5. Single-Host Deployment without Namespacing

Multiple MCP server instances or agents run on the same host, VM, or container as the same user, so they share the filesystem (notably /tmp), inherit the same environment variables, and, absent quotas, compete for the same memory. Nothing stops one tool from reading what another tool writes or was given.

Tech Detail:

  • One /tmp used by every tool subprocess, with predictable file names
  • No Linux isolation primitives: no separate namespaces (unshare/clone), no cgroup resource limits, no seccomp filter
  • One shared env.json (or an inherited process environment) holding every tool's secrets, unscoped

Exploit Potential:

  • Tool A reads Tool B's /tmp/output.json (same uid, same directory, no mount namespace between them)
  • Every tool inherits the full environment, so any tool can dump all secrets from /proc/self/environ (and, as the same uid, from /proc/<pid>/environ of sibling tools)

Mitigation:

  • One container per tool, confined with an AppArmor profile, or run under gVisor for a stronger kernel boundary
  • Give each container a private tmpfs for /tmp (docker run --mount type=tmpfs,destination=/tmp or --tmpfs /tmp:rw,noexec,nosuid), set a memory quota (--memory), and mount any data volumes noexec
  • Pass each tool only its own secrets; never hand one env.json to every subprocess
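The following is an added example, not code from the original page or from any MCP project, showing the process-level half of the problem and its fix: a launcher that runs two constructed "tools" as subprocesses, first with one shared scratch directory and every secret in every environment (the weak deployment above), then with a private mode-0700 TMPDIR and only the tool's own secret per process. Tool A tries to read Tool B's output.json and lists the *_TOKEN names it can see in /proc/self/environ. The tool bodies, secret names and values, and the mkdtemp directory that stands in for the host's /tmp are all constructed for the demo; mount namespaces, tmpfs and noexec remain the container runtime's job and are not reproduced here.

```python
"""Per-tool launcher: private TMPDIR and scoped environment per subprocess.

Added example (hypothetical launcher, constructed tools and secrets); assumes Linux
for /proc/self/environ and falls back to os.environ elsewhere.
"""
import json
import os
import shutil
import subprocess
import sys
import tempfile

# Constructed demo secrets, one scope per tool. Neither value is real.
SECRETS = {
    "tool_a": {"TOOL_A_TOKEN": "a-token"},
    "tool_b": {"TOOL_B_TOKEN": "b-token"},
}

# Only what the child interpreter needs; no inherited host variables.
MINIMAL_ENV = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}

# Constructed Tool B: writes its result, which embeds its own token, into $TMPDIR.
TOOL_B = r"""
import json, os
path = os.path.join(os.environ["TMPDIR"], "output.json")
with open(path, "w") as f:
    json.dump({"secret_b": os.environ.get("TOOL_B_TOKEN")}, f)
"""

# Constructed Tool A: reads Tool B's file if it is reachable and lists every
# *_TOKEN variable visible in its own environment block.
TOOL_A = r"""
import json, os
path = os.path.join(os.environ["TMPDIR"], "output.json")
leaked_file = None
if os.path.exists(path):
    with open(path) as f:
        leaked_file = json.load(f)
try:
    raw = open("/proc/self/environ", "rb").read()      # kernel view of this process's env
    pairs = [kv.split(b"=", 1) for kv in raw.split(b"\0") if b"=" in kv]
    env = {k.decode(): v.decode() for k, v in pairs}
except OSError:                                        # non-Linux: same data via libc
    env = dict(os.environ)
print(json.dumps({"file": leaked_file,
                  "tokens": sorted(k for k in env if k.endswith("_TOKEN"))}))
"""


def launch(src: str, env: dict) -> str:
    """Run one tool body in a fresh interpreter with exactly the given environment."""
    proc = subprocess.run([sys.executable, "-c", src], env=env,
                          capture_output=True, text=True, check=True)
    return proc.stdout


def run_shared(secrets: dict) -> dict:
    """Weak deployment: one scratch dir for all tools, every secret in every env."""
    shared_tmp = tempfile.mkdtemp(prefix="shared-tmp-")   # stands in for host /tmp
    all_secrets = {k: v for scope in secrets.values() for k, v in scope.items()}
    env = {**MINIMAL_ENV, **all_secrets, "TMPDIR": shared_tmp}
    try:
        launch(TOOL_B, env)
        return json.loads(launch(TOOL_A, env))
    finally:
        shutil.rmtree(shared_tmp)


def run_isolated(secrets: dict) -> dict:
    """Hardened launcher: per-tool mode-0700 TMPDIR, only that tool's secrets in its env."""
    dirs = {name: tempfile.mkdtemp(prefix=f"{name}-tmp-") for name in secrets}  # mkdtemp => 0700
    try:
        launch(TOOL_B, {**MINIMAL_ENV, **secrets["tool_b"], "TMPDIR": dirs["tool_b"]})
        return json.loads(launch(TOOL_A, {**MINIMAL_ENV, **secrets["tool_a"],
                                          "TMPDIR": dirs["tool_a"]}))
    finally:
        for d in dirs.values():
            shutil.rmtree(d)


if __name__ == "__main__":
    print("shared  :", run_shared(SECRETS))    # Tool A sees B's file and both tokens
    print("isolated:", run_isolated(SECRETS))  # Tool A sees no file and only its own token
```

The isolated variant is the minimum a single-host launcher should do; putting each tool in its own container with a tmpfs /tmp then closes the gap that a same-uid process could still reach a sibling's directory by path if it learned the name.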