fix(sandbox): drop CAP_FOWNER/SETUID/SETGID via setpriv (#3280)

[Dongni-Yang]

Summary

Follow-up to #3328, which dropped 5/8 of the caps named in issue #3280 and left CAP_FOWNER, CAP_SETUID, CAP_SETGID present because the entrypoint's gosu-based privilege separation prevented dropping them from the bounding set (gosu needs CAP_SETUID in permitted to do its setuid() syscall, but the bounding set can only be modified with CAP_SETPCAP, which only root holds — there's no point in the entrypoint where the drop can happen without breaking either gosu or the privilege transition).

This PR resolves the chicken-and-egg by replacing gosu with setpriv (util-linux, already present in the image). setpriv does reuid + bounding-set drop atomically inside a single process: setuid first (still holds CAP_SETUID), then strip the bounding set (still root long enough to hold CAP_SETPCAP), then exec — no exec between the setuid and the bounding-set drop.

After this PR, all 8 caps named in issue #3280 are absent from the sandbox-user process's CapBnd (verified live; see Test plan).

Stacking note

Stacked on PR #3328. The full PR diff shows 4 commits:

Commit	From PR
fix(sandbox): tighten bounding-set caps and surface residuals	#3328
test(sandbox): inventory dangerous-cap set in bounding-set assertion	#3328
fix(sandbox): replace gosu with setpriv to drop all bounding-set caps	this PR (05954bf49)
test(sandbox): require all 8 issue-3280 caps absent after step-down	this PR (a5ea1712c)

Reviewers should focus on the bottom two commits. Merge after #3328 lands; I'll rebase if #3328 changes during review.

Changes

scripts/lib/sandbox-init.sh

Add init_step_down_prefixes() and two file-scope arrays:

• STEP_DOWN_PREFIX_SANDBOX — defaults to (gosu sandbox); upgraded by init_step_down_prefixes() to (setpriv --reuid=sandbox --regid=sandbox --init-groups --bounding-set=-setuid,-setgid,-fowner,-chown,-kill --) when setpriv + CAP_SETPCAP are available.
• STEP_DOWN_PREFIX_GATEWAY — same shape, gateway user.

If setpriv is missing or CAP_SETPCAP is unavailable, the arrays stay at the gosu fallback (matching the previous behavior) and a [SECURITY WARNING] is logged so the residual cap retention surfaces in the entrypoint log (matches report_residual_capabilities() from #3328).

Implementation notes:

• File-scope default is (gosu …), not () — hardens against a theoretical privesc regression: if init_step_down_prefixes() were ever skipped by a future refactor, an empty array would expand to nothing, and exec "${STEP_DOWN_PREFIX_SANDBOX[@]}" "${NEMOCLAW_CMD[@]}" would run the agent as root. The gosu default makes the failure mode safe.
• --init-groups (not --clear-groups) — gateway is a member of the sandbox group via usermod -aG sandbox gateway in Dockerfile.base:99, required to write the chmod 660 /sandbox/.openclaw/openclaw.json (setgid'd config dir per OpenClaw UI "Enable Dreaming" doesn't work because of GatewayRequestError: EACCES: permission denied #2681). --clear-groups would strip that membership and break mutateConfigFile with EACCES. --init-groups matches gosu's setgroups + initgroups behaviour. (Addresses CodeRabbit comment.)
• Plain array assignment (no declare -ga) — bash 3.2 on macOS rejects declare -g, which would break macOS CI when any test sources sandbox-init.sh. File-scope ARR=() is global by default in bash 3.2+; the function-internal reassignment without local targets the same global. (Addresses CodeRabbit comment.)
• setpriv uses unprefixed cap names (per setpriv --list), unlike capsh which uses cap_*. The arrays follow the setpriv convention.
• Per-assignment # shellcheck disable=SC2034 — the prefix arrays are consumed cross-file (by scripts/nemoclaw-start.sh and agents/hermes/start.sh), which shellcheck cannot follow from sandbox-init.sh alone.

scripts/nemoclaw-start.sh (4 sites) and agents/hermes/start.sh (3 sites)

Replace all gosu <user> invocations with "${STEP_DOWN_PREFIX_<USER>[@]}":

