summaryrefslogtreecommitdiffstats
path: root/tests
diff options
context:
space:
mode:
Diffstat (limited to 'tests')
-rw-r--r--tests/01-sim-allow.c50
-rwxr-xr-xtests/01-sim-allow.py40
-rw-r--r--tests/01-sim-allow.tests21
-rw-r--r--tests/02-sim-basic.c72
-rwxr-xr-xtests/02-sim-basic.py44
-rw-r--r--tests/02-sim-basic.tests30
-rw-r--r--tests/03-sim-basic_chains.c74
-rwxr-xr-xtests/03-sim-basic_chains.py45
-rw-r--r--tests/03-sim-basic_chains.tests32
-rw-r--r--tests/04-sim-multilevel_chains.c87
-rwxr-xr-xtests/04-sim-multilevel_chains.py56
-rw-r--r--tests/04-sim-multilevel_chains.tests44
-rw-r--r--tests/05-sim-long_jumps.c89
-rwxr-xr-xtests/05-sim-long_jumps.py64
-rw-r--r--tests/05-sim-long_jumps.tests30
-rw-r--r--tests/06-sim-actions.c78
-rwxr-xr-xtests/06-sim-actions.py49
-rw-r--r--tests/06-sim-actions.tests34
-rw-r--r--tests/07-sim-db_bug_looping.c68
-rwxr-xr-xtests/07-sim-db_bug_looping.py45
-rw-r--r--tests/07-sim-db_bug_looping.tests23
-rw-r--r--tests/08-sim-subtree_checks.c179
-rwxr-xr-xtests/08-sim-subtree_checks.py122
-rw-r--r--tests/08-sim-subtree_checks.tests47
-rw-r--r--tests/09-sim-syscall_priority_pre.c76
-rwxr-xr-xtests/09-sim-syscall_priority_pre.py47
-rw-r--r--tests/09-sim-syscall_priority_pre.tests26
-rw-r--r--tests/10-sim-syscall_priority_post.c76
-rwxr-xr-xtests/10-sim-syscall_priority_post.py47
-rw-r--r--tests/10-sim-syscall_priority_post.tests26
-rw-r--r--tests/11-basic-basic_errors.c243
-rwxr-xr-xtests/11-basic-basic_errors.py93
-rw-r--r--tests/11-basic-basic_errors.tests11
-rw-r--r--tests/12-sim-basic_masked_ops.c88
-rwxr-xr-xtests/12-sim-basic_masked_ops.py61
-rw-r--r--tests/12-sim-basic_masked_ops.tests48
-rw-r--r--tests/13-basic-attrs.c149
-rwxr-xr-xtests/13-basic-attrs.py68
-rw-r--r--tests/13-basic-attrs.tests11
-rw-r--r--tests/14-sim-reset.c62
-rwxr-xr-xtests/14-sim-reset.py43
-rw-r--r--tests/14-sim-reset.tests29
-rw-r--r--tests/15-basic-resolver.c170
-rwxr-xr-xtests/15-basic-resolver.py54
-rw-r--r--tests/15-basic-resolver.tests11
-rw-r--r--tests/16-sim-arch_basic.c169
-rwxr-xr-xtests/16-sim-arch_basic.py62
-rw-r--r--tests/16-sim-arch_basic.tests27
-rw-r--r--tests/17-sim-arch_merge.c111
-rwxr-xr-xtests/17-sim-arch_merge.py53
-rw-r--r--tests/17-sim-arch_merge.tests24
-rw-r--r--tests/18-sim-basic_allowlist.c74
-rwxr-xr-xtests/18-sim-basic_allowlist.py45
-rw-r--r--tests/18-sim-basic_allowlist.tests32
-rw-r--r--tests/19-sim-missing_syscalls.c65
-rwxr-xr-xtests/19-sim-missing_syscalls.py47
-rw-r--r--tests/19-sim-missing_syscalls.tests16
-rw-r--r--tests/20-live-basic_die.c70
-rwxr-xr-xtests/20-live-basic_die.py50
-rw-r--r--tests/20-live-basic_die.tests13
-rw-r--r--tests/21-live-basic_allow.c80
-rwxr-xr-xtests/21-live-basic_allow.py64
-rw-r--r--tests/21-live-basic_allow.tests11
-rw-r--r--tests/22-sim-basic_chains_array.c78
-rwxr-xr-xtests/22-sim-basic_chains_array.py48
-rw-r--r--tests/22-sim-basic_chains_array.tests31
-rw-r--r--tests/23-sim-arch_all_le_basic.c108
-rwxr-xr-xtests/23-sim-arch_all_le_basic.py56
-rw-r--r--tests/23-sim-arch_all_le_basic.tests23
-rw-r--r--tests/24-live-arg_allow.c93
-rwxr-xr-xtests/24-live-arg_allow.py63
-rw-r--r--tests/24-live-arg_allow.tests11
-rw-r--r--tests/25-sim-multilevel_chains_adv.c63
-rwxr-xr-xtests/25-sim-multilevel_chains_adv.py47
-rw-r--r--tests/25-sim-multilevel_chains_adv.tests30
-rw-r--r--tests/26-sim-arch_all_be_basic.c104
-rwxr-xr-xtests/26-sim-arch_all_be_basic.py54
-rw-r--r--tests/26-sim-arch_all_be_basic.tests23
-rw-r--r--tests/27-sim-bpf_blk_state.c103
-rwxr-xr-xtests/27-sim-bpf_blk_state.py53
-rw-r--r--tests/27-sim-bpf_blk_state.tests24
-rw-r--r--tests/28-sim-arch_x86.c71
-rwxr-xr-xtests/28-sim-arch_x86.py47
-rw-r--r--tests/28-sim-arch_x86.tests22
-rw-r--r--tests/29-sim-pseudo_syscall.c71
-rwxr-xr-xtests/29-sim-pseudo_syscall.py51
-rw-r--r--tests/29-sim-pseudo_syscall.tests18
-rw-r--r--tests/30-sim-socket_syscalls.c150
-rwxr-xr-xtests/30-sim-socket_syscalls.py67
-rw-r--r--tests/30-sim-socket_syscalls.tests53
-rw-r--r--tests/31-basic-version_check.c41
-rwxr-xr-xtests/31-basic-version_check.py35
-rw-r--r--tests/31-basic-version_check.tests11
-rw-r--r--tests/32-live-tsync_allow.c84
-rwxr-xr-xtests/32-live-tsync_allow.py64
-rw-r--r--tests/32-live-tsync_allow.tests11
-rw-r--r--tests/33-sim-socket_syscalls_be.c84
-rwxr-xr-xtests/33-sim-socket_syscalls_be.py49
-rw-r--r--tests/33-sim-socket_syscalls_be.tests31
-rw-r--r--tests/34-sim-basic_denylist.c74
-rwxr-xr-xtests/34-sim-basic_denylist.py45
-rw-r--r--tests/34-sim-basic_denylist.tests32
-rw-r--r--tests/35-sim-negative_one.c73
-rwxr-xr-xtests/35-sim-negative_one.py46
-rw-r--r--tests/35-sim-negative_one.tests18
-rw-r--r--tests/36-sim-ipc_syscalls.c118
-rwxr-xr-xtests/36-sim-ipc_syscalls.py58
-rw-r--r--tests/36-sim-ipc_syscalls.tests39
-rw-r--r--tests/37-sim-ipc_syscalls_be.c112
-rwxr-xr-xtests/37-sim-ipc_syscalls_be.py56
-rw-r--r--tests/37-sim-ipc_syscalls_be.tests27
-rw-r--r--tests/38-basic-pfc_coverage.c131
-rw-r--r--tests/38-basic-pfc_coverage.pfc668
-rwxr-xr-xtests/38-basic-pfc_coverage.sh46
-rw-r--r--tests/38-basic-pfc_coverage.tests11
-rw-r--r--tests/39-basic-api_level.c88
-rwxr-xr-xtests/39-basic-api_level.py83
-rw-r--r--tests/39-basic-api_level.tests11
-rw-r--r--tests/40-sim-log.c59
-rwxr-xr-xtests/40-sim-log.py47
-rw-r--r--tests/40-sim-log.tests21
-rw-r--r--tests/41-sim-syscall_priority_arch.c63
-rwxr-xr-xtests/41-sim-syscall_priority_arch.py44
-rw-r--r--tests/41-sim-syscall_priority_arch.tests19
-rw-r--r--tests/42-sim-adv_chains.c198
-rwxr-xr-xtests/42-sim-adv_chains.py128
-rw-r--r--tests/42-sim-adv_chains.tests54
-rw-r--r--tests/43-sim-a2_order.c132
-rwxr-xr-xtests/43-sim-a2_order.py62
-rw-r--r--tests/43-sim-a2_order.tests55
-rw-r--r--tests/44-live-a2_order.c178
-rwxr-xr-xtests/44-live-a2_order.py107
-rw-r--r--tests/44-live-a2_order.tests11
-rw-r--r--tests/45-sim-chain_code_coverage.c108
-rwxr-xr-xtests/45-sim-chain_code_coverage.py48
-rw-r--r--tests/45-sim-chain_code_coverage.tests16
-rw-r--r--tests/46-sim-kill_process.c78
-rwxr-xr-xtests/46-sim-kill_process.py47
-rw-r--r--tests/46-sim-kill_process.tests16
-rw-r--r--tests/47-live-kill_process.c102
-rwxr-xr-xtests/47-live-kill_process.py68
-rw-r--r--tests/47-live-kill_process.tests11
-rw-r--r--tests/48-sim-32b_args.c84
-rwxr-xr-xtests/48-sim-32b_args.py50
-rw-r--r--tests/48-sim-32b_args.tests38
-rw-r--r--tests/49-sim-64b_comparisons.c56
-rwxr-xr-xtests/49-sim-64b_comparisons.py45
-rw-r--r--tests/49-sim-64b_comparisons.tests25
-rw-r--r--tests/50-sim-hash_collision.c98
-rwxr-xr-xtests/50-sim-hash_collision.py61
-rw-r--r--tests/50-sim-hash_collision.tests18
-rw-r--r--tests/51-live-user_notification.c134
-rwxr-xr-xtests/51-live-user_notification.py64
-rw-r--r--tests/51-live-user_notification.tests11
-rw-r--r--tests/52-basic-load.c71
-rwxr-xr-xtests/52-basic-load.py38
-rw-r--r--tests/52-basic-load.tests11
-rw-r--r--tests/53-sim-binary_tree.c156
-rwxr-xr-xtests/53-sim-binary_tree.py96
-rw-r--r--tests/53-sim-binary_tree.tests65
-rw-r--r--tests/54-live-binary_tree.c130
-rwxr-xr-xtests/54-live-binary_tree.py96
-rw-r--r--tests/54-live-binary_tree.tests11
-rw-r--r--tests/55-basic-pfc_binary_tree.c134
-rw-r--r--tests/55-basic-pfc_binary_tree.pfc182
-rwxr-xr-xtests/55-basic-pfc_binary_tree.sh46
-rw-r--r--tests/55-basic-pfc_binary_tree.tests11
-rw-r--r--tests/56-basic-iterate_syscalls.c90
-rwxr-xr-xtests/56-basic-iterate_syscalls.py65
-rw-r--r--tests/56-basic-iterate_syscalls.tests11
-rw-r--r--tests/57-basic-rawsysrc.c64
-rwxr-xr-xtests/57-basic-rawsysrc.py46
-rw-r--r--tests/57-basic-rawsysrc.tests11
-rw-r--r--tests/58-live-tsync_notify.c117
-rwxr-xr-xtests/58-live-tsync_notify.py61
-rw-r--r--tests/58-live-tsync_notify.tests11
-rw-r--r--tests/59-basic-empty_binary_tree.c54
-rwxr-xr-xtests/59-basic-empty_binary_tree.py41
-rw-r--r--tests/59-basic-empty_binary_tree.tests16
-rw-r--r--tests/Makefile.am242
-rw-r--r--tests/Makefile.in1805
-rw-r--r--tests/miniseq.c58
-rwxr-xr-xtests/regression1127
-rwxr-xr-xtests/testdiff126
-rwxr-xr-xtests/testgen207
-rw-r--r--tests/util.c253
-rw-r--r--tests/util.h42
-rwxr-xr-xtests/util.py109
-rw-r--r--tests/valgrind_test.supp27
189 files changed, 15569 insertions, 0 deletions
diff --git a/tests/01-sim-allow.c b/tests/01-sim-allow.c
new file mode 100644
index 0000000..74e3f15
--- /dev/null
+++ b/tests/01-sim-allow.c
@@ -0,0 +1,50 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/01-sim-allow.py b/tests/01-sim-allow.py
new file mode 100755
index 0000000..d1dbf08
--- /dev/null
+++ b/tests/01-sim-allow.py
@@ -0,0 +1,40 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(ALLOW)
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/01-sim-allow.tests b/tests/01-sim-allow.tests
new file mode 100644
index 0000000..bfdc470
--- /dev/null
+++ b/tests/01-sim-allow.tests
@@ -0,0 +1,21 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright IBM Corp. 2012
+# Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+01-sim-allow all,-x32 0-350 N N N N N N ALLOW
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+01-sim-allow 50
+
+test type: bpf-valgrind
+
+# Testname
+01-sim-allow
diff --git a/tests/02-sim-basic.c b/tests/02-sim-basic.c
new file mode 100644
index 0000000..ed61f90
--- /dev/null
+++ b/tests/02-sim-basic.c
@@ -0,0 +1,72 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+/*
+ * Just like mode 1 seccomp we allow 4 syscalls:
+ * read, write, exit, and rt_sigreturn
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx,
+ SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/02-sim-basic.py b/tests/02-sim-basic.py
new file mode 100755
index 0000000..2b0029c
--- /dev/null
+++ b/tests/02-sim-basic.py
@@ -0,0 +1,44 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.add_rule_exactly(ALLOW, "read")
+ f.add_rule_exactly(ALLOW, "write")
+ f.add_rule_exactly(ALLOW, "close")
+ f.add_rule_exactly(ALLOW, "rt_sigreturn")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/02-sim-basic.tests b/tests/02-sim-basic.tests
new file mode 100644
index 0000000..07004a4
--- /dev/null
+++ b/tests/02-sim-basic.tests
@@ -0,0 +1,30 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright IBM Corp. 2012
+# Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+02-sim-basic all read 0 0x856B008 40 N N N ALLOW
+02-sim-basic all write 1 0x856B008 40 N N N ALLOW
+02-sim-basic all close 4 N N N N N ALLOW
+02-sim-basic all rt_sigreturn N N N N N N ALLOW
+02-sim-basic all open 0x856B008 4 N N N N KILL
+02-sim-basic x86 0-2 N N N N N N KILL
+02-sim-basic x86 7-172 N N N N N N KILL
+02-sim-basic x86 174-350 N N N N N N KILL
+02-sim-basic x86_64 4-14 N N N N N N KILL
+02-sim-basic x86_64 16-350 N N N N N N KILL
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+02-sim-basic 50
+
+test type: bpf-valgrind
+
+# Testname
+02-sim-basic
diff --git a/tests/03-sim-basic_chains.c b/tests/03-sim-basic_chains.c
new file mode 100644
index 0000000..64d6323
--- /dev/null
+++ b/tests/03-sim-basic_chains.c
@@ -0,0 +1,74 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx,
+ SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/03-sim-basic_chains.py b/tests/03-sim-basic_chains.py
new file mode 100755
index 0000000..f8d3373
--- /dev/null
+++ b/tests/03-sim-basic_chains.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.add_rule_exactly(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno()))
+ f.add_rule_exactly(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno()))
+ f.add_rule_exactly(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno()))
+ f.add_rule_exactly(ALLOW, "close")
+ f.add_rule_exactly(ALLOW, "rt_sigreturn")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/03-sim-basic_chains.tests b/tests/03-sim-basic_chains.tests
new file mode 100644
index 0000000..ef4353a
--- /dev/null
+++ b/tests/03-sim-basic_chains.tests
@@ -0,0 +1,32 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright IBM Corp. 2012
+# Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+03-sim-basic_chains all read 0 0x856B008 10 N N N ALLOW
+03-sim-basic_chains all read 1-10 0x856B008 10 N N N KILL
+03-sim-basic_chains all write 1-2 0x856B008 10 N N N ALLOW
+03-sim-basic_chains all write 3-10 0x856B008 10 N N N KILL
+03-sim-basic_chains all close N N N N N N ALLOW
+03-sim-basic_chains all rt_sigreturn N N N N N N ALLOW
+03-sim-basic_chains all open 0x856B008 4 N N N N KILL
+03-sim-basic_chains x86 0-2 N N N N N N KILL
+03-sim-basic_chains x86 7-172 N N N N N N KILL
+03-sim-basic_chains x86 174-350 N N N N N N KILL
+03-sim-basic_chains x86_64 4-14 N N N N N N KILL
+03-sim-basic_chains x86_64 16-350 N N N N N N KILL
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+03-sim-basic_chains 50
+
+test type: bpf-valgrind
+
+# Testname
+03-sim-basic_chains
diff --git a/tests/04-sim-multilevel_chains.c b/tests/04-sim-multilevel_chains.c
new file mode 100644
index 0000000..e3e4f9b
--- /dev/null
+++ b/tests/04-sim-multilevel_chains.c
@@ -0,0 +1,87 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <limits.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 3,
+ SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO),
+ SCMP_A1(SCMP_CMP_NE, 0x0),
+ SCMP_A2(SCMP_CMP_LT, SSIZE_MAX));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 3,
+ SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO),
+ SCMP_A1(SCMP_CMP_NE, 0x0),
+ SCMP_A2(SCMP_CMP_LT, SSIZE_MAX));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 3,
+ SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO),
+ SCMP_A1(SCMP_CMP_NE, 0x0),
+ SCMP_A2(SCMP_CMP_LT, SSIZE_MAX));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/04-sim-multilevel_chains.py b/tests/04-sim-multilevel_chains.py
new file mode 100755
index 0000000..a5127a2
--- /dev/null
+++ b/tests/04-sim-multilevel_chains.py
@@ -0,0 +1,56 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.add_rule(ALLOW, "openat")
+ f.add_rule(ALLOW, "close")
+ f.add_rule(ALLOW, "read",
+ Arg(0, EQ, sys.stdin.fileno()),
+ Arg(1, NE, 0),
+ Arg(2, LT, sys.maxsize))
+ f.add_rule(ALLOW, "write",
+ Arg(0, EQ, sys.stdout.fileno()),
+ Arg(1, NE, 0),
+ Arg(2, LT, sys.maxsize))
+ f.add_rule(ALLOW, "write",
+ Arg(0, EQ, sys.stderr.fileno()),
+ Arg(1, NE, 0),
+ Arg(2, LT, sys.maxsize))
+ f.add_rule(ALLOW, "close")
+ f.add_rule(ALLOW, "rt_sigreturn")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/04-sim-multilevel_chains.tests b/tests/04-sim-multilevel_chains.tests
new file mode 100644
index 0000000..b6f7576
--- /dev/null
+++ b/tests/04-sim-multilevel_chains.tests
@@ -0,0 +1,44 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright IBM Corp. 2012
+# Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+04-sim-multilevel_chains all openat 0 0x856B008 4 N N N ALLOW
+04-sim-multilevel_chains all close 4 N N N N N ALLOW
+04-sim-multilevel_chains x86 read 0 0x856B008 0x7FFFFFFE N N N ALLOW
+04-sim-multilevel_chains x86_64 read 0 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW
+04-sim-multilevel_chains x86 read 0 0x856B008 0x7FFFFFFF N N N KILL
+04-sim-multilevel_chains x86_64 read 0 0x856B008 0x7FFFFFFFFFFFFFFF N N N KILL
+04-sim-multilevel_chains x86 read 0 0 0x7FFFFFFE N N N KILL
+04-sim-multilevel_chains x86_64 read 0 0 0x7FFFFFFFFFFFFFFE N N N KILL
+04-sim-multilevel_chains all read 1-10 0x856B008 0x7FFFFFFE N N N KILL
+04-sim-multilevel_chains x86 write 1-2 0x856B008 0x7FFFFFFE N N N ALLOW
+04-sim-multilevel_chains x86_64 write 1-2 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW
+04-sim-multilevel_chains x86 write 1-2 0 0x7FFFFFFE N N N KILL
+04-sim-multilevel_chains x86_64 write 1-2 0 0x7FFFFFFFFFFFFFFE N N N KILL
+04-sim-multilevel_chains x86 write 1-2 0x856B008 0x7FFFFFFF N N N KILL
+04-sim-multilevel_chains x86_64 write 1-2 0x856B008 0x7FFFFFFFFFFFFFFF N N N KILL
+04-sim-multilevel_chains all write 3-10 0x856B008 0x7FFFFFFE N N N KILL
+04-sim-multilevel_chains all rt_sigreturn N N N N N N ALLOW
+04-sim-multilevel_chains x86 0-2 N N N N N N KILL
+04-sim-multilevel_chains x86 7-172 N N N N N N KILL
+04-sim-multilevel_chains x86 174-294 N N N N N N KILL
+04-sim-multilevel_chains x86 296-350 N N N N N N KILL
+04-sim-multilevel_chains x86_64 4-14 N N N N N N KILL
+04-sim-multilevel_chains x86_64 16-256 N N N N N N KILL
+04-sim-multilevel_chains x86_64 258-350 N N N N N N KILL
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+04-sim-multilevel_chains 50
+
+test type: bpf-valgrind
+
+# Testname
+04-sim-multilevel_chains
diff --git a/tests/05-sim-long_jumps.c b/tests/05-sim-long_jumps.c
new file mode 100644
index 0000000..f8e9634
--- /dev/null
+++ b/tests/05-sim-long_jumps.c
@@ -0,0 +1,89 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Copyright (c) 2021 Microsoft Corporation <paulmoore@microsoft.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+#include <limits.h>
+#include <stdlib.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ int iter, ctr;
+ char *syscall;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0);
+ if (rc != 0)
+ goto out;
+
+ /* same syscall, many chains */
+ for (iter = 0; iter < 100; iter++) {
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chdir), 3,
+ SCMP_A0(SCMP_CMP_EQ, iter),
+ SCMP_A1(SCMP_CMP_NE, 0x0),
+ SCMP_A2(SCMP_CMP_LT, SSIZE_MAX));
+ if (rc != 0)
+ goto out;
+ }
+
+ /* many syscalls, same chain */
+ for (iter = 0, ctr = 0; iter < 10000 && ctr < 100; iter++) {
+ if (iter == SCMP_SYS(chdir))
+ continue;
+ syscall = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE,
+ iter);
+ if (syscall) {
+ free(syscall);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, iter, 1,
+ SCMP_A0(SCMP_CMP_NE, 0));
+ if (rc != 0)
+ goto out;
+ ctr++;
+ }
+ }
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/05-sim-long_jumps.py b/tests/05-sim-long_jumps.py
new file mode 100755
index 0000000..6d9d5d4
--- /dev/null
+++ b/tests/05-sim-long_jumps.py
@@ -0,0 +1,64 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Copyright (c) 2021 Microsoft Corporation <paulmoore@microsoft.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.add_rule(ALLOW, "brk")
+ i = 0
+ while i < 100:
+ f.add_rule(ALLOW, "chdir",
+ Arg(0, EQ, i),
+ Arg(1, NE, 0),
+ Arg(2, LT, sys.maxsize))
+ i += 1
+ i = 0
+ ctr = 0
+ while i < 10000 and ctr < 100:
+ sc = i
+ i += 1
+ if sc == resolve_syscall(Arch(), "chdir"):
+ continue
+ try:
+ resolve_syscall(Arch(), sc)
+ except ValueError:
+ continue
+ f.add_rule(ALLOW, sc, Arg(0, NE, 0))
+ ctr += 1
+ f.add_rule(ALLOW, "close")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
+
diff --git a/tests/05-sim-long_jumps.tests b/tests/05-sim-long_jumps.tests
new file mode 100644
index 0000000..1f9f36b
--- /dev/null
+++ b/tests/05-sim-long_jumps.tests
@@ -0,0 +1,30 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2012 IBM Corp.
+# Copyright (c) 2021 Microsoft Corporation <paulmoore@microsoft.com>
+# Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+05-sim-long_jumps all,-x32 brk 1 2 3 4 5 6 ALLOW
+05-sim-long_jumps all,-x32 9999 N N N N N N KILL
+05-sim-long_jumps x86 chdir 0-5 0x856B008 0x7FFFFFFE N N N ALLOW
+05-sim-long_jumps x86_64 chdir 0-5 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW
+05-sim-long_jumps x86 chdir 95-99 0x856B008 0x7FFFFFFE N N N ALLOW
+05-sim-long_jumps x86_64 chdir 95-99 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW
+05-sim-long_jumps x86 chdir 100 0x856B008 0x7FFFFFFE N N N KILL
+05-sim-long_jumps x86_64 chdir 100 0x856B008 0x7FFFFFFFFFFFFFFE N N N KILL
+05-sim-long_jumps all,-x32 close 1 N N N N N ALLOW
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+05-sim-long_jumps 50
+
+test type: bpf-valgrind
+
+# Testname
+05-sim-long_jumps
diff --git a/tests/06-sim-actions.c b/tests/06-sim-actions.c
new file mode 100644
index 0000000..da636c9
--- /dev/null
+++ b/tests/06-sim-actions.c
@@ -0,0 +1,78 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ rc = seccomp_api_set(3);
+ if (rc != 0)
+ return EOPNOTSUPP;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_LOG, SCMP_SYS(rt_sigreturn), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(write), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_TRAP, SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_TRACE(1234), SCMP_SYS(openat), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_KILL_PROCESS, SCMP_SYS(fstat), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/06-sim-actions.py b/tests/06-sim-actions.py
new file mode 100755
index 0000000..253061d
--- /dev/null
+++ b/tests/06-sim-actions.py
@@ -0,0 +1,49 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import errno
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ set_api(3)
+
+ f = SyscallFilter(KILL)
+ f.add_rule(ALLOW, "read")
+ f.add_rule(LOG, "rt_sigreturn")
+ f.add_rule(ERRNO(errno.EPERM), "write")
+ f.add_rule(TRAP, "close")
+ f.add_rule(TRACE(1234), "openat")
+ f.add_rule(KILL_PROCESS, "fstat")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/06-sim-actions.tests b/tests/06-sim-actions.tests
new file mode 100644
index 0000000..1ef38b3
--- /dev/null
+++ b/tests/06-sim-actions.tests
@@ -0,0 +1,34 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright IBM Corp. 2012
+# Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+06-sim-actions all read 4 0x856B008 80 N N N ALLOW
+06-sim-actions all write 1 0x856B008 N N N N ERRNO(1)
+06-sim-actions all close 4 N N N N N TRAP
+06-sim-actions all openat 0 0x856B008 4 N N N TRACE(1234)
+06-sim-actions all fstat N N N N N N KILL_PROCESS
+06-sim-actions all rt_sigreturn N N N N N N LOG
+06-sim-actions x86 0-2 N N N N N N KILL
+06-sim-actions x86 7-107 N N N N N N KILL
+06-sim-actions x86 109-172 N N N N N N KILL
+06-sim-actions x86 174-294 N N N N N N KILL
+06-sim-actions x86 296-350 N N N N N N KILL
+06-sim-actions x86_64 6-14 N N N N N N KILL
+06-sim-actions x86_64 16-256 N N N N N N KILL
+06-sim-actions x86_64 258-350 N N N N N N KILL
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+06-sim-actions 50
+
+test type: bpf-valgrind
+
+# Testname
+06-sim-actions
diff --git a/tests/07-sim-db_bug_looping.c b/tests/07-sim-db_bug_looping.c
new file mode 100644
index 0000000..e3fec81
--- /dev/null
+++ b/tests/07-sim-db_bug_looping.c
@@ -0,0 +1,68 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright IBM Corp. 2012
+ * Author: Ashley Lai <adlai@us.ibm.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ /* The next three seccomp_rule_add_exact() calls for read must
+ * go together in this order to catch an infinite loop. */
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1,
+ SCMP_A1(SCMP_CMP_EQ, 0x0));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/07-sim-db_bug_looping.py b/tests/07-sim-db_bug_looping.py
new file mode 100755
index 0000000..5fcdf11
--- /dev/null
+++ b/tests/07-sim-db_bug_looping.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ # the next three seccomp_rule_add_exact() calls for read must go together
+ # in this order to catch an infinite loop.
+ f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdout.fileno()))
+ f.add_rule(ALLOW, "read", Arg(1, EQ, 0))
+ f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno()))
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/07-sim-db_bug_looping.tests b/tests/07-sim-db_bug_looping.tests
new file mode 100644
index 0000000..a7ec72b
--- /dev/null
+++ b/tests/07-sim-db_bug_looping.tests
@@ -0,0 +1,23 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright IBM Corp. 2012
+# Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+07-sim-db_bug_looping all read 1 0x856B008 10 N N N ALLOW
+07-sim-db_bug_looping all read 2-10 0 10 N N N ALLOW
+07-sim-db_bug_looping all read 0 0x856B008 10 N N N ALLOW
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+07-sim-db_bug_looping 50
+
+test type: bpf-valgrind
+
+# Testname
+07-sim-db_bug_looping
diff --git a/tests/08-sim-subtree_checks.c b/tests/08-sim-subtree_checks.c
new file mode 100644
index 0000000..cc35e54
--- /dev/null
+++ b/tests/08-sim-subtree_checks.c
@@ -0,0 +1,179 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ /* the syscall and argument numbers are all fake to make the test
+ * simpler */
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 2,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_EQ, 1));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 1,
+ SCMP_A1(SCMP_CMP_EQ, 1));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1001, 1,
+ SCMP_A1(SCMP_CMP_EQ, 1));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1001, 2,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_EQ, 1));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1002, 4,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_EQ, 1),
+ SCMP_A2(SCMP_CMP_EQ, 2),
+ SCMP_A3(SCMP_CMP_EQ, 3));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1002, 2,
+ SCMP_A1(SCMP_CMP_EQ, 1),
+ SCMP_A2(SCMP_CMP_EQ, 2));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1003, 2,
+ SCMP_A1(SCMP_CMP_EQ, 1),
+ SCMP_A2(SCMP_CMP_EQ, 2));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1003, 4,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_EQ, 1),
+ SCMP_A2(SCMP_CMP_EQ, 2),
+ SCMP_A3(SCMP_CMP_EQ, 3));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1004, 4,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_EQ, 1),
+ SCMP_A2(SCMP_CMP_EQ, 2),
+ SCMP_A3(SCMP_CMP_EQ, 3));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1004, 2,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_EQ, 11));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1004, 4,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_EQ, 1),
+ SCMP_A2(SCMP_CMP_EQ, 2),
+ SCMP_A3(SCMP_CMP_EQ, 33));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1004, 2,
+ SCMP_A1(SCMP_CMP_EQ, 1),
+ SCMP_A2(SCMP_CMP_EQ, 2));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1005, 2,
+ SCMP_A1(SCMP_CMP_EQ, 1),
+ SCMP_A2(SCMP_CMP_EQ, 2));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1005, 4,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_EQ, 1),
+ SCMP_A2(SCMP_CMP_EQ, 2),
+ SCMP_A3(SCMP_CMP_EQ, 3));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1005, 2,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_EQ, 11));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1005, 4,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_EQ, 1),
+ SCMP_A2(SCMP_CMP_EQ, 2),
+ SCMP_A3(SCMP_CMP_EQ, 33));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1006, 2,
+ SCMP_A1(SCMP_CMP_NE, 1),
+ SCMP_A2(SCMP_CMP_EQ, 0));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1006, 2,
+ SCMP_A1(SCMP_CMP_EQ, 1),
+ SCMP_A2(SCMP_CMP_EQ, 2));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1006, 1,
+ SCMP_A1(SCMP_CMP_NE, 1));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_TRAP, 1007, 2,
+ SCMP_A2(SCMP_CMP_EQ, 2),
+ SCMP_A3(SCMP_CMP_EQ, 3));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1007, 2,
+ SCMP_A2(SCMP_CMP_EQ, 2),
+ SCMP_A3(SCMP_CMP_NE, 3));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1007, 1,
+ SCMP_A3(SCMP_CMP_NE, 3));
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/08-sim-subtree_checks.py b/tests/08-sim-subtree_checks.py
new file mode 100755
index 0000000..66dac3c
--- /dev/null
+++ b/tests/08-sim-subtree_checks.py
@@ -0,0 +1,122 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ # the syscall and argument numbers are all fake to make the test simpler
+ f.add_rule_exactly(ALLOW, 1000,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1))
+ f.add_rule_exactly(ALLOW, 1000,
+ Arg(1, EQ, 1))
+
+ f.add_rule_exactly(ALLOW, 1001,
+ Arg(1, EQ, 1))
+ f.add_rule_exactly(ALLOW, 1001,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1))
+
+ f.add_rule_exactly(ALLOW, 1002,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2),
+ Arg(3, EQ, 3))
+ f.add_rule_exactly(ALLOW, 1002,
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2))
+
+ f.add_rule_exactly(ALLOW, 1003,
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2))
+ f.add_rule_exactly(ALLOW, 1003,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2),
+ Arg(3, EQ, 3))
+
+ f.add_rule_exactly(ALLOW, 1004,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2),
+ Arg(3, EQ, 3))
+ f.add_rule_exactly(ALLOW, 1004,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 11))
+ f.add_rule_exactly(ALLOW, 1004,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2),
+ Arg(3, EQ, 33))
+ f.add_rule_exactly(ALLOW, 1004,
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2))
+
+ f.add_rule_exactly(ALLOW, 1005,
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2))
+ f.add_rule_exactly(ALLOW, 1005,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2),
+ Arg(3, EQ, 3))
+ f.add_rule_exactly(ALLOW, 1005,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 11))
+ f.add_rule_exactly(ALLOW, 1005,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2),
+ Arg(3, EQ, 33))
+
+ f.add_rule_exactly(ALLOW, 1006,
+ Arg(1, NE, 1),
+ Arg(2, EQ, 0))
+ f.add_rule_exactly(ALLOW, 1006,
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2))
+ f.add_rule_exactly(ALLOW, 1006,
+ Arg(1, NE, 1))
+
+ f.add_rule_exactly(TRAP, 1007,
+ Arg(2, EQ, 2),
+ Arg(3, EQ, 3))
+ f.add_rule_exactly(ALLOW, 1007,
+ Arg(2, EQ, 2),
+ Arg(3, NE, 3))
+ f.add_rule_exactly(ALLOW, 1007,
+ Arg(3, NE, 3))
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/08-sim-subtree_checks.tests b/tests/08-sim-subtree_checks.tests
new file mode 100644
index 0000000..6c29c21
--- /dev/null
+++ b/tests/08-sim-subtree_checks.tests
@@ -0,0 +1,47 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright IBM Corp. 2012
+# Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+08-sim-subtree_checks all,-x32 1000 0-10 1 N N N N ALLOW
+08-sim-subtree_checks all,-x32 1000 0-10 0 N N N N KILL
+08-sim-subtree_checks all,-x32 1001 0-10 1 N N N N ALLOW
+08-sim-subtree_checks all,-x32 1001 0-10 0 N N N N KILL
+08-sim-subtree_checks all,-x32 1002 0-5 1 2 0-5 N N ALLOW
+08-sim-subtree_checks all,-x32 1002 0-5 2 1 0-5 N N KILL
+08-sim-subtree_checks all,-x32 1003 0-5 1 2 0-5 N N ALLOW
+08-sim-subtree_checks all,-x32 1003 0-5 2 1 0-5 N N KILL
+08-sim-subtree_checks all,-x32 1004 0 11 5-10 10 10 1-5 ALLOW
+08-sim-subtree_checks all,-x32 1004 0 1 2 0-5 N N ALLOW
+08-sim-subtree_checks all,-x32 1004 1-5 1 2 0-5 N N ALLOW
+08-sim-subtree_checks all,-x32 1004 1-5 1 2 30-35 N N ALLOW
+08-sim-subtree_checks all,-x32 1004 1-5 2 1 30-35 N N KILL
+08-sim-subtree_checks all,-x32 1005 0 11 5-10 10 10 1-5 ALLOW
+08-sim-subtree_checks all,-x32 1005 0 1 2 0-5 N N ALLOW
+08-sim-subtree_checks all,-x32 1005 1-5 1 2 0-5 N N ALLOW
+08-sim-subtree_checks all,-x32 1005 1-5 1 2 30-35 N N ALLOW
+08-sim-subtree_checks all,-x32 1005 1-5 2 1 30-35 N N KILL
+08-sim-subtree_checks all,-x32 1006 0-10 1 2 N N N ALLOW
+08-sim-subtree_checks all,-x32 1006 0-10 1 3 N N N KILL
+08-sim-subtree_checks all,-x32 1006 10 2-100 2 N N N ALLOW
+08-sim-subtree_checks all,-x32 1007 0 0 2 3 N N TRAP
+08-sim-subtree_checks all,-x32 1007 1 1 1 0-2 1 1 ALLOW
+08-sim-subtree_checks all,-x32 1007 1 1 2 0-2 1 1 ALLOW
+08-sim-subtree_checks all,-x32 1007 1 1 2 4-6 1 1 ALLOW
+08-sim-subtree_checks all,-x32 1007 1 1 0 3 1 1 KILL
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+08-sim-subtree_checks 50
+
+
+test type: bpf-valgrind
+
+# Testname
+08-sim-subtree_checks
diff --git a/tests/09-sim-syscall_priority_pre.c b/tests/09-sim-syscall_priority_pre.c
new file mode 100644
index 0000000..fbcd27d
--- /dev/null
+++ b/tests/09-sim-syscall_priority_pre.c
@@ -0,0 +1,76 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ /* the syscall and argument numbers are all fake to make the test
+ * simpler */
+
+ rc = seccomp_syscall_priority(ctx, 1000, 3);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_syscall_priority(ctx, 1001, 2);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_syscall_priority(ctx, 1002, 1);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 2,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_EQ, 1));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1001, 1,
+ SCMP_A0(SCMP_CMP_EQ, 0));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1002, 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/09-sim-syscall_priority_pre.py b/tests/09-sim-syscall_priority_pre.py
new file mode 100755
index 0000000..2ba5ea0
--- /dev/null
+++ b/tests/09-sim-syscall_priority_pre.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ # the syscall and argument numbers are all fake to make the test simpler
+ f.syscall_priority(1000, 3)
+ f.syscall_priority(1001, 2)
+ f.syscall_priority(1002, 1)
+ f.add_rule_exactly(ALLOW, 1000, Arg(0, EQ, 0), Arg(1, EQ, 1))
+ f.add_rule_exactly(ALLOW, 1001, Arg(0, EQ, 0))
+ f.add_rule_exactly(ALLOW, 1002)
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/09-sim-syscall_priority_pre.tests b/tests/09-sim-syscall_priority_pre.tests
new file mode 100644
index 0000000..a983967
--- /dev/null
+++ b/tests/09-sim-syscall_priority_pre.tests
@@ -0,0 +1,26 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright IBM Corp. 2012
+# Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+09-sim-syscall_priority_pre all,-x32 999 N N N N N N KILL
+09-sim-syscall_priority_pre all,-x32 1000-1002 0 1 N N N N ALLOW
+09-sim-syscall_priority_pre all,-x32 1000 0 2 N N N N KILL
+09-sim-syscall_priority_pre all,-x32 1001-1002 0 2 N N N N ALLOW
+09-sim-syscall_priority_pre all,-x32 1000-1001 1 1 N N N N KILL
+09-sim-syscall_priority_pre all,-x32 1003 N N N N N N KILL
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+09-sim-syscall_priority_pre 50
+
+test type: bpf-valgrind
+
+# Testname
+09-sim-syscall_priority_pre
diff --git a/tests/10-sim-syscall_priority_post.c b/tests/10-sim-syscall_priority_post.c
new file mode 100644
index 0000000..48ed9c0
--- /dev/null
+++ b/tests/10-sim-syscall_priority_post.c
@@ -0,0 +1,76 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ /* the syscall and argument numbers are all fake to make the test
+ * simpler */
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 2,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_EQ, 1));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1001, 1,
+ SCMP_A0(SCMP_CMP_EQ, 0));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1002, 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_syscall_priority(ctx, 1000, 3);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_syscall_priority(ctx, 1001, 2);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_syscall_priority(ctx, 1002, 1);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/10-sim-syscall_priority_post.py b/tests/10-sim-syscall_priority_post.py
new file mode 100755
index 0000000..01292d4
--- /dev/null
+++ b/tests/10-sim-syscall_priority_post.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ # the syscall and argument numbers are all fake to make the test simpler
+ f.add_rule_exactly(ALLOW, 1000, Arg(0, EQ, 0), Arg(1, EQ, 1))
+ f.add_rule_exactly(ALLOW, 1001, Arg(0, EQ, 0))
+ f.add_rule_exactly(ALLOW, 1002)
+ f.syscall_priority(1000, 3)
+ f.syscall_priority(1001, 2)
+ f.syscall_priority(1002, 1)
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/10-sim-syscall_priority_post.tests b/tests/10-sim-syscall_priority_post.tests
new file mode 100644
index 0000000..b05235c
--- /dev/null
+++ b/tests/10-sim-syscall_priority_post.tests
@@ -0,0 +1,26 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright IBM Corp. 2012
+# Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+10-sim-syscall_priority_post all,-x32 999 N N N N N N KILL
+10-sim-syscall_priority_post all,-x32 1000-1002 0 1 N N N N ALLOW
+10-sim-syscall_priority_post all,-x32 1000 0 2 N N N N KILL
+10-sim-syscall_priority_post all,-x32 1001-1002 0 2 N N N N ALLOW
+10-sim-syscall_priority_post all,-x32 1000-1001 1 1 N N N N KILL
+10-sim-syscall_priority_post all,-x32 1003 N N N N N N KILL
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+10-sim-syscall_priority_post 50
+
+test type: bpf-valgrind
+
+# Testname
+10-sim-syscall_priority_post
diff --git a/tests/11-basic-basic_errors.c b/tests/11-basic-basic_errors.c
new file mode 100644
index 0000000..c065b42
--- /dev/null
+++ b/tests/11-basic-basic_errors.c
@@ -0,0 +1,243 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright IBM Corp. 2012
+ * Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ scmp_filter_ctx ctx;
+ uint32_t attr;
+ unsigned int api;
+ struct seccomp_notif *req = NULL;
+ struct seccomp_notif_resp *resp = NULL;
+
+ /* get the api level */
+ api = seccomp_api_get();
+
+ /* seccomp_init errors */
+ ctx = seccomp_init(SCMP_ACT_ALLOW + 1);
+ if (ctx != NULL)
+ return -1;
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL)
+ return -1;
+ seccomp_release(ctx);
+ ctx = NULL;
+
+ /* ensure that seccomp_reset(NULL, ...) is accepted */
+ rc = seccomp_reset(NULL, SCMP_ACT_ALLOW);
+ if (rc != 0)
+ return -1;
+
+ /* seccomp_load error */
+ rc = seccomp_load(ctx);
+ if (rc != -EINVAL)
+ return -1;
+
+ /* seccomp_syscall_priority errors */
+ rc = seccomp_syscall_priority(ctx, SCMP_SYS(read), 1);
+ if (rc != -EINVAL)
+ return -1;
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL)
+ return -1;
+ else {
+ rc = seccomp_syscall_priority(ctx, -10, 1);
+ if (rc != -EINVAL)
+ return -1;
+ }
+ seccomp_release(ctx);
+ ctx = NULL;
+
+ /* seccomp_rule_add errors */
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1,
+ SCMP_A0(SCMP_CMP_EQ, 0));
+ if (rc != -EINVAL)
+ return -1;
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL)
+ return -1;
+ else {
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
+ if (rc != -EACCES)
+ return -1;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_KILL - 1, SCMP_SYS(read), 0);
+ if (rc != -EINVAL)
+ return -1;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(read), 7);
+ if (rc != -EINVAL)
+ return -1;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(read), 7,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_EQ, 0),
+ SCMP_A2(SCMP_CMP_EQ, 0),
+ SCMP_A3(SCMP_CMP_EQ, 0),
+ SCMP_A4(SCMP_CMP_EQ, 0),
+ SCMP_A5(SCMP_CMP_EQ, 0),
+ SCMP_CMP(6, SCMP_CMP_EQ, 0));
+ if (rc != -EINVAL)
+ return -1;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(read), 1,
+ SCMP_A0(_SCMP_CMP_MIN, 0));
+ if (rc != -EINVAL)
+ return -1;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(read), 1,
+ SCMP_A0(_SCMP_CMP_MAX, 0));
+ if (rc != -EINVAL)
+ return -1;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, -10001, 0);
+ if (rc != -EDOM)
+ return -1;
+ }
+ seccomp_release(ctx);
+ ctx = NULL;
+
+ /* seccomp_rule_add_exact error */
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL)
+ return -1;
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ return -1;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
+ if (rc != 0)
+ return -1;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1,
+ SCMP_A0(SCMP_CMP_EQ, 2));
+ if (rc != -EINVAL)
+ return -1;
+ rc = seccomp_rule_add_exact(ctx, 0xdeadbeef, SCMP_SYS(open), 0);
+ if (rc != -EINVAL)
+ return -1;
+ seccomp_release(ctx);
+ ctx = NULL;
+
+ /* errno values beyond MAX_ERRNO */
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL)
+ return -1;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(0xffff), 0, 0);
+ if (rc != -EINVAL)
+ return -1;
+ seccomp_release(ctx);
+ ctx = NULL;
+
+ /* seccomp_export_pfc errors */
+ rc = seccomp_export_pfc(ctx, STDOUT_FILENO);
+ if (rc != -EINVAL)
+ return -1;
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL)
+ return -1;
+ else {
+ rc = seccomp_export_pfc(ctx, sysconf(_SC_OPEN_MAX) - 1);
+ if (rc != -ECANCELED)
+ return -1;
+ }
+ seccomp_release(ctx);
+ ctx = NULL;
+
+ /* seccomp_export_bpf errors */
+ rc = seccomp_export_bpf(ctx, STDOUT_FILENO);
+ if (rc != -EINVAL)
+ return -1;
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL)
+ return -1;
+ else {
+ rc = seccomp_export_bpf(ctx, sysconf(_SC_OPEN_MAX) - 1);
+ if (rc != -ECANCELED)
+ return -1;
+ }
+ seccomp_release(ctx);
+ ctx = NULL;
+
+ /* seccomp_attr_* errors */
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL)
+ return -1;
+ rc = seccomp_attr_get(ctx, 1000, &attr);
+ if (rc != -EINVAL)
+ return -1;
+ rc = seccomp_attr_set(ctx, 1000, 1);
+ if (rc != -EINVAL)
+ return -1;
+ seccomp_release(ctx);
+ ctx = NULL;
+
+ /* seccomp_merge() errors */
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL)
+ return -1;
+ rc = seccomp_merge(ctx, NULL);
+ if (rc == 0)
+ return -1;
+ seccomp_release(ctx);
+ ctx = NULL;
+
+ /* seccomp notify errors */
+ if (api >= 5) {
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL)
+ return -1;
+ rc = seccomp_notify_alloc(NULL, NULL);
+ if (rc != 0)
+ return -1;
+ rc = seccomp_notify_alloc(&req, NULL);
+ if (rc != 0)
+ return -1;
+ rc = seccomp_notify_alloc(NULL, &resp);
+ if (rc != 0)
+ return -1;
+ seccomp_notify_free(NULL, NULL);
+ seccomp_notify_free(req, resp);
+ req = NULL;
+ resp = NULL;
+ rc = seccomp_notify_receive(-1, NULL);
+ if (rc == 0)
+ return -1;
+ rc = seccomp_notify_respond(-1, NULL);
+ if (rc == 0)
+ return -1;
+ rc = seccomp_notify_id_valid(-1, 0);
+ if (rc == 0)
+ return -1;
+ rc = seccomp_notify_fd(NULL);
+ if (rc == 0)
+ return -1;
+ rc = seccomp_notify_fd(ctx);
+ if (rc == 0)
+ return -1;
+ seccomp_release(ctx);
+ ctx = NULL;
+ }
+
+ return 0;
+}
diff --git a/tests/11-basic-basic_errors.py b/tests/11-basic-basic_errors.py
new file mode 100755
index 0000000..a2689ca
--- /dev/null
+++ b/tests/11-basic-basic_errors.py
@@ -0,0 +1,93 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test():
+ # this test differs from the native test for obvious reasons
+ try:
+ f = SyscallFilter(ALLOW + 1)
+ except RuntimeError:
+ pass
+
+ f = SyscallFilter(ALLOW)
+ try:
+ f.reset(KILL + 1)
+ except ValueError:
+ pass
+
+ f = SyscallFilter(ALLOW)
+ try:
+ f.syscall_priority(-10000, 1)
+ except RuntimeError:
+ pass
+
+ f = SyscallFilter(ALLOW)
+ try:
+ f.add_rule(ALLOW, "read")
+ except RuntimeError:
+ pass
+ try:
+ f.add_rule(KILL - 1, "read")
+ except RuntimeError:
+ pass
+ try:
+ f.add_rule(KILL, "read",
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2),
+ Arg(3, EQ, 3),
+ Arg(4, EQ, 4),
+ Arg(5, EQ, 5),
+ Arg(6, EQ, 6),
+ Arg(7, EQ, 7))
+ except RuntimeError:
+ pass
+ try:
+ f.add_rule(KILL, -1001)
+ except RuntimeError:
+ pass
+
+ f = SyscallFilter(ALLOW)
+ f.remove_arch(Arch())
+ f.add_arch(Arch("x86"))
+ try:
+ f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 2))
+ except RuntimeError:
+ pass
+
+ f = SyscallFilter(ALLOW)
+ try:
+ f.add_rule(ERRNO(0xffff), "read")
+ except RuntimeError:
+ pass
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/11-basic-basic_errors.tests b/tests/11-basic-basic_errors.tests
new file mode 100644
index 0000000..3593392
--- /dev/null
+++ b/tests/11-basic-basic_errors.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright IBM Corp. 2012
+# Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+#
+
+test type: basic
+
+# Test command
+11-basic-basic_errors
diff --git a/tests/12-sim-basic_masked_ops.c b/tests/12-sim-basic_masked_ops.c
new file mode 100644
index 0000000..1506715
--- /dev/null
+++ b/tests/12-sim-basic_masked_ops.c
@@ -0,0 +1,88 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ /* the syscall and argument numbers are all fake to make the test
+ * simpler */
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 3,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_EQ, 1),
+ SCMP_A2(SCMP_CMP_EQ, 2));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 3,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_MASKED_EQ, 0x00ff, 1),
+ SCMP_A2(SCMP_CMP_EQ, 2));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 3,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_MASKED_EQ, 0xffff, 11),
+ SCMP_A2(SCMP_CMP_EQ, 2));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 3,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_MASKED_EQ, 0xffff, 111),
+ SCMP_A2(SCMP_CMP_EQ, 2));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 3,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_MASKED_EQ, 0xff00, 1000),
+ SCMP_A2(SCMP_CMP_EQ, 2));
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/12-sim-basic_masked_ops.py b/tests/12-sim-basic_masked_ops.py
new file mode 100755
index 0000000..48cf63a
--- /dev/null
+++ b/tests/12-sim-basic_masked_ops.py
