[Ubuntu 24.04][Security] shields status does not cross-check sandbox filesystem — drift after host-root tamper goes undetected #4243

@cr7258

Description

nemoclaw  shields status reads only the host-side declarative state file
(~/.nemoclaw/state/shields-.json) and does not cross-check the actual
sandbox filesystem. After a host-root actor (docker exec / kubectl exec as root)
reverts /sandbox/.openclaw perms from 444 root:root back to 660 sandbox:sandbox,
shields status continues to report "UP (lockdown active)" with no drift signal,
and the sandbox uid can then write openclaw.json undetected. This check guards against the
declared-vs-actual state divergence described in DevTest T5997825.

Environment
Device:        Ubuntu 24.04 x86_64 dev host
OS:            Ubuntu 24.04.4 LTS
Architecture:  x86_64
Node.js:       v22.22.2
npm:           10.9.7
Docker:        29.4.1
OpenShell CLI: openshell 0.0.44
NemoClaw:      v0.0.50-50-g206737f83
OpenClaw:      2026.5.18

Steps to Reproduce
1. Onboard a sandbox.

2. nemoclaw my-assistant shields up
3. nemoclaw my-assistant shields status
     → "Shields: UP (lockdown active)"  /  "Policy: restrictive"

4. Confirm baseline perms inside sandbox:
     CTR=$(docker ps --filter name=openshell-my-assistant -q)
     docker exec "$CTR" stat -c "%a %U:%G %n" \
       /sandbox/.openclaw /sandbox/.openclaw/openclaw.json /sandbox/.openclaw/.config-hash
     → 755 root:root /sandbox/.openclaw
       444 root:root /sandbox/.openclaw/openclaw.json
       444 root:root /sandbox/.openclaw/.config-hash

5. Host-root tamper via docker exec:
     docker exec "$CTR" bash -c '
       chmod 2770 /sandbox/.openclaw
       chown sandbox:sandbox /sandbox/.openclaw
       chmod 660 /sandbox/.openclaw/openclaw.json /sandbox/.openclaw/.config-hash
       chown sandbox:sandbox /sandbox/.openclaw/openclaw.json /sandbox/.openclaw/.config-hash
     '

6. nemoclaw my-assistant shields status
     → still "Shields: UP (lockdown active)"  (DRIFT NOT DETECTED)

7. Confirm config is now mutable from sandbox uid:
     docker exec --user sandbox "$CTR" bash -c \
       'echo TAMPERED > /sandbox/.openclaw/openclaw.json; echo exit=$?'
     → exit=0  (write succeeded)

8. nemoclaw my-assistant shields status
     → still "Shields: UP (lockdown active)"  (post-tamper-write drift still undetected)

Expected Result
At steps 6 and 8, shields status MUST surface drift between declared state
(host JSON: shieldsDown=false) and actual sandbox filesystem state (660
sandbox:sandbox, mutable). Any of the following is acceptable:
- "Shields: UP (DRIFTED)" / "INCONSISTENT"
- "Shields: UP (verification failed: openclaw.json mode 660, expected 444)"
- Non-zero exit code with a clear error
The status MUST NOT continue reporting a clean "UP (lockdown active)".

Actual Result
Step 6 (after host-root tamper, before write):
  Shields: UP (lockdown active)
  Policy:  restrictive
  exit=0

Step 7 (sandbox uid write succeeds):
  exit=0
  cat /sandbox/.openclaw/openclaw.json → TAMPERED

Step 8 (after actual tampering write):
  Shields: UP (lockdown active)
  Policy:  restrictive
  exit=0

The status command never reads the sandbox filesystem — it only reflects the
host-side ~/.nemoclaw/state/shields-.json declarative state.
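The cross-check that the expected result asks for, written as an added example in JavaScript; this is not NemoClaw's own code and it does not show how the status command is implemented. It assumes the host state file carries a boolean shieldsDown (the value the report cites), and it takes the sandbox perms as a string in the `stat -c "%a %U:%G %n"` format used in step 4; in a real status command that string would come from the sandbox, here it is embedded as constructed samples copied from the baseline in step 4 and the tampered state in step 5. The function names and the "UP (DRIFTED)" / "UP (verification failed)" wording are assumptions taken from the acceptable outcomes listed under Expected Result.

```javascript
// Added example, not NemoClaw's code: derive the shields status from the actual
// sandbox filesystem instead of only the host-side declarative JSON.

// Expected lockdown perms per path (baseline observed in step 4 of the report).
const LOCKDOWN_EXPECTED = {
  "/sandbox/.openclaw": { mode: "755", owner: "root:root" },
  "/sandbox/.openclaw/openclaw.json": { mode: "444", owner: "root:root" },
  "/sandbox/.openclaw/.config-hash": { mode: "444", owner: "root:root" },
};

// Constructed stat output in `stat -c "%a %U:%G %n"` format: the baseline
// from step 4 and the state left behind by the tamper in step 5.
const BASELINE_STAT = `
755 root:root /sandbox/.openclaw
444 root:root /sandbox/.openclaw/openclaw.json
444 root:root /sandbox/.openclaw/.config-hash
`;
const TAMPERED_STAT = `
2770 sandbox:sandbox /sandbox/.openclaw
660 sandbox:sandbox /sandbox/.openclaw/openclaw.json
660 sandbox:sandbox /sandbox/.openclaw/.config-hash
`;

// Parse stat lines into { path: { mode, owner } }. A malformed line throws so
// that a garbled or empty stat result cannot masquerade as a clean check.
function parseStatOutput(text) {
  const result = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "") continue;
    const m = /^([0-7]{3,4})\s+(\S+:\S+)\s+(\S.*)$/.exec(line);
    if (!m) throw new Error(`unparseable stat line: ${line}`);
    result[m[3]] = { mode: m[1], owner: m[2] };
  }
  return result;
}

// Compare the declared host-side state with what stat reports.
// findings is empty only when every path exists with the expected mode and owner.
function evaluateShieldsDrift(declaredState, statText) {
  const findings = [];
  if (declaredState.shieldsDown === true) {
    // Shields declared DOWN: lockdown perms are not expected, nothing to verify.
    return { status: "DOWN", findings };
  }
  let actual;
  try {
    actual = parseStatOutput(statText);
  } catch (err) {
    return { status: "UP (verification failed)", findings: [err.message] };
  }
  for (const [path, want] of Object.entries(LOCKDOWN_EXPECTED)) {
    const got = actual[path];
    if (got === undefined) {
      findings.push(`${path} missing from sandbox`);
      continue;
    }
    if (got.mode !== want.mode) {
      findings.push(`${path} mode ${got.mode}, expected ${want.mode}`);
    }
    if (got.owner !== want.owner) {
      findings.push(`${path} owner ${got.owner}, expected ${want.owner}`);
    }
  }
  const status = findings.length === 0 ? "UP (lockdown active)" : "UP (DRIFTED)";
  return { status, findings };
}

// Render the status text and the process exit code. Drift maps to a non-zero
// exit so scripts and CI gates cannot mistake it for a clean lockdown.
function renderStatus(result) {
  const lines = [`Shields: ${result.status}`, ...result.findings.map((f) => `  - ${f}`)];
  return { text: lines.join("\n"), exitCode: result.findings.length === 0 ? 0 : 1 };
}

// Assumed shape of the host-side shields state file: { shieldsDown: false } while UP.
const declaredUp = { shieldsDown: false };
console.log(renderStatus(evaluateShieldsDrift(declaredUp, BASELINE_STAT)).text);
console.log(renderStatus(evaluateShieldsDrift(declaredUp, TAMPERED_STAT)).text);
```

Run against the baseline the function yields "UP (lockdown active)" with exit 0; run against the tampered perms it yields "UP (DRIFTED)" with one finding per changed mode and owner and exit 1, which is the signal steps 6 and 8 currently lack. A parse failure is deliberately reported as a verification failure rather than as a clean status, so a missing or unreadable sandbox never reads as locked down.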
 

Bug Details

Field        Value
Priority     Unprioritized
Action       Dev - Open - To fix
Disposition  Open issue
Module       Machine Learning - NemoClaw
Keyword      NemoClaw, NEMOCLAW_GH_SYNC_APPROVAL, NemoClaw_Security

[NVB#6222239]

Labels

- NV QA: Bugs found by the NVIDIA QA Team
- area: sandbox: OpenShell sandbox lifecycle, runtime, config, or recovery
- platform: ubuntu: Affects Ubuntu Linux environments
- security: Potential vulnerability, unsafe behavior, or access risk
- v0.0.56: Release target
