libseccomp (2.5.2-2) unstable; urgency=medium

  * Revert mips and powerpc multiplexed syscall handling.
    - Fixes test suite failures. (Closes: #994285)

[dgit import unpatched libseccomp 2.5.2-2]

diff --cc debian/changelog
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..9b9f834ba45096f8affa524cb8313f1563db55db
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/changelog
@@@ -1,0 -1,0 +1,335 @@@
++libseccomp (2.5.2-2) unstable; urgency=medium
++
++  * Revert mips and powerpc multiplexed syscall handling.
++    - Fixes test suite failures. (Closes: #994285)
++
++ -- Felix Geyer <fgeyer@debian.org>  Sun, 03 Oct 2021 23:26:59 +0200
++
++libseccomp (2.5.2-1) unstable; urgency=medium
++
++  * New upstream release.
++  * Update watch file.
++
++ -- Felix Geyer <fgeyer@debian.org>  Tue, 07 Sep 2021 11:14:34 +0200
++
++libseccomp (2.5.1-1) unstable; urgency=medium
++
++  * New upstream release.
++  * Drop all patches as they have been applied upstream.
++
++ -- Felix Geyer <fgeyer@debian.org>  Mon, 21 Dec 2020 10:50:30 +0100
++
++libseccomp (2.5.0-3) unstable; urgency=medium
++
++  * Cherry-pick patch from the 2.5 branch to fix test error on mips:
++    - arch_ensure_we_dont_munge_pseudo_syscall_numbers.patch
++
++ -- Felix Geyer <fgeyer@debian.org>  Sun, 08 Nov 2020 19:59:21 +0100
++
++libseccomp (2.5.0-2) unstable; urgency=medium
++
++  * Upload to unstable.
++  * Cherry-pick patches from the 2.5 branch to fix build and test errors:
++    - build_undefine_mips_to_prevent_build_problems.patch
++    - tests_use_openat_and_fstat_instead_of_open_and_stat_syscalls.patch
++
++ -- Felix Geyer <fgeyer@debian.org>  Sun, 08 Nov 2020 15:49:41 +0100
++
++libseccomp (2.5.0-1) experimental; urgency=medium
++
++  * New upstream release.
++    - Build-depend on gperf.
++    - Update symbols file.
++  * Remove patches that have been applied upstream:
++    - cython3.patch
++    - riscv64_support.patch
++  * Cherry-pick patches from the 2.5 branch:
++    - all_only_request_the_userspace_notification_fd_once.patch
++    - system_change_our_notification_fd_handling.patch
++
++ -- Felix Geyer <fgeyer@debian.org>  Sat, 24 Oct 2020 13:58:28 +0200
++
++libseccomp (2.4.4-1) unstable; urgency=medium
++
++  * Team upload.
++
++  [ Debian Janitor ]
++  * Set upstream metadata fields: Repository, Repository-Browse.
++  * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository.
++
++  [ Felix Geyer ]
++  * New upstream release.
++  * Download and verify orig gpg signature.
++
++ -- Felix Geyer <fgeyer@debian.org>  Sun, 20 Sep 2020 19:03:41 +0200
++
++libseccomp (2.4.3-1) unstable; urgency=medium
++
++  * New upstream release.
++  * Drop patches that have been applied upstream:
++    - tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch
++    - api_define__SNR_ppoll_again.patch
++  * Cherry-pick support for the riscv64 architecture. (Closes: #952386)
++    - Add riscv64_support.patch
++
++ -- Felix Geyer <fgeyer@debian.org>  Thu, 12 Mar 2020 23:35:13 +0100
++
++libseccomp (2.4.2-2) unstable; urgency=medium
++
++  [ Christian Ehrhardt ]
++  * d/rules: fix potential FTFBS after full python3 switch
++  * d/t/control: drop python2 test following the removal of the package
++
++  [ Felix Geyer ]
++  * Remove build-dependency on valgrind for mips64el as it's broken there.
++  * Backport patch to define __SNR_ppoll again.
++    - Add api_define__SNR_ppoll_again.patch
++  * Replace custom patch for cython3 with the upstream fix.
++
++ -- Felix Geyer <fgeyer@debian.org>  Fri, 15 Nov 2019 18:12:53 +0100
++
++libseccomp (2.4.2-1) unstable; urgency=medium
++
++  [ Christian Ehrhardt ]
++  * New upstream release 2.4.2 for compatibility with newer kernels and
++    fixing FTBFS (LP: #1849785).
++    - drop d/p/python_install_dir.patch (now upstream)
++    - d/rules: adapt to python 3.8 lacking the m modifier on includes
++      see https://wiki.debian.org/Python/Python3.8
++    - d/p/tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch: fix
++      build time test on arm64
++
++  [ Felix Geyer ]
++  * Drop Python 2 bindings. (Closes: #936917)
++    - Add cython3.patch to use the Python 3 cython variant.
++
++ -- Felix Geyer <fgeyer@debian.org>  Wed, 13 Nov 2019 00:00:49 +0100
++
++libseccomp (2.4.1-2) unstable; urgency=medium
++
++  * Remove build-dependency on valgrind for mipsel and x32 as it's broken
++    on those archs.
++  * Set Rules-Requires-Root: no.
++
++ -- Felix Geyer <fgeyer@debian.org>  Fri, 19 Jul 2019 00:03:34 +0200
++
++libseccomp (2.4.1-1) unstable; urgency=medium
++
++  * New upstream release.
++    - Addresses CVE-2019-9893 (Closes: #924646)
++  * Drop all patches for parisc arch support, merged upstream.
++  * Build-depend on valgrind to run more unit tests.
++  * Run dh_auto_configure for every python 3 version to install the extension
++    in the correct path.
++  * Update the symbols file.
++  * Adapt autopkgtest to new upstream version:
++    - Build against pthread
++    - Build scmp_api_level tool
++  * Upgrade to debhelper compat level 12.
++    - Add d/not-installed file
++  * Fix install path of the python module.
++    - Add python_install_dir.patch
++  * Add autopkgtest for python packages.
++
++ -- Felix Geyer <fgeyer@debian.org>  Wed, 17 Jul 2019 23:23:28 +0200
++
++libseccomp (2.3.3-4) unstable; urgency=medium
++
++  [ Ondřej Nový ]
++  * d/copyright: Change Format URL to correct one
++
++  [ Helmut Grohne ]
++  * Fix FTCBFS: (Closes: #903556)
++    + Multiarchify python Build-Depends.
++    + Annotate cython dependencies with :native for now.
++    + Drop noop dh_auto_build invocations.
++    + Pass a suitable PYTHONPATH for python2.
++    + Pass _PYTHON_SYSCONFIGDATA_NAME for python3.
++
++ -- Felix Geyer <fgeyer@debian.org>  Sun, 10 Feb 2019 12:25:44 +0100
++
++libseccomp (2.3.3-3) unstable; urgency=medium
++
++  * Fix FTBFS: Adapt to renamed README file. (Closes: #902767)
++
++ -- Felix Geyer <fgeyer@debian.org>  Sun, 01 Jul 2018 20:32:03 +0200
++
++libseccomp (2.3.3-2) unstable; urgency=medium
++
++  [ Helmut Grohne ]
++  * Support the nopython build profile. (Closes: #897057)
++
++  [ Felix Geyer ]
++  * Run upstream "live" tests in an autopkgtest.
++
++ -- Felix Geyer <fgeyer@debian.org>  Sun, 13 May 2018 09:53:08 +0200
++
++libseccomp (2.3.3-1) unstable; urgency=medium
++
++  * New upstream release. (Closes: #895417)
++    - Adds pkey_mprotect syscall. (Closes: #893722)
++  * Refresh parisc patch.
++  * Move libseccomp2 back to /usr/lib. (Closes: #894988)
++  * Make test failures cause the build to fail. (Closes: 877901)
++  * Build python bindings. (Closes: #810712)
++  * Switch to debhelper compat level 10.
++  * Move git repo to salsa.debian.org
++  * Add myself to Uploaders.
++
++ -- Felix Geyer <fgeyer@debian.org>  Sun, 22 Apr 2018 23:55:03 +0200
++
++libseccomp (2.3.1-2.1) unstable; urgency=medium
++
++  [ Martin Pitt ]
++  * Non-maintainer upload with Kees' consent.
++
++  [ Laurent Bigonville ]
++  * Ensure strict enough generated dependencies (Closes: #844496)
++
++ -- Martin Pitt <mpitt@debian.org>  Thu, 17 Nov 2016 10:16:44 +0100
++
++libseccomp (2.3.1-2) unstable; urgency=medium
++
++  * Add hppa (parisc) support (Closes: #820501)
++
++ -- Luca Bruno <lucab@debian.org>  Sat, 28 May 2016 20:05:01 +0200
++
++libseccomp (2.3.1-1) unstable; urgency=medium
++
++  * New upstream release
++  * control: add Vcs-* fields
++
++ -- Luca Bruno <lucab@debian.org>  Tue, 05 Apr 2016 22:16:55 +0200
++
++libseccomp (2.3.0-1) unstable; urgency=medium
++
++  * New upstream release
++    + drop all patches, applied upstream
++  * libseccomp2: update symbols file
++  * control: add myself to uploaders
++  * control: bump policy version
++
++ -- Luca Bruno <lucab@debian.org>  Sun, 03 Apr 2016 00:31:09 +0200
++
++libseccomp (2.2.3-3) unstable; urgency=medium
++
++  [ Martin Pitt ]
++  * debian/patches/add-x86-32bit-socket-calls.patch: add the newly
++    connected direct socket calls. (Closes: #809556)
++  * debian/add-membarrier.patch: add membarrier syscall.