@@ -0,0 +1,61 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ # the syscall and argument numbers are all fake to make the test simpler
+ f.add_rule_exactly(ALLOW, 1000,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2))
+ f.add_rule_exactly(ALLOW, 1000,
+ Arg(0, EQ, 0),
+ Arg(1, MASKED_EQ, 0x00ff, 1),
+ Arg(2, EQ, 2))
+ f.add_rule_exactly(ALLOW, 1000,
+ Arg(0, EQ, 0),
+ Arg(1, MASKED_EQ, 0xffff, 11),
+ Arg(2, EQ, 2))
+ f.add_rule_exactly(ALLOW, 1000,
+ Arg(0, EQ, 0),
+ Arg(1, MASKED_EQ, 0xffff, 111),
+ Arg(2, EQ, 2))
+ f.add_rule_exactly(ALLOW, 1000,
+ Arg(0, EQ, 0),
+ Arg(1, MASKED_EQ, 0xff00, 1000),
+ Arg(2, EQ, 2))
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/12-sim-basic_masked_ops.tests b/tests/12-sim-basic_masked_ops.tests
new file mode 100644
index 0000000..5a722f8
--- /dev/null
+++ b/tests/12-sim-basic_masked_ops.tests
@@ -0,0 +1,48 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright IBM Corp. 2012
+# Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+12-sim-basic_masked_ops all,-x32 1000 0 1 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x01 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x02-0x0A 2 N N N KILL
+12-sim-basic_masked_ops all,-x32 1000 0 0x101 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 11 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x0B 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x0C-0x6E 2 N N N KILL
+12-sim-basic_masked_ops all,-x32 1000 0 0x1000B 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 111 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x6F 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x70-0x100 2 N N N KILL
+12-sim-basic_masked_ops all,-x32 1000 0 0x102-0x200 2 N N N KILL
+12-sim-basic_masked_ops all,-x32 1000 0 0x10002-0x1000A 2 N N N KILL
+12-sim-basic_masked_ops all,-x32 1000 0 0x1000C-0x1006E 2 N N N KILL
+12-sim-basic_masked_ops all,-x32 1000 0 0x1006F 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 1000 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x3E8 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x2FF 2 N N N KILL
+12-sim-basic_masked_ops all,-x32 1000 0 0x300-0x3FF 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x400 2 N N N KILL
+12-sim-basic_masked_ops all,-x32 1000 0 0x402-0x4FF 2 N N N KILL
+12-sim-basic_masked_ops all,-x32 1000 0 0x10300-0x103FF 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x00000000F00003E8 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x00000000800003E8 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x00000001800003E8 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x00000001000003E8 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x0000000F000003E8 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0xFFFFFFFFFFFF03E8 2 N N N ALLOW
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+12-sim-basic_masked_ops 50
+
+test type: bpf-valgrind
+
+# Testname
+12-sim-basic_masked_ops
diff --git a/tests/13-basic-attrs.c b/tests/13-basic-attrs.c
new file mode 100644
index 0000000..e3c5881
--- /dev/null
+++ b/tests/13-basic-attrs.c
@@ -0,0 +1,149 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ uint32_t val = (uint32_t)(-1);
+ scmp_filter_ctx ctx = NULL;
+
+ rc = seccomp_api_set(5);
+ if (rc != 0)
+ return EOPNOTSUPP;
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_attr_get(ctx, SCMP_FLTATR_ACT_DEFAULT, &val);
+ if (rc != 0)
+ goto out;
+ if (val != SCMP_ACT_ALLOW) {
+ rc = -1;
+ goto out;
+ }
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_ACT_DEFAULT, val);
+ if (rc != -EACCES) {
+ rc = -1;
+ goto out;
+ }
+
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_ACT_BADARCH, SCMP_ACT_ALLOW);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_attr_get(ctx, SCMP_FLTATR_ACT_BADARCH, &val);
+ if (rc != 0)
+ goto out;
+ if (val != SCMP_ACT_ALLOW) {
+ rc = -1;
+ goto out;
+ }
+
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_attr_get(ctx, SCMP_FLTATR_CTL_NNP, &val);
+ if (rc != 0)
+ goto out;
+ if (val != 0) {
+ rc = -1;
+ goto out;
+ }
+
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
+ if (rc != 0 && rc != -EOPNOTSUPP)
+ goto out;
+ rc = seccomp_attr_get(ctx, SCMP_FLTATR_CTL_TSYNC, &val);
+ if (rc != 0)
+ goto out;
+ if (val != 1) {
+ rc = -1;
+ goto out;
+ }
+
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_API_TSKIP, 1);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_attr_get(ctx, SCMP_FLTATR_API_TSKIP, &val);
+ if (rc != 0)
+ goto out;
+ if (val != 1) {
+ rc = -1;
+ goto out;
+ }
+
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_LOG, 1);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_attr_get(ctx, SCMP_FLTATR_CTL_LOG, &val);
+ if (rc != 0)
+ goto out;
+ if (val != 1) {
+ rc = -1;
+ goto out;
+ }
+
+
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_SSB, 1);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_attr_get(ctx, SCMP_FLTATR_CTL_SSB, &val);
+ if (rc != 0)
+ goto out;
+ if (val != 1) {
+ rc = -1;
+ goto out;
+ }
+
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_attr_get(ctx, SCMP_FLTATR_CTL_OPTIMIZE, &val);
+ if (rc != 0)
+ goto out;
+ if (val != 2) {
+ rc = -1;
+ goto out;
+ }
+
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_API_SYSRAWRC, 1);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_attr_get(ctx, SCMP_FLTATR_API_SYSRAWRC, &val);
+ if (rc != 0)
+ goto out;
+ if (val != 1) {
+ rc = -1;
+ goto out;
+ }
+
+ rc = 0;
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/13-basic-attrs.py b/tests/13-basic-attrs.py
new file mode 100755
index 0000000..48c25a0
--- /dev/null
+++ b/tests/13-basic-attrs.py
@@ -0,0 +1,68 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test():
+ set_api(5)
+
+ f = SyscallFilter(ALLOW)
+ if f.get_attr(Attr.ACT_DEFAULT) != ALLOW:
+ raise RuntimeError("Failed getting Attr.ACT_DEFAULT")
+ try:
+ f.set_attr(Attr.ACT_DEFAULT, ALLOW)
+ except RuntimeError:
+ pass
+ f.set_attr(Attr.ACT_BADARCH, ALLOW)
+ if f.get_attr(Attr.ACT_BADARCH) != ALLOW:
+ raise RuntimeError("Failed getting Attr.ACT_BADARCH")
+ f.set_attr(Attr.CTL_NNP, 0)
+ if f.get_attr(Attr.CTL_NNP) != 0:
+ raise RuntimeError("Failed getting Attr.CTL_NNP")
+ if f.get_attr(Attr.CTL_TSYNC) != 0:
+ raise RuntimeError("Failed getting Attr.CTL_TSYNC")
+ f.set_attr(Attr.API_TSKIP, 0)
+ if f.get_attr(Attr.API_TSKIP) != 0:
+ raise RuntimeError("Failed getting Attr.API_TSKIP")
+ f.set_attr(Attr.CTL_LOG, 1)
+ if f.get_attr(Attr.CTL_LOG) != 1:
+ raise RuntimeError("Failed getting Attr.CTL_LOG")
+ f.set_attr(Attr.CTL_SSB, 1)
+ if f.get_attr(Attr.CTL_SSB) != 1:
+ raise RuntimeError("Failed getting Attr.CTL_SSB")
+ f.set_attr(Attr.CTL_OPTIMIZE, 2)
+ if f.get_attr(Attr.CTL_OPTIMIZE) != 2:
+ raise RuntimeError("Failed getting Attr.CTL_OPTIMIZE")
+ f.set_attr(Attr.API_SYSRAWRC, 1)
+ if f.get_attr(Attr.API_SYSRAWRC) != 1:
+ raise RuntimeError("Failed getting Attr.API_SYSRAWRC")
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/13-basic-attrs.tests b/tests/13-basic-attrs.tests
new file mode 100644
index 0000000..2288787
--- /dev/null
+++ b/tests/13-basic-attrs.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright IBM Corp. 2012
+# Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+#
+
+test type: basic
+
+# Test command
+13-basic-attrs
diff --git a/tests/14-sim-reset.c b/tests/14-sim-reset.c
new file mode 100644
index 0000000..3dd3181
--- /dev/null
+++ b/tests/14-sim-reset.c
@@ -0,0 +1,62 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_reset(ctx, SCMP_ACT_KILL);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/14-sim-reset.py b/tests/14-sim-reset.py
new file mode 100755
index 0000000..66463c8
--- /dev/null
+++ b/tests/14-sim-reset.py
@@ -0,0 +1,43 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.add_rule(ALLOW, "read")
+ f.reset()
+ f.add_rule(ALLOW, "write")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/14-sim-reset.tests b/tests/14-sim-reset.tests
new file mode 100644
index 0000000..584fbb0
--- /dev/null
+++ b/tests/14-sim-reset.tests
@@ -0,0 +1,29 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+14-sim-reset all read 0 0x856B008 40 N N N KILL
+14-sim-reset all write 1 0x856B008 40 N N N ALLOW
+14-sim-reset all close 4 N N N N N KILL
+14-sim-reset all rt_sigreturn N N N N N N KILL
+14-sim-reset all open 0x856B008 4 N N N N KILL
+14-sim-reset x86 0-3 N N N N N N KILL
+14-sim-reset x86 5-360 N N N N N N KILL
+14-sim-reset x86_64 0 N N N N N N KILL
+14-sim-reset x86_64 2-360 N N N N N N KILL
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+14-sim-reset 50
+
+test type: bpf-valgrind
+
+# Testname
+14-sim-reset
diff --git a/tests/15-basic-resolver.c b/tests/15-basic-resolver.c
new file mode 100644
index 0000000..6db69e8
--- /dev/null
+++ b/tests/15-basic-resolver.c
@@ -0,0 +1,170 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include <seccomp.h>
+
+unsigned int arch_list[] = {
+ SCMP_ARCH_NATIVE,
+ SCMP_ARCH_X86,
+ SCMP_ARCH_X86_64,
+ SCMP_ARCH_X32,
+ SCMP_ARCH_ARM,
+ SCMP_ARCH_AARCH64,
+ SCMP_ARCH_MIPS,
+ SCMP_ARCH_MIPS64,
+ SCMP_ARCH_MIPS64N32,
+ SCMP_ARCH_MIPSEL,
+ SCMP_ARCH_MIPSEL64,
+ SCMP_ARCH_MIPSEL64N32,
+ SCMP_ARCH_PPC,
+ SCMP_ARCH_PPC64,
+ SCMP_ARCH_PPC64LE,
+ SCMP_ARCH_S390,
+ SCMP_ARCH_S390X,
+ SCMP_ARCH_PARISC,
+ SCMP_ARCH_PARISC64,
+ SCMP_ARCH_RISCV64,
+ -1
+};
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ int iter = 0;
+ unsigned int arch;
+ char *name = NULL;
+
+ if (seccomp_syscall_resolve_name("open") != __SNR_open)
+ goto fail;
+ if (seccomp_syscall_resolve_name("read") != __SNR_read)
+ goto fail;
+ if (seccomp_syscall_resolve_name("INVALID") != __NR_SCMP_ERROR)
+ goto fail;
+
+ rc = seccomp_syscall_resolve_name_rewrite(SCMP_ARCH_NATIVE, "openat");
+ if (rc != __SNR_openat)
+ goto fail;
+
+ while ((arch = arch_list[iter++]) != -1) {
+ int sys;
+ int nr_open;
+ int nr_read;
+ int nr_socket;
+ int nr_shmctl;
+
+ if (seccomp_syscall_resolve_name_arch(arch,
+ "INVALID") != __NR_SCMP_ERROR)
+ goto fail;
+ name = seccomp_syscall_resolve_num_arch(arch, __NR_SCMP_ERROR);
+ if (name != NULL)
+ goto fail;
+
+ nr_open = seccomp_syscall_resolve_name_arch(arch, "open");
+ if (nr_open == __NR_SCMP_ERROR)
+ goto fail;
+ nr_read = seccomp_syscall_resolve_name_arch(arch, "read");
+ if (nr_read == __NR_SCMP_ERROR)
+ goto fail;
+ nr_socket = seccomp_syscall_resolve_name_rewrite(arch, "socket");
+ if (nr_socket == __NR_SCMP_ERROR)
+ goto fail;
+ nr_shmctl = seccomp_syscall_resolve_name_rewrite(arch, "shmctl");
+ if (nr_shmctl == __NR_SCMP_ERROR)
+ goto fail;
+
+ name = seccomp_syscall_resolve_num_arch(arch, nr_open);
+ if (name == NULL || strcmp(name, "open") != 0)
+ goto fail;
+ free(name);
+ name = NULL;
+
+ name = seccomp_syscall_resolve_num_arch(arch, nr_read);
+ if (name == NULL || strcmp(name, "read") != 0)
+ goto fail;
+ free(name);
+ name = NULL;
+
+ name = seccomp_syscall_resolve_num_arch(arch, nr_socket);
+ if (name == NULL ||
+ (strcmp(name, "socket") != 0 &&
+ strcmp(name, "socketcall") != 0))
+ goto fail;
+ free(name);
+ name = NULL;
+
+ name = seccomp_syscall_resolve_num_arch(arch, nr_shmctl);
+ if (name == NULL ||
+ (strcmp(name, "shmctl") != 0 && strcmp(name, "ipc") != 0))
+ goto fail;
+ free(name);
+ name = NULL;
+
+ /* socket pseudo-syscalls */
+ if (seccomp_syscall_resolve_name_arch(arch, "socketcall") > 0) {
+ for (sys = -101; sys >= -120; sys--) {
+ name = seccomp_syscall_resolve_num_arch(arch,
+ sys);
+ if (name == NULL)
+ goto fail;
+ free(name);
+ name = NULL;
+ }
+ }
+ /* ipc pseudo-syscalls */
+ if (seccomp_syscall_resolve_name_arch(arch, "ipc") > 0) {
+ for (sys = -201; sys >= -204; sys--) {
+ name = seccomp_syscall_resolve_num_arch(arch,
+ sys);
+ if (name == NULL)
+ goto fail;
+ free(name);
+ name = NULL;
+ }
+ for (sys = -211; sys >= -214; sys--) {
+ name = seccomp_syscall_resolve_num_arch(arch,
+ sys);
+ if (name == NULL)
+ goto fail;
+ free(name);
+ name = NULL;
+ }
+ for (sys = -221; sys >= -224; sys--) {
+ name = seccomp_syscall_resolve_num_arch(arch,
+ sys);
+ if (name == NULL)
+ goto fail;
+ free(name);
+ name = NULL;
+ }
+ }
+ }
+
+ return 0;
+
+fail:
+ if (name != NULL)
+ free(name);
+ return 1;
+}
diff --git a/tests/15-basic-resolver.py b/tests/15-basic-resolver.py
new file mode 100755
index 0000000..3ce3389
--- /dev/null
+++ b/tests/15-basic-resolver.py
@@ -0,0 +1,54 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test():
+ f = SyscallFilter(KILL)
+ # this differs from the native test as we don't support the syscall
+ # resolution functions by themselves
+ f.add_rule(ALLOW, "open")
+ f.add_rule(ALLOW, "read")
+ try:
+ f.add_rule(ALLOW, "INVALID")
+ except RuntimeError:
+ pass
+
+ sys_num = resolve_syscall(Arch(), "open")
+ sys_name = resolve_syscall(Arch(), sys_num)
+ if (sys_name != b"open"):
+ raise RuntimeError("Test failure")
+ sys_num = resolve_syscall(Arch(), "read")
+ sys_name = resolve_syscall(Arch(), sys_num)
+ if (sys_name != b"read"):
+ raise RuntimeError("Test failure")
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/15-basic-resolver.tests b/tests/15-basic-resolver.tests
new file mode 100644
index 0000000..c3f239b
--- /dev/null
+++ b/tests/15-basic-resolver.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: basic
+
+# Test command
+15-basic-resolver
diff --git a/tests/16-sim-arch_basic.c b/tests/16-sim-arch_basic.c
new file mode 100644
index 0000000..0b141e1
--- /dev/null
+++ b/tests/16-sim-arch_basic.c
@@ -0,0 +1,169 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ /* NOTE: not strictly necessary since we get the native arch by default
+ * but it serves as a good sanity check for the code and boosts
+ * our code coverage numbers */
+ rc = seccomp_arch_exist(ctx, seccomp_arch_native());
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out;
+
+ /* NOTE: we are using a different approach to test for the native arch
+ * to exercise slightly different code paths */
+ rc = seccomp_arch_exist(ctx, 0);
+ if (rc != -EEXIST)
+ goto out;
+
+ /* NOTE: more sanity/coverage tests (see above) */
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X32);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_ARM);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_AARCH64);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL64);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL64N32);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_RISCV64);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(connect), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shutdown), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+ /* not strictly necessary, but let's exercise the code paths */
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_X86);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_X86_64);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_X32);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_ARM);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_AARCH64);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_MIPSEL);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_MIPSEL64);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_MIPSEL64N32);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_PPC64LE);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_RISCV64);
+ if (rc != 0)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/16-sim-arch_basic.py b/tests/16-sim-arch_basic.py
new file mode 100755
index 0000000..846553f
--- /dev/null
+++ b/tests/16-sim-arch_basic.py
@@ -0,0 +1,62 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ # NOTE: some of these arch functions are not strictly necessary, but are
+ # here for test sanity/coverage
+ f.remove_arch(Arch())
+ f.add_arch(Arch())
+ f.remove_arch(Arch())
+ f.add_arch(Arch("x86"))
+ f.add_arch(Arch("x86_64"))
+ f.add_arch(Arch("x32"))
+ f.add_arch(Arch("arm"))
+ f.add_arch(Arch("aarch64"))
+ f.add_arch(Arch("mipsel"))
+ f.add_arch(Arch("mipsel64"))
+ f.add_arch(Arch("mipsel64n32"))
+ f.add_arch(Arch("ppc64le"))
+ f.add_arch(Arch("riscv64"))
+ f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno()))
+ f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno()))
+ f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno()))
+ f.add_rule(ALLOW, "close")
+ f.add_rule(ALLOW, "socket")
+ f.add_rule(ALLOW, "connect")
+ f.add_rule(ALLOW, "shutdown")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/16-sim-arch_basic.tests b/tests/16-sim-arch_basic.tests
new file mode 100644
index 0000000..f580167
--- /dev/null
+++ b/tests/16-sim-arch_basic.tests
@@ -0,0 +1,27 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+16-sim-arch_basic +all_le read 0 0x856B008 10 N N N ALLOW
+16-sim-arch_basic +all_le read 1-10 0x856B008 10 N N N KILL
+16-sim-arch_basic +all_le write 1-2 0x856B008 10 N N N ALLOW
+16-sim-arch_basic +all_le write 3-10 0x856B008 10 N N N KILL
+16-sim-arch_basic +all_le close N N N N N N ALLOW
+16-sim-arch_basic +all_le open 0x856B008 4 N N N N KILL
+16-sim-arch_basic +x86 socket 1 N N N N N ALLOW
+16-sim-arch_basic +x86 connect 3 N N N N N ALLOW
+16-sim-arch_basic +x86 shutdown 13 N N N N N ALLOW
+16-sim-arch_basic +x86_64 socket 0 1 2 N N N ALLOW
+16-sim-arch_basic +x86_64 connect 0 1 2 N N N ALLOW
+16-sim-arch_basic +x86_64 shutdown 0 1 2 N N N ALLOW
+
+test type: bpf-valgrind
+
+# Testname
+16-sim-arch_basic
diff --git a/tests/17-sim-arch_merge.c b/tests/17-sim-arch_merge.c
new file mode 100644
index 0000000..6716c7e
--- /dev/null
+++ b/tests/17-sim-arch_merge.c
@@ -0,0 +1,111 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx_64 = NULL, ctx_32 = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out_all;
+
+ ctx_32 = seccomp_init(SCMP_ACT_KILL);
+ if (ctx_32 == NULL) {
+ rc = -ENOMEM;
+ goto out_all;
+ }
+ ctx_64 = seccomp_init(SCMP_ACT_KILL);
+ if (ctx_64 == NULL) {
+ rc = -ENOMEM;
+ goto out_all;
+ }
+
+ rc = seccomp_arch_remove(ctx_32, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_remove(ctx_64, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_arch_add(ctx_32, SCMP_ARCH_X86);
+ if (rc != 0)
+ goto out_all;
+ rc = seccomp_arch_add(ctx_64, SCMP_ARCH_X86_64);
+ if (rc != 0)
+ goto out_all;
+
+ rc = seccomp_rule_add(ctx_32, SCMP_ACT_ALLOW, SCMP_SYS(read), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO));
+ if (rc != 0)
+ goto out_all;
+
+ rc = seccomp_rule_add(ctx_32, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO));
+ if (rc != 0)
+ goto out_all;
+
+ rc = seccomp_rule_add(ctx_32, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO));
+ if (rc != 0)
+ goto out_all;
+
+ rc = seccomp_rule_add(ctx_32, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out_all;
+
+ rc = seccomp_rule_add(ctx_64, SCMP_ACT_ALLOW, SCMP_SYS(socket), 0);
+ if (rc != 0)
+ goto out_all;
+
+ rc = seccomp_rule_add(ctx_64, SCMP_ACT_ALLOW, SCMP_SYS(connect), 0);
+ if (rc != 0)
+ goto out_all;
+
+ rc = seccomp_rule_add(ctx_64, SCMP_ACT_ALLOW, SCMP_SYS(shutdown), 0);
+ if (rc != 0)
+ goto out_all;
+
+ rc = seccomp_merge(ctx_64, ctx_32);
+ if (rc != 0)
+ goto out_all;
+
+ /* NOTE: ctx_32 is no longer valid at this point */
+
+ rc = util_filter_output(&opts, ctx_64);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx_64);
+ return (rc < 0 ? -rc : rc);
+out_all:
+ seccomp_release(ctx_32);
+ goto out;
+}
diff --git a/tests/17-sim-arch_merge.py b/tests/17-sim-arch_merge.py
new file mode 100755
index 0000000..24f2f6a
--- /dev/null
+++ b/tests/17-sim-arch_merge.py
@@ -0,0 +1,53 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f32 = SyscallFilter(KILL)
+ f64 = SyscallFilter(KILL)
+ f32.remove_arch(Arch())
+ f64.remove_arch(Arch())
+ f32.add_arch(Arch("x86"))
+ f64.add_arch(Arch("x86_64"))
+ f32.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno()))
+ f32.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno()))
+ f32.add_rule(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno()))
+ f32.add_rule(ALLOW, "close")
+ f64.add_rule(ALLOW, "socket")
+ f64.add_rule(ALLOW, "connect")
+ f64.add_rule(ALLOW, "shutdown")
+ f64.merge(f32)
+ return f64
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/17-sim-arch_merge.tests b/tests/17-sim-arch_merge.tests
new file mode 100644
index 0000000..0f56578
--- /dev/null
+++ b/tests/17-sim-arch_merge.tests
@@ -0,0 +1,24 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+17-sim-arch_merge +x86 read 0 0x856B008 10 N N N ALLOW
+17-sim-arch_merge +x86 read 1-10 0x856B008 10 N N N KILL
+17-sim-arch_merge +x86 write 1-2 0x856B008 10 N N N ALLOW
+17-sim-arch_merge +x86 write 3-10 0x856B008 10 N N N KILL
+17-sim-arch_merge +x86 close N N N N N N ALLOW
+17-sim-arch_merge +x86 open 0x856B008 4 N N N N KILL
+17-sim-arch_merge +x86_64 socket 0 1 2 N N N ALLOW
+17-sim-arch_merge +x86_64 connect 0 1 2 N N N ALLOW
+17-sim-arch_merge +x86_64 shutdown 0 1 2 N N N ALLOW
+
+test type: bpf-valgrind
+
+# Testname
+17-sim-arch_merge
diff --git a/tests/18-sim-basic_allowlist.c b/tests/18-sim-basic_allowlist.c
new file mode 100644
index 0000000..e30274f
--- /dev/null
+++ b/tests/18-sim-basic_allowlist.c
@@ -0,0 +1,74 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx,
+ SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/18-sim-basic_allowlist.py b/tests/18-sim-basic_allowlist.py
new file mode 100755
index 0000000..dbee3ac
--- /dev/null
+++ b/tests/18-sim-basic_allowlist.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.add_rule_exactly(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno()))
+ f.add_rule_exactly(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno()))
+ f.add_rule_exactly(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno()))
+ f.add_rule_exactly(ALLOW, "close")
+ f.add_rule_exactly(ALLOW, "rt_sigreturn")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/18-sim-basic_allowlist.tests b/tests/18-sim-basic_allowlist.tests
new file mode 100644
index 0000000..dba88ce
--- /dev/null
+++ b/tests/18-sim-basic_allowlist.tests
@@ -0,0 +1,32 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+18-sim-basic_allowlist all read 0 0x856B008 10 N N N ALLOW
+18-sim-basic_allowlist all read 1-10 0x856B008 10 N N N KILL
+18-sim-basic_allowlist all write 1-2 0x856B008 10 N N N ALLOW
+18-sim-basic_allowlist all write 3-10 0x856B008 10 N N N KILL
+18-sim-basic_allowlist all close N N N N N N ALLOW
+18-sim-basic_allowlist all rt_sigreturn N N N N N N ALLOW
+18-sim-basic_allowlist all open 0x856B008 4 N N N N KILL
+18-sim-basic_allowlist x86 0-2 N N N N N N KILL
+18-sim-basic_allowlist x86 7-172 N N N N N N KILL
+18-sim-basic_allowlist x86 174-350 N N N N N N KILL
+18-sim-basic_allowlist x86_64 4-14 N N N N N N KILL
+18-sim-basic_allowlist x86_64 16-350 N N N N N N KILL
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+18-sim-basic_allowlist 50
+
+test type: bpf-valgrind
+
+# Testname
+18-sim-basic_allowlist
diff --git a/tests/19-sim-missing_syscalls.c b/tests/19-sim-missing_syscalls.c
new file mode 100644
index 0000000..4461ed6
--- /dev/null
+++ b/tests/19-sim-missing_syscalls.c
@@ -0,0 +1,65 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(tuxcall), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(tuxcall), 0);
+ if (rc != -EDOM)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/19-sim-missing_syscalls.py b/tests/19-sim-missing_syscalls.py
new file mode 100755
index 0000000..aa888da
--- /dev/null
+++ b/tests/19-sim-missing_syscalls.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.remove_arch(Arch())
+ f.add_arch(Arch("x86"))
+ f.add_rule(ALLOW, "tuxcall")
+ try:
+ f.add_rule_exactly(ALLOW, "tuxcall")
+ except RuntimeError:
+ pass
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/19-sim-missing_syscalls.tests b/tests/19-sim-missing_syscalls.tests
new file mode 100644
index 0000000..6725733
--- /dev/null
+++ b/tests/19-sim-missing_syscalls.tests
@@ -0,0 +1,16 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+19-sim-missing_syscalls +x86 0-350 N N N N N N KILL
+
+test type: bpf-valgrind
+
+# Testname
+19-sim-missing_syscalls
diff --git a/tests/20-live-basic_die.c b/tests/20-live-basic_die.c
new file mode 100644
index 0000000..7c556b0
--- /dev/null
+++ b/tests/20-live-basic_die.c
@@ -0,0 +1,70 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ int action;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_action_parse(argv[1]);
+ if (rc == -1)
+ goto out;
+ action = rc;
+
+ if (action == SCMP_ACT_TRAP) {
+ rc = util_trap_install();
+ if (rc != 0)
+ goto out;
+ }
+
+ ctx = seccomp_init(action);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_load(ctx);
+ if (rc != 0)
+ goto out;
+
+ rc = util_file_write("/dev/null");
+ if (rc != 0)
+ goto out;
+
+ rc = 160;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/20-live-basic_die.py b/tests/20-live-basic_die.py
new file mode 100755
index 0000000..26013f6
--- /dev/null
+++ b/tests/20-live-basic_die.py
@@ -0,0 +1,50 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test():
+ action = util.parse_action(sys.argv[1])
+ if action == TRAP:
+ util.install_trap()
+ f = SyscallFilter(action)
+ f.add_rule(ALLOW, "getpid")
+ f.add_rule(ALLOW, "rt_sigreturn")
+ f.add_rule(ALLOW, "sigreturn")
+ f.add_rule(ALLOW, "exit_group")
+ f.load()
+ try:
+ util.write_file("/dev/null")
+ except OSError as ex:
+ quit(ex.errno)
+ quit(160)
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/20-live-basic_die.tests b/tests/20-live-basic_die.tests
new file mode 100644
index 0000000..cade132
--- /dev/null
+++ b/tests/20-live-basic_die.tests
@@ -0,0 +1,13 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: live
+
+# Testname API Result
+20-live-basic_die 1 KILL
+20-live-basic_die 1 TRAP
+20-live-basic_die 1 ERRNO
diff --git a/tests/21-live-basic_allow.c b/tests/21-live-basic_allow.c
new file mode 100644
index 0000000..3c80c17
--- /dev/null
+++ b/tests/21-live-basic_allow.c
@@ -0,0 +1,80 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_action_parse(argv[1]);
+ if (rc != SCMP_ACT_ALLOW) {
+ rc = 1;
+ goto out;
+ }
+
+ rc = util_trap_install();
+ if (rc != 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_TRAP);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_load(ctx);
+ if (rc != 0)
+ goto out;
+
+ rc = util_file_write("/dev/null");
+ if (rc != 0)
+ goto out;
+
+ rc = 160;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/21-live-basic_allow.py b/tests/21-live-basic_allow.py
new file mode 100755
index 0000000..3bf5317
--- /dev/null
+++ b/tests/21-live-basic_allow.py
@@ -0,0 +1,64 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test():
+ action = util.parse_action(sys.argv[1])
+ if not action == ALLOW:
+ quit(1)
+ util.install_trap()
+ f = SyscallFilter(TRAP)
+ # NOTE: additional syscalls required for python
+ f.add_rule(ALLOW, "stat")
+ f.add_rule(ALLOW, "fstat")
+ f.add_rule(ALLOW, "open")
+ f.add_rule(ALLOW, "openat")
+ f.add_rule(ALLOW, "mmap")
+ f.add_rule(ALLOW, "munmap")
+ f.add_rule(ALLOW, "read")
+ f.add_rule(ALLOW, "write")
+ f.add_rule(ALLOW, "close")
+ f.add_rule(ALLOW, "rt_sigaction")
+ f.add_rule(ALLOW, "rt_sigreturn")
+ f.add_rule(ALLOW, "sigreturn")
+ f.add_rule(ALLOW, "sigaltstack")
+ f.add_rule(ALLOW, "brk")
+ f.add_rule(ALLOW, "exit_group")
+ f.load()
+
+ try:
+ util.write_file("/dev/null")
+ except OSError as ex:
+ quit(ex.errno)
+ quit(160)
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/21-live-basic_allow.tests b/tests/21-live-basic_allow.tests
new file mode 100644
index 0000000..73027dc
--- /dev/null
+++ b/tests/21-live-basic_allow.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: live
+
+# Testname API Result
+21-live-basic_allow 1 ALLOW
diff --git a/tests/22-sim-basic_chains_array.c b/tests/22-sim-basic_chains_array.c
new file mode 100644
index 0000000..2127f1e
--- /dev/null
+++ b/tests/22-sim-basic_chains_array.c
@@ -0,0 +1,78 @@
+/**
+ * Seccomp Library test program
+ *
+ * Author: Paul Moore <paul@paul-moore.com>, Vitaly Shukela <vi0oss@gmail.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+ struct scmp_arg_cmp arg_cmp;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ arg_cmp = SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO);
+ rc = seccomp_rule_add_exact_array(ctx, SCMP_ACT_ALLOW,
+ SCMP_SYS(read), 1, &arg_cmp);
+ if (rc != 0)
+ goto out;
+
+ arg_cmp = SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO);
+ rc = seccomp_rule_add_exact_array(ctx, SCMP_ACT_ALLOW,
+ SCMP_SYS(write), 1, &arg_cmp);
+ if (rc != 0)
+ goto out;
+
+ arg_cmp = SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO);
+ rc = seccomp_rule_add_exact_array(ctx, SCMP_ACT_ALLOW,
+ SCMP_SYS(write), 1, &arg_cmp);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact_array(ctx, SCMP_ACT_ALLOW,
+ SCMP_SYS(close), 0, NULL);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact_array(ctx, SCMP_ACT_ALLOW,
+ SCMP_SYS(rt_sigreturn), 0, NULL);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/22-sim-basic_chains_array.py b/tests/22-sim-basic_chains_array.py
new file mode 100755
index 0000000..bde2461
--- /dev/null
+++ b/tests/22-sim-basic_chains_array.py
@@ -0,0 +1,48 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+# NOTE: this is identical to 03-sim-basic_chains.py but is here to satisfy the
+# need for an equivalent Python test for each native C test
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.add_rule_exactly(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno()))
+ f.add_rule_exactly(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno()))
+ f.add_rule_exactly(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno()))
+ f.add_rule_exactly(ALLOW, "close")
+ f.add_rule_exactly(ALLOW, "rt_sigreturn")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/22-sim-basic_chains_array.tests b/tests/22-sim-basic_chains_array.tests
new file mode 100644
index 0000000..b8867b7
--- /dev/null
+++ b/tests/22-sim-basic_chains_array.tests
@@ -0,0 +1,31 @@
+#
+# libseccomp regression test automation data
+#
+# Author: Vitaly Shukela <vi0oss@gmail.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+22-sim-basic_chains_array all read 0 0x856B008 10 N N N ALLOW
+22-sim-basic_chains_array all read 1-10 0x856B008 10 N N N KILL
+22-sim-basic_chains_array all write 1-2 0x856B008 10 N N N ALLOW
+22-sim-basic_chains_array all write 3-10 0x856B008 10 N N N KILL
+22-sim-basic_chains_array all close N N N N N N ALLOW
+22-sim-basic_chains_array all rt_sigreturn N N N N N N ALLOW
+22-sim-basic_chains_array all open 0x856B008 4 N N N N KILL
+22-sim-basic_chains_array x86 0-2 N N N N N N KILL
+22-sim-basic_chains_array x86 7-172 N N N N N N KILL
+22-sim-basic_chains_array x86 174-350 N N N N N N KILL
+22-sim-basic_chains_array x86_64 4-14 N N N N N N KILL
+22-sim-basic_chains_array x86_64 16-350 N N N N N N KILL
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+22-sim-basic_chains_array 50
+
+test type: bpf-valgrind
+
+# Testname
+22-sim-basic_chains_array
diff --git a/tests/23-sim-arch_all_le_basic.c b/tests/23-sim-arch_all_le_basic.c
new file mode 100644
index 0000000..32739e5
--- /dev/null
+++ b/tests/23-sim-arch_all_le_basic.c
@@ -0,0 +1,108 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("x86"));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("x86_64"));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("x32"));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("arm"));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("aarch64"));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("mipsel"));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("mipsel64"));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("mipsel64n32"));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("ppc64le"));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("riscv64"));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/23-sim-arch_all_le_basic.py b/tests/23-sim-arch_all_le_basic.py
new file mode 100755
index 0000000..33eedb1
--- /dev/null
+++ b/tests/23-sim-arch_all_le_basic.py
@@ -0,0 +1,56 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.remove_arch(Arch())
+ f.add_arch(Arch("x86"))
+ f.add_arch(Arch("x86_64"))
+ f.add_arch(Arch("x32"))
+ f.add_arch(Arch("arm"))
+ f.add_arch(Arch("aarch64"))
+ f.add_arch(Arch("mipsel"))
+ f.add_arch(Arch("mipsel64"))
+ f.add_arch(Arch("mipsel64n32"))
+ f.add_arch(Arch("ppc64le"))
+ f.add_arch(Arch("riscv64"))
+ f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno()))
+ f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno()))
+ f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno()))
+ f.add_rule(ALLOW, "close")
+ f.add_rule(ALLOW, "rt_sigreturn")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/23-sim-arch_all_le_basic.tests b/tests/23-sim-arch_all_le_basic.tests
new file mode 100644
index 0000000..5e1142b
--- /dev/null
+++ b/tests/23-sim-arch_all_le_basic.tests
@@ -0,0 +1,23 @@
+#
+# libseccomp regression test automation data
+#
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+23-sim-arch_all_le_basic +all_le read 0 0x856B008 10 N N N ALLOW
+23-sim-arch_all_le_basic +all_le read 1-10 0x856B008 10 N N N KILL
+23-sim-arch_all_le_basic +all_le write 1-2 0x856B008 10 N N N ALLOW
+23-sim-arch_all_le_basic +all_le write 3-10 0x856B008 10 N N N KILL
+23-sim-arch_all_le_basic +all_le close N N N N N N ALLOW
+23-sim-arch_all_le_basic +all_le rt_sigreturn N N N N N N ALLOW
+23-sim-arch_all_le_basic +all_le open 0x856B008 4 N N N N KILL
+
+test type: bpf-valgrind
+
+# Testname
+23-sim-arch_all_le_basic
diff --git a/tests/24-live-arg_allow.c b/tests/24-live-arg_allow.c
new file mode 100644
index 0000000..f6e746f
--- /dev/null
+++ b/tests/24-live-arg_allow.c
@@ -0,0 +1,93 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ int fd;
+ scmp_filter_ctx ctx = NULL;
+ const char buf[] = "testing";
+ ssize_t buf_len = strlen(buf);
+
+ rc = util_action_parse(argv[1]);
+ if (rc != SCMP_ACT_ALLOW) {
+ rc = 1;
+ goto out;
+ }
+
+ rc = util_trap_install();
+ if (rc != 0)
+ goto out;
+
+ fd = open("/dev/null", O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
+ if (fd < 0) {
+ rc = errno;
+ goto out;
+ }
+
+ ctx = seccomp_init(SCMP_ACT_TRAP);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, fd));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_load(ctx);
+ if (rc != 0)
+ goto out;
+
+ if (write(fd, buf, buf_len) < buf_len) {
+ rc = errno;
+ goto out;
+ }
+ if (close(fd) < 0) {
+ rc = errno;
+ goto out;
+ }
+
+ rc = 160;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/24-live-arg_allow.py b/tests/24-live-arg_allow.py
new file mode 100755
index 0000000..42d2389
--- /dev/null
+++ b/tests/24-live-arg_allow.py
@@ -0,0 +1,63 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import os
+import sys
+
+import util
+
+from seccomp import *
+
+def test():
+ action = util.parse_action(sys.argv[1])
+ if not action == ALLOW:
+ quit(1)
+ util.install_trap()
+
+ fd = os.open("/dev/null", os.O_WRONLY|os.O_CREAT)
+
+ f = SyscallFilter(TRAP)
+ # NOTE: additional syscalls required for python
+ f.add_rule(ALLOW, "write", Arg(0, EQ, fd))
+ f.add_rule(ALLOW, "close")
+ f.add_rule(ALLOW, "munmap")
+ f.add_rule(ALLOW, "rt_sigaction")
+ f.add_rule(ALLOW, "rt_sigreturn")
+ f.add_rule(ALLOW, "sigaltstack")
+ f.add_rule(ALLOW, "exit_group")
+ f.add_rule(ALLOW, "brk")
+ f.load()
+
+ try:
+ if not os.write(fd, b"testing") == len("testing"):
+ raise IOError("failed to write the full test string")
+ quit(160)
+ except OSError as ex:
+ quit(ex.errno)
+ os.close(fd)
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/24-live-arg_allow.tests b/tests/24-live-arg_allow.tests
new file mode 100644
index 0000000..5d89be5
--- /dev/null
+++ b/tests/24-live-arg_allow.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: live
+
+# Testname API Result
+24-live-arg_allow 1 ALLOW
diff --git a/tests/25-sim-multilevel_chains_adv.c b/tests/25-sim-multilevel_chains_adv.c
new file mode 100644
index 0000000..870e47f
--- /dev/null
+++ b/tests/25-sim-multilevel_chains_adv.c
@@ -0,0 +1,63 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <stdlib.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 10, 2,
+ SCMP_A0(SCMP_CMP_EQ, 11),
+ SCMP_A1(SCMP_CMP_NE, 12));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 20, 3,
+ SCMP_A0(SCMP_CMP_EQ, 21),
+ SCMP_A1(SCMP_CMP_NE, 22),
+ SCMP_A2(SCMP_CMP_EQ, 23));
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/25-sim-multilevel_chains_adv.py b/tests/25-sim-multilevel_chains_adv.py
new file mode 100755
index 0000000..2657e9a
--- /dev/null
+++ b/tests/25-sim-multilevel_chains_adv.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.add_rule_exactly(ALLOW, 10,
+ Arg(0, EQ, 11),
+ Arg(1, NE, 12))
+ f.add_rule_exactly(ALLOW, 20,
+ Arg(0, EQ, 21),
+ Arg(1, NE, 22),
+ Arg(2, EQ, 23))
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/25-sim-multilevel_chains_adv.tests b/tests/25-sim-multilevel_chains_adv.tests
new file mode 100644
index 0000000..c090a2e
--- /dev/null
+++ b/tests/25-sim-multilevel_chains_adv.tests
@@ -0,0 +1,30 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+25-sim-multilevel_chains_adv all,-x32 0-9 N N N N N N KILL
+25-sim-multilevel_chains_adv all,-x32 10 0x0000000b 0x00000000 N N N N ALLOW
+25-sim-multilevel_chains_adv x86_64 10 0x10000000b 0x00000000 N N N N KILL
+25-sim-multilevel_chains_adv x86_64 10 0x0000000b 0x10000000c N N N N ALLOW
+25-sim-multilevel_chains_adv all,-x32 11-19 N N N N N N KILL
+25-sim-multilevel_chains_adv all,-x32 20 0x00000015 0x00000000 0x00000017 N N N ALLOW
+25-sim-multilevel_chains_adv all,-x32 20 0x00000015 0x00000016 0x00000017 N N N KILL
+25-sim-multilevel_chains_adv x86_64 20 0x100000015 0x00000000 0x00000017 N N N KILL
+25-sim-multilevel_chains_adv x86_64 20 0x00000015 0x00000000 0x100000017 N N N KILL
+25-sim-multilevel_chains_adv all,-x32 21-30 N N N N N N KILL
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+25-sim-multilevel_chains_adv 50
+
+test type: bpf-valgrind
+
+# Testname
+25-sim-multilevel_chains_adv
diff --git a/tests/26-sim-arch_all_be_basic.c b/tests/26-sim-arch_all_be_basic.c
new file mode 100644
index 0000000..d31ce12
--- /dev/null
+++ b/tests/26-sim-arch_all_be_basic.c
@@ -0,0 +1,104 @@
+/**
+ * Seccomp Library test program
+ *
+ * Author: Markos Chandras <markos.chandras@imgtec.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("mips"));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("mips64"));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("mips64n32"));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("parisc"));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("parisc64"));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("ppc"));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("ppc64"));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("s390"));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("s390x"));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/26-sim-arch_all_be_basic.py b/tests/26-sim-arch_all_be_basic.py
new file mode 100755
index 0000000..3a177b4
--- /dev/null
+++ b/tests/26-sim-arch_all_be_basic.py
@@ -0,0 +1,54 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Author: Markos Chandras <markos.chandras@imgtec.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.remove_arch(Arch())
+ f.add_arch(Arch("mips"))
+ f.add_arch(Arch("mips64"))
+ f.add_arch(Arch("mips64n32"))
+ f.add_arch(Arch("parisc"))
+ f.add_arch(Arch("parisc64"))
+ f.add_arch(Arch("ppc"))
+ f.add_arch(Arch("ppc64"))
+ f.add_arch(Arch("s390"))
+ f.add_arch(Arch("s390x"))
+ f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno()))
+ f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno()))
+ f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno()))
+ f.add_rule(ALLOW, "close")
+ f.add_rule(ALLOW, "rt_sigreturn")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/26-sim-arch_all_be_basic.tests b/tests/26-sim-arch_all_be_basic.tests
new file mode 100644
index 0000000..5eac610
--- /dev/null
+++ b/tests/26-sim-arch_all_be_basic.tests
@@ -0,0 +1,23 @@
+#
+# libseccomp regression test automation data
+#
+# Author: Markos Chandras <markos.chandras@imgtec.com>
+#
+# Similar to 23-sim-arch_all_basic but for big-endian architectures
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+26-sim-arch_all_be_basic +all_be read 0 0x856B008 10 N N N ALLOW
+26-sim-arch_all_be_basic +all_be read 1-10 0x856B008 10 N N N KILL
+26-sim-arch_all_be_basic +all_be write 1-2 0x856B008 10 N N N ALLOW
+26-sim-arch_all_be_basic +all_be write 3-10 0x856B008 10 N N N KILL
+26-sim-arch_all_be_basic +all_be close N N N N N N ALLOW
+26-sim-arch_all_be_basic +all_be rt_sigreturn N N N N N N ALLOW
+26-sim-arch_all_be_basic +all_be open 0x856B008 4 N N N N KILL
+
+test type: bpf-valgrind
+
+# Testname
+26-sim-arch_all_be_basic
diff --git a/tests/27-sim-bpf_blk_state.c b/tests/27-sim-bpf_blk_state.c
new file mode 100644
index 0000000..2d9b6f2
--- /dev/null
+++ b/tests/27-sim-bpf_blk_state.c
@@ -0,0 +1,103 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2015 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1,
+ SCMP_A0(SCMP_CMP_EQ, 3));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1,
+ SCMP_A0(SCMP_CMP_EQ, 4));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1,
+ SCMP_A0(SCMP_CMP_EQ, 5));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1,
+ SCMP_A0(SCMP_CMP_EQ, 6));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1,
+ SCMP_A0(SCMP_CMP_EQ, 7));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1,
+ SCMP_A0(SCMP_CMP_EQ, 8));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1,
+ SCMP_A0(SCMP_CMP_EQ, 9));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1,
+ SCMP_A0(SCMP_CMP_EQ, 11));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1,
+ SCMP_A0(SCMP_CMP_EQ, 12));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1,
+ SCMP_A0(SCMP_CMP_EQ, 13));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1,
+ SCMP_A0(SCMP_CMP_EQ, 14));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1,
+ SCMP_A0(SCMP_CMP_EQ, 15));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1,
+ SCMP_A0(SCMP_CMP_GE, 16));
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/27-sim-bpf_blk_state.py b/tests/27-sim-bpf_blk_state.py
new file mode 100755
index 0000000..5967f62
--- /dev/null
+++ b/tests/27-sim-bpf_blk_state.py
@@ -0,0 +1,53 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2015 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(ALLOW)
+ f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 3))
+ f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 4))
+ f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 5))
+ f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 6))
+ f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 7))
+ f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 8))
+ f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 9))
+ f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 11))
+ f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 12))
+ f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 13))
+ f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 14))
+ f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 15))
+ f.add_rule_exactly(KILL, 1000, Arg(0, GE, 16))
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/27-sim-bpf_blk_state.tests b/tests/27-sim-bpf_blk_state.tests
new file mode 100644
index 0000000..cd1da6e
--- /dev/null
+++ b/tests/27-sim-bpf_blk_state.tests
@@ -0,0 +1,24 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2015 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+27-sim-bpf_blk_state all,-x32 1000 0-2 N N N N N ALLOW
+27-sim-bpf_blk_state all,-x32 1000 3-9 N N N N N KILL
+27-sim-bpf_blk_state all,-x32 1000 10 N N N N N ALLOW
+27-sim-bpf_blk_state all,-x32 1000 11-32 N N N N N KILL
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+27-sim-bpf_blk_state 50
+
+test type: bpf-valgrind
+
+# Testname
+27-sim-bpf_blk_state
diff --git a/tests/28-sim-arch_x86.c b/tests/28-sim-arch_x86.c
new file mode 100644
index 0000000..fa6302f
--- /dev/null
+++ b/tests/28-sim-arch_x86.c
@@ -0,0 +1,71 @@
+/**
+ * Seccomp Library test program
+ *
+ * This test triggered a bug in libseccomp erroneously allowing the close()
+ * syscall on x32 instead of 'KILL'ing it, as it should do for unsupported
+ * architectures.
