namespace jail cannot run snap-provided tools (docker breaks warded director) #183
Labels
No labels
burndown-2026-06
sunday-sprint
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/cli-guard#183
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Defect
shell.Runner(via the namespace sandbox) cannot run a snap-provided tool. On a host where a wrapped or exec-target tool is a snap multiplexer (e.g./snap/bin/docker -> /usr/bin/snap), every jailed call breaks:Downstream hit:
ward'swarded directordied because it routesdockerthrough the jail (coilyco-flight-deck/ward#540). ward has since routed docker outside the sandbox as the object-level unblock; this issue is the general cli-guard hardening.Root cause (two layers)
installToolShim(cli/sandbox/sandbox_linux.go:155) resolves the tool withfilepath.EvalSymlinks, collapsing/snap/bin/dockerto/usr/bin/snapand stashing THAT asCLIGUARD_REALBIN_DOCKER.snapis a multiplexer keyed onargv[0]'s basename: exec it as/usr/bin/snapand it runs as snap itself, parsing the tool's args as snap subcommands.Deeper: even with a corrected
argv[0]=dockerand the uncollapsed/snap/bin/dockerpath, snap still cannot run inside the jail. Proven directly:snap-confine / snap's canonical-dir access needs privileges the jail strips (CAP_SYS_ADMIN cleared, mount seccomp-denied, private mount ns). So "stash /snap/bin/ + keep argv[0]" is NOT sufficient - a snap tool is fundamentally unjailable.
Correct fix
Detect a snap-multiplexer exec target (resolved real path basename ==
snap) and run it outside the jail - no-opWrapfor it, the same wayJailed()/NoSandbox()short-circuit. A snap exec target (docker) does not need gate re-entry; its descendants are isolated by the container boundary anyway.Security note: if a snap-provided tool is ever a security-wrapped re-entry tool (in
spec.Tools, meant to re-enter the gate), it cannot be jailed and silently escaping the gate would be a hole. cli-guard shouldlog/warn loudly in that case rather than skip silently. docker is only ever an exec target, never a wrapped tool, so it takes the quiet skip path.Repro harness
shell.Runner{Sandbox: spec}.Exec(ctx, "docker", "version", "--format", "..."):error: unknown flag \format'` (exit 64)Sandbox: nil->29.3.1(real docker)