++  * Backport patches for ppc/ppc64 and s390x. (Closes: #800818)
++
++ -- Kees Cook <kees@debian.org>  Tue, 01 Sep 2015 15:37:31 -0700
++
++libseccomp (2.2.3-2) unstable; urgency=medium
++
++  * debian/control: enable mips64, mips64el, and x32 architectures,
++    thanks to Helmut Grohne (Closes: 797383).
++
++ -- Kees Cook <kees@debian.org>  Tue, 01 Sep 2015 15:37:31 -0700
++
++libseccomp (2.2.3-1) unstable; urgency=medium
++
++  * New upstream release (Closes: 793032).
++  * debian/control: update Homepage (Closes: 793033).
++
++ -- Kees Cook <kees@debian.org>  Mon, 03 Aug 2015 15:06:08 -0700
++
++libseccomp (2.2.1-2) unstable; urgency=medium
++
++  * debian/{rules,*.install}: move to /lib, thanks to Michael Biebl
++    (Closes: 788923).
++
++ -- Kees Cook <kees@debian.org>  Tue, 16 Jun 2015 12:45:08 -0700
++
++libseccomp (2.2.1-1) unstable; urgency=medium
++
++  * New upstream release (Closes: 785428).
++    - debian/patches dropped: incorporated upstream.
++  * debian/libseccomp2.symbols: include only documented symbols.
++  * debian/libseccomp-dev.install: include static library (Closes: 698508).
++  * debian/control:
++    - add newly supported arm64, mips, and mipsel.
++    - bump standards version, no changes needed.
++
++ -- Kees Cook <kees@debian.org>  Sat, 16 May 2015 08:15:26 -0700
++
++libseccomp (2.1.1-1) unstable; urgency=low
++
++  * New upstream release (Closes: 733293).
++  * copyright: add a few missed people.
++  * rules: adjusted for new test target.
++  * libseccomp2.symbols: drop accidentally exported functions.
++  * control:
++    - bump standards, no changes needed.
++    - add armel target
++
++ -- Kees Cook <kees@debian.org>  Sat, 12 Apr 2014 10:44:22 -0700
++
++libseccomp (2.1.0+dfsg-1) unstable; urgency=low
++
++  * Rebuild source package without accidental binaries (Closes: 725617).
++    - debian/watch: mangle upstream version check.
++  * debian/rules: make tests non-fatal while upstream fixes them
++    (Closes: 721292).
++
++ -- Kees Cook <kees@debian.org>  Sun, 06 Oct 2013 15:05:51 -0700
++
++libseccomp (2.1.0-1) unstable; urgency=low
++
++  * New upstream release (Closes: 718398):
++    - dropped debian/patches/manpage-dashes.patch: taken upstream.
++    - dropped debian/patches/include-unistd.patch: not needed.
++    - debian/patches/testsuite-x86-write.patch: taken upstream.
++    - ABI bump: moved from libseccomp1 to libseccomp2.
++  * debian/control:
++    - added Arch: armhf, now supported upstream.
++    - added seccomp binary package for helper tools.
++  * Added debian/patches/manpage-typo.patch: spelling fix.
++  * Added debian/patches/build-ldflags.patch: fix LDFLAGS handling.
++
++ -- Kees Cook <kees@debian.org>  Tue, 13 Aug 2013 00:02:01 -0700
++
++libseccomp (1.0.1-2) unstable; urgency=low
++
++  * debian/rules: enable testsuite at build time, thanks to
++    Stéphane Graber (Closes: 698803).
++  * Added debian/patches/include-unistd.patch: detect location of
++    asm/unistd.h correctly.
++  * Added debian/patches/testsuite-x86-write.patch: skip the "write"
++    syscall correctly on x86.
++  * debian/control: bump standards to 3.9.4, no changes needed.
++
++ -- Kees Cook <kees@debian.org>  Wed, 23 Jan 2013 13:11:53 -0800
++
++libseccomp (1.0.1-1) unstable; urgency=low
++
++  * New upstream release.
++  * debian/control: only build on amd64 and i386 (Closes: 687368).
++
++ -- Kees Cook <kees@debian.org>  Fri, 07 Dec 2012 11:38:03 -0800
++
++libseccomp (1.0.0-1) unstable; urgency=low
++
++  * New upstream release.
++    - bump ABI.
++    - drop build verbosity patch, use upstream V=1 instead.
++  * libseccomp-dev.manpages: fix build location (Closes: 682152, 682471).
++  * debian/patches/pkgconfig-macro.patch: use literals for macro.
++
++ -- Kees Cook <kees@debian.org>  Fri, 03 Aug 2012 16:59:41 -0700
++
++libseccomp (0.1.0-1) unstable; urgency=low
++
++  * New upstream release.
++    - drop patches taken upstream:
++      - libexecdir.patch
++      - pass-flags.patch
++
++ -- Kees Cook <kees@debian.org>  Fri, 08 Jun 2012 12:32:22 -0700
++
++libseccomp (0.0.0~20120605-1) unstable; urgency=low
++
++  * Initial release (Closes: #676257).
++
++ -- Kees Cook <kees@debian.org>  Tue, 05 Jun 2012 11:28:07 -0700

diff --cc debian/control
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..c445bd051533f248e94e8a117d79bd483dc45894
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/control
@@@ -1,0 -1,0 +1,63 @@@
++Source: libseccomp
++Section: libs
++Priority: optional
++Maintainer: Kees Cook <kees@debian.org>
++Uploaders: Luca Bruno <lucab@debian.org>, Felix Geyer <fgeyer@debian.org>
++Build-Depends: debhelper-compat (= 12),
++               linux-libc-dev,
++               dh-python <!nopython>,
++               python3-all-dev:any <!nopython>,
++               libpython3-all-dev <!nopython>,
++               cython3:native <!nopython>,
++               valgrind [amd64 arm64 armhf i386 mips mips64 powerpc ppc64 ppc64el s390x] <!nocheck>,
++               gperf
++Rules-Requires-Root: no
++Standards-Version: 3.9.7
++Homepage: https://github.com/seccomp/libseccomp
++Vcs-Git: https://salsa.debian.org/debian/libseccomp.git
++Vcs-Browser: https://salsa.debian.org/debian/libseccomp
++
++Package: libseccomp-dev
++Section: libdevel
++Architecture: linux-any
++Multi-Arch: same
++Pre-Depends: ${misc:Pre-Depends}
++Depends: libseccomp2 (= ${binary:Version}), ${misc:Depends}
++Suggests: seccomp
++Description: high level interface to Linux seccomp filter (development files)
++ This library provides a high level interface to constructing, analyzing
++ and installing seccomp filters via a BPF passed to the Linux Kernel's
++ prctl() syscall.
++ .
++ This package contains the development files.
++
++Package: libseccomp2
++Architecture: linux-any
++Multi-Arch: same
++Pre-Depends: ${misc:Pre-Depends}
++Depends: ${shlibs:Depends}, ${misc:Depends}
++Description: high level interface to Linux seccomp filter
++ This library provides a high level interface to constructing, analyzing
++ and installing seccomp filters via a BPF passed to the Linux Kernel's
++ prctl() syscall.
++
++Package: seccomp
++Section: utils
++Architecture: linux-any
++Depends: ${shlibs:Depends}, ${misc:Depends}
++Suggests: libseccomp-dev
++Description: helper tools for high level interface to Linux seccomp filter
++ Provides helper tools for interacting with libseccomp. Currently, only
++ a single tool exists, providing a way to easily enumerate syscalls across
++ the supported architectures.
++
++Package: python3-seccomp
++Build-Profiles: <!nopython>
++Architecture: linux-any
++Multi-Arch: same
++Section: python
++Depends: ${shlibs:Depends}, ${misc:Depends}, ${python3:Depends}
++Description: high level interface to Linux seccomp filter (Python 3 bindings)
++ This library provides a high level interface to constructing, analyzing
++ and installing seccomp filters via a BPF passed to the Linux Kernel's
++ prctl() syscall.

