Summary
Set no-new-privileges as the default Docker security option for all clawker agent containers. This prevents any process inside the container from gaining privileges via SUID binaries or file capabilities.
Context
During a live penetration test from inside an agent container (2026-04-01), the following was confirmed:
NoNewPrivs is currently not set (value 0 in /proc/self/status)- The container image ships 13 SUID binaries (
su, sudo, mount, newgrp, passwd, chfn, chsh, gpasswd, chage, expiry, umount, ssh-keysign, ssh-agent)
- The capability bounding set includes
NET_ADMIN — meaning root can flush iptables (the firewall)
No privilege escalation was achieved (the agent user isn't in sudoers and root's password is unknown), but no-new-privileges would eliminate the entire class of SUID/file-capability escalation as a defense-in-depth measure.
Proof of concept
NoNewPrivs=0 (current default): ping 127.0.0.1 → succeeds (gains cap_net_raw)
After prctl(SET_NO_NEW_PRIVS, 1): ping 127.0.0.1 → fails (cap_net_raw blocked)
Proposal
Add no-new-privileges to the default HostConfig.SecurityOpt in CreateContainer(). The flag is already supported via --security-opt on clawker run / clawker create — this just makes it the default.
What it blocks
All future SUID and file-capability privilege escalation CVEs inside the container.
What it breaks
ping stops working inside containers (loses cap_net_raw from file capabilities). Nothing else the agent does relies on SUID or file capabilities.
Implementation
internal/cmd/container/shared/container_create.go — add "no-new-privileges" to the default SecurityOpt slice in the host config construction.
Related
- Pentest report:
.claude/artifacts/redteam/live-pentest-2026-04-01.md
- Prior red team finding:
.claude/artifacts/redteam/report-2026-03-30.md (RECON-01)
Also consider as a follow-up: dropping NET_ADMIN and NET_RAW from the capability bounding set after firewall rules are applied, so that even a root compromise cannot modify iptables.
Summary
Set
no-new-privilegesas the default Docker security option for all clawker agent containers. This prevents any process inside the container from gaining privileges via SUID binaries or file capabilities.Context
During a live penetration test from inside an agent container (2026-04-01), the following was confirmed:
NoNewPrivsis currently not set (value 0 in/proc/self/status)su,sudo,mount,newgrp,passwd,chfn,chsh,gpasswd,chage,expiry,umount,ssh-keysign,ssh-agent)NET_ADMIN— meaning root can flush iptables (the firewall)No privilege escalation was achieved (the agent user isn't in sudoers and root's password is unknown), but
no-new-privilegeswould eliminate the entire class of SUID/file-capability escalation as a defense-in-depth measure.Proof of concept
Proposal
Add
no-new-privilegesto the defaultHostConfig.SecurityOptinCreateContainer(). The flag is already supported via--security-optonclawker run/clawker create— this just makes it the default.What it blocks
All future SUID and file-capability privilege escalation CVEs inside the container.
What it breaks
pingstops working inside containers (losescap_net_rawfrom file capabilities). Nothing else the agent does relies on SUID or file capabilities.Implementation
internal/cmd/container/shared/container_create.go— add"no-new-privileges"to the defaultSecurityOptslice in the host config construction.Related
.claude/artifacts/redteam/live-pentest-2026-04-01.md.claude/artifacts/redteam/report-2026-03-30.md(RECON-01)Also consider as a follow-up: dropping
NET_ADMINandNET_RAWfrom the capability bounding set after firewall rules are applied, so that even a root compromise cannot modify iptables.