docs: document the Kratos Landlock filesystem sandbox#2550
Open
gaultier wants to merge 11 commits into
Open
Conversation
Documents the new Landlock-based filesystem sandbox shipped with Kratos: the unconfigurable Jsonnet-worker layer (all channels), the kratos serve sandbox on Network/OEL, the `security.landlock.*` configuration knobs, symlink/cert-renewal caveats, the local `$ref` breaking change for identity schemas, and EPERM troubleshooting steps. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds short callouts on identity-schema, courier-template, Jsonnet, TLS, production, and troubleshooting pages so self-hosted operators discover the filesystem-sandbox restrictions (auto-allowed paths, the local-\$ref breaking change, cert-renewal symlink swaps, and EPERM debugging) from the pages they already read. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Drops the "Breaking change" heading and "after the upgrade" / "keep the previous behaviour" phrasing so the page reads as a feature reference rather than a release note. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Leaf grants on individual cert/key files do require a restart after a symlink swap, but a grant on the containing directory (e.g. /etc/letsencrypt) covers both the live/ symlink and the new archive/ target, so certbot and cert-manager renewals are transparent. Document this on both the TLS guide and the canonical Landlock page. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Single-process Go program that asserts the directory-grant claim in the Landlock sandbox page: with RWDirs on a directory, a symlink under it can be re-pointed to a sibling file at runtime and reads through the symlink keep working without any rule update. Mirrors the cert-manager / certbot renewal pattern. Linux 5.13+ only. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Kratos now walks the loaded config at startup and allow-lists every file:// URI it finds — identity schemas, OIDC mappers, courier templates, web-hook bodies, tokenizer JWKS files, and any future file:// field. Update the canonical Landlock page to describe the generic auto-discovery (and the caveat about legacy bare paths), flip the SMTP and courier-template callouts from "you must add to allowed_paths" to "auto-allowed, no action required", and broaden the production guide accordingly. Also adds SMTP client cert/key paths to the auto-allowed list. The $ref-inside-schema-body case still requires manual allow-listing (auto-discovery walks the config, not the JSON bodies the config points at). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
gaultier
requested review from
aeneasr,
piotrmsc,
unatasha8,
vinckr,
wassimoo and
zepatrik
as code owners
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Plus Run ID: ⛔ Files ignored due to path filters (10)
📒 Files selected for processing (2)
✨ Finishing Touches🧪 Generate unit tests (beta)
Tip 💬 Introducing Slack Agent: The best way for teams to turn conversations into code.Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.
Built for teams:
One agent for your entire SDLC. Right inside Slack. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Impl: https://github.com/ory-corp/cloud/pull/11693
Summary
docs/security-compliance/landlock-sandbox.mdxdescribing the Landlock sandbox shipping with Kratos: the unconfigurable Jsonnet-worker layer (OSS / Network / OEL) and thekratos servesandbox (Network / OEL). Covers what is auto-allowed (everyfile://URI in the config, TLS material, SMTP client certs, the courier template directory, the SQLite database directory, etc.), thesecurity.landlock.*configuration, the symlink / cert-renewal nuance (leaf grant ⇒ restart, directory grant ⇒ transparent), the local$ref-in-identity-schemas case, and anEPERMtroubleshooting walkthrough (audit log +strace).Tracks the changeset at
cloud/.changesets/next/2026-04-27_17-36-12.md.Test plan
/docs/security-compliance/landlock-sandbox— the page appears under Security and compliance without manual sidebar wiring.🤖 Generated with Claude Code