From 172a38c344a372296ea995258d2251be4245ba04 Mon Sep 17 00:00:00 2001
From: teknium1
Date: Mon, 9 Mar 2026 17:52:33 -0700
Subject: [PATCH] fix: Docker persistent bind mounts fail with Permission denied
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cap-drop ALL removes DAC_OVERRIDE, which root needs to write to bind-mounted directories owned by the host user (uid 1000). This broke persistent Docker sandboxes — the container couldn't write to /workspace or /root. Add back the minimum capabilities needed: - DAC_OVERRIDE: root can write to bind-mounted dirs owned by host user - CHOWN: package managers (pip, npm, apt) need to set file ownership - FOWNER: needed for operations on files owned by other users Still drops all other capabilities (NET_RAW, SYS_ADMIN, etc.) and keeps no-new-privileges. Security boundary is the container itself. Verified end-to-end: create files → destroy container → new container with same task_id → files persist on host and are accessible in the new container.
---
tools/environments/docker.py | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/tools/environments/docker.py b/tools/environments/docker.py
index 85184fde..faf01b2a 100644
--- a/tools/environments/docker.py
+++ b/tools/environments/docker.py
@@ -22,10 +22,16 @@ logger = logging.getLogger(__name__)
 # Security flags applied to every container.
 # The container itself is the security boundary (isolated from host).
-# We drop all capabilities, block privilege escalation, and limit PIDs.
+# We drop all capabilities then add back the minimum needed:
+# DAC_OVERRIDE - root can write to bind-mounted dirs owned by host user
+# CHOWN/FOWNER - package managers (pip, npm, apt) need to set file ownership
+# Block privilege escalation and limit PIDs.
 # /tmp is size-limited and nosuid but allows exec (needed by pip/npm builds).
 _SECURITY_ARGS = [
 "--cap-drop", "ALL",
+ "--cap-add", "DAC_OVERRIDE",
+ "--cap-add", "CHOWN",
+ "--cap-add", "FOWNER",
 "--security-opt", "no-new-privileges",
 "--pids-limit", "256",
 "--tmpfs", "/tmp:rw,nosuid,size=512m",
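Review bot: The three `--cap-add` entries are placed in `_SECURITY_ARGS`, which the comment above it describes as applied to every container, while the commit message ties the need for DAC_OVERRIDE to persistent bind mounts only; sandboxes with no host bind mount would now run with capabilities they previously did without. If the non-persistent path worked with all capabilities dropped, consider leaving `_SECURITY_ARGS` at `--cap-drop ALL` and adding a separate list such as `_BIND_MOUNT_CAP_ARGS = ["--cap-add", "DAC_OVERRIDE", "--cap-add", "CHOWN", "--cap-add", "FOWNER"]` that is appended only when a persistent mount is configured; the code that assembles the run command is outside this hunk, so this needs checking against it. The comment should also state that with DAC_OVERRIDE the container's root ignores file modes and ownership inside the bind-mounted host directory, so the choice of mounted path, not host file permissions, is what limits access there. `_SECURITY_ARGS` continues past the end of the hunk.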