From 98c4e514e42219c4bb6a93a8858a3643fee33d9d Mon Sep 17 00:00:00 2001
From: Vincent Koc
Date: Sun, 15 Mar 2026 21:45:01 -0700
Subject: [PATCH] fix(server): validate discovered sandbox policy against restrictive baseline
---
 crates/openshell-server/src/grpc.rs | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/crates/openshell-server/src/grpc.rs b/crates/openshell-server/src/grpc.rs
index 422b6463..0bdea95f 100644
--- a/crates/openshell-server/src/grpc.rs
+++ b/crates/openshell-server/src/grpc.rs
@@ -1023,10 +1023,16 @@ impl OpenShell for OpenShellService {
 // Validate policy safety (no root, no path traversal, etc.).
 validate_policy_safety(&new_policy)?;
 } else {
- // No baseline policy exists (sandbox created without one). The
- // sandbox is syncing a locally-discovered or restrictive-default
- // policy. Backfill spec.policy so future updates can validate
- // against it.
+ // No baseline policy exists (sandbox created without one).
+ // Validate against the restrictive default before backfilling so
+ // untrusted sandbox images cannot inject a more permissive policy.
+ let restrictive_baseline = openshell_policy::restrictive_default_policy();
+ validate_static_fields_unchanged(&restrictive_baseline, &new_policy)?;
+ validate_network_mode_unchanged(&restrictive_baseline, &new_policy)?;
+ validate_policy_safety(&new_policy)?;
+
+ // Backfill spec.policy so future updates can validate against the
+ // same baseline that was accepted here.
 let mut sandbox = sandbox;
 if let Some(ref mut spec) = sandbox.spec {
 spec.policy = Some(new_policy.clone());
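Review bot: The value backfilled into `spec.policy` is still the sandbox-supplied `new_policy`, not `restrictive_baseline`, so only what `validate_static_fields_unchanged` and `validate_network_mode_unchanged` actually compare is pinned to the restrictive default. Any field those helpers skip (their bodies are not in this hunk) is accepted from the untrusted image and becomes the trusted baseline for every later update. If that is intended, the second comment should say so, e.g. `// Backfill the accepted policy; fields outside the static/network-mode checks are sandbox-supplied and become the baseline.`, because "the same baseline that was accepted here" reads as if the restrictive default were what gets stored. The patch touches only grpc.rs, so it would be worth adding a regression test that a baseline-less sandbox submitting a policy more permissive than the restrictive default is rejected. The else branch continues past the end of the hunk.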