fix(jailer): pin landlock to 0.4.4 and fix markdown style

- Pin `landlock` dependency to exact patch version "0.4.4" per CI
  requirement (was "0.4").
- Run `mdformat .` to fix markdown style failures in CI.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Pavitra Bhalla <pavitra@superserve.ai>

Author: pavitrabhalla

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,10 +1,6 @@
----
-name: Bug report
-about: Create a report to help us improve
-title: '[Bug] Title'
-labels: 'Quality: Bug'
-assignees: ''
----
+______________________________________________________________________
+
+## name: Bug report about: Create a report to help us improve title: '[Bug] Title' labels: 'Quality: Bug' assignees: ''
 
 # Describe the bug
 

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,10 +1,6 @@
----
-name: Feature request
-about: Suggest an idea for this project
-title: '[Feature Request] Title'
-labels: ''
-assignees: ''
----
+______________________________________________________________________
+
+## name: Feature request about: Suggest an idea for this project title: '[Feature Request] Title' labels: '' assignees: ''
 
 # Feature Request
 

CHANGELOG.md

@@ -21,16 +21,19 @@ and this project adheres to
   support for Vsock Unix domain socket path overriding on snapshot restore. More
   information can be found in the
   [docs](docs/vsock.md/#unix-domain-socket-renaming).
+
 - [#5824](https://github.com/firecracker-microvm/firecracker/pull/5824): Add
   optional rate limiting to serial console output, configurable via the
   `rate_limiter` field on `PUT /serial`. A new metric is exposed under `uart`:
   `rate_limiter_dropped_bytes`.
+
 - [#5799](https://github.com/firecracker-microvm/firecracker/pull/5799): Add
   per-callsite rate limiting for error, warn, and info level log messages. Each
   callsite independently allows up to 10 messages per 5-second window. When
   logging resumes after suppression, a warn-level summary reports the count of
   suppressed messages. A new `rate_limited_log_count` metric tracks the total
   number of suppressed messages.
+
 - [#5789](https://github.com/firecracker-microvm/firecracker/pull/5789): Add
   rate-limiter support to virtio-pmem device to allow control over I/O bandwidth
   generated by the FLUSH requests from the guest.

CONTRIBUTING.md

@@ -225,5 +225,5 @@ message automatically.
 
 Forgot to add DCO to a commit? Amend it with `git commit --amend -s`.
 
-[^1]: Performance improvements in non-hot paths are unlikely to be considered
-    valuable.
+\[^1\]: Performance improvements in non-hot paths are unlikely to be considered
+valuable.

SPECIFICATION.md

@@ -59,12 +59,12 @@ on the following:
    are full will be lost. Any such events will be signaled through the
    `lost-logs` and `lost-metrics` counters.
 
-[^1]: CPU ms are actual ms of a user space thread's on-CPU runtime; useful for
-    getting consistent measurements for some performance metrics.
+\[^1\]: CPU ms are actual ms of a user space thread's on-CPU runtime; useful for
+getting consistent measurements for some performance metrics.
 
-[^2]: No logs are currently produced in the span of time between the `jailer`
-    process start-up and the logging system initialization in the
-    `firecracker` process.
+\[^2\]: No logs are currently produced in the span of time between the `jailer`
+process start-up and the logging system initialization in the `firecracker`
+process.
 
 [1]: https://aws.amazon.com/ec2/instance-types/m5/
 [2]: https://aws.amazon.com/ec2/instance-types/m6/

docs/jailer.md

@@ -106,7 +106,7 @@ Here is an example on how to set multiple resource limits using this argument:
   escapes the `pivot_root` chroot via a kernel exploit, Landlock (enforced by a
   separate LSM path) independently prevents access to files outside the jail.
   The flag operates in best-effort mode — on kernels without Landlock support
-  (< 5.13) it has no effect.
+  (\< 5.13) it has no effect.
 - The jailer adheres to the "end of command options" convention, meaning all
   parameters specified after `--` are forwarded to Firecracker. For example,
   this can be paired with the `--config-file` Firecracker argument to specify a

docs/memory-hotplug.md

@@ -333,5 +333,4 @@ driver may be able to trick the backend to access unplugged memory. This is not
 possible in Firecracker itself as unplugged memory slots are `mprotect`-ed.
 
 [^uffd]: snapshotting/handling-page-faults-on-snapshot-resume.md#userfaultfd
-
 [^vhost-user]: api_requests/block-vhost-user.md

docs/prod-host-setup.md

@@ -461,6 +461,6 @@ sudo modprobe $KVM_VENDOR_MOD
 To validate that the change took effect, the file
 `/sys/module/kvm/parameters/nx_huge_pages` should say `never`.
 
-[^1]: Look for `GRUB_CMDLINE_LINUX` in file `/etc/default/grub` in RPM-based
-    systems, and
-    [this doc for Ubuntu](https://wiki.ubuntu.com/Kernel/KernelBootParameters).
+\[^1\]: Look for `GRUB_CMDLINE_LINUX` in file `/etc/default/grub` in RPM-based
+systems, and
+[this doc for Ubuntu](https://wiki.ubuntu.com/Kernel/KernelBootParameters).

src/jailer/Cargo.toml

@@ -15,7 +15,7 @@ bench = false
 tracing = ["log-instrument", "utils/tracing"]
 
 [dependencies]
-landlock = "0.4"
+landlock = "0.4.4"
 libc = "0.2.186"
 log-instrument = { path = "../log-instrument", optional = true }
 regex = { version = "1.12.3", default-features = false, features = ["std"] }