KB-9100

B4′ Deny-by-Default Sandbox Attestation Evidence (CI) — 2026-06-10

Revision 1

Verdict: B4_PRIME_PASS (12/12 probes) · Date: 2026-06-10 · Venue: GitHub-hosted ephemeral runner (Linux/X64), NOT Mac-local · Production mutation: NO · Codex: NO

Evidence, not authority. This bundle was produced by an authorized run on Huyen1974/tool-kiem-thu-ci (private, no secrets, no prod link). It attests the rev4 §12.1 L1 deny-by-default boundary that the offline MVP depends on. Bound to acceptance matrix #24–#37.

Venue identity (proves not Mac-local)

  • platform: github-hosted-runner · runner_os: Linux · runner_arch: X64 · not_mac_local: true
  • github_repository: Huyen1974/tool-kiem-thu-ci · github_run_id (PASS): 27247749834
  • runtime: Docker version 28.0.4 · image_digest: sha256:a75f623555d9a45749f28969de82db76ee6d183dc0de66371fcc8f52f38fb46e
  • seccomp_strict_sha256: 68b07c179a8c338d8aedca940150982106c793b75daadfaa323109ac309e8dbe
  • seccomp_safe_sha256: d11c2bb0adb6d9135fe03fc10576772ffc427d080d4e4a438f0c9ddfafd09260

Design correction (honest, no fake-green)

The SSOT §5 strict profile denies execve. Under runc the container's own entrypoint is launched via execve after the seccomp filter is installed, so a profile that ERRNOs execve prevents the container from starting at all. Empirically confirmed in run 27247543884: exec /usr/bin/python: operation not permitted (exit 255), strict_started=false. The profile had never been run before, so this was never caught.

Resolution: attest with a startup-safe variant (strict deny set MINUS execve/execveat). "No subprocess" is then enforced structurally by the distroless no-shell image — PR-EXEC-1 attempts os.execv("/bin/sh", …) → ENOENT (there is no shell/binary to exec). All other seccomp denials (socket/connect/bind/ptrace/mount/modules) remain enforced under both profiles. The bundle records both profile hashes and both startup outcomes.
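One way to check that a startup-safe profile relaxes nothing beyond execve/execveat, as an added example that is not part of the original bundle or the project's code. It assumes a deny-list profile in Docker's seccomp JSON layout; the sample syscall list, the function names and the canonical-JSON hashing are constructed for illustration.

```python
import copy
import hashlib
import json

# Constructed sample in Docker's seccomp JSON layout (deny-list shape assumed);
# the syscall list is illustrative, NOT the project's real strict profile.
STRICT = {
    "defaultAction": "SCMP_ACT_ALLOW",
    "syscalls": [{
        "names": ["socket", "connect", "bind", "ptrace", "mount",
                  "init_module", "finit_module", "execve", "execveat"],
        "action": "SCMP_ACT_ERRNO",
    }],
}
STARTUP_EXEMPT = {"execve", "execveat"}  # the only relaxation the page describes


def denied(profile):
    """Set of syscalls the profile answers with SCMP_ACT_ERRNO."""
    return {name for rule in profile.get("syscalls", [])
            if rule.get("action") == "SCMP_ACT_ERRNO"
            for name in rule.get("names", [])}


def derive_startup_safe(strict):
    """Copy the strict profile, dropping only execve/execveat from deny rules."""
    safe = copy.deepcopy(strict)
    for rule in safe.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ERRNO":
            rule["names"] = [n for n in rule.get("names", []) if n not in STARTUP_EXEMPT]
    return safe


def profile_sha256(profile):
    """Digest of a canonical serialization, so the hash is reproducible."""
    blob = json.dumps(profile, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def check_relaxation(strict, safe):
    """Return problems; an empty list means safe == strict minus the exempt set."""
    problems = []
    if strict.get("defaultAction") != safe.get("defaultAction"):
        problems.append("defaultAction differs")
    for name in sorted(denied(strict) - denied(safe) - STARTUP_EXEMPT):
        problems.append(f"deny dropped for {name}")
    for name in sorted(denied(safe) - denied(strict)):
        problems.append(f"deny added for {name}")
    for name in sorted(denied(safe) & STARTUP_EXEMPT):
        problems.append(f"{name} still denied (container cannot start)")
    return problems
```

Running `check_relaxation` in CI before the probes gives a gate that fails if the two recorded profiles ever diverge by more than the documented exemption.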

A second honest finding (run 27247543884): the container ran the harness under startup-safe but crashed writing /out (PermissionError [Errno 13]) because the host output dir was not writable by the container's nonroot uid 65532. Fixed by chmod 0777 on the host /out dir (the output mount is meant to be writable; this relaxes no deny boundary). Re-run 27247749834 → 12/12 PASS.

Probe results (run 27247749834, startup-safe profile) — 12/12 PASS

| Probe | Verdict | errno | Observed | Matrix |
|---|---|---|---|---|
| PR-NET-1 | PASS | 1 | socket()→EPERM (Operation not permitted) | #27 |
| PR-NET-2 | PASS | n/a | interfaces == ['lo'] | #27 sib |
| PR-SOCK-1 | PASS | 1 | socket(AF_INET)→EPERM | #25 sib |
| PR-ENV-1 | PASS | n/a | env keyset {HOME,HOSTNAME,LANG,PATH,SSL_CERT_FILE}, no secrets | #28 |
| PR-FS-RO-IN | PASS | 30 | open('/in/__probe','w')→EROFS | #33 |
| PR-FS-ESC-1 | PASS | 30 | open('/etc/__probe','w')→EROFS | #29 |
| PR-FS-ESC-2 | PASS | 30 | open('/app/__probe','w')→EROFS | #29/#33 |
| PR-FS-OUT-OK | PASS | 0 | open('/out/report.md','w') wrote ok (positive control) | #33 ctrl |
| PR-EXEC-1 | PASS | 2 | os.execv('/bin/sh')→ENOENT (no shell → no subprocess) | #34/#25 |
| PR-MOUNT-1 | PASS | n/a | /in ro, /out rw (mount table = 2 binds) | #29/#33 |
| PR-SOCK-DOCKER | PASS | n/a | /var/run/docker.sock absent | #36 |
| PR-PTRACE-1 | PASS | 1 | ptrace(PTRACE_TRACEME)→EPERM | #37 |

summary: {total:12, pass:12, fail:0, unverified:0}. Container exit 0 (no probe FAILED). Machine bundle: reports/b4-prime-sandbox-attestation-evidence-2026-06-10.json. Raw logs: reports/b4-prime-sandbox-attestation-raw-log-index-2026-06-10.md.

Honesty bound

  • The startup-safe profile does not seccomp-deny execve; "no subprocess" rests on the distroless image (no /bin/sh/host binaries) + no-new-privileges + the MVP holding no subprocess capability (L2 build-guard). This is the strongest runnable realization; the strict execve-deny is structurally incompatible with container startup and is recorded as such, not as a PASS.
  • #35 (dynamic-import) is an L2 build-time check, attested by the guard harness, not an OS probe.