security: harden default network bindings and container privileges#39
Merged
Miyamura80 merged 11 commits intomasterfrom Mar 23, 2026
Merged
security: harden default network bindings and container privileges#39Miyamura80 merged 11 commits intomasterfrom
Miyamura80 merged 11 commits intomasterfrom
Conversation
- Bind VNC default to 127.0.0.1 instead of 0.0.0.0 (users can override via config) - Bind monitor dashboard to 127.0.0.1 instead of 0.0.0.0 - Make SYS_ADMIN + /dev/fuse conditional on app_type=appimage (only app type that needs FUSE) - Add warning log when pulling custom images from remote registries - Delete historical IDEA.md (content already covered by README.md and CLAUDE.md) - Add TODO.md with security hardening roadmap Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Greptile SummaryThis PR delivers a focused set of security hardening changes that harden default network bindings, remove unnecessary container privileges, and improve observability around trust-sensitive operations β all without breaking existing functionality (prior behavior is recoverable via explicit config overrides). Key changes:
Confidence Score: 4/5
Important Files Changed
Flowchart%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[DockerSession::create] --> B{custom_image?}
B -- Yes --> C[inspect_image]
C -- Ok --> D[Use local image]
C -- 404 --> E[warn! trust warning\npull from remote registry]
E --> F[stream pull with debug logs]
F --> D
C -- Other error --> G[AppError::Infra\nfail fast]
B -- No --> H[ensure_image built-in]
H --> D
D --> I[HostConfig::default\nno CAP_SYS_ADMIN\nno /dev/fuse]
I --> J{vnc_port set?}
J -- Yes --> K[bind host_ip = vnc_bind_addr\ndefault: 127.0.0.1\nformat_host_port for display]
J -- No --> L[VNC not exposed]
K --> M[Create + Start container]
L --> M
subgraph Config Validation
V1[parse_and_validate] --> V2{vnc_bind_addr\nvalid IpAddr?}
V2 -- No --> V3[AppError::Config]
V2 -- Yes --> V4[proceed]
end
subgraph Network Bindings
N1[VNC: vnc_bind_addr\ndefault 127.0.0.1\noverridable via config]
N2[Monitor dashboard: 127.0.0.1\nhardcoded, no override yet]
end
Reviews (10): Last reviewed commit: "test: add coverage for format_host_port ..." | Re-trigger Greptile |
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
- Merge redundant warn! + info! into single warn! for custom image pulls - Distinguish 404 (image not found) from other Docker errors in inspect_image to avoid misleading trust warnings on infrastructure hiccups Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Keep security-hardened inspect_image error handling (404 match) with master's formatting style. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor
Author
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
Add comment explaining the asymmetry with VNC (which has vnc_bind_addr override). Add monitor_bind_addr to TODO.md as future work. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor
Author
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
Add docstring note on DockerSession::create() explaining that only appimage containers get SYS_ADMIN+FUSE, and custom images wrapping AppImages will need a future needs_fuse config field. Added to TODO.md. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor
Author
AppImages are already launched with --appimage-extract-and-run (see deploy.rs), which bypasses FUSE entirely. SYS_ADMIN + /dev/fuse were never exercised at runtime, so remove them from container creation for all app types. This closes the container escape vector. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor
Author
|
@greptileai review |
- Add comment pinning the bollard error variant match to 0.18.x so future maintainers know to re-verify after dependency bumps - Validate vnc_bind_addr as a legal IP address at config parse time instead of letting invalid values surface as cryptic Docker errors Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor
Author
|
@greptileai review |
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
Remove the !is_empty() guard that let an empty string bypass IP validation and default to 0.0.0.0 in Docker. Add tests for invalid, empty, and valid vnc_bind_addr values. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor
Author
|
@greptileai review |
- Format IPv6 vnc_bind_addr with brackets in log output (e.g. [::1]:5900) - Use clearer test value for invalid vnc_bind_addr Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor
Author
|
@greptileai review |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
Extract format_host_port() helper in config.rs and use it in all four places that format vnc_bind_addr:port strings (docker/mod.rs, orchestration.rs, interactive.rs x2). Fixes broken dashboard links for IPv6 users. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor
Author
|
@greptileai review |
Add tests for format_host_port() IPv4/IPv6 paths and IPv6 vnc_bind_addr acceptance in config validation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor
Author
|
@greptileai review |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
0.0.0.0(world-accessible). Users who need LAN access can override viavnc_bind_addrin config.0.0.0.0. The dashboard has no authentication, so localhost-only is the safe default.app_type=appimage(needs FUSE to mount). Folder, docker_image, and vnc_attach containers now run without elevated privileges.warn!when pulling images from remote registries.Context
These are the low-risk, high-impact fixes from a security audit. They harden defaults without breaking any existing functionality β all previous behavior is still available via explicit config overrides.
Test plan
cargo testβ 403 passed, 0 failed, 11 ignored"vnc_bind_addr": "0.0.0.0"overrideπ€ Generated with Claude Code