## Summary

The bubblewrap setup mounts full `/proc` and `/dev` namespaces. Scripts can read `/proc/self/mem`, walk `/proc/[pid]/cmdline` for sibling processes, and access `/dev/*` devices.

## Where

`packages/runtime/src/band-server.ts:243-244`

## Impact

- `/proc/[pid]/cmdline` exposes command lines of other processes, including the brief `base64 -d` subprocess that decodes secrets (see /proc and /dev fully mounted in bubblewrap sandbox #28).
- `/proc/self/mem` can be used to introspect or modify the band-runner process memory (limited by uid).
- `/dev/*` exposes raw device nodes (most are 0660 root:disk and not readable by band-runner, but `/dev/null`, `/dev/zero`, `/dev/urandom`, and `/dev/tty` are).

## Fix

Replace the full mounts with minimal equivalents:

- `--proc /proc` → leave out, or use `--ro-bind /proc/self /proc/self` if /proc/self is required
- `--dev /dev` → use `--dev-bind /dev/null /dev/null`, `--dev-bind /dev/zero /dev/zero`, `--dev-bind /dev/urandom /dev/urandom`

Most scripts only need `/dev/null` and `/dev/urandom`. Verify by running the skill tests after restricting.
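
A probe that can run inside the sandbox alongside the skill tests to confirm the restriction took effect. This is an added example, not code from the project: the function name `audit_sandbox`, the `ALLOWED_DEV` list (taken from the device nodes named in the fix above) and the optional root argument used for auditing a constructed tree are all assumptions.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper, not part of the project).
# Reports what a sandboxed script can still see under /proc and /dev.

# Assumption: the only device nodes the sandbox should expose, per the fix above.
ALLOWED_DEV="null zero urandom"

# audit_sandbox [ROOT] [SELF_PID]
#   ROOT     prefix of the tree to inspect (default: the real / of the sandbox)
#   SELF_PID PID to treat as "our own" (default: this shell's PID)
# Prints one finding per line; returns 0 when nothing unexpected is visible.
audit_sandbox() {
  local root="${1:-}" self="${2:-$$}" findings=0 entry name

  # Any other numeric /proc entry with a readable cmdline means the
  # command lines of sibling processes are exposed.
  for entry in "$root"/proc/[0-9]*; do
    [ -e "$entry" ] || continue
    name="${entry##*/}"
    if [ "$name" != "$self" ] && [ -r "$entry/cmdline" ]; then
      echo "proc: cmdline of pid $name is readable"
      findings=$((findings + 1))
    fi
  done

  # Anything under /dev that is not on the allowlist came from a broad mount.
  for entry in "$root"/dev/*; do
    [ -e "$entry" ] || continue
    name="${entry##*/}"
    case " $ALLOWED_DEV " in
      *" $name "*) continue ;;
    esac
    echo "dev: unexpected node /dev/$name"
    findings=$((findings + 1))
  done

  [ "$findings" -eq 0 ]
}

# Usage inside the sandbox:  audit_sandbox || exit 1
```

If other sandbox processes (for example the launcher) are expected to be visible, list their PIDs as exceptions before treating a `proc:` finding as a failure.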