
feat(scripts): enforce build jails on linux #350

Merged
jdx merged 2 commits into main from codex/linux-jailed-builds
Apr 27, 2026

jdx commented Apr 27, 2026

Summary

  • add Linux native jailed-build enforcement with Landlock write restrictions and a seccomp network filter
  • run Linux jail setup in the child process before exec so the parent aube process is not restricted
  • keep network: true as the package-level escape hatch and fail closed when the Linux jail cannot be fully enforced
  • update jailed-build docs/settings reference and extend allow-builds BATS coverage to Linux

Validation

  • cargo check -p aube-scripts
  • cargo test -p aube-scripts
  • cargo test -p aube-settings meta::tests::workspace_yaml_keys_deserialize_onto_workspace_config
  • cargo build -p aube
  • mise run test:bats test/allow_builds.bats
  • cargo fmt --check
  • cargo clippy --all-targets -- -D warnings
  • git diff --check
  • AUBE_ENABLE_GLOBAL_VIRTUAL_STORE=false mise run docs:build

Note: plain mise run docs:build failed before VitePress because docs install hit the existing global virtual store missing-index path for @algolia/abtesting@1.16.2; rerunning with the documented per-project install override passed.


Note

Medium Risk
Adds Linux-native sandboxing for dependency lifecycle scripts using landlock and seccomp, which is security-sensitive and could break builds on kernels/architectures that can’t fully enforce the policy.

Overview
Adds Linux-native enforcement for jailBuilds by applying Landlock filesystem rules and a seccomp network filter in the child process via pre_exec, so the parent aube process stays unrestricted and scripts fail closed if the jail can’t be fully enforced.

Updates the jailed-build environment to point TMPDIR/TMP/TEMP at the temporary jail home, wires in new Linux-only deps (landlock, seccompiler, libc), and refreshes docs/settings/tests to treat native jail enforcement as supported on macOS and Linux (including BATS coverage for write/network denial and permission grants).

Reviewed by Cursor Bugbot for commit cd29edf.

greptile-apps Bot commented Apr 27, 2026

Greptile Summary

Implements Linux-native build jail enforcement using Landlock filesystem write restrictions (ABI v2, kernel ≥ 5.19) and a seccomp network filter that blocks socket()/socketpair() for AF_INET/AF_INET6 in the child process via pre_exec before exec. Previously-flagged issues — PR_SET_NO_NEW_PRIVS ordering, ABI V3 blocking LTS kernels, and missing /tmp write access — are all correctly addressed in this revision.

Confidence Score: 5/5

Safe to merge; all previously flagged P1s are resolved and the remaining finding is a minor documentation gap about seccomp coverage scope.

The three P1s from prior review rounds (PR_SET_NO_NEW_PRIVS placement, ABI V3 vs V2, /tmp write access) are all addressed. The only new finding is a P2 about connect/send syscalls being unfiltered — exploitable only via inherited non-O_CLOEXEC socket FDs, which Tokio's O_CLOEXEC discipline makes highly unlikely. P2-only result leaves confidence at 5.

crates/aube-scripts/src/linux_jail.rs — the seccomp filter scope note; no blocking issue.

Important Files Changed

| Filename | Overview |
| --- | --- |
| crates/aube-scripts/src/linux_jail.rs | New file: implements Landlock ABI V2 write restrictions and a seccomp network filter (socket/socketpair for AF_INET/AF_INET6 only). PR_SET_NO_NEW_PRIVS is correctly set at the top of apply_landlock before restrict_self(). Minor gap: connect/bind/send syscalls are not filtered, leaving a theoretical path for inherited non-O_CLOEXEC socket FDs. |
| crates/aube-scripts/src/lib.rs | Adds Linux-specific spawn_jailed_shell with pre_exec applying Landlock and seccomp. TMPDIR/TMP/TEMP redirected to jail home in apply_jail_env; std::env::temp_dir() used in Landlock policy to allow writes to the system temp dir for scripts that hardcode /tmp. |
| Cargo.toml | Adds landlock 0.4, libc 0.2, and seccompiler 0.5 to workspace dependencies; libc is deduplicated from aube/Cargo.toml. |
| test/allow_builds.bats | Extends macOS-only jail tests to Linux (platform skip guard updated); adds auth-token clearing to the baseline install test to avoid credential leakage in CI. |
| docs/package-manager/jailed-builds.md | Documents Linux Landlock ABI v2 (kernel ≥ 5.19) and the truncate caveat for kernel ≥ 6.2; accurately describes fail-closed behavior. |
| crates/aube-settings/settings.toml | Updates jailBuilds and jailBuildPermissions docs to reflect write allowlist working on both macOS and Linux. |


Reviews (3): Last reviewed commit: "fix(scripts): harden linux build jail pe..."
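Added example, not code from this PR or from aube: a model of the filter scope described in the summary above (socket()/socketpair() denied for AF_INET/AF_INET6, connect on an existing descriptor not filtered), written as a hand-assembled classic BPF program with a small evaluator so the decisions can be checked without installing a real filter. The x86_64 syscall numbers, the EPERM action and the omitted architecture check are assumptions; the PR lists seccompiler as the dependency used for the real filter.

```rust
// Added model, not aube's filter. Syscall numbers are x86_64; args[0] is read at offset 16.
const LD_ABS: u16 = 0x20; // BPF_LD | BPF_W | BPF_ABS
const JEQ: u16 = 0x15; // BPF_JMP | BPF_JEQ | BPF_K
const RET: u16 = 0x06; // BPF_RET | BPF_K
const ALLOW: u32 = 0x7fff_0000; // SECCOMP_RET_ALLOW
const DENY: u32 = 0x0005_0000 | 1; // SECCOMP_RET_ERRNO | EPERM (assumed action)
const SYS_SOCKET: u32 = 41;
const SYS_CONNECT: u32 = 42;
const SYS_SOCKETPAIR: u32 = 53;
const AF_UNIX: u64 = 1;
const AF_INET: u64 = 2;
const AF_INET6: u64 = 10;

struct Insn { code: u16, jt: u8, jf: u8, k: u32 }
const fn i(code: u16, jt: u8, jf: u8, k: u32) -> Insn { Insn { code, jt, jf, k } }
fn network_filter() -> Vec<Insn> {
    vec![
        i(LD_ABS, 0, 0, 0),            // 0: A = seccomp_data.nr
        i(JEQ, 1, 0, SYS_SOCKET),      // 1: socket -> 3
        i(JEQ, 0, 4, SYS_SOCKETPAIR),  // 2: socketpair -> 3, anything else -> 7
        i(LD_ABS, 0, 0, 16),           // 3: A = low word of args[0] (domain)
        i(JEQ, 1, 0, AF_INET as u32),  // 4: AF_INET -> 6
        i(JEQ, 0, 1, AF_INET6 as u32), // 5: AF_INET6 -> 6, other family -> 7
        i(RET, 0, 0, DENY),            // 6
        i(RET, 0, 0, ALLOW),           // 7
    ]
}

// Minimal classic-BPF evaluator over seccomp_data (nr at offset 0, args[0] at 16).
fn evaluate(prog: &[Insn], nr: u32, arg0: u64) -> u32 {
    let (mut pc, mut a) = (0usize, 0u32);
    loop {
        let ins = &prog[pc];
        pc += 1; // jump offsets are relative to the next instruction
        match ins.code {
            LD_ABS => a = match ins.k { 0 => nr, 16 => arg0 as u32, _ => 0 },
            JEQ => pc += usize::from(if a == ins.k { ins.jt } else { ins.jf }),
            RET => return ins.k,
            _ => return 0, // unknown opcode: SECCOMP_RET_KILL_THREAD
        }
    }
}

fn main() {
    let f = network_filter();
    println!("socket(AF_INET) allowed: {}", evaluate(&f, SYS_SOCKET, AF_INET) == ALLOW);
    println!("socket(AF_UNIX) allowed: {}", evaluate(&f, SYS_SOCKET, AF_UNIX) == ALLOW);
    println!("connect(fd 3) allowed: {}", evaluate(&f, SYS_CONNECT, 3) == ALLOW);
}
```

The last call is the case the summary flags: connect never reaches the address-family check, so the policy relies on no socket descriptor being inherited across exec.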

Comment thread crates/aube-scripts/src/lib.rs Outdated
Comment thread crates/aube-scripts/src/lib.rs Outdated
Comment on lines +64 to +73
pub fn apply_landlock(jail: &ScriptJail, home: &Path) -> Result<(), String> {
let abi = ABI::V3;
let read_access = AccessFs::from_read(abi);
let full_access = read_access | AccessFs::from_write(abi);
let mut ruleset = Ruleset::default()
.set_compatibility(CompatLevel::HardRequirement)
.handle_access(full_access)
.map_err(|e| format!("failed to create jail ruleset: {e}"))?
.create()
.map_err(|e| format!("failed to create jail ruleset: {e}"))?;
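Review bot: the two `.map_err` closures, on `.handle_access(full_access)` and on `.create()`, return the identical string `failed to create jail ruleset: {e}`, so when the jail fails closed the message does not show which step rejected the policy. Give the `handle_access` error its own wording (for example "failed to declare handled access rights") so a report from a user on an older kernel can be told apart from a ruleset creation failure.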

P2 Landlock ABI::V3 requires kernel ≥ 6.2, blocking common LTS distros

ABI::V3 was introduced in Linux 6.2 (it added LANDLOCK_ACCESS_FS_TRUNCATE). Combined with CompatLevel::HardRequirement, any kernel between 5.13 and 6.1 will fail the handle_access call, causing all jailed builds to fail-close. This covers widely deployed distributions: Ubuntu 22.04 LTS ships kernel 5.15, Debian 12 ("Bookworm") ships 6.1, RHEL/Rocky/AlmaLinux 9 ship 5.14. Users on those systems who enable jailBuilds: true will see a hard error even though Landlock is fully available and capable of enforcing the meaningful access controls (V1/V2 rights cover almost all of the policy). At minimum the required kernel version (≥ 6.2) should be documented in jailed-builds.md; optionally consider downgrading to ABI::V2 (kernel ≥ 5.19) which is sufficient for the write-restriction goal and covers more of the installed base.


jdx force-pushed the codex/linux-jailed-builds branch from 0c83150 to 751729b, April 27, 2026 20:51
Comment thread crates/aube-scripts/src/linux_jail.rs
- set PR_SET_NO_NEW_PRIVS before landlock restrict_self() and on every
  code path so a setuid exec cannot escape, including network: true
- add std::env::temp_dir() to the writable allowlist for parity with the
  macOS Seatbelt /tmp + /private/tmp rules
- target Landlock ABI v2 (kernel >= 5.19) so Ubuntu 22.04, Debian 12,
  RHEL 9 stop fail-closing; v3 only added LANDLOCK_ACCESS_FS_TRUNCATE

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
jdx merged commit 6ff9297 into main Apr 27, 2026
17 checks passed
jdx deleted the codex/linux-jailed-builds branch April 27, 2026 23:01
greptile-apps Bot mentioned this pull request Apr 27, 2026