XuebinMa · XuebinMa · Jun 3, 2026 · Jun 3, 2026 · Jun 3, 2026 · Jun 3, 2026
@@ -36,15 +36,38 @@ pub(crate) fn resolve_default_sandbox() -> (Box<dyn Sandbox>, DefaultSandboxDiag
                 );
             }
         }
-        (
-            Box::new(agent_guard_sandbox::SeccompSandbox::new()),
-            DefaultSandboxDiagnosis {
-                selected_name: "seccomp",
-                selected_sandbox_type: "linux-seccomp",
-                fallback_to_noop: false,
-                reason: "Linux defaults to seccomp; Landlock is either disabled or unavailable on this host.".to_string(),
-            },
-        )
+        // The native Seccomp-BPF filter only loads when the `seccomp` Cargo
+        // feature is compiled in. Without it, `SeccompSandbox` silently runs an
+        // unfiltered `sh -c` compatibility shell (see `linux.rs`
+        // `execute_compat_shell`). Reporting that path as `selected="seccomp",
+        // fallback_to_noop=false` would tell operators (and execution receipts,
+        // which read `sandbox_type()`) that syscall isolation is active when it
+        // is not — so split the diagnosis on the feature and fall back to a
+        // truthful Noop backend when filtering is not actually present.
+        #[cfg(feature = "seccomp")]
+        {
+            (
+                Box::new(agent_guard_sandbox::SeccompSandbox::new()),
+                DefaultSandboxDiagnosis {
+                    selected_name: "seccomp",
+                    selected_sandbox_type: "linux-seccomp",
+                    fallback_to_noop: false,
+                    reason: "Linux defaults to seccomp; the native Seccomp-BPF filter is compiled in and loads in the child before exec. Landlock is either disabled or unavailable on this host.".to_string(),
+                },
+            )
+        }
+        #[cfg(not(feature = "seccomp"))]
+        {
+            (
+                Box::new(agent_guard_sandbox::NoopSandbox),
+                DefaultSandboxDiagnosis {
+                    selected_name: "none",
+                    selected_sandbox_type: "none",
+                    fallback_to_noop: true,
+                    reason: "Neither Landlock nor the 'seccomp' Cargo feature is compiled in, so the SDK has no OS-level syscall isolation and runs an unfiltered compatibility shell. Rebuild with --features seccomp (with libseccomp present) or --features landlock to enable enforcement.".to_string(),
+                },
+            )
+        }
     }
     #[cfg(all(target_os = "macos", feature = "macos-sandbox"))]
     {

@@ -93,8 +93,15 @@ fn test_gate_platform_selection_consistency() {
             assert_eq!(s_type, expected);
         }
 
-        #[cfg(not(feature = "landlock"))]
+        // Without Landlock, the backend is the native seccomp filter only when
+        // the `seccomp` feature is compiled in; otherwise the SDK reports a
+        // truthful "none" backend (unfiltered compat shell) rather than
+        // claiming syscall isolation it does not provide.
+        #[cfg(all(not(feature = "landlock"), feature = "seccomp"))]
         assert_eq!(s_type, "linux-seccomp");
+
+        #[cfg(all(not(feature = "landlock"), not(feature = "seccomp")))]
+        assert_eq!(s_type, "none");
     }
 
     #[cfg(all(target_os = "macos", feature = "macos-sandbox"))]