Protection opt-out: --allow-degraded / --disable per-protection

README.md

@@ -68,6 +68,9 @@ Sandlock is implemented in **Rust** for performance and safety:
 | Landlock TCP port rules | 6.7 (ABI v4) |
 | Landlock IPC scoping | 6.12 (ABI v6) |
 
+Protections can be selectively waived per-policy when needed — see
+[`docs/sandbox-reference.md#protection-opt-out`](docs/sandbox-reference.md#protection-opt-out).
+
 ## Install
 
 ### From source

crates/sandlock-cli/src/main.rs

@@ -121,10 +121,44 @@ struct RunArgs {
     #[arg(long)]
     no_supervisor: bool,
 
+    /// Allow the named protection to degrade silently if the host kernel ABI lacks support.
+    /// Repeatable. Accepted values: fs-refer, fs-truncate, net-tcp, fs-ioctl-dev,
+    /// signal-scope, abstract-unix-socket-scope.
+    #[arg(long = "allow-degraded", value_name = "PROTECTION")]
+    allow_degraded: Vec<String>,
+
+    /// Disable the named protection entirely (no rule emitted, no error on missing ABI).
+    /// Repeatable. Accepts the same values as --allow-degraded.
+    #[arg(long = "disable", value_name = "PROTECTION")]
+    disable: Vec<String>,
+
     #[arg(last = true)]
     cmd: Vec<String>,
 }
 
+/// Parse a kebab-case protection name into a `Protection` value.
+///
+/// The canonical names match the Landlock kernel constants
+/// (`LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET` → `abstract-unix-socket-scope`,
+/// etc.) and are case-insensitive. Accepted: `fs-refer`, `fs-truncate`,
+/// `net-tcp`, `fs-ioctl-dev`, `signal-scope`,
+/// `abstract-unix-socket-scope`.
+fn parse_protection(s: &str) -> Result<sandlock_core::Protection, String> {
+    use sandlock_core::Protection;
+    match s.to_ascii_lowercase().as_str() {
+        "fs-refer" => Ok(Protection::FsRefer),
+        "fs-truncate" => Ok(Protection::FsTruncate),
+        "net-tcp" => Ok(Protection::NetTcp),
+        "fs-ioctl-dev" => Ok(Protection::FsIoctlDev),
+        "signal-scope" => Ok(Protection::SignalScope),
+        "abstract-unix-socket-scope" => Ok(Protection::AbstractUnixSocketScope),
+        other => Err(format!(
+            "unknown protection: {} (valid: fs-refer, fs-truncate, net-tcp, fs-ioctl-dev, signal-scope, abstract-unix-socket-scope)",
+            other,
+        )),
+    }
+}
+
 #[derive(Subcommand)]
 enum ProfileAction {
     /// List available profiles
@@ -221,6 +255,14 @@ async fn main() -> Result<()> {
                     println!("  Device ioctl:   {}", if v >= 5 { "supported (ABI v5+)" } else { "not supported" });
                     println!("  IPC scoping:    {}", if v >= 6 { "supported (ABI v6+)" } else { "not supported" });
                     println!("  Signal scoping: {}", if v >= 6 { "supported (ABI v6+)" } else { "not supported" });
+
+                    println!();
+                    println!("Per-protection availability (host Landlock ABI v{}):", v);
+                    for p in sandlock_core::Protection::all() {
+                        let available = v >= p.min_abi();
+                        let marker = if available { "available" } else { "unavailable" };
+                        println!("  {:<22} requires v{} — {}", format!("{:?}", p), p.min_abi(), marker);
+                    }
                 }
                 Err(e) => {
                     println!("  Landlock: unavailable ({})", e);
@@ -475,6 +517,14 @@ async fn run_command(args: RunArgs) -> Result<i32> {
         builder = builder.no_supervisor(true);
     }
 
+    // CLI overrides — protection policy
+    for s in &args.allow_degraded {
+        builder = builder.allow_degraded(parse_protection(s).map_err(|e| anyhow!(e))?);
+    }
+    for s in &args.disable {
+        builder = builder.disable(parse_protection(s).map_err(|e| anyhow!(e))?);
+    }
+
     let policy = builder.build()?;
     let cmd_strs: Vec<&str> = if let Some(ref shell_cmd) = args.exec_shell {
         vec!["/bin/sh", "-c", shell_cmd.as_str()]

crates/sandlock-core/src/error.rs

@@ -70,6 +70,19 @@ pub enum ConfinementError {
         feature: String,
     },
 
+    /// A `Protection` in `ProtectionState::Strict` is unavailable
+    /// because the host kernel's Landlock ABI is below the
+    /// protection's `min_abi()`. Build (or `confine`) refuses to
+    /// proceed; the caller can resolve by setting that protection to
+    /// `Degradable` or `Disabled`, or by running on a kernel that
+    /// supports it.
+    #[error("required protection {protection:?} is not available: host Landlock ABI is v{host_abi}, requires v{required_abi}")]
+    ProtectionUnavailable {
+        protection: crate::protection::Protection,
+        required_abi: u32,
+        host_abi: u32,
+    },
+
     #[error("landlock error: {0}")]
     Landlock(String),