fix(jailer): use ABI::V7 and bump landlock to 0.4.5

pavitrabhalla · claude · pavitrabhalla · commit c0f6eaaa04f6 · 2026-06-28T11:41:29.000-07:00
Per the Landlock crate maintainer's guidance, the ABI parameter should be
the highest version that has been tested, not a pinned older version.
Ruleset::default() uses SoftRequirement by default, so the crate
automatically downgrades to whatever the running kernel supports — no
behaviour change on older kernels.

- Bump landlock dependency from 0.4.4 to 0.4.5 (adds ABI::V7 support,
  Linux 6.15).
- Switch from ABI::V4 to ABI::V7.
- Update the prepare_ruleset doc comment to reflect best-effort
  semantics (no error on kernels with partial/no Landlock support).

Signed-off-by: Pavitra Bhalla &lt;pavitra@superserve.ai&gt;
Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -79,6 +79,7 @@ and this project adheres to
   `rng-seed` FDT node for aarch64 guests which provides an initial random seed
   for the guest to use. This helps older aarch64 machines which do not have
   hardware random generators.
+
 - Added support for Linux 6.18 host kernels alongside the existing 5.10 and 6.1
   host kernels. See the [kernel support policy](docs/kernel-policy.md) for
   details.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/src/jailer/Cargo.toml b/src/jailer/Cargo.toml
@@ -15,7 +15,7 @@ bench = false
 tracing = ["log-instrument", "utils/tracing"]
 
 [dependencies]
-landlock = "0.4.4"
+landlock = "0.4.5"
 libc = "0.2.186"
 log-instrument = { path = "../log-instrument", optional = true }
 regex = { version = "1.12.3", default-features = false, features = ["std"] }
diff --git a/src/jailer/src/landlock.rs b/src/jailer/src/landlock.rs
@@ -35,10 +35,14 @@ use crate::JailerError;
 ///
 /// # Errors
 ///
-/// Returns [`JailerError::Landlock`] if the kernel does not support Landlock,
-/// if `jail_dir` cannot be opened, or if any ruleset syscall fails.
+/// Returns [`JailerError::Landlock`] if `jail_dir` cannot be opened or if any
+/// ruleset syscall fails. On kernels with partial or no Landlock support the
+/// ruleset is silently downgraded to the highest ABI the kernel supports
+/// (best-effort, per [`Ruleset::default`] semantics).
 pub fn prepare_ruleset(jail_dir: &Path) -> Result<RulesetCreated, JailerError> {
-    let abi = ABI::V4;
+    // V7 is the highest tested ABI. The crate's default SoftRequirement mode
+    // automatically downgrades to whatever the running kernel supports.
+    let abi = ABI::V7;
 
     let path_fd = PathFd::new(jail_dir).map_err(|err| {
         JailerError::Landlock(format!(