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Authors: Paul Moore <pmoore@redhat.com>
+ * Mathias Krause <minipli@googlemail.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out;
+
+ /* add x86-64 and x86 (in that order!) but explicitly leave out x32 */
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(1), SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/28-sim-arch_x86.py b/tests/28-sim-arch_x86.py
new file mode 100755
index 0000000..f133c95
--- /dev/null
+++ b/tests/28-sim-arch_x86.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2015 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+# Adapted from 29-sim-arch_x86.c by Mathias Krause <minipli@googlemail.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(ALLOW)
+ f.remove_arch(Arch())
+ # add x86-64 and x86 (in that order!) but explicitly leave out x32
+ f.add_arch(Arch("x86_64"))
+ f.add_arch(Arch("x86"))
+ f.add_rule(ERRNO(1), "close")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/28-sim-arch_x86.tests b/tests/28-sim-arch_x86.tests
new file mode 100644
index 0000000..e8a38dc
--- /dev/null
+++ b/tests/28-sim-arch_x86.tests
@@ -0,0 +1,22 @@
+#
+# libseccomp regression test automation data
+#
+# This test triggered a bug in libseccomp erroneously allowing the close()
+# syscall on x32 instead of 'KILL'ing it, as it should do for unsupported
+# architectures.
+#
+# Author: Mathias Krause <minipli@googlemail.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+28-sim-arch_x86 +x86,+x86_64 read N N N N N N ALLOW
+28-sim-arch_x86 +x86,+x86_64 close N N N N N N ERRNO(1)
+28-sim-arch_x86 +arm,+x32 read N N N N N N KILL
+28-sim-arch_x86 +arm,+x32 close N N N N N N KILL
+
+test type: bpf-valgrind
+
+# Testname
+28-sim-arch_x86
diff --git a/tests/29-sim-pseudo_syscall.c b/tests/29-sim-pseudo_syscall.c
new file mode 100644
index 0000000..acf9c19
--- /dev/null
+++ b/tests/29-sim-pseudo_syscall.c
@@ -0,0 +1,71 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2015 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ /* NOTE: we have to be careful here because some ABIs use syscall
+ * offsets which could interfere with our test, x86 is safe */
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc < 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
+ if (rc < 0)
+ goto out;
+
+ /* SCMP_SYS(sysmips) == 4294957190 (unsigned) */
+ rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(sysmips), 0);
+ if (rc < 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(sysmips), 0);
+ if (rc == 0)
+ goto out;
+ /* -10001 == 4294957295 (unsigned) */
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, -11001, 0);
+ if (rc == 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/29-sim-pseudo_syscall.py b/tests/29-sim-pseudo_syscall.py
new file mode 100755
index 0000000..d7ab33b
--- /dev/null
+++ b/tests/29-sim-pseudo_syscall.py
@@ -0,0 +1,51 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2015 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(ALLOW)
+ f.remove_arch(Arch())
+ f.add_arch(Arch("x86"))
+ f.add_rule(KILL, "sysmips")
+ try:
+ f.add_rule_exactly(KILL, "sysmips")
+ except RuntimeError:
+ pass
+ try:
+ f.add_rule_exactly(KILL, -10001)
+ except RuntimeError:
+ pass
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/29-sim-pseudo_syscall.tests b/tests/29-sim-pseudo_syscall.tests
new file mode 100644
index 0000000..45f8dce
--- /dev/null
+++ b/tests/29-sim-pseudo_syscall.tests
@@ -0,0 +1,18 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2015 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+29-sim-pseudo_syscall +x86 0-10 N N N N N N ALLOW
+29-sim-pseudo_syscall +x86 4294957190 N N N N N N ALLOW
+29-sim-pseudo_syscall +x86 4294957295 N N N N N N ALLOW
+
+test type: bpf-valgrind
+
+# Testname
+29-sim-pseudo_syscall
diff --git a/tests/30-sim-socket_syscalls.c b/tests/30-sim-socket_syscalls.c
new file mode 100644
index 0000000..e87d107
--- /dev/null
+++ b/tests/30-sim-socket_syscalls.c
@@ -0,0 +1,150 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2016 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X32);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(bind), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(connect), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(listen), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockname), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpeername), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(send), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recv), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendto), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvfrom), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shutdown), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendmsg), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvmsg), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendmmsg), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvmmsg), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/30-sim-socket_syscalls.py b/tests/30-sim-socket_syscalls.py
new file mode 100755
index 0000000..2e06fa7
--- /dev/null
+++ b/tests/30-sim-socket_syscalls.py
@@ -0,0 +1,67 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2016 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.remove_arch(Arch())
+ f.add_arch(Arch("x86"))
+ f.add_arch(Arch("x86_64"))
+ f.add_arch(Arch("x32"))
+ f.add_arch(Arch("ppc64le"))
+ f.add_arch(Arch("mipsel"))
+ f.add_rule(ALLOW, "socket")
+ f.add_rule(ALLOW, "bind")
+ f.add_rule(ALLOW, "connect")
+ f.add_rule(ALLOW, "listen")
+ f.add_rule(ALLOW, "accept")
+ f.add_rule(ALLOW, "accept4")
+ f.add_rule(ALLOW, "getsockname")
+ f.add_rule(ALLOW, "getpeername")
+ f.add_rule(ALLOW, "socketpair")
+ f.add_rule(ALLOW, "send")
+ f.add_rule(ALLOW, "recv")
+ f.add_rule(ALLOW, "sendto")
+ f.add_rule(ALLOW, "recvfrom")
+ f.add_rule(ALLOW, "shutdown")
+ f.add_rule(ALLOW, "setsockopt")
+ f.add_rule(ALLOW, "getsockopt")
+ f.add_rule(ALLOW, "sendmsg")
+ f.add_rule(ALLOW, "recvmsg")
+ f.add_rule(ALLOW, "accept4")
+ f.add_rule(ALLOW, "sendmmsg")
+ f.add_rule(ALLOW, "recvmmsg")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/30-sim-socket_syscalls.tests b/tests/30-sim-socket_syscalls.tests
new file mode 100644
index 0000000..a34620b
--- /dev/null
+++ b/tests/30-sim-socket_syscalls.tests
@@ -0,0 +1,53 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2016 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+# socket
+30-sim-socket_syscalls +x86,+ppc64le,+mipsel socketcall 1 N N N N N ALLOW
+# connect
+30-sim-socket_syscalls +x86,+ppc64le,+mipsel socketcall 3 N N N N N ALLOW
+# accept
+30-sim-socket_syscalls +x86,+ppc64le,+mipsel socketcall 5 N N N N N ALLOW
+# accept4
+30-sim-socket_syscalls +ppc64le socketcall 18 N N N N N ALLOW
+# shutdown
+30-sim-socket_syscalls +x86,+ppc64le,+mipsel socketcall 13 N N N N N ALLOW
+# socket
+30-sim-socket_syscalls +x86 359 0 1 2 N N N ALLOW
+30-sim-socket_syscalls +ppc64le 326 0 1 2 N N N ALLOW
+30-sim-socket_syscalls +mipsel 4183 0 1 2 N N N ALLOW
+# connect
+30-sim-socket_syscalls +x86 362 0 1 2 N N N ALLOW
+30-sim-socket_syscalls +ppc64le 328 0 1 2 N N N ALLOW
+30-sim-socket_syscalls +mipsel 4170 0 1 2 N N N ALLOW
+# accept
+30-sim-socket_syscalls +ppc64le 330 0 1 2 N N N ALLOW
+30-sim-socket_syscalls +mipsel 4168 0 1 2 N N N ALLOW
+# accept4
+30-sim-socket_syscalls +x86 364 0 1 2 N N N ALLOW
+30-sim-socket_syscalls +ppc64le 344 0 1 2 N N N ALLOW
+30-sim-socket_syscalls +mipsel 4334 0 1 2 N N N ALLOW
+# shutdown
+30-sim-socket_syscalls +x86 373 0 1 2 N N N ALLOW
+30-sim-socket_syscalls +ppc64le 338 0 1 2 N N N ALLOW
+30-sim-socket_syscalls +mipsel 4182 0 1 2 N N N ALLOW
+# direct syscalls
+30-sim-socket_syscalls +x86,+ppc64le,+mipsel accept 5 N N N N N ALLOW
+30-sim-socket_syscalls +x86,+ppc64le,+mipsel accept 0 1 2 N N N KILL
+30-sim-socket_syscalls +x86,+ppc64le,+mipsel accept4 18 1 2 N N N ALLOW
+30-sim-socket_syscalls +x86,+ppc64le,+mipsel accept4 0 1 2 N N N KILL
+30-sim-socket_syscalls +x86_64 socket 0 1 2 N N N ALLOW
+30-sim-socket_syscalls +x86_64 connect 0 1 2 N N N ALLOW
+30-sim-socket_syscalls +x86_64 accept4 0 1 2 N N N ALLOW
+30-sim-socket_syscalls +x86_64 shutdown 0 1 2 N N N ALLOW
+
+test type: bpf-valgrind
+
+# Testname
+30-sim-socket_syscalls
diff --git a/tests/31-basic-version_check.c b/tests/31-basic-version_check.c
new file mode 100644
index 0000000..112f666
--- /dev/null
+++ b/tests/31-basic-version_check.c
@@ -0,0 +1,41 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2016 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+int main(int argc, char *argv[])
+{
+ const struct scmp_version *ver;
+
+ ver = seccomp_version();
+ if (ver == NULL)
+ return -1;
+
+ if (ver->major != SCMP_VER_MAJOR ||
+ ver->minor != SCMP_VER_MINOR ||
+ ver->micro != SCMP_VER_MICRO)
+ return -2;
+
+ return 0;
+}
diff --git a/tests/31-basic-version_check.py b/tests/31-basic-version_check.py
new file mode 100755
index 0000000..e958bf1
--- /dev/null
+++ b/tests/31-basic-version_check.py
@@ -0,0 +1,35 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2016 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+# NOTE: this is a NULL test since we don't support the seccomp_version() API
+# via the libseccomp python bindings
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/31-basic-version_check.tests b/tests/31-basic-version_check.tests
new file mode 100644
index 0000000..feeda66
--- /dev/null
+++ b/tests/31-basic-version_check.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2016 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: basic
+
+# Test command
+31-basic-version_check
diff --git a/tests/32-live-tsync_allow.c b/tests/32-live-tsync_allow.c
new file mode 100644
index 0000000..26f7af2
--- /dev/null
+++ b/tests/32-live-tsync_allow.c
@@ -0,0 +1,84 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_action_parse(argv[1]);
+ if (rc != SCMP_ACT_ALLOW) {
+ rc = 1;
+ goto out;
+ }
+
+ rc = util_trap_install();
+ if (rc != 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_TRAP);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_load(ctx);
+ if (rc != 0)
+ goto out;
+
+ rc = util_file_write("/dev/null");
+ if (rc != 0)
+ goto out;
+
+ rc = 160;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/32-live-tsync_allow.py b/tests/32-live-tsync_allow.py
new file mode 100755
index 0000000..da8d4cb
--- /dev/null
+++ b/tests/32-live-tsync_allow.py
@@ -0,0 +1,64 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test():
+ action = util.parse_action(sys.argv[1])
+ if not action == ALLOW:
+ quit(1)
+ util.install_trap()
+ f = SyscallFilter(TRAP)
+ f.set_attr(Attr.CTL_TSYNC, 1)
+ # NOTE: additional syscalls required for python
+ f.add_rule(ALLOW, "stat")
+ f.add_rule(ALLOW, "fstat")
+ f.add_rule(ALLOW, "open")
+ f.add_rule(ALLOW, "openat")
+ f.add_rule(ALLOW, "mmap")
+ f.add_rule(ALLOW, "munmap")
+ f.add_rule(ALLOW, "read")
+ f.add_rule(ALLOW, "write")
+ f.add_rule(ALLOW, "close")
+ f.add_rule(ALLOW, "rt_sigaction")
+ f.add_rule(ALLOW, "rt_sigreturn")
+ f.add_rule(ALLOW, "sigreturn")
+ f.add_rule(ALLOW, "sigaltstack")
+ f.add_rule(ALLOW, "brk")
+ f.add_rule(ALLOW, "exit_group")
+ f.load()
+ try:
+ util.write_file("/dev/null")
+ except OSError as ex:
+ quit(ex.errno)
+ quit(160)
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/32-live-tsync_allow.tests b/tests/32-live-tsync_allow.tests
new file mode 100644
index 0000000..2e8a3bd
--- /dev/null
+++ b/tests/32-live-tsync_allow.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: live
+
+# Testname API Result
+32-live-tsync_allow 2 ALLOW
diff --git a/tests/33-sim-socket_syscalls_be.c b/tests/33-sim-socket_syscalls_be.c
new file mode 100644
index 0000000..e770771
--- /dev/null
+++ b/tests/33-sim-socket_syscalls_be.c
@@ -0,0 +1,84 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2016 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_S390);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_S390X);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(connect), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shutdown), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/33-sim-socket_syscalls_be.py b/tests/33-sim-socket_syscalls_be.py
new file mode 100755
index 0000000..c3cd628
--- /dev/null
+++ b/tests/33-sim-socket_syscalls_be.py
@@ -0,0 +1,49 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2016 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.remove_arch(Arch())
+ f.add_arch(Arch("s390"))
+ f.add_arch(Arch("s390x"))
+ f.add_arch(Arch("ppc"))
+ f.add_rule(ALLOW, "socket")
+ f.add_rule(ALLOW, "connect")
+ f.add_rule(ALLOW, "accept")
+ f.add_rule(ALLOW, "accept4")
+ f.add_rule(ALLOW, "shutdown")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/33-sim-socket_syscalls_be.tests b/tests/33-sim-socket_syscalls_be.tests
new file mode 100644
index 0000000..11e2552
--- /dev/null
+++ b/tests/33-sim-socket_syscalls_be.tests
@@ -0,0 +1,31 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2016 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 1 N N N N N ALLOW
+33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 3 N N N N N ALLOW
+33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 5 N N N N N ALLOW
+33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 13 N N N N N ALLOW
+33-sim-socket_syscalls_be +s390,+s390x 359 0 1 2 N N N ALLOW
+33-sim-socket_syscalls_be +ppc 326 0 1 2 N N N ALLOW
+33-sim-socket_syscalls_be +s390,+s390x 362 0 1 2 N N N ALLOW
+33-sim-socket_syscalls_be +ppc 328 0 1 2 N N N ALLOW
+33-sim-socket_syscalls_be +s390,+s390x 364 0 1 2 N N N ALLOW
+33-sim-socket_syscalls_be +ppc 344 0 1 2 N N N ALLOW
+33-sim-socket_syscalls_be +s390,+s390x 373 0 1 2 N N N ALLOW
+33-sim-socket_syscalls_be +ppc 338 0 1 2 N N N ALLOW
+33-sim-socket_syscalls_be +s390,+s390x,+ppc accept 5 N N N N N ALLOW
+33-sim-socket_syscalls_be +s390,+s390x,+ppc accept 0 1 2 N N N KILL
+33-sim-socket_syscalls_be +s390,+s390x,+ppc accept4 18 1 2 N N N ALLOW
+33-sim-socket_syscalls_be +s390,+s390x,+ppc accept4 0 1 2 N N N KILL
+
+test type: bpf-valgrind
+
+# Testname
+33-sim-socket_syscalls_be
diff --git a/tests/34-sim-basic_denylist.c b/tests/34-sim-basic_denylist.c
new file mode 100644
index 0000000..e17406f
--- /dev/null
+++ b/tests/34-sim-basic_denylist.c
@@ -0,0 +1,74 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(read), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx,
+ SCMP_ACT_KILL, SCMP_SYS(rt_sigreturn), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/34-sim-basic_denylist.py b/tests/34-sim-basic_denylist.py
new file mode 100755
index 0000000..05a202d
--- /dev/null
+++ b/tests/34-sim-basic_denylist.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(ALLOW)
+ f.add_rule_exactly(KILL, "read", Arg(0, EQ, sys.stdin.fileno()))
+ f.add_rule_exactly(KILL, "write", Arg(0, EQ, sys.stdout.fileno()))
+ f.add_rule_exactly(KILL, "write", Arg(0, EQ, sys.stderr.fileno()))
+ f.add_rule_exactly(KILL, "close")
+ f.add_rule_exactly(KILL, "rt_sigreturn")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/34-sim-basic_denylist.tests b/tests/34-sim-basic_denylist.tests
new file mode 100644
index 0000000..ed2491a
--- /dev/null
+++ b/tests/34-sim-basic_denylist.tests
@@ -0,0 +1,32 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+34-sim-basic_denylist all read 0 0x856B008 10 N N N KILL
+34-sim-basic_denylist all read 1-10 0x856B008 10 N N N ALLOW
+34-sim-basic_denylist all write 1-2 0x856B008 10 N N N KILL
+34-sim-basic_denylist all write 3-10 0x856B008 10 N N N ALLOW
+34-sim-basic_denylist all close N N N N N N KILL
+34-sim-basic_denylist all rt_sigreturn N N N N N N KILL
+34-sim-basic_denylist all open 0x856B008 4 N N N N ALLOW
+34-sim-basic_denylist x86 0-2 N N N N N N ALLOW
+34-sim-basic_denylist x86 7-172 N N N N N N ALLOW
+34-sim-basic_denylist x86 174-350 N N N N N N ALLOW
+34-sim-basic_denylist x86_64 4-14 N N N N N N ALLOW
+34-sim-basic_denylist x86_64 16-350 N N N N N N ALLOW
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+34-sim-basic_denylist 50
+
+test type: bpf-valgrind
+
+# Testname
+34-sim-basic_denylist
diff --git a/tests/35-sim-negative_one.c b/tests/35-sim-negative_one.c
new file mode 100644
index 0000000..0452d9b
--- /dev/null
+++ b/tests/35-sim-negative_one.c
@@ -0,0 +1,73 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_API_TSKIP, 1);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_syscall_priority(ctx, -1, 100);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, -1, 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/35-sim-negative_one.py b/tests/35-sim-negative_one.py
new file mode 100755
index 0000000..d94fda5
--- /dev/null
+++ b/tests/35-sim-negative_one.py
@@ -0,0 +1,46 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.remove_arch(Arch())
+ f.add_arch(Arch("x86"))
+ f.add_arch(Arch("x86_64"))
+ f.set_attr(Attr.API_TSKIP, 1)
+ f.syscall_priority(-1, 100)
+ f.add_rule(ALLOW, -1)
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/35-sim-negative_one.tests b/tests/35-sim-negative_one.tests
new file mode 100644
index 0000000..7d929de
--- /dev/null
+++ b/tests/35-sim-negative_one.tests
@@ -0,0 +1,18 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+35-sim-negative_one +x86 -1 N N N N N N ALLOW
+35-sim-negative_one +x86_64 -1 N N N N N N ALLOW
+35-sim-negative_one +x32 -1 N N N N N N ALLOW
+
+test type: bpf-valgrind
+
+# Testname
+35-sim-negative_one
diff --git a/tests/36-sim-ipc_syscalls.c b/tests/36-sim-ipc_syscalls.c
new file mode 100644
index 0000000..c9b575e
--- /dev/null
+++ b/tests/36-sim-ipc_syscalls.c
@@ -0,0 +1,118 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X32);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(semop), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(semtimedop), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(semget), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(semctl), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(msgsnd), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(msgrcv), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(msgget), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(msgctl), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmat), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmdt), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmget), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmctl), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/36-sim-ipc_syscalls.py b/tests/36-sim-ipc_syscalls.py
new file mode 100755
index 0000000..90a8e9f
--- /dev/null
+++ b/tests/36-sim-ipc_syscalls.py
@@ -0,0 +1,58 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.remove_arch(Arch())
+ f.add_arch(Arch("x86"))
+ f.add_arch(Arch("x86_64"))
+ f.add_arch(Arch("x32"))
+ f.add_arch(Arch("ppc64le"))
+ f.add_arch(Arch("mipsel"))
+ f.add_rule(ALLOW, "semop")
+ f.add_rule(ALLOW, "semtimedop")
+ f.add_rule(ALLOW, "semget")
+ f.add_rule(ALLOW, "semctl")
+ f.add_rule(ALLOW, "msgsnd")
+ f.add_rule(ALLOW, "msgrcv")
+ f.add_rule(ALLOW, "msgget")
+ f.add_rule(ALLOW, "msgctl")
+ f.add_rule(ALLOW, "shmat")
+ f.add_rule(ALLOW, "shmdt")
+ f.add_rule(ALLOW, "shmget")
+ f.add_rule(ALLOW, "shmctl")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/36-sim-ipc_syscalls.tests b/tests/36-sim-ipc_syscalls.tests
new file mode 100644
index 0000000..90e5445
--- /dev/null
+++ b/tests/36-sim-ipc_syscalls.tests
@@ -0,0 +1,39 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 1 N N N N N ALLOW
+36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 2 N N N N N ALLOW
+36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 3 N N N N N ALLOW
+36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 4 N N N N N ALLOW
+36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 11 N N N N N ALLOW
+36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 12 N N N N N ALLOW
+36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 13 N N N N N ALLOW
+36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 14 N N N N N ALLOW
+36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 21 N N N N N ALLOW
+36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 22 N N N N N ALLOW
+36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 23 N N N N N ALLOW
+36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 24 N N N N N ALLOW
+36-sim-ipc_syscalls +x86_64 semop N N N N N N ALLOW
+36-sim-ipc_syscalls +x86_64 semget N N N N N N ALLOW
+36-sim-ipc_syscalls +x86_64 semctl N N N N N N ALLOW
+36-sim-ipc_syscalls +x86_64 semtimedop N N N N N N ALLOW
+36-sim-ipc_syscalls +x86_64 msgsnd N N N N N N ALLOW
+36-sim-ipc_syscalls +x86_64 msgrcv N N N N N N ALLOW
+36-sim-ipc_syscalls +x86_64 msgget N N N N N N ALLOW
+36-sim-ipc_syscalls +x86_64 msgctl N N N N N N ALLOW
+36-sim-ipc_syscalls +x86_64 shmat N N N N N N ALLOW
+36-sim-ipc_syscalls +x86_64 shmdt N N N N N N ALLOW
+36-sim-ipc_syscalls +x86_64 shmget N N N N N N ALLOW
+36-sim-ipc_syscalls +x86_64 shmctl N N N N N N ALLOW
+
+test type: bpf-valgrind
+
+# Testname
+36-sim-ipc_syscalls
diff --git a/tests/37-sim-ipc_syscalls_be.c b/tests/37-sim-ipc_syscalls_be.c
new file mode 100644
index 0000000..d1bd57e
--- /dev/null
+++ b/tests/37-sim-ipc_syscalls_be.c
@@ -0,0 +1,112 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_S390);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_S390X);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(semop), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(semtimedop), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(semget), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(semctl), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(msgsnd), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(msgrcv), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(msgget), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(msgctl), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmat), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmdt), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmget), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmctl), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/37-sim-ipc_syscalls_be.py b/tests/37-sim-ipc_syscalls_be.py
new file mode 100755
index 0000000..18a09d0
--- /dev/null
+++ b/tests/37-sim-ipc_syscalls_be.py
@@ -0,0 +1,56 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.remove_arch(Arch())
+ f.add_arch(Arch("s390"))
+ f.add_arch(Arch("s390x"))
+ f.add_arch(Arch("ppc"))
+ f.add_rule(ALLOW, "semop")
+ f.add_rule(ALLOW, "semtimedop")
+ f.add_rule(ALLOW, "semget")
+ f.add_rule(ALLOW, "semctl")
+ f.add_rule(ALLOW, "msgsnd")
+ f.add_rule(ALLOW, "msgrcv")
+ f.add_rule(ALLOW, "msgget")
+ f.add_rule(ALLOW, "msgctl")
+ f.add_rule(ALLOW, "shmat")
+ f.add_rule(ALLOW, "shmdt")
+ f.add_rule(ALLOW, "shmget")
+ f.add_rule(ALLOW, "shmctl")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/37-sim-ipc_syscalls_be.tests b/tests/37-sim-ipc_syscalls_be.tests
new file mode 100644
index 0000000..96a5c81
--- /dev/null
+++ b/tests/37-sim-ipc_syscalls_be.tests
@@ -0,0 +1,27 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 1 N N N N N ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 2 N N N N N ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 3 N N N N N ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 4 N N N N N ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 11 N N N N N ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 12 N N N N N ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 13 N N N N N ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 14 N N N N N ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 21 N N N N N ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 22 N N N N N ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 23 N N N N N ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 24 N N N N N ALLOW
+
+test type: bpf-valgrind
+
+# Testname
+37-sim-ipc_syscalls_be
diff --git a/tests/38-basic-pfc_coverage.c b/tests/38-basic-pfc_coverage.c
new file mode 100644
index 0000000..c6829ac
--- /dev/null
+++ b/tests/38-basic-pfc_coverage.c
@@ -0,0 +1,131 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ int fd;
+ scmp_filter_ctx ctx = NULL;
+
+ /* stdout */
+ fd = 1;
+
+ rc = seccomp_api_set(3);
+ if (rc != 0)
+ return EOPNOTSUPP;
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL) {
+ rc = ENOMEM;
+ goto out;
+ }
+
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc < 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64);
+ if (rc < 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
+ if (rc < 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X32);
+ if (rc < 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_ARM);
+ if (rc < 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_AARCH64);
+ if (rc < 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL);
+ if (rc < 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL64);
+ if (rc < 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL64N32);
+ if (rc < 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE);
+ if (rc < 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_RISCV64);
+ if (rc < 0)
+ goto out;
+
+ /* NOTE: the syscalls and their arguments have been picked to achieve
+ * the highest possible code coverage, this is not a useful
+ * real world filter configuration */
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(open), 0);
+ if (rc < 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(read), 4,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_GE, 1),
+ SCMP_A2(SCMP_CMP_GT, 2),
+ SCMP_A3(SCMP_CMP_MASKED_EQ, 0x0f, 3));
+ if (rc < 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_TRAP, SCMP_SYS(write), 3,
+ SCMP_A0(SCMP_CMP_NE, 0),
+ SCMP_A1(SCMP_CMP_LE, 1),
+ SCMP_A2(SCMP_CMP_LT, 2));
+ if (rc < 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(1), SCMP_SYS(close), 0);
+ if (rc < 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_TRACE(1), SCMP_SYS(exit), 0);
+ if (rc < 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_KILL_PROCESS, SCMP_SYS(fstat), 0);
+ if (rc < 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_LOG, SCMP_SYS(exit_group), 0);
+ if (rc < 0)
+ goto out;
+
+ /* verify the prioritized, but no-rule, syscall */
+ rc = seccomp_syscall_priority(ctx, SCMP_SYS(poll), 255);
+ if (rc < 0)
+ goto out;
+
+ rc = seccomp_export_pfc(ctx, fd);
+ if (rc < 0)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ close(fd);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/38-basic-pfc_coverage.pfc b/tests/38-basic-pfc_coverage.pfc
new file mode 100644
index 0000000..3109280
--- /dev/null
+++ b/tests/38-basic-pfc_coverage.pfc
@@ -0,0 +1,668 @@
+#
+# pseudo filter code start
+#
+# filter for arch x86_64 (3221225534)
+if ($arch == 3221225534)
+ # filter for syscall "exit_group" (231) [priority: 65535]
+ if ($syscall == 231)
+ action LOG;
+ # filter for syscall "exit" (60) [priority: 65535]
+ if ($syscall == 60)
+ action TRACE(1);
+ # filter for syscall "fstat" (5) [priority: 65535]
+ if ($syscall == 5)
+ action KILL_PROCESS;
+ # filter for syscall "close" (3) [priority: 65535]
+ if ($syscall == 3)
+ action ERRNO(1);
+ # filter for syscall "open" (2) [priority: 65535]
+ if ($syscall == 2)
+ action KILL;
+ # filter for syscall "write" (1) [priority: 65527]
+ if ($syscall == 1)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 0)
+ else
+ if ($a1.hi32 > 0)
+ else
+ if ($a1.hi32 == 0)
+ if ($a1.lo32 > 1)
+ else
+ if ($a2.hi32 > 0)
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 >= 2)
+ else
+ action TRAP;
+ else
+ action TRAP;
+ else
+ if ($a2.hi32 > 0)
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 >= 2)
+ else
+ action TRAP;
+ else
+ action TRAP;
+ else
+ if ($a1.hi32 > 0)
+ else
+ if ($a1.hi32 == 0)
+ if ($a1.lo32 > 1)
+ else
+ if ($a2.hi32 > 0)
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 >= 2)
+ else
+ action TRAP;
+ else
+ action TRAP;
+ else
+ if ($a2.hi32 > 0)
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 >= 2)
+ else
+ action TRAP;
+ else
+ action TRAP;
+ # filter for syscall "read" (0) [priority: 65525]
+ if ($syscall == 0)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 0)
+ if ($a1.hi32 > 0)
+ if ($a2.hi32 > 0)
+ if ($a3.hi32 & 0x00000000 == 0)
+ if ($a3.lo32 & 0x0000000f == 3)
+ action KILL;
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 > 2)
+ if ($a3.hi32 & 0x00000000 == 0)
+ if ($a3.lo32 & 0x0000000f == 3)
+ action KILL;
+ else
+ if ($a1.hi32 == 0)
+ if ($a1.lo32 >= 1)
+ if ($a2.hi32 > 0)
+ if ($a3.hi32 & 0x00000000 == 0)
+ if ($a3.lo32 & 0x0000000f == 3)
+ action KILL;
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 > 2)
+ if ($a3.hi32 & 0x00000000 == 0)
+ if ($a3.lo32 & 0x0000000f == 3)
+ action KILL;
+ # default action
+ action ALLOW;
+# filter for arch x86 (1073741827)
+if ($arch == 1073741827)
+ # filter for syscall "exit_group" (252) [priority: 65535]
+ if ($syscall == 252)
+ action LOG;
+ # filter for syscall "fstat" (108) [priority: 65535]
+ if ($syscall == 108)
+ action KILL_PROCESS;
+ # filter for syscall "close" (6) [priority: 65535]
+ if ($syscall == 6)
+ action ERRNO(1);
+ # filter for syscall "open" (5) [priority: 65535]
+ if ($syscall == 5)
+ action KILL;
+ # filter for syscall "exit" (1) [priority: 65535]
+ if ($syscall == 1)
+ action TRACE(1);
+ # filter for syscall "write" (4) [priority: 65532]
+ if ($syscall == 4)
+ if ($a0 == 0)
+ else
+ if ($a1 > 1)
+ else
+ if ($a2 >= 2)
+ else
+ action TRAP;
+ # filter for syscall "read" (3) [priority: 65531]
+ if ($syscall == 3)
+ if ($a0 == 0)
+ if ($a1 >= 1)
+ if ($a2 > 2)
+ if ($a3 & 0x0000000f == 3)
+ action KILL;
+ # default action
+ action ALLOW;
+# filter for arch x32 (3221225534)
+if ($arch == 3221225534)
+ # filter for syscall "exit_group" (1073742055) [priority: 65535]
+ if ($syscall == 1073742055)
+ action LOG;
+ # filter for syscall "exit" (1073741884) [priority: 65535]
+ if ($syscall == 1073741884)
+ action TRACE(1);
+ # filter for syscall "fstat" (1073741829) [priority: 65535]
+ if ($syscall == 1073741829)
+ action KILL_PROCESS;
+ # filter for syscall "close" (1073741827) [priority: 65535]
+ if ($syscall == 1073741827)
+ action ERRNO(1);
+ # filter for syscall "open" (1073741826) [priority: 65535]
+ if ($syscall == 1073741826)
+ action KILL;
+ # filter for syscall "write" (1073741825) [priority: 65532]
+ if ($syscall == 1073741825)
+ if ($a0 == 0)
+ else
+ if ($a1 > 1)
+ else
+ if ($a2 >= 2)
+ else
+ action TRAP;
+ # filter for syscall "read" (1073741824) [priority: 65531]
+ if ($syscall == 1073741824)
+ if ($a0 == 0)
+ if ($a1 >= 1)
+ if ($a2 > 2)
+ if ($a3 & 0x0000000f == 3)
+ action KILL;
+ # default action
+ action ALLOW;
+# filter for arch arm (1073741864)
+if ($arch == 1073741864)
+ # filter for syscall "exit_group" (248) [priority: 65535]
+ if ($syscall == 248)
+ action LOG;
+ # filter for syscall "fstat" (108) [priority: 65535]
+ if ($syscall == 108)
+ action KILL_PROCESS;
+ # filter for syscall "close" (6) [priority: 65535]
+ if ($syscall == 6)
+ action ERRNO(1);
+ # filter for syscall "open" (5) [priority: 65535]
+ if ($syscall == 5)
+ action KILL;
+ # filter for syscall "exit" (1) [priority: 65535]
+ if ($syscall == 1)
+ action TRACE(1);
+ # filter for syscall "write" (4) [priority: 65532]
+ if ($syscall == 4)
+ if ($a0 == 0)
+ else
+ if ($a1 > 1)
+ else
+ if ($a2 >= 2)
+ else
+ action TRAP;
+ # filter for syscall "read" (3) [priority: 65531]
+ if ($syscall == 3)
+ if ($a0 == 0)
+ if ($a1 >= 1)
+ if ($a2 > 2)
+ if ($a3 & 0x0000000f == 3)
+ action KILL;
+ # default action
+ action ALLOW;
+# filter for arch aarch64 (3221225655)
+if ($arch == 3221225655)
+ # filter for syscall "open" (4294957130) [priority: 65535]
+ if ($syscall == 4294957130)
+ action KILL;
+ # filter for syscall "exit_group" (94) [priority: 65535]
+ if ($syscall == 94)
+ action LOG;
+ # filter for syscall "exit" (93) [priority: 65535]
+ if ($syscall == 93)
+ action TRACE(1);
+ # filter for syscall "fstat" (80) [priority: 65535]
+ if ($syscall == 80)
+ action KILL_PROCESS;
+ # filter for syscall "close" (57) [priority: 65535]
+ if ($syscall == 57)
+ action ERRNO(1);
+ # filter for syscall "write" (64) [priority: 65527]
+ if ($syscall == 64)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 0)
+ else
+ if ($a1.hi32 > 0)
+ else
+ if ($a1.hi32 == 0)
+ if ($a1.lo32 > 1)
+ else
+ if ($a2.hi32 > 0)
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 >= 2)
+ else
+ action TRAP;
+ else
+ action TRAP;
+ else
+ if ($a2.hi32 > 0)
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 >= 2)
+ else
+ action TRAP;
+ else
+ action TRAP;
+ else
+ if ($a1.hi32 > 0)
+ else
+ if ($a1.hi32 == 0)
+ if ($a1.lo32 > 1)
+ else
+ if ($a2.hi32 > 0)
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 >= 2)
+ else
+ action TRAP;
+ else
+ action TRAP;
+ else
+ if ($a2.hi32 > 0)
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 >= 2)
+ else
+ action TRAP;
+ else
+ action TRAP;
+ # filter for syscall "read" (63) [priority: 65525]
+ if ($syscall == 63)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 0)
+ if ($a1.hi32 > 0)
+ if ($a2.hi32 > 0)
+ if ($a3.hi32 & 0x00000000 == 0)
+ if ($a3.lo32 & 0x0000000f == 3)
+ action KILL;
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 > 2)
+ if ($a3.hi32 & 0x00000000 == 0)
+ if ($a3.lo32 & 0x0000000f == 3)
+ action KILL;
+ else
+ if ($a1.hi32 == 0)
+ if ($a1.lo32 >= 1)
+ if ($a2.hi32 > 0)
+ if ($a3.hi32 & 0x00000000 == 0)
+ if ($a3.lo32 & 0x0000000f == 3)
+ action KILL;
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 > 2)
+ if ($a3.hi32 & 0x00000000 == 0)
+ if ($a3.lo32 & 0x0000000f == 3)
+ action KILL;
+ # default action
+ action ALLOW;
+# filter for arch mipsel (1073741832)
+if ($arch == 1073741832)
+ # filter for syscall "exit_group" (4246) [priority: 65535]
+ if ($syscall == 4246)
+ action LOG;
+ # filter for syscall "fstat" (4108) [priority: 65535]
+ if ($syscall == 4108)
+ action KILL_PROCESS;
+ # filter for syscall "close" (4006) [priority: 65535]
+ if ($syscall == 4006)
+ action ERRNO(1);
+ # filter for syscall "open" (4005) [priority: 65535]
+ if ($syscall == 4005)
+ action KILL;
+ # filter for syscall "exit" (4001) [priority: 65535]
+ if ($syscall == 4001)
+ action TRACE(1);
+ # filter for syscall "write" (4004) [priority: 65532]
+ if ($syscall == 4004)
+ if ($a0 == 0)
+ else
+ if ($a1 > 1)
+ else
+ if ($a2 >= 2)
+ else
+ action TRAP;
+ # filter for syscall "read" (4003) [priority: 65531]
+ if ($syscall == 4003)
+ if ($a0 == 0)
+ if ($a1 >= 1)
+ if ($a2 > 2)
+ if ($a3 & 0x0000000f == 3)
+ action KILL;
+ # default action
+ action ALLOW;
+# filter for arch mipsel64 (3221225480)
+if ($arch == 3221225480)
+ # filter for syscall "exit_group" (5205) [priority: 65535]
+ if ($syscall == 5205)
+ action LOG;
+ # filter for syscall "exit" (5058) [priority: 65535]
+ if ($syscall == 5058)
+ action TRACE(1);
+ # filter for syscall "fstat" (5005) [priority: 65535]
+ if ($syscall == 5005)
+ action KILL_PROCESS;
+ # filter for syscall "close" (5003) [priority: 65535]
+ if ($syscall == 5003)
+ action ERRNO(1);
+ # filter for syscall "open" (5002) [priority: 65535]
+ if ($syscall == 5002)
+ action KILL;
+ # filter for syscall "write" (5001) [priority: 65527]
+ if ($syscall == 5001)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 0)
+ else
+ if ($a1.hi32 > 0)
+ else
+ if ($a1.hi32 == 0)
+ if ($a1.lo32 > 1)
+ else
+ if ($a2.hi32 > 0)
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 >= 2)
+ else
+ action TRAP;
+ else
+ action TRAP;
+ else
+ if ($a2.hi32 > 0)
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 >= 2)
+ else
+ action TRAP;
+ else
+ action TRAP;
+ else
+ if ($a1.hi32 > 0)
+ else
+ if ($a1.hi32 == 0)
+ if ($a1.lo32 > 1)
+ else
+ if ($a2.hi32 > 0)
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 >= 2)
+ else
+ action TRAP;
+ else
+ action TRAP;
+ else
+ if ($a2.hi32 > 0)
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 >= 2)
+ else
+ action TRAP;
+ else
+ action TRAP;
+ # filter for syscall "read" (5000) [priority: 65525]
+ if ($syscall == 5000)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 0)
+ if ($a1.hi32 > 0)
+ if ($a2.hi32 > 0)
+ if ($a3.hi32 & 0x00000000 == 0)
+ if ($a3.lo32 & 0x0000000f == 3)
+ action KILL;
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 > 2)
+ if ($a3.hi32 & 0x00000000 == 0)
+ if ($a3.lo32 & 0x0000000f == 3)
+ action KILL;
+ else
+ if ($a1.hi32 == 0)
+ if ($a1.lo32 >= 1)
+ if ($a2.hi32 > 0)
+ if ($a3.hi32 & 0x00000000 == 0)
+ if ($a3.lo32 & 0x0000000f == 3)
+ action KILL;
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 > 2)
+ if ($a3.hi32 & 0x00000000 == 0)
+ if ($a3.lo32 & 0x0000000f == 3)
+ action KILL;
+ # default action
+ action ALLOW;
+# filter for arch mipsel64n32 (3758096392)
+if ($arch == 3758096392)
+ # filter for syscall "exit_group" (6205) [priority: 65535]
+ if ($syscall == 6205)
+ action LOG;
+ # filter for syscall "exit" (6058) [priority: 65535]
+ if ($syscall == 6058)
+ action TRACE(1);
+ # filter for syscall "fstat" (6005) [priority: 65535]
+ if ($syscall == 6005)
+ action KILL_PROCESS;
+ # filter for syscall "close" (6003) [priority: 65535]
+ if ($syscall == 6003)
+ action ERRNO(1);
+ # filter for syscall "open" (6002) [priority: 65535]
+ if ($syscall == 6002)
+ action KILL;
+ # filter for syscall "write" (6001) [priority: 65532]
+ if ($syscall == 6001)
+ if ($a0 == 0)
+ else
+ if ($a1 > 1)
+ else
+ if ($a2 >= 2)
+ else
+ action TRAP;
+ # filter for syscall "read" (6000) [priority: 65531]
+ if ($syscall == 6000)
+ if ($a0 == 0)
+ if ($a1 >= 1)
+ if ($a2 > 2)
+ if ($a3 & 0x0000000f == 3)
+ action KILL;
+ # default action
+ action ALLOW;
+# filter for arch ppc64le (3221225493)
+if ($arch == 3221225493)
+ # filter for syscall "exit_group" (234) [priority: 65535]
+ if ($syscall == 234)
+ action LOG;
+ # filter for syscall "fstat" (108) [priority: 65535]
+ if ($syscall == 108)
+ action KILL_PROCESS;
+ # filter for syscall "close" (6) [priority: 65535]
+ if ($syscall == 6)
+ action ERRNO(1);
+ # filter for syscall "open" (5) [priority: 65535]
+ if ($syscall == 5)
+ action KILL;
+ # filter for syscall "exit" (1) [priority: 65535]
+ if ($syscall == 1)
+ action TRACE(1);
+ # filter for syscall "write" (4) [priority: 65527]
+ if ($syscall == 4)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 0)
+ else
+ if ($a1.hi32 > 0)
+ else
+ if ($a1.hi32 == 0)
+ if ($a1.lo32 > 1)
+ else
+ if ($a2.hi32 > 0)
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 >= 2)
+ else
+ action TRAP;
+ else
+ action TRAP;
+ else
+ if ($a2.hi32 > 0)
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 >= 2)
+ else
+ action TRAP;
+ else
+ action TRAP;
+ else
+ if ($a1.hi32 > 0)
+ else
+ if ($a1.hi32 == 0)
+ if ($a1.lo32 > 1)
+ else
+ if ($a2.hi32 > 0)
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 >= 2)
+ else
+ action TRAP;
+ else
+ action TRAP;
+ else
+ if ($a2.hi32 > 0)
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 >= 2)
+ else
+ action TRAP;
+ else
+ action TRAP;
+ # filter for syscall "read" (3) [priority: 65525]
+ if ($syscall == 3)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 0)
+ if ($a1.hi32 > 0)
+ if ($a2.hi32 > 0)
+ if ($a3.hi32 & 0x00000000 == 0)
+ if ($a3.lo32 & 0x0000000f == 3)
+ action KILL;
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 > 2)
+ if ($a3.hi32 & 0x00000000 == 0)
+ if ($a3.lo32 & 0x0000000f == 3)
+ action KILL;
+ else
+ if ($a1.hi32 == 0)
+ if ($a1.lo32 >= 1)
+ if ($a2.hi32 > 0)
+ if ($a3.hi32 & 0x00000000 == 0)
+ if ($a3.lo32 & 0x0000000f == 3)
+ action KILL;
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 > 2)
+ if ($a3.hi32 & 0x00000000 == 0)
+ if ($a3.lo32 & 0x0000000f == 3)
+ action KILL;
+ # default action
+ action ALLOW;
+# filter for arch riscv64 (3221225715)
+if ($arch == 3221225715)
+ # filter for syscall "open" (4294957130) [priority: 65535]
+ if ($syscall == 4294957130)
+ action KILL;
+ # filter for syscall "exit_group" (94) [priority: 65535]
+ if ($syscall == 94)
+ action LOG;
+ # filter for syscall "exit" (93) [priority: 65535]
+ if ($syscall == 93)
+ action TRACE(1);
+ # filter for syscall "fstat" (80) [priority: 65535]
+ if ($syscall == 80)
+ action KILL_PROCESS;
+ # filter for syscall "close" (57) [priority: 65535]
+ if ($syscall == 57)
+ action ERRNO(1);
+ # filter for syscall "write" (64) [priority: 65527]
+ if ($syscall == 64)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 0)
+ else
+ if ($a1.hi32 > 0)
+ else
+ if ($a1.hi32 == 0)
+ if ($a1.lo32 > 1)
+ else
+ if ($a2.hi32 > 0)
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 >= 2)
+ else
+ action TRAP;
+ else
+ action TRAP;
+ else
+ if ($a2.hi32 > 0)
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 >= 2)
+ else
+ action TRAP;
+ else
+ action TRAP;
+ else
+ if ($a1.hi32 > 0)
+ else
+ if ($a1.hi32 == 0)
+ if ($a1.lo32 > 1)
+ else
+ if ($a2.hi32 > 0)
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 >= 2)
+ else
+ action TRAP;
+ else
+ action TRAP;
+ else
+ if ($a2.hi32 > 0)
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 >= 2)
+ else
+ action TRAP;
+ else
+ action TRAP;
+ # filter for syscall "read" (63) [priority: 65525]
+ if ($syscall == 63)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 0)
+ if ($a1.hi32 > 0)
+ if ($a2.hi32 > 0)
+ if ($a3.hi32 & 0x00000000 == 0)
+ if ($a3.lo32 & 0x0000000f == 3)
+ action KILL;
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 > 2)
+ if ($a3.hi32 & 0x00000000 == 0)
+ if ($a3.lo32 & 0x0000000f == 3)
+ action KILL;
+ else
+ if ($a1.hi32 == 0)
+ if ($a1.lo32 >= 1)
+ if ($a2.hi32 > 0)
+ if ($a3.hi32 & 0x00000000 == 0)
+ if ($a3.lo32 & 0x0000000f == 3)
+ action KILL;
+ else
+ if ($a2.hi32 == 0)
+ if ($a2.lo32 > 2)
+ if ($a3.hi32 & 0x00000000 == 0)
+ if ($a3.lo32 & 0x0000000f == 3)
+ action KILL;
+ # default action
+ action ALLOW;
+# invalid architecture action
+action KILL;
+#
+# pseudo filter code end
+#
diff --git a/tests/38-basic-pfc_coverage.sh b/tests/38-basic-pfc_coverage.sh
new file mode 100755
index 0000000..d22947a
--- /dev/null
+++ b/tests/38-basic-pfc_coverage.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+####
+# functions
+
+#
+# Dependency check
+#
+# Arguments:
+# 1 Dependency to check for
+#
+function check_deps() {
+ [[ -z "$1" ]] && return
+ which "$1" >& /dev/null
+ return $?
+}
+
+#
+# Dependency verification
+#
+# Arguments:
+# 1 Dependency to check for
+#
+function verify_deps() {
+ [[ -z "$1" ]] && return
+ if ! check_deps "$1"; then
+ echo "error: install \"$1\" and include it in your \$PATH"
+ exit 1
+ fi
+}
+
+####
+# functions
+
+verify_deps diff
+
+# compare output to the known good output, fail if different
+./38-basic-pfc_coverage | \
+ diff -q ${srcdir:=.}/38-basic-pfc_coverage.pfc - > /dev/null
diff --git a/tests/38-basic-pfc_coverage.tests b/tests/38-basic-pfc_coverage.tests
new file mode 100644
index 0000000..7514903
--- /dev/null
+++ b/tests/38-basic-pfc_coverage.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: basic
+
+# Test command
+38-basic-pfc_coverage.sh
diff --git a/tests/39-basic-api_level.c b/tests/39-basic-api_level.c
new file mode 100644
index 0000000..6c31be1
--- /dev/null
+++ b/tests/39-basic-api_level.c
@@ -0,0 +1,88 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ unsigned int api;
+
+ api = seccomp_api_get();
+ if (api < 1)
+ return -1;
+
+ rc = seccomp_api_set(1);
+ if (rc != 0)
+ return -2;
+ api = seccomp_api_get();
+ if (api != 1)
+ return -3;
+
+ rc = seccomp_api_set(2);
+ if (rc != 0)
+ return -4;
+ api = seccomp_api_get();
+ if (api != 2)
+ return -5;
+
+ rc = seccomp_api_set(3);
+ if (rc != 0)
+ return -6;
+ api = seccomp_api_get();
+ if (api != 3)
+ return -7;
+
+ rc = seccomp_api_set(4);
+ if (rc != 0)
+ return -8;
+ api = seccomp_api_get();
+ if (api != 4)
+ return -9;
+
+ rc = seccomp_api_set(5);
+ if (rc != 0)
+ return -10;
+ api = seccomp_api_get();
+ if (api != 5)
+ return -11;
+
+ rc = seccomp_api_set(6);
+ if (rc != 0)
+ return -12;
+ api = seccomp_api_get();
+ if (api != 6)
+ return -13;
+
+ /* Attempt to set a high, invalid API level */
+ rc = seccomp_api_set(1024);
+ if (rc != -EINVAL)
+ return -1001;
+ /* Ensure that the previously set API level didn't change */
+ api = seccomp_api_get();
+ if (api != 6)
+ return -1002;
+
+ return 0;
+}
diff --git a/tests/39-basic-api_level.py b/tests/39-basic-api_level.py
new file mode 100755
index 0000000..352568e
--- /dev/null
+++ b/tests/39-basic-api_level.py
@@ -0,0 +1,83 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2016 Red Hat <pmoore@redhat.com>
+# Copyright (c) 2017 Canonical Ltd.
