PVF: Fix unshare "no such file or directory" error (#2426)

polkadot/node/core/pvf/tests/it/main.rs

@@ -18,6 +18,8 @@
 
 use assert_matches::assert_matches;
 use parity_scale_codec::Encode as _;
+#[cfg(all(feature = "ci-only-tests", target_os = "linux"))]
+use polkadot_node_core_pvf::SecurityStatus;
 use polkadot_node_core_pvf::{
 	start, testing::build_workers_and_get_paths, Config, InvalidCandidate, Metrics, PrepareError,
 	PrepareJobKind, PvfPrepData, ValidationError, ValidationHost, JOB_TIMEOUT_WALL_CLOCK_FACTOR,
@@ -122,6 +124,11 @@ impl TestHost {
 			.unwrap();
 		result_rx.await.unwrap()
 	}
+
+	#[cfg(all(feature = "ci-only-tests", target_os = "linux"))]
+	async fn security_status(&self) -> SecurityStatus {
+		self.host.lock().await.security_status.clone()
+	}
 }
 
 #[tokio::test]
@@ -402,3 +409,28 @@ async fn prepare_can_run_serially() {
 	// Prepare a different wasm blob to prevent skipping work.
 	let _stats = host.precheck_pvf(halt::wasm_binary_unwrap(), Default::default()).await.unwrap();
 }
+
+// CI machines should be able to enable all the security features.
+#[cfg(all(feature = "ci-only-tests", target_os = "linux"))]
+#[tokio::test]
+async fn all_security_features_work() {
+	// Landlock is only available starting Linux 5.13, and we may be testing on an old kernel.
+	let sysinfo = sc_sysinfo::gather_sysinfo();
+	// The version will look something like "5.15.0-87-generic".
+	let version = sysinfo.linux_kernel.unwrap();
+	let version_split: Vec<&str> = version.split(".").collect();
+	let major: u32 = version_split[0].parse().unwrap();
+	let minor: u32 = version_split[1].parse().unwrap();
+	let can_enable_landlock = if major >= 6 { true } else { minor >= 13 };
+
+	let host = TestHost::new().await;
+
+	assert_eq!(
+		host.security_status().await,
+		SecurityStatus {
+			can_enable_landlock,
+			can_enable_seccomp: true,
+			can_unshare_user_namespace_and_change_root: true,
+		}
+	);
+}