
fix(server): validate discovered sandbox policy against restrictive baseline #340

Closed
drew wants to merge 1 commit into NVIDIA:main from vincentkoc:codex/propose-fix-for-sandbox-policy-vulnerability

Conversation

@drew (Collaborator) commented Mar 16, 2026

Motivation

  • Prevent untrusted sandbox images from injecting a more permissive policy when the gateway omits a baseline, which could widen network/filesystem access and bypass the restrictive default.
  • Ensure the server enforces the same static-field, network-mode, and safety constraints for a sandbox-discovered policy as it does for baseline-backed updates.

Description

  • In crates/openshell-server/src/grpc.rs update_sandbox_policy, when spec.policy is None the server now constructs a restrictive baseline via openshell_policy::restrictive_default_policy() and validates the incoming policy against it before accepting and backfilling spec.policy.
  • The new path runs validate_static_fields_unchanged, validate_network_mode_unchanged, and validate_policy_safety against the restrictive baseline prior to persisting the discovered policy.
  • This preserves the intended backfill behavior for legitimately restrictive policies while blocking permissive policies originating from container disk discovery.

Testing

  • Ran cargo fmt --all -- --check, which completed successfully.
  • Attempted mise run pre-commit, which did not complete in this environment due to mise configuration/tool resolution warnings and no runnable tasks being detected.
  • Attempted targeted unit tests (cargo test -p openshell-server validate_network_mode_rejects_block_to_proxy and cargo test -p openshell-policy validate_sandbox_policy_accepts_default), but native dependency builds were long-running and did not complete within the session; no test failures were observed from completed tooling steps.

Codex Task
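The validation path the description lays out, as an added Rust sketch that is not openshell's own code: the policy type, the network modes, the three validate_* functions and the "before"/"after" update functions are all assumed shapes chosen to make the check runnable, named after the functions the PR mentions.

```rust
// Added sketch: simplified stand-ins for the types and validate_* functions the PR names, not openshell code.
#[derive(Clone, Debug, PartialEq)]
pub enum NetworkMode { Proxy, Block, Host }
#[derive(Clone, Debug, PartialEq)]
pub struct SandboxPolicy {
    pub name: String,            // static field, fixed by the sandbox spec
    pub network: NetworkMode,    // may not change on update
    pub writable_paths: Vec<String>,
}

/// Stand-in for openshell_policy::restrictive_default_policy(): proxy-only network, only /tmp writable.
pub fn restrictive_default_policy(name: &str) -> SandboxPolicy {
    SandboxPolicy { name: name.into(), network: NetworkMode::Proxy, writable_paths: vec!["/tmp".into()] }
}

fn validate_static_fields_unchanged(base: &SandboxPolicy, new: &SandboxPolicy) -> Result<(), String> {
    if base.name != new.name { return Err(format!("static field name changed: {} -> {}", base.name, new.name)); }
    Ok(())
}

fn validate_network_mode_unchanged(base: &SandboxPolicy, new: &SandboxPolicy) -> Result<(), String> {
    if base.network != new.network { return Err(format!("network mode changed: {:?} -> {:?}", base.network, new.network)); }
    Ok(())
}

fn validate_policy_safety(new: &SandboxPolicy) -> Result<(), String> {
    // Constructed safety rule: "/" is never writable and host networking is never allowed.
    if new.writable_paths.iter().any(|p| p == "/") { return Err("policy makes / writable".into()); }
    if new.network == NetworkMode::Host { return Err("host networking is not allowed".into()); }
    Ok(())
}

fn validate_against(base: &SandboxPolicy, new: &SandboxPolicy) -> Result<(), String> {
    validate_static_fields_unchanged(base, new)?;
    validate_network_mode_unchanged(base, new)?;
    validate_policy_safety(new)
}

/// Before the fix: with no stored baseline, the policy discovered on the container disk was backfilled unchecked.
pub fn update_policy_before(stored: Option<&SandboxPolicy>, discovered: SandboxPolicy) -> Result<SandboxPolicy, String> {
    if let Some(base) = stored { validate_against(base, &discovered)?; }
    Ok(discovered)
}

/// After the fix: a missing baseline is replaced by the restrictive default, then the same checks run.
pub fn update_policy_after(stored: Option<&SandboxPolicy>, discovered: SandboxPolicy) -> Result<SandboxPolicy, String> {
    let fallback = restrictive_default_policy(&discovered.name);
    validate_against(stored.unwrap_or(&fallback), &discovered)?;
    Ok(discovered)
}
```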

drew added labels integration:aardvark (Aardvark integration) and integration:codex (Codex integration) on Mar 16, 2026

@github-actions

Thank you for your submission! We ask that you sign our Developer Certificate of Origin before we can accept your contribution. You can sign the DCO by adding a comment below using this text:

I have read the DCO document and I hereby sign the DCO.

You can retrigger this bot by commenting recheck in this Pull Request. Posted by the DCO Assistant Lite bot.

@johntmyers (Collaborator)

Closing in favor of consolidated re-implementation. See #350 for tracking.
