fix(sandbox): grant /dev/pts so OpenClaw tmux-session flow can allocate a PTY (#4513)

[yimoj]

Summary

The reopened #4513: PR #4606 installed tmux in the sandbox image, but OpenClaw's bundled tmux-session flow still failed with create window failed: fork failed: Permission denied, and #4640 then degraded the e2e drive to a soft skip. This grants /dev/pts in the OpenClaw sandbox landlock filesystem policy so the flow can actually allocate a PTY, and restores the e2e to a hard assertion.

Related Issue

Fixes #4513

Changes

Root cause (diagnosed, not assumed): it is not fork/seccomp/nproc — plain fork() works and nproc (512) is nearly empty. It is PTY allocation. The OpenShell sandbox landlock filesystem_policy grants /dev/null and /dev/urandom but never /dev/pts, so forkpty() opening /dev/ptmx (→ /dev/pts/ptmx) and a /dev/pts/<n> slave is denied with EACCES. tmux surfaces that EACCES as create window failed: fork failed: Permission denied.

• nemoclaw-blueprint/policies/openclaw-sandbox.yaml: add /dev/pts to filesystem_policy.read_write with the PTY rationale. Grant the directory, not /dev/ptmx — the supervisor refuses to chown the /dev/ptmx symlink, and the devpts directory grant covers ptmx + slaves via the landlock path hierarchy.
• nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml and agents/openclaw/policy-permissive.yaml: mirror /dev/pts so shields down never removes a live filesystem path (OpenShell rejects live filesystem removals). Same base+permissive pattern as the prior /home/linuxbrew ([Sandbox] brew policy preset cannot bootstrap Homebrew: sandbox lacks filesystem write to /home/linuxbrew #3913) and GPU /proc additions, which permissive-runtime already unions on shields-down.
• test/e2e/test-sandbox-operations.sh (TC-SBX-09): restore the lifecycle drive to a hard assertion (drop the test(e2e): skip TC-SBX-09 lifecycle drive when sandbox blocks tmux fork #4640 fork-failure soft skip), add an explicit openpty() probe that pins the root cause, and fail loudly if devpts ever regresses. The PTY_OK sentinel is emitted by a shell && echo (not inside the python source) so a Python traceback echoing the source line cannot make the probe falsely pass.
• test/runner.test.ts: assert both OpenClaw policies grant /dev/pts (and not /dev/ptmx), and that TC-SBX-09 no longer skips on fork failure.
• docs/reference/network-policies.mdx, docs/security/best-practices.mdx: list /dev/pts as a default writable path with the tmux rationale.

Verification

Reporter-workflow E2E — exact tmux-session/forkpty flow inside the hardened NemoClaw sandbox.

Reproduced and verified hermetically with the real openshell-sandbox supervisor (which applies the live seccomp + landlock + RLIMIT_NPROC hardening; no gateway/GPU needed), running inside ghcr.io/nvidia/nemoclaw/sandbox-base + tmux, driven by the actual edited openclaw-sandbox.yaml as the policy data.

Command (same shape as TC-SBX-09):

openshell-sandbox --policy-rules sandbox-policy.rego --policy-data <openclaw-sandbox.yaml> -- \
  bash -lc 'export TMUX_TMPDIR=/tmp; python3 -c "import os; _,s=os.openpty(); print(os.ttyname(s))";
            tmux new-session -d -s smoke "sleep 30"; tmux list-sessions; tmux kill-session -t smoke; echo TMUX_FLOW_OK'

Logs:

# BEFORE (committed policy, no /dev/pts):
-- openpty --  PermissionError: [Errno 13] Permission denied
-- tmux --     create window failed: fork failed: Permission denied      (new/list/kill RC=1/1/1)

# AFTER (this PR's policy, /dev/pts granted):
-- openpty --  /dev/pts/0
-- tmux --     smoke: 1 windows (created ...)                            (new/list/kill RC=0/0/0)  TMUX_FLOW_OK

This is the exact bundled tmux-session lifecycle (new-session → list-sessions → kill-session) the reporter hit. Pipeline coverage: the restored TC-SBX-09 (test/e2e/test-sandbox-operations.sh) drives this same lifecycle plus the openpty() root-cause probe against a live OpenShell sandbox on the scheduled E2E job, now as a hard assertion (a fork failed is a failure, not a skip).

