
feat(policy): add runtime baseline conflict controls#1629

Open
elezar wants to merge 2 commits into main from 1522-runtime-baseline-conflict-controls/elezar

Conversation

@elezar (Member) commented May 29, 2026

Summary

Adds explicit filesystem policy controls for runtime baseline conflicts as an alternative to #1522. The default permits /proc read-only to read-write promotion for runtime baseline needs, while other conflicts such as device-node promotions require explicit policy opt-in.

Related Issue

Resolves #1486
Alternative to #1522.

Changes

  • Adds filesystem_policy.runtime_baseline_conflicts.read_only_to_read_write with reject_unlisted, promote_all, and reject_all modes.
  • Defaults omitted configuration to reject_unlisted with /proc in allow_promotion.
  • Rejects unlisted runtime baseline read-only to read-write conflicts and surfaces the startup error through policy enrichment.
  • Adds a follow-up commit that normalizes baseline conflict path comparisons and promotion patterns.
  • Updates policy schema and security architecture docs.

Testing

  • mise run pre-commit passes
  • Unit tests added/updated
  • E2E tests added/updated (if applicable)

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)

@elezar elezar requested review from a team, derekwaynecarr, maxamillion and mrunalp as code owners May 29, 2026 13:56
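The conflict-resolution logic the description outlines (the three read_only_to_read_write modes, the reject_unlisted default with /proc in allow_promotion, the normalized path comparison from the follow-up commit, and a startup error that lists every rejected path) as an added worked example in Go. This is not code from the PR or from the project: the type and function names (Policy, WithDefaults, Resolve), the whole-component prefix semantics assumed for allow_promotion entries, the treatment of a nil list as "omitted", and the sample conflict paths are all assumptions made here for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Mode is one of the three read_only_to_read_write modes named in the PR.
type Mode string

const (
	RejectUnlisted Mode = "reject_unlisted" // promote only paths listed in allow_promotion
	PromoteAll     Mode = "promote_all"     // promote every read-only to read-write conflict
	RejectAll      Mode = "reject_all"      // reject every such conflict, /proc included
)

// Policy is a hypothetical in-memory form of
// filesystem_policy.runtime_baseline_conflicts.read_only_to_read_write.
// A nil AllowPromotion is taken to mean the key was omitted (assumption).
type Policy struct {
	Mode           Mode
	AllowPromotion []string
}

// WithDefaults fills an omitted section the way the PR describes:
// reject_unlisted with /proc as the only promotable path.
func (p Policy) WithDefaults() Policy {
	if p.Mode == "" {
		p.Mode = RejectUnlisted
	}
	if p.AllowPromotion == nil {
		p.AllowPromotion = []string{"/proc"}
	}
	return p
}

// Conflict is a mount the policy declares read-only but the runtime baseline needs read-write.
type Conflict struct{ Path string }

// Decision records, per conflict, whether the mount is promoted to read-write.
type Decision struct {
	Path     string
	Promoted bool
}

// normalize gives every path one canonical spelling before comparison, so
// "/proc/sys/" and "/proc/../proc/sys" compare equal to "/proc/sys".
func normalize(p string) string {
	return filepath.Clean("/" + strings.TrimSpace(p))
}

// allowed reports whether path equals pattern or lies beneath it. The match is
// on whole path components: "/proc" covers "/proc/sys" but not "/procfs".
func allowed(pattern, path string) bool {
	pattern = normalize(pattern)
	if pattern == "/" {
		return true
	}
	return path == pattern || strings.HasPrefix(path, pattern+"/")
}

// Resolve applies the policy to every conflict and returns all decisions plus
// one startup error naming every rejected path, so the caller can surface the
// complete list instead of failing on the first one.
func Resolve(p Policy, conflicts []Conflict) ([]Decision, error) {
	p = p.WithDefaults()
	var decisions []Decision
	var rejected []string
	for _, c := range conflicts {
		path := normalize(c.Path)
		promote := false
		switch p.Mode {
		case PromoteAll:
			promote = true
		case RejectAll:
			promote = false
		case RejectUnlisted:
			for _, pat := range p.AllowPromotion {
				if allowed(pat, path) {
					promote = true
					break
				}
			}
		default:
			return nil, fmt.Errorf("unknown read_only_to_read_write mode %q", p.Mode)
		}
		decisions = append(decisions, Decision{Path: path, Promoted: promote})
		if !promote {
			rejected = append(rejected, path)
		}
	}
	if len(rejected) > 0 {
		return decisions, fmt.Errorf("runtime baseline needs read-write on read-only paths the policy does not promote: %s",
			strings.Join(rejected, ", "))
	}
	return decisions, nil
}

func main() {
	// Constructed sample conflicts; not taken from any real runtime baseline.
	conflicts := []Conflict{{Path: "/proc"}, {Path: "/proc/sys/"}, {Path: "/procfs"}, {Path: "/sys/fs/cgroup"}}
	for _, p := range []Policy{{}, {Mode: PromoteAll}, {Mode: RejectAll}} {
		d, err := Resolve(p, conflicts)
		fmt.Printf("mode=%-15s decisions=%v err=%v\n", p.WithDefaults().Mode, d, err)
	}
}
```

Two checks worth keeping when wiring something like this into a real policy loader: the allow list must match on path components after normalization, otherwise an entry of /proc silently promotes /procfs or /proc-shadow; and whether an explicitly empty allow_promotion list is distinguishable from an omitted one depends on the config decoder, so the nil-means-omitted rule above has to be confirmed against the schema rather than assumed.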
elezar added 2 commits May 29, 2026 16:27
  • Signed-off-by: Evan Lezar <elezar@nvidia.com>
  • Signed-off-by: Evan Lezar <elezar@nvidia.com>
@elezar elezar force-pushed the 1522-runtime-baseline-conflict-controls/elezar branch from 93e19ff to 8310d74 Compare May 29, 2026 14:28
Development

Successfully merging this pull request may close these issues.

bug: GPU sandboxes miss filesystem access for CUDA workloads