From 3d2d2bf5d3c0757381fef466b653a77f6ea37e61 Mon Sep 17 00:00:00 2001
From: Facundo Fernandez
Date: Mon, 30 Mar 2026 23:23:29 -0600
Subject: [PATCH] fix(security): warn when Landlock may silently degrade
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Check Docker VM kernel version on macOS via docker info (actionable, not unconditional)
- Check host kernel version on Linux via uname -r
- Warn only when kernel < 5.13 (Landlock minimum)
- Warning only — never blocks sandbox creation (wrapped in try/catch)

Made-with: Cursor
---
 bin/lib/onboard.js | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/bin/lib/onboard.js b/bin/lib/onboard.js
index f4d4e3935..026d32db8 100644
--- a/bin/lib/onboard.js
+++ b/bin/lib/onboard.js
@@ -2278,6 +2278,33 @@ async function createSandbox(gpu, model, provider, preferredInferenceApi = null,
 run(`bash "${path.join(SCRIPTS, "setup-dns-proxy.sh")}" ${GATEWAY_NAME} "${sandboxName}" 2>&1 || true`, { ignoreError: true });
 console.log(` ✓ Sandbox '${sandboxName}' created`);
+
+ try {
+ if (process.platform === "darwin") {
+ const vmKernel = runCapture("docker info --format '{{.KernelVersion}}'", { ignoreError: true }).trim();
+ if (vmKernel) {
+ const parts = vmKernel.split(".");
+ const major = parseInt(parts[0], 10);
+ const minor = parseInt(parts[1], 10);
+ if (!isNaN(major) && !isNaN(minor) && (major < 5 || (major === 5 && minor < 13))) {
+ console.warn(` ⚠ Landlock: Docker VM kernel ${vmKernel} does not support Landlock (requires ≥5.13).`);
+ console.warn(" Sandbox filesystem restrictions will silently degrade (best_effort mode).");
+ }
+ }
+ } else if (process.platform === "linux") {
+ const uname = runCapture("uname -r", { ignoreError: true }).trim();
+ if (uname) {
+ const parts = uname.split(".");
+ const major = parseInt(parts[0], 10);
+ const minor = parseInt(parts[1], 10);
+ if (!isNaN(major) && !isNaN(minor) && (major < 5 || (major === 5 && minor < 13))) {
+ console.warn(` ⚠ Landlock: Kernel ${uname} does not support Landlock (requires ≥5.13).`);
+ console.warn(" Sandbox filesystem restrictions will silently degrade (best_effort mode).");
+ }
+ }
+ }
+ } catch {}
+
+ return sandboxName;
 }
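Review bot: The added `try` block prints nothing in exactly the cases where it cannot tell whether Landlock is available: an empty `runCapture` result, a version string that does not parse, and any exception swallowed by `catch {}` all fall through silently, so the absence of a warning reads as "Landlock is active". Because the purpose of the change is to surface silent degradation, the unknown case should emit its own warning while still never blocking onboarding. A kernel at 5.13 or later is also only a necessary condition, since Landlock must be built in and present in the active LSM list (on Linux, `/sys/kernel/security/lsm`), so the wording should not imply a guarantee when no warning appears. The darwin and linux branches duplicate the parse and comparison; folding them into one probe makes the three outcomes explicit, as sketched below. `createSandbox` begins outside this hunk, and the behaviour of `runCapture` with `ignoreError` is assumed to be "return an empty string on failure".

```javascript
  // … unchanged: DNS proxy setup and the "created" log line …
  const probe = {
    darwin: "docker info --format '{{.KernelVersion}}'",
    linux: "uname -r",
  }[process.platform];
  if (probe) {
    let release = "";
    let tooOld = null; // null: kernel version could not be determined
    try {
      release = runCapture(probe, { ignoreError: true }).trim();
      const m = /^(\d+)\.(\d+)/.exec(release);
      if (m) {
        const major = Number(m[1]);
        const minor = Number(m[2]);
        tooOld = major < 5 || (major === 5 && minor < 13);
      }
    } catch {
      // Advisory only: a failed probe must not block sandbox creation.
    }
    if (tooOld === null) {
      console.warn("  ⚠ Landlock: could not determine the kernel version; filesystem restrictions are unverified.");
    } else if (tooOld) {
      const where = process.platform === "darwin" ? "Docker VM kernel" : "Kernel";
      console.warn(`  ⚠ Landlock: ${where} ${release} does not support Landlock (requires ≥5.13).`);
      // … unchanged: the best_effort console.warn line …
    }
  }
  return sandboxName;
```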