CI: Test Landlock on various kernels with UML

[mrcnski]

We already have a test-linux-oldkernel CI job for the purpose of testing the case where Landlock is not available in the kernel.

This can be extended to more kernel versions using UML: https://github.com/landlock-lsm/landlock-test-tools.

Here is an example using the above repository: https://github.com/landlock-lsm/rust-landlock/pull/41/files

@paritytech/ci

[bkchr]

Why do we need to test against multiple versions of the kernel? Isn't landlock itself versioned? Aka we only need to test against version X and Y?

[mrcnski]

Good point. After all, we don't test every kernel feature we use against multiple kernel versions.

But since landlock is a new kernel feature, and some bug or regression can potentially affect consensus, it might be good to test different kernels. And the tooling is already provided for us. All we'd have to do is extend the CI job we already have.

Even if we didn't use landlock, it seems good to test consensus-critical code (PVF execution) on multiple kernel versions, at least the most common ones according to telemetry.

[l0kod]

Testing with different versions of the kernel makes sense when relying on Landlock's features that may not be provided by the running kernel. It looks like you're only relying on ABI::V1 for now and I suggest to bump to ABI::V3 (the fourth is WIP). Anyway, providing a best-effort security policy for users is a good and pragmatic approach that I'm encouraging. You don't need to do anything special to support this mode with the Landlock Rust library, but you can make specific feature mandatory (I think it should not be necessary for your use case though).

The Rust library is tested with several kernel versions to make sure this best-effort mode works as expected and gives stability guarantees. You can either directly use https://github.com/landlock-lsm/landlock-test-tools or extract what makes sense for you. See landlock-lsm/rust-landlock#41