Description
Summary
When --allow-full-filesystem-access is used, the host filesystem is mounted at /host. The tmpfs overlay that hides /tmp/gh-aw/mcp-logs/ covers only that direct path, not its alias /host/tmp/gh-aw/mcp-logs/, so the agent can read the MCP server logs through the /host mount.
Reproduction
```shell
sudo awf --allow-full-filesystem-access --allow-domains example.com \
  "cat /host/tmp/gh-aw/mcp-logs/*.log"
```

This successfully reads the MCP logs even though /tmp/gh-aw/mcp-logs/ has a tmpfs overlay.
Root Cause
In src/docker-manager.ts, the tmpfs overlay for MCP logs is added at:
- Normal mode: /tmp/gh-aw/mcp-logs
- Chroot mode: /host/tmp/gh-aw/mcp-logs

But when --allow-full-filesystem-access is used in normal mode, the host is also mounted at /host, so the same directory is reachable as /host/tmp/gh-aw/mcp-logs while the tmpfs covers only the direct /tmp/gh-aw/mcp-logs path.
Impact
MCP server logs may contain:
- Workflow execution details
- Tool invocation parameters
- Internal state information
- Potentially sensitive data passed through MCP tool calls
Proposed Fix
When --allow-full-filesystem-access is enabled and the host is mounted at /host, also add a tmpfs overlay for /host/tmp/gh-aw/mcp-logs.
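The following is an added example, not code from the awf project or from src/docker-manager.ts: a small TypeScript model of the overlay selection covering both the root cause and the proposed fix. It enumerates every path at which the host filesystem is visible inside the container and derives one tmpfs overlay per view, so the /host alias is covered whenever the /host mount exists. The option names, the helper functions and the way host views are enumerated are assumptions made for illustration; only the two paths, the /host mount and docker's --tmpfs flag come from the issue.

```typescript
import * as path from "path";

// Assumed option shape mirroring the two awf flags discussed in the issue;
// the real option names in docker-manager.ts may differ.
interface MountOptions {
  chrootMode: boolean;                 // host mounted at /host and chrooted into
  allowFullFilesystemAccess: boolean;  // --allow-full-filesystem-access
}

const MCP_LOG_DIR = "/tmp/gh-aw/mcp-logs";
const HOST_MOUNT = "/host";

// Every prefix under which the host filesystem is visible inside the
// container. "" is the direct view (normal mode only); /host exists in
// chroot mode and whenever full filesystem access is granted.
function hostViewPrefixes(opts: MountOptions): string[] {
  const prefixes: string[] = [];
  if (!opts.chrootMode) prefixes.push("");
  if (opts.chrootMode || opts.allowFullFilesystemAccess) prefixes.push(HOST_MOUNT);
  return prefixes;
}

// Behaviour the issue describes: a single overlay chosen by mode alone,
// which ignores the /host alias that full filesystem access adds.
function tmpfsPathsBefore(opts: MountOptions): string[] {
  return [opts.chrootMode ? path.posix.join(HOST_MOUNT, MCP_LOG_DIR) : MCP_LOG_DIR];
}

// Proposed fix: one overlay per view of the host filesystem.
function tmpfsPathsAfter(opts: MountOptions): string[] {
  return hostViewPrefixes(opts).map((p) => path.posix.join(p, MCP_LOG_DIR));
}

// Render the overlay list as `docker run` arguments (--tmpfs is a real
// docker run flag; the rest of the command line is out of scope here).
function tmpfsArgs(tmpfsPaths: string[]): string[] {
  return tmpfsPaths.flatMap((p) => ["--tmpfs", p]);
}

// Regression check: any view of the log directory not hidden by a tmpfs.
// Empty result means the agent has no path to the logs.
function uncoveredLogPaths(opts: MountOptions, tmpfsPaths: string[]): string[] {
  const covered = new Set(tmpfsPaths);
  return hostViewPrefixes(opts)
    .map((p) => path.posix.join(p, MCP_LOG_DIR))
    .filter((p) => !covered.has(p));
}

// Stand-alone demonstration of the reported configuration.
const reported: MountOptions = { chrootMode: false, allowFullFilesystemAccess: true };
console.log("before:", uncoveredLogPaths(reported, tmpfsPathsBefore(reported))); // ["/host/tmp/gh-aw/mcp-logs"]
console.log("after: ", uncoveredLogPaths(reported, tmpfsPathsAfter(reported)));  // []
console.log("args:  ", tmpfsArgs(tmpfsPathsAfter(reported)));
```

Deriving the overlays from the list of host views rather than from the mode flag is the point of the example: a future mount that exposes the host under a third prefix would then be covered automatically, and the uncoveredLogPaths check can be turned into a unit test that fails whenever a view is added without its overlay.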
Added By
PR #706 (feat: hide /tmp/gh-aw/mcp-logs/ from agent containers). The Copilot PR reviewer flagged this exact gap, but the comment was suppressed because of its low confidence score.