[All Platform][Security]OpenShell 0.0.26 does not enforce Landlock filesystem policy — /sandbox writable on all platforms

[zNeill]

Description

Description

OpenShell 0.0.26 receives correct filesystem_policy from NemoClaw (include_workdir: false, /sandbox in read_only) but does not apply Landlock ruleset to sandbox process. /sandbox is writable on all tested platforms.

Reproduction Steps

1. nemoclaw onboard (any platform, any provider)
2. nemoclaw connect
3. touch /sandbox/testfile
4. echo "test" > /sandbox/testfile
5. cat /sandbox/testfile

Actual Result

Step 3-5: All succeed. File created and written in /sandbox.
/proc/1/attr/current = "unconfined" (no Landlock applied to process)

Expected Result

Step 3: Permission denied (/sandbox is Landlock read-only)

Root Cause
nemoclaw status --json confirms policy is correctly delivered:
filesystem_policy:
include_workdir: false
read_only:
- /sandbox
- /sandbox/.openclaw
read_write:
- /tmp
- /sandbox/.openclaw-data
- /sandbox/.nemoclaw
landlock:
compatibility: best_effort

OpenShell receives the policy but does not apply Landlock ruleset.

Impact:

• Agents can create/modify arbitrary files in /sandbox home directory
• NemoClaw onboard summary displays "Landlock + seccomp + netns"
  which is misleading — Landlock is not enforced
• PR fix(sandbox): restrict /sandbox to read-only via Landlock (#804) #1121 (restrict /sandbox to read-only) is ineffective

Environment:NemoClaw: v0.0.11
OpenShell: 0.0.26
Affected platforms: ALL

• Brev GPU (kernel 5.15.0-107, kernel 6.8.0-57)
• Standard Ubuntu (kernel 6.8.0-57)
• Landlock compiled (CONFIG_SECURITY_LANDLOCK=y)
• Landlock in LSM (lockdown,capability,landlock,yama,apparmor)

Bug Details

Field	Value
Priority	Unprioritized
Action	Dev - Open - To fix
Disposition	Open issue
Module	Machine Learning - NemoClaw
Keyword	NemoClaw, NEMOCLAW_GH_SYNC_APPROVAL, NemoClaw-SWQA-RelBlckr-Recommended

---

[NVB# 6066573]

[NVB#6066573]

[wscurran]

✨
Possibly related open PRs:

• #1121 fix(sandbox): restrict /sandbox to read-only via Landlock (#804)

---

Possibly related open PRs:

• #1121 fix(sandbox): restrict /sandbox to read-only via Landlock (#804)

[prekshivyas]

Investigation

Filed NVIDIA/OpenShell#803 with detailed root cause analysis.

Key finding: OpenShell's Landlock enforcement code runs AFTER drop_privileges() (process.rs#L184-187), meaning it tries to open path file descriptors as the unprivileged sandbox user (uid 998), not root. When path opens fail, the best_effort handler silently returns success and the sandbox runs unconfined.

Previous fixes (#584, #664) improved logging and per-path error handling but didn't address the fundamental ordering issue. Both fixes shipped in v0.0.26 — the version QA tested.

NemoClaw-side mitigations already in place:

• DAC: root:root 444 on openclaw.json, root:root 755 on .openclaw directory
• Sticky bit (1755) on .nemoclaw to prevent renaming blueprints/
• chattr +i on .openclaw (root mode only)
• Config integrity hash check at startup

These provide defense-in-depth but Landlock was supposed to be the primary enforcement layer.

[prekshivyas]

Update: The upstream OpenShell fix has merged and shipped.

• bug(sandbox): Landlock not enforced on Landlock-capable kernels — best_effort silently returns Ok() OpenShell#803 — closed April 13
• fix(sandbox): two-phase Landlock to fix privilege ordering and add enforcement tests OpenShell#810 (two-phase Landlock fix) — merged April 13
• First release containing the fix: v0.0.29 (April 14)
• Latest release: v0.0.30 (April 15)

NemoClaw is currently pinned to MAX_VERSION="0.0.26" in scripts/install-openshell.sh. Remaining steps to close this issue:

1. Bump MAX_VERSION in scripts/install-openshell.sh to >=0.0.29
2. Run e2e verification to confirm Landlock is enforced (touch /sandbox/testfile should fail with permission denied)
3. Verify nemoclaw <name> status --json shows Landlock as active