5. Single-Host Deployment without Namespacing
Multiple MCP server instances or agents share the same host, VM, or container, so they also share memory, disk (notably /tmp), and environment variables.
Tech Detail:
- /tmp used by multiple subprocesses
- No Linux isolation primitives in use: no namespaces (unshare), cgroups, or seccomp filters
- A shared env.json holding secrets that are not scoped to a single tool
Exploit Potential:
- Tool A accesses Tool B’s /tmp/output.json
- Environment-variable leakage via /proc/self/environ
Mitigation:
- Run each tool in its own Docker container, confined with AppArmor or gVisor
- Give each container a private scratch space with --mount type=tmpfs (or --tmpfs), set memory quotas (--memory), and mount volumes noexec
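As an added example (not code from the original page), a startup self-check a tool process could run to confirm the mitigations above are actually in effect before it serves requests. The /proc and cgroup text below is constructed; the cgroup v2 memory.max file is assumed as the source of the memory quota.

```python
import re

# Constructed sample /proc text (not captured from a real host).
HARDENED_MOUNTINFO = (
    "22 21 0:5 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw\n"
    "40 21 0:41 / /tmp rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,size=65536k\n"
)
SHARED_MOUNTINFO = "21 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw\n"  # /tmp is just a dir on the shared root
HARDENED_STATUS = "Name:\tmcp-tool\nSeccomp:\t2\nSeccomp_filters:\t1\n"
SHARED_STATUS = "Name:\tmcp-tool\nSeccomp:\t0\n"

def parse_mountinfo(text):
    """Map mount point -> option set; layout: id parent maj:min root mountpoint opts [...] - fstype src superopts."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        sep = fields.index("-") if "-" in fields else len(fields)
        fstype = fields[sep + 1] if sep + 1 < len(fields) else "?"
        mounts[fields[4]] = set(fields[5].split(",")) | {"fstype=" + fstype}
    return mounts

def tmp_is_private_noexec(mountinfo_text):
    """True only when /tmp is its own tmpfs mount with noexec set (not a directory on a shared disk)."""
    opts = parse_mountinfo(mountinfo_text).get("/tmp", set())
    return "fstype=tmpfs" in opts and "noexec" in opts

def seccomp_enforced(status_text):
    """True when /proc/self/status reports Seccomp: 2 (filter mode); 1 is strict mode, 0 is none."""
    match = re.search(r"^Seccomp:\s*(\d+)$", status_text, re.M)
    return match is not None and match.group(1) == "2"

def memory_limited(memory_max_text):
    """True when cgroup v2 memory.max holds a byte count rather than the literal 'max'."""
    return memory_max_text.strip().isdigit()

def isolation_findings(mountinfo_text, status_text, memory_max_text):
    """Return the list of missing mitigations; an empty list means the tool may start."""
    findings = []
    if not tmp_is_private_noexec(mountinfo_text):
        findings.append("/tmp is not a private noexec tmpfs")
    if not seccomp_enforced(status_text):
        findings.append("no seccomp filter")
    if not memory_limited(memory_max_text):
        findings.append("no cgroup memory limit")
    return findings
```

At startup, feed the real contents of /proc/self/mountinfo, /proc/self/status and /sys/fs/cgroup/memory.max to isolation_findings() and refuse to serve if it returns anything.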