From c536b2561bb4b2b15e869e20fcde5c7e5301474f Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Thu, 29 Apr 2021 13:18:39 +0200
Subject: [PATCH] test: rework seccomp testing

Instead of a single test with enabled seccomp, rerun all other non-destructive and destructive tests for each seccomp level.
---
 test/system/005-scfilter | 17 -----------------
 test/system/099-scfilter | 24 ++++++++++++++++++++++++
 test/system/199-scfilter | 24 ++++++++++++++++++++++++
 test/system/test.common | 2 ++
 4 files changed, 50 insertions(+), 17 deletions(-)
 delete mode 100755 test/system/005-scfilter
 create mode 100755 test/system/099-scfilter
 create mode 100755 test/system/199-scfilter

diff --git a/test/system/005-scfilter b/test/system/005-scfilter
deleted file mode 100755
index 778a688..0000000
--- a/test/system/005-scfilter
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/usr/bin/env bash
-
-. ./test.common
-
-check_chronyd_features SCFILTER || test_skip "SCFILTER support disabled"
-
-test_start "system call filter"
-
-for extra_chronyd_options in "-F -1" "-F 1"; do
- start_chronyd || test_fail
- wait_for_sync || test_fail
- stop_chronyd || test_fail
- check_chronyd_messages || test_fail
- check_chronyd_files || test_fail
-done
-
-test_pass
diff --git a/test/system/099-scfilter b/test/system/099-scfilter
new file mode 100755
index 0000000..b3f26fd
--- /dev/null
+++ b/test/system/099-scfilter
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+. ./test.common
+
+check_chronyd_features SCFILTER || test_skip "SCFILTER support disabled"
+
+test_start "system call filter in non-destructive tests"
+
+for level in "-1" "1"; do
+ test_message 1 1 "level $level:"
+ for test in 0[0-8][0-9]-*[^_]; do
+ test_message 2 0 "$test"
+ TEST_SCFILTER=$level "./$test" > /dev/null 2> /dev/null
+ result=$?
+
+ if [ $result != 0 ] && [ $result != 9 ] ; then
+ test_bad
+ test_fail
+ fi
+ test_ok
+ done
+done
+
+test_pass
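Review bot: Sending both streams to `/dev/null` in the inner loop of 099-scfilter leaves nothing to diagnose a sub-test that fails only under a filter level; the wrapper prints the sub-test name and `test_bad` and stops. Which call or check tripped is exactly what a seccomp regression needs, so the output is worth capturing and showing on failure, for example `out=$(TEST_SCFILTER=$level "./$test" 2>&1)` followed by `result=$?`, with `printf '%s\n' "$out"` placed before `test_bad`. The identical line in 199-scfilter has the same gap.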
diff --git a/test/system/199-scfilter b/test/system/199-scfilter
new file mode 100755
index 0000000..749d159
--- /dev/null
+++ b/test/system/199-scfilter
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+. ./test.common
+
+check_chronyd_features SCFILTER || test_skip "SCFILTER support disabled"
+
+test_start "system call filter in destructive tests"
+
+for level in "-1" "1"; do
+ test_message 1 1 "level $level:"
+ for test in 1[0-8][0-9]-*[^_]; do
+ test_message 2 0 "$test"
+ TEST_SCFILTER=$level "./$test" > /dev/null 2> /dev/null
+ result=$?
+
+ if [ $result != 0 ] && [ $result != 9 ] ; then
+ test_bad
+ test_fail
+ fi
+ test_ok
+ done
+done
+
+test_pass
diff --git a/test/system/test.common b/test/system/test.common
index 2c5b259..db8e899 100644
--- a/test/system/test.common
+++ b/test/system/test.common
@@ -20,6 +20,7 @@ TEST_DIR=${TEST_DIR:-$(pwd)/tmp}
 TEST_LIBDIR=${TEST_LIBDIR:-$TEST_DIR}
 TEST_LOGDIR=${TEST_LOGDIR:-$TEST_DIR}
 TEST_RUNDIR=${TEST_RUNDIR:-$TEST_DIR}
+TEST_SCFILTER=${TEST_SCFILTER:-0}

 test_start() {
 check_chronyd_features NTP CMDMON || test_skip "NTP/CMDMON support disabled"
@@ -242,6 +243,7 @@ get_chronyd_options() {
 echo "-l $(get_logfile)"
 echo "-f $(get_conffile)"
 echo "-u $user"
+ echo "-F $TEST_SCFILTER"
 echo "$extra_chronyd_options"
 }
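Review bot: The check `[ $result != 0 ] && [ $result != 9 ]` in 199-scfilter accepts exit status 9 without saying what it stands for, and `test_ok` is then printed for it, so a sub-test that never ran under the filter looks the same as one that passed. If 9 is the status test_skip exits with (its definition is not part of this diff), a comment such as `# 9 = sub-test skipped itself` would document that. Reporting skips with a marker other than `test_ok` would also show when a level exercised little or nothing. The same check appears in 099-scfilter.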
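Review bot: `TEST_SCFILTER` is read from the environment in the first test.common hunk with no comment on what it controls or which values are expected. A line above it such as `# seccomp filter level passed to chronyd as -F; defaults to 0, the scfilter wrapper tests set -1 and 1` would tell someone running a single test by hand how to reproduce a wrapper failure.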
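Review bot: `echo "-F $TEST_SCFILTER"` in get_chronyd_options is emitted before `echo "$extra_chronyd_options"`, so a test that passes its own `-F` through extra_chronyd_options would presumably replace the level the wrapper asked for (assuming chronyd keeps the last occurrence). The rerun would then pass without the intended filter in place. A comment on the new line, `# tests must not pass -F in extra_chronyd_options; the level comes from TEST_SCFILTER`, would at least record that constraint. The function begins above this hunk, so whether any caller already does this cannot be seen here.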