fix(security): surface immutable symlink hardening status#1499
Merged
cv merged 2 commits intoNVIDIA:mainfrom Apr 6, 2026
Merged
fix(security): surface immutable symlink hardening status#1499cv merged 2 commits intoNVIDIA:mainfrom
cv merged 2 commits intoNVIDIA:mainfrom
Conversation
Contributor
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
🚧 Files skipped from review as they are similar to previous changes (2)
📝 WalkthroughWalkthroughAdded symlink validation and conditional hardening to the startup script ( Changes
Sequence Diagram(s)sequenceDiagram
autonumber
participant Init as Startup Script
participant Validator as validate_openclaw_symlinks()
participant FS as /sandbox/.openclaw (filesystem)
participant Hardener as harden_openclaw_symlinks()
participant Chattr as `chattr` binary
Init->>Validator: invoke (non-root & root paths)
Validator->>FS: read symlinks (readlink -f)
FS-->>Validator: resolved targets
Validator-->>Init: success/fail (return 0/1)
alt hardening available
Init->>Hardener: invoke (root path)
Hardener->>Chattr: check availability (command -v)
Chattr-->>Hardener: exists
Hardener->>FS: apply chattr +i to files/dirs
FS-->>Hardener: success/failure per path
Hardener-->>Init: log counts, return 0 (tolerant)
else chattr missing
Hardener->>Chattr: not found
Hardener-->>Init: log and return 0 (skip hardening)
end
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Poem
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
Contributor
Author
This was referenced Apr 5, 2026
cv
approved these changes
Apr 5, 2026
13ernkastel
force-pushed
the
codex/pr-1137-hardening-observability-mainline
branch
from
2842c2f to
d1c4baa
Compare
Contributor
Author
|
Maintainers: this PR has been rebased onto current |
tranzmatt
pushed a commit
to tranzmatt/NemoClaw
that referenced
this pull request
Apr 6, 2026
## Summary This follow-up builds on NVIDIA#1137 and improves the observability around immutable symlink hardening without changing the underlying defense-in-depth approach. ## What Changed - factors `.openclaw` symlink validation into a reusable helper so both startup paths use the same validation logic - adds explicit security logging when immutable hardening succeeds, is partial, or is skipped because `chattr` is unavailable - extends the gateway-isolation E2E to fail if `chattr` is missing from the image, so the mitigation cannot silently disappear ## Why The original immutable-hardening fix is directionally strong, but the `chattr` path is intentionally best-effort and currently silent. That makes the mitigation harder to trust and harder to debug because: - a missing `chattr` binary looks the same as successful hardening - partial `chattr +i` failures are suppressed with no visibility - the image can regress and stop shipping `chattr` without CI catching it These changes make the mitigation easier to audit while staying compatible with the current layered hardening model. ## Validation - `bash -n scripts/nemoclaw-start.sh` - `bash -n test/e2e-gateway-isolation.sh` - `git diff --check` - not run: `test/e2e-gateway-isolation.sh` (`docker` is not installed in this environment) ## Relationship To NVIDIA#1137 This is a repost of the follow-up originally opened as `latenighthackathon#1`, now targeted at `NVIDIA/NemoClaw` as requested. ## Note This replaces `NVIDIA#1467`, which GitHub auto-closed because the repository's contributor open-PR limit was hit at the time. Signed-off-by: 13ernkastel <LennonCMJ@live.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Enhanced startup process validation to ensure system integrity and correct configuration * Improved security hardening mechanisms with comprehensive logging and graceful fallback handling when system features are unavailable * **Tests** * Updated end-to-end integration tests to verify system hardening capabilities and feature availability <!-- end of auto-generated comment: release notes by coderabbit.ai --> Co-authored-by: Carlos Villela <cvillela@nvidia.com>
gemini2026
pushed a commit
to gemini2026/NemoClaw
that referenced
this pull request
Apr 14, 2026
## Summary This follow-up builds on NVIDIA#1137 and improves the observability around immutable symlink hardening without changing the underlying defense-in-depth approach. ## What Changed - factors `.openclaw` symlink validation into a reusable helper so both startup paths use the same validation logic - adds explicit security logging when immutable hardening succeeds, is partial, or is skipped because `chattr` is unavailable - extends the gateway-isolation E2E to fail if `chattr` is missing from the image, so the mitigation cannot silently disappear ## Why The original immutable-hardening fix is directionally strong, but the `chattr` path is intentionally best-effort and currently silent. That makes the mitigation harder to trust and harder to debug because: - a missing `chattr` binary looks the same as successful hardening - partial `chattr +i` failures are suppressed with no visibility - the image can regress and stop shipping `chattr` without CI catching it These changes make the mitigation easier to audit while staying compatible with the current layered hardening model. ## Validation - `bash -n scripts/nemoclaw-start.sh` - `bash -n test/e2e-gateway-isolation.sh` - `git diff --check` - not run: `test/e2e-gateway-isolation.sh` (`docker` is not installed in this environment) ## Relationship To NVIDIA#1137 This is a repost of the follow-up originally opened as `latenighthackathon#1`, now targeted at `NVIDIA/NemoClaw` as requested. ## Note This replaces `NVIDIA#1467`, which GitHub auto-closed because the repository's contributor open-PR limit was hit at the time. Signed-off-by: 13ernkastel <LennonCMJ@live.