Default host path binds to read-only #520

Open
kgprs wants to merge 3 commits into main from codex/default-host-binds-readonly

Conversation

kgprs commented Jun 23, 2026 (Contributor)

Summary

  • normalize host-path bind mounts without an explicit mode to :ro by default
  • add MCP_GATEWAY_DOCKER_BIND_ALLOW_WRITABLE_PATHS as a path-scoped override for writable host binds
  • keep explicitly writable host-path binds blocked unless their source is under a configured writable root
  • update bind validation errors to point users at the read-only or writable env var as appropriate
  • add coverage for filesystem-style {{paths|volume|into}} profile config

Why This Is Needed

v0.43.0 hardened Docker volume handling so host-path binds must be read-only. That is a good default, but catalog entries such as the Filesystem server use the volume template helper:

volumes:
  - "{{filesystem.paths|volume|into}}"

With filesystem.paths=["/Users/user/Documents"], that evaluates to:

/Users/user/Documents:/Users/user/Documents

Before this PR, even when the user explicitly allowed the host root:

MCP_GATEWAY_DOCKER_BIND_ALLOWED_PATHS=/Users/user \
  docker mcp gateway run --transport streaming --profile test

the gateway rejected the bind before startup:

Can't start filesystem: validate volume for filesystem: unsafe docker volume "/Users/user/Documents:/Users/user/Documents": host path bind mounts must be read-only

This PR preserves the hardening by converting omitted host bind modes to read-only:

/Users/user/Documents:/Users/user/Documents:ro

Some servers do need write access to user-selected host paths. For that case, the new writable override is explicit and path-scoped:

MCP_GATEWAY_DOCKER_BIND_ALLOW_WRITABLE_PATHS=/Users/user/Documents \
  docker mcp gateway run --transport streaming --profile test

When the bind source is under MCP_GATEWAY_DOCKER_BIND_ALLOW_WRITABLE_PATHS, an omitted mode becomes writable:

/Users/user/Documents:/Users/user/Documents:rw

Explicit source:target:rw binds are also allowed under the configured writable root. Writable roots also count as allowed bind roots, so users do not need to set both env vars for the writable case. Sensitive system and credential paths remain blocked.

Validation

  • go test ./pkg/gateway -run 'TestApplyConfig(VolumeFilter|LongLivedRejectsWritableHostBind|ShortLivedRejectsWritableHostBind)|TestValidateDockerVolumeBinds'
  • go test ./pkg/gateway
  • go test ./pkg/eval
  • Attempted go test ./...; local integration tests in pkg failed before completion with environment/tooling issues including unknown flag: --gateway-arg and MCP initialize EOF. The directly touched gateway package passed.

kgprs marked this pull request as ready for review June 23, 2026 08:29
kgprs requested a review from a team as a code owner June 23, 2026 08:29
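
The mode normalization this PR description lays out, as an added Go example that is not the PR's or the gateway's own code: `normalizeBind` and `underRoot` are hypothetical names, and the two slices stand for the parsed values of the env vars named in the description. It assumes POSIX host paths, compares paths lexically, and leaves out the sensitive-path blocklist, whose contents are not on this page.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// underRoot reports whether p is a root or lies beneath one, matching on a
// separator boundary (/Users/user2 is not under /Users/user); lexical only.
func underRoot(p string, roots []string) bool {
	for _, r := range roots {
		r = path.Clean(r)
		if p == r || strings.HasPrefix(p, strings.TrimSuffix(r, "/")+"/") {
			return true
		}
	}
	return false
}

// normalizeBind is a hypothetical helper, not the gateway's function. allowed
// and writable stand for the parsed MCP_GATEWAY_DOCKER_BIND_ALLOWED_PATHS and
// MCP_GATEWAY_DOCKER_BIND_ALLOW_WRITABLE_PATHS values (POSIX paths assumed).
func normalizeBind(spec string, allowed, writable []string) (string, error) {
	f := strings.Split(spec, ":")
	if len(f) < 2 || len(f) > 3 || !path.IsAbs(f[0]) {
		return "", fmt.Errorf("not a host-path bind: %q", spec)
	}
	// Clean first so ".." segments cannot escape a root; mode is "" if omitted.
	src, mode := path.Clean(f[0]), strings.Join(f[2:], "")
	canWrite := underRoot(src, writable) // writable roots also count as allowed
	switch {
	case !canWrite && !underRoot(src, allowed):
		return "", fmt.Errorf("%q: source is outside the allowed bind roots", spec)
	case mode == "" && canWrite:
		mode = "rw"
	case mode == "":
		mode = "ro" // the safe default when no mode is given
	case mode == "rw" && !canWrite:
		return "", fmt.Errorf("%q: writable bind outside the writable roots", spec)
	case mode != "ro" && mode != "rw":
		return "", fmt.Errorf("%q: unsupported mode %q", spec, mode)
	}
	return src + ":" + f[1] + ":" + mode, nil
}

func main() {
	fmt.Println(normalizeBind("/Users/user/Documents:/Users/user/Documents", []string{"/Users/user"}, nil))
}
```
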