mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-04-25 00:51:20 +00:00
fix(docker): remove --read-only and allow exec on /tmp for package installs
The Docker sandbox previously used --read-only on the root filesystem and noexec on /tmp. This broke 30+ skills that need to install packages:
- npm install -g (codex, claude-code, mcporter, powerpoint)
- pip install (20+ mlops/media/productivity skills)
- apt install (minecraft-modpack-server, ml-paper-writing)
- Build tools that compile in /tmp (pip wheels, node-gyp)

The container is already fully isolated from the host. Industry standard (E2B, Docker Sandboxes, OpenAI Codex) does not use --read-only — the container itself is the security boundary.

Retained security hardening:
- --cap-drop ALL (zero capabilities)
- --security-opt no-new-privileges (no escalation)
- --pids-limit 256 (no fork bombs)
- Size-limited tmpfs for /tmp, /var/tmp, /run
- nosuid on all tmpfs mounts
- noexec on /var/tmp and /run (rarely need exec there)
- Resource limits (CPU, memory, disk)
- Ephemeral containers (destroyed after use)

Fixes #189.
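As an added example (not code from this commit or from hermes-agent), the following audit checks the `HostConfig` section of `docker inspect` output for the controls the commit message lists as retained once `--read-only` is gone: capabilities dropped, no-new-privileges, a PID limit, and size-limited nosuid tmpfs mounts with noexec kept on /var/tmp and /run but not on /tmp. The two HostConfig fragments are constructed samples; field names follow Docker's HostConfig schema.

```python
"""Audit a container's HostConfig (from `docker inspect <id>`) for the
hardening the commit message says is retained once --read-only is gone."""
import json

EXEC_ALLOWED = ("/tmp",)               # package installs need exec here
EXEC_DENIED = ("/var/tmp", "/run")     # noexec stays on these mounts

# Constructed sample HostConfig fragments (not real inspect output).
HARDENED = json.loads("""{
  "ReadonlyRootfs": false, "CapDrop": ["ALL"],
  "SecurityOpt": ["no-new-privileges"], "PidsLimit": 256,
  "Tmpfs": {"/tmp": "rw,nosuid,size=512m",
            "/var/tmp": "rw,nosuid,noexec,size=64m",
            "/run": "rw,nosuid,noexec,size=16m"}}""")
WEAK = json.loads("""{
  "ReadonlyRootfs": false, "CapDrop": [],
  "SecurityOpt": [], "PidsLimit": 0,
  "Tmpfs": {"/tmp": "rw,size=512m", "/var/tmp": "rw,nosuid,size=64m"}}""")

def tmpfs_opts(spec):
    """Split 'rw,nosuid,size=64m' into a set of option tokens."""
    return {o.strip() for o in spec.split(",") if o.strip()}

def audit_host_config(hc):
    """Return findings; an empty list means every retained control is present."""
    findings = []
    if "ALL" not in (hc.get("CapDrop") or []):
        findings.append("CapDrop: ALL missing")
    if not any(o.startswith("no-new-privileges") for o in hc.get("SecurityOpt") or []):
        findings.append("SecurityOpt: no-new-privileges missing")
    if not hc.get("PidsLimit"):
        findings.append("PidsLimit: unset")
    tmpfs = hc.get("Tmpfs") or {}
    for path in EXEC_ALLOWED + EXEC_DENIED:
        if path not in tmpfs:
            findings.append(f"{path}: not a tmpfs mount")
            continue
        opts = tmpfs_opts(tmpfs[path])
        if "nosuid" not in opts:
            findings.append(f"{path}: nosuid missing")
        if not any(o.startswith("size=") for o in opts):
            findings.append(f"{path}: no size limit")
        if path in EXEC_DENIED and "noexec" not in opts:
            findings.append(f"{path}: noexec missing")
    return findings

if __name__ == "__main__":
    print(audit_host_config(HARDENED))   # []
    for f in audit_host_config(WEAK):
        print("FINDING:", f)
```

Against a live container, pass `json.load(...)[0]["HostConfig"]` from `docker inspect` into `audit_host_config`.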
parent e265006fd6
commit 866fd9476b
3 changed files with 19 additions and 15 deletions
@ -769,7 +769,7 @@ Hermes includes multiple layers of security beyond sandboxed terminals and exec
| **Write deny list with symlink resolution** | Protected paths (`~/.ssh/authorized_keys`, `/etc/shadow`, etc.) are resolved via `os.path.realpath()` before comparison, preventing symlink bypass |
| **Recursive delete false-positive fix** | Dangerous command detection uses precise flag-matching to avoid blocking safe commands |
| **Code execution sandbox** | `execute_code` scripts run in a child process with API keys and credentials stripped from the environment |
| **Container hardening** | Docker containers run with read-only root, all capabilities dropped, no privilege escalation, PID limits |
| **Container hardening** | Docker containers run with all capabilities dropped, no privilege escalation, PID limits, size-limited tmpfs |
| **DM pairing** | Cryptographically random pairing codes with 1-hour expiry and rate limiting |
| **User allowlists** | Default deny-all for messaging platforms; explicit allowlists or DM pairing required |
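Review bot: the replacement "Container hardening" row drops "read-only root" but does not say what took its place, so a reader of the README no longer learns the two facts the commit message states: the root filesystem is now writable inside an ephemeral container, and noexec is kept on /var/tmp and /run while /tmp allows exec for package installs. Suggest spelling that out in the row, e.g. `| **Container hardening** | Docker containers are ephemeral and run with all capabilities dropped, no privilege escalation, PID limits, and size-limited nosuid tmpfs mounts (noexec on /var/tmp and /run) |`, so the documentation matches the flags the commit retains.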