
[security] fix(sandbox): fail closed for unsupported Docker domain policies #152

Merged
tjb-tech merged 1 commit into HKUDS:main from shaun0927:fix/docker-domain-policy-fail-closed on Apr 17, 2026

Conversation

@shaun0927
Contributor

Closes #150.

Summary

This PR makes the Docker sandbox backend fail closed when allowed_domains / denied_domains are configured but not actually enforceable.

Concretely:

  • Docker sandbox keeps --network none
  • a warning is emitted when domain policies are configured under Docker mode
  • regression tests cover the fail-closed behavior

Why

Issue #120 / PR #121 introduced Docker sandboxing as part of the project’s safety-boundary story and exposed domain-policy settings through sandbox config.

The current Docker path, however, does not enforce those policy contents. Any non-empty allowed_domains list switches Docker networking from none to plain bridge.

That means two different policies such as:

  • allow github.com, deny example.com
  • allow internal.example, deny google.com

produce the same unrestricted bridge configuration.

Root cause

src/openharness/sandbox/docker_backend.py checks only whether allowed_domains is non-empty, but it does not propagate the policy contents into any enforcement layer.

So the current behavior is effectively:

  • empty list -> no network
  • non-empty list -> unrestricted bridge network

which is broader than the config semantics imply.

Change

  • keep Docker networking disabled when domain policies are configured
  • emit a warning explaining that Docker domain-policy enforcement is not implemented yet
  • update sandbox tests to lock in the fail-closed behavior

Before / After

Before

  • non-empty allowed_domains enabled --network bridge
  • configured policy contents had no effect on Docker runtime behavior

After

  • non-empty allowed_domains / denied_domains keeps --network none
  • operators get an explicit warning instead of a silent widening of egress

Compatibility

  • this changes behavior only for the Docker backend when domain policies are configured
  • the srt backend is unchanged
  • this does not attempt to design a full Docker egress-filtering system in one patch

Validation

  • PYTHONPATH=src pytest -q tests/test_sandbox/test_docker_backend.py tests/test_sandbox/test_adapter.py
  • PYTHONPATH=src ruff check src tests
  • targeted regression coverage added for the warning + fail-closed path

Notes

  • I chose the smallest safe fix here: fail closed until Docker domain-policy enforcement actually exists.
  • Full pytest -q on this local environment is currently blocked by unrelated collection errors caused by a missing optional pyperclip dependency; I did not change the command/UI modules involved in those collection failures.
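
As an added illustration (not the project's own code), the before/after network-mode selection the PR describes, using a hypothetical `SandboxPolicy` stand-in for the real sandbox config; the old path consults only whether `allowed_domains` is non-empty, the fail-closed path keeps `--network none` and warns:

```python
from __future__ import annotations

import warnings
from dataclasses import dataclass, field


@dataclass
class SandboxPolicy:
    """Hypothetical stand-in for the sandbox config (field names from the PR)."""

    allowed_domains: list[str] = field(default_factory=list)
    denied_domains: list[str] = field(default_factory=list)

    def has_domain_policy(self) -> bool:
        return bool(self.allowed_domains or self.denied_domains)


def network_mode_before(policy: SandboxPolicy) -> str:
    """The bug the PR describes: only the *emptiness* of allowed_domains is
    checked, so any non-empty list widens egress to unrestricted bridge
    networking and the list contents never reach an enforcement layer."""
    return "bridge" if policy.allowed_domains else "none"


def policy_warning(policy: SandboxPolicy) -> str | None:
    """Warning text for a configured-but-unenforceable policy, else None."""
    if not policy.has_domain_policy():
        return None
    return (
        "Docker sandbox: allowed_domains/denied_domains are configured but "
        "per-domain enforcement is not implemented; keeping --network none."
    )


def network_mode_after(policy: SandboxPolicy) -> str:
    """Fail-closed variant: the backend cannot honor per-domain rules, so it
    keeps --network none and warns the operator instead of silently widening."""
    msg = policy_warning(policy)
    if msg is not None:
        warnings.warn(msg, RuntimeWarning, stacklevel=2)
    return "none"


def docker_network_args(policy: SandboxPolicy, *, fail_closed: bool = True) -> list[str]:
    """Build the `docker run` network flag for a policy under either behavior."""
    mode = network_mode_after(policy) if fail_closed else network_mode_before(policy)
    return ["--network", mode]
```

The two constructed policies from the description (`allow github.com, deny example.com` and `allow internal.example, deny google.com`) produce identical `--network bridge` arguments under the old path, and a deny-only policy produces no warning there at all.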

The Docker backend currently turns any non-empty allowed_domains list into
unrestricted bridge networking even though no per-domain enforcement exists.
Keep Docker networking disabled and emit a warning until the backend can
actually honor domain policies.

Constraint: Preserve a small, reviewable fix instead of designing a full Docker egress filter
Rejected: Keep bridge networking with docs-only clarification | leaves silently overbroad behavior in place
Confidence: high
Scope-risk: narrow
Reversibility: clean
Directive: If Docker domain policies are re-enabled later, add true enforcement before widening network access
Tested: PYTHONPATH=src pytest -q tests/test_sandbox/test_docker_backend.py tests/test_sandbox/test_adapter.py
Tested: PYTHONPATH=src ruff check src tests
Not-tested: Full pytest suite in this environment (collection fails because optional pyperclip dependency is missing)
Related: HKUDS#150
shaun0927 force-pushed the fix/docker-domain-policy-fail-closed branch from 2c45dd1 to 5b66648 on April 16, 2026 14:53
@tjb-tech tjb-tech merged commit 91c0e32 into HKUDS:main Apr 17, 2026
arik08 pushed a commit to arik08/MyHarness that referenced this pull request Apr 26, 2026
Successfully merging this pull request may close these issues.

[Bug]: Docker sandbox ignores allowed_domains/denied_domains contents and enables unrestricted bridge networking