tanmay/Regolith
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Secure IPC with per-group namespaces to prevent privilege escalation

Browse Source 
Each container now gets its own IPC directory (/data/ipc/{groupFolder}/)
instead of a shared global directory. Identity is determined by which
directory a request came from, not by self-reported data in IPC files.

Authorization enforced:
- send_message: only to chatJids belonging to the source group
- schedule_task: only for the source group (main can target any)
- pause/resume/cancel_task: only for tasks owned by source group

https://claude.ai/code/session_018nmxNEbtgJH7cKDyBSQGAw
This commit is contained in:
Claude
2026-02-01 17:44:25 +00:00
parent c255451ac3
commit 6a94aec5da
3 changed files with 141 additions and 83 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
src/container-runner.ts
View File

@@ -101,11 +101,13 @@ function buildVolumeMounts(group: RegisteredGroup, isMain: boolean): VolumeMount
});
}
const ipcDir = path.join(DATA_DIR, 'ipc');
fs.mkdirSync(path.join(ipcDir, 'messages'), { recursive: true });
fs.mkdirSync(path.join(ipcDir, 'tasks'), { recursive: true });
// Per-group IPC namespace: each group gets its own IPC directory
// This prevents cross-group privilege escalation via IPC
const groupIpcDir = path.join(DATA_DIR, 'ipc', group.folder);
fs.mkdirSync(path.join(groupIpcDir, 'messages'), { recursive: true });
fs.mkdirSync(path.join(groupIpcDir, 'tasks'), { recursive: true });
mounts.push({
hostPath: ipcDir,
hostPath: groupIpcDir,
containerPath: '/workspace/ipc',
readonly: false
});
@@ -337,17 +339,28 @@ export async function runContainerAgent(
});
}
export function writeTasksSnapshot(tasks: Array<{
id: string;
groupFolder: string;
prompt: string;
schedule_type: string;
schedule_value: string;
status: string;
next_run: string | null;
}>): void {
const ipcDir = path.join(DATA_DIR, 'ipc');
fs.mkdirSync(ipcDir, { recursive: true });
const tasksFile = path.join(ipcDir, 'current_tasks.json');
fs.writeFileSync(tasksFile, JSON.stringify(tasks, null, 2));
export function writeTasksSnapshot(
groupFolder: string,
isMain: boolean,
tasks: Array<{
id: string;
groupFolder: string;
prompt: string;
schedule_type: string;
schedule_value: string;
status: string;
next_run: string | null;
}>
): void {
// Write filtered tasks to the group's IPC directory
const groupIpcDir = path.join(DATA_DIR, 'ipc', groupFolder);
fs.mkdirSync(groupIpcDir, { recursive: true });
// Main sees all tasks, others only see their own
const filteredTasks = isMain
? tasks
: tasks.filter(t => t.groupFolder === groupFolder);
const tasksFile = path.join(groupIpcDir, 'current_tasks.json');
fs.writeFileSync(tasksFile, JSON.stringify(filteredTasks, null, 2));
}