Isolation boundary finding from run 24126129940.
Summary
Within the agent container, runner-owned processes can read other runner-owned processes' /proc/<pid>/environ entries and observe token-like variable presence and non-zero length. In this run, AWF_ONE_SHOT_TOKENS was observable (key name + length only; value intentionally not captured).
This indicates an intra-UID process isolation gap for environment-resident secret material.
Boundary Type
Process isolation / secret exposure via procfs (/proc/<pid>/environ) across same UID.
Methodology
Focused deep-dive on process boundary controls:
- Process lineage and proc metadata correlation (ps, /proc/<pid>/status, /proc/<pid>/stat)
- Same-UID key+length-only census over /proc/<pid>/environ
- Cross-process syscall barriers tested with synthetic probes:
  - process_vm_readv (expected denied, observed EPERM)
  - pidfd_open + pidfd_getfd (expected denied, observed EPERM)
Reproduction (value-safe)
- Identify active runner-owned PIDs in the process chain (e.g., awf-cmd-1.sh, bash, node, codex).
- For each PID, parse /proc/<pid>/environ as NUL-separated entries.
- Check for AWF_ONE_SHOT_TOKENS key presence only and compute length only from the matched entry.
- Observe non-zero length across multiple same-UID processes.
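The key+length-only census from the steps above, as an added audit sketch (not Secret Digger's own code). The `proc_root` and `uid` parameters and the `SAMPLE` blob are assumptions introduced here so the check can run against a fixture; values are measured and discarded, never stored or printed.

```python
import os

TARGET_KEY = "AWF_ONE_SHOT_TOKENS"  # variable name reported in this finding

def key_lengths(environ_bytes):
    """Parse a /proc/<pid>/environ blob into {key: value_length}.

    Only the length of each value is kept; the value itself is dropped.
    """
    out = {}
    for entry in environ_bytes.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if not sep or not key:
            continue  # empty trailing entry, or a process rewrote its environ area
        out.setdefault(key.decode("utf-8", "replace"), len(value))
    return out

def census(proc_root="/proc", key=TARGET_KEY, uid=None):
    """Return {pid: value_length} for processes owned by `uid` that carry `key`."""
    uid = os.getuid() if uid is None else uid
    hits = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue  # skip non-PID entries such as "self" or "sys"
        path = os.path.join(proc_root, name)
        try:
            if os.stat(path).st_uid != uid:
                continue
            with open(os.path.join(path, "environ"), "rb") as fh:
                lengths = key_lengths(fh.read())
        except OSError:
            continue  # process exited mid-scan, or the read was denied
        if key in lengths:
            hits[int(name)] = lengths[key]
    return hits

# Constructed sample blob (placeholder value, not a real token).
SAMPLE = (b"PATH=/usr/bin\0" + TARGET_KEY.encode() + b"=" + b"x" * 12
          + b"\0HOME=/home/runner\0")

if __name__ == "__main__":
    for pid, length in sorted(census().items()):
        print(f"pid={pid} {TARGET_KEY} present, length={length}")
```

An empty result after a mitigation is applied means the key is no longer visible to same-UID readers through procfs environ.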
Observed Results
- /proc/<pid>/environ for runner processes is mode 0400 and readable by same UID.
- AWF_ONE_SHOT_TOKENS key appeared in multiple runner-owned processes with non-zero length.
- No secret values were extracted or logged.
- Additional hardening controls are present (process_vm_readv and pidfd_getfd denied with EPERM), but procfs environ visibility remains.
Version Information
- Lock file: .github/workflows/secret-digger-codex.lock.yml
  - cli_version field: not present in lock metadata
  - compiler_version: v0.67.2
- Generated-by header: gh-aw (v0.67.2)
Suggested Mitigations
- Avoid storing sensitive token material in process environments where possible.
- Consider process-level secret delivery mechanisms that are not exposed via procfs environ.
- Consider additional procfs isolation hardening where compatible with runner operation.
Generated by Secret Digger (Codex)