security(container-host-isolation): add docker security config

Author: hellomypastor

server/README.md

@@ -93,6 +93,20 @@ cp example.config.toml ~/.sandbox.toml
    network_mode = "bridge"  # Isolated container networking
    ```
 
+**Security hardening (applies to all Docker modes)**
+   ```toml
+   [docker]
+   # Drop dangerous capabilities and block privilege escalation by default
+   drop_capabilities = ["AUDIT_WRITE", "MKNOD", "NET_ADMIN", "NET_RAW", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_TIME", "SYS_TTY_CONFIG"]
+   no_new_privileges = true
+   apparmor_profile = ""        # e.g. "docker-default" when AppArmor is available
+   # Limit fork bombs and optionally enforce seccomp / read-only rootfs
+   pids_limit = 512             # set to null to disable
+   seccomp_profile = ""        # path or profile name; empty uses Docker default
+   read_only_rootfs = false     # enable for stricter isolation if your image allows it
+   ```
+   Further reading on Docker container security: https://docs.docker.com/engine/security/
+
 ### Run the server
 
 Start the server using `uv`:
@@ -121,6 +135,8 @@ Once the server is running, interactive API documentation is available:
 - **Swagger UI**: [http://localhost:8080/docs](http://localhost:8080/docs)
 - **ReDoc**: [http://localhost:8080/redoc](http://localhost:8080/redoc)
 
+Further reading on Docker container security: https://docs.docker.com/engine/security/
+
 ### API authentication
 
 Authentication is enforced only when `server.api_key` is set. If the value is empty or missing, the middleware skips API Key checks (intended for local/dev). For production, always set a non-empty `server.api_key` and send it via the `OPEN-SANDBOX-API-KEY` header.