+# Authors: Paul Moore <paul@paul-moore.com>
+# Tyler Hicks <tyhicks@canonical.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test():
+ api = get_api()
+ if (api < 1):
+ raise RuntimeError("Failed getting initial API level")
+
+ set_api(1)
+ api = get_api()
+ if api != 1:
+ raise RuntimeError("Failed getting API level 1")
+
+ set_api(2)
+ api = get_api()
+ if api != 2:
+ raise RuntimeError("Failed getting API level 2")
+
+ set_api(3)
+ api = get_api()
+ if api != 3:
+ raise RuntimeError("Failed getting API level 3")
+
+ set_api(4)
+ api = get_api()
+ if api != 4:
+ raise RuntimeError("Failed getting API level 4")
+
+ set_api(5)
+ api = get_api()
+ if api != 5:
+ raise RuntimeError("Failed getting API level 5")
+
+ set_api(6)
+ api = get_api()
+ if api != 6:
+ raise RuntimeError("Failed getting API level 6")
+
+ # Attempt to set a high, invalid API level
+ try:
+ set_api(1024)
+ except ValueError:
+ pass
+ else:
+ raise RuntimeError("Missing failure when setting invalid API level")
+ # Ensure that the previously set API level didn't change
+ api = get_api()
+ if api != 6:
+ raise RuntimeError("Failed getting old API level after setting an invalid API level")
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/39-basic-api_level.tests b/tests/39-basic-api_level.tests
new file mode 100644
index 0000000..4093f98
--- /dev/null
+++ b/tests/39-basic-api_level.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: basic
+
+# Test command
+39-basic-api_level
diff --git a/tests/40-sim-log.c b/tests/40-sim-log.c
new file mode 100644
index 0000000..cdd2a5e
--- /dev/null
+++ b/tests/40-sim-log.c
@@ -0,0 +1,59 @@
+/**
+ * Seccomp Library test program
+ *
+ * Originally 01-sim-allow.c but updated to use SCMP_ACT_LOG.
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ *
+ * Copyright (c) 2017 Canonical Ltd.
+ * Author: Tyler Hicks <tyhicks@canonical.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ rc = seccomp_api_set(3);
+ if (rc != 0)
+ return EOPNOTSUPP;
+
+ ctx = seccomp_init(SCMP_ACT_LOG);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/40-sim-log.py b/tests/40-sim-log.py
new file mode 100755
index 0000000..63b217e
--- /dev/null
+++ b/tests/40-sim-log.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Originally 01-sim-allow.py but updated to use LOG.
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+# Copyright (c) 2017 Canonical Ltd.
+# Author: Tyler Hicks <tyhicks@canonical.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ set_api(3)
+
+ f = SyscallFilter(LOG)
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/40-sim-log.tests b/tests/40-sim-log.tests
new file mode 100644
index 0000000..5a036e8
--- /dev/null
+++ b/tests/40-sim-log.tests
@@ -0,0 +1,21 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright Canonical Ltd. 2017
+# Author: Tyler Hicks <tyhicks@canonical.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+40-sim-log all,-x32 0-350 N N N N N N LOG
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+40-sim-log 50
+
+test type: bpf-valgrind
+
+# Testname
+40-sim-log
diff --git a/tests/41-sim-syscall_priority_arch.c b/tests/41-sim-syscall_priority_arch.c
new file mode 100644
index 0000000..2f3c88b
--- /dev/null
+++ b/tests/41-sim-syscall_priority_arch.c
@@ -0,0 +1,63 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
+
+ rc = seccomp_syscall_priority(ctx, SCMP_SYS(socket), 128);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/41-sim-syscall_priority_arch.py b/tests/41-sim-syscall_priority_arch.py
new file mode 100755
index 0000000..a865a5e
--- /dev/null
+++ b/tests/41-sim-syscall_priority_arch.py
@@ -0,0 +1,44 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.remove_arch(Arch())
+ f.add_arch(Arch("x86"))
+ f.syscall_priority("socket", 128)
+ f.add_rule_exactly(ALLOW, "socket")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/41-sim-syscall_priority_arch.tests b/tests/41-sim-syscall_priority_arch.tests
new file mode 100644
index 0000000..ad60682
--- /dev/null
+++ b/tests/41-sim-syscall_priority_arch.tests
@@ -0,0 +1,19 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+41-sim-syscall_priority_arch +x86 102 1 N N N N N ALLOW
+41-sim-syscall_priority_arch +x86 102 18 N N N N N KILL
+41-sim-syscall_priority_arch +x86 359 N N N N N N ALLOW
+41-sim-syscall_priority_arch +x86 364 N N N N N N KILL
+
+test type: bpf-valgrind
+
+# Testname
+41-sim-syscall_priority_arch
diff --git a/tests/42-sim-adv_chains.c b/tests/42-sim-adv_chains.c
new file mode 100644
index 0000000..67d0f36
--- /dev/null
+++ b/tests/42-sim-adv_chains.c
@@ -0,0 +1,198 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <limits.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1001, 2,
+ SCMP_A0(SCMP_CMP_EQ, 1),
+ SCMP_A1(SCMP_CMP_EQ, 2));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1001, 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1002, 1,
+ SCMP_A0(SCMP_CMP_EQ, 1));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_TRAP, 1002, 1,
+ SCMP_A0(SCMP_CMP_EQ, 1));
+ if (rc != -EEXIST) {
+ rc = EEXIST;
+ goto out;
+ }
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1003, 1,
+ SCMP_A0(SCMP_CMP_NE, 1));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_TRAP, 1003, 1,
+ SCMP_A0(SCMP_CMP_EQ, 1));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1004, 1,
+ SCMP_A0(SCMP_CMP_EQ, 1));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_TRAP, 1004, 1,
+ SCMP_A0(SCMP_CMP_NE, 1));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1005, 1,
+ SCMP_A0(SCMP_CMP_EQ, 1));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1005, 1,
+ SCMP_A0(SCMP_CMP_NE, 1));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1006, 2,
+ SCMP_A0(SCMP_CMP_EQ, 1),
+ SCMP_A1(SCMP_CMP_EQ, 2));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1006, 1,
+ SCMP_A0(SCMP_CMP_EQ, 1));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1007, 1,
+ SCMP_A0(SCMP_CMP_EQ, 1));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1007, 2,
+ SCMP_A0(SCMP_CMP_EQ, 1),
+ SCMP_A1(SCMP_CMP_EQ, 2));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1008, 2,
+ SCMP_A0(SCMP_CMP_NE, 1),
+ SCMP_A1(SCMP_CMP_NE, 2));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1008, 3,
+ SCMP_A0(SCMP_CMP_NE, 1),
+ SCMP_A1(SCMP_CMP_NE, 2),
+ SCMP_A2(SCMP_CMP_NE, 3));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1009, 2,
+ SCMP_A0(SCMP_CMP_EQ, 1),
+ SCMP_A1(SCMP_CMP_NE, 2));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1009, 1,
+ SCMP_A0(SCMP_CMP_NE, 1));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1010, 2,
+ SCMP_A0(SCMP_CMP_NE, 1),
+ SCMP_A1(SCMP_CMP_EQ, 2));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1010, 1,
+ SCMP_A0(SCMP_CMP_EQ, 1));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1011, 1,
+ SCMP_A0(SCMP_CMP_EQ, 1));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1011, 2,
+ SCMP_A0(SCMP_CMP_NE, 1),
+ SCMP_A2(SCMP_CMP_EQ, 1));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1012, 1,
+ SCMP_A0(SCMP_CMP_MASKED_EQ, 0x0000, 1));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1013, 2,
+ SCMP_A0(SCMP_CMP_NE, 1),
+ SCMP_A1(SCMP_CMP_NE, 2));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1013, 2,
+ SCMP_A0(SCMP_CMP_LT, 1),
+ SCMP_A1(SCMP_CMP_NE, 2));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1014, 2,
+ SCMP_A3(SCMP_CMP_GE, 1),
+ SCMP_A4(SCMP_CMP_GE, 2));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1014, 2,
+ SCMP_A0(SCMP_CMP_NE, 1),
+ SCMP_A1(SCMP_CMP_NE, 2));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1015, 2,
+ SCMP_A0(SCMP_CMP_EQ, 4),
+ SCMP_A1(SCMP_CMP_EQ, 1));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1015, 2,
+ SCMP_A0(SCMP_CMP_EQ, 4),
+ SCMP_A1(SCMP_CMP_NE, 1));
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/42-sim-adv_chains.py b/tests/42-sim-adv_chains.py
new file mode 100755
index 0000000..83e5a18
--- /dev/null
+++ b/tests/42-sim-adv_chains.py
@@ -0,0 +1,128 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+
+ f.add_rule_exactly(ALLOW, 1001,
+ Arg(0, EQ, 1),
+ Arg(1, EQ, 2))
+ f.add_rule_exactly(ALLOW, 1001)
+
+ f.add_rule_exactly(ALLOW, 1002,
+ Arg(0, EQ, 1))
+ f.add_rule_exactly(ALLOW, 1002,
+ Arg(0, EQ, 1))
+
+ f.add_rule_exactly(ALLOW, 1003,
+ Arg(0, NE, 1))
+ f.add_rule_exactly(TRAP, 1003,
+ Arg(0, EQ, 1))
+
+ f.add_rule_exactly(ALLOW, 1004,
+ Arg(0, EQ, 1))
+ f.add_rule_exactly(TRAP, 1004,
+ Arg(0, NE, 1))
+
+ f.add_rule_exactly(ALLOW, 1005,
+ Arg(0, EQ, 1))
+ f.add_rule_exactly(ALLOW, 1005,
+ Arg(0, NE, 1))
+
+ f.add_rule_exactly(ALLOW, 1006,
+ Arg(0, EQ, 1),
+ Arg(1, EQ, 2))
+ f.add_rule_exactly(ALLOW, 1006,
+ Arg(0, EQ, 1))
+
+ f.add_rule_exactly(ALLOW, 1007,
+ Arg(0, EQ, 1))
+ f.add_rule_exactly(ALLOW, 1007,
+ Arg(0, EQ, 1),
+ Arg(1, EQ, 2))
+
+ f.add_rule_exactly(ALLOW, 1008,
+ Arg(0, NE, 1),
+ Arg(1, NE, 2))
+ f.add_rule_exactly(ALLOW, 1008,
+ Arg(0, NE, 1),
+ Arg(1, NE, 2),
+ Arg(2, NE, 3))
+
+ f.add_rule_exactly(ALLOW, 1009,
+ Arg(0, EQ, 1),
+ Arg(1, NE, 2))
+ f.add_rule_exactly(ALLOW, 1009,
+ Arg(0, NE, 1))
+
+ f.add_rule_exactly(ALLOW, 1010,
+ Arg(0, NE, 1),
+ Arg(1, EQ, 2))
+ f.add_rule_exactly(ALLOW, 1010,
+ Arg(0, EQ, 1))
+
+ f.add_rule_exactly(ALLOW, 1011,
+ Arg(0, EQ, 1))
+ f.add_rule_exactly(ALLOW, 1011,
+ Arg(0, NE, 1),
+ Arg(2, EQ, 1))
+
+ f.add_rule_exactly(ALLOW, 1012,
+ Arg(0, MASKED_EQ, 0x0000, 1))
+
+ f.add_rule_exactly(ALLOW, 1013,
+ Arg(0, NE, 1),
+ Arg(2, NE, 2))
+ f.add_rule_exactly(ALLOW, 1013,
+ Arg(0, LT, 1),
+ Arg(2, NE, 2))
+
+ f.add_rule_exactly(ALLOW, 1014,
+ Arg(3, GE, 1),
+ Arg(4, GE, 2))
+ f.add_rule_exactly(ALLOW, 1014,
+ Arg(0, NE, 1),
+ Arg(1, NE, 2))
+
+ f.add_rule_exactly(ALLOW, 1015,
+ Arg(0, EQ, 4),
+ Arg(1, EQ, 1))
+ f.add_rule_exactly(ALLOW, 1015,
+ Arg(0, EQ, 4),
+ Arg(1, NE, 1))
+
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/42-sim-adv_chains.tests b/tests/42-sim-adv_chains.tests
new file mode 100644
index 0000000..600ad09
--- /dev/null
+++ b/tests/42-sim-adv_chains.tests
@@ -0,0 +1,54 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+42-sim-adv_chains all,-x32 1000 N N N N N N KILL
+42-sim-adv_chains all,-x32 1001 N N N N N N ALLOW
+42-sim-adv_chains all,-x32 1002 1 N N N N N ALLOW
+42-sim-adv_chains all,-x32 1003 N N N N N N ALLOW
+42-sim-adv_chains all,-x32 1003 1 N N N N N TRAP
+42-sim-adv_chains all,-x32 1003 2 N N N N N ALLOW
+42-sim-adv_chains all,-x32 1004 N N N N N N TRAP
+42-sim-adv_chains all,-x32 1004 1 N N N N N ALLOW
+42-sim-adv_chains all,-x32 1004 2 N N N N N TRAP
+42-sim-adv_chains all,-x32 1005 N N N N N N ALLOW
+42-sim-adv_chains all,-x32 1005 1 N N N N N ALLOW
+42-sim-adv_chains all,-x32 1005 2 N N N N N ALLOW
+42-sim-adv_chains all,-x32 1006 1 N N N N N ALLOW
+42-sim-adv_chains all,-x32 1007 1 N N N N N ALLOW
+42-sim-adv_chains all,-x32 1008 2 3 N N N N ALLOW
+42-sim-adv_chains all,-x32 1008 2 3 3 N N N ALLOW
+42-sim-adv_chains all,-x32 1008 2 3 4 N N N ALLOW
+42-sim-adv_chains all,-x32 1009 N N N N N N ALLOW
+42-sim-adv_chains all,-x32 1009 2 N N N N N ALLOW
+42-sim-adv_chains all,-x32 1009 1 3 N N N N ALLOW
+42-sim-adv_chains all,-x32 1010 N N N N N N KILL
+42-sim-adv_chains all,-x32 1010 1 N N N N N ALLOW
+42-sim-adv_chains all,-x32 1010 2 2 N N N N ALLOW
+42-sim-adv_chains all,-x32 1011 1 N N N N N ALLOW
+42-sim-adv_chains all,-x32 1011 2 4 1 N N N ALLOW
+42-sim-adv_chains all,-x32 1012 8 N N N N N ALLOW
+42-sim-adv_chains all,-x32 1013 2 3 N N N N ALLOW
+42-sim-adv_chains all,-x32 1013 0 4 N N N N ALLOW
+42-sim-adv_chains all,-x32 1014 0 0 2 3 N N ALLOW
+42-sim-adv_chains all,-x32 1014 2 3 1 2 N N ALLOW
+42-sim-adv_chains all,-x32 1015 1 N N N N N KILL
+42-sim-adv_chains all,-x32 1015 4 N N N N N ALLOW
+42-sim-adv_chains all,-x32 1015 4 1 N N N N ALLOW
+42-sim-adv_chains all,-x32 1015 4 2 N N N N ALLOW
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+42-sim-adv_chains 50
+
+test type: bpf-valgrind
+
+# Testname
+42-sim-adv_chains
diff --git a/tests/43-sim-a2_order.c b/tests/43-sim-a2_order.c
new file mode 100644
index 0000000..89e6d11
--- /dev/null
+++ b/tests/43-sim-a2_order.c
@@ -0,0 +1,132 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+ * Author: Tom Hromatka <tom.hromatka@oracle.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ /* note - a "hole" was intentionally left between 64 and 128.
+ * reads of this size should fall through to the default action -
+ * SCMP_ACT_KILL in this test's case.
+ */
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1,
+ SCMP_A2(SCMP_CMP_LE, 64));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(5), SCMP_SYS(read), 1,
+ SCMP_A2(SCMP_CMP_GT, 128));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(6), SCMP_SYS(read), 1,
+ SCMP_A2(SCMP_CMP_GT, 256));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(7), SCMP_SYS(read), 1,
+ SCMP_A2(SCMP_CMP_GT, 512));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(8), SCMP_SYS(read), 1,
+ SCMP_A2(SCMP_CMP_GT, 1024));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(9), SCMP_SYS(read), 1,
+ SCMP_A2(SCMP_CMP_GT, 2048));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(10), SCMP_SYS(read), 1,
+ SCMP_A2(SCMP_CMP_GT, 4096));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(11), SCMP_SYS(read), 1,
+ SCMP_A2(SCMP_CMP_GT, 8192));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(12), SCMP_SYS(read), 1,
+ SCMP_A2(SCMP_CMP_GT, 16384));
+ if (rc != 0)
+ goto out;
+
+ /* note - a "hole" was intentionally left between 16384 and 32768.
+ * writes of this size should fall through to the default action -
+ * SCMP_ACT_KILL in this test's case.
+ */
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+ SCMP_A2(SCMP_CMP_GE, 32768));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(5), SCMP_SYS(write), 1,
+ SCMP_A2(SCMP_CMP_LT, 128));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(6), SCMP_SYS(write), 1,
+ SCMP_A2(SCMP_CMP_LT, 256));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(7), SCMP_SYS(write), 1,
+ SCMP_A2(SCMP_CMP_LT, 512));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(8), SCMP_SYS(write), 1,
+ SCMP_A2(SCMP_CMP_LT, 1024));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(9), SCMP_SYS(write), 1,
+ SCMP_A2(SCMP_CMP_LT, 2048));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(10), SCMP_SYS(write), 1,
+ SCMP_A2(SCMP_CMP_LT, 4096));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(11), SCMP_SYS(write), 1,
+ SCMP_A2(SCMP_CMP_LT, 8192));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(12), SCMP_SYS(write), 1,
+ SCMP_A2(SCMP_CMP_LT, 16384));
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/43-sim-a2_order.py b/tests/43-sim-a2_order.py
new file mode 100755
index 0000000..7cc5f94
--- /dev/null
+++ b/tests/43-sim-a2_order.py
@@ -0,0 +1,62 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import errno
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ set_api(3)
+
+ f = SyscallFilter(KILL)
+ f.add_rule(ALLOW, "read", Arg(2, LE, 64))
+ f.add_rule(ERRNO(5), "read", Arg(2, GT, 128))
+ f.add_rule(ERRNO(6), "read", Arg(2, GT, 256))
+ f.add_rule(ERRNO(7), "read", Arg(2, GT, 512))
+ f.add_rule(ERRNO(8), "read", Arg(2, GT, 1024))
+ f.add_rule(ERRNO(9), "read", Arg(2, GT, 2048))
+ f.add_rule(ERRNO(10), "read", Arg(2, GT, 4096))
+ f.add_rule(ERRNO(11), "read", Arg(2, GT, 8192))
+ f.add_rule(ERRNO(12), "read", Arg(2, GT, 16384))
+ f.add_rule(ALLOW, "write", Arg(2, GE, 32768))
+ f.add_rule(ERRNO(5), "write", Arg(2, LT, 128))
+ f.add_rule(ERRNO(6), "write", Arg(2, LT, 256))
+ f.add_rule(ERRNO(7), "write", Arg(2, LT, 512))
+ f.add_rule(ERRNO(8), "write", Arg(2, LT, 1024))
+ f.add_rule(ERRNO(9), "write", Arg(2, LT, 2048))
+ f.add_rule(ERRNO(10), "write", Arg(2, LT, 4096))
+ f.add_rule(ERRNO(11), "write", Arg(2, LT, 8192))
+ f.add_rule(ERRNO(12), "write", Arg(2, LT, 16384))
+
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/43-sim-a2_order.tests b/tests/43-sim-a2_order.tests
new file mode 100644
index 0000000..fe4427e
--- /dev/null
+++ b/tests/43-sim-a2_order.tests
@@ -0,0 +1,55 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+43-sim-a2_order all read 4 0x856B008 30 N N N ALLOW
+43-sim-a2_order all read 4 0x856B008 64 N N N ALLOW
+43-sim-a2_order all read 4 0x856B008 65 N N N KILL
+43-sim-a2_order all read 4 0x856B008 128 N N N KILL
+43-sim-a2_order all read 4 0x856B008 129 N N N ERRNO(5)
+43-sim-a2_order all read 4 0x856B008 250 N N N ERRNO(5)
+43-sim-a2_order all read 4 0x856B008 256 N N N ERRNO(5)
+43-sim-a2_order all read 4 0x856B008 257 N N N ERRNO(6)
+43-sim-a2_order all read 4 0x856B008 512 N N N ERRNO(6)
+43-sim-a2_order all read 4 0x856B008 513 N N N ERRNO(7)
+43-sim-a2_order all read 4 0x856B008 1024 N N N ERRNO(7)
+43-sim-a2_order all read 4 0x856B008 1025 N N N ERRNO(8)
+43-sim-a2_order all read 4 0x856B008 2048 N N N ERRNO(8)
+43-sim-a2_order all read 4 0x856B008 2049 N N N ERRNO(9)
+43-sim-a2_order all read 4 0x856B008 4096 N N N ERRNO(9)
+43-sim-a2_order all read 4 0x856B008 4097 N N N ERRNO(10)
+43-sim-a2_order all read 4 0x856B008 8192 N N N ERRNO(10)
+43-sim-a2_order all read 4 0x856B008 8193 N N N ERRNO(11)
+43-sim-a2_order all read 4 0x856B008 16384 N N N ERRNO(11)
+43-sim-a2_order all read 4 0x856B008 16385 N N N ERRNO(12)
+43-sim-a2_order all write 4 0x856B008 65 N N N ERRNO(5)
+43-sim-a2_order all write 4 0x856B008 128 N N N ERRNO(6)
+43-sim-a2_order all write 4 0x856B008 129 N N N ERRNO(6)
+43-sim-a2_order all write 4 0x856B008 250 N N N ERRNO(6)
+43-sim-a2_order all write 4 0x856B008 256 N N N ERRNO(7)
+43-sim-a2_order all write 4 0x856B008 257 N N N ERRNO(7)
+43-sim-a2_order all write 4 0x856B008 512 N N N ERRNO(8)
+43-sim-a2_order all write 4 0x856B008 513 N N N ERRNO(8)
+43-sim-a2_order all write 4 0x856B008 1024 N N N ERRNO(9)
+43-sim-a2_order all write 4 0x856B008 1025 N N N ERRNO(9)
+43-sim-a2_order all write 4 0x856B008 2048 N N N ERRNO(10)
+43-sim-a2_order all write 4 0x856B008 2049 N N N ERRNO(10)
+43-sim-a2_order all write 4 0x856B008 4096 N N N ERRNO(11)
+43-sim-a2_order all write 4 0x856B008 4097 N N N ERRNO(11)
+43-sim-a2_order all write 4 0x856B008 8192 N N N ERRNO(12)
+43-sim-a2_order all write 4 0x856B008 8193 N N N ERRNO(12)
+43-sim-a2_order all write 4 0x856B008 16384 N N N KILL
+43-sim-a2_order all write 4 0x856B008 16385 N N N KILL
+43-sim-a2_order all write 4 0x856B008 32768 N N N ALLOW
+
+# Testname StressCount
+test type: bpf-valgrind
+
+# Testname
+43-sim-a2_order
diff --git a/tests/44-live-a2_order.c b/tests/44-live-a2_order.c
new file mode 100644
index 0000000..4af0b89
--- /dev/null
+++ b/tests/44-live-a2_order.c
@@ -0,0 +1,178 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+ * Author: Tom Hromatka <tom.hromatka@oracle.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+#define DEFAULT_ACTION_ERRNO 100
+#define DEFAULT_ACTION SCMP_ACT_ERRNO(DEFAULT_ACTION_ERRNO)
+
+struct size_and_rc {
+ int size;
+ int expected_rc;
+};
+
+static const struct size_and_rc test_cases[] = {
+ {1, 1},
+ {10, 10},
+ {50, 50},
+ {100, -DEFAULT_ACTION_ERRNO},
+ {200, -5},
+ {256, -5},
+ {257, -6},
+ {400, -6},
+ {800, -7},
+ {1600, -8},
+ {3200, -9},
+ {4095, -9},
+ {4096, -9},
+ {4097, -10},
+ {8000, -10},
+ {8192, -10},
+ {16383, -11},
+ {16384, -11},
+ {16385, -12},
+ {35000, -12},
+};
+
+static int do_read(int sz, int expected_rc)
+{
+ char *buf = NULL;
+ int rc = -1000, zero_fd = -1;
+
+ zero_fd = open("/dev/zero", O_RDONLY);
+ if (zero_fd <= 0)
+ goto error;
+
+ buf = malloc(sz);
+ if (buf == NULL)
+ goto error;
+
+ rc = read(zero_fd, buf, sz);
+ if(rc < 0) {
+ if (expected_rc == -errno)
+ rc = 0;
+ } else {
+ if (rc == expected_rc)
+ rc = 0;
+ }
+
+error:
+ if (zero_fd >= 0)
+ close(zero_fd);
+ if (buf)
+ free(buf);
+ return rc;
+}
+
+int main(int argc, char *argv[])
+{
+ int rc, i;
+ scmp_filter_ctx ctx = NULL;
+
+ ctx = seccomp_init(DEFAULT_ACTION);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1,
+ SCMP_A2(SCMP_CMP_LE, 64));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(5), SCMP_SYS(read), 1,
+ SCMP_A2(SCMP_CMP_GT, 128));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(6), SCMP_SYS(read), 1,
+ SCMP_A2(SCMP_CMP_GT, 256));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(7), SCMP_SYS(read), 1,
+ SCMP_A2(SCMP_CMP_GT, 512));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(8), SCMP_SYS(read), 1,
+ SCMP_A2(SCMP_CMP_GT, 1024));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(9), SCMP_SYS(read), 1,
+ SCMP_A2(SCMP_CMP_GT, 2048));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(10), SCMP_SYS(read), 1,
+ SCMP_A2(SCMP_CMP_GT, 4096));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(11), SCMP_SYS(read), 1,
+ SCMP_A2(SCMP_CMP_GT, 8192));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(12), SCMP_SYS(read), 1,
+ SCMP_A2(SCMP_CMP_GT, 16384));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(stat), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_load(ctx);
+ if (rc != 0)
+ goto out;
+
+ for (i = 0; i < sizeof(test_cases) / sizeof(test_cases[0]); i++) {
+ rc = do_read(test_cases[i].size,
+ test_cases[i].expected_rc);
+ if (rc < 0)
+ goto out;
+ }
+
+ rc = 160;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/44-live-a2_order.py b/tests/44-live-a2_order.py
new file mode 100755
index 0000000..4bd56a1
--- /dev/null
+++ b/tests/44-live-a2_order.py
@@ -0,0 +1,107 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import os
+import sys
+
+import util
+
+from seccomp import *
+
+DEFAULT_ACTION_ERRNO = 100
+DEFAULT_ACTION = ERRNO(DEFAULT_ACTION_ERRNO)
+
+test_cases = [
+ {'sz': 1, 'exp_rc': 1},
+ {'sz': 10, 'exp_rc': 10},
+ {'sz': 50, 'exp_rc': 50},
+ {'sz': 100, 'exp_rc': -DEFAULT_ACTION_ERRNO},
+ {'sz': 200, 'exp_rc': -5},
+ {'sz': 256, 'exp_rc': -5},
+ {'sz': 257, 'exp_rc': -6},
+ {'sz': 400, 'exp_rc': -6},
+ {'sz': 800, 'exp_rc': -7},
+ {'sz': 1600, 'exp_rc': -8},
+ {'sz': 3200, 'exp_rc': -9},
+ {'sz': 4095, 'exp_rc': -9},
+ {'sz': 4096, 'exp_rc': -9},
+ {'sz': 4097, 'exp_rc': -10},
+ {'sz': 8000, 'exp_rc': -10},
+ {'sz': 8192, 'exp_rc': -10},
+ {'sz': 16383, 'exp_rc': -11},
+ {'sz': 16384, 'exp_rc': -11},
+ {'sz': 16385, 'exp_rc': -12},
+ {'sz': 35000, 'exp_rc': -12},
+]
+
+def do_read():
+ fd = os.open("/dev/zero", os.O_RDONLY)
+ for x in test_cases:
+ try:
+ os.read(fd, x['sz'])
+ if x['exp_rc'] < 0:
+ os.close(fd)
+ raise IOError("Erroneously read %d bytes. Expected rc = %d" %
+ (x['sz'], x['exp_rc']))
+ except OSError as ex:
+ if -ex.errno != x['exp_rc']:
+ os.close(fd)
+ raise IOError("Expected errno %d but os.read(%d bytes) caused errno %d" %
+ (-x['exp_rc'], x['sz'], ex.errno))
+ os.close(fd)
+
+def test():
+ f = SyscallFilter(DEFAULT_ACTION)
+ f.add_rule(ALLOW, "read", Arg(2, LE, 64))
+ f.add_rule(ERRNO(5), "read", Arg(2, GT, 128))
+ f.add_rule(ERRNO(6), "read", Arg(2, GT, 256))
+ f.add_rule(ERRNO(7), "read", Arg(2, GT, 512))
+ f.add_rule(ERRNO(8), "read", Arg(2, GT, 1024))
+ f.add_rule(ERRNO(9), "read", Arg(2, GT, 2048))
+ f.add_rule(ERRNO(10), "read", Arg(2, GT, 4096))
+ f.add_rule(ERRNO(11), "read", Arg(2, GT, 8192))
+ f.add_rule(ERRNO(12), "read", Arg(2, GT, 16384))
+ # NOTE: additional syscalls required for python
+ f.add_rule(ALLOW, "close")
+ f.add_rule(ALLOW, "rt_sigaction")
+ f.add_rule(ALLOW, "rt_sigreturn")
+ f.add_rule(ALLOW, "sigaltstack")
+ f.add_rule(ALLOW, "exit_group")
+ f.add_rule(ALLOW, "exit")
+ f.add_rule(ALLOW, "brk")
+ f.add_rule(ALLOW, "open")
+ f.add_rule(ALLOW, "openat")
+ f.add_rule(ALLOW, "stat")
+ f.add_rule(ALLOW, "write")
+ f.load()
+
+ do_read()
+
+ # all reads behaved as expected
+ quit(160)
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/44-live-a2_order.tests b/tests/44-live-a2_order.tests
new file mode 100644
index 0000000..40b8cca
--- /dev/null
+++ b/tests/44-live-a2_order.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+test type: live
+
+# Testname API Result
+44-live-a2_order 1 ALLOW
diff --git a/tests/45-sim-chain_code_coverage.c b/tests/45-sim-chain_code_coverage.c
new file mode 100644
index 0000000..1ae8dab
--- /dev/null
+++ b/tests/45-sim-chain_code_coverage.c
@@ -0,0 +1,108 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+ * Author: Tom Hromatka <tom.hromatka@oracle.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+#include <stdbool.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ /* the syscall and argument numbers are all fake to make the test
+ * simpler */
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1008, 1,
+ SCMP_A0(SCMP_CMP_GE, 1));
+ if (rc != 0)
+ goto out;
+
+ /* db_chain_lt() path #1 - due to "A1" > "A0" */
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1008, 1,
+ SCMP_A1(SCMP_CMP_GE, 2));
+ if (rc != 0)
+ goto out;
+
+ /* db_chain_lt() path #2 - due to "GT" > "GE" */
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1008, 1,
+ SCMP_A0(SCMP_CMP_GT, 3));
+ if (rc != 0)
+ goto out;
+
+ /* db_chain_lt() path #3 - due to the second mask (0xff) being greater
+ * than the first (0xf) */
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1008, 1,
+ SCMP_A2(SCMP_CMP_MASKED_EQ, 0xf, 4));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1008, 1,
+ SCMP_A2(SCMP_CMP_MASKED_EQ, 0xff, 5));
+ if (rc != 0)
+ goto out;
+
+ /* db_chain_lt() path #4 - due to datum (6) > previous datum (5) */
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1008, 1,
+ SCMP_A2(SCMP_CMP_MASKED_EQ, 0xff, 6));
+ if (rc != 0)
+ goto out;
+
+ /* attempt to hit some of the lvl_prv and lvl_nxt code in db.c */
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1008, 5,
+ SCMP_A0(SCMP_CMP_NE, 7),
+ SCMP_A1(SCMP_CMP_LT, 8),
+ SCMP_A2(SCMP_CMP_EQ, 9),
+ SCMP_A3(SCMP_CMP_GE, 10),
+ SCMP_A4(SCMP_CMP_GT, 11),
+ SCMP_A5(SCMP_CMP_MASKED_EQ, 0xffff, 12));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1008, 5,
+ SCMP_A0(SCMP_CMP_NE, 7),
+ SCMP_A1(SCMP_CMP_LT, 8),
+ SCMP_A2(SCMP_CMP_EQ, 9),
+ SCMP_A3(SCMP_CMP_GE, 10),
+ SCMP_A4(SCMP_CMP_GT, 11),
+ SCMP_A5(SCMP_CMP_MASKED_EQ, 0xffff, 13));
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/45-sim-chain_code_coverage.py b/tests/45-sim-chain_code_coverage.py
new file mode 100755
index 0000000..32ea547
--- /dev/null
+++ b/tests/45-sim-chain_code_coverage.py
@@ -0,0 +1,48 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ # the syscall and argument numbers are all fake to make the test simpler
+ f.add_rule_exactly(ALLOW, 1008, Arg(0, GE, 1))
+ f.add_rule_exactly(ALLOW, 1008, Arg(1, GE, 2))
+ f.add_rule_exactly(ALLOW, 1008, Arg(0, GT, 3))
+ f.add_rule_exactly(ALLOW, 1008, Arg(2, MASKED_EQ, 0xf, 4))
+ f.add_rule_exactly(ALLOW, 1008, Arg(2, MASKED_EQ, 0xff, 5))
+ f.add_rule_exactly(ALLOW, 1008, Arg(2, MASKED_EQ, 0xff, 6))
+
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/45-sim-chain_code_coverage.tests b/tests/45-sim-chain_code_coverage.tests
new file mode 100644
index 0000000..c013912
--- /dev/null
+++ b/tests/45-sim-chain_code_coverage.tests
@@ -0,0 +1,16 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+45-sim-chain_code_coverage all,-x32 1008 1 1 1 1 1 1 ALLOW
+45-sim-chain_code_coverage all,-x32 1008 1 2 1 1 1 1 ALLOW
+45-sim-chain_code_coverage all,-x32 1008 4 1 1 1 1 1 ALLOW
+45-sim-chain_code_coverage all,-x32 1008 1 1 0x14 1 1 1 ALLOW
+45-sim-chain_code_coverage all,-x32 1008 4 1 0x15 1 1 1 ALLOW
+45-sim-chain_code_coverage all,-x32 1008 4 1 0x106 1 1 1 ALLOW
diff --git a/tests/46-sim-kill_process.c b/tests/46-sim-kill_process.c
new file mode 100644
index 0000000..961a047
--- /dev/null
+++ b/tests/46-sim-kill_process.c
@@ -0,0 +1,78 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+ * Author: Tom Hromatka <tom.hromatka@oracle.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ rc = seccomp_api_set(3);
+ if (rc != 0)
+ return -rc;
+
+ ctx = seccomp_init(SCMP_ACT_KILL_PROCESS);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(5), SCMP_SYS(write), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_KILL_THREAD, SCMP_SYS(open), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(6), SCMP_SYS(close), 1,
+ SCMP_A0(SCMP_CMP_GT, 100));
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/46-sim-kill_process.py b/tests/46-sim-kill_process.py
new file mode 100755
index 0000000..81b72be
--- /dev/null
+++ b/tests/46-sim-kill_process.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ set_api(3)
+ f = SyscallFilter(KILL_PROCESS)
+ f.remove_arch(Arch())
+ f.add_arch(Arch("x86_64"))
+ f.add_rule_exactly(ALLOW, "read")
+ f.add_rule_exactly(ERRNO(5), "write")
+ f.add_rule_exactly(KILL, "open")
+ f.add_rule_exactly(ERRNO(6), "close", Arg(0, GT, 100))
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/46-sim-kill_process.tests b/tests/46-sim-kill_process.tests
new file mode 100644
index 0000000..f31a378
--- /dev/null
+++ b/tests/46-sim-kill_process.tests
@@ -0,0 +1,16 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+46-sim-kill_process +x86_64 0 N N N N N N ALLOW
+46-sim-kill_process +x86_64 1 N N N N N N ERRNO(5)
+46-sim-kill_process +x86_64 2 N N N N N N KILL
+46-sim-kill_process +x86_64 3 100 N N N N N KILL_PROCESS
+46-sim-kill_process +x86_64 3 101 N N N N N ERRNO(6)
+46-sim-kill_process +x86_64 4 N N N N N N KILL_PROCESS
diff --git a/tests/47-live-kill_process.c b/tests/47-live-kill_process.c
new file mode 100644
index 0000000..47d5833
--- /dev/null
+++ b/tests/47-live-kill_process.c
@@ -0,0 +1,102 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+ * Author: Tom Hromatka <tom.hromatka@oracle.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+
+static const unsigned int allowlist[] = {
+ SCMP_SYS(clone),
+ SCMP_SYS(exit),
+ SCMP_SYS(exit_group),
+ SCMP_SYS(futex),
+ SCMP_SYS(madvise),
+ SCMP_SYS(mmap),
+ SCMP_SYS(mprotect),
+ SCMP_SYS(munmap),
+ SCMP_SYS(nanosleep),
+ SCMP_SYS(set_robust_list),
+};
+
+/**
+ * Child thread created via pthread_create()
+ *
+ * This thread will call a disallowed syscall. It should
+ * cause the entire program to die (and not just this
+ * thread.)
+ */
+void *child_start(void *param)
+{
+ int fd;
+
+ /* make a disallowed syscall */
+ fd = open("/dev/null", O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
+ /* we should never get here. seccomp should kill the entire
+ * process when open() is called. */
+ if (fd >= 0)
+ close(fd);
+
+ return NULL;
+}
+
+int main(int argc, char *argv[])
+{
+ int rc, i;
+ scmp_filter_ctx ctx = NULL;
+ pthread_t child_thread;
+
+ ctx = seccomp_init(SCMP_ACT_KILL_PROCESS);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ for (i = 0; i < sizeof(allowlist) / sizeof(allowlist[0]); i++) {
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, allowlist[i], 0);
+ if (rc != 0)
+ goto out;
+ }
+
+ rc = seccomp_load(ctx);
+ if (rc != 0)
+ goto out;
+
+ rc = pthread_create(&child_thread, NULL, child_start, NULL);
+ if (rc != 0)
+ goto out;
+
+ /* sleep for a bit to ensure that the child thread has time to run */
+ sleep(1);
+
+ /* we should never get here! */
+ rc = -EACCES;
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/47-live-kill_process.py b/tests/47-live-kill_process.py
new file mode 100755
index 0000000..8c62ee7
--- /dev/null
+++ b/tests/47-live-kill_process.py
@@ -0,0 +1,68 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import os
+import sys
+import threading
+import time
+
+import util
+
+from seccomp import *
+
+def child_start(param):
+ param = 1
+
+ try:
+ fd = os.open("/dev/null", os.O_WRONLY)
+ except IOError as ex:
+ param = ex.errno
+ quit(ex.errno)
+
+def test():
+ f = SyscallFilter(KILL_PROCESS)
+ f.add_rule(ALLOW, "clone")
+ f.add_rule(ALLOW, "exit")
+ f.add_rule(ALLOW, "exit_group")
+ f.add_rule(ALLOW, "futex")
+ f.add_rule(ALLOW, "madvise")
+ f.add_rule(ALLOW, "mmap")
+ f.add_rule(ALLOW, "mprotect")
+ f.add_rule(ALLOW, "munmap")
+ f.add_rule(ALLOW, "nanosleep")
+ f.add_rule(ALLOW, "set_robust_list")
+ f.load()
+
+ param = 0
+ threading.Thread(target = child_start, args = (param, ))
+ thread.start()
+
+ time.sleep(1)
+
+ quit(-errno.EACCES)
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/47-live-kill_process.tests b/tests/47-live-kill_process.tests
new file mode 100644
index 0000000..4f58ed4
--- /dev/null
+++ b/tests/47-live-kill_process.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+test type: live
+
+# Testname API Result
+47-live-kill_process 3 KILL_PROCESS
diff --git a/tests/48-sim-32b_args.c b/tests/48-sim-32b_args.c
new file mode 100644
index 0000000..2d10519
--- /dev/null
+++ b/tests/48-sim-32b_args.c
@@ -0,0 +1,84 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ * Additions: Michael Weiser <michael.weiser@gmx.de>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+#include <inttypes.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+ struct args {
+ uint32_t action;
+ int syscall;
+ struct scmp_arg_cmp cmp;
+ } *a, f[] = {
+ {SCMP_ACT_ALLOW, 2000, SCMP_A0(SCMP_CMP_EQ, -1)},
+ {SCMP_ACT_ALLOW, 2064, SCMP_A0_64(SCMP_CMP_EQ, -1)},
+ {SCMP_ACT_ALLOW, 2032, SCMP_A0_32(SCMP_CMP_EQ, -1)},
+ {0},
+ };
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 1,
+ SCMP_A0(SCMP_CMP_EQ, -1));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1064, 1,
+ SCMP_A0_64(SCMP_CMP_EQ, -1));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1032, 1,
+ SCMP_A0_32(SCMP_CMP_EQ, -1));
+ if (rc != 0)
+ goto out;
+
+ for (a = f; a->syscall != 0; a++) {
+ rc = seccomp_rule_add_exact(ctx, a->action, a->syscall, 1,
+ a->cmp);
+ if (rc != 0)
+ goto out;
+ }
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/48-sim-32b_args.py b/tests/48-sim-32b_args.py
new file mode 100755
index 0000000..486c488
--- /dev/null
+++ b/tests/48-sim-32b_args.py
@@ -0,0 +1,50 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ # NOTE: this test is different from the native/c test as the bindings don't
+ # allow negative numbers (which is a good thing here)
+ f.add_rule_exactly(ALLOW, 1000, Arg(0, EQ, 0xffffffffffffffff))
+ f.add_rule_exactly(ALLOW, 1064, Arg(0, EQ, 0xffffffffffffffff))
+ f.add_rule_exactly(ALLOW, 1032, Arg(0, EQ, 0xffffffff))
+ # here we do not have static initializers to test but need to keep
+ # behaviour in sync with the native test
+ f.add_rule_exactly(ALLOW, 2000, Arg(0, EQ, 0xffffffffffffffff))
+ f.add_rule_exactly(ALLOW, 2064, Arg(0, EQ, 0xffffffffffffffff))
+ f.add_rule_exactly(ALLOW, 2032, Arg(0, EQ, 0xffffffff))
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/48-sim-32b_args.tests b/tests/48-sim-32b_args.tests
new file mode 100644
index 0000000..4254742
--- /dev/null
+++ b/tests/48-sim-32b_args.tests
@@ -0,0 +1,38 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+48-sim-32b_args all_64 1000 0x0 N N N N N KILL
+48-sim-32b_args all_64 1000 0xffffffff N N N N N KILL
+48-sim-32b_args all_64 1000 0xffffffffffffffff N N N N N ALLOW
+48-sim-32b_args all_64 1032 0x0 N N N N N KILL
+48-sim-32b_args all_64 1032 0xffffffff N N N N N ALLOW
+48-sim-32b_args all_64 1032 0xffffffffffffffff N N N N N KILL
+48-sim-32b_args all_64 1064 0x0 N N N N N KILL
+48-sim-32b_args all_64 1064 0xffffffff N N N N N KILL
+48-sim-32b_args all_64 1064 0xffffffffffffffff N N N N N ALLOW
+48-sim-32b_args all_64 2000 0x0 N N N N N KILL
+48-sim-32b_args all_64 2000 0xffffffff N N N N N KILL
+48-sim-32b_args all_64 2000 0xffffffffffffffff N N N N N ALLOW
+48-sim-32b_args all_64 2032 0x0 N N N N N KILL
+48-sim-32b_args all_64 2032 0xffffffff N N N N N ALLOW
+48-sim-32b_args all_64 2032 0xffffffffffffffff N N N N N KILL
+48-sim-32b_args all_64 2064 0x0 N N N N N KILL
+48-sim-32b_args all_64 2064 0xffffffff N N N N N KILL
+48-sim-32b_args all_64 2064 0xffffffffffffffff N N N N N ALLOW
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+48-sim-32b_args 50
+
+test type: bpf-valgrind
+
+# Testname
+48-sim-32b_args
diff --git a/tests/49-sim-64b_comparisons.c b/tests/49-sim-64b_comparisons.c
new file mode 100644
index 0000000..364a67d
--- /dev/null
+++ b/tests/49-sim-64b_comparisons.c
@@ -0,0 +1,56 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 1,
+ SCMP_A0(SCMP_CMP_LT, 0x123456789abcUL));
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/49-sim-64b_comparisons.py b/tests/49-sim-64b_comparisons.py
new file mode 100755
index 0000000..054cdea
--- /dev/null
+++ b/tests/49-sim-64b_comparisons.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import errno
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ set_api(3)
+
+ f = SyscallFilter(KILL)
+ f.add_rule_exactly(ALLOW, 1000, Arg(0, LT, 0x123456789abc))
+
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/49-sim-64b_comparisons.tests b/tests/49-sim-64b_comparisons.tests
new file mode 100644
index 0000000..053d5f1
--- /dev/null
+++ b/tests/49-sim-64b_comparisons.tests
@@ -0,0 +1,25 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+49-sim-64b_comparisons all_64 1000 0x000000000000 N N N N N ALLOW
+49-sim-64b_comparisons all_64 1000 0x123000000000 N N N N N ALLOW
+49-sim-64b_comparisons all_64 1000 0x1230f0000000 N N N N N ALLOW
+49-sim-64b_comparisons all_64 1000 0x123400000000 N N N N N ALLOW
+49-sim-64b_comparisons all_64 1000 0x123450000000 N N N N N ALLOW
+49-sim-64b_comparisons all_64 1000 0x123460000000 N N N N N KILL
+49-sim-64b_comparisons all_64 1000 0x1234f0000000 N N N N N KILL
+49-sim-64b_comparisons all_64 1000 0x123500000000 N N N N N KILL
+49-sim-64b_comparisons all_64 1000 0x1235f0000000 N N N N N KILL
+49-sim-64b_comparisons all_64 1000 0x123600000000 N N N N N KILL
+
+test type: bpf-valgrind
+
+# Testname
+49-sim-64b_comparisons
diff --git a/tests/50-sim-hash_collision.c b/tests/50-sim-hash_collision.c
new file mode 100644
index 0000000..24eba19
--- /dev/null
+++ b/tests/50-sim-hash_collision.c
@@ -0,0 +1,98 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2019 Oracle and/or its affiliates. All rights reserved.
+ * Author: Tom Hromatka <tom.hromatka@oracle.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ rc = seccomp_api_set(1);
+ if (rc != 0)
+ return -rc;
+
+ ctx = seccomp_init(SCMP_ACT_ERRNO(100));
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64);
+ if (rc != 0)
+ goto out;
+
+ /* libseccomp utilizes a hash table to manage BPF blocks. It
+ * currently employs MurmurHash3 where the key is the hashed values
+ * of the BPF instruction blocks, the accumulator start, and the
+ * accumulator end. Changes to the hash algorithm will likely affect
+ * this test.
+ */
+
+ /* The following rules were derived from an issue reported by Tor:
+ * https://github.com/seccomp/libseccomp/issues/148
+ *
+ * In the steps below, syscall 1001 is configured similarly to how
+ * Tor configured socket. The fairly complex rules below led to
+ * a hash collision with rt_sigaction (syscall 1000) in this test.
+ */
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, 1001, 3,
+ SCMP_A0(SCMP_CMP_EQ, 1),
+ SCMP_A1(SCMP_CMP_MASKED_EQ, 0xf, 2),
+ SCMP_A2(SCMP_CMP_EQ, 3));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, 1001, 2,
+ SCMP_A0(SCMP_CMP_EQ, 1),
+ SCMP_A1(SCMP_CMP_MASKED_EQ, 0xf, 1));
+ if (rc != 0)
+ goto out;
+
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, 1000, 1,
+ SCMP_A0(SCMP_CMP_EQ, 2));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, 1000, 1,
+ SCMP_A0(SCMP_CMP_EQ, 1));
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/50-sim-hash_collision.py b/tests/50-sim-hash_collision.py
new file mode 100755
index 0000000..d3c5f2f
--- /dev/null
+++ b/tests/50-sim-hash_collision.py
@@ -0,0 +1,61 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2019 Oracle and/or its affiliates. All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ set_api(1)
+ f = SyscallFilter(ERRNO(100))
+ f.remove_arch(Arch())
+ f.add_arch(Arch("x86_64"))
+
+ # libseccomp utilizes a hash table to manage BPF blocks. It currently
+ # employs MurmurHash3 where the key is the hashed values of the BPF
+ # instruction blocks, the accumulator start, and the accumulator end.