File	Line	Role
nemoclaw-start.sh	795	auto-pair (sandbox)
nemoclaw-start.sh	1610	write_auth_profile + harden_auth_profiles (sandbox)
nemoclaw-start.sh	1614	final exec to NEMOCLAW_CMD (sandbox)
nemoclaw-start.sh	1720	OpenClaw gateway (gateway)
hermes/start.sh	294	Discord facade (gateway)
hermes/start.sh	586	final exec to NEMOCLAW_CMD (sandbox)
hermes/start.sh	607	Hermes gateway (gateway)

Non-root fallback path in nemoclaw-start.sh (lines 1488+) and the no-new-privileges history comments at 138-139 / 1490-1493 are unchanged — that path doesn't use a privilege-step-down tool at all.

test/e2e-gateway-isolation.sh

Flip CAP_FOWNER / CAP_SETUID / CAP_SETGID in test 14 from allowed to must-drop. Rewrite the test to exercise the full two-stage drop end-to-end: source sandbox-init.sh, run drop_capabilities() (stage 1: capsh), then exec STEP_DOWN_PREFIX_SANDBOX (stage 2: setpriv), then capture CapBnd.

test/sandbox-init.test.ts

Two new unit tests for init_step_down_prefixes():

• Falls back to gosu when setpriv/capsh are unavailable
• Uses setpriv with the issue-3280 bounding-set drop when available

Update the existing start_discord_facade snapshot test to expect the new STEP_DOWN_PREFIX_GATEWAY invocation instead of the legacy gosu gateway sh -c.

test/nemoclaw-start.test.ts

Initialise STEP_DOWN_PREFIX_SANDBOX=(gosu sandbox) and STEP_DOWN_PREFIX_GATEWAY=(gosu gateway) in the test scaffolding for both runLaunchBlock() and runPreGatewaySetup(). The extracted launch / setup blocks reference these arrays, and the test scaffolding doesn't source sandbox-init.sh, so without an explicit initialisation set -u fails on the unbound array and the stubbed gosu() never receives the call (this caused the user=gateway CI failure on the prior push).

Test plan

Forward case (full production image, post-build)

Built nemoclaw-3329-test directly from this branch's Dockerfile (63 steps, no overlay). Ran the full two-stage drop end-to-end with --cap-add CAP_SYS_ADMIN --cap-add CAP_SYS_PTRACE (worst-case permissive runtime):

Stage 1 (root, post-capsh):   CapBnd=00000000000001e9
Stage 2 (sandbox, post-setpriv): uid=998(sandbox) gid=998(sandbox) groups=sandbox
                                 CapBnd=0000000000000100  → cap_setpcap only
Issue #3280 caps absent: cap_sys_admin / cap_sys_ptrace / cap_net_raw /
                         cap_net_bind_service / cap_dac_override /
                         cap_fowner / cap_setuid / cap_setgid  ✅ (8/8)

Gateway path (full production image, post-build)

Same image, but invoking STEP_DOWN_PREFIX_GATEWAY instead:

uid=999(gateway) gid=999(gateway) groups=gateway sandbox   ← --init-groups OK
CapBnd=0000000000000100  → cap_setpcap only
/sandbox/.openclaw/openclaw.json (mode 660, sandbox:sandbox) writable by gateway ✅

This is the exact case CodeRabbit flagged: gateway must retain sandbox group membership to write the chmod 660 setgid'd config (per #2681). Confirmed.

Negative case (live container)

Rebuilt with -setuid removed from the setpriv --bounding-set arg. CapBnd=0x180 (bit 7 set = CAP_SETUID). Test correctly fails with "CAP_SETUID still present in sandbox-user CapBnd (issue #3280)" — matches the regression signature this PR is designed to catch.

Full regression baseline

npm test on this branch vs upstream/main:

	Test files failed	Tests failed	Tests passed
upstream/main (baseline)	22	67	3418
this branch	22	67	3420
Δ	0	0	+2

Net: 2 new passing tests (the new init_step_down_prefixes cases), zero new failures. All 67 baseline failures pre-date this PR (stale dist/, unrelated TypeScript files).

Targeted

• npx vitest run test/{sandbox-init,nemoclaw-start,seccomp-guard,service-env}.test.ts → 132/132 pass.
• bash -n clean on all 4 touched shell files.
• shfmt -d -i 2 -ci -bn clean.