server/README_zh.md

@@ -97,6 +97,21 @@ execd_image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/execd
 network_mode = "bridge"  # 容器隔离网络
 ```
 
+**安全加固（适用于所有 Docker 模式）**
+```toml
+[docker]
+# 默认关闭危险能力、防止提权
+drop_capabilities = ["AUDIT_WRITE", "MKNOD", "NET_ADMIN", "NET_RAW", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_TIME", "SYS_TTY_CONFIG"]
+no_new_privileges = true
+# 当宿主机启用了 AppArmor 时，可指定策略名称（如 "docker-default"）；否则留空
+apparmor_profile = ""
+# 限制进程数量，可选的 seccomp/只读根文件系统
+pids_limit = 512             # 设为 null 可关闭
+seccomp_profile = ""        # 配置文件路径或名称；为空使用 Docker 默认
+read_only_rootfs = false     # 如果镜像允许写 /，可开启以进一步隔离
+```
+更多 Docker 安全参考：https://docs.docker.com/engine/security/
+
 ### 启动服务
 
 使用 `uv` 启动服务：

server/example.config.toml

@@ -37,8 +37,19 @@ execd_image = "opensandbox/execd:latest"
 [docker]
 # Docker-specific knobs
 # -----------------------------------------------------------------
-# Supported values for network_mode: "host", "bridge"
+# Use bridge for network isolation
 network_mode = "bridge"
+# Drop dangerous capabilities and block privilege escalation
+drop_capabilities = ["AUDIT_WRITE", "MKNOD", "NET_ADMIN", "NET_RAW", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_TIME", "SYS_TTY_CONFIG"]
+no_new_privileges = true
+# Optional: set an AppArmor profile name (e.g., "docker-default") when AppArmor is enabled
+apparmor_profile = ""
+# Limit process count to reduce host impact from fork bombs; set to null to disable
+pids_limit = 512
+# Seccomp profile: empty string uses Docker default; set to an absolute path for a custom profile
+seccomp_profile = ""
+# Make root filesystem read-only to avoid host writes via mounted volumes; disable if your image needs write access to /
+read_only_rootfs = true
 
 
 # -----------------------------------------------------------------

server/example.config.zh.toml

@@ -39,6 +39,17 @@ execd_image = "sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/execd
 # -----------------------------------------------------------------
 # Supported values for network_mode: "host", "bridge"
 network_mode = "bridge"
+# Drop dangerous capabilities and block privilege escalation
+drop_capabilities = ["AUDIT_WRITE", "MKNOD", "NET_ADMIN", "NET_RAW", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_TIME", "SYS_TTY_CONFIG"]
+no_new_privileges = true
+# Optional: set an AppArmor profile name (e.g., "docker-default") when AppArmor is enabled
+apparmor_profile = ""
+# Limit process count to reduce host impact from fork bombs; set to null to disable
+pids_limit = 512
+# Seccomp profile: empty string uses Docker default; set to an absolute path for a custom profile
+seccomp_profile = ""
+# Make root filesystem read-only to avoid host writes via mounted volumes; disable if your image needs write access to /
+read_only_rootfs = true
 
 
 # -----------------------------------------------------------------

server/src/config.py

@@ -127,6 +127,47 @@ class DockerConfig(BaseModel):
         default="host",
         description="Docker network mode for sandbox containers (host, bridge, ...).",
     )
+    drop_capabilities: list[str] = Field(
+        default_factory=lambda: [
+            "AUDIT_WRITE",
+            "MKNOD",
+            "NET_ADMIN",
+            "NET_RAW",
+            "SYS_ADMIN",
+            "SYS_MODULE",
+            "SYS_PTRACE",
+            "SYS_TIME",
+            "SYS_TTY_CONFIG",
+        ],
+        description=(
+            "Linux capabilities to drop from sandbox containers. Defaults to a conservative set to reduce host impact."
+        ),
+    )
+    apparmor_profile: Optional[str] = Field(
+        default=None,
+        description=(
+            "Optional AppArmor profile name applied to sandbox containers. Leave unset to let Docker choose the default."
+        ),
+    )
+    no_new_privileges: bool = Field(
+        default=True,
+        description="Enable the kernel no_new_privileges flag to block privilege escalation inside the container.",
+    )
+    seccomp_profile: Optional[str] = Field(
+        default=None,
+        description=(
+            "Optional seccomp profile name or path applied to sandbox containers. Leave unset to use Docker's default profile."
+        ),
+    )
+    pids_limit: Optional[int] = Field(
+        default=512,
+        ge=1,
+        description="Maximum number of processes allowed per sandbox container. Set to null to disable the limit.",
+    )
+    read_only_rootfs: bool = Field(
+        default=False,
+        description="Mount the container root filesystem as read-only. Disable if images need write access to /.",
+    )
 
 
 class AppConfig(BaseModel):

server/src/services/docker.py

@@ -785,6 +785,22 @@ def _provision_sandbox(
         nano_cpus = parse_nano_cpus(resource_limits.get("cpu"))
 
         host_config_kwargs: Dict[str, Any] = {"network_mode": self.network_mode}
+        security_opts: list[str] = []
+        docker_cfg = self.app_config.docker
+        if docker_cfg.no_new_privileges:
+            security_opts.append("no-new-privileges:true")
+        if docker_cfg.apparmor_profile:
+            security_opts.append(f"apparmor={docker_cfg.apparmor_profile}")
+        if docker_cfg.seccomp_profile:
+            security_opts.append(f"seccomp={docker_cfg.seccomp_profile}")
+        if security_opts:
+            host_config_kwargs["security_opt"] = security_opts
+        if docker_cfg.drop_capabilities:
+            host_config_kwargs["cap_drop"] = docker_cfg.drop_capabilities
+        if docker_cfg.pids_limit is not None:
+            host_config_kwargs["pids_limit"] = docker_cfg.pids_limit
+        if docker_cfg.read_only_rootfs:
+            host_config_kwargs["read_only"] = True
         if mem_limit:
             host_config_kwargs["mem_limit"] = mem_limit
         if nano_cpus:

server/tests/test_docker_service.py

@@ -88,6 +88,37 @@ def test_env_allows_empty_string_and_skips_none():
     assert all(not item.startswith("NONE=") for item in environment)
 
 
+@patch("src.services.docker.docker")
+def test_create_sandbox_applies_security_defaults(mock_docker):
+    mock_client = MagicMock()
+    mock_client.containers.list.return_value = []
+    mock_client.api.create_host_config.return_value = {"host": "cfg"}
+    mock_client.api.create_container.return_value = {"Id": "cid"}
+    mock_client.containers.get.return_value = MagicMock()
+    mock_docker.from_env.return_value = mock_client
+
+    service = DockerSandboxService(config=_app_config())
+    request = CreateSandboxRequest(
+        image=ImageSpec(uri="python:3.11"),
+        timeout=120,
+        resourceLimits=ResourceLimits(root={}),
+        env={},
+        metadata={},
+        entrypoint=["python"],
+    )
+
+    with patch.object(service, "_ensure_image_available"), patch.object(
+        service, "_prepare_sandbox_runtime"
+    ):
+        service.create_sandbox(request)
+
+    host_kwargs = mock_client.api.create_host_config.call_args.kwargs
+    assert "no-new-privileges:true" in host_kwargs["security_opt"]
+    assert host_kwargs["cap_drop"] == service.app_config.docker.drop_capabilities
+    assert host_kwargs["pids_limit"] == service.app_config.docker.pids_limit
+    assert mock_client.api.create_container.call_args.kwargs["host_config"] == {"host": "cfg"}
+
+
 @patch("src.services.docker.docker")
 def test_create_sandbox_rejects_invalid_metadata(mock_docker):
     mock_client = MagicMock()