smolmachines: scope TSI allowlist to a per-bottle loopback alias (v2) #75

New Issue

Closed

opened 2026-05-27 15:58:22 -04:00 by didericis-claude · 1 comment

didericis-claude commented 2026-05-27 15:58:22 -04:00

Collaborator

Copy Link

Copy Source

Context

The Docker-Desktop fix (PR #74) routes the smolmachines agent through 127.0.0.1:<host port> loopback forwards instead of the bundle's docker-bridge IP. Necessary because Docker Desktop's daemon runs inside its own Linux VM and bridge IPs aren't reachable from macOS networking.

Side effect: the TSI allowlist is now 127.0.0.1/32, and TSI filters by IP only — no port granularity. So the agent VM can reach any service bound to macOS's loopback, not just the bundle's published ports: postgres on 5432, dev servers on 3000, other bottles' published ports, mDNSResponder, cupsd, etc. The docker backend keeps the bottle on a --internal docker network and doesn't have this issue.

See PRD 0023 open question #8 + the README "Smolmachines backend (experimental, macOS-only)" subsection for the full discussion.

Proposed fix

Bind each bottle's bundle ports on a per-bottle loopback alias (e.g. 127.0.0.2 for bottle A, 127.0.0.3 for B), set TSI's allowlist to that single /32. Macros loopback aliases require ifconfig lo0 alias <ip> — sudo on macOS. Options:

• A small setuid helper shipped alongside the launcher that adds aliases on-demand.
• A prompt-once setup step (./cli.py smolvm-setup) that adds a reserved /28 of aliases (127.0.0.16 .. 127.0.0.31) and assigns one per bottle from a pool.
• A privilege-helper LaunchDaemon (heavier, more macOS-native).

v2 candidate; v1 ships with the loopback widening documented.

Acceptance

• TSI allowlist = <per-bottle-loopback-alias>/32, not 127.0.0.1/32.
• Two simultaneous bottles can't see each other's published ports.
• Manual probe: agent VM cannot connect to a sentinel service on 127.0.0.1:<other-port> while the bottle is running.
• README + PRD 0023 updated to note the resolution.

## Context The Docker-Desktop fix (PR #74) routes the smolmachines agent through `127.0.0.1:<host port>` loopback forwards instead of the bundle's docker-bridge IP. Necessary because Docker Desktop's daemon runs inside its own Linux VM and bridge IPs aren't reachable from macOS networking. **Side effect**: the TSI allowlist is now `127.0.0.1/32`, and TSI filters by IP only — no port granularity. So the agent VM can reach **any service bound to macOS's loopback**, not just the bundle's published ports: postgres on 5432, dev servers on 3000, other bottles' published ports, mDNSResponder, cupsd, etc. The docker backend keeps the bottle on a `--internal` docker network and doesn't have this issue. See PRD 0023 open question #8 + the README "Smolmachines backend (experimental, macOS-only)" subsection for the full discussion. ## Proposed fix Bind each bottle's bundle ports on a per-bottle loopback alias (e.g. `127.0.0.2` for bottle A, `127.0.0.3` for B), set TSI's allowlist to that single /32. Macros loopback aliases require `ifconfig lo0 alias <ip>` — sudo on macOS. Options: - A small setuid helper shipped alongside the launcher that adds aliases on-demand. - A prompt-once setup step (`./cli.py smolvm-setup`) that adds a reserved /28 of aliases (`127.0.0.16` .. `127.0.0.31`) and assigns one per bottle from a pool. - A privilege-helper LaunchDaemon (heavier, more macOS-native). v2 candidate; v1 ships with the loopback widening documented. ## Acceptance - TSI allowlist = `<per-bottle-loopback-alias>/32`, not `127.0.0.1/32`. - Two simultaneous bottles can't see each other's published ports. - Manual probe: agent VM cannot connect to a sentinel service on `127.0.0.1:<other-port>` while the bottle is running. - README + PRD 0023 updated to note the resolution.

