
fix(sandbox): apply supervisor seccomp prelude #891

Merged
johntmyers merged 2 commits into main from fix/os-119-supervisor-seccomp-prelude
Apr 20, 2026

Conversation

@johntmyers
Collaborator

Summary

Apply a narrow seccomp prelude in openshell-sandbox before CLI parsing and async runtime initialization so the supervisor blocks privileged remount and kernel-surface syscalls at startup.

Update the sandbox docs to reflect the new two-phase seccomp model and startup enforcement order.

Related Issue

closes OS-119

Changes

  • add a Linux supervisor-startup seccomp prelude and expose it through a public startup hardening hook
  • replace #[tokio::main] with an explicit Tokio runtime so supervisor hardening runs before Clap, logging, and runtime setup
  • add coverage for the new prelude rule set and document the updated startup hardening behavior

Testing

Additional validation run:

  • cargo fmt --all
  • cargo run -p openshell-sandbox -- --help
  • mise run pre-commit was run, but it does not pass in this local workspace for unrelated reasons:
    • missing SPDX headers in architecture/plans/567-*
    • missing local z3 linker dependency while building openshell-prover tests
  • Linux-target verification remains incomplete locally because x86_64-linux-gnu-gcc is not installed on this machine
  • mise run pre-commit passes
  • Unit tests added/updated
  • E2E tests added/updated (if applicable)

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable)

Signed-off-by: John Myers <9696606+johntmyers@users.noreply.github.com>
@johntmyers johntmyers self-assigned this Apr 20, 2026

copy-pr-bot Bot commented Apr 20, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.



@johntmyers johntmyers added topic:security Security issues test:e2e Requires end-to-end coverage labels Apr 20, 2026
@johntmyers johntmyers marked this pull request as ready for review April 20, 2026 15:54
@johntmyers johntmyers requested a review from a team as a code owner April 20, 2026 15:54
@pimlock
Collaborator

pimlock commented Apr 20, 2026

Potential follow-up: additional syscalls worth considering in the prelude denylist

Not blockers for this PR — listing here so they aren't lost. The current list is thematically consistent (mount-family + kernel-module loading + kexec + bpf/perf/userfaultfd), and drawing the line cleanly around OS-119 is defensible.

Highest value — historical CVE density, reachable without elevated capability

  • add_key — inserts a key into a kernel keyring. The kernel keyring subsystem has been one of the most CVE-heavy in Linux: CVE-2016-0728 (refcount overflow → root), CVE-2022-1048 (UAF in KEYCTL_SESSION_TO_PARENT), CVE-2022-2588 (UAF exploited for container escape), and a long tail. No keyring use case in the supervisor.
  • request_key — looks up a key and, on miss, can spawn a userspace helper (/sbin/request-key) with privilege. Same CVE surface as add_key, plus a helper-execution primitive.
  • keyctl — the multiplexer for key manipulation (link, unlink, revoke, setperm, get_security, session). Shares the keyring's CVE history and is the most commonly-exploited of the three.

Three extra entry lines in build_supervisor_prelude_rules, no realistic impact on supervisor startup (pure Rust binary, no NSS/Kerberos/cifs/nfs path that touches the keyring).

Lower priority — already gated by capability the supervisor may not hold, or DoS-leaning

  • reboot — restart/halt/power-off/kexec transition. Requires CAP_SYS_BOOT, which the sandbox pod likely doesn't grant, so blocking this is belt-and-suspenders against a capability-check bypass. Inside a non-initial PID namespace the effect is limited to signaling namespace init rather than rebooting the host.
  • swapon / swapoff — enable/disable swap on a file or device. Requires CAP_SYS_ADMIN (which the supervisor does hold at startup). swapon on an attacker-controlled file gives the kernel a read/write primitive against that file; swapoff can force OOM storms or swap-in thrashing. Exotic but non-zero.
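To make the startup model in the PR description and the denylist discussion above concrete, here is an added example (not code from this PR or from openshell-sandbox, whose prelude is Rust and whose exact rule set is not shown on this page): a classic-BPF seccomp denylist in C covering the families the description names, loaded with no_new_privs as the first thing in main(), before any argument parsing or runtime setup. The syscall list, the function names and the choice to answer denied calls with EPERM are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#define PRELUDE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define PRELUDE_ARCH AUDIT_ARCH_AARCH64
#else
#error "example wired up for x86_64 and aarch64 only"
#endif
#define STMT(code, k) ((struct sock_filter)BPF_STMT(code, k))
#define JUMP(code, k, jt, jf) ((struct sock_filter)BPF_JUMP(code, k, jt, jf))
/* Assumed denylist mirroring the families the PR names; the keyring trio from the
 * review (add_key, request_key, keyctl) would be three more entries here. */
static const int DENIED[] = {
    SYS_mount, SYS_umount2, SYS_pivot_root, SYS_init_module, SYS_finit_module,
    SYS_delete_module, SYS_kexec_load, SYS_bpf, SYS_perf_event_open, SYS_userfaultfd,
};
#define NDENIED (sizeof DENIED / sizeof DENIED[0])
size_t build_prelude(struct sock_filter *p) {  /* kill on foreign ABI, EPERM listed nrs, allow the rest */
    size_t n = 0;
    p[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    p[n++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, PRELUDE_ARCH, 1, 0);
    p[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    p[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < NDENIED; i++)  /* jt skips the remaining checks plus the ALLOW */
        p[n++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)DENIED[i], (unsigned char)(NDENIED - i), 0);
    p[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    p[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    return n;
}
/* First thing in main(), before argv parsing or runtime setup; no_new_privs is what lets an unprivileged process load it. */
int apply_supervisor_prelude(void) {
    struct sock_filter insns[NDENIED + 6];
    struct sock_fprog prog = { .len = (unsigned short)build_prelude(insns), .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* perf_event_open with impossible flags: EINVAL from the kernel, EPERM once the prelude is in. */
int probe_perf_event_open_errno(void) {
    return syscall(SYS_perf_event_open, NULL, 0, -1, -1, ~0UL) == 0 ? 0 : errno;
}
int main(void) {  /* CLI parsing and runtime init would only begin after this returns 0 */
    return apply_supervisor_prelude() == 0 && probe_perf_event_open_errno() == EPERM ? 0 : 1;
}
```

The probe relies on perf_event_open rejecting unknown flag bits with EINVAL before the filter is loaded, so the EPERM it reports afterwards is the filter's answer rather than the kernel's own permission check.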


@johntmyers
Collaborator Author

Thanks @pimlock I've captured the feedback as a new sub-issue under OS-101.

@johntmyers johntmyers merged commit 8a813ab into main Apr 20, 2026
12 checks passed
@johntmyers johntmyers deleted the fix/os-119-supervisor-seccomp-prelude branch April 20, 2026 20:09