Agent Diagnostic
Investigated the sandbox seccomp filter implementation in crates/openshell-sandbox/src/sandbox/linux/seccomp.rs. The build_filter_rules() function (line 153) unconditionally blocks AF_NETLINK sockets alongside AF_PACKET, AF_BLUETOOTH, and AF_VSOCK:
```rust
let mut blocked_domains = vec![
    libc::AF_PACKET,
    libc::AF_BLUETOOTH,
    libc::AF_VSOCK,
    libc::AF_NETLINK, // <-- always blocked, not configurable
];
```
Confirmed that:
- The block applies to all network modes (Block, Proxy, Allow) — there is no policy option to relax it.
- Node.js (libuv) calls uv_interface_addresses() during startup, which uses getifaddrs(), which requires an AF_NETLINK socket on Linux.
- The same workload succeeds via oc exec into the Kubernetes pod (no OpenShell seccomp), confirming the seccomp filter is the sole cause.
- NODE_OPTIONS="--no-network-family-autodetection" is not allowed in NODE_OPTIONS by Node.js, and --no-network-family-autodetection as a direct flag does not exist in Node 22.
Description
Actual behavior: Node.js 22+ workloads (e.g., OpenClaw) crash immediately on sandbox startup with:
SystemError [ERR_SYSTEM_ERROR]: A system error occurred: uv_interface_addresses returned Unknown system error 1 (Unknown system error 1)
Expected behavior: Node.js workloads should start successfully inside the sandbox. The getifaddrs() call is read-only — it enumerates network interface addresses and does not enable proxy bypass. Proxy enforcement is handled by iptables rules in the network namespace, not by blocking netlink sockets.
Reproduction Steps
- Run:
  OPENSHELL_GATEWAY_ENDPOINT=http://localhost:8080 openshell sandbox create --forward 18789 --from openclaw -- openclaw-start
- Observe the uv_interface_addresses error in the output.
- Compare with oc exec <pod> -n openshell -- openclaw gateway --allow-unconfigured, which succeeds.
Proposed Fix
Remove libc::AF_NETLINK from the hardcoded blocked_domains list in build_filter_rules(), or make it configurable via sandbox policy. AF_PACKET, AF_BLUETOOTH, and AF_VSOCK should remain blocked as they represent actual proxy bypass vectors.
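The following C program is an added example for this report; it is not OpenShell code and does not touch build_filter_rules(). It reproduces the failure mechanism outside the sandbox: a forked child installs a seccomp BPF filter that mirrors the blocked_domains list above, returning EPERM from socket() for those domains, and then calls getifaddrs(). Node's "Unknown system error 1" is errno 1, EPERM, which is exactly what a SECCOMP_RET_ERRNO filter produces, so the probe should fail the same way. The second variant goes one step beyond the proposed fix: instead of dropping AF_NETLINK from the list entirely, it allows AF_NETLINK only when the protocol argument is NETLINK_ROUTE, the family glibc's and musl's getifaddrs() use, while NETLINK_NETFILTER (used by nftables) and every other netlink family stay blocked. The filter layout, the helper names and the exit code 200 are this example's own conventions. One caveat a reviewer of either fix should keep in mind: NETLINK_ROUTE is not read-only by construction; a process holding CAP_NET_ADMIN can add routes and addresses over it, so allowing the socket still relies on the sandbox dropping that capability.

```c
// Added example, not OpenShell code: reproduces why a seccomp filter that
// rejects socket(AF_NETLINK, ...) breaks getifaddrs(), and shows a narrower
// rule that permits AF_NETLINK only with protocol NETLINK_ROUTE.
#define _GNU_SOURCE
#include <errno.h>
#include <ifaddrs.h>
#include <linux/filter.h>
#include <linux/netlink.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* seccomp_data.args[] are 64-bit; on little-endian hosts the low word sits at
   the field's own offset, which is all we need for domain/protocol constants. */
#define ARG_LO(i) ((unsigned int)offsetof(struct seccomp_data, args[i]))

static void emit(struct sock_filter *p, int *n, unsigned short code,
                 unsigned int k, unsigned char jt, unsigned char jf) {
    p[*n].code = code; p[*n].jt = jt; p[*n].jf = jf; p[*n].k = k;
    (*n)++;
}

/* Install a filter mirroring the blocked_domains list: socket() with domain
   AF_PACKET/AF_BLUETOOTH/AF_VSOCK fails with EPERM. With narrow == 0 AF_NETLINK
   is blocked outright (the current behaviour); with narrow == 1 it is allowed
   only for NETLINK_ROUTE, the protocol getifaddrs() uses. A production filter
   would also verify seccomp_data.arch before trusting the syscall number. */
static int install_filter(int narrow) {
    struct sock_filter p[16];
    int n = 0;
    const int ret_errno = narrow ? 9 : 7;   /* index of the RET ERRNO instruction */
    const int ret_allow = ret_errno + 1;    /* index of the RET ALLOW instruction */
    /* BPF jump offsets count from the instruction after the current one. */
#define TO(idx) ((unsigned char)((idx) - (n + 1)))
    emit(p, &n, BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr), 0, 0);
    emit(p, &n, BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, TO(ret_allow));
    emit(p, &n, BPF_LD | BPF_W | BPF_ABS, ARG_LO(0), 0, 0);          /* domain */
    emit(p, &n, BPF_JMP | BPF_JEQ | BPF_K, AF_PACKET, TO(ret_errno), 0);
    emit(p, &n, BPF_JMP | BPF_JEQ | BPF_K, AF_BLUETOOTH, TO(ret_errno), 0);
    emit(p, &n, BPF_JMP | BPF_JEQ | BPF_K, AF_VSOCK, TO(ret_errno), 0);
    emit(p, &n, BPF_JMP | BPF_JEQ | BPF_K, AF_NETLINK, 0, TO(ret_allow));
    if (narrow) {
        emit(p, &n, BPF_LD | BPF_W | BPF_ABS, ARG_LO(2), 0, 0);      /* protocol */
        emit(p, &n, BPF_JMP | BPF_JEQ | BPF_K, NETLINK_ROUTE, TO(ret_allow), 0);
    }
    emit(p, &n, BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM, 0, 0);
    emit(p, &n, BPF_RET | BPF_K, SECCOMP_RET_ALLOW, 0, 0);
#undef TO
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = p };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork, install the filter in the child, call getifaddrs() there and report the
   errno it saw as the exit status (0 = success; 200 = filter could not be
   installed, a convention of this example). */
static int getifaddrs_errno_under_filter(int narrow) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_filter(narrow) != 0) _exit(200);
        struct ifaddrs *ifa = NULL;
        int err = getifaddrs(&ifa) == 0 ? 0 : errno;
        if (err == 0) freeifaddrs(ifa);
        _exit(err & 0xff);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    int blanket = getifaddrs_errno_under_filter(0);
    int narrow = getifaddrs_errno_under_filter(1);
    /* Expected on Linux: EPERM ("Unknown system error 1" in Node), then success. */
    printf("AF_NETLINK blocked:         getifaddrs() -> %s\n",
           blanket == 0 ? "ok" : strerror(blanket));
    printf("NETLINK_ROUTE only allowed: getifaddrs() -> %s\n",
           narrow == 0 ? "ok" : strerror(narrow));
    return 0;
}
```

Each probe runs in its own child because a seccomp filter cannot be removed once installed, so the two variants would otherwise stack. The filter compares only the low 32 bits of each argument; that is sufficient here because both the domain and the netlink protocol are small constants, but a rule that keys on a pointer or a 64-bit flag word would have to load and compare both halves.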
Environment
- Node.js: v22.22.1
- OpenShell: main branch (316c788)
- OS: Linux (sandbox container)