # SECURITY: ai-worker is in docker group but docker commands are filtered:
+  #   ALLOWED: ps, images, logs, start, stop, restart, rm, rmi, pull, build, run, compose
+  #   BLOCKED: exec, cp, commit, diff, export, import, load, save, attach, push
+  # The filtering is done by a docker wrapper in ai-worker's PATH.
  services.aiWorkerAccess = true;
-  
-  # Restricted sudo for ai-worker - security checks only
+
+  # Restricted sudo for ai-worker - security checks only (not for docker)
  security.sudo.extraRules = [
    {
      users = [ "ai-worker" ];
@@ -69,15 +68,6 @@
          command = "/run/current-system/sw/bin/sshd -T";
          options = [ "NOPASSWD" ];
        }
-        # Docker service checks
-        {
-          command = "/run/current-system/sw/bin/docker ps";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker inspect *";
-          options = [ "NOPASSWD" ];
-        }
        # Network diagnostics
        {
          command = "/run/current-system/sw/bin/ss -tlnp";