fix: restrict docker commands for ai-worker (wrapper blacklist — exec, cp, commit, etc. blocked) #65
Open
Hermes
wants to merge 1 commit from
feat/restrict-docker-blacklist into master
pull from: feat/restrict-docker-blacklist
merge into: gortium:master
1 Commits

| Author | SHA1 | Message | Date |
|---|---|---|---|
| | 993b9c559c | fix: restrict docker commands for ai-worker (wrapper blacklist) | |

Commit message body for 993b9c559c:

SECURITY CHANGE: Keep ai-worker in docker group but block dangerous docker subcommands via a wrapper script.

Approach:
- docker group membership preserved (ps, start, stop, compose still work)
- Docker binary wrapped with a script that blocks dangerous subcommands
- BLOCKED: exec, cp, commit, diff, export, import, load, save, attach, push, tag
- ALLOWED: ps, images, inspect, logs, start, stop, restart, rm, rmi, pull, build, run, compose, system, network ls, volume ls

The wrapper is installed in both system packages and ai-worker's personal profile to ensure it takes precedence over the real docker. This is effective for the LLM agent threat model — the agent uses CLI commands and blocked subcommands simply return an error.

Files modified:
- users/ai-worker.nix — restored docker group, kept sudo audit rules
- modules/nixos/security/ai-worker-restricted.nix — added docker wrapper script with blacklist logic and NixOS module integration
- modules/nixos/security/README-ai-worker.md — documentation update
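The following is an added illustration of the wrapper approach the commit message describes; it is not the PR's own script and the real module in `modules/nixos/security/ai-worker-restricted.nix` is not visible on this page. It uses the commit's BLOCKED list unchanged, skips docker's global options to find the subcommand, and additionally folds the management-command spelling (`docker container exec`, `docker image save`, and so on) onto the bare verb so both forms are treated alike; that folding and the `REAL_DOCKER` placeholder path are assumptions of this example, not part of the commit. The decision logic lives in `docker_guard` so it can be exercised without a docker binary present.

```shell
#!/bin/sh
# Hypothetical docker wrapper (example, not the PR's script).
# REAL_DOCKER is an assumed placeholder for the real binary this wrapper shadows;
# in the NixOS module it would be the package's own docker path.
REAL_DOCKER="${REAL_DOCKER:-/path/to/real/docker}"

# Subcommands the commit message lists as BLOCKED.
BLOCKED="exec cp commit diff export import load save attach push tag"

# is_blocked VERB -> 0 when VERB is in the BLOCKED list, 1 otherwise
is_blocked() {
    for b in $BLOCKED; do
        [ "$1" = "$b" ] && return 0
    done
    return 1
}

# docker_guard ARGS... -> 0 if the invocation may be passed through, 1 if blocked.
# Global options (with or without a separate value) are skipped to reach the
# subcommand; "container"/"image" management prefixes are resolved to the verb
# that follows them so "docker container exec" is judged like "docker exec".
docker_guard() {
    sub=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -H|--host|-l|--log-level|-c|--context|--config|--tlscacert|--tlscert|--tlskey)
                # global option followed by a separate value: skip both tokens
                shift
                if [ $# -gt 0 ]; then shift; fi ;;
            -*)
                # any other global flag (-D, --tls, --host=..., ...): skip it
                shift ;;
            *)
                sub="$1"
                shift
                break ;;
        esac
    done
    case "$sub" in
        container|image) verb="${1:-}" ;;   # management form: next token is the verb
        *) verb="$sub" ;;
    esac
    if is_blocked "$verb"; then
        echo "docker: subcommand '$verb' is blocked by the ai-worker wrapper" >&2
        return 1
    fi
    return 0
}

# docker_wrapper ARGS... -> runs the guard, then hands the unchanged
# argument vector to the real binary only when the guard allows it.
docker_wrapper() {
    docker_guard "$@" || return 1
    exec "$REAL_DOCKER" "$@"
}

# Act as the wrapper only when installed under the name "docker" (the PATH
# shadowing the commit describes); otherwise just define the functions.
case "${0##*/}" in
    docker) docker_wrapper "$@" ;;
esac
```

Because the guard inspects only the subcommand and not the flags of allowed ones such as `run` and `build`, it is a guardrail for the agent threat model the commit states, not a privilege boundary: docker group membership still carries the underlying access, which is why the commit keeps the sudo audit rules alongside it.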