PR CI on head b75befddb: all required checks green — static-checks, build-typecheck, cli-test-shards (1–5), plugin-tests, unit-vitest-linux, ShellCheck, CodeQL, wsl-e2e, macos-e2e, dco-check, commit-lint, codebase-growth-guardrails (run 27184680225).

• npx prek run --all-files passes (all formatter/lint/security/docs hooks green; the heavy Test (CLI) hook shows only load-induced timeout flakes that pass in isolation — this change touches no src/ code)
• npm test — targeted suites pass (runner, policies, initial-policy, permissive-runtime, policy-tiers, shields); CI cli-test-shards (1–5) + plugin-tests + unit-vitest-linux all green on PR head
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates

Notes — known, pre-existing limitation (out of scope)

On an OpenClaw sandbox created before this change and upgraded without recreate, a shields down then shields up cycle can leave the sandbox in shields-down state: shields down adds /dev/pts via the permissive policy, and shields up restores the pre-upgrade live snapshot, which omits /dev/pts (OpenShell rejects the resulting live filesystem removal). This is identical to the existing /home/linuxbrew (#3913), GPU /proc, and Hermes /opt/hermes base-policy additions — shields-up restore has never normalized the snapshot for any path. Such a sandbox has not received the creation-locked filesystem fix anyway; the remediation (recreate / re-onboard) resolves both the tmux fix and this edge case. A symmetric snapshot-normalization in shields-restore would address the whole class and belongs in its own change.

---

Signed-off-by: Yimo Jiang yimoj@nvidia.com

Summary by CodeRabbit

• Bug Fixes

  • PTY allocation now works inside sandboxes, allowing terminal tools (tmux, script, interactive shells) and preventing "fork failed: Permission denied" failures.

• Documentation

  • Sandbox filesystem docs updated to include PTY device access and clarify configuration for terminal allocation tooling.

• Tests

  • End-to-end and unit tests tightened to assert PTY support and to fail when PTY allocation regresses.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: dc6c5a87-c178-4dd6-85bd-6fb460d00efc

📥 Commits

Reviewing files that changed from the base of the PR and between b75befd and ab355ba.

📒 Files selected for processing (2)

• docs/reference/network-policies.mdx
• test/runner.test.ts

✅ Files skipped from review due to trivial changes (1)

• docs/reference/network-policies.mdx

🚧 Files skipped from review as they are similar to previous changes (1)

• test/runner.test.ts

---

📝 Walkthrough

Walkthrough

Adds /dev/pts to sandbox filesystem allowlists, updates documentation to document writable PTY paths, hardens TC‑SBX‑09 to probe PTY allocation (os.openpty()), and adds regression tests that assert the policy and test changes.

Changes

PTY Allocation Permission Fix for Tmux Session Flow

Layer / File(s)	Summary
PTY permissions in default and permissive sandbox policies agents/openclaw/policy-permissive.yaml, nemoclaw-blueprint/policies/openclaw-sandbox.yaml, nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml	All OpenClaw/NemoClaw sandbox policy files add /dev/pts to filesystem_policy.read_write with comments documenting directory-scoped grants required for forkpty/tmux PTY allocation.
Documentation of PTY filesystem access docs/reference/network-policies.mdx, docs/security/best-practices.mdx	Reference and security docs updated to list /dev/pts as writable and explain why PTY-allocating tools need writable /dev/pts.
TC-SBX-09 tmux test hardening with PTY probe test/e2e/test-sandbox-operations.sh	TC‑SBX‑09 comments rewritten to hard-gate on PTY allocation; adds an in-sandbox Python os.openpty() probe (emits PTY_OK on success), removes the soft-skip on fork/PTY failures, and changes tmux lifecycle handling to fail after cleanup.
Policy and test content regression assertions test/runner.test.ts	Adds YAML import and regression tests that parse sandbox policy YAMLs to assert /dev/pts is present in filesystem_policy.read_write and /dev/ptmx is not; validates the e2e test contains the os.openpty() probe and no longer skips on fork failure.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• NVIDIA/NemoClaw#4606: Also updates the TC‑SBX‑09 tmux-session test and enforces Landlock /dev/pts PTY allocation checks.
• NVIDIA/NemoClaw#4640: Modifies test_sbx_09_tmux_session_flow fork-failure handling; related to test lifecycle change.