didericis-claude referenced this issue 2026-05-27 16:23:35 -04:00

feat(smolmachines): per-bottle loopback alias scopes TSI to single /32 #76

didericis-claude referenced this issue 2026-05-27 16:38:22 -04:00

feat(smolmachines): per-bottle loopback alias scopes TSI to single /32 #76

didericis-claude commented 2026-05-27 18:08:01 -04:00

Author

Collaborator

Copy Link

Copy Source

Resolved by #76. Each bottle now reserves a unique 127.0.0.16 .. 127.0.0.31 loopback alias, the bundle's port-forwards bind there, and the agent's TSI allowlist is the alias's /32. Smolvm 0.8.0 silently drops --allow-cidr when combined with --from, so the launcher patches smolvm's persistent state DB (~/Library/Application Support/smolvm/server/smolvm.db, vms.data BLOB) between machine create and machine start to set allowed_cidrs directly — smolvm reads it on start and TSI enforces.

End-to-end verified on Docker Desktop / macOS:

VM → 127.0.0.1:3000      → BLOCKED (Permission denied)   [host probe outside the bottle's /32]
VM → 8.8.8.8:53          → BLOCKED (Permission denied)
VM → 127.0.0.16:<bundle> → CONNECTED                     [bottle's own bundle, in allowlist]

The DB-patch hack is tagged temporary — when smolvm honors --allow-cidr with --from upstream, loopback_alias.force_allowlist becomes a no-op call to remove.

Resolved by #76. Each bottle now reserves a unique `127.0.0.16` .. `127.0.0.31` loopback alias, the bundle's port-forwards bind there, and the agent's TSI allowlist is the alias's `/32`. Smolvm 0.8.0 silently drops `--allow-cidr` when combined with `--from`, so the launcher patches smolvm's persistent state DB (`~/Library/Application Support/smolvm/server/smolvm.db`, `vms.data` BLOB) between `machine create` and `machine start` to set `allowed_cidrs` directly — smolvm reads it on start and TSI enforces. End-to-end verified on Docker Desktop / macOS: ``` VM → 127.0.0.1:3000 → BLOCKED (Permission denied) [host probe outside the bottle's /32] VM → 8.8.8.8:53 → BLOCKED (Permission denied) VM → 127.0.0.16:<bundle> → CONNECTED [bottle's own bundle, in allowlist] ``` The DB-patch hack is tagged temporary — when smolvm honors `--allow-cidr` with `--from` upstream, `loopback_alias.force_allowlist` becomes a no-op call to remove.

didericis-claude closed this issue 2026-05-27 18:08:01 -04:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

core-coverage-badge

ratchet-supervise-90

ratchet-manifest-90

ratchet-git-gate-90

ratchet-egress-core-90

ratchet-yaml-subset-90

ratchet-egress-addon-90

cover-global-90

table-drive-dlp-tests

flatten-deep-nesting

decompose-egress-dlp-config

cover-egress-addon-adapter

prd-egress-control-plane

prd-smolmachines-linux

fix-integration-test-failures

fix/macos-container-relative-dockerfile

prd-0054-install-script

commit-bottle-state

pr-211

move-codex-auth-to-contrib

feat/pipelock-skip-scan-extensions

prd-0049-named-labelled-agents

harden-git-gate-shell-rendering

No results found.

Labels

Clear labels

Compat/Breaking

Breaking change that won't be backward compatible

Kind/Bug

Something is not working

Kind/Documentation

Documentation changes

Kind/Enhancement

Improve existing functionality

Kind/Feature

New functionality

Kind/Security

This is security issue

Kind/Testing

Issue or pull request related to testing

Priority

Critical

1

The priority is critical

Priority

High

2

The priority is high

Priority

Low

4

The priority is low

Priority

Medium

3

The priority is medium

Reviewed

Confirmed

1

Issue has been confirmed

Reviewed

Duplicate

2

This issue or pull request already exists

Reviewed

Invalid

3

Invalid issue

Reviewed

Won't Fix

3

This issue won't be fixed

Status

Abandoned

3

Somebody has started to work on this but abandoned work

Status

Blocked

1

Something is blocking this issue or pull request

Status

Need More Info

2

Feedback is required to reproduce issue or to continue work

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

didericis-claude (didericis (claude)) didericis-codex (didericis (codex)) didericis-gemma (gemma) didericis

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: didericis/bot-bottle#75