
fix: Implement proper sandbox enforcement with corrected Landlock#57

Merged: rexlunae merged 1 commit into main from fix/sandbox-enforcement on Feb 17, 2026

Conversation

@rexlunae (Owner)

Summary

Implements proper sandbox enforcement based on security findings from @aecs4u (PR #21), with a critical fix to the Landlock implementation.

Security Issues Fixed

| Issue | Status |
|---|---|
| PathValidation was no-op | ✅ Fixed |
| Background commands bypassed sandbox | ✅ Fixed |
| Yield-mode had unsandboxed window | ✅ Fixed |
| Landlock semantics inverted | CRITICAL FIX |

The Landlock Bug (Critical)

The original PR #21 implementation misunderstood Landlock's security model:

// PR #21 code - THIS IS WRONG!
// PathBeneath::new() ALLOWS access, it doesn't deny it
// (landlock crate: rules take a PathFd, and add_rule consumes and returns the ruleset)
for deny_path in &policy.deny_read {
    ruleset = ruleset.add_rule(PathBeneath::new(PathFd::new(deny_path)?, AccessFs::from_read(abi)))?;
}

Landlock is ALLOWLIST-based: you specify what IS allowed, and the kernel denies everything else. The original code would have ALLOWED access to credentials instead of denying them!

The Fix

// Correct implementation - allowlist model
// (paths are string literals, not char literals; PathBeneath takes a PathFd;
// add_rule consumes and returns the ruleset, so reassign and propagate errors)
// 1. Allow system paths (read-only)
for path in ["/usr", "/lib", "/bin", "/etc", "/proc", "/sys", "/dev"] {
    ruleset = ruleset.add_rule(PathBeneath::new(PathFd::new(path)?, AccessFs::from_read(abi)))?;
}
// 2. Allow temp paths (read+write)
for path in ["/tmp", "/var/tmp"] {
    ruleset = ruleset.add_rule(PathBeneath::new(PathFd::new(path)?, AccessFs::from_all(abi)))?;
}
// 3. Allow workspace (full access)
ruleset = ruleset.add_rule(PathBeneath::new(PathFd::new(workspace)?, AccessFs::from_all(abi)))?;

// Credentials are DENIED BY OMISSION - not in allowlist = blocked by kernel
// (only for access rights the ruleset handles; restrict_self() must still be called to enforce)

Changes

  • src/sandbox.rs: Complete sandbox implementation with corrected Landlock
  • docs/SANDBOX.md: Comprehensive documentation (927 lines)
  • tests/sandbox_enforcement.rs: Integration tests

Sandbox Modes Supported

| Mode | Platform | Strength |
|---|---|---|
| Landlock+Bubblewrap | Linux 5.13+ | Strongest (defense-in-depth) |
| Landlock | Linux 5.13+ | Strong (kernel-enforced) |
| Bubblewrap | Linux | Strong (namespace isolation) |
| macOS Sandbox | macOS | Strong (seatbelt) |
| Docker | Cross-platform | Strong (container) |
| Path Validation | All | Basic (software-only) |

Attribution

References
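
Added example, not code from this PR or from the project's src/sandbox.rs: a std-only Rust model of how one Landlock layer resolves a filesystem access. Rights granted by every PathBeneath rule on the path hierarchy are OR'ed together, rules only ever grant, and rights the ruleset does not handle are never restricted. The block builds the ruleset both the PR #21 way and the allowlist way and evaluates the same credential and workspace paths under each, which makes the inversion visible. The Policy struct, the access bits, the /home/dev paths and the workspace root are assumptions constructed for the demo; nothing here calls the kernel, so it runs on any platform.

```rust
// Added example, not the project's src/sandbox.rs: a std-only model of how one
// Landlock layer decides a filesystem access. Nothing here calls the kernel.
use std::path::Path;

// Hypothetical access-right bits standing in for the landlock crate's AccessFs flags.
pub const READ_FILE: u32 = 1 << 0;
pub const READ_DIR: u32 = 1 << 1;
pub const WRITE_FILE: u32 = 1 << 2;
pub const MAKE_REG: u32 = 1 << 3;
pub const READ: u32 = READ_FILE | READ_DIR; // ~ AccessFs::from_read(abi)
pub const ALL: u32 = READ | WRITE_FILE | MAKE_REG; // ~ AccessFs::from_all(abi)

/// A PathBeneath-style rule: `access` is GRANTED to `parent` and everything beneath it.
#[derive(Debug, Clone)]
pub struct Rule {
    pub parent: String,
    pub access: u32,
}

/// A ruleset: the rights it handles (and therefore restricts) plus its allow rules.
#[derive(Debug, Clone)]
pub struct Ruleset {
    pub handled: u32,
    pub rules: Vec<Rule>,
}

impl Ruleset {
    pub fn new(handled: u32) -> Self {
        Self { handled, rules: Vec::new() }
    }

    /// Mirrors RulesetCreated::add_rule: consumes and returns the ruleset.
    pub fn add_rule(mut self, parent: &str, access: u32) -> Self {
        self.rules.push(Rule { parent: parent.to_string(), access });
        self
    }

    /// One-layer Landlock semantics: a requested right passes if the ruleset does
    /// not handle it at all, or if some rule on the path hierarchy grants it.
    /// Matching is component-wise (Path::starts_with), so "/usrx" is not under "/usr".
    pub fn allows(&self, path: &str, requested: u32) -> bool {
        let target = Path::new(path);
        let granted = self
            .rules
            .iter()
            .filter(|r| target.starts_with(&r.parent))
            .fold(0u32, |acc, r| acc | r.access);
        let effective = (requested & !self.handled) | (requested & granted);
        effective == requested
    }
}

/// The sandbox policy as the PR describes it (assumed shape): a workspace root
/// and a deny list of secret locations.
pub struct Policy {
    pub workspace: String,
    pub deny_read: Vec<String>,
}

/// PR #21's construction: feeds the deny list into PathBeneath rules, which grant.
pub fn build_inverted(policy: &Policy) -> Ruleset {
    let mut rs = Ruleset::new(ALL);
    for p in &policy.deny_read {
        rs = rs.add_rule(p, READ); // grants read on exactly the paths meant to be blocked
    }
    rs
}

/// The fix: enumerate what is allowed; anything not listed is denied by omission.
pub fn build_allowlist(policy: &Policy) -> Ruleset {
    let mut rs = Ruleset::new(ALL);
    for p in ["/usr", "/lib", "/bin", "/etc", "/proc", "/sys", "/dev"] {
        rs = rs.add_rule(p, READ);
    }
    for p in ["/tmp", "/var/tmp"] {
        rs = rs.add_rule(p, ALL);
    }
    rs.add_rule(&policy.workspace, ALL)
}

/// Demo policy (constructed for this example; paths are not from the project).
pub fn demo_policy() -> Policy {
    Policy {
        workspace: "/home/dev/project".to_string(),
        deny_read: vec!["/home/dev/.aws".to_string(), "/home/dev/.ssh".to_string()],
    }
}

fn main() {
    let policy = demo_policy();
    let creds = "/home/dev/.aws/credentials";
    let src = "/home/dev/project/src/main.rs";
    for (name, rs) in [("PR #21 rules", build_inverted(&policy)), ("allowlist fix", build_allowlist(&policy))] {
        println!(
            "{name}: read {creds} -> {}, write {src} -> {}",
            rs.allows(creds, READ_FILE),
            rs.allows(src, WRITE_FILE)
        );
    }
}
```

Under the PR #21 construction the credentials file is readable and the workspace is not writable; under the allowlist the reverse holds. The model also shows the caveat behind "denied by omission": a right the ruleset does not handle is never restricted, so with the real landlock crate the `handle_access(...)` set has to cover the full `AccessFs::from_all(abi)` for the ABI the running kernel actually supports (`ABI::new_current()`), otherwise rights that only exist on newer kernels, such as truncate from ABI v3, stay unrestricted even though no rule grants them.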

@rexlunae force-pushed the fix/sandbox-enforcement branch 2 times, most recently from 9221f2b to e004800 on February 17, 2026 00:57

Based on security findings from @aecs4u (PR #21), with critical Landlock fix.

## Security Issues Fixed

1. **PathValidation was no-op** — now properly validates against deny lists
2. **Background commands bypassed sandbox** — now wrapped before spawning
3. **Landlock semantics were inverted** — CRITICAL: original code would ALLOW
   credentials instead of denying them

## Landlock Fix (the critical change)

The original implementation misunderstood Landlock's security model. Landlock
is ALLOWLIST-based: you specify what IS allowed, everything else is denied.

The fix:
- Allow system paths: /usr, /lib, /bin, /etc, /proc, /sys, /dev (read)
- Allow temp paths: /tmp, /var/tmp (read+write)
- Allow workspace (full access)
- Credentials denied BY OMISSION (not in allowlist = denied)

## Changes (cherry-picked from PR #21, sandbox commits only)

- src/sandbox.rs: Complete sandbox implementation with corrected Landlock
- docs/SANDBOX.md: Comprehensive documentation
- tests/sandbox_enforcement.rs: Integration tests

## Attribution

Security finding and initial implementation by @aecs4u.
Landlock semantics fix reviewed against Landlock API docs.

Closes #22
Supersedes #21
@rexlunae force-pushed the fix/sandbox-enforcement branch from e004800 to 512ef0a on February 17, 2026 01:02
@rexlunae rexlunae merged commit 7ce4368 into main Feb 17, 2026
10 checks passed
@rexlunae rexlunae deleted the fix/sandbox-enforcement branch February 17, 2026 01:07

Development

Successfully merging this pull request may close these issues.

Sandbox PathValidation and background command bypass

1 participant