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Enhanced startup process validation to ensure system integrity and correct configuration * Improved security hardening mechanisms with comprehensive logging and graceful fallback handling when system features are unavailable * **Tests** * Updated end-to-end integration tests to verify system hardening capabilities and feature availability <!-- end of auto-generated comment: release notes by coderabbit.ai --> Co-authored-by: Carlos Villela <cvillela@nvidia.com>
cv
added a commit
that referenced
this pull request
Apr 17, 2026
…names (#1416) ## Summary Bundles the remaining sandbox command-hardening work with the Telegram fail-closed cleanup and the unsupported self-update-hint fix. This now includes the original `#1416` scope plus the changes that had temporarily been split into `#1500`. `#1499` remains separate on purpose. ## Linked Issues - Fixes #1029 ## Related PRs / Issues - follow-up to `#1392` - folds in `#1218` - folds in `#1215` - replaces `#1500` - keeps `#1499` separate - addresses `#896` ## Changes - re-validates sandbox names at the `createSandbox()` boundary and removes the remaining shell-string dependency from follow-on sandbox command paths - adds `runFile()` and uses argv-style execution for `setup-dns-proxy.sh` - replaces the dashboard readiness probe with the structured OpenShell helper path - requires an explicit Telegram chat allowlist before the bridge forwards prompts - adds `nemoclaw telegram` subcommands and `nemoclaw start --discover-chat-id` - preserves the reserved-sandbox-name guard added during the Telegram review follow-up - disables unsupported OpenClaw self-update hints in the generated sandbox config - propagates saved Telegram allowlists into the remote deploy env so deployed bridges stay fail-closed too - updates focused CLI/deploy tests to match the current services-based startup path on `main` ## Why These changes all tighten the default security posture around operator-managed sandboxes: - sandbox creation and follow-on helper execution rely less on shell-string construction - Telegram bridge access now fails closed unless the operator explicitly allowlists chat IDs - sandbox images stop advertising an unsupported in-container self-update path Keeping them together in `#1416` makes the remaining security review surface smaller while still leaving the separate immutable-hardening follow-up in `#1499` alone. ## Validation - `npm run build:cli` - `npx vitest run src/lib/deploy.test.ts src/lib/onboard-session.test.ts test/onboard.test.js test/cli.test.js test/runner.test.js test/service-env.test.js test/registry.test.js test/shellquote-sandbox.test.js` ## Risks / Notes - `npm run typecheck:cli` still hits the repo's existing `src/lib/*.test.ts -> ../../dist/lib/*` type-resolution issue in this environment, so validation here relies on the targeted build plus Vitest coverage above - `#1499` remains separate on purpose Signed-off-by: Chia Min Jun Lennon <LennonCMJ@live.com> --------- Signed-off-by: latenighthackathon <latenighthackathon@users.noreply.github.com> Signed-off-by: 13ernkastel <LennonCMJ@live.com> Co-authored-by: latenighthackathon <latenighthackathon@users.noreply.github.com> Co-authored-by: Test User <test@example.com> Co-authored-by: Carlos Villela <cvillela@nvidia.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This follow-up builds on #1137 and improves the observability around immutable symlink hardening without changing the underlying defense-in-depth approach.
What Changed
.openclawsymlink validation into a reusable helper so both startup paths use the same validation logicchattris unavailablechattris missing from the image, so the mitigation cannot silently disappearWhy
The original immutable-hardening fix is directionally strong, but the
chattrpath is intentionally best-effort and currently silent. That makes the mitigation harder to trust and harder to debug because:chattrbinary looks the same as successful hardeningchattr +ifailures are suppressed with no visibilitychattrwithout CI catching itThese changes make the mitigation easier to audit while staying compatible with the current layered hardening model.
Validation
bash -n scripts/nemoclaw-start.shbash -n test/e2e-gateway-isolation.shgit diff --checktest/e2e-gateway-isolation.sh(dockeris not installed in this environment)Relationship To #1137
This is a repost of the follow-up originally opened as
latenighthackathon/NemoClaw#1, now targeted atNVIDIA/NemoClawas requested.Note
This replaces
#1467, which GitHub auto-closed because the repository's contributor open-PR limit was hit at the time.Signed-off-by: 13ernkastel LennonCMJ@live.com
Summary by CodeRabbit
Chores
Tests