Summary
A container isolation boundary concern was observed in run 24141696781: unprivileged processes in the agent sandbox can read host-identifying DMI metadata from /sys/class/dmi/id/*, including the product_uuid path.
No secret values were captured in this report. Validation used readability checks and byte-length-only measurements.
Boundary Type
Filesystem/runtime metadata isolation leak (host hardware identity exposure via sysfs).
Why this matters
Even without direct credential leakage, stable hardware identity fields can support environment fingerprinting and cross-run correlation, which weakens isolation guarantees for multi-tenant CI environments.
Reproduction (value-safe)
Run inside the agent container:
- Readability matrix:
for f in bios_vendor bios_version board_name board_vendor product_name product_uuid sys_vendor; do
  p=/sys/class/dmi/id/$f
  [ -e "$p" ] || continue
  printf '%s ' "$p"
  [ -r "$p" ] && echo readable || echo unreadable
done
- Length-only probe (no content output):
for f in bios_vendor bios_version board_name board_vendor product_name product_uuid sys_vendor; do
  p=/sys/class/dmi/id/$f
  [ -r "$p" ] || continue
  printf '%s bytes=' "$f"
  wc -c < "$p"
done
Observed Results
- All tested DMI files above were readable from the sandbox process.
- Non-zero byte lengths were observed for these fields, including product_uuid.
- Cross-checks showed some other identity files were absent (/etc/machine-id, /var/lib/dbus/machine-id), but DMI sysfs remained exposed.
Environment / Version
- Repository: github/gh-aw-firewall
- Workflow run: 24141696781
- Lock file: .github/workflows/secret-digger-codex.lock.yml
- cli_version: field not present in lock metadata
- compiler_version: v0.67.2
- GH_AW_INFO_CLI_VERSION: v0.67.2
Suggested mitigation
- Mask or unmount /sys/class/dmi (or at least /sys/class/dmi/id/*) inside the agent container.
- If full masking is not possible, expose a minimal filtered sysfs view that excludes host-unique identifiers (especially UUID-like fields).
- Add an integration test to assert DMI identity files are unreadable in the sandbox.
Generated by Secret Digger (Codex)
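One way to write the integration test suggested under "Suggested mitigation", as an added example (not code from this report or from gh-aw-firewall). The function name `assert_dmi_masked` and the rule that a zero-length file counts as masked (for instance a /dev/null bind mount) are assumptions.

```shell
#!/bin/sh
# Added example. Value-safe like the probes in the report: prints field
# names and byte counts only, never file contents.

# Same field list the report probed.
DMI_FIELDS="bios_vendor bios_version board_name board_vendor product_name product_uuid sys_vendor"

# assert_dmi_masked [DIR]   (hypothetical helper name)
# Returns 0 when no field under DIR yields readable, non-empty content.
# A missing file, an unreadable file, and a zero-length file are all
# treated as masked (assumption: masking may be done by bind-mounting
# an empty file over the sysfs entry).
assert_dmi_masked() {
    dir=${1:-/sys/class/dmi/id}
    exposed=0
    for f in $DMI_FIELDS; do
        p=$dir/$f
        [ -e "$p" ] || continue
        [ -r "$p" ] || continue
        # Count bytes by actually reading the file; the data is discarded.
        n=$( { wc -c < "$p"; } 2>/dev/null | tr -d ' ')
        if [ "${n:-0}" -gt 0 ]; then
            printf 'EXPOSED %s bytes=%s\n' "$f" "$n"
            exposed=$((exposed + 1))
        fi
    done
    # Exit status is the test verdict: 0 = masked, 1 = at least one leak.
    [ "$exposed" -eq 0 ]
}
```

Run `assert_dmi_masked` with no argument as a step inside the agent container; a non-zero exit status fails the job and names the fields that are still exposed.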