Commit dc78f40

fix: Block firewall binary variants in policy blocker deny list
1 parent 5ef9084 commit dc78f40

3 files changed

Lines changed: 6 additions & 2 deletions

.claude/hooks/devcontainer-policy-blocker.sh

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -105,7 +105,11 @@ done
105105
# --- Firewall tampering (all tiers) ---
106106
BLOCKED_FIREWALL=(
107107
'iptables '
108+
'iptables-legacy '
109+
'iptables-nft '
108110
'ip6tables '
111+
'ip6tables-legacy '
112+
'ip6tables-nft '
109113
'ipset '
110114
'nft '
111115
'init-firewall'
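Review bot: the four new entries are needed only because every pattern in BLOCKED_FIREWALL is a literal substring with a trailing space, so `'iptables '` never matches `iptables-legacy` or `iptables-nft`; the same limitation means this list has to grow by one entry for every further name in the family (`iptables-restore`, `iptables-save` and their ip6 counterparts are real binaries that remain unlisted). Consider matching the binary name on a word boundary (for example `iptables[a-z-]*`) instead of enumerating literal prefixes, and note that a bare `ip6tables-nft` with no trailing argument at the end of a command still escapes the trailing-space patterns.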

docs/DEVCONTAINER_PERMISSIONS.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,7 @@ Regardless of tier, these layers provide defense-in-depth:
2323
- **unicode-injection-scanner.sh**: Blocks zero-width chars, RTL overrides in file content
2424
- **firewall-edit-blocker.sh**: Blocks edits to `init-firewall.sh` and sudoers files
2525
- **devcontainer-policy-blocker.sh**: Catches denied patterns in chained commands (including firewall commands)
26-
- **Base deny rules (settings.json)**: gh secret/auth/ssh-key/gpg-key, git clean/config, uv self
26+
- **Base deny rules (settings.json)**: gh secret/auth/ssh-key/gpg-key, git clean/config, uv self, firewall commands (`sudo` is only denied in tier files since bare-metal users may need it)
2727

2828
## Denied Commands and Approved Alternatives
2929

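Review bot: this line now states that firewall commands are part of the base deny rules in settings.json, but the commit touches only the hook script, this document and the test; no settings.json change is in the diff. Either the deny entries already exist in settings.json from an earlier commit, in which case a short pointer to them here would help, or the documentation is ahead of the configuration and the bullet should be reverted until the rules land. It would also be worth adding to the devcontainer-policy-blocker.sh bullet above that the blocked set covers the `-legacy` and `-nft` variants, since that is the behaviour this commit changes.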
tests/test_hooks.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -238,5 +238,5 @@ class TestPolicyBlockerFirewallPatterns:
238238

239239
def test_policy_blocker_blocks_firewall_commands(self) -> None:
240240
content = (HOOKS_DIR / "devcontainer-policy-blocker.sh").read_text(encoding="utf-8")
241-
for pattern in ["iptables ", "ip6tables ", "ipset ", "nft ", "init-firewall"]:
241+
for pattern in ["iptables ", "iptables-legacy ", "iptables-nft ", "ip6tables ", "ip6tables-legacy ", "ip6tables-nft ", "ipset ", "nft ", "init-firewall"]:
242242
assert pattern in content, f"devcontainer-policy-blocker missing firewall pattern: {pattern}"
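Review bot: the assertion only checks that each literal appears somewhere in the script's text, so it would still pass if a pattern were moved into a comment or out of the BLOCKED_FIREWALL array, and it can never fail on a command the hook lets through. Add a behavioural case beside this one that runs the hook against sample commands such as `iptables-nft -F` and `sudo ip6tables-legacy -L` and asserts on the non-zero exit status, and keep the pattern list in one place (a module-level constant) rather than an inline literal that has to be edited in step with the shell array.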