+ # Changes to the hash algorithm will likely affect this test.
+
+ # The following rules were derived from an issue reported by Tor:
+ # https://github.com/seccomp/libseccomp/issues/148
+ #
+ # In the steps below, syscall 1001 is configured similarly to how
+ # Tor configured socket. The fairly complex rules below led to
+ # a hash collision with rt_sigaction (syscall 1000) in this test.
+
+ f.add_rule_exactly(ALLOW, 1001, Arg(0, EQ, 1), Arg(1, MASKED_EQ, 0xf, 2),
+ Arg(2, EQ, 3))
+ f.add_rule_exactly(ALLOW, 1001, Arg(0, EQ, 1), Arg(1, MASKED_EQ, 0xf, 1))
+ f.add_rule_exactly(ALLOW, 1000, Arg(0, EQ, 2))
+ f.add_rule_exactly(ALLOW, 1000, Arg(0, EQ, 1))
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/50-sim-hash_collision.tests b/tests/50-sim-hash_collision.tests
new file mode 100644
index 0000000..f63f6f4
--- /dev/null
+++ b/tests/50-sim-hash_collision.tests
@@ -0,0 +1,18 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2019 Oracle and/or its affiliates. All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+50-sim-hash_collision x86_64 1000 1 N N N N N ALLOW
+50-sim-hash_collision x86_64 1000 2 N N N N N ALLOW
+50-sim-hash_collision x86_64 1000 3 N N N N N ERRNO(100)
+50-sim-hash_collision x86_64 1001 1 2 3 N N N ALLOW
+50-sim-hash_collision x86_64 1001 1 1 N N N N ALLOW
+50-sim-hash_collision x86_64 1001 2 N N N N N ERRNO(100)
+50-sim-hash_collision x86_64 1001 1 3 N N N N ERRNO(100)
+50-sim-hash_collision x86_64 1001 1 2 4 N N N ERRNO(100)
diff --git a/tests/51-live-user_notification.c b/tests/51-live-user_notification.c
new file mode 100644
index 0000000..4847d8b
--- /dev/null
+++ b/tests/51-live-user_notification.c
@@ -0,0 +1,134 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <asm/unistd.h>
+#include <unistd.h>
+#include <seccomp.h>
+#include <signal.h>
+#include <syscall.h>
+#include <errno.h>
+#include <stdlib.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc, fd = -1, status;
+ struct seccomp_notif *req = NULL;
+ struct seccomp_notif_resp *resp = NULL;
+ scmp_filter_ctx ctx = NULL;
+ pid_t pid = 0, magic;
+
+ magic = getpid();
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(getpid), 0, NULL);
+ if (rc)
+ goto out;
+
+ rc = seccomp_load(ctx);
+ if (rc < 0)
+ goto out;
+
+ rc = seccomp_notify_fd(ctx);
+ if (rc < 0)
+ goto out;
+ fd = rc;
+
+ pid = fork();
+ if (pid == 0)
+ exit(syscall(__NR_getpid) != magic);
+
+ rc = seccomp_notify_alloc(&req, &resp);
+ if (rc)
+ goto out;
+
+ rc = seccomp_notify_receive(fd, req);
+ if (rc)
+ goto out;
+ if (req->data.nr != __NR_getpid) {
+ rc = -EFAULT;
+ goto out;
+ }
+ rc = seccomp_notify_id_valid(fd, req->id);
+ if (rc)
+ goto out;
+
+ resp->id = req->id;
+ resp->val = magic;
+ resp->error = 0;
+ resp->flags = 0;
+ rc = seccomp_notify_respond(fd, resp);
+ if (rc)
+ goto out;
+
+ if (waitpid(pid, &status, 0) != pid) {
+ rc = -EFAULT;
+ goto out;
+ }
+
+ if (!WIFEXITED(status)) {
+ rc = -EFAULT;
+ goto out;
+ }
+ if (WEXITSTATUS(status)) {
+ rc = -EFAULT;
+ goto out;
+ }
+
+ rc = seccomp_reset(ctx, SCMP_ACT_ALLOW);
+ if (rc < 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(getppid), 0, NULL);
+ if (rc)
+ goto out;
+
+ rc = seccomp_load(ctx);
+ if (rc < 0)
+ goto out;
+
+ rc = seccomp_notify_fd(ctx);
+ if (rc < 0)
+ goto out;
+ if (rc != fd) {
+ rc = -EFAULT;
+ goto out;
+ } else
+ rc = 0;
+
+out:
+ if (fd >= 0)
+ close(fd);
+ if (pid)
+ kill(pid, SIGKILL);
+ seccomp_notify_free(req, resp);
+ seccomp_release(ctx);
+
+ if (rc != 0)
+ return (rc < 0 ? -rc : rc);
+ return 160;
+}
diff --git a/tests/51-live-user_notification.py b/tests/51-live-user_notification.py
new file mode 100755
index 0000000..3449c44
--- /dev/null
+++ b/tests/51-live-user_notification.py
@@ -0,0 +1,64 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import os
+import signal
+import sys
+
+import util
+
+from seccomp import *
+
+def test():
+ magic = os.getuid() + 1
+ f = SyscallFilter(ALLOW)
+ f.add_rule(NOTIFY, "getuid")
+ f.load()
+ pid = os.fork()
+ if pid == 0:
+ val = os.getuid()
+ if val != magic:
+ raise RuntimeError("Response return value failed")
+ quit(1)
+ quit(0)
+ else:
+ notify = f.receive_notify()
+ if notify.syscall != resolve_syscall(Arch(), "getuid"):
+ raise RuntimeError("Notification failed")
+ f.respond_notify(NotificationResponse(notify, magic, 0, 0))
+ wpid, rc = os.waitpid(pid, 0)
+ if os.WIFEXITED(rc) == 0:
+ raise RuntimeError("Child process error")
+ if os.WEXITSTATUS(rc) != 0:
+ raise RuntimeError("Child process error")
+ f.reset(ALLOW)
+ f.add_rule(NOTIFY, "getppid")
+ f.load()
+ # no easy way to check the notification fd here
+ quit(160)
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/51-live-user_notification.tests b/tests/51-live-user_notification.tests
new file mode 100644
index 0000000..4c5e964
--- /dev/null
+++ b/tests/51-live-user_notification.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright Cisco Systems 2019
+# Author: Tycho Andersen <tycho@tycho.ws>
+#
+
+test type: live
+
+# Testname API Result
+51-live-user_notification 5 ALLOW
diff --git a/tests/52-basic-load.c b/tests/52-basic-load.c
new file mode 100644
index 0000000..de3cb8f
--- /dev/null
+++ b/tests/52-basic-load.c
@@ -0,0 +1,71 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+ unsigned int api;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ api = seccomp_api_get();
+ if (api == 0) {
+ rc = -EFAULT;
+ goto out;
+ }
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ if (api >= 2) {
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
+ if (rc != 0)
+ goto out;
+ }
+ if (api >= 3) {
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_LOG, 1);
+ if (rc != 0)
+ goto out;
+ }
+ if (api >= 4) {
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_SSB, 1);
+ if (rc != 0)
+ goto out;
+ }
+
+ rc = seccomp_load(ctx);
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/52-basic-load.py b/tests/52-basic-load.py
new file mode 100755
index 0000000..4395a79
--- /dev/null
+++ b/tests/52-basic-load.py
@@ -0,0 +1,38 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test():
+ f = SyscallFilter(ALLOW)
+ f.load()
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/52-basic-load.tests b/tests/52-basic-load.tests
new file mode 100644
index 0000000..510e2d3
--- /dev/null
+++ b/tests/52-basic-load.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: basic
+
+# Test command
+52-basic-load
diff --git a/tests/53-sim-binary_tree.c b/tests/53-sim-binary_tree.c
new file mode 100644
index 0000000..4aa5f13
--- /dev/null
+++ b/tests/53-sim-binary_tree.c
@@ -0,0 +1,156 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2018-2020 Oracle and/or its affiliates.
+ * Author: Tom Hromatka <tom.hromatka@oracle.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+#define ARG_COUNT_MAX 2
+
+struct syscall_errno {
+ int syscall;
+ int error;
+ int arg_cnt;
+ /* To make the test more interesting, arguments are added to several
+ * syscalls. To keep the test simple, the arguments always use
+ * SCMP_CMP_EQ.
+ */
+ int args[ARG_COUNT_MAX];
+};
+
+struct syscall_errno table[] = {
+ { SCMP_SYS(read), 0, 0, { 0, 0 } },
+ { SCMP_SYS(write), 1, 0, { 0, 0 } },
+ { SCMP_SYS(open), 2, 0, { 0, 0 } },
+ { SCMP_SYS(close), 3, 2, { 100, 101 } },
+ { SCMP_SYS(stat), 4, 0, { 0, 0 } },
+ { SCMP_SYS(fstat), 5, 0, { 0, 0 } },
+ { SCMP_SYS(lstat), 6, 0, { 0, 0 } },
+ { SCMP_SYS(poll), 7, 1, { 102, 0 } },
+ { SCMP_SYS(lseek), 8, 2, { 103, 104 } },
+ { SCMP_SYS(mmap), 9, 0, { 0, 0 } },
+ { SCMP_SYS(mprotect), 10, 0, { 0, 0 } },
+ { SCMP_SYS(munmap), 11, 0, { 0, 0 } },
+ { SCMP_SYS(brk), 12, 0, { 0, 0 } },
+ { SCMP_SYS(rt_sigaction), 13, 0, { 0, 0 } },
+ { SCMP_SYS(rt_sigprocmask), 14, 0, { 0, 0 } },
+ { SCMP_SYS(rt_sigreturn), 15, 0, { 0, 0 } },
+ { SCMP_SYS(ioctl), 16, 0, { 0, 0 } },
+ { SCMP_SYS(pread64), 17, 1, { 105, 0 } },
+ { SCMP_SYS(pwrite64), 18, 0, { 0, 0 } },
+ { SCMP_SYS(readv), 19, 0, { 0, 0 } },
+ { SCMP_SYS(writev), 20, 0, { 0, 0 } },
+ { SCMP_SYS(access), 21, 0, { 0, 0 } },
+ { SCMP_SYS(pipe), 22, 0, { 0, 0 } },
+ { SCMP_SYS(select), 23, 2, { 106, 107 } },
+ { SCMP_SYS(sched_yield), 24, 0, { 0, 0 } },
+ { SCMP_SYS(mremap), 25, 2, { 108, 109 } },
+ { SCMP_SYS(msync), 26, 0, { 0, 0 } },
+ { SCMP_SYS(mincore), 27, 0, { 0, 0 } },
+ { SCMP_SYS(madvise), 28, 0, { 0, 0 } },
+ { SCMP_SYS(dup), 32, 1, { 112, 0 } },
+ { SCMP_SYS(dup2), 33, 0, { 0, 0 } },
+ { SCMP_SYS(pause), 34, 0, { 0, 0 } },
+ { SCMP_SYS(nanosleep), 35, 0, { 0, 0 } },
+ { SCMP_SYS(getitimer), 36, 0, { 0, 0 } },
+ { SCMP_SYS(alarm), 37, 0, { 0, 0 } },
+};
+
+const int table_size = sizeof(table) / sizeof(table[0]);
+
+int main(int argc, char *argv[])
+{
+ int rc, i;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL) {
+ rc = ENOMEM;
+ goto out;
+ }
+
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_AARCH64);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
+ if (rc < 0)
+ goto out;
+
+ for (i = 0; i < table_size; i++) {
+ switch (table[i].arg_cnt) {
+ case 2:
+ rc = seccomp_rule_add(ctx,
+ SCMP_ACT_ERRNO(table[i].error),
+ table[i].syscall, 2,
+ SCMP_A0(SCMP_CMP_EQ,
+ table[i].args[0]),
+ SCMP_A1(SCMP_CMP_EQ,
+ table[i].args[1]));
+ break;
+ case 1:
+ rc = seccomp_rule_add(ctx,
+ SCMP_ACT_ERRNO(table[i].error),
+ table[i].syscall, 1,
+ SCMP_A0(SCMP_CMP_EQ,
+ table[i].args[0]));
+ break;
+ case 0:
+ default:
+ rc = seccomp_rule_add(ctx,
+ SCMP_ACT_ERRNO(table[i].error),
+ table[i].syscall, 0);
+ break;
+ }
+
+ if (rc < 0)
+ goto out;
+ }
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/53-sim-binary_tree.py b/tests/53-sim-binary_tree.py
new file mode 100755
index 0000000..8ee58cd
--- /dev/null
+++ b/tests/53-sim-binary_tree.py
@@ -0,0 +1,96 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+table = [
+ {"syscall": "read", "error": 0, "arg_cnt": 0 },
+ {"syscall": "write", "error": 1, "arg_cnt": 0 },
+ {"syscall": "open", "error": 2, "arg_cnt": 0 },
+ {"syscall": "close", "error": 3, "arg_cnt": 2, "arg1": 100, "arg2": 101 },
+ {"syscall": "stat", "error": 4, "arg_cnt": 0 },
+ {"syscall": "fstat", "error": 5, "arg_cnt": 0 },
+ {"syscall": "lstat", "error": 6, "arg_cnt": 0 },
+ {"syscall": "poll", "error": 7, "arg_cnt": 1, "arg1": 102 },
+ {"syscall": "lseek", "error": 8, "arg_cnt": 2, "arg1": 103, "arg2": 104 },
+ {"syscall": "mmap", "error": 9, "arg_cnt": 0 },
+ {"syscall": "mprotect", "error": 10, "arg_cnt": 0 },
+ {"syscall": "munmap", "error": 11, "arg_cnt": 0 },
+ {"syscall": "brk", "error": 12, "arg_cnt": 0 },
+ {"syscall": "rt_sigaction", "error": 13, "arg_cnt": 0 },
+ {"syscall": "rt_sigprocmask", "error": 14, "arg_cnt": 0 },
+ {"syscall": "rt_sigreturn", "error": 15, "arg_cnt": 0 },
+ {"syscall": "ioctl", "error": 16, "arg_cnt": 0 },
+ {"syscall": "pread64", "error": 17, "arg_cnt": 1, "arg1": 105 },
+ {"syscall": "pwrite64", "error": 18, "arg_cnt": 0 },
+ {"syscall": "readv", "error": 19, "arg_cnt": 0 },
+ {"syscall": "writev", "error": 20, "arg_cnt": 0 },
+ {"syscall": "access", "error": 21, "arg_cnt": 0 },
+ {"syscall": "pipe", "error": 22, "arg_cnt": 0 },
+ {"syscall": "select", "error": 23, "arg_cnt": 2, "arg1": 106, "arg2": 107 },
+ {"syscall": "sched_yield", "error": 24, "arg_cnt": 0 },
+ {"syscall": "mremap", "error": 25, "arg_cnt": 2, "arg1": 108, "arg2": 109 },
+ {"syscall": "msync", "error": 26, "arg_cnt": 0 },
+ {"syscall": "mincore", "error": 27, "arg_cnt": 0 },
+ {"syscall": "madvise", "error": 28, "arg_cnt": 0 },
+ {"syscall": "dup", "error": 32, "arg_cnt": 1, "arg1": 112 },
+ {"syscall": "dup2", "error": 33, "arg_cnt": 0 },
+ {"syscall": "pause", "error": 34, "arg_cnt": 0 },
+ {"syscall": "nanosleep", "error": 35, "arg_cnt": 0 },
+ {"syscall": "getitimer", "error": 36, "arg_cnt": 0 },
+ {"syscall": "alarm", "error": 37, "arg_cnt": 0 },
+]
+
+def test(args):
+ f = SyscallFilter(ALLOW)
+ f.set_attr(Attr.CTL_OPTIMIZE, 2)
+
+ f.remove_arch(Arch())
+ f.add_arch(Arch("aarch64"))
+ f.add_arch(Arch("ppc64le"))
+ f.add_arch(Arch("x86_64"))
+
+ for entry in table:
+ if entry["arg_cnt"] == 2:
+ f.add_rule(ERRNO(entry["error"]), entry["syscall"],
+ Arg(0, EQ, entry["arg1"]),
+ Arg(1, EQ, entry["arg2"]))
+ elif entry["arg_cnt"] == 1:
+ f.add_rule(ERRNO(entry["error"]), entry["syscall"],
+ Arg(0, EQ, entry["arg1"]))
+ else:
+ f.add_rule(ERRNO(entry["error"]), entry["syscall"])
+
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/53-sim-binary_tree.tests b/tests/53-sim-binary_tree.tests
new file mode 100644
index 0000000..2ebaafd
--- /dev/null
+++ b/tests/53-sim-binary_tree.tests
@@ -0,0 +1,65 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2019-2020 Oracle and/or its affiliates.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 read N N N N N N ERRNO(0)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 write N N N N N N ERRNO(1)
+53-sim-binary_tree +x86_64,+ppc64le open N N N N N N ERRNO(2)
+53-sim-binary_tree +aarch64 open N N N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 close N N N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 close 100 1234 N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 close 100 101 N N N N ERRNO(3)
+53-sim-binary_tree +x86_64,+ppc64le stat N N N N N N ERRNO(4)
+53-sim-binary_tree +aarch64 stat N N N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 fstat N N N N N N ERRNO(5)
+53-sim-binary_tree +x86_64,+ppc64le lstat N N N N N N ERRNO(6)
+53-sim-binary_tree +aarch64 lstat N N N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le poll 102 N N N N N ERRNO(7)
+53-sim-binary_tree +aarch64 poll 102 N N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 lseek 103 104 N N N N ERRNO(8)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 mmap N N N N N N ERRNO(9)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 mprotect N N N N N N ERRNO(10)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 munmap N N N N N N ERRNO(11)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 brk N N N N N N ERRNO(12)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 rt_sigaction N N N N N N ERRNO(13)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 rt_sigprocmask N N N N N N ERRNO(14)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 rt_sigreturn N N N N N N ERRNO(15)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 ioctl N N N N N N ERRNO(16)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 pread64 105 N N N N N ERRNO(17)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 pwrite64 N N N N N N ERRNO(18)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 readv N N N N N N ERRNO(19)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 writev N N N N N N ERRNO(20)
+53-sim-binary_tree +x86_64,+ppc64le access N N N N N N ERRNO(21)
+53-sim-binary_tree +aarch64 access N N N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le pipe N N N N N N ERRNO(22)
+53-sim-binary_tree +aarch64 pipe N N N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 select N N N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le select 106 107 N N N N ERRNO(23)
+53-sim-binary_tree +aarch64 select 106 107 N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 sched_yield N N N N N N ERRNO(24)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 mremap N N N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 mremap 108 109 N N N N ERRNO(25)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 msync N N N N N N ERRNO(26)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 mincore N N N N N N ERRNO(27)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 madvise N N N N N N ERRNO(28)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 dup 112 N N N N N ERRNO(32)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 dup 5678 N N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le dup2 N N N N N N ERRNO(33)
+53-sim-binary_tree +aarch64 dup2 N N N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le pause N N N N N N ERRNO(34)
+53-sim-binary_tree +aarch64 pause N N N N N N ALLOW
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 nanosleep N N N N N N ERRNO(35)
+53-sim-binary_tree +x86_64,+ppc64le,+aarch64 getitimer N N N N N N ERRNO(36)
+53-sim-binary_tree +x86_64,+ppc64le alarm N N N N N N ERRNO(37)
+53-sim-binary_tree +aarch64 alarm N N N N N N ALLOW
+
+test type: bpf-valgrind
+
+# Testname
+53-sim-binary_tree
diff --git a/tests/54-live-binary_tree.c b/tests/54-live-binary_tree.c
new file mode 100644
index 0000000..8d0d25d
--- /dev/null
+++ b/tests/54-live-binary_tree.c
@@ -0,0 +1,130 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+ * Author: Tom Hromatka <tom.hromatka@oracle.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+static const int denylist[] = {
+ SCMP_SYS(times),
+ SCMP_SYS(ptrace),
+ SCMP_SYS(getuid),
+ SCMP_SYS(syslog),
+ SCMP_SYS(getgid),
+ SCMP_SYS(setuid),
+ SCMP_SYS(setgid),
+ SCMP_SYS(geteuid),
+ SCMP_SYS(getegid),
+ SCMP_SYS(setpgid),
+ SCMP_SYS(getppid),
+ SCMP_SYS(getpgrp),
+ SCMP_SYS(setsid),
+ SCMP_SYS(setreuid),
+ SCMP_SYS(setregid),
+ SCMP_SYS(getgroups),
+ SCMP_SYS(setgroups),
+ SCMP_SYS(setresuid),
+ SCMP_SYS(getresuid),
+ SCMP_SYS(setresgid),
+ SCMP_SYS(getresgid),
+ SCMP_SYS(getpgid),
+ SCMP_SYS(setfsuid),
+ SCMP_SYS(setfsgid),
+};
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ int fd;
+ int i;
+ scmp_filter_ctx ctx = NULL;
+ const char buf[] = "testing";
+ ssize_t buf_len = strlen(buf);
+
+ rc = util_action_parse(argv[1]);
+ if (rc != SCMP_ACT_ALLOW) {
+ rc = 1;
+ goto out;
+ }
+
+ rc = util_trap_install();
+ if (rc != 0)
+ goto out;
+
+ fd = open("/dev/null", O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
+ if (fd < 0) {
+ rc = errno;
+ goto out;
+ }
+
+ ctx = seccomp_init(SCMP_ACT_TRAP);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
+ if (rc < 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, fd));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
+ if (rc != 0)
+ goto out;
+
+ for (i = 0; i < (sizeof(denylist) / sizeof(denylist[0])); i++) {
+ rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, denylist[i], 0);
+ if (rc != 0)
+ goto out;
+ }
+
+ rc = seccomp_load(ctx);
+ if (rc != 0)
+ goto out;
+
+ if (write(fd, buf, buf_len) < buf_len) {
+ rc = errno;
+ goto out;
+ }
+ if (close(fd) < 0) {
+ rc = errno;
+ goto out;
+ }
+
+ rc = 160;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/54-live-binary_tree.py b/tests/54-live-binary_tree.py
new file mode 100755
index 0000000..2bc7386
--- /dev/null
+++ b/tests/54-live-binary_tree.py
@@ -0,0 +1,96 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+denylist = [
+ "times",
+ "ptrace",
+ "getuid",
+ "syslog",
+ "getgid",
+ "setuid",
+ "setgid",
+ "geteuid",
+ "getegid",
+ "setpgid",
+ "getppid",
+ "getpgrp",
+ "setsid",
+ "setreuid",
+ "setregid",
+ "getgroups",
+ "setgroups",
+ "setresuid",
+ "getresuid",
+ "setresgid",
+ "getresgid",
+ "getpgid",
+ "setfsuid",
+ "setfsgid",
+]
+
+def test():
+ action = util.parse_action(sys.argv[1])
+ if not action == ALLOW:
+ quit(1)
+ util.install_trap()
+ f = SyscallFilter(TRAP)
+ f.set_attr(Attr.CTL_TSYNC, 1)
+ f.set_attr(Attr.CTL_OPTIMIZE, 2)
+ # NOTE: additional syscalls required for python
+ f.add_rule(ALLOW, "stat")
+ f.add_rule(ALLOW, "fstat")
+ f.add_rule(ALLOW, "open")
+ f.add_rule(ALLOW, "openat")
+ f.add_rule(ALLOW, "mmap")
+ f.add_rule(ALLOW, "munmap")
+ f.add_rule(ALLOW, "read")
+ f.add_rule(ALLOW, "write")
+ f.add_rule(ALLOW, "close")
+ f.add_rule(ALLOW, "rt_sigaction")
+ f.add_rule(ALLOW, "rt_sigreturn")
+ f.add_rule(ALLOW, "sigreturn")
+ f.add_rule(ALLOW, "sigaltstack")
+ f.add_rule(ALLOW, "brk")
+ f.add_rule(ALLOW, "exit_group")
+
+ for syscall in denylist:
+ f.add_rule(KILL, syscall)
+
+ f.load()
+ try:
+ util.write_file("/dev/null")
+ except OSError as ex:
+ quit(ex.errno)
+ quit(160)
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/54-live-binary_tree.tests b/tests/54-live-binary_tree.tests
new file mode 100644
index 0000000..63575e9
--- /dev/null
+++ b/tests/54-live-binary_tree.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2019 Oracle and/or its affiliates. All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+test type: live
+
+# Testname API Result
+54-live-binary_tree 1 ALLOW
diff --git a/tests/55-basic-pfc_binary_tree.c b/tests/55-basic-pfc_binary_tree.c
new file mode 100644
index 0000000..e364fd6
--- /dev/null
+++ b/tests/55-basic-pfc_binary_tree.c
@@ -0,0 +1,134 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2018-2020 Oracle and/or its affiliates.
+ * Author: Tom Hromatka <tom.hromatka@oracle.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+#define ARG_COUNT_MAX 2
+
+struct syscall_errno {
+ int syscall;
+ int error;
+ int arg_cnt;
+ /* To make the test more interesting, arguments are added to several
+ * syscalls. To keep the test simple, the arguments always use
+ * SCMP_CMP_EQ.
+ */
+ int args[ARG_COUNT_MAX];
+};
+
+struct syscall_errno table[] = {
+ { SCMP_SYS(read), 0, 2, { 100, 101 } },
+ { SCMP_SYS(write), 1, 1, { 102, 0 } },
+ { SCMP_SYS(open), 2, 0, { 0, 0 } },
+ { SCMP_SYS(close), 3, 0, { 0, 0 } },
+ { SCMP_SYS(stat), 4, 0, { 0, 0 } },
+ { SCMP_SYS(fstat), 5, 1, { 103, 0 } },
+ { SCMP_SYS(lstat), 6, 0, { 0, 0 } },
+ { SCMP_SYS(poll), 7, 0, { 0, 0 } },
+ { SCMP_SYS(lseek), 8, 1, { 104, 0 } },
+ { SCMP_SYS(mmap), 9, 0, { 0, 0 } },
+ { SCMP_SYS(mprotect), 10, 1, { 105, 0 } },
+ { SCMP_SYS(munmap), 11, 0, { 0, 0 } },
+ { SCMP_SYS(brk), 12, 0, { 0, 0 } },
+ { SCMP_SYS(rt_sigaction), 13, 0, { 0, 0 } },
+ { SCMP_SYS(rt_sigprocmask), 14, 0, { 0, 0 } },
+ { SCMP_SYS(rt_sigreturn), 15, 0, { 0, 0 } },
+ { SCMP_SYS(ioctl), 16, 0, { 0, 0 } },
+ { SCMP_SYS(pread64), 17, 1, { 106, 0 } },
+ { SCMP_SYS(pwrite64), 18, 2, { 107, 108 } },
+};
+
+const int table_size = sizeof(table) / sizeof(table[0]);
+
+int main(int argc, char *argv[])
+{
+ int rc, fd, i;
+ scmp_filter_ctx ctx = NULL;
+
+ /* stdout */
+ fd = 1;
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL) {
+ rc = ENOMEM;
+ goto out;
+ }
+
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc < 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64);
+ if (rc < 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_AARCH64);
+ if (rc < 0)
+ goto out;
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
+ if (rc < 0)
+ goto out;
+
+ for (i = 0; i < table_size; i++) {
+ switch (table[i].arg_cnt) {
+ case 2:
+ rc = seccomp_rule_add(ctx,
+ SCMP_ACT_ERRNO(table[i].error),
+ table[i].syscall, 2,
+ SCMP_A0(SCMP_CMP_EQ,
+ table[i].args[0]),
+ SCMP_A1(SCMP_CMP_EQ,
+ table[i].args[1]));
+ break;
+ case 1:
+ rc = seccomp_rule_add(ctx,
+ SCMP_ACT_ERRNO(table[i].error),
+ table[i].syscall, 1,
+ SCMP_A0(SCMP_CMP_EQ,
+ table[i].args[0]));
+ break;
+ case 0:
+ default:
+ rc = seccomp_rule_add(ctx,
+ SCMP_ACT_ERRNO(table[i].error),
+ table[i].syscall, 0);
+ break;
+ }
+
+ if (rc < 0)
+ goto out;
+ }
+
+ rc = seccomp_export_pfc(ctx, fd);
+ if (rc < 0)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ close(fd);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/55-basic-pfc_binary_tree.pfc b/tests/55-basic-pfc_binary_tree.pfc
new file mode 100644
index 0000000..ba3244c
--- /dev/null
+++ b/tests/55-basic-pfc_binary_tree.pfc
@@ -0,0 +1,182 @@
+#
+# pseudo filter code start
+#
+# filter for arch x86_64 (3221225534)
+if ($arch == 3221225534)
+ if ($syscall > 2)
+ if ($syscall > 10)
+ if ($syscall > 14)
+ # filter for syscall "pwrite64" (18) [priority: 65531]
+ if ($syscall == 18)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 107)
+ if ($a1.hi32 == 0)
+ if ($a1.lo32 == 108)
+ action ERRNO(18);
+ # filter for syscall "pread64" (17) [priority: 65533]
+ if ($syscall == 17)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 106)
+ action ERRNO(17);
+ # filter for syscall "ioctl" (16) [priority: 65535]
+ if ($syscall == 16)
+ action ERRNO(16);
+ # filter for syscall "rt_sigreturn" (15) [priority: 65535]
+ if ($syscall == 15)
+ action ERRNO(15);
+ else # ($syscall <= 14)
+ # filter for syscall "rt_sigprocmask" (14) [priority: 65535]
+ if ($syscall == 14)
+ action ERRNO(14);
+ # filter for syscall "rt_sigaction" (13) [priority: 65535]
+ if ($syscall == 13)
+ action ERRNO(13);
+ # filter for syscall "brk" (12) [priority: 65535]
+ if ($syscall == 12)
+ action ERRNO(12);
+ # filter for syscall "munmap" (11) [priority: 65535]
+ if ($syscall == 11)
+ action ERRNO(11);
+ else # ($syscall <= 10)
+ if ($syscall > 6)
+ # filter for syscall "mprotect" (10) [priority: 65533]
+ if ($syscall == 10)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 105)
+ action ERRNO(10);
+ # filter for syscall "mmap" (9) [priority: 65535]
+ if ($syscall == 9)
+ action ERRNO(9);
+ # filter for syscall "lseek" (8) [priority: 65533]
+ if ($syscall == 8)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 104)
+ action ERRNO(8);
+ # filter for syscall "poll" (7) [priority: 65535]
+ if ($syscall == 7)
+ action ERRNO(7);
+ else # ($syscall <= 6)
+ # filter for syscall "lstat" (6) [priority: 65535]
+ if ($syscall == 6)
+ action ERRNO(6);
+ # filter for syscall "fstat" (5) [priority: 65533]
+ if ($syscall == 5)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 103)
+ action ERRNO(5);
+ # filter for syscall "stat" (4) [priority: 65535]
+ if ($syscall == 4)
+ action ERRNO(4);
+ # filter for syscall "close" (3) [priority: 65535]
+ if ($syscall == 3)
+ action ERRNO(3);
+ else # ($syscall <= 2)
+ # filter for syscall "open" (2) [priority: 65535]
+ if ($syscall == 2)
+ action ERRNO(2);
+ # filter for syscall "write" (1) [priority: 65533]
+ if ($syscall == 1)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 102)
+ action ERRNO(1);
+ # filter for syscall "read" (0) [priority: 65531]
+ if ($syscall == 0)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 100)
+ if ($a1.hi32 == 0)
+ if ($a1.lo32 == 101)
+ action ERRNO(0);
+ # default action
+ action ALLOW;
+# filter for arch aarch64 (3221225655)
+if ($arch == 3221225655)
+ if ($syscall > 62)
+ if ($syscall > 139)
+ if ($syscall > 226)
+ # filter for syscall "lstat" (4294957133) [priority: 65535]
+ if ($syscall == 4294957133)
+ action ERRNO(6);
+ # filter for syscall "open" (4294957130) [priority: 65535]
+ if ($syscall == 4294957130)
+ action ERRNO(2);
+ # filter for syscall "poll" (4294957127) [priority: 65535]
+ if ($syscall == 4294957127)
+ action ERRNO(7);
+ # filter for syscall "stat" (4294957122) [priority: 65535]
+ if ($syscall == 4294957122)
+ action ERRNO(4);
+ else # ($syscall <= 226)
+ # filter for syscall "mprotect" (226) [priority: 65533]
+ if ($syscall == 226)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 105)
+ action ERRNO(10);
+ # filter for syscall "mmap" (222) [priority: 65535]
+ if ($syscall == 222)
+ action ERRNO(9);
+ # filter for syscall "munmap" (215) [priority: 65535]
+ if ($syscall == 215)
+ action ERRNO(11);
+ # filter for syscall "brk" (214) [priority: 65535]
+ if ($syscall == 214)
+ action ERRNO(12);
+ else # ($syscall <= 139)
+ if ($syscall > 68)
+ # filter for syscall "rt_sigreturn" (139) [priority: 65535]
+ if ($syscall == 139)
+ action ERRNO(15);
+ # filter for syscall "rt_sigprocmask" (135) [priority: 65535]
+ if ($syscall == 135)
+ action ERRNO(14);
+ # filter for syscall "rt_sigaction" (134) [priority: 65535]
+ if ($syscall == 134)
+ action ERRNO(13);
+ # filter for syscall "fstat" (80) [priority: 65533]
+ if ($syscall == 80)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 103)
+ action ERRNO(5);
+ else # ($syscall <= 68)
+ # filter for syscall "pwrite64" (68) [priority: 65531]
+ if ($syscall == 68)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 107)
+ if ($a1.hi32 == 0)
+ if ($a1.lo32 == 108)
+ action ERRNO(18);
+ # filter for syscall "pread64" (67) [priority: 65533]
+ if ($syscall == 67)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 106)
+ action ERRNO(17);
+ # filter for syscall "write" (64) [priority: 65533]
+ if ($syscall == 64)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 102)
+ action ERRNO(1);
+ # filter for syscall "read" (63) [priority: 65531]
+ if ($syscall == 63)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 100)
+ if ($a1.hi32 == 0)
+ if ($a1.lo32 == 101)
+ action ERRNO(0);
+ else # ($syscall <= 62)
+ # filter for syscall "lseek" (62) [priority: 65533]
+ if ($syscall == 62)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 104)
+ action ERRNO(8);
+ # filter for syscall "close" (57) [priority: 65535]
+ if ($syscall == 57)
+ action ERRNO(3);
+ # filter for syscall "ioctl" (29) [priority: 65535]
+ if ($syscall == 29)
+ action ERRNO(16);
+ # default action
+ action ALLOW;
+# invalid architecture action
+action KILL;
+#
+# pseudo filter code end
+#
diff --git a/tests/55-basic-pfc_binary_tree.sh b/tests/55-basic-pfc_binary_tree.sh
new file mode 100755
index 0000000..a12c69c
--- /dev/null
+++ b/tests/55-basic-pfc_binary_tree.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2019 Oracle and/or its affiliates. All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+####
+# functions
+
+#
+# Dependency check
+#
+# Arguments:
+# 1 Dependency to check for
+#
+function check_deps() {
+ [[ -z "$1" ]] && return
+ which "$1" >& /dev/null
+ return $?
+}
+
+#
+# Dependency verification
+#
+# Arguments:
+# 1 Dependency to check for
+#
+function verify_deps() {
+ [[ -z "$1" ]] && return
+ if ! check_deps "$1"; then
+ echo "error: install \"$1\" and include it in your \$PATH"
+ exit 1
+ fi
+}
+
+####
+# functions
+
+verify_deps diff
+
+# compare output to the known good output, fail if different
+./55-basic-pfc_binary_tree | \
+ diff -q ${srcdir:=.}/55-basic-pfc_binary_tree.pfc - > /dev/null
diff --git a/tests/55-basic-pfc_binary_tree.tests b/tests/55-basic-pfc_binary_tree.tests
new file mode 100644
index 0000000..8269a64
--- /dev/null
+++ b/tests/55-basic-pfc_binary_tree.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2019 Oracle and/or its affiliates. All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+test type: basic
+
+# Test command
+55-basic-pfc_binary_tree.sh
diff --git a/tests/56-basic-iterate_syscalls.c b/tests/56-basic-iterate_syscalls.c
new file mode 100644
index 0000000..5e7ab67
--- /dev/null
+++ b/tests/56-basic-iterate_syscalls.c
@@ -0,0 +1,90 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2020 Red Hat <gscrivan@redhat.com>
+ * Author: Giuseppe Scrivano <gscrivan@redhat.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+#include <seccomp.h>
+
+unsigned int arch_list[] = {
+ SCMP_ARCH_NATIVE,
+ SCMP_ARCH_X86,
+ SCMP_ARCH_X86_64,
+ SCMP_ARCH_X32,
+ SCMP_ARCH_ARM,
+ SCMP_ARCH_AARCH64,
+ SCMP_ARCH_MIPS,
+ SCMP_ARCH_MIPS64,
+ SCMP_ARCH_MIPS64N32,
+ SCMP_ARCH_MIPSEL,
+ SCMP_ARCH_MIPSEL64,
+ SCMP_ARCH_MIPSEL64N32,
+ SCMP_ARCH_PPC,
+ SCMP_ARCH_PPC64,
+ SCMP_ARCH_PPC64LE,
+ SCMP_ARCH_S390,
+ SCMP_ARCH_S390X,
+ SCMP_ARCH_PARISC,
+ SCMP_ARCH_PARISC64,
+ SCMP_ARCH_RISCV64,
+ -1
+};
+
+static int test_arch(int arch, int init)
+{
+ int n, iter = 0;
+
+ for (iter = init; iter < init + 1000; iter++) {
+ char *name;
+
+ name = seccomp_syscall_resolve_num_arch(arch, iter);
+ if (name == NULL)
+ continue;
+
+ n = seccomp_syscall_resolve_name_arch(arch, name);
+ if (n != iter)
+ return 1;
+ }
+ return 0;
+}
+
+int main(int argc, char *argv[])
+{
+ int iter = 0;
+
+ for (iter = 0; arch_list[iter] != -1; iter++) {
+ int init = 0;
+ if (arch_list[iter] == SCMP_ARCH_X32)
+ init = 0x40000000;
+ else if (arch_list[iter] == SCMP_ARCH_MIPS)
+ init = 4000;
+ else if (arch_list[iter] == SCMP_ARCH_MIPS64)
+ init = 5000;
+ else if (arch_list[iter] == SCMP_ARCH_MIPS64N32)
+ init = 6000;
+ if (test_arch(arch_list[iter], init) < 0)
+ return 1;
+ }
+
+ return 0;
+}
diff --git a/tests/56-basic-iterate_syscalls.py b/tests/56-basic-iterate_syscalls.py
new file mode 100755
index 0000000..77a5b89
--- /dev/null
+++ b/tests/56-basic-iterate_syscalls.py
@@ -0,0 +1,65 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2020 Red Hat <gscrivan@redhat.com>
+# Author: Giuseppe Scrivano <gscrivan@redhat.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+arch_list = ["x86",
+ "x86_64",
+ "x32",
+ "arm",
+ "aarch64",
+ "mipsel",
+ "mipsel64",
+ "mipsel64n32",
+ "ppc64le",
+ "riscv64"]
+
+def test_arch(arch, init):
+ for i in range(init, init + 1000):
+ sys_name = resolve_syscall(arch, i)
+ if sys_name is None:
+ continue
+ n = resolve_syscall(i, sys_name)
+ if i != n:
+ raise RuntimeError("Test failure")
+
+def test():
+ for i in arch_list:
+ init = 0
+ if i == "x32":
+ init = 0x40000000
+ elif i == "mipsel":
+ init = 4000
+ elif i == "mipsel64":
+ init = 5000
+ elif i == "mipsel64n32":
+ init = 6000
+ test_arch(Arch(i), init)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/56-basic-iterate_syscalls.tests b/tests/56-basic-iterate_syscalls.tests
new file mode 100644
index 0000000..a84415a
--- /dev/null
+++ b/tests/56-basic-iterate_syscalls.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2020 Red Hat <gscrivan@redhat.com>
+# Author: Giuseppe Scrivano <gscrivan@redhat.com>
+#
+
+test type: basic
+
+# Test command
+56-basic-iterate_syscalls
diff --git a/tests/57-basic-rawsysrc.c b/tests/57-basic-rawsysrc.c
new file mode 100644
index 0000000..4248c7a
--- /dev/null
+++ b/tests/57-basic-rawsysrc.c
@@ -0,0 +1,64 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2020 Cisco Systems, Inc. <pmoore2@cisco.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ int fd;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = seccomp_api_set(3);
+ if (rc != 0)
+ return EOPNOTSUPP;
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL) {
+ rc = ENOMEM;
+ goto out;
+ }
+
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_API_SYSRAWRC, 1);
+ if (rc != 0)
+ goto out;
+
+ /* we must use a closed/invalid fd for this to work */
+ fd = dup(2);
+ close(fd);
+ rc = seccomp_export_pfc(ctx, fd);
+ if (rc == -EBADF)
+ rc = 0;
+ else
+ rc = -1;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/57-basic-rawsysrc.py b/tests/57-basic-rawsysrc.py
new file mode 100755
index 0000000..a88461a
--- /dev/null
+++ b/tests/57-basic-rawsysrc.py
@@ -0,0 +1,46 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2020 Cisco Systems, Inc. <pmoore2@cisco.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+import os
+
+import util
+
+from seccomp import *
+
+def test():
+ # this test really isn't conclusive, but considering how python does error
+ # handling it may be the best we can do
+ f = SyscallFilter(ALLOW)
+ dummy = open("/dev/null", "w")
+ os.close(dummy.fileno())
+ try:
+ f = f.export_pfc(dummy)
+ except RuntimeError:
+ pass
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/57-basic-rawsysrc.tests b/tests/57-basic-rawsysrc.tests
new file mode 100644
index 0000000..fe71632
--- /dev/null
+++ b/tests/57-basic-rawsysrc.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2020 Cisco Systems, Inc. <pmoore2@cisco.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: basic
+
+# Test command
+57-basic-rawsysrc
diff --git a/tests/58-live-tsync_notify.c b/tests/58-live-tsync_notify.c
new file mode 100644
index 0000000..e071284
--- /dev/null
+++ b/tests/58-live-tsync_notify.c
@@ -0,0 +1,117 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <asm/unistd.h>
+#include <unistd.h>
+#include <seccomp.h>
+#include <signal.h>
+#include <syscall.h>
+#include <errno.h>
+#include <stdlib.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc, fd = -1, status;
+ struct seccomp_notif *req = NULL;
+ struct seccomp_notif_resp *resp = NULL;
+ scmp_filter_ctx ctx = NULL;
+ pid_t pid = 0, magic;
+
+ magic = getpid();
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
+ if (rc)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(getpid), 0, NULL);
+ if (rc)
+ goto out;
+
+ rc = seccomp_load(ctx);
+ if (rc < 0)
+ goto out;
+
+ rc = seccomp_notify_fd(ctx);
+ if (rc < 0)
+ goto out;
+ fd = rc;
+
+ pid = fork();
+ if (pid == 0)
+ exit(syscall(__NR_getpid) != magic);
+
+ rc = seccomp_notify_alloc(&req, &resp);
+ if (rc)
+ goto out;
+
+ rc = seccomp_notify_receive(fd, req);
+ if (rc)
+ goto out;
+ if (req->data.nr != __NR_getpid) {
+ rc = -EFAULT;
+ goto out;
+ }
+ rc = seccomp_notify_id_valid(fd, req->id);
+ if (rc)
+ goto out;
+
+ resp->id = req->id;
+ resp->val = magic;
+ resp->error = 0;
+ resp->flags = 0;
+ rc = seccomp_notify_respond(fd, resp);
+ if (rc)
+ goto out;
+
+ if (waitpid(pid, &status, 0) != pid) {
+ rc = -EFAULT;
+ goto out;
+ }
+
+ if (!WIFEXITED(status)) {
+ rc = -EFAULT;
+ goto out;
+ }
+ if (WEXITSTATUS(status)) {
+ rc = -EFAULT;
+ goto out;
+ }
+
+out:
+ if (fd >= 0)
+ close(fd);
+ if (pid)
+ kill(pid, SIGKILL);
+ seccomp_notify_free(req, resp);
+ seccomp_release(ctx);
+
+ if (rc != 0)
+ return (rc < 0 ? -rc : rc);
+ return 160;
+}
diff --git a/tests/58-live-tsync_notify.py b/tests/58-live-tsync_notify.py
new file mode 100755
index 0000000..ae01b06
--- /dev/null
+++ b/tests/58-live-tsync_notify.py
@@ -0,0 +1,61 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import os
+import signal
+import sys
+
+import util
+
+from seccomp import *
+
+def test():
+ magic = os.getuid() + 1
+ f = SyscallFilter(ALLOW)
+ f.set_attr(Attr.CTL_TSYNC, 1)
+ f.add_rule(NOTIFY, "getuid")
+ f.load()
+ pid = os.fork()
+ if pid == 0:
+ val = os.getuid()
+ if val != magic:
+ raise RuntimeError("Response return value failed")
+ quit(1)
+ quit(0)
+ else:
+ notify = f.receive_notify()
+ if notify.syscall != resolve_syscall(Arch(), "getuid"):
+ raise RuntimeError("Notification failed")
+ f.respond_notify(NotificationResponse(notify, magic, 0, 0))
+ wpid, rc = os.waitpid(pid, 0)
+ if os.WIFEXITED(rc) == 0:
+ raise RuntimeError("Child process error")
+ if os.WEXITSTATUS(rc) != 0:
+ raise RuntimeError("Child process error")
+ quit(160)
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/58-live-tsync_notify.tests b/tests/58-live-tsync_notify.tests
new file mode 100644
index 0000000..6c84891
--- /dev/null
+++ b/tests/58-live-tsync_notify.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: live
+
+# Testname API Result
+58-live-tsync_notify 6 ALLOW
diff --git a/tests/59-basic-empty_binary_tree.c b/tests/59-basic-empty_binary_tree.c
new file mode 100644
index 0000000..6b6485e
--- /dev/null
+++ b/tests/59-basic-empty_binary_tree.c
@@ -0,0 +1,54 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2018-2020 Oracle and/or its affiliates.
