Agent Diagnostic
Skills loaded: openshell-cli (for policy lifecycle context), create-spike (investigation workflow). Neither debug-openshell-cluster nor debug-inference are relevant - this is a source code defect, not a runtime configuration issue.
Investigation: Read crates/openshell-sandbox/src/sandbox/linux/landlock.rs (the full file, ~100 lines). Traced the apply() function: lines 43-78 execute inside a closure where PathFd::new(path).into_diagnostic()? on lines 59 and 68 propagates any single path failure out of the entire closure. The outer handler (lines 80-90) logs a WARN and returns Ok(()), applying zero Landlock rules.
Read crates/openshell-sandbox/src/lib.rs line 875: PROXY_BASELINE_READ_ONLY includes /app, which is injected into every proxy-mode sandbox. Container images without /app trigger the all-or-nothing failure.
Confirmed commit 6828e14 (PR #599, closes #584) upgraded the log level from debug to warn but did not address the root cause.
The agent cannot resolve this without a code change - the fix requires modifying the two for loops in apply() to handle PathFd::new() failures per-path with match instead of ?.
Description
A single missing path in the policy's read_only or read_write list causes the entire Landlock ruleset to be abandoned. Under best_effort compatibility (the default), the sandbox runs with zero filesystem restrictions - a silent, total security degradation.
Expected: skip individual paths that don't exist (with a per-path warning) and continue building the ruleset from the remaining valid paths. A missing optional path should degrade gracefully (only that specific path loses protection) rather than disabling all filesystem isolation.
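To make the two behaviours concrete, here is an added Rust example (not OpenShell's code and not from landlock.rs). It stands in for the two `for` loops in `apply()`: `std::fs::metadata` plays the role of `PathFd::new`, the function and type names are invented, and the policy is a constructed list of two directories that exist on any host plus one that does not. The first function keeps the `?`-inside-the-loop shape from the report, the second handles each path with `match` as the fix describes.

```rust
use std::fs;
use std::io;
use std::path::PathBuf;

/// Result of building a ruleset with per-path error handling.
#[derive(Debug, Default, PartialEq)]
pub struct RulesetSummary {
    /// Paths for which a rule was added.
    pub applied: Vec<PathBuf>,
    /// Paths that were skipped, with the reason.
    pub skipped: Vec<(PathBuf, String)>,
}

/// All-or-nothing pattern (the defect described above): `?` on the first
/// unopenable path aborts the whole loop, so the caller gets no rules at all.
/// `fs::metadata` stands in for `PathFd::new` (constructed example).
pub fn build_all_or_nothing(paths: &[PathBuf]) -> io::Result<Vec<PathBuf>> {
    let mut applied = Vec::new();
    for p in paths {
        fs::metadata(p)?; // first missing path -> Err for the whole ruleset
        applied.push(p.clone());
    }
    Ok(applied)
}

/// Per-path pattern (the fix proposed above): a missing path is recorded and
/// skipped; every other path still gets its rule.
pub fn build_per_path(paths: &[PathBuf]) -> RulesetSummary {
    let mut summary = RulesetSummary::default();
    for p in paths {
        match fs::metadata(p) {
            Ok(_) => summary.applied.push(p.clone()),
            Err(e) => {
                eprintln!("WARN skipping Landlock rule for {}: {}", p.display(), e);
                summary.skipped.push((p.clone(), e.to_string()));
            }
        }
    }
    summary
}

/// Stand-in for the best_effort outer handler: any error becomes a warning and
/// an empty ruleset, i.e. the sandbox silently runs without restrictions.
pub fn apply_best_effort(result: io::Result<Vec<PathBuf>>) -> Vec<PathBuf> {
    match result {
        Ok(rules) => rules,
        Err(e) => {
            eprintln!("WARN Landlock filesystem sandbox is UNAVAILABLE - running WITHOUT filesystem restrictions: {e}");
            Vec::new()
        }
    }
}

/// Constructed policy: two directories that exist on any host plus one that does
/// not (the hypothetical missing path plays the role of /app in the report).
pub fn sample_policy() -> Vec<PathBuf> {
    let tmp = std::env::temp_dir();
    vec![
        tmp.clone(),
        tmp.join("openshell-issue-example-missing-dir"),
        std::env::current_dir().unwrap_or(tmp),
    ]
}

fn main() {
    let policy = sample_policy();
    let broken = apply_best_effort(build_all_or_nothing(&policy));
    println!("all-or-nothing applied {} rule(s)", broken.len());
    let fixed = build_per_path(&policy);
    println!(
        "per-path applied {} rule(s), skipped {}",
        fixed.applied.len(),
        fixed.skipped.len()
    );
}
```

Run as-is: the all-or-nothing variant applies zero rules because one of the three paths is missing, while the per-path variant applies two and reports exactly the one it skipped, which is the warning a defender needs to see in the sandbox logs.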
Reproduction Steps
- Start an OpenShell gateway: openshell gateway start
- Create a sandbox with a policy that includes a non-existent path in read_only:
- Observe in sandbox logs: WARN ... Landlock filesystem sandbox is UNAVAILABLE
- Verify the sandbox can write to paths that should be read-only (e.g. /usr/local/bin/test-file) - confirming Landlock is completely disabled.
Environment
OS: Ubuntu 24.04 (WSL2)
Docker: Docker Desktop
OpenShell: v0.0.17
Logs
WARN openshell_sandbox::sandbox::linux::landlock: Landlock filesystem sandbox is UNAVAILABLE - running WITHOUT filesystem restrictions. Set landlock.compatibility to 'hard_requirement' to make this a fatal error.
Agent-First Checklist
- I pointed my agent at the repo and had it investigate this issue
- I loaded relevant skills (e.g., debug-openshell-cluster, debug-inference, openshell-cli)
- My agent could not resolve this — the diagnostic above explains why