SECURITY CHANGE: Keep ai-worker in docker group but block dangerous
docker subcommands via a wrapper script.
Approach:
- docker group membership preserved (ps, start, stop, compose still work)
- Docker binary wrapped with a script that blocks dangerous subcommands
- BLOCKED: exec, cp, commit, diff, export, import, load, save, attach, push, tag
- ALLOWED: ps, images, inspect, logs, start, stop, restart, rm, rmi,
pull, build, run, compose, system, network ls, volume ls
The wrapper is installed in both system packages and ai-worker's
personal profile to ensure it takes precedence over the real docker.
This is effective for the LLM agent threat model — the agent uses CLI
commands and blocked subcommands simply return an error.
Files modified:
- users/ai-worker.nix — restored docker group, kept sudo audit rules
- modules/nixos/security/ai-worker-restricted.nix — added docker wrapper
script with blacklist logic and NixOS module integration
- modules/nixos/security/README-ai-worker.md — documentation update
Hermes
993b9c559c