Isolation & security

Docker Runtime Hardening Contract

Status: Partially implemented — Docker profile enforcement is wired, standard is the compiled default, and rootless DinD is a recommended explicit grant; credential env-only posture remains

Shipped evidence

The hardening contract is no longer just a model. The launch path applies the profile decisions and the core decisions are unit-tested through pure launch-plan helpers.

Shipped pieces:

  • Four profiles exist (compat, standard, hardened, locked) with profile/grant defaults and runtime env names reserved against role-manifest override.
  • no-new-privileges is applied when sudo is off; sudo is provisioned at runtime only when the effective grant enables it.
  • cgroup/AppArmor probes run before launch; cgroup v1 fails closed for hardened/locked where the promised resource enforcement cannot be delivered.
  • Egress allowlist enforcement is wired through firewall-apply and fails closed under hardened/locked if the firewall cannot install the policy.
  • locked uses a Docker-internal role network.
  • DinD is tier-aware: none, rootless, and privileged are selectable; rootless uses docker:dind-rootless, fails closed where cgroup v2 is required, and is the recommended explicit grant for Docker workflows on cgroup v2. When DinD and allowlist networking are both active, the launch contract reports partial enforcement because inner containers bypass the role-container firewall.
  • The session contract and compact/debug telemetry report the effective profile decisions before launch.
  • cargo xtask profile-matrix standard records the default-flip compatibility matrix; the local cgroup-v2 run passed with expected rejects for runtime package installation without sudo and Docker workflows without DinD.
  • standard is the compiled-in default. compat remains available through CLI/config/workspace/role selection for legacy privileged DinD, standing sudo, or resource-unlimited workflows.
  • Host Docker socket exclusion has a regression test.
  • Schema, guide, and runtime reference docs for the shipped fields exist in Docker Security Profiles, Role manifest, Configuration, and Schema Versions.

Plan 043 sequencing

Plan 043 was written before WP-SUDO and WP4 landed. The keystone audit result is now complete:

Audit questionCurrent answerEvidence
Is NOPASSWD:ALL baked into the construct image?No. The construct installs the sudo package, but no sudoers entry is baked into the image.docker/construct/Dockerfile
Does jackin runtime code call sudo for its own privileged setup?No. Runtime setup that needs root uses Docker exec --user root, including sudo provisioning.crates/jackin-runtime/src/runtime/docker_profile.rs, crates/jackin-runtime/src/runtime/launch/launch_runtime.rs
How is passwordless sudo granted?Only when the resolved profile/grants set JACKIN_SUDO=1; the capsule helper writes /etc/sudoers.d/agent. When the grant is absent, the helper removes the file.crates/jackin-capsule/src/sudo_provision.rs
Does no-new-privileges compose with sudo?Yes. It is enabled when sudo is off and disabled when sudo is explicitly granted, avoiding silent setuid failure.crates/jackin-runtime/src/runtime/docker_profile.rs
Does built-in runtime behavior require full sudo?No built-in jackin runtime path currently requires in-container sudo. Runtime package installs remain a role/operator capability decision and should declare min_profile = "compat" or an explicit sudo grant.docs/content/docs/(public)/guides/docker-profiles.mdx

The remaining dependency order is:

  1. Keep the standard matrix green as new built-in roles and agent workflows are added.
  2. Continue the independent credential env-only posture work for hardened/locked.

Parallel hardening tracks remain independent: host.sock auth is already implemented for Linux peer credentials, DinD-inner egress residual risk is documented and tested as partial enforcement, signed releases still need end-to-end local verification, and credential env-only posture remains coordinated with the credential-exposure research.

Remaining work

  1. Credential env-only posture. Under hardened/locked, prefer env-only or otherwise reduced credential exposure and emit a credential_posture decision per agent auth type. Coordinate with Container credential exposure.

Rootless DinD default research is closed for this track: keep standard default DinD as none, recommend dind = "rootless" as the explicit Docker-workflow grant on cgroup v2, and reserve compat/privileged DinD for workflows that cannot run rootless.

Constraints that stay true

  • Agent bypass flags remain enabled; Docker is the enforceable boundary, not the agent's own permission model.
  • Host Docker socket exclusion is a hard rule.
  • Hardened Docker is still a shared-kernel boundary; do not describe it as hostile multi-tenant isolation.
  • OTLP host egress remains jackin-owned infrastructure and is always allowlisted for telemetry.
ItemRelationship
Apple Container backendmacOS 26 VM backend; rootless DinD validation informs Apple Container viability.
Network egress policyFuture proxy-sidecar egress and connection logs beyond Docker firewall rules.
Declarative resource limitsResource-budget schema and parser.
Process-level sandboxingPer-command isolation inside any Docker profile.
Session contract and explain modeActive profile inspection before launch.

On this page