fix: restrict docker commands for ai-worker (wrapper blacklist — exec, cp, commit, etc. blocked) #65

Open
Hermes wants to merge 1 commits from feat/restrict-docker-blacklist into master
Collaborator

Security Fix: Block dangerous docker commands for ai-worker

Problem

The ai-worker user is in the docker group, giving unrestricted access to ALL Docker commands. An agent was able to generate a Gitea admin token via docker exec -u git gitea gitea admin user generate-access-token -u gortium.

This PR

Keeps ai-worker in the docker group (so docker ps, docker compose, docker build, docker run, etc. still work), but wraps the docker binary with a script that blocks dangerous subcommands.

BLOCKED commands

exec, cp, commit, diff, export, import, load, save, attach, push, tag

ALLOWED commands

ps, images, inspect, logs, start, stop, restart, rm, rmi, pull, build, run, compose, system, network ls, volume ls

How it works

A wrapper script intercepts docker calls, parses the subcommand, and rejects blocked ones. The wrapper is installed both as a system package and in ai-worker's personal profile so it takes precedence over the real Docker binary.

Fixes

Closes the security incident where the agent created a Gitea admin token via docker exec.
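A wrapper of the kind the description outlines, added here as an illustration; it is not the script shipped in this PR, and the path in `REAL_DOCKER` and the `docker-wrapper` syslog tag are assumptions. It applies the PR's blocked list, skips Docker's global options so that `docker -H <host> exec` is still classified as `exec`, and folds the management-command spellings (`docker container exec`, `docker image save`, `docker compose cp`) onto the same list so they are refused too. Refused calls are logged to syslog for the audit trail.

```shell
#!/bin/sh
# Added example of a docker blocklist wrapper, not the script shipped in this PR.
# REAL_DOCKER is an assumption: the path at which the NixOS module would keep
# the genuine docker binary once the wrapper takes its place on PATH.
REAL_DOCKER="${REAL_DOCKER:-/run/current-system/sw/bin/.docker-wrapped}"

# Subcommands refused for ai-worker (the list from the PR description).
BLOCKED="exec cp commit diff export import load save attach push tag"

# Print the effective subcommand of a docker command line.
# Global options that precede the subcommand are skipped so that
# "docker -H unix:///... exec" is still seen as "exec".  Management
# commands ("docker container exec", "docker image save", "docker compose cp")
# are printed as two words, e.g. "container exec".
docker_subcommand() {
  while [ $# -gt 0 ]; do
    case "$1" in
      # global options that take a separate value
      -H|--host|--context|-l|--log-level|--config|--tlscacert|--tlscert|--tlskey)
        shift
        if [ $# -gt 0 ]; then shift; fi ;;
      # global options given as --opt=value
      --host=*|--context=*|--log-level=*|--config=*|--tls*=*)
        shift ;;
      # global boolean options
      -D|--debug|--tls|--tlsverify)
        shift ;;
      # management commands: the real action is the next word
      container|image|compose|volume|network|system)
        mgmt=$1
        shift
        if [ $# -gt 0 ]; then
          printf '%s %s\n' "$mgmt" "$1"
        else
          printf '%s\n' "$mgmt"
        fi
        return 0 ;;
      # any other leading flag is treated as a valueless global option (assumption)
      -*)
        shift ;;
      *)
        printf '%s\n' "$1"
        return 0 ;;
    esac
  done
  printf '\n'
}

# Exit status 0 when the command line is allowed, 1 when it hits the blocklist.
docker_allowed() {
  sub=$(docker_subcommand "$@")
  action=${sub##* }          # last word: "exec" from "container exec"
  for b in $BLOCKED; do
    if [ "$action" = "$b" ]; then
      return 1
    fi
  done
  return 0
}

# Dispatch: hand allowed commands to the real binary, log and refuse the rest.
docker_wrapper_main() {
  if docker_allowed "$@"; then
    exec "$REAL_DOCKER" "$@"
  fi
  sub=$(docker_subcommand "$@")
  # Audit trail for incident response: which user tried which subcommand.
  # "docker-wrapper" is an assumed syslog tag.
  if command -v logger >/dev/null 2>&1; then
    logger -t docker-wrapper -p auth.warning "blocked 'docker $sub' for user $(id -un)"
  fi
  echo "docker: subcommand '$sub' is blocked for this user" >&2
  exit 1
}

# Only dispatch when installed under the name "docker"; sourcing the file
# (for instance to test the functions) runs nothing.
case "${0##*/}" in
  docker) docker_wrapper_main "$@" ;;
esac
```

The subcommand is resolved after the global options rather than taken from `$1`, because Docker accepts `-H`, `--context` and similar flags before the subcommand; a wrapper that only inspects the first argument would let `docker -H <host> exec` through. The management-command forms are the documented long spellings of the same actions, so they must map to the same list.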

Hermes added 1 commit 2026-05-21 00:42:47 +00:00
SECURITY CHANGE: Keep ai-worker in docker group but block dangerous
docker subcommands via a wrapper script.

Approach:
- docker group membership preserved (ps, start, stop, compose still work)
- Docker binary wrapped with a script that blocks dangerous subcommands
- BLOCKED: exec, cp, commit, diff, export, import, load, save, attach, push, tag
- ALLOWED: ps, images, inspect, logs, start, stop, restart, rm, rmi,
  pull, build, run, compose, system, network ls, volume ls

The wrapper is installed in both system packages and ai-worker's
personal profile to ensure it takes precedence over the real docker.
This is effective for the LLM agent threat model — the agent uses CLI
commands and blocked subcommands simply return an error.

Files modified:
- users/ai-worker.nix — restored docker group, kept sudo audit rules
- modules/nixos/security/ai-worker-restricted.nix — added docker wrapper
  script with blacklist logic and NixOS module integration
- modules/nixos/security/README-ai-worker.md — documentation update

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin feat/restrict-docker-blacklist:feat/restrict-docker-blacklist
git checkout feat/restrict-docker-blacklist
Reference: gortium/infra#65