diff --cc debian/copyright
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..307817f54afe13eb7f146a8f8e85dfad0bae64b8
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/copyright
@@@ -1,0 -1,0 +1,39 @@@
++Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
++Upstream-Name: libseccomp
++Source: https://sourceforge.net/projects/libseccomp/
++
++Files: *
++Copyright: 2012 Paul Moore <pmoore@redhat.com>
++ 2012 Ashley Lai <adlai@us.ibm.com>
++ 2012 Corey Bryant <coreyb@linux.vnet.ibm.com>
++ 2012 Eduardo Otubo <otubo@linux.vnet.ibm.com>
++ 2012 Eric Paris <eparis@redhat.com>
++License: LGPL-2.1
++
++Files: tests/22-sim-basic_chains_array.tests
++Copyright: 2013 Vitaly Shukela <vi0oss@gmail.com>
++License: LGPL-2.1
++
++Files: src/hash.*
++Copyright: 2006 Bob Jenkins <bob_jenkins@burtleburtle.net>
++License: LGPL-2.1
++
++Files: debian/*
++Copyright: 2012 Kees Cook <kees@debian.org>
++License: LGPL-2.1
++
++License: LGPL-2.1
++ This library is free software; you can redistribute it and/or modify it
++ under the terms of version 2.1 of the GNU Lesser General Public License as
++ published by the Free Software Foundation.
++ .
++ This library is distributed in the hope that it will be useful, but WITHOUT
++ ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
++ for more details.
++ .
++ You should have received a copy of the GNU Lesser General Public License
++ along with this library; if not, see <http://www.gnu.org/licenses>.
++ .
++ On Debian systems, the complete text of the GNU Lesser General
++ Public License can be found in "/usr/share/common-licenses/LGPL-2.1".

diff --cc debian/docs
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..b43bf86b50fd8d3529a0dc062c30006ed38f309e
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/docs
@@@ -1,0 -1,0 +1,1 @@@
++README.md

diff --cc debian/gbp.conf
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..c16083c70301497da7056aa8868345ce382f0719
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/gbp.conf
@@@ -1,0 -1,0 +1,9 @@@
++[DEFAULT]
++upstream-tag = upstream/%(version)s
++debian-tag = debian/%(version)s
++pristine-tar = True
++upstream-branch = upstream
++debian-branch = debian/sid
++
++[buildpackage]
++submodules = True

diff --cc debian/libseccomp-dev.install
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..b973af43759c909c12021a4ec27161733bdeb602
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/libseccomp-dev.install
@@@ -1,0 -1,0 +1,4 @@@
++usr/include/*
++usr/lib/*/lib*.so
++usr/lib/*/lib*.a
++usr/lib/*/pkgconfig/*

diff --cc debian/libseccomp-dev.manpages
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..7c726776fbd540cadae526736588fea6d8703b56
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/libseccomp-dev.manpages
@@@ -1,0 -1,0 +1,1 @@@
++debian/tmp/usr/share/man/man3/*

diff --cc debian/libseccomp2.install
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..3ddde584198421f0d2a3fef9d36cc110f3b8b76d
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/libseccomp2.install
@@@ -1,0 -1,0 +1,1 @@@
++usr/lib/*/lib*.so.*

diff --cc debian/libseccomp2.symbols
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..d1823d09ad3b050d3336ad20d8752120e95cbbc7
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/libseccomp2.symbols
@@@ -1,0 -1,0 +1,34 @@@
++libseccomp.so.2 libseccomp2 #MINVER#
++* Build-Depends-Package: libseccomp-dev
++ seccomp_api_get@Base 2.4.1
++ seccomp_api_set@Base 2.4.1
++ seccomp_attr_get@Base 0.0.0~20120605
++ seccomp_attr_set@Base 0.0.0~20120605
++ seccomp_export_bpf@Base 0.0.0~20120605
++ seccomp_export_pfc@Base 0.0.0~20120605
++ seccomp_init@Base 0.0.0~20120605
++ seccomp_load@Base 0.0.0~20120605
++ seccomp_release@Base 0.0.0~20120605
++ seccomp_reset@Base 0.0.0~20120605
++ seccomp_rule_add@Base 0.0.0~20120605
++ seccomp_rule_add_exact@Base 0.0.0~20120605
++ seccomp_syscall_priority@Base 0.0.0~20120605
++ seccomp_syscall_resolve_name@Base 1.0.1
++ seccomp_merge@Base 1.0.1
++ seccomp_notify_alloc@Base 2.5.0
++ seccomp_notify_fd@Base 2.5.0
++ seccomp_notify_free@Base 2.5.0
++ seccomp_notify_id_valid@Base 2.5.0
++ seccomp_notify_receive@Base 2.5.0
++ seccomp_notify_respond@Base 2.5.0
++ seccomp_arch_add@Base 1.0.1
++ seccomp_arch_exist@Base 1.0.1
++ seccomp_arch_remove@Base 1.0.1
++ seccomp_arch_native@Base 2.1.0
++ seccomp_rule_add_array@Base 2.1.0
++ seccomp_rule_add_exact_array@Base 2.1.0
++ seccomp_syscall_resolve_name_arch@Base 2.1.0
++ seccomp_syscall_resolve_num_arch@Base 2.1.0
++ seccomp_arch_resolve_name@Base 2.2.1
++ seccomp_syscall_resolve_name_rewrite@Base 2.2.1
++ seccomp_version@Base 2.3.0

diff --cc debian/not-installed
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..4f605951640379a03f1776edff01d7c31b76fca8
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/not-installed
@@@ -1,0 -1,0 +1,3 @@@
++usr/lib/python*/*-packages/install_files.txt
++usr/lib/python*/*-packages/seccomp-*.egg-info
++usr/lib/*/libseccomp.la

diff --cc debian/patches/revert_arch_consolidate_all_of_the_multiplexed_syscall_handling.patch
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..67bdc6311da7ba99fe19bca8654bdf2feb3055e0
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/patches/revert_arch_consolidate_all_of_the_multiplexed_syscall_handling.patch
@@@ -1,0 -1,0 +1,4520 @@@
++REVERTS
++
++From f454456e261930d94b3a1a444b6bac75c11c3cb0 Mon Sep 17 00:00:00 2001
++From: Paul Moore <paul@paul-moore.com>
++Date: Wed, 4 Aug 2021 11:51:12 -0400
++Subject: [PATCH] arch: consolidate all of the multiplexed syscall handling
++
++Not only does this reduce the amount of duplicated code
++significantly, it removes a lot of the "magic" numbers in the
++code, and it happened to catch some bugs too.
++
++Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
++Signed-off-by: Paul Moore <paul@paul-moore.com>
++
++(imported from commit 17cbd2c253ce63e5e9e3cec867ff58efbe8b5fdc)
++
++diff --git a/src/arch-aarch64.c b/src/arch-aarch64.c
++--- a/src/arch-aarch64.c
+++++ b/src/arch-aarch64.c
++@@ -31,8 +31,8 @@ const struct arch_def arch_def_aarch64 = {
++      .token_bpf = AUDIT_ARCH_AARCH64,
++      .size = ARCH_SIZE_64,
++      .endian = ARCH_ENDIAN_LITTLE,
++-     .syscall_resolve_name_raw = aarch64_syscall_resolve_name,
++-     .syscall_resolve_num_raw = aarch64_syscall_resolve_num,
+++     .syscall_resolve_name = aarch64_syscall_resolve_name,
+++     .syscall_resolve_num = aarch64_syscall_resolve_num,
++      .syscall_rewrite = NULL,
++      .rule_add = NULL,
++ };
++diff --git a/src/arch-arm.c b/src/arch-arm.c
++--- a/src/arch-arm.c
+++++ b/src/arch-arm.c
++@@ -39,7 +39,6 @@
++ 
++ /**
++  * Resolve a syscall name to a number
++- * @param arch the architecture definition
++  * @param name the syscall name
++  *
++  * Resolve the given syscall name to the syscall number using the syscall table.
++@@ -47,13 +46,12 @@
++  * numbers; returns __NR_SCMP_ERROR on failure.
++  *
++  */
++-int arm_syscall_resolve_name_munge(const struct arch_def *arch,
++-                                const char *name)
+++int arm_syscall_resolve_name_munge(const char *name)
++ {
++      int sys;
++ 
++      /* NOTE: we don't want to modify the pseudo-syscall numbers */
++-     sys = arch->syscall_resolve_name_raw(name);
+++     sys = arm_syscall_resolve_name(name);
++      if (sys == __NR_SCMP_ERROR || sys < 0)
++              return sys;
++ 
++@@ -62,7 +60,6 @@ int arm_syscall_resolve_name_munge(const struct arch_def *arch,
++ 
++ /**
++  * Resolve a syscall number to a name
++- * @param arch the architecture definition
++  * @param num the syscall number
++  *
++  * Resolve the given syscall number to the syscall name using the syscall table.
++@@ -70,12 +67,12 @@ int arm_syscall_resolve_name_munge(const struct arch_def *arch,
++  * syscall names; returns NULL on failure.