+ * Author: Tom Hromatka <tom.hromatka@oracle.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
+ if (rc < 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/59-basic-empty_binary_tree.py b/tests/59-basic-empty_binary_tree.py
new file mode 100755
index 0000000..5acbbd4
--- /dev/null
+++ b/tests/59-basic-empty_binary_tree.py
@@ -0,0 +1,41 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2022 Oracle and/or its affiliates.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(ALLOW)
+ f.set_attr(Attr.CTL_OPTIMIZE, 2)
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/59-basic-empty_binary_tree.tests b/tests/59-basic-empty_binary_tree.tests
new file mode 100644
index 0000000..ff6dbc3
--- /dev/null
+++ b/tests/59-basic-empty_binary_tree.tests
@@ -0,0 +1,16 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2022 Oracle and/or its affiliates.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+59-basic-empty_binary_tree all,-x32 0-350 N N N N N N ALLOW
+
+test type: bpf-valgrind
+
+# Testname
+59-basic-empty_binary_tree
diff --git a/tests/Makefile.am b/tests/Makefile.am
new file mode 100644
index 0000000..f0a1f8e
--- /dev/null
+++ b/tests/Makefile.am
@@ -0,0 +1,242 @@
+####
+# Seccomp Library Tests
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License
+# as published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser
+# General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+if CODE_COVERAGE_ENABLED
+DBG_STATIC =
+else
+DBG_STATIC = -static
+endif
+
+AM_LDFLAGS = ${DBG_STATIC} -lpthread
+
+LDADD = util.la ../src/libseccomp.la ${CODE_COVERAGE_LIBS}
+
+check_LTLIBRARIES = util.la
+util_la_SOURCES = util.c util.h
+util_la_LDFLAGS = -module
+
+miniseq_LDADD =
+
+TESTS = regression
+
+check_PROGRAMS = \
+ miniseq \
+ 01-sim-allow \
+ 02-sim-basic \
+ 03-sim-basic_chains \
+ 04-sim-multilevel_chains \
+ 05-sim-long_jumps \
+ 06-sim-actions \
+ 07-sim-db_bug_looping \
+ 08-sim-subtree_checks \
+ 09-sim-syscall_priority_pre \
+ 10-sim-syscall_priority_post \
+ 11-basic-basic_errors \
+ 12-sim-basic_masked_ops \
+ 13-basic-attrs \
+ 14-sim-reset \
+ 15-basic-resolver \
+ 16-sim-arch_basic \
+ 17-sim-arch_merge \
+ 18-sim-basic_allowlist \
+ 19-sim-missing_syscalls \
+ 20-live-basic_die \
+ 21-live-basic_allow \
+ 22-sim-basic_chains_array \
+ 23-sim-arch_all_le_basic \
+ 24-live-arg_allow \
+ 25-sim-multilevel_chains_adv \
+ 26-sim-arch_all_be_basic \
+ 27-sim-bpf_blk_state \
+ 28-sim-arch_x86 \
+ 29-sim-pseudo_syscall \
+ 30-sim-socket_syscalls \
+ 31-basic-version_check \
+ 32-live-tsync_allow \
+ 33-sim-socket_syscalls_be \
+ 34-sim-basic_denylist \
+ 35-sim-negative_one \
+ 36-sim-ipc_syscalls \
+ 37-sim-ipc_syscalls_be \
+ 38-basic-pfc_coverage \
+ 39-basic-api_level \
+ 40-sim-log \
+ 41-sim-syscall_priority_arch \
+ 42-sim-adv_chains \
+ 43-sim-a2_order \
+ 44-live-a2_order \
+ 45-sim-chain_code_coverage \
+ 46-sim-kill_process \
+ 47-live-kill_process \
+ 48-sim-32b_args \
+ 49-sim-64b_comparisons \
+ 50-sim-hash_collision \
+ 51-live-user_notification \
+ 52-basic-load \
+ 53-sim-binary_tree \
+ 54-live-binary_tree \
+ 55-basic-pfc_binary_tree \
+ 56-basic-iterate_syscalls \
+ 57-basic-rawsysrc \
+ 58-live-tsync_notify \
+ 59-basic-empty_binary_tree
+
+EXTRA_DIST_TESTPYTHON = \
+ util.py \
+ 01-sim-allow.py \
+ 02-sim-basic.py \
+ 03-sim-basic_chains.py \
+ 04-sim-multilevel_chains.py \
+ 05-sim-long_jumps.py \
+ 06-sim-actions.py \
+ 07-sim-db_bug_looping.py \
+ 08-sim-subtree_checks.py \
+ 09-sim-syscall_priority_pre.py \
+ 10-sim-syscall_priority_post.py \
+ 11-basic-basic_errors.py \
+ 12-sim-basic_masked_ops.py \
+ 13-basic-attrs.py \
+ 14-sim-reset.py \
+ 15-basic-resolver.py \
+ 16-sim-arch_basic.py \
+ 17-sim-arch_merge.py \
+ 18-sim-basic_allowlist.py \
+ 19-sim-missing_syscalls.py \
+ 20-live-basic_die.py \
+ 21-live-basic_allow.py \
+ 22-sim-basic_chains_array.py \
+ 23-sim-arch_all_le_basic.py \
+ 24-live-arg_allow.py \
+ 25-sim-multilevel_chains_adv.py \
+ 26-sim-arch_all_be_basic.py \
+ 27-sim-bpf_blk_state.py \
+ 28-sim-arch_x86.py \
+ 29-sim-pseudo_syscall.py \
+ 30-sim-socket_syscalls.py \
+ 31-basic-version_check.py \
+ 32-live-tsync_allow.py \
+ 33-sim-socket_syscalls_be.py \
+ 34-sim-basic_denylist.py \
+ 35-sim-negative_one.py \
+ 36-sim-ipc_syscalls.py \
+ 37-sim-ipc_syscalls_be.py \
+ 39-basic-api_level.py \
+ 40-sim-log.py \
+ 41-sim-syscall_priority_arch.py \
+ 42-sim-adv_chains.py \
+ 43-sim-a2_order.py \
+ 44-live-a2_order.py \
+ 45-sim-chain_code_coverage.py \
+ 46-sim-kill_process.py \
+ 47-live-kill_process.py \
+ 48-sim-32b_args.py \
+ 49-sim-64b_comparisons.py \
+ 50-sim-hash_collision.py \
+ 51-live-user_notification.py \
+ 52-basic-load.py \
+ 53-sim-binary_tree.py \
+ 54-live-binary_tree.py \
+ 56-basic-iterate_syscalls.py \
+ 57-basic-rawsysrc.py \
+ 58-live-tsync_notify.py \
+ 59-basic-empty_binary_tree.py
+
+EXTRA_DIST_TESTCFGS = \
+ 01-sim-allow.tests \
+ 02-sim-basic.tests \
+ 03-sim-basic_chains.tests \
+ 04-sim-multilevel_chains.tests \
+ 05-sim-long_jumps.tests \
+ 06-sim-actions.tests \
+ 07-sim-db_bug_looping.tests \
+ 08-sim-subtree_checks.tests \
+ 09-sim-syscall_priority_pre.tests \
+ 10-sim-syscall_priority_post.tests \
+ 11-basic-basic_errors.tests \
+ 12-sim-basic_masked_ops.tests \
+ 13-basic-attrs.tests \
+ 14-sim-reset.tests \
+ 15-basic-resolver.tests \
+ 16-sim-arch_basic.tests \
+ 17-sim-arch_merge.tests \
+ 18-sim-basic_allowlist.tests \
+ 19-sim-missing_syscalls.tests \
+ 20-live-basic_die.tests \
+ 21-live-basic_allow.tests \
+ 22-sim-basic_chains_array.tests \
+ 23-sim-arch_all_le_basic.tests \
+ 24-live-arg_allow.tests \
+ 25-sim-multilevel_chains_adv.tests \
+ 26-sim-arch_all_be_basic.tests \
+ 27-sim-bpf_blk_state.tests \
+ 28-sim-arch_x86.tests \
+ 29-sim-pseudo_syscall.tests \
+ 30-sim-socket_syscalls.tests \
+ 31-basic-version_check.tests \
+ 32-live-tsync_allow.tests \
+ 33-sim-socket_syscalls_be.tests \
+ 34-sim-basic_denylist.tests \
+ 35-sim-negative_one.tests \
+ 36-sim-ipc_syscalls.tests \
+ 37-sim-ipc_syscalls_be.tests \
+ 38-basic-pfc_coverage.tests \
+ 39-basic-api_level.tests \
+ 40-sim-log.tests \
+ 41-sim-syscall_priority_arch.tests \
+ 42-sim-adv_chains.tests \
+ 43-sim-a2_order.tests \
+ 44-live-a2_order.tests \
+ 45-sim-chain_code_coverage.tests \
+ 46-sim-kill_process.tests \
+ 47-live-kill_process.tests \
+ 48-sim-32b_args.tests \
+ 49-sim-64b_comparisons.tests \
+ 50-sim-hash_collision.tests \
+ 51-live-user_notification.tests \
+ 52-basic-load.tests \
+ 53-sim-binary_tree.tests \
+ 54-live-binary_tree.tests \
+ 55-basic-pfc_binary_tree.tests \
+ 56-basic-iterate_syscalls.tests \
+ 57-basic-rawsysrc.tests \
+ 58-live-tsync_notify.tests \
+ 59-basic-empty_binary_tree.tests
+
+EXTRA_DIST_TESTSCRIPTS = \
+ 38-basic-pfc_coverage.sh 38-basic-pfc_coverage.pfc \
+ 55-basic-pfc_binary_tree.sh 55-basic-pfc_binary_tree.pfc
+
+EXTRA_DIST_TESTTOOLS = regression testdiff testgen
+
+EXTRA_DIST_TESTVALGRIND = valgrind_test.supp
+
+EXTRA_DIST = \
+ ${EXTRA_DIST_TESTCFGS} \
+ ${EXTRA_DIST_TESTPYTHON} \
+ ${EXTRA_DIST_TESTSCRIPTS} \
+ ${EXTRA_DIST_TESTTOOLS} \
+ ${EXTRA_DIST_TESTVALGRIND}
+
+nodist_00_test_SOURCES = 00-test.c
+EXTRA_PROGRAMS = 00-test
+
+check-build:
+ ${MAKE} ${AM_MAKEFLAGS} ${check_PROGRAMS}
+
+clean-local:
+ ${RM} -f 00-test *.pyc
diff --git a/tests/Makefile.in b/tests/Makefile.in
new file mode 100644
index 0000000..499342f
--- /dev/null
+++ b/tests/Makefile.in
@@ -0,0 +1,1805 @@
+# Makefile.in generated by automake 1.16.5 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2021 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+####
+# Seccomp Library Tests
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License
+# as published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser
+# General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+VPATH = @srcdir@
+am__is_gnu_make = { \
+ if test -z '$(MAKELEVEL)'; then \
+ false; \
+ elif test -n '$(MAKE_HOST)'; then \
+ true; \
+ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+ true; \
+ else \
+ false; \
+ fi; \
+}
+am__make_running_with_option = \
+ case $${target_option-} in \
+ ?) ;; \
+ *) echo "am__make_running_with_option: internal error: invalid" \
+ "target option '$${target_option-}' specified" >&2; \
+ exit 1;; \
+ esac; \
+ has_opt=no; \
+ sane_makeflags=$$MAKEFLAGS; \
+ if $(am__is_gnu_make); then \
+ sane_makeflags=$$MFLAGS; \
+ else \
+ case $$MAKEFLAGS in \
+ *\\[\ \ ]*) \
+ bs=\\; \
+ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
+ esac; \
+ fi; \
+ skip_next=no; \
+ strip_trailopt () \
+ { \
+ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+ }; \
+ for flg in $$sane_makeflags; do \
+ test $$skip_next = yes && { skip_next=no; continue; }; \
+ case $$flg in \
+ *=*|--*) continue;; \
+ -*I) strip_trailopt 'I'; skip_next=yes;; \
+ -*I?*) strip_trailopt 'I';; \
+ -*O) strip_trailopt 'O'; skip_next=yes;; \
+ -*O?*) strip_trailopt 'O';; \
+ -*l) strip_trailopt 'l'; skip_next=yes;; \
+ -*l?*) strip_trailopt 'l';; \
+ -[dEDm]) skip_next=yes;; \
+ -[JT]) skip_next=yes;; \
+ esac; \
+ case $$flg in \
+ *$$target_option*) has_opt=yes; break;; \
+ esac; \
+ done; \
+ test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+check_PROGRAMS = miniseq$(EXEEXT) 01-sim-allow$(EXEEXT) \
+ 02-sim-basic$(EXEEXT) 03-sim-basic_chains$(EXEEXT) \
+ 04-sim-multilevel_chains$(EXEEXT) 05-sim-long_jumps$(EXEEXT) \
+ 06-sim-actions$(EXEEXT) 07-sim-db_bug_looping$(EXEEXT) \
+ 08-sim-subtree_checks$(EXEEXT) \
+ 09-sim-syscall_priority_pre$(EXEEXT) \
+ 10-sim-syscall_priority_post$(EXEEXT) \
+ 11-basic-basic_errors$(EXEEXT) \
+ 12-sim-basic_masked_ops$(EXEEXT) 13-basic-attrs$(EXEEXT) \
+ 14-sim-reset$(EXEEXT) 15-basic-resolver$(EXEEXT) \
+ 16-sim-arch_basic$(EXEEXT) 17-sim-arch_merge$(EXEEXT) \
+ 18-sim-basic_allowlist$(EXEEXT) \
+ 19-sim-missing_syscalls$(EXEEXT) 20-live-basic_die$(EXEEXT) \
+ 21-live-basic_allow$(EXEEXT) \
+ 22-sim-basic_chains_array$(EXEEXT) \
+ 23-sim-arch_all_le_basic$(EXEEXT) 24-live-arg_allow$(EXEEXT) \
+ 25-sim-multilevel_chains_adv$(EXEEXT) \
+ 26-sim-arch_all_be_basic$(EXEEXT) \
+ 27-sim-bpf_blk_state$(EXEEXT) 28-sim-arch_x86$(EXEEXT) \
+ 29-sim-pseudo_syscall$(EXEEXT) 30-sim-socket_syscalls$(EXEEXT) \
+ 31-basic-version_check$(EXEEXT) 32-live-tsync_allow$(EXEEXT) \
+ 33-sim-socket_syscalls_be$(EXEEXT) \
+ 34-sim-basic_denylist$(EXEEXT) 35-sim-negative_one$(EXEEXT) \
+ 36-sim-ipc_syscalls$(EXEEXT) 37-sim-ipc_syscalls_be$(EXEEXT) \
+ 38-basic-pfc_coverage$(EXEEXT) 39-basic-api_level$(EXEEXT) \
+ 40-sim-log$(EXEEXT) 41-sim-syscall_priority_arch$(EXEEXT) \
+ 42-sim-adv_chains$(EXEEXT) 43-sim-a2_order$(EXEEXT) \
+ 44-live-a2_order$(EXEEXT) 45-sim-chain_code_coverage$(EXEEXT) \
+ 46-sim-kill_process$(EXEEXT) 47-live-kill_process$(EXEEXT) \
+ 48-sim-32b_args$(EXEEXT) 49-sim-64b_comparisons$(EXEEXT) \
+ 50-sim-hash_collision$(EXEEXT) \
+ 51-live-user_notification$(EXEEXT) 52-basic-load$(EXEEXT) \
+ 53-sim-binary_tree$(EXEEXT) 54-live-binary_tree$(EXEEXT) \
+ 55-basic-pfc_binary_tree$(EXEEXT) \
+ 56-basic-iterate_syscalls$(EXEEXT) 57-basic-rawsysrc$(EXEEXT) \
+ 58-live-tsync_notify$(EXEEXT) \
+ 59-basic-empty_binary_tree$(EXEEXT)
+EXTRA_PROGRAMS = 00-test$(EXEEXT)
+subdir = tests
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/ax_code_coverage.m4 \
+ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
+ $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
+ $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/configure.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+util_la_LIBADD =
+am_util_la_OBJECTS = util.lo
+util_la_OBJECTS = $(am_util_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 =
+util_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(util_la_LDFLAGS) $(LDFLAGS) -o $@
+nodist_00_test_OBJECTS = 00-test.$(OBJEXT)
+00_test_OBJECTS = $(nodist_00_test_OBJECTS)
+00_test_LDADD = $(LDADD)
+am__DEPENDENCIES_1 =
+00_test_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+01_sim_allow_SOURCES = 01-sim-allow.c
+01_sim_allow_OBJECTS = 01-sim-allow.$(OBJEXT)
+01_sim_allow_LDADD = $(LDADD)
+01_sim_allow_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+02_sim_basic_SOURCES = 02-sim-basic.c
+02_sim_basic_OBJECTS = 02-sim-basic.$(OBJEXT)
+02_sim_basic_LDADD = $(LDADD)
+02_sim_basic_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+03_sim_basic_chains_SOURCES = 03-sim-basic_chains.c
+03_sim_basic_chains_OBJECTS = 03-sim-basic_chains.$(OBJEXT)
+03_sim_basic_chains_LDADD = $(LDADD)
+03_sim_basic_chains_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+04_sim_multilevel_chains_SOURCES = 04-sim-multilevel_chains.c
+04_sim_multilevel_chains_OBJECTS = 04-sim-multilevel_chains.$(OBJEXT)
+04_sim_multilevel_chains_LDADD = $(LDADD)
+04_sim_multilevel_chains_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+05_sim_long_jumps_SOURCES = 05-sim-long_jumps.c
+05_sim_long_jumps_OBJECTS = 05-sim-long_jumps.$(OBJEXT)
+05_sim_long_jumps_LDADD = $(LDADD)
+05_sim_long_jumps_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+06_sim_actions_SOURCES = 06-sim-actions.c
+06_sim_actions_OBJECTS = 06-sim-actions.$(OBJEXT)
+06_sim_actions_LDADD = $(LDADD)
+06_sim_actions_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+07_sim_db_bug_looping_SOURCES = 07-sim-db_bug_looping.c
+07_sim_db_bug_looping_OBJECTS = 07-sim-db_bug_looping.$(OBJEXT)
+07_sim_db_bug_looping_LDADD = $(LDADD)
+07_sim_db_bug_looping_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+08_sim_subtree_checks_SOURCES = 08-sim-subtree_checks.c
+08_sim_subtree_checks_OBJECTS = 08-sim-subtree_checks.$(OBJEXT)
+08_sim_subtree_checks_LDADD = $(LDADD)
+08_sim_subtree_checks_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+09_sim_syscall_priority_pre_SOURCES = 09-sim-syscall_priority_pre.c
+09_sim_syscall_priority_pre_OBJECTS = \
+ 09-sim-syscall_priority_pre.$(OBJEXT)
+09_sim_syscall_priority_pre_LDADD = $(LDADD)
+09_sim_syscall_priority_pre_DEPENDENCIES = util.la \
+ ../src/libseccomp.la $(am__DEPENDENCIES_1)
+10_sim_syscall_priority_post_SOURCES = 10-sim-syscall_priority_post.c
+10_sim_syscall_priority_post_OBJECTS = \
+ 10-sim-syscall_priority_post.$(OBJEXT)
+10_sim_syscall_priority_post_LDADD = $(LDADD)
+10_sim_syscall_priority_post_DEPENDENCIES = util.la \
+ ../src/libseccomp.la $(am__DEPENDENCIES_1)
+11_basic_basic_errors_SOURCES = 11-basic-basic_errors.c
+11_basic_basic_errors_OBJECTS = 11-basic-basic_errors.$(OBJEXT)
+11_basic_basic_errors_LDADD = $(LDADD)
+11_basic_basic_errors_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+12_sim_basic_masked_ops_SOURCES = 12-sim-basic_masked_ops.c
+12_sim_basic_masked_ops_OBJECTS = 12-sim-basic_masked_ops.$(OBJEXT)
+12_sim_basic_masked_ops_LDADD = $(LDADD)
+12_sim_basic_masked_ops_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+13_basic_attrs_SOURCES = 13-basic-attrs.c
+13_basic_attrs_OBJECTS = 13-basic-attrs.$(OBJEXT)
+13_basic_attrs_LDADD = $(LDADD)
+13_basic_attrs_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+14_sim_reset_SOURCES = 14-sim-reset.c
+14_sim_reset_OBJECTS = 14-sim-reset.$(OBJEXT)
+14_sim_reset_LDADD = $(LDADD)
+14_sim_reset_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+15_basic_resolver_SOURCES = 15-basic-resolver.c
+15_basic_resolver_OBJECTS = 15-basic-resolver.$(OBJEXT)
+15_basic_resolver_LDADD = $(LDADD)
+15_basic_resolver_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+16_sim_arch_basic_SOURCES = 16-sim-arch_basic.c
+16_sim_arch_basic_OBJECTS = 16-sim-arch_basic.$(OBJEXT)
+16_sim_arch_basic_LDADD = $(LDADD)
+16_sim_arch_basic_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+17_sim_arch_merge_SOURCES = 17-sim-arch_merge.c
+17_sim_arch_merge_OBJECTS = 17-sim-arch_merge.$(OBJEXT)
+17_sim_arch_merge_LDADD = $(LDADD)
+17_sim_arch_merge_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+18_sim_basic_allowlist_SOURCES = 18-sim-basic_allowlist.c
+18_sim_basic_allowlist_OBJECTS = 18-sim-basic_allowlist.$(OBJEXT)
+18_sim_basic_allowlist_LDADD = $(LDADD)
+18_sim_basic_allowlist_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+19_sim_missing_syscalls_SOURCES = 19-sim-missing_syscalls.c
+19_sim_missing_syscalls_OBJECTS = 19-sim-missing_syscalls.$(OBJEXT)
+19_sim_missing_syscalls_LDADD = $(LDADD)
+19_sim_missing_syscalls_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+20_live_basic_die_SOURCES = 20-live-basic_die.c
+20_live_basic_die_OBJECTS = 20-live-basic_die.$(OBJEXT)
+20_live_basic_die_LDADD = $(LDADD)
+20_live_basic_die_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+21_live_basic_allow_SOURCES = 21-live-basic_allow.c
+21_live_basic_allow_OBJECTS = 21-live-basic_allow.$(OBJEXT)
+21_live_basic_allow_LDADD = $(LDADD)
+21_live_basic_allow_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+22_sim_basic_chains_array_SOURCES = 22-sim-basic_chains_array.c
+22_sim_basic_chains_array_OBJECTS = \
+ 22-sim-basic_chains_array.$(OBJEXT)
+22_sim_basic_chains_array_LDADD = $(LDADD)
+22_sim_basic_chains_array_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+23_sim_arch_all_le_basic_SOURCES = 23-sim-arch_all_le_basic.c
+23_sim_arch_all_le_basic_OBJECTS = 23-sim-arch_all_le_basic.$(OBJEXT)
+23_sim_arch_all_le_basic_LDADD = $(LDADD)
+23_sim_arch_all_le_basic_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+24_live_arg_allow_SOURCES = 24-live-arg_allow.c
+24_live_arg_allow_OBJECTS = 24-live-arg_allow.$(OBJEXT)
+24_live_arg_allow_LDADD = $(LDADD)
+24_live_arg_allow_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+25_sim_multilevel_chains_adv_SOURCES = 25-sim-multilevel_chains_adv.c
+25_sim_multilevel_chains_adv_OBJECTS = \
+ 25-sim-multilevel_chains_adv.$(OBJEXT)
+25_sim_multilevel_chains_adv_LDADD = $(LDADD)
+25_sim_multilevel_chains_adv_DEPENDENCIES = util.la \
+ ../src/libseccomp.la $(am__DEPENDENCIES_1)
+26_sim_arch_all_be_basic_SOURCES = 26-sim-arch_all_be_basic.c
+26_sim_arch_all_be_basic_OBJECTS = 26-sim-arch_all_be_basic.$(OBJEXT)
+26_sim_arch_all_be_basic_LDADD = $(LDADD)
+26_sim_arch_all_be_basic_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+27_sim_bpf_blk_state_SOURCES = 27-sim-bpf_blk_state.c
+27_sim_bpf_blk_state_OBJECTS = 27-sim-bpf_blk_state.$(OBJEXT)
+27_sim_bpf_blk_state_LDADD = $(LDADD)
+27_sim_bpf_blk_state_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+28_sim_arch_x86_SOURCES = 28-sim-arch_x86.c
+28_sim_arch_x86_OBJECTS = 28-sim-arch_x86.$(OBJEXT)
+28_sim_arch_x86_LDADD = $(LDADD)
+28_sim_arch_x86_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+29_sim_pseudo_syscall_SOURCES = 29-sim-pseudo_syscall.c
+29_sim_pseudo_syscall_OBJECTS = 29-sim-pseudo_syscall.$(OBJEXT)
+29_sim_pseudo_syscall_LDADD = $(LDADD)
+29_sim_pseudo_syscall_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+30_sim_socket_syscalls_SOURCES = 30-sim-socket_syscalls.c
+30_sim_socket_syscalls_OBJECTS = 30-sim-socket_syscalls.$(OBJEXT)
+30_sim_socket_syscalls_LDADD = $(LDADD)
+30_sim_socket_syscalls_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+31_basic_version_check_SOURCES = 31-basic-version_check.c
+31_basic_version_check_OBJECTS = 31-basic-version_check.$(OBJEXT)
+31_basic_version_check_LDADD = $(LDADD)
+31_basic_version_check_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+32_live_tsync_allow_SOURCES = 32-live-tsync_allow.c
+32_live_tsync_allow_OBJECTS = 32-live-tsync_allow.$(OBJEXT)
+32_live_tsync_allow_LDADD = $(LDADD)
+32_live_tsync_allow_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+33_sim_socket_syscalls_be_SOURCES = 33-sim-socket_syscalls_be.c
+33_sim_socket_syscalls_be_OBJECTS = \
+ 33-sim-socket_syscalls_be.$(OBJEXT)
+33_sim_socket_syscalls_be_LDADD = $(LDADD)
+33_sim_socket_syscalls_be_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+34_sim_basic_denylist_SOURCES = 34-sim-basic_denylist.c
+34_sim_basic_denylist_OBJECTS = 34-sim-basic_denylist.$(OBJEXT)
+34_sim_basic_denylist_LDADD = $(LDADD)
+34_sim_basic_denylist_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+35_sim_negative_one_SOURCES = 35-sim-negative_one.c
+35_sim_negative_one_OBJECTS = 35-sim-negative_one.$(OBJEXT)
+35_sim_negative_one_LDADD = $(LDADD)
+35_sim_negative_one_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+36_sim_ipc_syscalls_SOURCES = 36-sim-ipc_syscalls.c
+36_sim_ipc_syscalls_OBJECTS = 36-sim-ipc_syscalls.$(OBJEXT)
+36_sim_ipc_syscalls_LDADD = $(LDADD)
+36_sim_ipc_syscalls_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+37_sim_ipc_syscalls_be_SOURCES = 37-sim-ipc_syscalls_be.c
+37_sim_ipc_syscalls_be_OBJECTS = 37-sim-ipc_syscalls_be.$(OBJEXT)
+37_sim_ipc_syscalls_be_LDADD = $(LDADD)
+37_sim_ipc_syscalls_be_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+38_basic_pfc_coverage_SOURCES = 38-basic-pfc_coverage.c
+38_basic_pfc_coverage_OBJECTS = 38-basic-pfc_coverage.$(OBJEXT)
+38_basic_pfc_coverage_LDADD = $(LDADD)
+38_basic_pfc_coverage_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+39_basic_api_level_SOURCES = 39-basic-api_level.c
+39_basic_api_level_OBJECTS = 39-basic-api_level.$(OBJEXT)
+39_basic_api_level_LDADD = $(LDADD)
+39_basic_api_level_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+40_sim_log_SOURCES = 40-sim-log.c
+40_sim_log_OBJECTS = 40-sim-log.$(OBJEXT)
+40_sim_log_LDADD = $(LDADD)
+40_sim_log_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+41_sim_syscall_priority_arch_SOURCES = 41-sim-syscall_priority_arch.c
+41_sim_syscall_priority_arch_OBJECTS = \
+ 41-sim-syscall_priority_arch.$(OBJEXT)
+41_sim_syscall_priority_arch_LDADD = $(LDADD)
+41_sim_syscall_priority_arch_DEPENDENCIES = util.la \
+ ../src/libseccomp.la $(am__DEPENDENCIES_1)
+42_sim_adv_chains_SOURCES = 42-sim-adv_chains.c
+42_sim_adv_chains_OBJECTS = 42-sim-adv_chains.$(OBJEXT)
+42_sim_adv_chains_LDADD = $(LDADD)
+42_sim_adv_chains_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+43_sim_a2_order_SOURCES = 43-sim-a2_order.c
+43_sim_a2_order_OBJECTS = 43-sim-a2_order.$(OBJEXT)
+43_sim_a2_order_LDADD = $(LDADD)
+43_sim_a2_order_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+44_live_a2_order_SOURCES = 44-live-a2_order.c
+44_live_a2_order_OBJECTS = 44-live-a2_order.$(OBJEXT)
+44_live_a2_order_LDADD = $(LDADD)
+44_live_a2_order_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+45_sim_chain_code_coverage_SOURCES = 45-sim-chain_code_coverage.c
+45_sim_chain_code_coverage_OBJECTS = \
+ 45-sim-chain_code_coverage.$(OBJEXT)
+45_sim_chain_code_coverage_LDADD = $(LDADD)
+45_sim_chain_code_coverage_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+46_sim_kill_process_SOURCES = 46-sim-kill_process.c
+46_sim_kill_process_OBJECTS = 46-sim-kill_process.$(OBJEXT)
+46_sim_kill_process_LDADD = $(LDADD)
+46_sim_kill_process_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+47_live_kill_process_SOURCES = 47-live-kill_process.c
+47_live_kill_process_OBJECTS = 47-live-kill_process.$(OBJEXT)
+47_live_kill_process_LDADD = $(LDADD)
+47_live_kill_process_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+48_sim_32b_args_SOURCES = 48-sim-32b_args.c
+48_sim_32b_args_OBJECTS = 48-sim-32b_args.$(OBJEXT)
+48_sim_32b_args_LDADD = $(LDADD)
+48_sim_32b_args_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+49_sim_64b_comparisons_SOURCES = 49-sim-64b_comparisons.c
+49_sim_64b_comparisons_OBJECTS = 49-sim-64b_comparisons.$(OBJEXT)
+49_sim_64b_comparisons_LDADD = $(LDADD)
+49_sim_64b_comparisons_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+50_sim_hash_collision_SOURCES = 50-sim-hash_collision.c
+50_sim_hash_collision_OBJECTS = 50-sim-hash_collision.$(OBJEXT)
+50_sim_hash_collision_LDADD = $(LDADD)
+50_sim_hash_collision_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+51_live_user_notification_SOURCES = 51-live-user_notification.c
+51_live_user_notification_OBJECTS = \
+ 51-live-user_notification.$(OBJEXT)
+51_live_user_notification_LDADD = $(LDADD)
+51_live_user_notification_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+52_basic_load_SOURCES = 52-basic-load.c
+52_basic_load_OBJECTS = 52-basic-load.$(OBJEXT)
+52_basic_load_LDADD = $(LDADD)
+52_basic_load_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+53_sim_binary_tree_SOURCES = 53-sim-binary_tree.c
+53_sim_binary_tree_OBJECTS = 53-sim-binary_tree.$(OBJEXT)
+53_sim_binary_tree_LDADD = $(LDADD)
+53_sim_binary_tree_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+54_live_binary_tree_SOURCES = 54-live-binary_tree.c
+54_live_binary_tree_OBJECTS = 54-live-binary_tree.$(OBJEXT)
+54_live_binary_tree_LDADD = $(LDADD)
+54_live_binary_tree_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+55_basic_pfc_binary_tree_SOURCES = 55-basic-pfc_binary_tree.c
+55_basic_pfc_binary_tree_OBJECTS = 55-basic-pfc_binary_tree.$(OBJEXT)
+55_basic_pfc_binary_tree_LDADD = $(LDADD)
+55_basic_pfc_binary_tree_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+56_basic_iterate_syscalls_SOURCES = 56-basic-iterate_syscalls.c
+56_basic_iterate_syscalls_OBJECTS = \
+ 56-basic-iterate_syscalls.$(OBJEXT)
+56_basic_iterate_syscalls_LDADD = $(LDADD)
+56_basic_iterate_syscalls_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+57_basic_rawsysrc_SOURCES = 57-basic-rawsysrc.c
+57_basic_rawsysrc_OBJECTS = 57-basic-rawsysrc.$(OBJEXT)
+57_basic_rawsysrc_LDADD = $(LDADD)
+57_basic_rawsysrc_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+58_live_tsync_notify_SOURCES = 58-live-tsync_notify.c
+58_live_tsync_notify_OBJECTS = 58-live-tsync_notify.$(OBJEXT)
+58_live_tsync_notify_LDADD = $(LDADD)
+58_live_tsync_notify_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+59_basic_empty_binary_tree_SOURCES = 59-basic-empty_binary_tree.c
+59_basic_empty_binary_tree_OBJECTS = \
+ 59-basic-empty_binary_tree.$(OBJEXT)
+59_basic_empty_binary_tree_LDADD = $(LDADD)
+59_basic_empty_binary_tree_DEPENDENCIES = util.la ../src/libseccomp.la \
+ $(am__DEPENDENCIES_1)
+miniseq_SOURCES = miniseq.c
+miniseq_OBJECTS = miniseq.$(OBJEXT)
+miniseq_DEPENDENCIES =
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo " GEN " $@;
+am__v_GEN_1 =
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp
+am__maybe_remake_depfiles = depfiles
+am__depfiles_remade = ./$(DEPDIR)/00-test.Po \
+ ./$(DEPDIR)/01-sim-allow.Po ./$(DEPDIR)/02-sim-basic.Po \
+ ./$(DEPDIR)/03-sim-basic_chains.Po \
+ ./$(DEPDIR)/04-sim-multilevel_chains.Po \
+ ./$(DEPDIR)/05-sim-long_jumps.Po ./$(DEPDIR)/06-sim-actions.Po \
+ ./$(DEPDIR)/07-sim-db_bug_looping.Po \
+ ./$(DEPDIR)/08-sim-subtree_checks.Po \
+ ./$(DEPDIR)/09-sim-syscall_priority_pre.Po \
+ ./$(DEPDIR)/10-sim-syscall_priority_post.Po \
+ ./$(DEPDIR)/11-basic-basic_errors.Po \
+ ./$(DEPDIR)/12-sim-basic_masked_ops.Po \
+ ./$(DEPDIR)/13-basic-attrs.Po ./$(DEPDIR)/14-sim-reset.Po \
+ ./$(DEPDIR)/15-basic-resolver.Po \
+ ./$(DEPDIR)/16-sim-arch_basic.Po \
+ ./$(DEPDIR)/17-sim-arch_merge.Po \
+ ./$(DEPDIR)/18-sim-basic_allowlist.Po \
+ ./$(DEPDIR)/19-sim-missing_syscalls.Po \
+ ./$(DEPDIR)/20-live-basic_die.Po \
+ ./$(DEPDIR)/21-live-basic_allow.Po \
+ ./$(DEPDIR)/22-sim-basic_chains_array.Po \
+ ./$(DEPDIR)/23-sim-arch_all_le_basic.Po \
+ ./$(DEPDIR)/24-live-arg_allow.Po \
+ ./$(DEPDIR)/25-sim-multilevel_chains_adv.Po \
+ ./$(DEPDIR)/26-sim-arch_all_be_basic.Po \
+ ./$(DEPDIR)/27-sim-bpf_blk_state.Po \
+ ./$(DEPDIR)/28-sim-arch_x86.Po \
+ ./$(DEPDIR)/29-sim-pseudo_syscall.Po \
+ ./$(DEPDIR)/30-sim-socket_syscalls.Po \
+ ./$(DEPDIR)/31-basic-version_check.Po \
+ ./$(DEPDIR)/32-live-tsync_allow.Po \
+ ./$(DEPDIR)/33-sim-socket_syscalls_be.Po \
+ ./$(DEPDIR)/34-sim-basic_denylist.Po \
+ ./$(DEPDIR)/35-sim-negative_one.Po \
+ ./$(DEPDIR)/36-sim-ipc_syscalls.Po \
+ ./$(DEPDIR)/37-sim-ipc_syscalls_be.Po \
+ ./$(DEPDIR)/38-basic-pfc_coverage.Po \
+ ./$(DEPDIR)/39-basic-api_level.Po ./$(DEPDIR)/40-sim-log.Po \
+ ./$(DEPDIR)/41-sim-syscall_priority_arch.Po \
+ ./$(DEPDIR)/42-sim-adv_chains.Po \
+ ./$(DEPDIR)/43-sim-a2_order.Po ./$(DEPDIR)/44-live-a2_order.Po \
+ ./$(DEPDIR)/45-sim-chain_code_coverage.Po \
+ ./$(DEPDIR)/46-sim-kill_process.Po \
+ ./$(DEPDIR)/47-live-kill_process.Po \
+ ./$(DEPDIR)/48-sim-32b_args.Po \
+ ./$(DEPDIR)/49-sim-64b_comparisons.Po \
+ ./$(DEPDIR)/50-sim-hash_collision.Po \
+ ./$(DEPDIR)/51-live-user_notification.Po \
+ ./$(DEPDIR)/52-basic-load.Po ./$(DEPDIR)/53-sim-binary_tree.Po \
+ ./$(DEPDIR)/54-live-binary_tree.Po \
+ ./$(DEPDIR)/55-basic-pfc_binary_tree.Po \
+ ./$(DEPDIR)/56-basic-iterate_syscalls.Po \
+ ./$(DEPDIR)/57-basic-rawsysrc.Po \
+ ./$(DEPDIR)/58-live-tsync_notify.Po \
+ ./$(DEPDIR)/59-basic-empty_binary_tree.Po \
+ ./$(DEPDIR)/miniseq.Po ./$(DEPDIR)/util.Plo
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo " CC " $@;
+am__v_CC_1 =
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo " CCLD " $@;
+am__v_CCLD_1 =
+SOURCES = $(util_la_SOURCES) $(nodist_00_test_SOURCES) 01-sim-allow.c \
+ 02-sim-basic.c 03-sim-basic_chains.c \
+ 04-sim-multilevel_chains.c 05-sim-long_jumps.c \
+ 06-sim-actions.c 07-sim-db_bug_looping.c \
+ 08-sim-subtree_checks.c 09-sim-syscall_priority_pre.c \
+ 10-sim-syscall_priority_post.c 11-basic-basic_errors.c \
+ 12-sim-basic_masked_ops.c 13-basic-attrs.c 14-sim-reset.c \
+ 15-basic-resolver.c 16-sim-arch_basic.c 17-sim-arch_merge.c \
+ 18-sim-basic_allowlist.c 19-sim-missing_syscalls.c \
+ 20-live-basic_die.c 21-live-basic_allow.c \
+ 22-sim-basic_chains_array.c 23-sim-arch_all_le_basic.c \
+ 24-live-arg_allow.c 25-sim-multilevel_chains_adv.c \
+ 26-sim-arch_all_be_basic.c 27-sim-bpf_blk_state.c \
+ 28-sim-arch_x86.c 29-sim-pseudo_syscall.c \
+ 30-sim-socket_syscalls.c 31-basic-version_check.c \
+ 32-live-tsync_allow.c 33-sim-socket_syscalls_be.c \
+ 34-sim-basic_denylist.c 35-sim-negative_one.c \
+ 36-sim-ipc_syscalls.c 37-sim-ipc_syscalls_be.c \
+ 38-basic-pfc_coverage.c 39-basic-api_level.c 40-sim-log.c \
+ 41-sim-syscall_priority_arch.c 42-sim-adv_chains.c \
+ 43-sim-a2_order.c 44-live-a2_order.c \
+ 45-sim-chain_code_coverage.c 46-sim-kill_process.c \
+ 47-live-kill_process.c 48-sim-32b_args.c \
+ 49-sim-64b_comparisons.c 50-sim-hash_collision.c \
+ 51-live-user_notification.c 52-basic-load.c \
+ 53-sim-binary_tree.c 54-live-binary_tree.c \
+ 55-basic-pfc_binary_tree.c 56-basic-iterate_syscalls.c \
+ 57-basic-rawsysrc.c 58-live-tsync_notify.c \
+ 59-basic-empty_binary_tree.c miniseq.c
+DIST_SOURCES = $(util_la_SOURCES) 01-sim-allow.c 02-sim-basic.c \
+ 03-sim-basic_chains.c 04-sim-multilevel_chains.c \
+ 05-sim-long_jumps.c 06-sim-actions.c 07-sim-db_bug_looping.c \
+ 08-sim-subtree_checks.c 09-sim-syscall_priority_pre.c \
+ 10-sim-syscall_priority_post.c 11-basic-basic_errors.c \
+ 12-sim-basic_masked_ops.c 13-basic-attrs.c 14-sim-reset.c \
+ 15-basic-resolver.c 16-sim-arch_basic.c 17-sim-arch_merge.c \
+ 18-sim-basic_allowlist.c 19-sim-missing_syscalls.c \
+ 20-live-basic_die.c 21-live-basic_allow.c \
+ 22-sim-basic_chains_array.c 23-sim-arch_all_le_basic.c \
+ 24-live-arg_allow.c 25-sim-multilevel_chains_adv.c \
+ 26-sim-arch_all_be_basic.c 27-sim-bpf_blk_state.c \
+ 28-sim-arch_x86.c 29-sim-pseudo_syscall.c \
+ 30-sim-socket_syscalls.c 31-basic-version_check.c \
+ 32-live-tsync_allow.c 33-sim-socket_syscalls_be.c \
+ 34-sim-basic_denylist.c 35-sim-negative_one.c \
+ 36-sim-ipc_syscalls.c 37-sim-ipc_syscalls_be.c \
+ 38-basic-pfc_coverage.c 39-basic-api_level.c 40-sim-log.c \
+ 41-sim-syscall_priority_arch.c 42-sim-adv_chains.c \
+ 43-sim-a2_order.c 44-live-a2_order.c \
+ 45-sim-chain_code_coverage.c 46-sim-kill_process.c \
+ 47-live-kill_process.c 48-sim-32b_args.c \
+ 49-sim-64b_comparisons.c 50-sim-hash_collision.c \
+ 51-live-user_notification.c 52-basic-load.c \
+ 53-sim-binary_tree.c 54-live-binary_tree.c \
+ 55-basic-pfc_binary_tree.c 56-basic-iterate_syscalls.c \
+ 57-basic-rawsysrc.c 58-live-tsync_notify.c \
+ 59-basic-empty_binary_tree.c miniseq.c
+am__can_run_installinfo = \
+ case $$AM_UPDATE_INFO_DIR in \
+ n|no|NO) false;; \
+ *) (install-info --version) >/dev/null 2>&1;; \
+ esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates. Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+ BEGIN { nonempty = 0; } \
+ { items[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique. This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+ list='$(am__tagged_files)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | $(am__uniquify_input)`
+am__tty_colors_dummy = \
+ mgn= red= grn= lgn= blu= brg= std=; \
+ am__color_tests=no
+am__tty_colors = { \
+ $(am__tty_colors_dummy); \
+ if test "X$(AM_COLOR_TESTS)" = Xno; then \
+ am__color_tests=no; \
+ elif test "X$(AM_COLOR_TESTS)" = Xalways; then \
+ am__color_tests=yes; \
+ elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \
+ am__color_tests=yes; \
+ fi; \
+ if test $$am__color_tests = yes; then \
+ red=''; \
+ grn=''; \
+ lgn=''; \
+ blu=''; \
+ mgn=''; \
+ brg=''; \
+ std=''; \
+ fi; \
+}
+am__DIST_COMMON = $(srcdir)/Makefile.in \
+ $(top_srcdir)/build-aux/depcomp
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AM_CFLAGS = @AM_CFLAGS@
+AM_CPPFLAGS = @AM_CPPFLAGS@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AM_LDFLAGS = ${DBG_STATIC} -lpthread
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CODE_COVERAGE_CFLAGS = @CODE_COVERAGE_CFLAGS@
+CODE_COVERAGE_CPPFLAGS = @CODE_COVERAGE_CPPFLAGS@
+CODE_COVERAGE_CXXFLAGS = @CODE_COVERAGE_CXXFLAGS@
+CODE_COVERAGE_ENABLED = @CODE_COVERAGE_ENABLED@
+CODE_COVERAGE_LDFLAGS = @CODE_COVERAGE_LDFLAGS@
+CODE_COVERAGE_LIBS = @CODE_COVERAGE_LIBS@
+CPPFLAGS = @CPPFLAGS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+ETAGS = @ETAGS@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+FILECMD = @FILECMD@
+GCOV = @GCOV@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VERSION_MAJOR = @VERSION_MAJOR@
+VERSION_MICRO = @VERSION_MICRO@
+VERSION_MINOR = @VERSION_MINOR@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+cython = @cython@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+have_coverity = @have_coverity@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+runstatedir = @runstatedir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+@CODE_COVERAGE_ENABLED_FALSE@DBG_STATIC = -static
+@CODE_COVERAGE_ENABLED_TRUE@DBG_STATIC =
+LDADD = util.la ../src/libseccomp.la ${CODE_COVERAGE_LIBS}
+check_LTLIBRARIES = util.la
+util_la_SOURCES = util.c util.h
+util_la_LDFLAGS = -module
+miniseq_LDADD =
+TESTS = regression
+EXTRA_DIST_TESTPYTHON = \
+ util.py \
+ 01-sim-allow.py \
+ 02-sim-basic.py \
+ 03-sim-basic_chains.py \
+ 04-sim-multilevel_chains.py \
+ 05-sim-long_jumps.py \
+ 06-sim-actions.py \
+ 07-sim-db_bug_looping.py \
+ 08-sim-subtree_checks.py \
+ 09-sim-syscall_priority_pre.py \
+ 10-sim-syscall_priority_post.py \
+ 11-basic-basic_errors.py \
+ 12-sim-basic_masked_ops.py \
+ 13-basic-attrs.py \
+ 14-sim-reset.py \
+ 15-basic-resolver.py \
+ 16-sim-arch_basic.py \
+ 17-sim-arch_merge.py \
+ 18-sim-basic_allowlist.py \
+ 19-sim-missing_syscalls.py \
+ 20-live-basic_die.py \
+ 21-live-basic_allow.py \
+ 22-sim-basic_chains_array.py \
+ 23-sim-arch_all_le_basic.py \
+ 24-live-arg_allow.py \
+ 25-sim-multilevel_chains_adv.py \
+ 26-sim-arch_all_be_basic.py \
+ 27-sim-bpf_blk_state.py \
+ 28-sim-arch_x86.py \
+ 29-sim-pseudo_syscall.py \
+ 30-sim-socket_syscalls.py \
+ 31-basic-version_check.py \
+ 32-live-tsync_allow.py \
+ 33-sim-socket_syscalls_be.py \
+ 34-sim-basic_denylist.py \
+ 35-sim-negative_one.py \
+ 36-sim-ipc_syscalls.py \
+ 37-sim-ipc_syscalls_be.py \
+ 39-basic-api_level.py \
+ 40-sim-log.py \
+ 41-sim-syscall_priority_arch.py \
+ 42-sim-adv_chains.py \
+ 43-sim-a2_order.py \
+ 44-live-a2_order.py \
+ 45-sim-chain_code_coverage.py \
+ 46-sim-kill_process.py \
+ 47-live-kill_process.py \
+ 48-sim-32b_args.py \
+ 49-sim-64b_comparisons.py \
+ 50-sim-hash_collision.py \
+ 51-live-user_notification.py \
+ 52-basic-load.py \
+ 53-sim-binary_tree.py \
+ 54-live-binary_tree.py \
+ 56-basic-iterate_syscalls.py \
+ 57-basic-rawsysrc.py \
+ 58-live-tsync_notify.py \
+ 59-basic-empty_binary_tree.py
+
+EXTRA_DIST_TESTCFGS = \
+ 01-sim-allow.tests \
+ 02-sim-basic.tests \
+ 03-sim-basic_chains.tests \
+ 04-sim-multilevel_chains.tests \
+ 05-sim-long_jumps.tests \
+ 06-sim-actions.tests \
+ 07-sim-db_bug_looping.tests \
+ 08-sim-subtree_checks.tests \
+ 09-sim-syscall_priority_pre.tests \
+ 10-sim-syscall_priority_post.tests \
+ 11-basic-basic_errors.tests \
+ 12-sim-basic_masked_ops.tests \
+ 13-basic-attrs.tests \
+ 14-sim-reset.tests \
+ 15-basic-resolver.tests \
+ 16-sim-arch_basic.tests \
+ 17-sim-arch_merge.tests \
+ 18-sim-basic_allowlist.tests \
+ 19-sim-missing_syscalls.tests \
+ 20-live-basic_die.tests \
+ 21-live-basic_allow.tests \
+ 22-sim-basic_chains_array.tests \
+ 23-sim-arch_all_le_basic.tests \
+ 24-live-arg_allow.tests \
+ 25-sim-multilevel_chains_adv.tests \
+ 26-sim-arch_all_be_basic.tests \
+ 27-sim-bpf_blk_state.tests \
+ 28-sim-arch_x86.tests \
+ 29-sim-pseudo_syscall.tests \
+ 30-sim-socket_syscalls.tests \
+ 31-basic-version_check.tests \
+ 32-live-tsync_allow.tests \
+ 33-sim-socket_syscalls_be.tests \
+ 34-sim-basic_denylist.tests \
+ 35-sim-negative_one.tests \
+ 36-sim-ipc_syscalls.tests \
+ 37-sim-ipc_syscalls_be.tests \
+ 38-basic-pfc_coverage.tests \
+ 39-basic-api_level.tests \
+ 40-sim-log.tests \
+ 41-sim-syscall_priority_arch.tests \
+ 42-sim-adv_chains.tests \
+ 43-sim-a2_order.tests \
+ 44-live-a2_order.tests \
+ 45-sim-chain_code_coverage.tests \
+ 46-sim-kill_process.tests \
+ 47-live-kill_process.tests \
+ 48-sim-32b_args.tests \
+ 49-sim-64b_comparisons.tests \
+ 50-sim-hash_collision.tests \
+ 51-live-user_notification.tests \
+ 52-basic-load.tests \
+ 53-sim-binary_tree.tests \
+ 54-live-binary_tree.tests \
+ 55-basic-pfc_binary_tree.tests \
+ 56-basic-iterate_syscalls.tests \
+ 57-basic-rawsysrc.tests \
+ 58-live-tsync_notify.tests \
+ 59-basic-empty_binary_tree.tests
+
+EXTRA_DIST_TESTSCRIPTS = \
+ 38-basic-pfc_coverage.sh 38-basic-pfc_coverage.pfc \
+ 55-basic-pfc_binary_tree.sh 55-basic-pfc_binary_tree.pfc
+
+EXTRA_DIST_TESTTOOLS = regression testdiff testgen
+EXTRA_DIST_TESTVALGRIND = valgrind_test.supp
+EXTRA_DIST = \
+ ${EXTRA_DIST_TESTCFGS} \
+ ${EXTRA_DIST_TESTPYTHON} \
+ ${EXTRA_DIST_TESTSCRIPTS} \
+ ${EXTRA_DIST_TESTTOOLS} \
+ ${EXTRA_DIST_TESTVALGRIND}
+
+nodist_00_test_SOURCES = 00-test.c
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign tests/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --foreign tests/Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-checkPROGRAMS:
+ @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
+ echo " rm -f" $$list; \
+ rm -f $$list || exit $$?; \
+ test -n "$(EXEEXT)" || exit 0; \
+ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f" $$list; \
+ rm -f $$list
+
+clean-checkLTLIBRARIES:
+ -test -z "$(check_LTLIBRARIES)" || rm -f $(check_LTLIBRARIES)
+ @list='$(check_LTLIBRARIES)'; \
+ locs=`for p in $$list; do echo $$p; done | \
+ sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+ sort -u`; \
+ test -z "$$locs" || { \
+ echo rm -f $${locs}; \
+ rm -f $${locs}; \
+ }
+
+util.la: $(util_la_OBJECTS) $(util_la_DEPENDENCIES) $(EXTRA_util_la_DEPENDENCIES)
+ $(AM_V_CCLD)$(util_la_LINK) $(util_la_OBJECTS) $(util_la_LIBADD) $(LIBS)
+
