B4′ Sandbox Attestation Evidence Bundle (machine-readable) — 2026-06-10
{ "schema": "b4-prime-sandbox-attestation/inside/v1", "run_date": "2026-06-10", "seccomp_variant": "startupsafe", "venue": "CI", "venue_identity": { "platform": "github-hosted-runner", "runner_os": "Linux", "runner_arch": "X64", "github_repository": "Huyen1974/tool-kiem-thu-ci", "github_run_id": "27247749834", "not_mac_local": true }, "attestation_profile_used": "startup-safe (execve allowed; no-subprocess structural via distroless)", "strict_started": false, "startupsafe_started": true, "startup_probe": ["strict_container_exit=255", "strict_started=false", "startupsafe_container_exit=0", "startupsafe_started=true"], "image_digest": "sha256:a75f623555d9a45749f28969de82db76ee6d183dc0de66371fcc8f52f38fb46e", "seccomp_strict_sha256": "68b07c179a8c338d8aedca940150982106c793b75daadfaa323109ac309e8dbe", "seccomp_safe_sha256": "d11c2bb0adb6d9135fe03fc10576772ffc427d080d4e4a438f0c9ddfafd09260", "runtime": "Docker version 28.0.4", "summary": {"total": 12, "pass": 12, "fail": 0, "unverified": 0}, "probes": [ {"probe_id": "PR-NET-1", "verdict": "PASS", "errno_or_exit": 1, "expected": "EPERM/ENETUNREACH/EAFNOSUPPORT", "actual": "[Errno 1] Operation not permitted", "matrix": "#27"}, {"probe_id": "PR-NET-2", "verdict": "PASS", "errno_or_exit": "n/a", "expected": "interfaces=={lo}", "actual": "['lo']", "matrix": "#27sib"}, {"probe_id": "PR-SOCK-1", "verdict": "PASS", "errno_or_exit": 1, "expected": "EPERM", "actual": "[Errno 1] Operation not permitted", "matrix": "#25sib"}, {"probe_id": "PR-ENV-1", "verdict": "PASS", "errno_or_exit": "n/a", "expected": "no secret env key", "actual": "{HOME,HOSTNAME,LANG,PATH,SSL_CERT_FILE}; leaked=[]", "matrix": "#28"}, {"probe_id": "PR-FS-RO-IN", "verdict": "PASS", "errno_or_exit": 30, "expected": "EROFS", "actual": "Read-only file system: /in/__probe", "matrix": "#33"}, {"probe_id": "PR-FS-ESC-1", "verdict": "PASS", "errno_or_exit": 30, "expected": "EROFS", "actual": "Read-only file system: /etc/__probe", "matrix": "#29"}, {"probe_id": 
"PR-FS-ESC-2", "verdict": "PASS", "errno_or_exit": 30, "expected": "EROFS/EACCES", "actual": "Read-only file system: /app/__probe", "matrix": "#29/#33"}, {"probe_id": "PR-FS-OUT-OK", "verdict": "PASS", "errno_or_exit": 0, "expected": "succeeds (control)", "actual": "WROTE ok", "matrix": "#33ctrl"}, {"probe_id": "PR-EXEC-1", "verdict": "PASS", "errno_or_exit": 2, "expected": "EPERM/ENOENT", "actual": "[Errno 2] No such file or directory (no /bin/sh)", "matrix": "#34/#25"}, {"probe_id": "PR-MOUNT-1", "verdict": "PASS", "errno_or_exit": "n/a", "expected": "/in ro,/out rw", "actual": "{in_ro:true,out_rw:true}", "matrix": "#29/#33"}, {"probe_id": "PR-SOCK-DOCKER", "verdict": "PASS", "errno_or_exit": "n/a", "expected": "absent", "actual": "False", "matrix": "#36"}, {"probe_id": "PR-PTRACE-1", "verdict": "PASS", "errno_or_exit": 1, "expected": "EPERM", "actual": "{rc:-1,errno:1}", "matrix": "#37"} ], "design_correction": { "strict_profile_unrunnable": true, "reason": "runc launches the entrypoint via execve after installing the seccomp filter; ERRNO on execve => container cannot start (run 27247543884: 'exec /usr/bin/python: operation not permitted', exit 255)", "resolution": "startup-safe profile (execve allowed); no-subprocess enforced structurally by distroless no-shell + no-new-privileges; PR-EXEC-1 -> ENOENT. Scope of this evidence: the ENOENT result shows only that /bin/sh is absent from the image; execve itself is not filtered under this profile, and no-new-privileges limits privilege gain rather than process creation, so executables that are present in the image (such as the /usr/bin/python entrypoint named in the strict-profile error) are not covered by PR-EXEC-1" } }