++  *
++  */
++-const char *arm_syscall_resolve_num_munge(const struct arch_def *arch, int num)
+++const char *arm_syscall_resolve_num_munge(int num)
++ {
++      /* NOTE: we don't want to modify the pseudo-syscall numbers */
++      if (num >= 0)
++              num &= ~__SCMP_NR_BASE;
++-     return arch->syscall_resolve_num_raw(num);
+++     return arm_syscall_resolve_num(num);
++ }
++ 
++ const struct arch_def arch_def_arm = {
++@@ -84,9 +81,7 @@ const struct arch_def arch_def_arm = {
++      .size = ARCH_SIZE_32,
++      .endian = ARCH_ENDIAN_LITTLE,
++      .syscall_resolve_name = arm_syscall_resolve_name_munge,
++-     .syscall_resolve_name_raw = arm_syscall_resolve_name,
++      .syscall_resolve_num = arm_syscall_resolve_num_munge,
++-     .syscall_resolve_num_raw = arm_syscall_resolve_num,
++      .syscall_rewrite = NULL,
++      .rule_add = NULL,
++ };
++diff --git a/src/arch-mips.c b/src/arch-mips.c
++--- a/src/arch-mips.c
+++++ b/src/arch-mips.c
++@@ -30,23 +30,535 @@
++ #include "arch.h"
++ #include "arch-mips.h"
++ 
+++/* O32 ABI */
+++#define __SCMP_NR_BASE                       4000
+++
++ /* mips syscall numbers */
++ #define __mips_NR_socketcall         102
++ #define __mips_NR_ipc                        117
++ 
+++/**
+++ * Resolve a syscall name to a number
+++ * @param name the syscall name
+++ *
+++ * Resolve the given syscall name to the syscall number using the syscall table.
+++ * Returns the syscall number on success, including negative pseudo syscall
+++ * numbers; returns __NR_SCMP_ERROR on failure.
+++ *
+++ */
+++int mips_syscall_resolve_name_munge(const char *name)
+++{
+++
+++#define _ABI_SYSCALL_RES_NAME_CHK(NAME) \
+++     if (!strcmp(name, #NAME)) return __PNR_##NAME;
+++
+++     _ABI_SYSCALL_RES_NAME_CHK(socket)
+++     _ABI_SYSCALL_RES_NAME_CHK(bind)
+++     _ABI_SYSCALL_RES_NAME_CHK(connect)
+++     _ABI_SYSCALL_RES_NAME_CHK(listen)
+++     _ABI_SYSCALL_RES_NAME_CHK(accept)
+++     _ABI_SYSCALL_RES_NAME_CHK(getsockname)
+++     _ABI_SYSCALL_RES_NAME_CHK(getpeername)
+++     _ABI_SYSCALL_RES_NAME_CHK(socketpair)
+++     _ABI_SYSCALL_RES_NAME_CHK(send)
+++     _ABI_SYSCALL_RES_NAME_CHK(recv)
+++     _ABI_SYSCALL_RES_NAME_CHK(sendto)
+++     _ABI_SYSCALL_RES_NAME_CHK(recvfrom)
+++     _ABI_SYSCALL_RES_NAME_CHK(shutdown)
+++     _ABI_SYSCALL_RES_NAME_CHK(setsockopt)
+++     _ABI_SYSCALL_RES_NAME_CHK(getsockopt)
+++     _ABI_SYSCALL_RES_NAME_CHK(sendmsg)
+++     _ABI_SYSCALL_RES_NAME_CHK(recvmsg)
+++     _ABI_SYSCALL_RES_NAME_CHK(accept4)
+++     _ABI_SYSCALL_RES_NAME_CHK(recvmmsg)
+++     _ABI_SYSCALL_RES_NAME_CHK(sendmmsg)
+++     _ABI_SYSCALL_RES_NAME_CHK(semop)
+++     _ABI_SYSCALL_RES_NAME_CHK(semget)
+++     _ABI_SYSCALL_RES_NAME_CHK(semctl)
+++     _ABI_SYSCALL_RES_NAME_CHK(semtimedop)
+++     _ABI_SYSCALL_RES_NAME_CHK(msgsnd)
+++     _ABI_SYSCALL_RES_NAME_CHK(msgrcv)
+++     _ABI_SYSCALL_RES_NAME_CHK(msgget)
+++     _ABI_SYSCALL_RES_NAME_CHK(msgctl)
+++     _ABI_SYSCALL_RES_NAME_CHK(shmat)
+++     _ABI_SYSCALL_RES_NAME_CHK(shmdt)
+++     _ABI_SYSCALL_RES_NAME_CHK(shmget)
+++     _ABI_SYSCALL_RES_NAME_CHK(shmctl)
+++
+++     return mips_syscall_resolve_name(name);
+++}
+++
+++/**
+++ * Resolve a syscall number to a name
+++ * @param num the syscall number
+++ *
+++ * Resolve the given syscall number to the syscall name using the syscall table.
+++ * Returns a pointer to the syscall name string on success, including pseudo
+++ * syscall names; returns NULL on failure.
+++ *
+++ */
+++const char *mips_syscall_resolve_num_munge(int num)
+++{
+++
+++#define _ABI_SYSCALL_RES_NUM_CHK(NAME) \
+++     if (num == __PNR_##NAME) return #NAME;
+++
+++     _ABI_SYSCALL_RES_NUM_CHK(socket)
+++     _ABI_SYSCALL_RES_NUM_CHK(bind)
+++     _ABI_SYSCALL_RES_NUM_CHK(connect)
+++     _ABI_SYSCALL_RES_NUM_CHK(listen)
+++     _ABI_SYSCALL_RES_NUM_CHK(accept)
+++     _ABI_SYSCALL_RES_NUM_CHK(getsockname)
+++     _ABI_SYSCALL_RES_NUM_CHK(getpeername)
+++     _ABI_SYSCALL_RES_NUM_CHK(socketpair)
+++     _ABI_SYSCALL_RES_NUM_CHK(send)
+++     _ABI_SYSCALL_RES_NUM_CHK(recv)
+++     _ABI_SYSCALL_RES_NUM_CHK(sendto)
+++     _ABI_SYSCALL_RES_NUM_CHK(recvfrom)
+++     _ABI_SYSCALL_RES_NUM_CHK(shutdown)
+++     _ABI_SYSCALL_RES_NUM_CHK(setsockopt)
+++     _ABI_SYSCALL_RES_NUM_CHK(getsockopt)
+++     _ABI_SYSCALL_RES_NUM_CHK(sendmsg)
+++     _ABI_SYSCALL_RES_NUM_CHK(recvmsg)
+++     _ABI_SYSCALL_RES_NUM_CHK(accept4)
+++     _ABI_SYSCALL_RES_NUM_CHK(recvmmsg)
+++     _ABI_SYSCALL_RES_NUM_CHK(sendmmsg)
+++     _ABI_SYSCALL_RES_NUM_CHK(semop)
+++     _ABI_SYSCALL_RES_NUM_CHK(semget)
+++     _ABI_SYSCALL_RES_NUM_CHK(semctl)
+++     _ABI_SYSCALL_RES_NUM_CHK(semtimedop)
+++     _ABI_SYSCALL_RES_NUM_CHK(msgsnd)
+++     _ABI_SYSCALL_RES_NUM_CHK(msgrcv)
+++     _ABI_SYSCALL_RES_NUM_CHK(msgget)
+++     _ABI_SYSCALL_RES_NUM_CHK(msgctl)
+++     _ABI_SYSCALL_RES_NUM_CHK(shmat)
+++     _ABI_SYSCALL_RES_NUM_CHK(shmdt)
+++     _ABI_SYSCALL_RES_NUM_CHK(shmget)
+++     _ABI_SYSCALL_RES_NUM_CHK(shmctl)
+++
+++     return mips_syscall_resolve_num(num);
+++}
+++
+++/**
+++ * Check if a syscall is a socket syscall
+++ * @param sys the syscall number
+++ *
+++ * Returns true if the syscall is a socket related syscall, false otherwise.
+++ *
+++ */
+++static bool _mips_syscall_socket_test(int sys)
+++{
+++     const char *name;
+++
+++     /* multiplexed pseduo-syscalls */
+++     if (sys <= -100 && sys >= -120)
+++             return true;
+++
+++     name = mips_syscall_resolve_num(sys);
+++     if (!name)
+++             return false;
+++
+++#define _ABI_SYSCALL_SOCK_CHK(NAME) \
+++     if (!strcmp(name, #NAME)) return true;
+++
+++     _ABI_SYSCALL_SOCK_CHK(socket)
+++     _ABI_SYSCALL_SOCK_CHK(bind)
+++     _ABI_SYSCALL_SOCK_CHK(connect)
+++     _ABI_SYSCALL_SOCK_CHK(listen)
+++     _ABI_SYSCALL_SOCK_CHK(accept)
+++     _ABI_SYSCALL_SOCK_CHK(getsockname)
+++     _ABI_SYSCALL_SOCK_CHK(getpeername)
+++     _ABI_SYSCALL_SOCK_CHK(socketpair)
+++     _ABI_SYSCALL_SOCK_CHK(send)
+++     _ABI_SYSCALL_SOCK_CHK(recv)
+++     _ABI_SYSCALL_SOCK_CHK(sendto)
+++     _ABI_SYSCALL_SOCK_CHK(recvfrom)
+++     _ABI_SYSCALL_SOCK_CHK(shutdown)
+++     _ABI_SYSCALL_SOCK_CHK(setsockopt)
+++     _ABI_SYSCALL_SOCK_CHK(getsockopt)
+++     _ABI_SYSCALL_SOCK_CHK(sendmsg)
+++     _ABI_SYSCALL_SOCK_CHK(recvmsg)
+++     _ABI_SYSCALL_SOCK_CHK(accept4)
+++     _ABI_SYSCALL_SOCK_CHK(recvmmsg)
+++     _ABI_SYSCALL_SOCK_CHK(sendmmsg)
+++
+++     return false;
+++}
+++
+++/**
+++ * Check if a syscall is an ipc syscall
+++ * @param sys the syscall number
+++ *
+++ * Returns true if the syscall is an ipc related syscall, false otherwise.