+00-test$(EXEEXT): $(00_test_OBJECTS) $(00_test_DEPENDENCIES) $(EXTRA_00_test_DEPENDENCIES)
+ @rm -f 00-test$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(00_test_OBJECTS) $(00_test_LDADD) $(LIBS)
+
+01-sim-allow$(EXEEXT): $(01_sim_allow_OBJECTS) $(01_sim_allow_DEPENDENCIES) $(EXTRA_01_sim_allow_DEPENDENCIES)
+ @rm -f 01-sim-allow$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(01_sim_allow_OBJECTS) $(01_sim_allow_LDADD) $(LIBS)
+
+02-sim-basic$(EXEEXT): $(02_sim_basic_OBJECTS) $(02_sim_basic_DEPENDENCIES) $(EXTRA_02_sim_basic_DEPENDENCIES)
+ @rm -f 02-sim-basic$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(02_sim_basic_OBJECTS) $(02_sim_basic_LDADD) $(LIBS)
+
+03-sim-basic_chains$(EXEEXT): $(03_sim_basic_chains_OBJECTS) $(03_sim_basic_chains_DEPENDENCIES) $(EXTRA_03_sim_basic_chains_DEPENDENCIES)
+ @rm -f 03-sim-basic_chains$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(03_sim_basic_chains_OBJECTS) $(03_sim_basic_chains_LDADD) $(LIBS)
+
+04-sim-multilevel_chains$(EXEEXT): $(04_sim_multilevel_chains_OBJECTS) $(04_sim_multilevel_chains_DEPENDENCIES) $(EXTRA_04_sim_multilevel_chains_DEPENDENCIES)
+ @rm -f 04-sim-multilevel_chains$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(04_sim_multilevel_chains_OBJECTS) $(04_sim_multilevel_chains_LDADD) $(LIBS)
+
+05-sim-long_jumps$(EXEEXT): $(05_sim_long_jumps_OBJECTS) $(05_sim_long_jumps_DEPENDENCIES) $(EXTRA_05_sim_long_jumps_DEPENDENCIES)
+ @rm -f 05-sim-long_jumps$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(05_sim_long_jumps_OBJECTS) $(05_sim_long_jumps_LDADD) $(LIBS)
+
+06-sim-actions$(EXEEXT): $(06_sim_actions_OBJECTS) $(06_sim_actions_DEPENDENCIES) $(EXTRA_06_sim_actions_DEPENDENCIES)
+ @rm -f 06-sim-actions$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(06_sim_actions_OBJECTS) $(06_sim_actions_LDADD) $(LIBS)
+
+07-sim-db_bug_looping$(EXEEXT): $(07_sim_db_bug_looping_OBJECTS) $(07_sim_db_bug_looping_DEPENDENCIES) $(EXTRA_07_sim_db_bug_looping_DEPENDENCIES)
+ @rm -f 07-sim-db_bug_looping$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(07_sim_db_bug_looping_OBJECTS) $(07_sim_db_bug_looping_LDADD) $(LIBS)
+
+08-sim-subtree_checks$(EXEEXT): $(08_sim_subtree_checks_OBJECTS) $(08_sim_subtree_checks_DEPENDENCIES) $(EXTRA_08_sim_subtree_checks_DEPENDENCIES)
+ @rm -f 08-sim-subtree_checks$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(08_sim_subtree_checks_OBJECTS) $(08_sim_subtree_checks_LDADD) $(LIBS)
+
+09-sim-syscall_priority_pre$(EXEEXT): $(09_sim_syscall_priority_pre_OBJECTS) $(09_sim_syscall_priority_pre_DEPENDENCIES) $(EXTRA_09_sim_syscall_priority_pre_DEPENDENCIES)
+ @rm -f 09-sim-syscall_priority_pre$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(09_sim_syscall_priority_pre_OBJECTS) $(09_sim_syscall_priority_pre_LDADD) $(LIBS)
+
+10-sim-syscall_priority_post$(EXEEXT): $(10_sim_syscall_priority_post_OBJECTS) $(10_sim_syscall_priority_post_DEPENDENCIES) $(EXTRA_10_sim_syscall_priority_post_DEPENDENCIES)
+ @rm -f 10-sim-syscall_priority_post$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(10_sim_syscall_priority_post_OBJECTS) $(10_sim_syscall_priority_post_LDADD) $(LIBS)
+
+11-basic-basic_errors$(EXEEXT): $(11_basic_basic_errors_OBJECTS) $(11_basic_basic_errors_DEPENDENCIES) $(EXTRA_11_basic_basic_errors_DEPENDENCIES)
+ @rm -f 11-basic-basic_errors$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(11_basic_basic_errors_OBJECTS) $(11_basic_basic_errors_LDADD) $(LIBS)
+
+12-sim-basic_masked_ops$(EXEEXT): $(12_sim_basic_masked_ops_OBJECTS) $(12_sim_basic_masked_ops_DEPENDENCIES) $(EXTRA_12_sim_basic_masked_ops_DEPENDENCIES)
+ @rm -f 12-sim-basic_masked_ops$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(12_sim_basic_masked_ops_OBJECTS) $(12_sim_basic_masked_ops_LDADD) $(LIBS)
+
+13-basic-attrs$(EXEEXT): $(13_basic_attrs_OBJECTS) $(13_basic_attrs_DEPENDENCIES) $(EXTRA_13_basic_attrs_DEPENDENCIES)
+ @rm -f 13-basic-attrs$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(13_basic_attrs_OBJECTS) $(13_basic_attrs_LDADD) $(LIBS)
+
+14-sim-reset$(EXEEXT): $(14_sim_reset_OBJECTS) $(14_sim_reset_DEPENDENCIES) $(EXTRA_14_sim_reset_DEPENDENCIES)
+ @rm -f 14-sim-reset$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(14_sim_reset_OBJECTS) $(14_sim_reset_LDADD) $(LIBS)
+
+15-basic-resolver$(EXEEXT): $(15_basic_resolver_OBJECTS) $(15_basic_resolver_DEPENDENCIES) $(EXTRA_15_basic_resolver_DEPENDENCIES)
+ @rm -f 15-basic-resolver$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(15_basic_resolver_OBJECTS) $(15_basic_resolver_LDADD) $(LIBS)
+
+16-sim-arch_basic$(EXEEXT): $(16_sim_arch_basic_OBJECTS) $(16_sim_arch_basic_DEPENDENCIES) $(EXTRA_16_sim_arch_basic_DEPENDENCIES)
+ @rm -f 16-sim-arch_basic$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(16_sim_arch_basic_OBJECTS) $(16_sim_arch_basic_LDADD) $(LIBS)
+
+17-sim-arch_merge$(EXEEXT): $(17_sim_arch_merge_OBJECTS) $(17_sim_arch_merge_DEPENDENCIES) $(EXTRA_17_sim_arch_merge_DEPENDENCIES)
+ @rm -f 17-sim-arch_merge$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(17_sim_arch_merge_OBJECTS) $(17_sim_arch_merge_LDADD) $(LIBS)
+
+18-sim-basic_allowlist$(EXEEXT): $(18_sim_basic_allowlist_OBJECTS) $(18_sim_basic_allowlist_DEPENDENCIES) $(EXTRA_18_sim_basic_allowlist_DEPENDENCIES)
+ @rm -f 18-sim-basic_allowlist$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(18_sim_basic_allowlist_OBJECTS) $(18_sim_basic_allowlist_LDADD) $(LIBS)
+
+19-sim-missing_syscalls$(EXEEXT): $(19_sim_missing_syscalls_OBJECTS) $(19_sim_missing_syscalls_DEPENDENCIES) $(EXTRA_19_sim_missing_syscalls_DEPENDENCIES)
+ @rm -f 19-sim-missing_syscalls$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(19_sim_missing_syscalls_OBJECTS) $(19_sim_missing_syscalls_LDADD) $(LIBS)
+
+20-live-basic_die$(EXEEXT): $(20_live_basic_die_OBJECTS) $(20_live_basic_die_DEPENDENCIES) $(EXTRA_20_live_basic_die_DEPENDENCIES)
+ @rm -f 20-live-basic_die$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(20_live_basic_die_OBJECTS) $(20_live_basic_die_LDADD) $(LIBS)
+
+21-live-basic_allow$(EXEEXT): $(21_live_basic_allow_OBJECTS) $(21_live_basic_allow_DEPENDENCIES) $(EXTRA_21_live_basic_allow_DEPENDENCIES)
+ @rm -f 21-live-basic_allow$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(21_live_basic_allow_OBJECTS) $(21_live_basic_allow_LDADD) $(LIBS)
+
+22-sim-basic_chains_array$(EXEEXT): $(22_sim_basic_chains_array_OBJECTS) $(22_sim_basic_chains_array_DEPENDENCIES) $(EXTRA_22_sim_basic_chains_array_DEPENDENCIES)
+ @rm -f 22-sim-basic_chains_array$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(22_sim_basic_chains_array_OBJECTS) $(22_sim_basic_chains_array_LDADD) $(LIBS)
+
+23-sim-arch_all_le_basic$(EXEEXT): $(23_sim_arch_all_le_basic_OBJECTS) $(23_sim_arch_all_le_basic_DEPENDENCIES) $(EXTRA_23_sim_arch_all_le_basic_DEPENDENCIES)
+ @rm -f 23-sim-arch_all_le_basic$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(23_sim_arch_all_le_basic_OBJECTS) $(23_sim_arch_all_le_basic_LDADD) $(LIBS)
+
+24-live-arg_allow$(EXEEXT): $(24_live_arg_allow_OBJECTS) $(24_live_arg_allow_DEPENDENCIES) $(EXTRA_24_live_arg_allow_DEPENDENCIES)
+ @rm -f 24-live-arg_allow$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(24_live_arg_allow_OBJECTS) $(24_live_arg_allow_LDADD) $(LIBS)
+
+25-sim-multilevel_chains_adv$(EXEEXT): $(25_sim_multilevel_chains_adv_OBJECTS) $(25_sim_multilevel_chains_adv_DEPENDENCIES) $(EXTRA_25_sim_multilevel_chains_adv_DEPENDENCIES)
+ @rm -f 25-sim-multilevel_chains_adv$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(25_sim_multilevel_chains_adv_OBJECTS) $(25_sim_multilevel_chains_adv_LDADD) $(LIBS)
+
+26-sim-arch_all_be_basic$(EXEEXT): $(26_sim_arch_all_be_basic_OBJECTS) $(26_sim_arch_all_be_basic_DEPENDENCIES) $(EXTRA_26_sim_arch_all_be_basic_DEPENDENCIES)
+ @rm -f 26-sim-arch_all_be_basic$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(26_sim_arch_all_be_basic_OBJECTS) $(26_sim_arch_all_be_basic_LDADD) $(LIBS)
+
+27-sim-bpf_blk_state$(EXEEXT): $(27_sim_bpf_blk_state_OBJECTS) $(27_sim_bpf_blk_state_DEPENDENCIES) $(EXTRA_27_sim_bpf_blk_state_DEPENDENCIES)
+ @rm -f 27-sim-bpf_blk_state$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(27_sim_bpf_blk_state_OBJECTS) $(27_sim_bpf_blk_state_LDADD) $(LIBS)
+
+28-sim-arch_x86$(EXEEXT): $(28_sim_arch_x86_OBJECTS) $(28_sim_arch_x86_DEPENDENCIES) $(EXTRA_28_sim_arch_x86_DEPENDENCIES)
+ @rm -f 28-sim-arch_x86$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(28_sim_arch_x86_OBJECTS) $(28_sim_arch_x86_LDADD) $(LIBS)
+
+29-sim-pseudo_syscall$(EXEEXT): $(29_sim_pseudo_syscall_OBJECTS) $(29_sim_pseudo_syscall_DEPENDENCIES) $(EXTRA_29_sim_pseudo_syscall_DEPENDENCIES)
+ @rm -f 29-sim-pseudo_syscall$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(29_sim_pseudo_syscall_OBJECTS) $(29_sim_pseudo_syscall_LDADD) $(LIBS)
+
+30-sim-socket_syscalls$(EXEEXT): $(30_sim_socket_syscalls_OBJECTS) $(30_sim_socket_syscalls_DEPENDENCIES) $(EXTRA_30_sim_socket_syscalls_DEPENDENCIES)
+ @rm -f 30-sim-socket_syscalls$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(30_sim_socket_syscalls_OBJECTS) $(30_sim_socket_syscalls_LDADD) $(LIBS)
+
+31-basic-version_check$(EXEEXT): $(31_basic_version_check_OBJECTS) $(31_basic_version_check_DEPENDENCIES) $(EXTRA_31_basic_version_check_DEPENDENCIES)
+ @rm -f 31-basic-version_check$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(31_basic_version_check_OBJECTS) $(31_basic_version_check_LDADD) $(LIBS)
+
+32-live-tsync_allow$(EXEEXT): $(32_live_tsync_allow_OBJECTS) $(32_live_tsync_allow_DEPENDENCIES) $(EXTRA_32_live_tsync_allow_DEPENDENCIES)
+ @rm -f 32-live-tsync_allow$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(32_live_tsync_allow_OBJECTS) $(32_live_tsync_allow_LDADD) $(LIBS)
+
+33-sim-socket_syscalls_be$(EXEEXT): $(33_sim_socket_syscalls_be_OBJECTS) $(33_sim_socket_syscalls_be_DEPENDENCIES) $(EXTRA_33_sim_socket_syscalls_be_DEPENDENCIES)
+ @rm -f 33-sim-socket_syscalls_be$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(33_sim_socket_syscalls_be_OBJECTS) $(33_sim_socket_syscalls_be_LDADD) $(LIBS)
+
+34-sim-basic_denylist$(EXEEXT): $(34_sim_basic_denylist_OBJECTS) $(34_sim_basic_denylist_DEPENDENCIES) $(EXTRA_34_sim_basic_denylist_DEPENDENCIES)
+ @rm -f 34-sim-basic_denylist$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(34_sim_basic_denylist_OBJECTS) $(34_sim_basic_denylist_LDADD) $(LIBS)
+
+35-sim-negative_one$(EXEEXT): $(35_sim_negative_one_OBJECTS) $(35_sim_negative_one_DEPENDENCIES) $(EXTRA_35_sim_negative_one_DEPENDENCIES)
+ @rm -f 35-sim-negative_one$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(35_sim_negative_one_OBJECTS) $(35_sim_negative_one_LDADD) $(LIBS)
+
+36-sim-ipc_syscalls$(EXEEXT): $(36_sim_ipc_syscalls_OBJECTS) $(36_sim_ipc_syscalls_DEPENDENCIES) $(EXTRA_36_sim_ipc_syscalls_DEPENDENCIES)
+ @rm -f 36-sim-ipc_syscalls$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(36_sim_ipc_syscalls_OBJECTS) $(36_sim_ipc_syscalls_LDADD) $(LIBS)
+
+37-sim-ipc_syscalls_be$(EXEEXT): $(37_sim_ipc_syscalls_be_OBJECTS) $(37_sim_ipc_syscalls_be_DEPENDENCIES) $(EXTRA_37_sim_ipc_syscalls_be_DEPENDENCIES)
+ @rm -f 37-sim-ipc_syscalls_be$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(37_sim_ipc_syscalls_be_OBJECTS) $(37_sim_ipc_syscalls_be_LDADD) $(LIBS)
+
+38-basic-pfc_coverage$(EXEEXT): $(38_basic_pfc_coverage_OBJECTS) $(38_basic_pfc_coverage_DEPENDENCIES) $(EXTRA_38_basic_pfc_coverage_DEPENDENCIES)
+ @rm -f 38-basic-pfc_coverage$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(38_basic_pfc_coverage_OBJECTS) $(38_basic_pfc_coverage_LDADD) $(LIBS)
+
+39-basic-api_level$(EXEEXT): $(39_basic_api_level_OBJECTS) $(39_basic_api_level_DEPENDENCIES) $(EXTRA_39_basic_api_level_DEPENDENCIES)
+ @rm -f 39-basic-api_level$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(39_basic_api_level_OBJECTS) $(39_basic_api_level_LDADD) $(LIBS)
+
+40-sim-log$(EXEEXT): $(40_sim_log_OBJECTS) $(40_sim_log_DEPENDENCIES) $(EXTRA_40_sim_log_DEPENDENCIES)
+ @rm -f 40-sim-log$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(40_sim_log_OBJECTS) $(40_sim_log_LDADD) $(LIBS)
+
+41-sim-syscall_priority_arch$(EXEEXT): $(41_sim_syscall_priority_arch_OBJECTS) $(41_sim_syscall_priority_arch_DEPENDENCIES) $(EXTRA_41_sim_syscall_priority_arch_DEPENDENCIES)
+ @rm -f 41-sim-syscall_priority_arch$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(41_sim_syscall_priority_arch_OBJECTS) $(41_sim_syscall_priority_arch_LDADD) $(LIBS)
+
+42-sim-adv_chains$(EXEEXT): $(42_sim_adv_chains_OBJECTS) $(42_sim_adv_chains_DEPENDENCIES) $(EXTRA_42_sim_adv_chains_DEPENDENCIES)
+ @rm -f 42-sim-adv_chains$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(42_sim_adv_chains_OBJECTS) $(42_sim_adv_chains_LDADD) $(LIBS)
+
+43-sim-a2_order$(EXEEXT): $(43_sim_a2_order_OBJECTS) $(43_sim_a2_order_DEPENDENCIES) $(EXTRA_43_sim_a2_order_DEPENDENCIES)
+ @rm -f 43-sim-a2_order$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(43_sim_a2_order_OBJECTS) $(43_sim_a2_order_LDADD) $(LIBS)
+
+44-live-a2_order$(EXEEXT): $(44_live_a2_order_OBJECTS) $(44_live_a2_order_DEPENDENCIES) $(EXTRA_44_live_a2_order_DEPENDENCIES)
+ @rm -f 44-live-a2_order$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(44_live_a2_order_OBJECTS) $(44_live_a2_order_LDADD) $(LIBS)
+
+45-sim-chain_code_coverage$(EXEEXT): $(45_sim_chain_code_coverage_OBJECTS) $(45_sim_chain_code_coverage_DEPENDENCIES) $(EXTRA_45_sim_chain_code_coverage_DEPENDENCIES)
+ @rm -f 45-sim-chain_code_coverage$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(45_sim_chain_code_coverage_OBJECTS) $(45_sim_chain_code_coverage_LDADD) $(LIBS)
+
+46-sim-kill_process$(EXEEXT): $(46_sim_kill_process_OBJECTS) $(46_sim_kill_process_DEPENDENCIES) $(EXTRA_46_sim_kill_process_DEPENDENCIES)
+ @rm -f 46-sim-kill_process$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(46_sim_kill_process_OBJECTS) $(46_sim_kill_process_LDADD) $(LIBS)
+
+47-live-kill_process$(EXEEXT): $(47_live_kill_process_OBJECTS) $(47_live_kill_process_DEPENDENCIES) $(EXTRA_47_live_kill_process_DEPENDENCIES)
+ @rm -f 47-live-kill_process$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(47_live_kill_process_OBJECTS) $(47_live_kill_process_LDADD) $(LIBS)
+
+48-sim-32b_args$(EXEEXT): $(48_sim_32b_args_OBJECTS) $(48_sim_32b_args_DEPENDENCIES) $(EXTRA_48_sim_32b_args_DEPENDENCIES)
+ @rm -f 48-sim-32b_args$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(48_sim_32b_args_OBJECTS) $(48_sim_32b_args_LDADD) $(LIBS)
+
+49-sim-64b_comparisons$(EXEEXT): $(49_sim_64b_comparisons_OBJECTS) $(49_sim_64b_comparisons_DEPENDENCIES) $(EXTRA_49_sim_64b_comparisons_DEPENDENCIES)
+ @rm -f 49-sim-64b_comparisons$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(49_sim_64b_comparisons_OBJECTS) $(49_sim_64b_comparisons_LDADD) $(LIBS)
+
+50-sim-hash_collision$(EXEEXT): $(50_sim_hash_collision_OBJECTS) $(50_sim_hash_collision_DEPENDENCIES) $(EXTRA_50_sim_hash_collision_DEPENDENCIES)
+ @rm -f 50-sim-hash_collision$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(50_sim_hash_collision_OBJECTS) $(50_sim_hash_collision_LDADD) $(LIBS)
+
+51-live-user_notification$(EXEEXT): $(51_live_user_notification_OBJECTS) $(51_live_user_notification_DEPENDENCIES) $(EXTRA_51_live_user_notification_DEPENDENCIES)
+ @rm -f 51-live-user_notification$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(51_live_user_notification_OBJECTS) $(51_live_user_notification_LDADD) $(LIBS)
+
+52-basic-load$(EXEEXT): $(52_basic_load_OBJECTS) $(52_basic_load_DEPENDENCIES) $(EXTRA_52_basic_load_DEPENDENCIES)
+ @rm -f 52-basic-load$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(52_basic_load_OBJECTS) $(52_basic_load_LDADD) $(LIBS)
+
+53-sim-binary_tree$(EXEEXT): $(53_sim_binary_tree_OBJECTS) $(53_sim_binary_tree_DEPENDENCIES) $(EXTRA_53_sim_binary_tree_DEPENDENCIES)
+ @rm -f 53-sim-binary_tree$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(53_sim_binary_tree_OBJECTS) $(53_sim_binary_tree_LDADD) $(LIBS)
+
+54-live-binary_tree$(EXEEXT): $(54_live_binary_tree_OBJECTS) $(54_live_binary_tree_DEPENDENCIES) $(EXTRA_54_live_binary_tree_DEPENDENCIES)
+ @rm -f 54-live-binary_tree$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(54_live_binary_tree_OBJECTS) $(54_live_binary_tree_LDADD) $(LIBS)
+
+55-basic-pfc_binary_tree$(EXEEXT): $(55_basic_pfc_binary_tree_OBJECTS) $(55_basic_pfc_binary_tree_DEPENDENCIES) $(EXTRA_55_basic_pfc_binary_tree_DEPENDENCIES)
+ @rm -f 55-basic-pfc_binary_tree$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(55_basic_pfc_binary_tree_OBJECTS) $(55_basic_pfc_binary_tree_LDADD) $(LIBS)
+
+56-basic-iterate_syscalls$(EXEEXT): $(56_basic_iterate_syscalls_OBJECTS) $(56_basic_iterate_syscalls_DEPENDENCIES) $(EXTRA_56_basic_iterate_syscalls_DEPENDENCIES)
+ @rm -f 56-basic-iterate_syscalls$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(56_basic_iterate_syscalls_OBJECTS) $(56_basic_iterate_syscalls_LDADD) $(LIBS)
+
+57-basic-rawsysrc$(EXEEXT): $(57_basic_rawsysrc_OBJECTS) $(57_basic_rawsysrc_DEPENDENCIES) $(EXTRA_57_basic_rawsysrc_DEPENDENCIES)
+ @rm -f 57-basic-rawsysrc$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(57_basic_rawsysrc_OBJECTS) $(57_basic_rawsysrc_LDADD) $(LIBS)
+
+58-live-tsync_notify$(EXEEXT): $(58_live_tsync_notify_OBJECTS) $(58_live_tsync_notify_DEPENDENCIES) $(EXTRA_58_live_tsync_notify_DEPENDENCIES)
+ @rm -f 58-live-tsync_notify$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(58_live_tsync_notify_OBJECTS) $(58_live_tsync_notify_LDADD) $(LIBS)
+
+59-basic-empty_binary_tree$(EXEEXT): $(59_basic_empty_binary_tree_OBJECTS) $(59_basic_empty_binary_tree_DEPENDENCIES) $(EXTRA_59_basic_empty_binary_tree_DEPENDENCIES)
+ @rm -f 59-basic-empty_binary_tree$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(59_basic_empty_binary_tree_OBJECTS) $(59_basic_empty_binary_tree_LDADD) $(LIBS)
+
+miniseq$(EXEEXT): $(miniseq_OBJECTS) $(miniseq_DEPENDENCIES) $(EXTRA_miniseq_DEPENDENCIES)
+ @rm -f miniseq$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(miniseq_OBJECTS) $(miniseq_LDADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/00-test.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/01-sim-allow.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/02-sim-basic.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/03-sim-basic_chains.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/04-sim-multilevel_chains.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/05-sim-long_jumps.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/06-sim-actions.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/07-sim-db_bug_looping.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/08-sim-subtree_checks.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/09-sim-syscall_priority_pre.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/10-sim-syscall_priority_post.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/11-basic-basic_errors.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/12-sim-basic_masked_ops.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/13-basic-attrs.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/14-sim-reset.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/15-basic-resolver.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/16-sim-arch_basic.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/17-sim-arch_merge.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/18-sim-basic_allowlist.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/19-sim-missing_syscalls.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/20-live-basic_die.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/21-live-basic_allow.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/22-sim-basic_chains_array.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/23-sim-arch_all_le_basic.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/24-live-arg_allow.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/25-sim-multilevel_chains_adv.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/26-sim-arch_all_be_basic.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/27-sim-bpf_blk_state.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/28-sim-arch_x86.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/29-sim-pseudo_syscall.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/30-sim-socket_syscalls.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/31-basic-version_check.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/32-live-tsync_allow.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/33-sim-socket_syscalls_be.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/34-sim-basic_denylist.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/35-sim-negative_one.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/36-sim-ipc_syscalls.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/37-sim-ipc_syscalls_be.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/38-basic-pfc_coverage.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/39-basic-api_level.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/40-sim-log.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/41-sim-syscall_priority_arch.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/42-sim-adv_chains.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/43-sim-a2_order.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/44-live-a2_order.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/45-sim-chain_code_coverage.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/46-sim-kill_process.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/47-live-kill_process.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/48-sim-32b_args.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/49-sim-64b_comparisons.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/50-sim-hash_collision.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/51-live-user_notification.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/52-basic-load.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/53-sim-binary_tree.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/54-live-binary_tree.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/55-basic-pfc_binary_tree.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/56-basic-iterate_syscalls.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/57-basic-rawsysrc.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/58-live-tsync_notify.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/59-basic-empty_binary_tree.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/miniseq.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/util.Plo@am__quote@ # am--include-marker
+
+$(am__depfiles_remade):
+ @$(MKDIR_P) $(@D)
+ @echo '# dummy' >$@-t && $(am__mv) $@-t $@
+
+am--depfiles: $(am__depfiles_remade)
+
+.c.o:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+ $(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ set x; \
+ here=`pwd`; \
+ $(am__define_uniq_tagged_files); \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ $(am__define_uniq_tagged_files); \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+ list='$(am__tagged_files)'; \
+ case "$(srcdir)" in \
+ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+ *) sdir=$(subdir)/$(srcdir) ;; \
+ esac; \
+ for i in $$list; do \
+ if test -f "$$i"; then \
+ echo "$(subdir)/$$i"; \
+ else \
+ echo "$$sdir/$$i"; \
+ fi; \
+ done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+check-TESTS: $(TESTS)
+ @failed=0; all=0; xfail=0; xpass=0; skip=0; \
+ srcdir=$(srcdir); export srcdir; \
+ list=' $(TESTS) '; \
+ $(am__tty_colors); \
+ if test -n "$$list"; then \
+ for tst in $$list; do \
+ if test -f ./$$tst; then dir=./; \
+ elif test -f $$tst; then dir=; \
+ else dir="$(srcdir)/"; fi; \
+ if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \
+ all=`expr $$all + 1`; \
+ case " $(XFAIL_TESTS) " in \
+ *[\ \ ]$$tst[\ \ ]*) \
+ xpass=`expr $$xpass + 1`; \
+ failed=`expr $$failed + 1`; \
+ col=$$red; res=XPASS; \
+ ;; \
+ *) \
+ col=$$grn; res=PASS; \
+ ;; \
+ esac; \
+ elif test $$? -ne 77; then \
+ all=`expr $$all + 1`; \
+ case " $(XFAIL_TESTS) " in \
+ *[\ \ ]$$tst[\ \ ]*) \
+ xfail=`expr $$xfail + 1`; \
+ col=$$lgn; res=XFAIL; \
+ ;; \
+ *) \
+ failed=`expr $$failed + 1`; \
+ col=$$red; res=FAIL; \
+ ;; \
+ esac; \
+ else \
+ skip=`expr $$skip + 1`; \
+ col=$$blu; res=SKIP; \
+ fi; \
+ echo "$${col}$$res$${std}: $$tst"; \
+ done; \
+ if test "$$all" -eq 1; then \
+ tests="test"; \
+ All=""; \
+ else \
+ tests="tests"; \
+ All="All "; \
+ fi; \
+ if test "$$failed" -eq 0; then \
+ if test "$$xfail" -eq 0; then \
+ banner="$$All$$all $$tests passed"; \
+ else \
+ if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
+ banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
+ fi; \
+ else \
+ if test "$$xpass" -eq 0; then \
+ banner="$$failed of $$all $$tests failed"; \
+ else \
+ if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
+ banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
+ fi; \
+ fi; \
+ dashes="$$banner"; \
+ skipped=""; \
+ if test "$$skip" -ne 0; then \
+ if test "$$skip" -eq 1; then \
+ skipped="($$skip test was not run)"; \
+ else \
+ skipped="($$skip tests were not run)"; \
+ fi; \
+ test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+ dashes="$$skipped"; \
+ fi; \
+ report=""; \
+ if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+ report="Please report to $(PACKAGE_BUGREPORT)"; \
+ test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+ dashes="$$report"; \
+ fi; \
+ dashes=`echo "$$dashes" | sed s/./=/g`; \
+ if test "$$failed" -eq 0; then \
+ col="$$grn"; \
+ else \
+ col="$$red"; \
+ fi; \
+ echo "$${col}$$dashes$${std}"; \
+ echo "$${col}$$banner$${std}"; \
+ test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \
+ test -z "$$report" || echo "$${col}$$report$${std}"; \
+ echo "$${col}$$dashes$${std}"; \
+ test "$$failed" -eq 0; \
+ else :; fi
+distdir: $(BUILT_SOURCES)
+ $(MAKE) $(AM_MAKEFLAGS) distdir-am
+
+distdir-am: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+ $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) $(check_LTLIBRARIES)
+ $(MAKE) $(AM_MAKEFLAGS) check-TESTS
+check: check-am
+all-am: Makefile
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-checkLTLIBRARIES clean-checkPROGRAMS clean-generic \
+ clean-libtool clean-local mostlyclean-am
+
+distclean: distclean-am
+ -rm -f ./$(DEPDIR)/00-test.Po
+ -rm -f ./$(DEPDIR)/01-sim-allow.Po
+ -rm -f ./$(DEPDIR)/02-sim-basic.Po
+ -rm -f ./$(DEPDIR)/03-sim-basic_chains.Po
+ -rm -f ./$(DEPDIR)/04-sim-multilevel_chains.Po
+ -rm -f ./$(DEPDIR)/05-sim-long_jumps.Po
+ -rm -f ./$(DEPDIR)/06-sim-actions.Po
+ -rm -f ./$(DEPDIR)/07-sim-db_bug_looping.Po
+ -rm -f ./$(DEPDIR)/08-sim-subtree_checks.Po
+ -rm -f ./$(DEPDIR)/09-sim-syscall_priority_pre.Po
+ -rm -f ./$(DEPDIR)/10-sim-syscall_priority_post.Po
+ -rm -f ./$(DEPDIR)/11-basic-basic_errors.Po
+ -rm -f ./$(DEPDIR)/12-sim-basic_masked_ops.Po
+ -rm -f ./$(DEPDIR)/13-basic-attrs.Po
+ -rm -f ./$(DEPDIR)/14-sim-reset.Po
+ -rm -f ./$(DEPDIR)/15-basic-resolver.Po
+ -rm -f ./$(DEPDIR)/16-sim-arch_basic.Po
+ -rm -f ./$(DEPDIR)/17-sim-arch_merge.Po
+ -rm -f ./$(DEPDIR)/18-sim-basic_allowlist.Po
+ -rm -f ./$(DEPDIR)/19-sim-missing_syscalls.Po
+ -rm -f ./$(DEPDIR)/20-live-basic_die.Po
+ -rm -f ./$(DEPDIR)/21-live-basic_allow.Po
+ -rm -f ./$(DEPDIR)/22-sim-basic_chains_array.Po
+ -rm -f ./$(DEPDIR)/23-sim-arch_all_le_basic.Po
+ -rm -f ./$(DEPDIR)/24-live-arg_allow.Po
+ -rm -f ./$(DEPDIR)/25-sim-multilevel_chains_adv.Po
+ -rm -f ./$(DEPDIR)/26-sim-arch_all_be_basic.Po
+ -rm -f ./$(DEPDIR)/27-sim-bpf_blk_state.Po
+ -rm -f ./$(DEPDIR)/28-sim-arch_x86.Po
+ -rm -f ./$(DEPDIR)/29-sim-pseudo_syscall.Po
+ -rm -f ./$(DEPDIR)/30-sim-socket_syscalls.Po
+ -rm -f ./$(DEPDIR)/31-basic-version_check.Po
+ -rm -f ./$(DEPDIR)/32-live-tsync_allow.Po
+ -rm -f ./$(DEPDIR)/33-sim-socket_syscalls_be.Po
+ -rm -f ./$(DEPDIR)/34-sim-basic_denylist.Po
+ -rm -f ./$(DEPDIR)/35-sim-negative_one.Po
+ -rm -f ./$(DEPDIR)/36-sim-ipc_syscalls.Po
+ -rm -f ./$(DEPDIR)/37-sim-ipc_syscalls_be.Po
+ -rm -f ./$(DEPDIR)/38-basic-pfc_coverage.Po
+ -rm -f ./$(DEPDIR)/39-basic-api_level.Po
+ -rm -f ./$(DEPDIR)/40-sim-log.Po
+ -rm -f ./$(DEPDIR)/41-sim-syscall_priority_arch.Po
+ -rm -f ./$(DEPDIR)/42-sim-adv_chains.Po
+ -rm -f ./$(DEPDIR)/43-sim-a2_order.Po
+ -rm -f ./$(DEPDIR)/44-live-a2_order.Po
+ -rm -f ./$(DEPDIR)/45-sim-chain_code_coverage.Po
+ -rm -f ./$(DEPDIR)/46-sim-kill_process.Po
+ -rm -f ./$(DEPDIR)/47-live-kill_process.Po
+ -rm -f ./$(DEPDIR)/48-sim-32b_args.Po
+ -rm -f ./$(DEPDIR)/49-sim-64b_comparisons.Po
+ -rm -f ./$(DEPDIR)/50-sim-hash_collision.Po
+ -rm -f ./$(DEPDIR)/51-live-user_notification.Po
+ -rm -f ./$(DEPDIR)/52-basic-load.Po
+ -rm -f ./$(DEPDIR)/53-sim-binary_tree.Po
+ -rm -f ./$(DEPDIR)/54-live-binary_tree.Po
+ -rm -f ./$(DEPDIR)/55-basic-pfc_binary_tree.Po
+ -rm -f ./$(DEPDIR)/56-basic-iterate_syscalls.Po
+ -rm -f ./$(DEPDIR)/57-basic-rawsysrc.Po
+ -rm -f ./$(DEPDIR)/58-live-tsync_notify.Po
+ -rm -f ./$(DEPDIR)/59-basic-empty_binary_tree.Po
+ -rm -f ./$(DEPDIR)/miniseq.Po
+ -rm -f ./$(DEPDIR)/util.Plo
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -f ./$(DEPDIR)/00-test.Po
+ -rm -f ./$(DEPDIR)/01-sim-allow.Po
+ -rm -f ./$(DEPDIR)/02-sim-basic.Po
+ -rm -f ./$(DEPDIR)/03-sim-basic_chains.Po
+ -rm -f ./$(DEPDIR)/04-sim-multilevel_chains.Po
+ -rm -f ./$(DEPDIR)/05-sim-long_jumps.Po
+ -rm -f ./$(DEPDIR)/06-sim-actions.Po
+ -rm -f ./$(DEPDIR)/07-sim-db_bug_looping.Po
+ -rm -f ./$(DEPDIR)/08-sim-subtree_checks.Po
+ -rm -f ./$(DEPDIR)/09-sim-syscall_priority_pre.Po
+ -rm -f ./$(DEPDIR)/10-sim-syscall_priority_post.Po
+ -rm -f ./$(DEPDIR)/11-basic-basic_errors.Po
+ -rm -f ./$(DEPDIR)/12-sim-basic_masked_ops.Po
+ -rm -f ./$(DEPDIR)/13-basic-attrs.Po
+ -rm -f ./$(DEPDIR)/14-sim-reset.Po
+ -rm -f ./$(DEPDIR)/15-basic-resolver.Po
+ -rm -f ./$(DEPDIR)/16-sim-arch_basic.Po
+ -rm -f ./$(DEPDIR)/17-sim-arch_merge.Po
+ -rm -f ./$(DEPDIR)/18-sim-basic_allowlist.Po
+ -rm -f ./$(DEPDIR)/19-sim-missing_syscalls.Po
+ -rm -f ./$(DEPDIR)/20-live-basic_die.Po
+ -rm -f ./$(DEPDIR)/21-live-basic_allow.Po
+ -rm -f ./$(DEPDIR)/22-sim-basic_chains_array.Po
+ -rm -f ./$(DEPDIR)/23-sim-arch_all_le_basic.Po
+ -rm -f ./$(DEPDIR)/24-live-arg_allow.Po
+ -rm -f ./$(DEPDIR)/25-sim-multilevel_chains_adv.Po
+ -rm -f ./$(DEPDIR)/26-sim-arch_all_be_basic.Po
+ -rm -f ./$(DEPDIR)/27-sim-bpf_blk_state.Po
+ -rm -f ./$(DEPDIR)/28-sim-arch_x86.Po
+ -rm -f ./$(DEPDIR)/29-sim-pseudo_syscall.Po
+ -rm -f ./$(DEPDIR)/30-sim-socket_syscalls.Po
+ -rm -f ./$(DEPDIR)/31-basic-version_check.Po
+ -rm -f ./$(DEPDIR)/32-live-tsync_allow.Po
+ -rm -f ./$(DEPDIR)/33-sim-socket_syscalls_be.Po
+ -rm -f ./$(DEPDIR)/34-sim-basic_denylist.Po
+ -rm -f ./$(DEPDIR)/35-sim-negative_one.Po
+ -rm -f ./$(DEPDIR)/36-sim-ipc_syscalls.Po
+ -rm -f ./$(DEPDIR)/37-sim-ipc_syscalls_be.Po
+ -rm -f ./$(DEPDIR)/38-basic-pfc_coverage.Po
+ -rm -f ./$(DEPDIR)/39-basic-api_level.Po
+ -rm -f ./$(DEPDIR)/40-sim-log.Po
+ -rm -f ./$(DEPDIR)/41-sim-syscall_priority_arch.Po
+ -rm -f ./$(DEPDIR)/42-sim-adv_chains.Po
+ -rm -f ./$(DEPDIR)/43-sim-a2_order.Po
+ -rm -f ./$(DEPDIR)/44-live-a2_order.Po
+ -rm -f ./$(DEPDIR)/45-sim-chain_code_coverage.Po
+ -rm -f ./$(DEPDIR)/46-sim-kill_process.Po
+ -rm -f ./$(DEPDIR)/47-live-kill_process.Po
+ -rm -f ./$(DEPDIR)/48-sim-32b_args.Po
+ -rm -f ./$(DEPDIR)/49-sim-64b_comparisons.Po
+ -rm -f ./$(DEPDIR)/50-sim-hash_collision.Po
+ -rm -f ./$(DEPDIR)/51-live-user_notification.Po
+ -rm -f ./$(DEPDIR)/52-basic-load.Po
+ -rm -f ./$(DEPDIR)/53-sim-binary_tree.Po
+ -rm -f ./$(DEPDIR)/54-live-binary_tree.Po
+ -rm -f ./$(DEPDIR)/55-basic-pfc_binary_tree.Po
+ -rm -f ./$(DEPDIR)/56-basic-iterate_syscalls.Po
+ -rm -f ./$(DEPDIR)/57-basic-rawsysrc.Po
+ -rm -f ./$(DEPDIR)/58-live-tsync_notify.Po
+ -rm -f ./$(DEPDIR)/59-basic-empty_binary_tree.Po
+ -rm -f ./$(DEPDIR)/miniseq.Po
+ -rm -f ./$(DEPDIR)/util.Plo
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: check-am install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \
+ check-am clean clean-checkLTLIBRARIES clean-checkPROGRAMS \
+ clean-generic clean-libtool clean-local cscopelist-am ctags \
+ ctags-am distclean distclean-compile distclean-generic \
+ distclean-libtool distclean-tags distdir dvi dvi-am html \
+ html-am info info-am install install-am install-data \
+ install-data-am install-dvi install-dvi-am install-exec \
+ install-exec-am install-html install-html-am install-info \
+ install-info-am install-man install-pdf install-pdf-am \
+ install-ps install-ps-am install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags tags-am uninstall uninstall-am
+
+.PRECIOUS: Makefile
+
+
+check-build:
+ ${MAKE} ${AM_MAKEFLAGS} ${check_PROGRAMS}
+
+clean-local:
+ ${RM} -f 00-test *.pyc
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/tests/miniseq.c b/tests/miniseq.c
new file mode 100644
index 0000000..120fdb2
--- /dev/null
+++ b/tests/miniseq.c
@@ -0,0 +1,58 @@
+/**
+ * Seccomp Library test support program
+ *
+ * Copyright (c) 2015 Mathias Krause <minipli@googlemail.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <inttypes.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <errno.h>
+
+static int get_number(char *str, uint64_t *res)
+{
+ char *end = str;
+
+ errno = 0;
+ *res = strtoull(str, &end, 0);
+ if (errno || *end != '\0') {
+ fprintf(stderr, "error: failed to convert '%s'\n", str);
+ return -1;
+ }
+
+ return 0;
+}
+
+int main(int argc, char *argv[])
+{
+ uint64_t first, last, cur;
+
+ if (argc != 3) {
+ fprintf(stderr, "usage: %s FIRST LAST\n", argv[0]);
+ return 1;
+ }
+
+ if (get_number(argv[1], &first) || get_number(argv[2], &last))
+ return 1;
+
+ for (cur = first; cur != last; cur++)
+ printf("%" PRId64 "\n", cur);
+ printf("%" PRId64 "\n", cur);
+
+ return 0;
+}
diff --git a/tests/regression b/tests/regression
new file mode 100755
index 0000000..f938b1b
--- /dev/null
+++ b/tests/regression
@@ -0,0 +1,1127 @@
+#!/bin/bash
+
+#
+# libseccomp regression test automation script
+#
+# Copyright IBM Corp. 2012
+# Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+GLBL_ARCH_LE_SUPPORT=" \
+ x86 x86_64 x32 \
+ arm aarch64 \
+ mipsel mipsel64 mipsel64n32 \
+ ppc64le \
+ riscv64"
+GLBL_ARCH_BE_SUPPORT=" \
+ mips mips64 mips64n32 \
+ parisc parisc64 \
+ ppc ppc64 \
+ s390 s390x"
+
+GLBL_ARCH_32B_SUPPORT=" \
+ x86 x32 \
+ arm \
+ mips mipsel mips64n32 mipsel64n32 \
+ parisc \
+ ppc \
+ s390"
+
+GLBL_ARCH_64B_SUPPORT=" \
+ x86_64 \
+ aarch64 \
+ mips64 \
+ parisc64 \
+ ppc64 \
+ riscv64 \
+ s390x"
+
+GLBL_SYS_ARCH="../tools/scmp_arch_detect"
+GLBL_SYS_RESOLVER="../tools/scmp_sys_resolver"
+GLBL_SYS_SIM="../tools/scmp_bpf_sim"
+GLBL_SYS_API="../tools/scmp_api_level"
+
+####
+# functions
+
+#
+# Dependency check
+#
+# Arguments:
+# 1 Dependency to check for
+#
+function check_deps() {
+ [[ -z "$1" ]] && return
+ which "$1" >& /dev/null
+ return $?
+}
+
+#
+# Dependency verification
+#
+# Arguments:
+# 1 Dependency to check for
+#
+function verify_deps() {
+ [[ -z "$1" ]] && return
+ if ! check_deps "$1"; then
+ echo "error: install \"$1\" and include it in your \$PATH"
+ exit 1
+ fi
+}
+
+#
+# Print out script usage details
+#
+function usage() {
+cat << EOF
+usage: regression [-h] [-v] [-m MODE] [-a] [-b BATCH_NAME] [-l <LOG>]
+ [-s SINGLE_TEST] [-t <TEMP_DIR>] [-T <TEST_TYPE>]
+
+libseccomp regression test automation script
+optional arguments:
+ -h show this help message and exit
+ -m MODE specified the test mode [c (default), python]
+ can also be set via LIBSECCOMP_TSTCFG_MODE_LIST env variable
+ -a specifies all tests are to be run
+ -b BATCH_NAME specifies batch of tests to be run
+ can also be set via LIBSECCOMP_TSTCFG_BATCHES env variable
+ -l [LOG] specifies log file to write test results to
+ -s SINGLE_TEST specifies individual test number to be run
+ -t [TEMP_DIR] specifies directory to create temporary files in
+ -T [TEST_TYPE] only run tests matching the specified type
+ can also be set via LIBSECCOMP_TSTCFG_TYPE env variable
+ -v specifies that verbose output be provided
+EOF
+}
+
+#
+# Match on a single word/column in a CSV string
+#
+# Arguments:
+# 1 string containing the CSV
+# 2 string containing the word to match
+#
+# Returns true/0 if a match is found false/1 otherwise.
+#
+function match_csv_word() {
+ [[ -z $1 || -z $2 ]] && return 1
+
+ echo "$1" | sed 's/,/ /g' | grep -w "$2"
+}
+
+#
+# Generate a string representing the test number
+#
+# Arguments:
+# 1 string containing the batch name
+# 2 value of the test number from the input test data file
+# 3 value of the subtest number that corresponds to argument 1
+#
+# The actual test number from the input test data file is 1 for the first
+# test found in the file, 2 for the second, etc.
+#
+# The subtest number is useful for batches that generate multiple tests based
+# on a single line of input from the test data file. The subtest number
+# should be set to zero if the corresponding test data is actual test data
+# that was read from the input file, and should be set to a value greater than
+# zero if the corresponding test data is generated.
+#
+function generate_test_num() {
+ local testnumstr=$(printf '%s%%%%%03d-%05d' "$1" $2 $3)
+ echo "$testnumstr"
+}
+
+#
+# Print the test data to the log file
+#
+# Arguments:
+# 1 string containing generated test number
+# 2 string containing line of test data
+#
+function print_data() {
+ if [[ -n $verbose ]]; then
+ printf "Test %s data: %s\n" "$1" "$2" >&$logfd
+ fi
+}
+
+#
+# Print the test result to the log file
+#
+# Arguments:
+# 1 string containing generated test number
+# 2 string containing the test result (INFO, SUCCESS, ERROR, or FAILURE)
+# 3 string containing addition details
+#
+function print_result() {
+ if [[ $2 == "INFO" && -z $verbose ]]; then
+ return
+ fi
+ if [[ $3 == "" ]]; then
+ printf "Test %s result: %s\n" "$1" "$2" >&$logfd
+ else
+ printf "Test %s result: %s %s\n" "$1" "$2" "$3" >&$logfd
+ fi
+}
+
+#
+# Print the valgrind header to the log file
+#
+# Arguments:
+# 1 string containing generated test number
+#
+function print_valgrind() {
+ if [[ -n $verbose ]]; then
+ printf "Test %s valgrind output\n" "$1" >&$logfd
+ fi
+}
+
+#
+# Get the low or high range value from a range specification
+#
+# Arguments:
+# 1 value specifying range value to retrieve: low (1) or high (2)
+# 2 string containing dash-separated range or a single value
+#
+function get_range() {
+ if [[ $2 =~ ^[0-9a-fA-Fx]+-[0-9a-fA-Fx]+$ ]]; then
+ # if there's a dash, get the low or high range value
+ range_val=$(echo "$2" | cut -d'-' -f "$1")
+ else
+ # otherwise there should just be a single value
+ range_val="$2"
+ fi
+ echo "$range_val"
+}
+
+#
+# Get the number sequence for a given range with increments of 1, i.e.
+# implement a specialized seq(1).
+#
+# We use our own implementation based on miniseq in favour to the standard seq
+# tool as, at least, seq of coreutils v8.23 and v8.24 has problems on 32 bit
+# ARM for large numbers (see the mailing thread at
+# https://groups.google.com/forum/#!topic/libseccomp/VtrClkXxLGA).
