fix(security): warn when Landlock may silently degrade

[fdzdev]

Summary

• The base sandbox policy uses landlock: compatibility: best_effort which silently drops filesystem restrictions on unsupported kernels (CWE-440, NVBUG 6002804)
• Adds a post-creation check in createSandbox() that warns on macOS hosts and Linux kernels < 5.13
• Warning only — never blocks sandbox creation (wrapped in try/catch)

Test plan

• nemoclaw onboard on macOS → see ⚠ Landlock: macOS host warning after sandbox creation
• nemoclaw onboard on Linux ≥ 5.13 → no warning
• nemoclaw onboard on Linux < 5.13 → see ⚠ Landlock: Kernel X.Y does not support Landlock warning
• If uname -r fails for any reason → no crash, no warning (try/catch)

Summary by CodeRabbit

• New Features
  • Added informative warnings after sandbox creation about potential filesystem restriction limitations. macOS users are notified that filesystem isolation depends on the Docker VM kernel. Linux users receive a best-effort check and alert if their kernel appears older than the minimum recommended level for full sandbox filesystem enforcement.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7d06932a-dcdc-4458-a0f9-98d8fc44fbf5

📥 Commits

Reviewing files that changed from the base of the PR and between e06072c and 93db763.

📒 Files selected for processing (1)

• bin/lib/onboard.js

---

📝 Walkthrough

Walkthrough

Adds post-sandbox-creation warnings about Landlock filesystem isolation: an unconditional macOS warning about Docker VM kernel dependency, and a best-effort Linux kernel check via uname -r that warns if kernel < 5.13. Errors in detection are ignored; sandbox creation still returns the sandbox name.

Changes

Cohort / File(s)	Summary
Landlock Filesystem Restriction Warnings bin/lib/onboard.js	After reporting sandbox creation, emits Landlock-related warnings: unconditional macOS notice about Docker VM kernel dependency; on Linux, runs uname -r best-effort, parses major/minor, warns if version < 5.13. Detection errors are swallowed; original return value preserved.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐇 I hopped into a sandbox, snug and light,
Whispered of kernels in the quiet night.
If Linux sleeps below five-point-thirteen,
Or macOS runs inside a VM screen,
This rabbit warns — tread safe and bright! 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix(security): warn when Landlock may silently degrade' directly and clearly describes the main change: adding warnings when Landlock security isolation may silently degrade on unsupported systems.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cv]

The underlying issue is real — best_effort silently dropping Landlock is worth surfacing. The Linux host kernel check is straightforward and correct since Docker shares the host kernel.

The macOS path is weak though: it warns every macOS user unconditionally when it could just check the Docker VM's actual kernel version via docker info --format '{{.KernelVersion}}'. That gives you the VM kernel without even spinning up a container. If that's ≥ 5.13, there's nothing to warn about.

As-is, the macOS warning is noisy without being actionable — it tells the user "depends on the Docker VM kernel" but doesn't do the one thing that would answer the question.

[cv]

FYI — OpenShell is already tracking this upstream:

• Issue: sec(sandbox): BestEffort Landlock silently degrades to no filesystem sandbox OpenShell#584
• PR: fix(sandbox): emit warning when Landlock filesystem sandbox degrades silently OpenShell#599

Once that lands, OpenShell itself will report whether Landlock enforcement actually stuck, which makes the host-side kernel guessing here unnecessary.