+++ *
+++ */
+++static bool _mips_syscall_ipc_test(int sys)
+++{
+++     const char *name;
+++
+++     /* multiplexed pseduo-syscalls */
+++     if (sys <= -200 && sys >= -224)
+++             return true;
+++
+++     name = mips_syscall_resolve_num(sys);
+++     if (!name)
+++             return false;
+++
+++#define _ABI_SYSCALL_IPC_CHK(NAME) \
+++     if (!strcmp(name, #NAME)) return true;
+++
+++     _ABI_SYSCALL_IPC_CHK(semop)
+++     _ABI_SYSCALL_IPC_CHK(semget)
+++     _ABI_SYSCALL_IPC_CHK(semctl)
+++     _ABI_SYSCALL_IPC_CHK(semtimedop)
+++     _ABI_SYSCALL_IPC_CHK(msgsnd)
+++     _ABI_SYSCALL_IPC_CHK(msgrcv)
+++     _ABI_SYSCALL_IPC_CHK(msgget)
+++     _ABI_SYSCALL_IPC_CHK(msgctl)
+++     _ABI_SYSCALL_IPC_CHK(shmat)
+++     _ABI_SYSCALL_IPC_CHK(shmdt)
+++     _ABI_SYSCALL_IPC_CHK(shmget)
+++     _ABI_SYSCALL_IPC_CHK(shmctl)
+++
+++     return false;
+++}
+++
+++/**
+++ * Convert a multiplexed pseudo syscall into a direct syscall
+++ * @param syscall the multiplexed pseudo syscall number
+++ *
+++ * Return the related direct syscall number, __NR_SCMP_UNDEF is there is
+++ * no related syscall, or __NR_SCMP_ERROR otherwise.
+++ *
+++ */
+++static int _mips_syscall_demux(int syscall)
+++{
+++     int sys = __NR_SCMP_UNDEF;
+++
+++#define _ABI_SYSCALL_DEMUX_CHK(NAME) \
+++case __PNR_##NAME: \
+++     sys = mips_syscall_resolve_name(#NAME); break;
+++
+++     switch (syscall) {
+++             _ABI_SYSCALL_DEMUX_CHK(socket)
+++             _ABI_SYSCALL_DEMUX_CHK(bind)
+++             _ABI_SYSCALL_DEMUX_CHK(connect)
+++             _ABI_SYSCALL_DEMUX_CHK(listen)
+++             _ABI_SYSCALL_DEMUX_CHK(accept)
+++             _ABI_SYSCALL_DEMUX_CHK(getsockname)
+++             _ABI_SYSCALL_DEMUX_CHK(getpeername)
+++             _ABI_SYSCALL_DEMUX_CHK(socketpair)
+++             _ABI_SYSCALL_DEMUX_CHK(send)
+++             _ABI_SYSCALL_DEMUX_CHK(recv)
+++             _ABI_SYSCALL_DEMUX_CHK(sendto)
+++             _ABI_SYSCALL_DEMUX_CHK(recvfrom)
+++             _ABI_SYSCALL_DEMUX_CHK(shutdown)
+++             _ABI_SYSCALL_DEMUX_CHK(setsockopt)
+++             _ABI_SYSCALL_DEMUX_CHK(getsockopt)
+++             _ABI_SYSCALL_DEMUX_CHK(sendmsg)
+++             _ABI_SYSCALL_DEMUX_CHK(recvmsg)
+++             _ABI_SYSCALL_DEMUX_CHK(accept4)
+++             _ABI_SYSCALL_DEMUX_CHK(recvmmsg)
+++             _ABI_SYSCALL_DEMUX_CHK(sendmmsg)
+++             _ABI_SYSCALL_DEMUX_CHK(semop)
+++             _ABI_SYSCALL_DEMUX_CHK(semget)
+++             _ABI_SYSCALL_DEMUX_CHK(semctl)
+++             _ABI_SYSCALL_DEMUX_CHK(semtimedop)
+++             _ABI_SYSCALL_DEMUX_CHK(msgsnd)
+++             _ABI_SYSCALL_DEMUX_CHK(msgrcv)
+++             _ABI_SYSCALL_DEMUX_CHK(msgget)
+++             _ABI_SYSCALL_DEMUX_CHK(msgctl)
+++             _ABI_SYSCALL_DEMUX_CHK(shmat)
+++             _ABI_SYSCALL_DEMUX_CHK(shmdt)
+++             _ABI_SYSCALL_DEMUX_CHK(shmget)
+++             _ABI_SYSCALL_DEMUX_CHK(shmctl)
+++     }
+++
+++     /* this looks odd because the arch resolver returns _ERROR if it can't
+++      * resolve the syscall, but we want to use _UNDEF for that, so we set
+++      * 'sys' to a sentinel value of _UNDEF and if it is error here we know
+++      * the resolve failed to find a match */
+++     if (sys == __NR_SCMP_UNDEF)
+++             sys = __NR_SCMP_ERROR;
+++     else if (sys == __NR_SCMP_ERROR)
+++             sys = __NR_SCMP_UNDEF;
+++
+++     return sys;
+++}
+++
+++/**
+++ * Convert a direct syscall into multiplexed pseudo socket syscall
+++ * @param syscall the direct syscall
+++ *
+++ * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is
+++ * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise.
+++ *
+++ */
+++static int _mips_syscall_mux(int syscall)
+++{
+++     const char *sys;
+++
+++     sys = mips_syscall_resolve_num(syscall);
+++     if (!sys)
+++             return __NR_SCMP_ERROR;
+++
+++#define _ABI_SYSCALL_MUX_CHK(NAME) \
+++     if (!strcmp(sys, #NAME)) return __PNR_##NAME;
+++
+++     _ABI_SYSCALL_MUX_CHK(socket)
+++     _ABI_SYSCALL_MUX_CHK(bind)
+++     _ABI_SYSCALL_MUX_CHK(connect)
+++     _ABI_SYSCALL_MUX_CHK(listen)
+++     _ABI_SYSCALL_MUX_CHK(accept)
+++     _ABI_SYSCALL_MUX_CHK(getsockname)
+++     _ABI_SYSCALL_MUX_CHK(getpeername)
+++     _ABI_SYSCALL_MUX_CHK(socketpair)
+++     _ABI_SYSCALL_MUX_CHK(send)
+++     _ABI_SYSCALL_MUX_CHK(recv)
+++     _ABI_SYSCALL_MUX_CHK(sendto)
+++     _ABI_SYSCALL_MUX_CHK(recvfrom)
+++     _ABI_SYSCALL_MUX_CHK(shutdown)
+++     _ABI_SYSCALL_MUX_CHK(setsockopt)
+++     _ABI_SYSCALL_MUX_CHK(getsockopt)
+++     _ABI_SYSCALL_MUX_CHK(sendmsg)
+++     _ABI_SYSCALL_MUX_CHK(recvmsg)
+++     _ABI_SYSCALL_MUX_CHK(accept4)
+++     _ABI_SYSCALL_MUX_CHK(recvmmsg)
+++     _ABI_SYSCALL_MUX_CHK(sendmmsg)
+++     _ABI_SYSCALL_MUX_CHK(semop)
+++     _ABI_SYSCALL_MUX_CHK(semget)
+++     _ABI_SYSCALL_MUX_CHK(semctl)
+++     _ABI_SYSCALL_MUX_CHK(semtimedop)
+++     _ABI_SYSCALL_MUX_CHK(msgsnd)
+++     _ABI_SYSCALL_MUX_CHK(msgrcv)
+++     _ABI_SYSCALL_MUX_CHK(msgget)
+++     _ABI_SYSCALL_MUX_CHK(msgctl)
+++     _ABI_SYSCALL_MUX_CHK(shmat)
+++     _ABI_SYSCALL_MUX_CHK(shmdt)
+++     _ABI_SYSCALL_MUX_CHK(shmget)
+++     _ABI_SYSCALL_MUX_CHK(shmctl)
+++
+++     return __NR_SCMP_ERROR;
+++}
+++
+++/**
+++ * Rewrite a syscall value to match the architecture
+++ * @param syscall the syscall number
+++ *
+++ * Syscalls can vary across different architectures so this function rewrites
+++ * the syscall into the correct value for the specified architecture.  Returns
+++ * zero on success, negative values on failure.