+#
+# Arguments:
+# 1 starting value
+# 2 last value
+#
+function get_seq() {
+ # NOTE: this whole thing is a bit hacky, but we need to search around
+ # for miniseq to fix 'make distcheck', someday we should fix this
+ if [[ -x ./miniseq ]]; then
+ ./miniseq "$1" "$2"
+ elif [[ -x $basedir/miniseq ]]; then
+ $basedir/miniseq "$1" "$2"
+ else
+ # we're often run from a subshell, so we can't simply exit
+ echo "error: unable to find miniseq" >&2
+ kill $pid
+ fi
+}
+
+#
+# Run the specified test command (with valgrind if requested)
+#
+# Arguments:
+# 1 string containing generated test number
+# 2 string containing command name
+# 3 string containing command options
+# 4 number for the stdout fd
+# 5 number for the stderr fd
+#
+function run_test_command() {
+ local cmd
+
+ if [[ $mode == "python" ]]; then
+ cmd="PYTHONPATH=$PYTHONPATH"
+ cmd="$cmd:$(cd $(pwd)/../src/python/build/lib.*; pwd)"
+ # check and adjust if we are doing a VPATH build
+ if [[ -e "./$2.py" ]]; then
+ cmd="$cmd /usr/bin/env python $2.py $3"
+ else
+ cmd="$cmd /usr/bin/env python ${srcdir}/$2.py $3"
+ fi
+ else
+ cmd="$2 $3"
+ fi
+
+ # setup the stdout/stderr redirects
+ local stdout=$4
+ local stderr=$5
+ [[ -z $stdout ]] && stdout=$logfd
+ [[ -z $stderr ]] && stderr=$logfd
+
+ # run the command
+ eval "$cmd" 1>&$stdout 2>&$stderr
+
+ # return the command's return code
+ return $?
+}
+
+#
+# Generate pseudo-random string of alphanumeric characters
+#
+# The generated string will be no larger than the corresponding
+# architecture's register size.
+#
+function generate_random_data() {
+ local rcount
+ local rdata
+ if [[ $arch == "x86_64" ]]; then
+ rcount=$[ ($RANDOM % 16) + 1 ]
+ else
+ rcount=$[ ($RANDOM % 8) + 1 ]
+ fi
+ rdata=$(dd if=/dev/urandom bs=64 count=1 status=none | \
+ md5sum | awk '{ print $1 }' | head -c"$rcount")
+ echo "$rdata"
+}
+
+#
+# Run the specified "bpf-sim-fuzz" test
+#
+# Tests that belong to the "bpf-sim-fuzz" test type generate a BPF filter and
+# then run a simulated system call test with pseudo-random fuzz data for the
+# syscall and argument values. Tests that belong to this test type provide the
+# following data on a single line in the input batch file:
+#
+# Testname - The executable test name (e.g. 01-allow, 02-basic, etc.)
+# StressCount - The number of fuzz tests to run against the filter
+#
+# The following test data is output to the logfile for each generated test:
+#
+# Testname - The executable test name (e.g. 01-allow, 02-basic, etc.)
+# Syscall - The fuzzed syscall value to be simulated against the filter
+# Arg0-5 - The fuzzed syscall arg values to be simulated against the filter
+#
+# Arguments:
+# 1 string containing the batch name
+# 2 value of test number from batch file
+# 3 string containing line of test data from batch file
+#
+function run_test_bpf_sim_fuzz() {
+ local rc
+
+ # begin splitting the test data from the line into individual variables
+ local line=($3)
+ local testname=${line[0]}
+ local stress_count=${line[1]}
+
+ # check for stress count configuration via environment variables
+ [[ -n $LIBSECCOMP_TSTCFG_STRESSCNT ]] && \
+ stress_count=$LIBSECCOMP_TSTCFG_STRESSCNT
+
+ for i in $(get_seq 1 $stress_count); do
+ local sys=$(generate_random_data)
+ local -a arg=($(generate_random_data) $(generate_random_data) \
+ $(generate_random_data) $(generate_random_data) \
+ $(generate_random_data) $(generate_random_data))
+
+ # get the generated sub-test num string
+ local testnumstr=$(generate_test_num "$1" $2 $i)
+
+ # set up log file test data line for this individual test,
+ # spacing is added to align the output in the correct columns
+ local -a COL_WIDTH=(26 17 17 17 17 17 17)
+ local testdata=$(printf "%-${COL_WIDTH[0]}s" $testname)
+ testdata+=$(printf "%-${COL_WIDTH[1]}s" $sys)
+ testdata+=$(printf "%-${COL_WIDTH[2]}s" ${arg[0]})
+ testdata+=$(printf "%-${COL_WIDTH[3]}s" ${arg[1]})
+ testdata+=$(printf "%-${COL_WIDTH[4]}s" ${arg[2]})
+ testdata+=$(printf "%-${COL_WIDTH[5]}s" ${arg[3]})
+ testdata+=$(printf "%-${COL_WIDTH[6]}s" ${arg[4]})
+ testdata+=$(printf "%s" ${arg[5]})
+
+ # print out the generated test data to the log file
+ print_data "$testnumstr" "$testdata"
+
+ # set up the syscall argument values to be passed to bpf_sim
+ for i in {0..5}; do
+ arg[$i]=" -$i ${arg[$i]} "
+ done
+
+ # run the test command and put the BPF filter in a temp file
+ exec 4>$tmpfile
+ run_test_command "$testnumstr" "./$testname" "-b" 4 ""
+ rc=$?
+ exec 4>&-
+ if [[ $rc -ne 0 ]]; then
+ print_result $testnumstr "ERROR" "$testname rc=$rc"
+ stats_error=$(($stats_error+1))
+ return
+ fi
+
+ # simulate the fuzzed syscall data against the BPF filter, we
+ # don't verify the resulting action since we're just testing for
+ # stability
+ allow=$($GLBL_SYS_SIM -f $tmpfile -s $sys \
+ ${arg[0]} ${arg[1]} ${arg[2]} ${arg[3]} ${arg[4]} \
+ ${arg[5]})
+ rc=$?
+ if [[ $rc -ne 0 ]]; then
+ print_result $testnumstr "ERROR" "bpf_sim rc=$rc"
+ stats_error=$(($stats_error+1))
+ else
+ print_result $testnumstr "SUCCESS" ""
+ stats_success=$(($stats_success+1))
+ fi
+ stats_all=$(($stats_all+1))
+ done
+}
+
+#
+# Run the specified "bpf-sim" test
+#
+# Tests that belong to the "bpf-sim" test type generate a BPF filter and then
+# run a simulated system call test to validate the filter. Tests that belong to
+# this test type provide the following data on a single line in the input batch
+# file:
+#
+# Testname - The executable test name (e.g. 01-allow, 02-basic, etc.)
+# Arch - The architecture that the test should be run on (all, x86, x86_64)
+# Syscall - The syscall to simulate against the generated filter
+# Arg0-5 - The syscall arguments to simulate against the generated filter
+# Result - The expected simulation result (ALLOW, KILL, etc.)
+#
+# If a range of syscall or argument values are specified (e.g. 1-9), a test is
+# generated for every combination of range values. Otherwise, the individual
+# test is run.
+#
+# Arguments:
+# 1 string containing the batch name
+# 2 value of test number from batch file
+# 3 string containing line of test data from batch file
+#
+function run_test_bpf_sim() {
+ local rc
+ local LOW=1
+ local HIGH=2
+ local -a arg_empty=(false false false false false false)
+
+ # begin splitting the test data from the line into individual variables
+ local line=($3)
+ local testname=${line[0]}
+ local testarch=${line[1]}
+ local low_syscall #line[2]
+ local high_syscall #line[2]
+ local -a low_arg #line[3-8]
+ local -a high_arg #line[3-8]
+ local result=${line[9]}
+
+ # expand the architecture list
+ local simarch_tmp
+ local simarch_avoid
+ simarch_tmp=""
+ simarch_avoid=""
+ for arch_i in $(echo $testarch | sed -e 's/,/ /g'); do
+ case $arch_i in
+ all)
+ # add the native arch
+ simarch_tmp+=" $arch"
+ ;;
+ all_le)
+ # add the native arch only if it is little endian
+ if echo "$GLBL_ARCH_LE_SUPPORT" | grep -qw "$arch"; then
+ simarch_tmp+=" $arch"
+ fi
+ ;;
+ +all_le)
+ # add all of the little endian architectures
+ simarch_tmp+=" $GLBL_ARCH_LE_SUPPORT"
+ ;;
+ all_be)
+ # add the native arch only if it is big endian
+ if echo "$GLBL_ARCH_BE_SUPPORT" | grep -qw "$arch"; then
+ simarch_tmp+=" $arch"
+ fi
+ ;;
+ +all_be)
+ # add all of the big endian architectures
+ simarch_tmp+=" $GLBL_ARCH_BE_SUPPORT"
+ ;;
+ all_32)
+ # add the native arch only if it is 32-bit
+ if echo "$GLBL_ARCH_32B_SUPPORT" | grep -qw "$arch"; then
+ simarch_tmp+=" $arch"
+ fi
+ ;;
+ +all_32)
+ # add all of the 32-bit architectures
+ simarch_tmp+=" $GLBL_ARCH_32B_SUPPORT"
+ ;;
+ all_64)
+ # add the native arch only if it is 64-bit
+ if echo "$GLBL_ARCH_64B_SUPPORT" | grep -qw "$arch"; then
+ simarch_tmp+=" $arch"
+ fi
+ ;;
+ +all_64)
+ # add all of the 64-bit architectures
+ simarch_tmp+=" $GLBL_ARCH_64B_SUPPORT"
+ ;;
+ +*)
+ # add the architecture specified
+ simarch_tmp+=" ${arch_i:1}"
+ ;;
+ -*)
+ # remove the architecture specified
+ simarch_avoid+=" ${arch_i:1}"
+ ;;
+ *)
+ # add the architecture specified if it is native
+ if [[ "$arch_i" == "$arch" ]]; then
+ simarch_tmp+=" $arch_i"
+ fi
+ ;;
+ esac
+ done
+
+ # make sure we remove any undesired architectures
+ local simarch_list
+ simarch_list=""
+ for arch_i in $simarch_tmp; do
+ if echo "$simarch_avoid" | grep -q -v -w "$arch_i"; then
+ simarch_list+=" $arch_i"
+ fi
+ done
+ simarch_list=$(echo $simarch_list | sed -e 's/ / /g;s/^ //;')
+
+ # do we have any architectures remaining in the list?
+ if [[ $simarch_list == "" ]]; then
+ print_result $(generate_test_num "$1" $2 1) "SKIPPED" \
+ "(architecture difference)"
+ stats_skipped=$(($stats_skipped+1))
+ return
+ fi
+
+ # get low and high range arg values
+ line_i=3
+ for arg_i in {0..5}; do
+ low_arg[$arg_i]=$(get_range $LOW "${line[$line_i]}")
+ high_arg[$arg_i]=$(get_range $HIGH "${line[$line_i]}")
+
+ # fix up empty arg values so the nested loops work
+ if [[ ${low_arg[$arg_i]} == "N" ]]; then
+ arg_empty[$arg_i]=true
+ low_arg[$arg_i]=0
+ high_arg[$arg_i]=0
+ fi
+
+ line_i=$(($line_i+1))
+ done
+
+ # loop through the selected architectures
+ for simarch in $simarch_list; do
+ # print architecture header if necessary
+ if [[ $simarch != $simarch_list ]]; then
+ echo " test arch: $simarch" >&$logfd
+ fi
+
+ # reset the subtest number
+ local subtestnum=1
+
+ # get low and high syscall values and convert them to numbers
+ low_syscall=$(get_range $LOW "${line[2]}")
+ if [[ ! $low_syscall =~ ^\-?[0-9]+$ ]]; then
+ low_syscall=$($GLBL_SYS_RESOLVER -a $simarch -t \
+ $low_syscall)
+ if [[ $? -ne 0 ]]; then
+ print_result $(generate_test_num "$1" $2 1) \
+ "ERROR" "sys_resolver rc=$?"
+ stats_error=$(($stats_error+1))
+ return
+ fi
+ fi
+ high_syscall=$(get_range $HIGH "${line[2]}")
+ if [[ ! $high_syscall =~ ^\-?[0-9]+$ ]]; then
+ high_syscall=$($GLBL_SYS_RESOLVER -a $simarch -t \
+ $high_syscall)
+ if [[ $? -ne 0 ]]; then
+ print_result $(generate_test_num "$1" $2 1) \
+ "ERROR" "sys_resolver rc=$?"
+ stats_error=$(($stats_error+1))
+ return
+ fi
+ fi
+
+ # if ranges exist, the following will loop through all syscall
+ # and arg ranges and generate/run every combination of requested
+ # tests; if no ranges were specifed, then the single test is
+ # run
+ for sys in $(get_seq $low_syscall $high_syscall); do
+ for arg0 in $(get_seq ${low_arg[0]} ${high_arg[0]}); do
+ for arg1 in $(get_seq ${low_arg[1]} ${high_arg[1]}); do
+ for arg2 in $(get_seq ${low_arg[2]} ${high_arg[2]}); do
+ for arg3 in $(get_seq ${low_arg[3]} ${high_arg[3]}); do
+ for arg4 in $(get_seq ${low_arg[4]} ${high_arg[4]}); do
+ for arg5 in $(get_seq ${low_arg[5]} ${high_arg[5]}); do
+ local -a arg=($arg0 $arg1 $arg2 $arg3 $arg4 $arg5)
+
+ # Get the generated sub-test num string
+ local testnumstr=$(generate_test_num "$1" $2 \
+ $subtestnum)
+
+ # format any empty args to print to log file
+ for i in {0..5}; do
+ if ${arg_empty[$i]}; then
+ arg[$i]="N"
+ fi
+ done
+
+ # set up log file test data line for this
+ # individual test, spacing is added to align
+ # the output in the correct columns
+ local -a COL_WIDTH=(26 08 14 11 17 21 09 06 06)
+ local testdata=$(printf "%-${COL_WIDTH[0]}s" $testname)
+ testdata+=$(printf "%-${COL_WIDTH[1]}s" $simarch)
+ testdata+=$(printf "%-${COL_WIDTH[2]}s" $sys)
+ testdata+=$(printf "%-${COL_WIDTH[3]}s" ${arg[0]})
+ testdata+=$(printf "%-${COL_WIDTH[4]}s" ${arg[1]})
+ testdata+=$(printf "%-${COL_WIDTH[5]}s" ${arg[2]})
+ testdata+=$(printf "%-${COL_WIDTH[6]}s" ${arg[3]})
+ testdata+=$(printf "%-${COL_WIDTH[7]}s" ${arg[4]})
+ testdata+=$(printf "%-${COL_WIDTH[8]}s" ${arg[5]})
+ testdata+=$(printf "%-${COL_WIDTH[9]}s" $result)
+
+ # print out the test data to the log file
+ print_data "$testnumstr" "$testdata"
+
+ # set up the syscall arguments to be passed to bpf_sim
+ for i in {0..5}; do
+ if ${arg_empty[$i]}; then
+ arg[$i]=""
+ else
+ arg[$i]=" -$i ${arg[$i]} "
+ fi
+ done
+
+ # run the test command and put the BPF in a temp file
+ exec 4>$tmpfile
+ run_test_command "$testnumstr" "./$testname" "-b" 4 ""
+ rc=$?
+ exec 4>&-
+ if [[ $rc -ne 0 ]]; then
+ print_result $testnumstr \
+ "ERROR" "$testname rc=$rc"
+ stats_error=$(($stats_error+1))
+ return
+ fi
+
+ # simulate the specifed syscall against the BPF filter
+ # and verify the results
+ action=$($GLBL_SYS_SIM -a $simarch -f $tmpfile \
+ -s $sys ${arg[0]} ${arg[1]} ${arg[2]} \
+ ${arg[3]} ${arg[4]} ${arg[5]})
+ rc=$?
+ if [[ $rc -ne 0 ]]; then
+ print_result $testnumstr \
+ "ERROR" "bpf_sim rc=$rc"
+ stats_error=$(($stats_error+1))
+ elif [[ "$action" != "$result" ]]; then
+ print_result $testnumstr "FAILURE" \
+ "bpf_sim resulted in $action"
+ stats_failure=$(($stats_failure+1))
+ else
+ print_result $testnumstr "SUCCESS" ""
+ stats_success=$(($stats_success+1))
+ fi
+ stats_all=$(($stats_all+1))
+
+ subtestnum=$(($subtestnum+1))
+ done # syscall
+ done # arg0
+ done # arg1
+ done # arg2
+ done # arg3
+ done # arg4
+ done # arg5
+ done # architecture
+}
+
+#
+# Run the specified "basic" test
+#
+# Tests that belong to the "basic" test type will simply have the command
+# specified in the input batch file. The command must return zero for success
+# and non-zero for failure.
+#
+# Arguments:
+# 1 value of test number from batch file
+# 2 string containing line of test data from batch file
+#
+function run_test_basic() {
+ local rc
+ local cmd
+
+ # if the test is a script, only run it in native/c mode
+ if [[ $mode != "c" && "$2" == *.sh ]]; then
+ print_result "$1" "SKIPPED" "(only valid in native/c mode)"
+ stats_skipped=$(($stats_skipped+1))
+ return
+ fi
+
+ # print out the input test data to the log file
+ print_data "$1" "$2"
+
+ # check and adjust if we are doing a VPATH build
+ if [[ -x "./$2" ]]; then
+ cmd="./$2"
+ else
+ cmd="${srcdir}/$2"
+ fi
+
+ # run the command
+ run_test_command "$1" "$cmd" "" "" ""
+ rc=$?
+ if [[ $rc -ne 0 ]]; then
+ print_result $1 "FAILURE" "$2 rc=$rc"
+ stats_failure=$(($stats_failure+1))
+ else
+ print_result $1 "SUCCESS" ""
+ stats_success=$(($stats_success+1))
+ fi
+ stats_all=$(($stats_all+1))
+}
+
+#
+# Run the specified "bpf-valgrind" test
+#
+# Tests that belong to the "bpf-valgrind" test type generate a BPF filter
+# while running under valgrind to detect any memory errors.
+#
+# Arguments:
+# 1 value of test number from batch file
+# 2 string containing line of test data from batch file
+#
+function run_test_bpf_valgrind() {
+ local rc
+
+ # we only support the native/c test mode here
+ if [[ $mode != "c" ]]; then
+ print_result "$1" "SKIPPED" "(only valid in native/c mode)"
+ stats_skipped=$(($stats_skipped+1))
+ return
+ fi
+
+ # print out the input test data to the log file
+ print_data "$1" "$2"
+
+ # build the command
+ testvalgrind="valgrind \
+ --tool=memcheck \
+ --error-exitcode=1 \
+ --leak-check=full \
+ --read-var-info=yes \
+ --track-origins=yes \
+ --suppressions=$basedir/valgrind_test.supp"
+ if [[ -n $logfile ]]; then
+ testvalgrind+=" --log-fd=$logfd"
+ fi
+ if [[ -z $verbose ]]; then
+ testvalgrind+=" --quiet --log-fd=4"
+ fi
+
+ # run the command
+ exec 4>/dev/null
+ print_valgrind "$1"
+ run_test_command "$1" "$testvalgrind --" "./$2 -b" 4 2
+ rc=$?
+ exec 4>&-
+ if [[ $rc -ne 0 ]]; then
+ print_result $1 "FAILURE" "$2 rc=$rc"
+ stats_failure=$(($stats_failure+1))
+ else
+ print_result $1 "SUCCESS" ""
+ stats_success=$(($stats_success+1))
+ fi
+ stats_all=$(($stats_all+1))
+}
+
+#
+# Run the specified "live" test
+#
+# Tests that belong to the "live" test type will attempt to run a live test
+# of the libseccomp library on the host system; for obvious reasons the host
+# system must support seccomp mode 2 for this to work correctly.
+#
+# Arguments:
+# 1 value of test number from batch file
+# 2 string containing line of test data from batch file
+#
+function run_test_live() {
+ local rc
+ local api
+ local line=($2)
+
+ # parse the test line
+ line_cmd=${line[0]}
+ line_api=${line[1]}
+ line_act=${line[2]}
+ line_test="$line_cmd $line_api $line_act"
+
+ # check the api level
+ api=$($GLBL_SYS_API)
+ if [[ $api -lt $line_api ]]; then
+ # runtime api level is too low
+ print_result "$1" "SKIPPED" "(api level)"
+ stats_skipped=$(($stats_skipped+1))
+ return
+ fi
+
+ # print out the input test data to the log file
+ print_data "$1" "$2"
+
+ # run the command
+ exec 4>/dev/null
+ run_test_command "$1" "./$line_cmd" "$line_act" "" 4
+ rc=$?
+ exec 4>&-
+ stats_all=$(($stats_all+1))
+
+ # setup the arch specific return values
+ case "$arch" in
+ x86|x86_64|x32|arm|aarch64|parisc|parisc64|ppc|ppc64|ppc64le|ppc|s390|s390x|riscv64)
+ rc_kill_process=159
+ rc_kill=159
+ rc_allow=160
+ rc_trap=161
+ rc_trace=162
+ rc_errno=163
+ rc_log=164
+ ;;
+ mips|mipsel|mips64|mips64n32|mipsel64|mipsel64n32)
+ rc_kill_process=140
+ rc_kill=140
+ rc_allow=160
+ rc_trap=161
+ rc_trace=162
+ rc_errno=163
+ rc_log=164
+ ;;
+ *)
+ print_result $testnumstr "ERROR" "arch $arch not supported"
+ stats_error=$(($stats_error+1))
+ return
+ ;;
+ esac
+
+ # verify the results
+ if [[ $line_act == "KILL_PROCESS" && $rc -eq $rc_kill_process ]]; then
+ print_result $1 "SUCCESS" ""
+ stats_success=$(($stats_success+1))
+ elif [[ $line_act == "KILL" && $rc -eq $rc_kill ]]; then
+ print_result $1 "SUCCESS" ""
+ stats_success=$(($stats_success+1))
+ elif [[ $line_act == "ALLOW" && $rc -eq $rc_allow ]]; then
+ print_result $1 "SUCCESS" ""
+ stats_success=$(($stats_success+1))
+ elif [[ $line_act == "TRAP" && $rc -eq $rc_trap ]]; then
+ print_result $1 "SUCCESS" ""
+ stats_success=$(($stats_success+1))
+ elif [[ $line_act == "TRACE" ]]; then
+ print_result $1 "ERROR" "unsupported action \"$line_act\""
+ stats_error=$(($stats_error+1))
+ elif [[ $line_act == "ERRNO" && $rc -eq $rc_errno ]]; then
+ print_result $1 "SUCCESS" ""
+ stats_success=$(($stats_success+1))
+ elif [[ $line_act == "LOG" && $rc -eq $rc_log ]]; then
+ print_result $1 "SUCCESS" ""
+ stats_success=$(($stats_success+1))
+ else
+ print_result $1 "FAILURE" "$line_test rc=$rc"
+ stats_failure=$(($stats_failure+1))
+ fi
+}
+
+#
+# Run a single test from the specified batch
+#
+# Arguments:
+# 1 string containing the batch name
+# 2 value of test number from batch file
+# 3 string containing line of test data from batch file
+# 4 string containing test type that this test belongs to
+#
+function run_test() {
+ # generate the test number string for the line of batch test data
+ local testnumstr=$(generate_test_num "$1" $2 1)
+
+ # ensure we only run tests which match the specified type
+ match_csv_word "$type" "$4"
+ local type_match=$?
+ [[ -n $type && $type_match -eq 1 ]] && return
+
+ # execute the function corresponding to the test type
+ if [[ "$4" == "basic" ]]; then
+ run_test_basic "$testnumstr" "$3"
+ elif [[ "$4" == "bpf-sim" ]]; then
+ run_test_bpf_sim "$1" $2 "$3"
+ elif [[ "$4" == "bpf-sim-fuzz" ]]; then
+ run_test_bpf_sim_fuzz "$1" $2 "$3"
+ elif [[ "$4" == "bpf-valgrind" ]]; then
+ # only run this test if valgrind is installed
+ if check_deps valgrind; then
+ run_test_bpf_valgrind "$testnumstr" "$3"
+ else
+ print_result $testnumstr "SKIPPED" \
+ "(valgrind not installed)"
+ stats_skipped=$(($stats_skipped+1))
+ fi
+ elif [[ "$4" == "live" ]]; then
+ # only run this test if explicitly requested
+ if [[ -n $type ]]; then
+ run_test_live "$testnumstr" "$3"
+ else
+ print_result $testnumstr "SKIPPED" \
+ "(must specify live tests)"
+ stats_skipped=$(($stats_skipped+1))
+ fi
+ else
+ print_result $testnumstr "ERROR" "test type $4 not supported"
+ stats_error=$(($stats_error+1))
+ fi
+}
+
+#
+# Run the requested tests
+#
+function run_tests() {
+ # loop through all test files
+ for file in $basedir/*.tests; do
+ local testnum=1
+ local batch_requested=false
+ local batch_name=""
+
+ # extract the batch name from the file name
+ batch_name=$(basename $file .tests)
+
+ # check if this batch was requested
+ if [[ ${batch_list[@]} ]]; then
+ for b in ${batch_list[@]}; do
+ if [[ $b == $batch_name ]]; then
+ batch_requested=true
+ break
+ fi
+ done
+ if ! $batch_requested; then
+ continue
+ fi
+ fi
+
+ # print a test batch header
+ echo " batch name: $batch_name" >&$logfd
+
+ # loop through each line and run the requested tests
+ while read line; do
+ # strip whitespace, comments, and blank lines
+ line=$(echo "$line" | \
+ sed -e 's/^[\t ]*//;s/[\t ]*$//;' | \
+ sed -e '/^[#].*$/d;/^$/d')
+ if [[ -z $line ]]; then
+ continue
+ fi
+
+ if [[ $line =~ ^"test type": ]]; then
+ test_type=$(echo "$line" | \
+ sed -e 's/^test type: //;')
+ # print a test mode and type header
+ echo " test mode: $mode" >&$logfd
+ echo " test type: $test_type" >&$logfd
+ continue
+ fi
+
+ if [[ ${single_list[@]} ]]; then
+ for i in ${single_list[@]}; do
+ if [ $i -eq $testnum ]; then
+ # we're running a single test
+ run_test "$batch_name" \
+ $testnum "$line" \
+ "$test_type"
+ fi
+ done
+ else
+ # we're running a test from a batch
+ run_test "$batch_name" \
+ $testnum "$line" "$test_type"
+ fi
+ testnum=$(($testnum+1))
+ done < "$file"
+ done
+}
+
+####
+# main
+
+# verify general script dependencies
+verify_deps head
+verify_deps sed
+verify_deps awk
+verify_deps tr
+
+# global variables
+declare -a batch_list
+declare -a single_list
+arch=
+batch_count=0
+logfile=
+logfd=
+mode_list=""
+runall=
+singlecount=0
+tmpfile=""
+tmpdir=""
+type=
+verbose=
+stats_all=0
+stats_skipped=0
+stats_success=0
+stats_failure=0
+stats_error=0
+
+# set the test root directory
+basedir=$(dirname $0)
+
+# set the test harness pid
+pid=$$
+
+# parse the command line
+while getopts "ab:gl:m:s:t:T:vh" opt; do
+ case $opt in
+ a)
+ runall=1
+ ;;
+ b)
+ batch_list[batch_count]="$OPTARG"
+ batch_count=$(($batch_count+1))
+ ;;
+ l)
+ logfile="$OPTARG"
+ ;;
+ m)
+ case $OPTARG in
+ c)
+ mode_list="$mode_list c"
+ ;;
+ python)
+ verify_deps python
+ mode_list="$mode_list python"
+ ;;
+ *)
+ usage
+ exit 1
+ esac
+ ;;
+ s)
+ single_list[single_count]=$OPTARG
+ single_count=$(($single_count+1))
+ ;;
+ t)
+ tmpdir="$OPTARG"
+ ;;
+ T)
+ type="$OPTARG"
+ ;;
+ v)
+ verbose=1
+ ;;
+ h|*)
+ usage
+ exit 1
+ ;;
+ esac
+done
+
+# use mode list from environment if provided
+[[ -z $mode_list && -n $LIBSECCOMP_TSTCFG_MODE_LIST ]] && mode_list=$LIBSECCOMP_TSTCFG_MODE_LIST
+
+# determine the mode test automatically
+if [[ -z $mode_list ]]; then
+ # always perform the native c tests
+ mode_list="c"
+
+ # query the build configuration
+ if [[ -r "../configure.h" ]]; then
+ # python tests
+ [[ "$(grep "ENABLE_PYTHON" ../configure.h | \
+ awk '{ print $3 }')" = "1" ]] && \
+ mode_list="$mode_list python"
+ fi
+fi
+
+# check if we specified a list of tests via the environment variable
+if [[ -n $LIBSECCOMP_TSTCFG_BATCHES ]]; then
+ for i in $(echo "$LIBSECCOMP_TSTCFG_BATCHES" | sed 's/,/ /g'); do
+ batch_list[batch_count]="$i"
+ batch_count=$(($batch_count+1))
+ done
+fi
+
+# default to all tests if batch or single tests not requested
+if [[ -z $batch_list ]] && [[ -z $single_list ]]; then
+ runall=1
+fi
+
+# drop any requested batch and single tests if all tests were requested
+if [[ -n $runall ]]; then
+ batch_list=()
+ single_list=()
+fi
+
+# check for configuration via environment variables
+[[ -z $type && -n $LIBSECCOMP_TSTCFG_TYPE ]] && type=$LIBSECCOMP_TSTCFG_TYPE
+
+# open log file for append (default to stdout)
+if [[ -n $logfile ]]; then
+ logfd=3
+ exec 3>>"$logfile"
+else
+ logfd=1
+fi
+
+# open temporary file
+if [[ -n $tmpdir ]]; then
+ tmpfile=$(mktemp -t regression_XXXXXX --tmpdir=$tmpdir)
+else
+ tmpfile=$(mktemp -t regression_XXXXXX)
+fi
+
+# determine the current system's architecture
+arch=$($GLBL_SYS_ARCH)
+
+# display the test output and run the requested tests
+echo "=============== $(date) ===============" >&$logfd
+echo "Regression Test Report (\"regression $*\")" >&$logfd
+for mode in $mode_list; do
+ run_tests
+done
+echo "Regression Test Summary" >&$logfd
+echo " tests run: $stats_all" >&$logfd
+echo " tests skipped: $stats_skipped" >&$logfd
+echo " tests passed: $stats_success" >&$logfd
+echo " tests failed: $stats_failure" >&$logfd
+echo " tests errored: $stats_error" >&$logfd
+echo "============================================================" >&$logfd
+
+# cleanup and exit
+rm -f $tmpfile
+rc=0
+[[ $stats_failure -gt 0 ]] && rc=$(($rc + 2))
+[[ $stats_error -gt 0 ]] && rc=$(($rc + 4))
+
+exit $rc
diff --git a/tests/testdiff b/tests/testdiff
new file mode 100755
index 0000000..927c754
--- /dev/null
+++ b/tests/testdiff
@@ -0,0 +1,126 @@
+#!/bin/bash
+
+#
+# libseccomp test diff generator
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+####
+# functions
+
+#
+# Print out script usage details
+#
+function usage() {
+cat << EOF
+usage: regression [-h] LABEL_1 LABEL_2
+
+libseccomp test diff generator script
+optional arguments:
+ -h show this help message and exit
+EOF
+}
+
+#
+# Print the test header
+#
+# Arguments:
+# 1 string containing generated test number
+#
+function print_test() {
+ printf "Test %s comparison:\n" "$1"
+}
+
+#
+# Compare the tests
+#
+# Arguments:
+# 1 string containing first test label
+# 2 string containing second test label
+#
+function diff_tests() {
+ local batch_name
+ local label_a
+ local label_b
+ local file_a
+ local file_b
+
+ if [[ -n $1 ]]; then
+ label_a=".$1"
+ else
+ label_a=""
+ fi
+
+ if [[ -n $2 ]]; then
+ label_b=".$2"
+ else
+ label_b=""
+ fi
+
+ for file in *-sim-*.tests; do
+ # extract the batch name from the file name
+ batch_name=$(basename $file .tests)
+
+ print_test "$batch_name"
+
+ file_a="${batch_name}${label_a}"
+ file_b="${batch_name}${label_b}"
+
+ if [[ -r "$file_a.pfc" && -r "$file_b.pfc" ]]; then
+ diff -pu "$file_a.pfc" "$file_b.pfc"
+ fi
+
+ if [[ -r "$file_a.bpf" && -r "$file_b.bpf" ]]; then
+ diff -pu "$file_a.bpf" "$file_b.bpf"
+ fi
+
+ if [[ -r "$file_a.bpfd" && -r "$file_b.bpfd" ]]; then
+ diff -pu "$file_a.bpfd" "$file_b.bpfd"
+ fi
+ done
+
+ return
+}
+
+####
+# main
+
+opt_label=
+opt_disasm=0
+
+while getopts "h" opt; do
+ case $opt in
+ h|*)
+ usage
+ exit 1
+ ;;
+ esac
+done
+
+stats_all=0
+stats_failure=0
+
+# display the test output and run the requested tests
+echo "=============== $(date) ==============="
+echo "Comparing Test Output (\"testdiff $*\")"
+diff_tests "$1" "$2"
+echo "============================================================"
+
+# exit
+exit 0
diff --git a/tests/testgen b/tests/testgen
new file mode 100755
index 0000000..5a940e8
--- /dev/null
+++ b/tests/testgen
@@ -0,0 +1,207 @@
+#!/bin/bash
+
+#
+# libseccomp test output generator
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+####
+# functions
+
+#
+# Dependency verification
+#
+# Arguments:
+# 1 Dependency to check for
+#
+function verify_deps() {
+ [[ -z "$1" ]] && return
+ if ! which "$1" >& /dev/null; then
+ echo "error: install \"$1\" and include it in your \$PATH"
+ exit 1
+ fi
+}
+
+#
+# Print out script usage details
+#
+function usage() {
+cat << EOF
+usage: regression [-h] [-d] [-l LABEL]
+
+libseccomp test output generator script
+optional arguments:
+ -h show this help message and exit
+ -b generate BPF output
+ -d generate disassembled BPF output
+ -p generate PFC output
+ -v perform valgrind checks
+ -l [LABEL] specifies label for the test output
+EOF
+}
+
+#
+# Print the test result
+#
+# Arguments:
+# 1 string containing generated test number
+# 2 string containing the test result
+#
+function print_result() {
+ printf "Test %s result: %s\n" "$1" "$2"
+}
+
+#
+# Run the tests
+#
+# Arguments:
+# 1 string containing output label
+#
+function run_tests() {
+ local batch_name
+ local label
+ local rc
+
+ if [[ -n $1 ]]; then
+ label=".$1"
+ else
+ label=""
+ fi
+
+ for file in *-sim-*.tests; do
+ # extract the batch name from the file name
+ batch_name=$(basename $file .tests)
+
+ if [[ -x "$batch_name" ]]; then
+ if [[ $opt_pfc -eq 1 ]]; then
+ ./$batch_name > ${batch_name}${label}.pfc
+ rc=$?
+ stats_all=$(($stats_all + 1))
+ if [[ $rc -eq 0 ]]; then
+ print_result "$batch_name [pfc]" "SUCCESS"
+ else
+ stats_failure=$(($stats_failure + 1))
+ print_result "$batch_name [pfc]" "FAILURE"
+ fi
+ fi
+
+ if [[ $opt_bpf -eq 1 ]]; then
+ ./$batch_name -b > ${batch_name}${label}.bpf
+ rc=$?
+ stats_all=$(($stats_all + 1))
+ if [[ $rc -eq 0 ]]; then
+ print_result "$batch_name [bpf]" "SUCCESS"
+ else
+ stats_failure=$(($stats_failure + 1))
+ print_result "$batch_name [bpf]" "FAILURE"
+ fi
+ fi
+
+ if [[ $opt_disasm -eq 1 ]]; then
+ ./$batch_name -b | \
+ ../tools/scmp_bpf_disasm > ${batch_name}${label}.bpfd
+ rc=$?
+ stats_all=$(($stats_all + 1))
+ if [[ $rc -eq 0 ]]; then
+ print_result "$batch_name [bpfd]" "SUCCESS"
+ else
+ stats_failure=$(($stats_failure + 1))
+ print_result "$batch_name [bpfd]" "FAILURE"
+ fi
+ fi
+
+ if [[ $opt_valgrind -eq 1 ]]; then
+ valgrind --tool=memcheck \
+ --quiet --error-exitcode=1 \
+ --leak-check=full \
+ --read-var-info=yes \
+ --track-origins=yes \
+ --suppressions=valgrind_test.supp \
+ -- ./$batch_name -b > /dev/null
+ rc=$?
+ stats_all=$(($stats_all + 1))
+ if [[ $rc -eq 0 ]]; then
+ print_result "$batch_name [valgrind]" "SUCCESS"
+ else
+ stats_failure=$(($stats_failure + 1))
+ print_result "$batch_name [valgrind]" "FAILURE"
+ fi
+ fi
+ else
+ stats_failure=$(($stats_failure + 1))
+ print_result "$batch_name" "FAILURE"
+ fi
+ done
+
+ return
+}
+
+####
+# main
+
+opt_label=
+opt_bpf=0
+opt_disasm=0
+opt_pfc=0
+opt_valgrind=0
+
+while getopts "bphdl:v" opt; do
+ case $opt in
+ b)
+ opt_bpf=1
+ ;;
+ d)
+ opt_disasm=1
+ ;;
+ l)
+ opt_label="$OPTARG"
+ ;;
+ p)
+ opt_pfc=1
+ ;;
+ v)
+ opt_valgrind=1
+ ;;
+ h|*)
+ usage
+ exit 1
+ ;;
+ esac
+done
+
+# verify valgrind
+[[ $opt_valgrind -eq 1 ]] && verify_deps valgrind
+
+stats_all=0
+stats_failure=0
+
+# display the test output and run the requested tests
+echo "=============== $(date) ==============="
+echo "Collecting Test Output (\"testgen $*\")"
+run_tests "$opt_label"
+echo "Test Summary"
+echo " tests run: $stats_all"
+echo " tests failed: $stats_failure"
+echo "============================================================"
+
+# cleanup and exit
+rc=0
+[[ $stats_failure -gt 0 ]] && rc=$(($rc + 2))
+
+exit $rc
diff --git a/tests/util.c b/tests/util.c
new file mode 100644
index 0000000..f978e8a
--- /dev/null
+++ b/tests/util.c
@@ -0,0 +1,253 @@
+/**
+ * Seccomp Library utility code for tests
+ *
+ * Copyright (c) 2012 Red Hat <eparis@redhat.com>
+ * Author: Eric Paris <eparis@redhat.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <getopt.h>
+#include <signal.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+/**
+ * SIGSYS signal handler
+ * @param nr the signal number
+ * @param info siginfo_t pointer
+ * @param void_context handler context
+ *
+ * Simple signal handler for SIGSYS which exits with error code 161.
+ *
+ */
+static void _trap_handler(int signal, siginfo_t *info, void *ctx)
+{
+ _exit(161);
+}
+
+/**
+ * Add rules for gcov/lcov
+ * @param ctx the filter context
+ * @param action the action for the rules
+ *
+ * This function is to make it easier for developers to temporarily add support
+ * for gcov/lcov to a test program; it likely should not be used in the normal
+ * regression tests. Further, this should only be necessary for the "live"
+ * tests.
+ *
+ */
+int util_gcov_rules(const scmp_filter_ctx ctx, int action)
+{
+ int rc;
+
+ rc = seccomp_rule_add(ctx, action, SCMP_SYS(open), 0);
+ if (rc != 0)
+ return rc;
+ rc = seccomp_rule_add(ctx, action, SCMP_SYS(openat), 0);
+ if (rc != 0)
+ return rc;
+ rc = seccomp_rule_add(ctx, action, SCMP_SYS(fcntl), 0);
+ if (rc != 0)
+ return rc;
+ rc = seccomp_rule_add(ctx, action, SCMP_SYS(lseek), 0);
+ if (rc != 0)
+ return rc;
+ rc = seccomp_rule_add(ctx, action, SCMP_SYS(read), 0);
+ if (rc != 0)
+ return rc;
+ rc = seccomp_rule_add(ctx, action, SCMP_SYS(write), 0);
+ if (rc != 0)
+ return rc;
+ rc = seccomp_rule_add(ctx, action, SCMP_SYS(getpid), 0);
+ if (rc != 0)
+ return rc;
+
+ return 0;
+}
+
+/**
+ * Parse the arguments passed to main
+ * @param argc the argument count
+ * @param argv the argument pointer
+ * @param opts the options structure
+ *
+ * This function parses the arguments passed to the test from the command line.
+ * Returns zero on success and negative values on failure.
+ *
+ */
+int util_getopt(int argc, char *argv[], struct util_options *opts)
+{
+ int rc = 0;
+
+ if (opts == NULL)
+ return -EFAULT;
+
+ memset(opts, 0, sizeof(*opts));
+ while (1) {
+ int c, option_index = 0;
+ const struct option long_options[] = {
+ {"bpf", no_argument, &(opts->bpf_flg), 1},
+ {"pfc", no_argument, &(opts->bpf_flg), 0},
+ {0, 0, 0, 0},
+ };
+
+ c = getopt_long(argc, argv, "bp",
+ long_options, &option_index);
+ if (c == -1)
+ break;
+
+ switch (c) {
+ case 0:
+ break;
+ case 'b':
+ opts->bpf_flg = 1;
+ break;
+ case 'p':
+ opts->bpf_flg = 0;
+ break;
+ default:
+ rc = -EINVAL;
+ break;
+ }
+ }
+
+ if (rc == -EINVAL || optind < argc) {
+ fprintf(stderr, "usage %s: [--bpf,-b] [--pfc,-p]\n", argv[0]);
+ rc = -EINVAL;
+ }
+
+ return rc;
+}
+
+/**
+ * Output the filter in either BPF or PFC
+ * @param opts the options structure
+ * @param ctx the filter context
+ *
+ * This function outputs the seccomp filter to stdout in either BPF or PFC
+ * format depending on the test paramaeters supplied by @opts.
+ *
+ */
+int util_filter_output(const struct util_options *opts,
+ const scmp_filter_ctx ctx)
+{
+ int rc;
+
+ if (opts == NULL)
+ return -EFAULT;
+
+ if (opts->bpf_flg)
+ rc = seccomp_export_bpf(ctx, STDOUT_FILENO);
+ else
+ rc = seccomp_export_pfc(ctx, STDOUT_FILENO);
+
+ return rc;
+}
+
+/**
+ * Install a TRAP action signal handler
+ *
+ * This function installs the TRAP action signal handler and is based on
+ * examples from Will Drewry and Kees Cook. Returns zero on success, negative
+ * values on failure.
+ *
+ */
+int util_trap_install(void)
+{
+ struct sigaction signal_handler;
+ sigset_t signal_mask;
+
+ memset(&signal_handler, 0, sizeof(signal_handler));
+ sigemptyset(&signal_mask);
+ sigaddset(&signal_mask, SIGSYS);
+
+ signal_handler.sa_sigaction = &_trap_handler;
+ signal_handler.sa_flags = SA_SIGINFO;
+ if (sigaction(SIGSYS, &signal_handler, NULL) < 0)
+ return -errno;
+ if (sigprocmask(SIG_UNBLOCK, &signal_mask, NULL))
+ return -errno;
+
+ return 0;
+}
+
+/**
+ * Parse a filter action string into an action value
+ * @param action the action string
+ *
+ * Parse a seccomp action string into the associated integer value. Returns
+ * the correct value on success, -1 on failure.
+ *
+ */
+int util_action_parse(const char *action)
+{
+ if (action == NULL)
+ return -1;
+
+ if (strcasecmp(action, "KILL") == 0)
+ return SCMP_ACT_KILL;
+ if (strcasecmp(action, "KILL_PROCESS") == 0)
+ return SCMP_ACT_KILL_PROCESS;
+ else if (strcasecmp(action, "TRAP") == 0)
+ return SCMP_ACT_TRAP;
+ else if (strcasecmp(action, "ERRNO") == 0)
+ return SCMP_ACT_ERRNO(163);
+ else if (strcasecmp(action, "TRACE") == 0)
+ return -1; /* not yet supported */
+ else if (strcasecmp(action, "ALLOW") == 0)
+ return SCMP_ACT_ALLOW;
+ else if (strcasecmp(action, "LOG") == 0)
+ return SCMP_ACT_LOG;
+
+ return -1;
+}
+
+/**
+ * Write a string to a file
+ * @param path the file path
+ *
+ * Open the specified file, write a string to the file, and close the file.
+ * Return zero on success, negative values on error.
+ *
+ */
+int util_file_write(const char *path)
+{
+ int fd;
+ const char buf[] = "testing";
+ ssize_t buf_len = strlen(buf);
+
+ fd = open(path, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
+ if (fd < 0)
+ return -errno;
+ if (write(fd, buf, buf_len) < buf_len) {
+ int rc = -errno;
+ close(fd);
+ return rc;
+ }
+ if (close(fd) < 0)
+ return -errno;
+
+ return 0;
+}
diff --git a/tests/util.h b/tests/util.h
new file mode 100644
index 0000000..909bef5
--- /dev/null
+++ b/tests/util.h
@@ -0,0 +1,42 @@
+/**
+ * Seccomp Library utility code for tests
+ *
+ * Copyright IBM Corp. 2012
+ * Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#ifndef _UTIL_TEST_H
+#define _UTIL_TEST_H
+
+struct util_options {
+ int bpf_flg;
+};
+
+int util_getopt(int argc, char *argv[], struct util_options *opts);
+
+int util_gcov_rules(const scmp_filter_ctx ctx, int action);
+
+int util_filter_output(const struct util_options *opts,
+ const scmp_filter_ctx ctx);
+
+int util_trap_install(void);
+
+int util_action_parse(const char *action);
+
+int util_file_write(const char *path);
+
+#endif
diff --git a/tests/util.py b/tests/util.py
new file mode 100755
index 0000000..e601f2d
--- /dev/null
+++ b/tests/util.py
@@ -0,0 +1,109 @@
+#
+# Seccomp Library utility code for tests
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+""" Python utility code for the libseccomp test suite """
+
+import argparse
+import os
+import sys
+import signal
+
+from seccomp import *
+
+def trap_handler(signum, frame):
+ """ SIGSYS signal handler, internal use only
+ """
+ os._exit(161)
+
+def get_opt():
+ """ Parse the arguments passed to main
+
+ Description:
+ Parse the arguments passed to the test from the command line. Returns
+ a parsed argparse object.
+ """
+ parser = argparse.ArgumentParser()
+ parser.add_argument("-b", "--bpf", action="store_true")
+ parser.add_argument("-p", "--pfc", action="store_true")
+ return parser.parse_args()
+
+def filter_output(args, ctx):
+ """ Output the filter in either BPF or PFC
+
+ Arguments:
+ args - an argparse object from UtilGetOpt()
+ ctx - a seccomp SyscallFilter object
+
+ Description:
+ Output the SyscallFilter to stdout in either BPF or PFC format depending
+ on the test's command line arguments.
+ """
+ if (args.bpf):
+ ctx.export_bpf(sys.stdout)
+ else:
+ ctx.export_pfc(sys.stdout)
+
+def install_trap():
+ """ Install a TRAP action signal handler
+
+ Description:
+ Install the TRAP action signal handler.
+ """
+ signal.signal(signal.SIGSYS, trap_handler)
+
+def parse_action(action):
+ """ Parse a filter action string into an action value
+
+ Arguments:
+ action - the action string
+
+ Description:
+ Parse a seccomp action string into the associated integer value.
+ """
+ if action == "KILL":
+ return KILL
+ elif action == "TRAP":
+ return TRAP
+ elif action == "ERRNO":
+ return ERRNO(163)
+ elif action == "TRACE":
+ raise RuntimeError("the TRACE action is not currently supported")
+ elif action == "ALLOW":
+ return ALLOW
+ raise RuntimeError("invalid action string")
+
+
+def write_file(path):
+ """ Write a string to a file
+
+ Arguments:
+ path - the file path
+
+ Description:
+ Open the specified file, write a string to the file, and close the file.
+ """
+ fd = os.open(str(path), os.O_WRONLY|os.O_CREAT)
+ if not os.write(fd, b"testing") == len("testing"):
+ raise IOError("failed to write the full test string in write_file()")
+ os.close(fd)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/valgrind_test.supp b/tests/valgrind_test.supp
new file mode 100644
index 0000000..6a13968
--- /dev/null
+++ b/tests/valgrind_test.supp
@@ -0,0 +1,27 @@
+#
+# Valgrind suppression file for the libseccomp automated tests
+#
+
+# information:
+# to create entries run with the "--gen-suppressions=all" option, e.g.
+# valgrind --gen-suppressions=all ...
+# to use the suppressions run with the "--suppressions" options, e.g.
+# valgrind --suppressions=<file> ...
+
+# Gentoo x86-64 system with valgrind-3.9.0 and glibc-2.19
+{
+ gentoo-x86-64_valgrind-3.9.0_glibc-2.19_1
+ Memcheck:Cond
+ fun:index
+ fun:expand_dynamic_string_token
+ fun:_dl_map_object
+ fun:map_doit
+ fun:_dl_catch_error
+ fun:do_preload
+ fun:dl_main
+ fun:_dl_sysdep_start
+ fun:_dl_start
+ obj:/lib64/ld-2.19.so
+ obj:*
+ obj:*
+}
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-01 12:46:53 +0000