fix(security): warn when Landlock may silently degrade

[fdzdev]

Summary

• The base sandbox policy uses landlock: compatibility: best_effort which silently drops filesystem restrictions on unsupported kernels (CWE-440, NVBUG 6002804)
• Adds a post-creation check in createSandbox() that warns on macOS hosts and Linux kernels < 5.13
• Warning only — never blocks sandbox creation (wrapped in try/catch)

Test plan

• nemoclaw onboard on macOS → see ⚠ Landlock: macOS host warning after sandbox creation
• nemoclaw onboard on Linux ≥ 5.13 → no warning
• nemoclaw onboard on Linux < 5.13 → see ⚠ Landlock: Kernel X.Y does not support Landlock warning
• If uname -r fails for any reason → no crash, no warning (try/catch)

Summary by CodeRabbit

• New Features
  • After creating a sandbox, the tool now shows immediate, user-facing warnings if the host’s kernel appears older than the recommended 5.13 threshold. macOS users are informed that filesystem isolation may depend on the Docker VM kernel; Linux users receive a best-effort check and alert about possible degraded filesystem enforcement.

[coderabbitai]

📝 Walkthrough

Walkthrough

After creating a sandbox, the code now performs a best-effort OS/kernel check and emits Landlock-related warnings: an unconditional macOS Docker VM kernel notice and a Linux uname -r check that warns if kernel < 5.13. Detection errors are ignored; sandbox creation still returns the name.

Changes

Cohort / File(s)	Summary
Landlock Filesystem Restriction Warnings bin/lib/onboard.js	After reporting "✓ Sandbox created", runs an OS-specific kernel check (on macOS uses docker info --format '{{.KernelVersion}}'; on Linux uses uname -r), parses major/minor, and warns when kernel < 5.13 about Landlock/docker VM limitations. All detection errors are suppressed; function still returns sandboxName.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐇 I hopped into a sandbox, soft and keen,
I sniffed the kernel, checked the machine.
If roots are old or VM walls confine,
I whisper warnings, gentle and fine.
Hop safe, dear devs — crunch carrots, not time! 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding warnings when Landlock may silently degrade on unsupported kernels/systems.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cv]

The underlying issue is real — best_effort silently dropping Landlock is worth surfacing. The Linux host kernel check is straightforward and correct since Docker shares the host kernel.

The macOS path is weak though: it warns every macOS user unconditionally when it could just check the Docker VM's actual kernel version via docker info --format '{{.KernelVersion}}'. That gives you the VM kernel without even spinning up a container. If that's ≥ 5.13, there's nothing to warn about.

As-is, the macOS warning is noisy without being actionable — it tells the user "depends on the Docker VM kernel" but doesn't do the one thing that would answer the question.

[cv]

FYI — OpenShell is already tracking this upstream:

• Issue: sec(sandbox): BestEffort Landlock silently degrades to no filesystem sandbox OpenShell#584
• PR: fix(sandbox): emit warning when Landlock filesystem sandbox degrades silently OpenShell#599

Once that lands, OpenShell itself will report whether Landlock enforcement actually stuck, which makes the host-side kernel guessing here unnecessary.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@bin/lib/onboard.js`:
- Around line 2283-2294: The macOS branch currently only prints the Landlock
warning when the Docker VM kernel parses as <5.13; change it so macOS always
emits the Landlock warning to match the PR/test plan: keep the existing
runCapture("docker info...") and parsing of vmKernel but always log a general
macOS Landlock warning (using process.platform === "darwin"), and if vmKernel is
present and parses to a version <5.13 add the existing specific message about
lack of Landlock support; if vmKernel is unparsable still emit the general
warning (and optionally include the raw vmKernel value) so the security signal
is never silently skipped.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 598da946-0617-4fc1-8498-b067424d8b1c

📥 Commits

Reviewing files that changed from the base of the PR and between 93db763 and 3d2d2bf.

📒 Files selected for processing (1)

• bin/lib/onboard.js

[coderabbitai]

⚠️ Potential issue | 🟠 Major

macOS Landlock warning is too narrow and misses the stated security signal.

Line [2283]–Line [2293] only warns on macOS when Docker VM kernel parses as < 5.13. The PR objective/test plan says macOS hosts should warn regardless, so this can silently skip the warning on macOS with kernel >= 5.13 (or unparsable versions).

Suggested fix

   try {
     if (process.platform === "darwin") {
       const vmKernel = runCapture("docker info --format '{{.KernelVersion}}'", { ignoreError: true }).trim();
-      if (vmKernel) {
-        const parts = vmKernel.split(".");
-        const major = parseInt(parts[0], 10);
-        const minor = parseInt(parts[1], 10);
-        if (!isNaN(major) && !isNaN(minor) && (major < 5 || (major === 5 && minor < 13))) {
-          console.warn(`  ⚠ Landlock: Docker VM kernel ${vmKernel} does not support Landlock (requires ≥5.13).`);
-          console.warn("    Sandbox filesystem restrictions will silently degrade (best_effort mode).");
-        }
-      }
+      console.warn(
+        vmKernel
+          ? `  ⚠ Landlock: macOS host (Docker VM kernel ${vmKernel}). Landlock enforcement may silently degrade (best_effort mode).`
+          : "  ⚠ Landlock: macOS host. Landlock enforcement may silently degrade (best_effort mode)."
+      );
     } else if (process.platform === "linux") {
       const uname = runCapture("uname -r", { ignoreError: true }).trim();
       if (uname) {
         const parts = uname.split(".");

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if (process.platform === "darwin") {
	const vmKernel = runCapture("docker info --format '{{.KernelVersion}}'", { ignoreError: true }).trim();
	if (vmKernel) {
	const parts = vmKernel.split(".");
	const major = parseInt(parts[0], 10);
	const minor = parseInt(parts[1], 10);
	if (!isNaN(major) && !isNaN(minor) && (major < 5 || (major === 5 && minor < 13))) {
	console.warn(` ⚠ Landlock: Docker VM kernel ${vmKernel} does not support Landlock (requires ≥5.13).`);
	console.warn(" Sandbox filesystem restrictions will silently degrade (best_effort mode).");
	}
	}
	} else if (process.platform === "linux") {
	if (process.platform === "darwin") {
	const vmKernel = runCapture("docker info --format '{{.KernelVersion}}'", { ignoreError: true }).trim();
	console.warn(
	vmKernel
	? ` ⚠ Landlock: macOS host (Docker VM kernel ${vmKernel}). Landlock enforcement may silently degrade (best_effort mode).`
	: " ⚠ Landlock: macOS host. Landlock enforcement may silently degrade (best_effort mode)."
	);
	} else if (process.platform === "linux") {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@bin/lib/onboard.js` around lines 2283 - 2294, The macOS branch currently only
prints the Landlock warning when the Docker VM kernel parses as <5.13; change it
so macOS always emits the Landlock warning to match the PR/test plan: keep the
existing runCapture("docker info...") and parsing of vmKernel but always log a
general macOS Landlock warning (using process.platform === "darwin"), and if
vmKernel is present and parses to a version <5.13 add the existing specific
message about lack of Landlock support; if vmKernel is unparsable still emit the
general warning (and optionally include the raw vmKernel value) so the security
signal is never silently skipped.

[fdzdev]

Addressed — macOS path now checks the Docker VM kernel via docker info --format '{{.KernelVersion}}' and only warns when < 5.13. No more unconditional warning.

Also noting this is an interim measure until openshell#599 lands upstream.