+++ *
+++ */
+++int mips_syscall_rewrite(int *syscall)
+++{
+++     int sys = *syscall;
+++
+++     if (sys <= -100 && sys >= -120)
+++             *syscall = __mips_NR_socketcall;
+++     else if (sys <= -200 && sys >= -224)
+++             *syscall = __mips_NR_ipc;
+++     else if (sys < 0)
+++             return -EDOM;
+++
+++     return 0;
+++}
+++
+++/**
+++ * add a new rule to the mips seccomp filter
+++ * @param db the seccomp filter db
+++ * @param rule the filter rule
+++ *
+++ * This function adds a new syscall filter to the seccomp filter db, making any
+++ * necessary adjustments for the mips ABI.  Returns zero on success, negative
+++ * values on failure.
+++ *
+++ * It is important to note that in the case of failure the db may be corrupted,
+++ * the caller must use the transaction mechanism if the db integrity is
+++ * important.
+++ *
+++ */
+++int mips_rule_add(struct db_filter *db, struct db_api_rule_list *rule)
+++{
+++     int rc = 0;
+++     unsigned int iter;
+++     int sys = rule->syscall;
+++     int sys_a, sys_b;
+++     struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL;
+++
+++     if (_mips_syscall_socket_test(sys)) {
+++             /* socket syscalls */
+++
+++             /* strict check for the multiplexed socket syscalls */
+++             for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
+++                     if ((rule->args[iter].valid != 0) && (rule->strict)) {
+++                             rc = -EINVAL;
+++                             goto add_return;
+++                     }
+++             }
+++
+++             /* determine both the muxed and direct syscall numbers */
+++             if (sys > 0) {
+++                     sys_a = _mips_syscall_mux(sys);
+++                     if (sys_a == __NR_SCMP_ERROR) {
+++                             rc = __NR_SCMP_ERROR;
+++                             goto add_return;
+++                     }
+++                     sys_b = sys;
+++             } else {
+++                     sys_a = sys;
+++                     sys_b = _mips_syscall_demux(sys);
+++                     if (sys_b == __NR_SCMP_ERROR) {
+++                             rc = __NR_SCMP_ERROR;
+++                             goto add_return;
+++                     }
+++             }
+++
+++             /* use rule_a for the multiplexed syscall and use rule_b for
+++              * the direct wired syscall */
+++
+++             if (sys_a == __NR_SCMP_UNDEF) {
+++                     rule_a = NULL;
+++                     rule_b = rule;
+++             } else if (sys_b == __NR_SCMP_UNDEF) {
+++                     rule_a = rule;
+++                     rule_b = NULL;
+++             } else {
+++                     /* need two rules, dup the first and link together */
+++                     rule_a = rule;
+++                     rule_dup = db_rule_dup(rule_a);
+++                     rule_b = rule_dup;
+++                     if (rule_b == NULL)
+++                             goto add_return;
+++                     rule_b->prev = rule_a;
+++                     rule_b->next = NULL;
+++                     rule_a->next = rule_b;
+++             }
+++
+++             /* multiplexed socket syscalls */
+++             if (rule_a != NULL) {
+++                     rule_a->syscall = __mips_NR_socketcall;
+++                     rule_a->args[0].arg = 0;
+++                     rule_a->args[0].op = SCMP_CMP_EQ;
+++                     rule_a->args[0].mask = DATUM_MAX;
+++                     rule_a->args[0].datum = (-sys_a) % 100;
+++                     rule_a->args[0].valid = 1;
+++             }
+++
+++             /* direct wired socket syscalls */
+++             if (rule_b != NULL)
+++                     rule_b->syscall = sys_b;
+++
+++             /* we should be protected by a transaction checkpoint */
+++             if (rule_a != NULL) {
+++                     rc = db_rule_add(db, rule_a);
+++                     if (rc < 0)
+++                             goto add_return;
+++             }
+++             if (rule_b != NULL) {
+++                     rc = db_rule_add(db, rule_b);
+++                     if (rc < 0)
+++                             goto add_return;
+++             }
+++     } else if (_mips_syscall_ipc_test(sys)) {
+++             /* ipc syscalls */
+++
+++             /* strict check for the multiplexed socket syscalls */
+++             for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
+++                     if ((rule->args[iter].valid != 0) && (rule->strict)) {
+++                             rc = -EINVAL;
+++                             goto add_return;
+++                     }
+++             }
+++
+++             /* determine both the muxed and direct syscall numbers */
+++             if (sys > 0) {
+++                     sys_a = _mips_syscall_mux(sys);
+++                     if (sys_a == __NR_SCMP_ERROR) {
+++                             rc = __NR_SCMP_ERROR;
+++                             goto add_return;
+++                     }
+++                     sys_b = sys;
+++             } else {
+++                     sys_a = sys;
+++                     sys_b = _mips_syscall_demux(sys);
+++                     if (sys_b == __NR_SCMP_ERROR) {
+++                             rc = __NR_SCMP_ERROR;
+++                             goto add_return;
+++                     }
+++             }
+++
+++             /* use rule_a for the multiplexed syscall and use rule_b for
+++              * the direct wired syscall */
+++
+++             if (sys_a == __NR_SCMP_UNDEF) {
+++                     rule_a = NULL;
+++                     rule_b = rule;
+++             } else if (sys_b == __NR_SCMP_UNDEF) {
+++                     rule_a = rule;
+++                     rule_b = NULL;
+++             } else {
+++                     /* need two rules, dup the first and link together */
+++                     rule_a = rule;
+++                     rule_dup = db_rule_dup(rule_a);
+++                     rule_b = rule_dup;
+++                     if (rule_b == NULL)
+++                             goto add_return;
+++                     rule_b->prev = rule_a;
+++                     rule_b->next = NULL;
+++                     rule_a->next = rule_b;
+++             }
+++
+++             /* multiplexed socket syscalls */
+++             if (rule_a != NULL) {
+++                     rule_a->syscall = __mips_NR_ipc;
+++                     rule_a->args[0].arg = 0;
+++                     rule_a->args[0].op = SCMP_CMP_EQ;
+++                     rule_a->args[0].mask = DATUM_MAX;
+++                     rule_a->args[0].datum = (-sys_a) % 200;
+++                     rule_a->args[0].valid = 1;
+++             }
+++
+++             /* direct wired socket syscalls */
+++             if (rule_b != NULL)
+++                     rule_b->syscall = sys_b;
+++
+++             /* we should be protected by a transaction checkpoint */
+++             if (rule_a != NULL) {
+++                     rc = db_rule_add(db, rule_a);
+++                     if (rc < 0)
+++                             goto add_return;
+++             }
+++             if (rule_b != NULL) {
+++                     rc = db_rule_add(db, rule_b);
+++                     if (rc < 0)
+++                             goto add_return;
+++             }
+++     } else if (sys >= 0) {
+++             /* normal syscall processing */
+++             rc = db_rule_add(db, rule);
+++             if (rc < 0)
+++                     goto add_return;
+++     } else if (rule->strict) {
+++             rc = -EDOM;
+++             goto add_return;
+++     }
+++
+++add_return:
+++     if (rule_dup != NULL)
+++             free(rule_dup);
+++     return rc;
+++}
+++
++ const struct arch_def arch_def_mips = {
++      .token = SCMP_ARCH_MIPS,
++      .token_bpf = AUDIT_ARCH_MIPS,
++      .size = ARCH_SIZE_32,
++      .endian = ARCH_ENDIAN_BIG,
++-     .sys_socketcall = __mips_NR_socketcall,
++-     .sys_ipc = __mips_NR_ipc,
++-     .syscall_resolve_name = abi_syscall_resolve_name_munge,
++-     .syscall_resolve_name_raw = mips_syscall_resolve_name,
++-     .syscall_resolve_num = abi_syscall_resolve_num_munge,
++-     .syscall_resolve_num_raw = mips_syscall_resolve_num,
++-     .syscall_rewrite = abi_syscall_rewrite,
++-     .rule_add = abi_rule_add,
+++     .syscall_resolve_name = mips_syscall_resolve_name_munge,
+++     .syscall_resolve_num = mips_syscall_resolve_num_munge,
+++     .syscall_rewrite = mips_syscall_rewrite,
+++     .rule_add = mips_rule_add,
++ };
++ 
++ const struct arch_def arch_def_mipsel = {
++@@ -54,12 +566,8 @@ const struct arch_def arch_def_mipsel = {
++      .token_bpf = AUDIT_ARCH_MIPSEL,
++      .size = ARCH_SIZE_32,
++      .endian = ARCH_ENDIAN_LITTLE,
++-     .sys_socketcall = __mips_NR_socketcall,
++-     .sys_ipc = __mips_NR_ipc,
++-     .syscall_resolve_name = abi_syscall_resolve_name_munge,
++-     .syscall_resolve_name_raw = mips_syscall_resolve_name,
++-     .syscall_resolve_num = abi_syscall_resolve_num_munge,
++-     .syscall_resolve_num_raw = mips_syscall_resolve_num,
++-     .syscall_rewrite = abi_syscall_rewrite,
++-     .rule_add = abi_rule_add,
+++     .syscall_resolve_name = mips_syscall_resolve_name_munge,
+++     .syscall_resolve_num = mips_syscall_resolve_num_munge,
+++     .syscall_rewrite = mips_syscall_rewrite,
+++     .rule_add = mips_rule_add,
++ };
++diff --git a/src/arch-mips64.c b/src/arch-mips64.c
++--- a/src/arch-mips64.c
+++++ b/src/arch-mips64.c
++@@ -30,7 +30,6 @@
++ 
++ /**
++  * Resolve a syscall name to a number
++- * @param arch the architecture definition
++  * @param name the syscall name
++  *
++  * Resolve the given syscall name to the syscall number using the syscall table.
