
[Security] MEDIUM: Silent isolation degradation in locked profile — caller cannot detect failure #5

@piyushsingariya

Description


Summary

In the locked Docker profile (--cap-drop ALL with only CHOWN, DAC_OVERRIDE, FOWNER, SETUID, SETGID caps added), isolation=auto attempts IsolationNamespace (CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWPID), but this fails at runtime because creating user namespaces requires capabilities that the locked profile drops. External command spawning fails with "operation not permitted", but the sandbox does not surface this failure to the caller — there is no error return, no callback, and no way to distinguish "isolation applied successfully" from "isolation failed, running unconstrained."

Observed behavior (locked profile, isolation=auto)

docker exec agentic-bash-locked agentic-bash run --isolation auto \
  --cmd 'ln -s /etc/passwd /home/user/link; cat /home/user/link'
# Output: error: fork/exec /usr/bin/ln: operation not permitted

The external command fails entirely — not with a clean error message, but with an opaque fork/exec failure. The sandbox appears to "work" (no crash, no error from the sandbox API), but external commands are silently unusable.

Related code

Impact

  • Operators deploying the sandbox in capability-restricted environments (Kubernetes with securityContext, locked Docker profiles) may believe isolation is active when it is not
  • Silent failure mode makes it impossible to build reliable "require isolation or fail" logic around the sandbox
  • Shell-only operations (builtins, pure shell scripts) succeed while all external commands fail — behavior is unpredictable and confusing

Fix

  1. Return an error from sandbox.New() if the requested isolation level is unavailable in the current environment
  2. Expose effective isolation level: Add Sandbox.EffectiveIsolation() to let callers verify what was actually applied
  3. Add an IsolationStrict option: When set, fail fast if the requested isolation level cannot be achieved, rather than degrading silently
  4. Pre-flight check: Validate namespace/Landlock availability at sandbox creation time, not at first command execution
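The four fixes above, sketched as an added Go example that is not the project's own code: New() runs the namespace probe at creation time and returns an error in strict mode, and the Sandbox exposes what was actually applied. The sandbox.New signature, the strict flag standing in for IsolationStrict, the DegradedReason accessor, and probing with /bin/true are assumptions; the probe uses Linux-only clone flags, and the policy logic is separated from the probe so it can be exercised on any kernel.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"syscall"
)

type Isolation int // isolation level actually applied to the sandbox
const (
	IsolationNone      Isolation = iota // no kernel isolation
	IsolationNamespace                  // CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWPID
)

// Sandbox records what was actually applied so callers can verify it (fix 2).
type Sandbox struct {
	effective Isolation
	degraded  error // non-nil when namespace isolation was requested but unavailable
}
func (s *Sandbox) EffectiveIsolation() Isolation { return s.effective }
func (s *Sandbox) DegradedReason() error        { return s.degraded }

// probeNamespaces clones a trivial child with the flags the sandbox would use, so a
// capability-dropped container fails here, not at the first real command (fix 4).
func probeNamespaces() error {
	cmd := exec.Command("/bin/true")
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Cloneflags: syscall.CLONE_NEWUSER | syscall.CLONE_NEWNS | syscall.CLONE_NEWPID}
	err := cmd.Run() // refused: "fork/exec /bin/true: operation not permitted"
	if errors.Is(err, syscall.EPERM) { // dropped capabilities, seccomp, or sysctl
		return fmt.Errorf("user namespaces denied by kernel policy: %w", err)
	}
	return err
}

// New attempts namespace isolation and validates it at creation time (fix 1); strict
// stands in for the proposed IsolationStrict option (fix 3). The probe is injectable.
func New(strict bool) (*Sandbox, error) { return newWithProbe(strict, probeNamespaces) }

func newWithProbe(strict bool, probe func() error) (*Sandbox, error) {
	if err := probe(); err != nil {
		reason := fmt.Errorf("namespace isolation unavailable: %w", err)
		if strict {
			return nil, reason // fail fast instead of degrading silently
		}
		return &Sandbox{effective: IsolationNone, degraded: reason}, nil
	}
	return &Sandbox{effective: IsolationNamespace}, nil
}
```

A caller that needs a hard guarantee calls New(true) and treats an error as a deployment misconfiguration; a caller that tolerates degradation calls New(false) and checks EffectiveIsolation() before trusting the result.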

Severity

Medium — does not directly enable escape, but means operators cannot rely on isolation guarantees in constrained environments, and may ship systems they believe are isolated when they are not.
