tests: Add test for kernel version attribute

Add a test, 63-sim-kernel_version.[c|py], to test the kernel version
logic.

Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>

Author: drakenclimber

tests/.gitignore

@@ -70,3 +70,4 @@ util.pyc
 60-sim-precompute
 61-sim-transactions
 62-sim-arch_transactions
+63-sim-kernel_version

tests/63-sim-kernel_version.c

@@ -0,0 +1,99 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2025 Oracle and/or its affiliates.
+ * Author: Tom Hromatka <tom.hromatka@oracle.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+#include <stdio.h>
+int main(int argc, char *argv[])
+{
+	int rc;
+	struct util_options opts;
+	scmp_filter_ctx ctx = NULL;
+
+	rc = util_getopt(argc, argv, &opts);
+	if (rc < 0)
+		goto out;
+
+	ctx = seccomp_init(SCMP_ACT_KILL);
+	if (ctx == NULL)
+		return ENOMEM;
+
+	rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+	if (rc != 0)
+		goto out;
+
+	rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64);
+	if (rc != 0)
+		goto out;
+	rc = seccomp_arch_add(ctx, SCMP_ARCH_X32);
+	if (rc != 0)
+		goto out;
+
+	rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
+	if (rc != 0)
+		goto out;
+	rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
+	if (rc != 0)
+		goto out;
+	rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(poll), 0);
+	if (rc != 0)
+		goto out;
+	rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(nanosleep), 0);
+	if (rc != 0)
+		goto out;
+
+	rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
+	if (rc != 0)
+		goto out;
+	rc = seccomp_attr_set(ctx, SCMP_FLTATR_ACT_ENOSYS, SCMP_ACT_ERRNO(3));
+	if (rc != 0)
+		goto out;
+	rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_KVERMAX, SCMP_KV_6_5);
+	if (rc != 0)
+		goto out;
+
+	/* unknown action must be set before the kernel version is set */
+	rc = seccomp_attr_set(ctx, SCMP_FLTATR_ACT_ENOSYS, SCMP_ACT_ERRNO(9));
+	if (rc != -EINVAL)
+		goto out;
+
+	/*
+	 * Attempt to add a rule after the maximum kernel version has been
+	 * set.  This should fail because libseccomp currently does not
+	 * support overwriting existing rules.
+	 */
+	rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
+	if (rc != -EINVAL)
+		goto out;
+
+	rc = util_filter_output(&opts, ctx);
+	if (rc)
+		goto out;
+
+out:
+	seccomp_release(ctx);
+	return (rc < 0 ? -rc : rc);
+}

tests/63-sim-kernel_version.py

@@ -0,0 +1,55 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2025 Oracle and/or its affiliates.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+    f = SyscallFilter(KILL)
+    # NOTE: some of these arch functions are not strictly necessary, but are
+    #       here for test sanity/coverage
+    f.remove_arch(Arch())
+    f.add_arch(Arch("x86_64"))
+    f.add_arch(Arch("x32"))
+
+    f.add_rule(ALLOW, "read")
+    f.add_rule(ALLOW, "write")
+    f.add_rule(ALLOW, "poll")
+    f.add_rule(ALLOW, "nanosleep")
+
+    f.set_attr(Attr.CTL_OPTIMIZE, 2)
+    f.set_attr(Attr.ACT_ENOSYS, ERRNO(3))
+    f.set_attr(Attr.CTL_KVERMAX, Kver.v6_5)
+
+    return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;

tests/63-sim-kernel_version.tests

@@ -0,0 +1,37 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2025 Oracle and/or its affiliates.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+test type: bpf-sim
+
+# Testname		Arch	Syscall	Arg0	Arg1	Arg2	Arg3	Arg4	Arg5	Result
+63-sim-kernel_version	+x86_64,+x32	read	N	N	N	N	N	N	ALLOW
+63-sim-kernel_version	+x86_64,+x32	write	N	N	N	N	N	N	ALLOW
+63-sim-kernel_version	+x86_64,+x32	poll	N	N	N	N	N	N	ALLOW
+63-sim-kernel_version	+x86_64,+x32	nanosleep	N	N	N	N	N	N	ALLOW
+
+63-sim-kernel_version	+x86_64,+x32	2-6	N	N	N	N	N	N	KILL
+63-sim-kernel_version	+x86_64,+x32	8-34	N	N	N	N	N	N	KILL
+63-sim-kernel_version	+x86_64,+x32	36-133	N	N	N	N	N	N	KILL
+63-sim-kernel_version	+x86_64,+x32	135-155	N	N	N	N	N	N	KILL
+63-sim-kernel_version	+x86_64,+x32	158-173	N	N	N	N	N	N	KILL
+63-sim-kernel_version	+x86_64,+x32	179	N	N	N	N	N	N	KILL
+63-sim-kernel_version	+x86_64,+x32	186-235	N	N	N	N	N	N	KILL
+63-sim-kernel_version	+x86_64,+x32	237-313	N	N	N	N	N	N	KILL
+63-sim-kernel_version	+x86_64,+x32	335	N	N	N	N	N	N	ERRNO(3)
+63-sim-kernel_version	+x86_64,+x32	424-451	N	N	N	N	N	N	KILL
+
+63-sim-kernel_version	+x86_64,+x32	452-466	N	N	N	N	N	N	ERRNO(3)
+
+test type: bpf-sim-fuzz
+
+# Testname		StressCount
+63-sim-kernel_version	5
+
+test type: bpf-valgrind
+
+# Testname
+63-sim-kernel_version

tests/Makefile.am

@@ -97,7 +97,8 @@ check_PROGRAMS = \
 	59-basic-empty_binary_tree \
 	60-sim-precompute \
 	61-sim-transactions \
-	62-sim-arch_transactions
+	62-sim-arch_transactions \
+	63-sim-kernel_version
 
 EXTRA_DIST_TESTPYTHON = \
 	util.py \
@@ -160,7 +161,8 @@ EXTRA_DIST_TESTPYTHON = \
 	59-basic-empty_binary_tree.py \
 	60-sim-precompute.py \
 	61-sim-transactions.py \
-	62-sim-arch_transactions.py
+	62-sim-arch_transactions.py \
+	63-sim-kernel_version.py
 
 EXTRA_DIST_TESTCFGS = \
 	01-sim-allow.tests \
@@ -224,7 +226,8 @@ EXTRA_DIST_TESTCFGS = \
 	59-basic-empty_binary_tree.tests \
 	60-sim-precompute.tests \
 	61-sim-transactions.tests \
-	62-sim-arch_transactions.tests
+	62-sim-arch_transactions.tests \
+	63-sim-kernel_version.tests
 
 EXTRA_DIST_TESTSCRIPTS = \
 	38-basic-pfc_coverage.sh 38-basic-pfc_coverage.pfc \