++@@ -38,13 +37,12 @@
++  * numbers; returns __NR_SCMP_ERROR on failure.
++  *
++  */
++-int mips64_syscall_resolve_name_munge(const struct arch_def *arch,
++-                                   const char *name)
+++int mips64_syscall_resolve_name_munge(const char *name)
++ {
++      int sys;
++ 
++      /* NOTE: we don't want to modify the pseudo-syscall numbers */
++-     sys = arch->syscall_resolve_name_raw(name);
+++     sys = mips64_syscall_resolve_name(name);
++      if (sys == __NR_SCMP_ERROR || sys < 0)
++              return sys;
++ 
++@@ -53,7 +51,6 @@ int mips64_syscall_resolve_name_munge(const struct arch_def *arch,
++ 
++ /**
++  * Resolve a syscall number to a name
++- * @param arch the architecture definition
++  * @param num the syscall number
++  *
++  * Resolve the given syscall number to the syscall name using the syscall table.
++@@ -61,13 +58,12 @@ int mips64_syscall_resolve_name_munge(const struct arch_def *arch,
++  * syscall names; returns NULL on failure.
++  *
++  */
++-const char *mips64_syscall_resolve_num_munge(const struct arch_def *arch,
++-                                          int num)
+++const char *mips64_syscall_resolve_num_munge(int num)
++ {
++      /* NOTE: we don't want to modify the pseudo-syscall numbers */
++      if (num >= __SCMP_NR_BASE)
++              num -= __SCMP_NR_BASE;
++-     return arch->syscall_resolve_num_raw(num);
+++     return mips64_syscall_resolve_num(num);
++ }
++ 
++ const struct arch_def arch_def_mips64 = {
++@@ -76,9 +72,7 @@ const struct arch_def arch_def_mips64 = {
++      .size = ARCH_SIZE_64,
++      .endian = ARCH_ENDIAN_BIG,
++      .syscall_resolve_name = mips64_syscall_resolve_name_munge,
++-     .syscall_resolve_name_raw = mips64_syscall_resolve_name,
++      .syscall_resolve_num = mips64_syscall_resolve_num_munge,
++-     .syscall_resolve_num_raw = mips64_syscall_resolve_num,
++      .syscall_rewrite = NULL,
++      .rule_add = NULL,
++ };
++@@ -89,9 +83,7 @@ const struct arch_def arch_def_mipsel64 = {
++      .size = ARCH_SIZE_64,
++      .endian = ARCH_ENDIAN_LITTLE,
++      .syscall_resolve_name = mips64_syscall_resolve_name_munge,
++-     .syscall_resolve_name_raw = mips64_syscall_resolve_name,
++      .syscall_resolve_num = mips64_syscall_resolve_num_munge,
++-     .syscall_resolve_num_raw = mips64_syscall_resolve_num,
++      .syscall_rewrite = NULL,
++      .rule_add = NULL,
++ };
++diff --git a/src/arch-mips64n32.c b/src/arch-mips64n32.c
++--- a/src/arch-mips64n32.c
+++++ b/src/arch-mips64n32.c
++@@ -32,7 +32,6 @@
++ 
++ /**
++  * Resolve a syscall name to a number
++- * @param arch the architecture definition
++  * @param name the syscall name
++  *
++  * Resolve the given syscall name to the syscall number using the syscall table.
++@@ -40,8 +39,7 @@
++  * numbers; returns __NR_SCMP_ERROR on failure.
++  *
++  */
++-int mips64n32_syscall_resolve_name_munge(const struct arch_def *arch,
++-                                      const char *name)
+++int mips64n32_syscall_resolve_name_munge(const char *name)
++ {
++      int sys;
++ 
++@@ -55,7 +53,6 @@ int mips64n32_syscall_resolve_name_munge(const struct arch_def *arch,
++ 
++ /**
++  * Resolve a syscall number to a name
++- * @param arch the architecture definition
++  * @param num the syscall number
++  *
++  * Resolve the given syscall number to the syscall name using the syscall table.
++@@ -63,8 +60,7 @@ int mips64n32_syscall_resolve_name_munge(const struct arch_def *arch,
++  * syscall names; returns NULL on failure.
++  *
++  */
++-const char *mips64n32_syscall_resolve_num_munge(const struct arch_def *arch,
++-                                             int num)
+++const char *mips64n32_syscall_resolve_num_munge(int num)
++ {
++      /* NOTE: we don't want to modify the pseudo-syscall numbers */
++      if (num >= __SCMP_NR_BASE)
++@@ -78,9 +74,7 @@ const struct arch_def arch_def_mips64n32 = {
++      .size = ARCH_SIZE_32,
++      .endian = ARCH_ENDIAN_BIG,
++      .syscall_resolve_name = mips64n32_syscall_resolve_name_munge,
++-     .syscall_resolve_name_raw = mips64n32_syscall_resolve_name,
++      .syscall_resolve_num = mips64n32_syscall_resolve_num_munge,
++-     .syscall_resolve_num_raw = mips64n32_syscall_resolve_num,
++      .syscall_rewrite = NULL,
++      .rule_add = NULL,
++ };
++@@ -91,9 +85,7 @@ const struct arch_def arch_def_mipsel64n32 = {
++      .size = ARCH_SIZE_32,
++      .endian = ARCH_ENDIAN_LITTLE,
++      .syscall_resolve_name = mips64n32_syscall_resolve_name_munge,
++-     .syscall_resolve_name_raw = mips64n32_syscall_resolve_name,
++      .syscall_resolve_num = mips64n32_syscall_resolve_num_munge,
++-     .syscall_resolve_num_raw = mips64n32_syscall_resolve_num,
++      .syscall_rewrite = NULL,
++      .rule_add = NULL,
++ };
++diff --git a/src/arch-parisc.c b/src/arch-parisc.c
++--- a/src/arch-parisc.c
+++++ b/src/arch-parisc.c
++@@ -15,8 +15,8 @@ const struct arch_def arch_def_parisc = {
++      .token_bpf = AUDIT_ARCH_PARISC,
++      .size = ARCH_SIZE_32,
++      .endian = ARCH_ENDIAN_BIG,
++-     .syscall_resolve_name_raw = parisc_syscall_resolve_name,
++-     .syscall_resolve_num_raw = parisc_syscall_resolve_num,
+++     .syscall_resolve_name = parisc_syscall_resolve_name,
+++     .syscall_resolve_num = parisc_syscall_resolve_num,
++      .syscall_rewrite = NULL,
++      .rule_add = NULL,
++ };
++diff --git a/src/arch-parisc64.c b/src/arch-parisc64.c
++--- a/src/arch-parisc64.c
+++++ b/src/arch-parisc64.c
++@@ -15,8 +15,8 @@ const struct arch_def arch_def_parisc64 = {
++      .token_bpf = AUDIT_ARCH_PARISC64,
++      .size = ARCH_SIZE_64,
++      .endian = ARCH_ENDIAN_BIG,
++-     .syscall_resolve_name_raw = parisc64_syscall_resolve_name,
++-     .syscall_resolve_num_raw = parisc64_syscall_resolve_num,
+++     .syscall_resolve_name = parisc64_syscall_resolve_name,
+++     .syscall_resolve_num = parisc64_syscall_resolve_num,
++      .syscall_rewrite = NULL,
++      .rule_add = NULL,
++ };
++diff --git a/src/arch-ppc.c b/src/arch-ppc.c
++--- a/src/arch-ppc.c
+++++ b/src/arch-ppc.c
++@@ -34,17 +34,526 @@
++ #define __ppc_NR_socketcall          102
++ #define __ppc_NR_ipc                 117
++ 
+++/**
+++ * Resolve a syscall name to a number
+++ * @param name the syscall name
+++ *
+++ * Resolve the given syscall name to the syscall number using the syscall table.
+++ * Returns the syscall number on success, including negative pseudo syscall
+++ * numbers; returns __NR_SCMP_ERROR on failure.