Suggested labels

fix, Sandbox, Integration: OpenClaw, E2E, documentation, area: sandbox

Suggested reviewers

• cjagwani

Poem

🐰 I hopped into the sandbox with care,
I nudged /dev/pts to be writable there.
Now tmux can spawn shells without dismay,
Tests probe PTYs so regressions stay away.
A tiny hop for code, a safer play.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: granting /dev/pts in sandbox policy to fix tmux PTY allocation failures, addressing the linked issue #4513.
Linked Issues check	✅ Passed	The PR fully addresses all coding objectives from linked issue #4513: modifies sandbox policies to grant /dev/pts for PTY allocation, adds openpty() probe test coverage, restores TC-SBX-09 as a hard assertion, updates regression tests in runner.test.ts, and documents the change.
Out of Scope Changes check	✅ Passed	All changes are within scope: policy YAML updates for /dev/pts, test enhancements for PTY regression coverage, and documentation updates explaining the filesystem policy change—all directly supporting issue #4513's objective.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[yimoj]

@coderabbitai full review

[coderabbitai]

✅ Action performed

Full review finished.

[coderabbitai]

🧹 Nitpick comments (3)

nemoclaw-blueprint/policies/openclaw-sandbox.yaml (1)

34-44: Run the network-policy e2e job for this policy delta.

Given this is a sandbox egress/SSRF-relevant policy change, please run the targeted network-policy-e2e workflow before merge to catch deny-by-default/hot-reload regressions early.

As per coding guidelines, changes under nemoclaw-blueprint/policies/** should run network-policy-e2e selectively.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@nemoclaw-blueprint/policies/openclaw-sandbox.yaml` around lines 34 - 44, This
change to openclaw-sandbox.yaml touches sandbox egress/SSRF policy and must be
validated by running the targeted network-policy-e2e workflow before merging;
please trigger the selective network-policy-e2e job (the targeted e2e for
changes under the policies blueprint) against this PR to catch deny-by-default
and hot-reload regressions for the openclaw-sandbox.yaml policy delta and attach
the passing job results to the review.

Source: Coding guidelines

test/runner.test.ts (1)

927-939: ⚡ Quick win

Extend PTY policy regression coverage to the agent permissive policy.

The assertion loop only covers two blueprint policy files, but this PR also changes agents/openclaw/policy-permissive.yaml for the same /dev/pts contract. Add it here to keep the regression guard complete.

Suggested patch

-    const policyDir = path.join(repoRoot, "nemoclaw-blueprint", "policies");
-    for (const policyFile of ["openclaw-sandbox.yaml", "openclaw-sandbox-permissive.yaml"]) {
-      it(`${policyFile} grants /dev/pts so PTY allocation (tmux) works`, () => {
-        const doc = YAML.parse(fs.readFileSync(path.join(policyDir, policyFile), "utf-8"));
+    for (const policyFile of [
+      path.join("nemoclaw-blueprint", "policies", "openclaw-sandbox.yaml"),
+      path.join("nemoclaw-blueprint", "policies", "openclaw-sandbox-permissive.yaml"),
+      path.join("agents", "openclaw", "policy-permissive.yaml"),
+    ]) {
+      it(`${policyFile} grants /dev/pts so PTY allocation (tmux) works`, () => {
+        const doc = YAML.parse(fs.readFileSync(path.join(repoRoot, policyFile), "utf-8"));
         const readWrite: string[] = doc.filesystem_policy?.read_write ?? [];

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/runner.test.ts` around lines 927 - 939, The test iterates over only two
policy files but misses the updated agent permissive policy, so add
"agents/openclaw/policy-permissive.yaml" to the list passed to the for-loop (the
array iterating as for (const policyFile of [...]) ) so the assertions that
YAML.parse(fs.readFileSync(path.join(policyDir, policyFile), "utf-8")) produces
a filesystem_policy.read_write array containing "/dev/pts" and not "/dev/ptmx"
also run against that permissive policy; update the array of filenames used by
the test (referenced as policyFile and policyDir, and using YAML.parse and
read_write) to include the agent permissive policy.

docs/reference/network-policies.mdx (1)

31-33: ⚡ Quick win

Adjust docs style for the PTY explanation block.

This paragraph uses multiple em dashes and splits one sentence across multiple source lines. LLM pattern detected.

