Skip to content

Commit 6525bab

Browse files
committed
fix(sandbox): convert new Landlock path-skip warning to OCSF
PR #677 added a warn!() for inaccessible Landlock paths in best-effort mode. Convert to ConfigStateChangeBuilder with degraded state so it flows through the OCSF shorthand format consistently.
1 parent 445bf21 commit 6525bab

File tree

4 files changed

+23
-20
lines changed

4 files changed

+23
-20
lines changed

crates/openshell-sandbox/src/proxy.rs

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -2075,9 +2075,7 @@ async fn handle_forward_proxy(
20752075
.severity(SeverityId::Low)
20762076
.status(StatusId::Failure)
20772077
.dst_endpoint(Endpoint::from_domain(&host_lc, port))
2078-
.message(format!(
2079-
"Failed to clone OPA engine for forward L7: {e}"
2080-
))
2078+
.message(format!("Failed to clone OPA engine for forward L7: {e}"))
20812079
.build();
20822080
ocsf_emit!(event);
20832081
regorus::Engine::new()

crates/openshell-sandbox/src/sandbox/linux/landlock.rs

Lines changed: 10 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -169,11 +169,16 @@ fn try_open_path(path: &Path, compatibility: &LandlockCompatibility) -> Result<O
169169
"Skipping non-existent Landlock path (best-effort mode)"
170170
);
171171
} else {
172-
warn!(
173-
path = %path.display(),
174-
error = %err,
175-
reason,
176-
"Skipping inaccessible Landlock path (best-effort mode)"
172+
openshell_ocsf::ocsf_emit!(
173+
openshell_ocsf::ConfigStateChangeBuilder::new(crate::ocsf_ctx())
174+
.severity(openshell_ocsf::SeverityId::Medium)
175+
.status(openshell_ocsf::StatusId::Failure)
176+
.state(openshell_ocsf::StateId::Other, "degraded")
177+
.message(format!(
178+
"Skipping inaccessible Landlock path (best-effort) [path:{} error:{err}]",
179+
path.display()
180+
))
181+
.build()
177182
);
178183
}
179184
Ok(None)

crates/openshell-sandbox/src/sandbox/linux/netns.rs

Lines changed: 11 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -283,17 +283,17 @@ impl NetworkNamespace {
283283
&proxy_port_str,
284284
&log_prefix,
285285
) {
286-
openshell_ocsf::ocsf_emit!(openshell_ocsf::ConfigStateChangeBuilder::new(
287-
crate::ocsf_ctx()
288-
)
289-
.severity(openshell_ocsf::SeverityId::Medium)
290-
.status(openshell_ocsf::StatusId::Failure)
291-
.state(openshell_ocsf::StateId::Disabled, "failed")
292-
.message(format!(
293-
"Failed to install IPv4 bypass detection rules [ns:{}]: {e}",
294-
self.name
295-
))
296-
.build());
286+
openshell_ocsf::ocsf_emit!(
287+
openshell_ocsf::ConfigStateChangeBuilder::new(crate::ocsf_ctx())
288+
.severity(openshell_ocsf::SeverityId::Medium)
289+
.status(openshell_ocsf::StatusId::Failure)
290+
.state(openshell_ocsf::StateId::Disabled, "failed")
291+
.message(format!(
292+
"Failed to install IPv4 bypass detection rules [ns:{}]: {e}",
293+
self.name
294+
))
295+
.build()
296+
);
297297
return Err(e);
298298
}
299299

crates/openshell-sandbox/src/ssh.rs

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,6 @@ use openshell_ocsf::{
1717
FindingInfo, SeverityId, SshActivityBuilder, StatusId, ocsf_emit,
1818
};
1919
use rand_core::OsRng;
20-
use tracing::warn;
2120
use russh::keys::{Algorithm, PrivateKey};
2221
use russh::server::{Auth, Handle, Session};
2322
use russh::{ChannelId, CryptoVec};
@@ -31,6 +30,7 @@ use std::sync::{Arc, Mutex, mpsc};
3130
use std::time::{Duration, Instant, SystemTime, UNIX_EPOCH};
3231
use tokio::io::{AsyncReadExt, AsyncWriteExt};
3332
use tokio::net::TcpListener;
33+
use tracing::warn;
3434

3535
const PREFACE_MAGIC: &str = "NSSH1";
3636
#[cfg(test)]

0 commit comments

Comments
 (0)