Security review

CWE	Status	Notes
CWE-269 Improper Privilege Management	✅ no issue	Saved-UID=0 inert — CAP_SETUID gone from bounding set, can't be regained.
CWE-273 Improper Check for Dropped Privileges	⚠️ no regression	Trusts setpriv. exec semantics → fail-closed on setpriv failure. E2E test 14 verifies in CI.
CWE-274 Improper Handling of Insufficient Privileges	⚠️ documented trade-off	SETPCAP-missing fallback is fail-open-for-availability + fail-loud-for-posture ([SECURITY WARNING] to log).
CWE-367 TOCTOU	✅ no issue	Check and use happen in same root process; CAP_SETPCAP preserved between them.
CWE-426 Untrusted Search Path	✅ no issue	PATH locked at entrypoint top; init runs as root pre-stepdown.
CWE-732 Incorrect Permission Assignment	✅ no issue	--init-groups preserves gateway's sandbox-group membership (chmod 660 config write still works).
CWE-77/78 Command Injection	✅ no issue	All setpriv argv literals; array expansion does not word-split.
CWE-200/209/532 Information Exposure	✅ no issue	Warnings contain only public cap names; log is root:600 (sandbox user can't read).
CWE-693 Protection Mechanism Failure	✅ no issue	setpriv 2.38.1, no known CVEs affecting bounding-set ops.

Net assessment: no new CWEs introduced. Sandbox-user CapBnd: 6 entries → 1 entry. Attack surface for setuid-root-binary cap regain: reduced to empty.

Risks and notes for review

• setpriv vs gosu setuid semantics. Both use the setuid syscall. setpriv --reuid sets ruid+euid but not saved UID (gosu uses setresuid which sets all three). Saved-UID=0 is inert here because using it requires CAP_SETUID in permitted, which is empty after the bounding-set drop on exec.
• No-new-privs interaction. setpriv performs the setuid syscall as root, which is unrestricted regardless of no_new_privs. Different failure mode from gosu (documented at nemoclaw-start.sh:138-139 and :1490-1493). Worth verifying on Spark/arm64 in CI.
• Defense-in-depth, not user-facing behaviour change. The agent shell continues to run as the sandbox user with the same supplementary groups; the only observable difference is cat /proc/self/status showing an empty CapBnd (apart from CAP_SETPCAP itself, which is harmless in an unprivileged process).
• Fallback warning is a log line, not an exit. If a runtime lacks setpriv or CAP_SETPCAP, the sandbox still boots (under the legacy gosu path) but emits [SECURITY WARNING] so the residual surfaces in docker logs.

Review feedback addressed

1. CodeRabbit: Bash 3.2 incompat (declare -ga) → replaced with plain array assignment.
2. CodeRabbit: --clear-groups removes gateway from sandbox group → switched to --init-groups; verified live.
3. Self-review: unset-array privesc regression risk → file-scope default initialised to (gosu …) instead of (); init_step_down_prefixes() only upgrades.
4. CI: shellcheck SC2034 → per-assignment # shellcheck disable=SC2034 with cross-file-consumption note.
5. CI: test/nemoclaw-start.test.ts:1201 user=gateway → scaffolding initialises STEP_DOWN_PREFIX_* in fallback form so the stubbed gosu still receives the call.

Closes #3280.

Signed-off-by: Dongni Yang dongniy@nvidia.com

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

• Security Improvements

  • Enhanced sandbox isolation through improved removal of dangerous capabilities from restricted environments
  • Updated privilege separation mechanism with better fallback handling and more flexible configuration
  • Improved capability-dropping logic for comprehensive restriction of high-risk permissions

• Tests

  • Updated integration tests to verify capability restrictions work as expected

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 0ada17f2-810e-49ed-a0eb-61aedc2bdd8c

📥 Commits

Reviewing files that changed from the base of the PR and between a5ea171 and ca30710.

📒 Files selected for processing (4)

• agents/hermes/start.sh
• scripts/nemoclaw-start.sh
• test/nemoclaw-start.test.ts
• test/sandbox-init.test.ts

🚧 Files skipped from review as they are similar to previous changes (3)

• test/sandbox-init.test.ts
• scripts/nemoclaw-start.sh
• test/nemoclaw-start.test.ts

---

📝 Walkthrough

Walkthrough

Implements setpriv-based privilege step-down prefixes, updates drop_capabilities to use capsh with residual-cap diagnostics, replaces gosu invocations across Hermes and Nemoclaw with STEP_DOWN_PREFIX_* prefixes, and adds tests asserting eight dangerous capabilities are removed from CapBnd.