As per coding guidelines, use one sentence per line and flag multiple em dashes per paragraph.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/reference/network-policies.mdx` around lines 31 - 33, The PTY
explanation for `/dev/pts` should be reformatted to follow the
one-sentence-per-line rule and avoid multiple em dashes: rewrite the paragraph
so each sentence occupies its own source line, remove or replace the em dashes
in the sentence mentioning `tmux`, `script`, and interactive shells (use commas
or a parenthetical phrase instead), and ensure the explanation about failure
mode (`fork failed: Permission denied`) remains a separate sentence for clarity;
update the `/dev/pts` paragraph accordingly in the network-policies PTY
explanation block.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@docs/reference/network-policies.mdx`:
- Around line 31-33: The PTY explanation for `/dev/pts` should be reformatted to
follow the one-sentence-per-line rule and avoid multiple em dashes: rewrite the
paragraph so each sentence occupies its own source line, remove or replace the
em dashes in the sentence mentioning `tmux`, `script`, and interactive shells
(use commas or a parenthetical phrase instead), and ensure the explanation about
failure mode (`fork failed: Permission denied`) remains a separate sentence for
clarity; update the `/dev/pts` paragraph accordingly in the network-policies PTY
explanation block.

In `@nemoclaw-blueprint/policies/openclaw-sandbox.yaml`:
- Around line 34-44: This change to openclaw-sandbox.yaml touches sandbox
egress/SSRF policy and must be validated by running the targeted
network-policy-e2e workflow before merging; please trigger the selective
network-policy-e2e job (the targeted e2e for changes under the policies
blueprint) against this PR to catch deny-by-default and hot-reload regressions
for the openclaw-sandbox.yaml policy delta and attach the passing job results to
the review.

In `@test/runner.test.ts`:
- Around line 927-939: The test iterates over only two policy files but misses
the updated agent permissive policy, so add
"agents/openclaw/policy-permissive.yaml" to the list passed to the for-loop (the
array iterating as for (const policyFile of [...]) ) so the assertions that
YAML.parse(fs.readFileSync(path.join(policyDir, policyFile), "utf-8")) produces
a filesystem_policy.read_write array containing "/dev/pts" and not "/dev/ptmx"
also run against that permissive policy; update the array of filenames used by
the test (referenced as policyFile and policyDir, and using YAML.parse and
read_write) to include the agent permissive policy.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 76839e37-5309-41b6-b896-9118c68d7ce4

📥 Commits

Reviewing files that changed from the base of the PR and between d9db199 and b75befd.

📒 Files selected for processing (7)

• agents/openclaw/policy-permissive.yaml
• docs/reference/network-policies.mdx
• docs/security/best-practices.mdx
• nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml
• nemoclaw-blueprint/policies/openclaw-sandbox.yaml
• test/e2e/test-sandbox-operations.sh
• test/runner.test.ts

[yimoj]

@coderabbitai Addressed the two actionable nitpicks in ab355ba:

• Extended the /dev/pts regression loop in test/runner.test.ts to also cover agents/openclaw/policy-permissive.yaml.
• Reformatted the /dev/pts paragraph in network-policies.mdx to one-sentence-per-line without em dashes.

On the network-policy-e2e suggestion: this delta is filesystem-only (filesystem_policy.read_write gains /dev/pts) with no network_policies change, so the deny-by-default/hot-reload egress e2e isn't the relevant gate here. The targeted pipeline coverage for this change is the restored TC-SBX-09 (test/e2e/test-sandbox-operations.sh), which drives the PTY openpty() probe + the full tmux new/list/kill lifecycle against a live sandbox in the nightly E2E (now a hard assertion, no soft skip). That suite is Brev-gated and not dispatchable from a fork PR.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@yimoj: Thanks for the follow-up. Both fixes look good:

• test/runner.test.ts — extending the regression loop to also validate agents/openclaw/policy-permissive.yaml is the right call; all three policy files now have symmetric coverage.
• network-policies.mdx — one-sentence-per-line without em dashes is cleaner.

On the network-policy-e2e point: your reasoning is correct. The delta is confined to filesystem_policy.read_write; there are no network_policies changes, so the egress/hot-reload e2e gate isn't the relevant signal here. TC-SBX-09 with the hard assertion and the openpty() probe is precisely the right coverage for this change. Happy to close that suggestion out.

The PR looks good to merge from my side.

[yimoj]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.