fix(sandbox): emit warning when Landlock filesystem sandbox degrades silently#599
Open
johntmyers wants to merge 2 commits intomainfrom
Open
fix(sandbox): emit warning when Landlock filesystem sandbox degrades silently#599johntmyers wants to merge 2 commits intomainfrom
johntmyers wants to merge 2 commits intomainfrom
Conversation
…silently BestEffort Landlock previously swallowed failures at debug level, making sandbox bypass invisible to operators at default log levels. Upgrade the degradation log to warn with an actionable message pointing to the hard_requirement setting. Add info-level startup log showing the requested ABI and path counts so operators always know what Landlock protections are active. Closes #584
4 tasks
pimlock
previously approved these changes
Mar 25, 2026
Signed-off-by: John Myers <johntmyers@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
debug!towarn!so operators running at default log levels are alerted when the filesystem sandbox is bypassedinfo!-level startup log showing the requested ABI, compatibility mode, and path counts so operators always know what Landlock protections are activeRelated Issue
Closes #584
Changes
crates/openshell-sandbox/src/sandbox/linux/landlock.rsdebug!→warn!on Landlock failure (line 82-86): WhenBestEffortmode swallows a Landlock error, the operator now sees awarn!-level message with an actionable hint to sethard_requirementif they want this to be fatal. Previously this wasdebug!— invisible at production log levels.info!log at sandbox apply (lines 33-39): Logs the requested ABI version, compatibility mode, and number of read-only/read-write paths before applying Landlock rules. This gives operators a clear signal of what protections are being applied on every sandbox start.Both changes align Landlock's observability with the existing pattern in
netns.rs, which already useswarn!for similar degradation scenarios.Testing
cargo check -p openshell-sandbox— passescargo clippy -p openshell-sandbox— no new warningsmise run pre-commit— passes (license check failure is pre-existing onarchitecture/plans/files, unrelated)Checklist