Changes

Privilege Step-Down and Capability Bounding Set Remediation

Layer / File(s)	Summary
Capability Dropping Refinement scripts/lib/sandbox-init.sh	drop_capabilities() now re-execs via capsh --drop=... with an explicit list; added report_residual_capabilities() to read /proc/self/status CapBnd and log remaining dangerous bits.
Privilege Step-Down Prefix Infrastructure scripts/lib/sandbox-init.sh	Added init_step_down_prefixes() and globals STEP_DOWN_PREFIX_SANDBOX / STEP_DOWN_PREFIX_GATEWAY; prefers setpriv --reuid/--regid --bounding-set when available, falls back to gosu otherwise; prefixes initialized at load time.
Hermes Entrypoint Integration agents/hermes/start.sh	Replaced gosu calls with ${STEP_DOWN_PREFIX_GATEWAY[@]} / ${STEP_DOWN_PREFIX_SANDBOX[@]} for Discord facade, root-path exec, and gateway launch while keeping existing wrappers and env sanitization.
Nemoclaw Entrypoint Integration scripts/nemoclaw-start.sh	Switched auto-pair, auth/profile execution, user command exec, and gateway startup to use STEP_DOWN_PREFIX_SANDBOX / STEP_DOWN_PREFIX_GATEWAY.
Test Validation test/e2e-gateway-isolation.sh, test/sandbox-init.test.ts, test/nemoclaw-start.test.ts	E2E Test 14 now sources sandbox-init.sh, runs the two-stage drop, captures CapBnd, and asserts absence of eight dangerous capability bits. Unit tests validate init_step_down_prefixes fallback and setpriv paths; test scaffolding initializes gosu fallbacks; Hermes test updated for gateway prefix usage.

🎯 4 (Complex) | ⏱️ ~45 minutes

• NVIDIA/NemoClaw#3328: Modifies sandbox-init.sh capability-dropping flow and related tests; directly related to bounding-set handling and diagnostics.

Suggested reviewers:

• ericksoa

"I hop the caps away tonight,
setpriv trims the bounding light,
gosu's fallback tucked in bed,
safer sandbox — softly said,
nibble bugs until they're right." 🐇✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 28.57% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically summarizes the main change: replacing gosu with setpriv to drop three specific Linux capabilities (CAP_FOWNER, CAP_SETUID, CAP_SETGID) and referencing the issue number.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/lib/sandbox-init.sh`:
- Around line 302-303: Replace the Bash 4+ specific declarations by assigning
empty arrays directly: remove the two uses of "declare -ga" for
STEP_DOWN_PREFIX_SANDBOX and STEP_DOWN_PREFIX_GATEWAY and instead initialize
those symbols with plain array assignments compatible with Bash 3.2 (i.e., set
each variable to an empty array using the array assignment syntax), ensuring the
script remains sourceable on macOS CI; locate the lines referencing
STEP_DOWN_PREFIX_SANDBOX and STEP_DOWN_PREFIX_GATEWAY and change their
initialization accordingly.
- Around line 313-318: When stepping down to the gateway user in the
STEP_DOWN_PREFIX_GATEWAY array, stop clearing supplementary groups so the
gateway process keeps the sandbox group needed to write
/sandbox/.openclaw/openclaw.json; update the setpriv invocation in
STEP_DOWN_PREFIX_GATEWAY (the one that currently includes --clear-groups) to
either remove --clear-groups or replace it with an explicit group list that
includes sandbox (e.g., use --groups=sandbox) so gateway retains group write
access required by mutateConfigFile.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 9643b7c2-2a57-497f-a75b-33df3e7e7b5f

📥 Commits

Reviewing files that changed from the base of the PR and between 118541a and 3f5e404.

📒 Files selected for processing (5)

• agents/hermes/start.sh
• scripts/lib/sandbox-init.sh
• scripts/nemoclaw-start.sh
• test/e2e-gateway-isolation.sh
• test/sandbox-init.test.ts

[ericksoa]

Reviewed the setpriv step-down follow-up and the post-#3328 stack repair. The repaired head is mergeable against current main, CodeRabbit is green with only resolved/outdated threads, PR checks are green, and local validation passed bash syntax, build:cli, diff check, and the focused sandbox-init/nemoclaw-start tests. The full stack nightly also passed on the pre-repair stack head a5ea171.