Error when Landlock ABI is too old for requested network/IPC features

congwang-mk · congwang-mk · commit 500fb1c6a205 · 2026-03-21T12:51:08.000-07:00
Signed-off-by: Cong Wang &lt;cwang@multikernel.io&gt;
diff --git a/src/sandlock/_landlock.py b/src/sandlock/_landlock.py
@@ -250,7 +250,8 @@ def confine(
 
     Raises:
         LandlockUnavailableError: If Landlock is not supported.
-        ConfinementError: If confinement setup fails.
+        ConfinementError: If confinement setup fails, or if network/IPC
+            features are requested but the kernel's Landlock ABI is too old.
     """
     abi = landlock_abi_version()
     if abi < 1:
@@ -272,15 +273,25 @@ def confine(
 
     # Network handled mask (ABI v4+)
     handled_net = 0
-    if abi >= 4:
+    if bind_ports is not None or connect_ports is not None:
+        if abi < 4:
+            raise ConfinementError(
+                f"Network port restrictions require Landlock ABI >= 4 "
+                f"(Linux >= 6.7), but this kernel only supports ABI v{abi}"
+            )
         if bind_ports is not None:
             handled_net |= LANDLOCK_ACCESS_NET_BIND_TCP
         if connect_ports is not None:
             handled_net |= LANDLOCK_ACCESS_NET_CONNECT_TCP
 
     # IPC scoping mask (ABI v6+)
     scoped = 0
-    if abi >= 6:
+    if isolate_ipc or isolate_signals:
+        if abi < 6:
+            raise ConfinementError(
+                f"IPC/signal isolation requires Landlock ABI >= 6 "
+                f"(Linux >= 6.12), but this kernel only supports ABI v{abi}"
+            )
         if isolate_ipc:
             scoped |= LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
         if isolate_signals:
diff --git a/tests/test_landlock.py b/tests/test_landlock.py
@@ -1,6 +1,8 @@
 # SPDX-License-Identifier: Apache-2.0
 """Tests for sandlock._landlock."""
 
+from unittest import mock
+
 import pytest
 
 from sandlock._landlock import (
@@ -13,8 +15,10 @@
     _FULL_ACCESS,
     _READ_ACCESS,
     _WRITE_ACCESS,
+    confine,
     landlock_abi_version,
 )
+from sandlock.exceptions import ConfinementError
 
 
 class TestAccessFlags:
@@ -49,6 +53,30 @@ def test_scope_flags_no_overlap(self):
         assert LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET & LANDLOCK_SCOPE_SIGNAL == 0
 
 
+class TestAbiVersionGuards:
+    """confine() must error when features need a newer ABI than available."""
+
+    @mock.patch("sandlock._landlock.landlock_abi_version", return_value=3)
+    def test_bind_ports_requires_abi4(self, _mock_abi):
+        with pytest.raises(ConfinementError, match="ABI >= 4"):
+            confine(readable=["/tmp"], bind_ports=[80])
+
+    @mock.patch("sandlock._landlock.landlock_abi_version", return_value=3)
+    def test_connect_ports_requires_abi4(self, _mock_abi):
+        with pytest.raises(ConfinementError, match="ABI >= 4"):
+            confine(readable=["/tmp"], connect_ports=[443])
+
+    @mock.patch("sandlock._landlock.landlock_abi_version", return_value=5)
+    def test_isolate_ipc_requires_abi6(self, _mock_abi):
+        with pytest.raises(ConfinementError, match="ABI >= 6"):
+            confine(readable=["/tmp"], isolate_ipc=True)
+
+    @mock.patch("sandlock._landlock.landlock_abi_version", return_value=5)
+    def test_isolate_signals_requires_abi6(self, _mock_abi):
+        with pytest.raises(ConfinementError, match="ABI >= 6"):
+            confine(readable=["/tmp"], isolate_signals=True)
+
+
 class TestLandlockAbiVersion:
     def test_returns_int(self):
         ver = landlock_abi_version()
