ci: add ubuntu-22.04 low-ABI job + end-to-end degrade test #107

Status: Open
dzerik wants to merge 1 commit into multikernel:main from dzerik:ci/ubuntu-22.04-low-abi

Conversation

@dzerik dzerik commented Jun 22, 2026

Follow-up to the CI split-out agreed in #71 (the ci.yml review thread).

Motivation

The CI matrix only runs v6-capable runners (ubuntu-latest, ubuntu-24.04-arm), so the Protection opt-out path added in #71 — which lets a sandbox confine on kernels below Landlock ABI 6 by degrading the scopes the host lacks — has no automated coverage on a real low-ABI kernel. The synthetic test_protection resolution tests cover the mechanics, but nothing exercised a genuine build() + run() below v6.

What this adds

  • A dedicated rust-low-abi job on ubuntu-22.04. That image runs a 6.8 Azure kernel — Landlock ABI v4 — below the project's MIN_ABI = 6. The default strict_all() suite (test_sandbox, test_network, …) hard-requires v6 and would panic there, so the job runs only the host-ABI-independent resolution tests plus a new end-to-end degrade test, and reports the runner's ABI via sandlock check (so a future runner-image kernel bump that changes it is visible at a glance).
  • degraded_policy_confines_and_runs_below_v6: builds a fully-degradable policy, asserts every scope the host cannot provide resolves to Degraded (not Unavailable, which is what makes confine refuse), and runs a genuinely confined child. This is the test that gives a sub-v6 runner its purpose.
  • A workflow_dispatch trigger for manual runs.

Verification

Ran on real kernels across the low-ABI spectrum:

  • ABI v1 — Ubuntu 22.04, kernel 5.15
  • ABI v4 — the GHA ubuntu-22.04 runner itself (confirmed by the job's own sandlock check output)
  • ABI v5 — Rocky 9.6, kernel 5.14
  • ABI v8 — dev host

test_protection is 22/22 on every host; the degrade assertion fires on each sub-v6 kernel and the confined child runs.

Note on the ubuntu-latest check

Rust tests (ubuntu-latest) currently fails on main independently of this change: test_restore::test_restore_real_program_resumes fails on x86 (it passes on ubuntu-24.04-arm), introduced with the checkpoint/restore merge (#105). This PR doesn't touch that path, and the new rust-low-abi job is green. Happy to file that separately if it isn't already tracked.

The CI matrix only had v6-capable runners (ubuntu-latest, ubuntu-24.04-arm),
so the Protection opt-out path added in multikernel#71 — which lets a sandbox confine on
kernels below Landlock ABI 6 by degrading the scopes the host lacks — had no
automated coverage on a real low-ABI kernel.

Add a dedicated rust-low-abi job on ubuntu-22.04 (a 6.8 Azure kernel,
Landlock ABI v4). The default strict_all() suite hard-requires v6 and would
panic there, so the job runs the host-ABI-independent resolution tests plus a
new end-to-end test, and reports the runner's Landlock ABI for visibility.

degraded_policy_confines_and_runs_below_v6 builds a fully-degradable policy,
asserts every scope the host cannot provide resolves to Degraded (not
Unavailable), and runs a genuinely confined child — proving confinement still
works below v6. Verified on real kernels via multipass: ABI 1 (Ubuntu 22.04),
ABI 5 (Rocky 9.6), ABI 8 (host).

Also add a workflow_dispatch trigger for manual runs.
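Added example, not sandlock's or this PR's code: the same degrade idea at the raw Landlock level in C. It probes the host ABI with landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION), strips the filesystem rights that ABI predates instead of refusing to confine, then restricts the calling process and checks it really is confined. The ABI-to-right mapping (REFER at ABI 2, TRUNCATE at 3, IOCTL_DEV at 5) is the kernel's; the project's Degraded/Unavailable resolution and its scope names are not modelled, and Linux uapi headers of 5.13 or newer are assumed.

```c
/* Added example, not sandlock's code: probe the host Landlock ABI and degrade the
 * fs access mask to what that ABI supports. Assumes uapi headers >= 5.13. */
#include <fcntl.h>
#include <linux/landlock.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef LANDLOCK_ACCESS_FS_REFER   /* rights added by later ABIs; guarded for old headers */
#define LANDLOCK_ACCESS_FS_REFER (1ULL << 13)     /* ABI 2 */
#endif
#ifndef LANDLOCK_ACCESS_FS_TRUNCATE
#define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14)  /* ABI 3 */
#endif
#ifndef LANDLOCK_ACCESS_FS_IOCTL_DEV
#define LANDLOCK_ACCESS_FS_IOCTL_DEV (1ULL << 15) /* ABI 5 */
#endif
#ifndef SYS_landlock_create_ruleset
#define SYS_landlock_create_ruleset 444 /* arch-independent syscall numbers */
#define SYS_landlock_restrict_self 446
#endif
long syscall(long number, ...); /* declared here so no _GNU_SOURCE is needed */
int landlock_abi(void) { /* host ABI version, or -1 if Landlock is absent/disabled */
    return (int)syscall(SYS_landlock_create_ruleset, NULL, 0,
                        LANDLOCK_CREATE_RULESET_VERSION);
}
uint64_t fs_access_for_abi(int abi, uint64_t wanted) { /* degrade, don't bail out */
    if (abi < 2) wanted &= ~LANDLOCK_ACCESS_FS_REFER;
    if (abi < 3) wanted &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
    if (abi < 5) wanted &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV;
    return wanted;
}
/* Confine this process with a degraded deny-all-fs ruleset and check that
 * /etc/passwd became unreadable: 1 confined, 0 not, -1 error. Irreversible. */
int confine_and_check(void) {
    int abi = landlock_abi();
    if (abi < 1) return -1;
    struct landlock_ruleset_attr attr = { .handled_access_fs =
        fs_access_for_abi(abi, LANDLOCK_ACCESS_FS_READ_FILE |
            LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REFER |
            LANDLOCK_ACCESS_FS_TRUNCATE | LANDLOCK_ACCESS_FS_IOCTL_DEV) };
    int rs = (int)syscall(SYS_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (rs < 0) return -1;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
        syscall(SYS_landlock_restrict_self, rs, 0)) { close(rs); return -1; }
    close(rs);
    int fd = open("/etc/passwd", O_RDONLY); /* no allow rule covers this path */
    if (fd < 0) return 1;
    close(fd); return 0;
}
```

Call confine_and_check() only from a throwaway child process: Landlock restriction cannot be undone, and on a kernel without Landlock it returns -1 rather than confining.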