+++ *
+++ */
+++int ppc_syscall_resolve_name_munge(const char *name)
+++{
+++
+++#define _ABI_SYSCALL_RES_NAME_CHK(NAME) \
+++     if (!strcmp(name, #NAME)) return __PNR_##NAME;
+++
+++     _ABI_SYSCALL_RES_NAME_CHK(socket)
+++     _ABI_SYSCALL_RES_NAME_CHK(bind)
+++     _ABI_SYSCALL_RES_NAME_CHK(connect)
+++     _ABI_SYSCALL_RES_NAME_CHK(listen)
+++     _ABI_SYSCALL_RES_NAME_CHK(accept)
+++     _ABI_SYSCALL_RES_NAME_CHK(getsockname)
+++     _ABI_SYSCALL_RES_NAME_CHK(getpeername)
+++     _ABI_SYSCALL_RES_NAME_CHK(socketpair)
+++     _ABI_SYSCALL_RES_NAME_CHK(send)
+++     _ABI_SYSCALL_RES_NAME_CHK(recv)
+++     _ABI_SYSCALL_RES_NAME_CHK(sendto)
+++     _ABI_SYSCALL_RES_NAME_CHK(recvfrom)
+++     _ABI_SYSCALL_RES_NAME_CHK(shutdown)
+++     _ABI_SYSCALL_RES_NAME_CHK(setsockopt)
+++     _ABI_SYSCALL_RES_NAME_CHK(getsockopt)
+++     _ABI_SYSCALL_RES_NAME_CHK(sendmsg)
+++     _ABI_SYSCALL_RES_NAME_CHK(recvmsg)
+++     _ABI_SYSCALL_RES_NAME_CHK(accept4)
+++     _ABI_SYSCALL_RES_NAME_CHK(recvmmsg)
+++     _ABI_SYSCALL_RES_NAME_CHK(sendmmsg)
+++     _ABI_SYSCALL_RES_NAME_CHK(semop)
+++     _ABI_SYSCALL_RES_NAME_CHK(semget)
+++     _ABI_SYSCALL_RES_NAME_CHK(semctl)
+++     _ABI_SYSCALL_RES_NAME_CHK(semtimedop)
+++     _ABI_SYSCALL_RES_NAME_CHK(msgsnd)
+++     _ABI_SYSCALL_RES_NAME_CHK(msgrcv)
+++     _ABI_SYSCALL_RES_NAME_CHK(msgget)
+++     _ABI_SYSCALL_RES_NAME_CHK(msgctl)
+++     _ABI_SYSCALL_RES_NAME_CHK(shmat)
+++     _ABI_SYSCALL_RES_NAME_CHK(shmdt)
+++     _ABI_SYSCALL_RES_NAME_CHK(shmget)
+++     _ABI_SYSCALL_RES_NAME_CHK(shmctl)
+++
+++     return ppc_syscall_resolve_name(name);
+++}
+++
+++/**
+++ * Resolve a syscall number to a name
+++ * @param num the syscall number
+++ *
+++ * Resolve the given syscall number to the syscall name using the syscall table.
+++ * Returns a pointer to the syscall name string on success, including pseudo
+++ * syscall names; returns NULL on failure.
+++ *
+++ */
+++const char *ppc_syscall_resolve_num_munge(int num)
+++{
+++
+++#define _ABI_SYSCALL_RES_NUM_CHK(NAME) \
+++     if (num == __PNR_##NAME) return #NAME;
+++
+++     _ABI_SYSCALL_RES_NUM_CHK(socket)
+++     _ABI_SYSCALL_RES_NUM_CHK(bind)
+++     _ABI_SYSCALL_RES_NUM_CHK(connect)
+++     _ABI_SYSCALL_RES_NUM_CHK(listen)
+++     _ABI_SYSCALL_RES_NUM_CHK(accept)
+++     _ABI_SYSCALL_RES_NUM_CHK(getsockname)
+++     _ABI_SYSCALL_RES_NUM_CHK(getpeername)
+++     _ABI_SYSCALL_RES_NUM_CHK(socketpair)
+++     _ABI_SYSCALL_RES_NUM_CHK(send)
+++     _ABI_SYSCALL_RES_NUM_CHK(recv)
+++     _ABI_SYSCALL_RES_NUM_CHK(sendto)
+++     _ABI_SYSCALL_RES_NUM_CHK(recvfrom)
+++     _ABI_SYSCALL_RES_NUM_CHK(shutdown)
+++     _ABI_SYSCALL_RES_NUM_CHK(setsockopt)
+++     _ABI_SYSCALL_RES_NUM_CHK(getsockopt)
+++     _ABI_SYSCALL_RES_NUM_CHK(sendmsg)
+++     _ABI_SYSCALL_RES_NUM_CHK(recvmsg)
+++     _ABI_SYSCALL_RES_NUM_CHK(accept4)
+++     _ABI_SYSCALL_RES_NUM_CHK(recvmmsg)
+++     _ABI_SYSCALL_RES_NUM_CHK(sendmmsg)
+++     _ABI_SYSCALL_RES_NUM_CHK(semop)
+++     _ABI_SYSCALL_RES_NUM_CHK(semget)
+++     _ABI_SYSCALL_RES_NUM_CHK(semctl)
+++     _ABI_SYSCALL_RES_NUM_CHK(semtimedop)
+++     _ABI_SYSCALL_RES_NUM_CHK(msgsnd)
+++     _ABI_SYSCALL_RES_NUM_CHK(msgrcv)
+++     _ABI_SYSCALL_RES_NUM_CHK(msgget)
+++     _ABI_SYSCALL_RES_NUM_CHK(msgctl)
+++     _ABI_SYSCALL_RES_NUM_CHK(shmat)
+++     _ABI_SYSCALL_RES_NUM_CHK(shmdt)
+++     _ABI_SYSCALL_RES_NUM_CHK(shmget)
+++     _ABI_SYSCALL_RES_NUM_CHK(shmctl)
+++
+++     return ppc_syscall_resolve_num(num);
+++}
+++
+++/**
+++ * Check if a syscall is a socket syscall
+++ * @param sys the syscall number
+++ *
+++ * Returns true if the syscall is a socket related syscall, false otherwise.
+++ *
+++ */
+++static bool _ppc_syscall_socket_test(int sys)
+++{
+++     const char *name;
+++
+++     /* multiplexed pseduo-syscalls */
+++     if (sys <= -100 && sys >= -120)
+++             return true;
+++
+++     name = ppc_syscall_resolve_num(sys);
+++     if (!name)
+++             return false;
+++
+++#define _ABI_SYSCALL_SOCK_CHK(NAME) \
+++     if (!strcmp(name, #NAME)) return true;
+++
+++     _ABI_SYSCALL_SOCK_CHK(socket)
+++     _ABI_SYSCALL_SOCK_CHK(bind)
+++     _ABI_SYSCALL_SOCK_CHK(connect)
+++     _ABI_SYSCALL_SOCK_CHK(listen)
+++     _ABI_SYSCALL_SOCK_CHK(accept)
+++     _ABI_SYSCALL_SOCK_CHK(getsockname)
+++     _ABI_SYSCALL_SOCK_CHK(getpeername)
+++     _ABI_SYSCALL_SOCK_CHK(socketpair)
+++     _ABI_SYSCALL_SOCK_CHK(send)
+++     _ABI_SYSCALL_SOCK_CHK(recv)
+++     _ABI_SYSCALL_SOCK_CHK(sendto)
+++     _ABI_SYSCALL_SOCK_CHK(recvfrom)
+++     _ABI_SYSCALL_SOCK_CHK(shutdown)
+++     _ABI_SYSCALL_SOCK_CHK(setsockopt)
+++     _ABI_SYSCALL_SOCK_CHK(getsockopt)
+++     _ABI_SYSCALL_SOCK_CHK(sendmsg)
+++     _ABI_SYSCALL_SOCK_CHK(recvmsg)
+++     _ABI_SYSCALL_SOCK_CHK(accept4)
+++     _ABI_SYSCALL_SOCK_CHK(recvmmsg)
+++     _ABI_SYSCALL_SOCK_CHK(sendmmsg)
+++
+++     return false;
+++}
+++
+++/**
+++ * Check if a syscall is an ipc syscall
+++ * @param sys the syscall number
+++ *
+++ * Returns true if the syscall is an ipc related syscall, false otherwise.
+++ *
+++ */
+++static bool _ppc_syscall_ipc_test(int sys)
+++{
+++     const char *name;
+++
+++     /* multiplexed pseduo-syscalls */
+++     if (sys <= -200 && sys >= -224)
+++             return true;
+++
+++     name = ppc_syscall_resolve_num(sys);
+++     if (!name)
+++             return false;
+++
+++#define _ABI_SYSCALL_IPC_CHK(NAME) \
+++     if (!strcmp(name, #NAME)) return true;
+++
+++     _ABI_SYSCALL_IPC_CHK(semop)
+++     _ABI_SYSCALL_IPC_CHK(semget)
+++     _ABI_SYSCALL_IPC_CHK(semctl)
+++     _ABI_SYSCALL_IPC_CHK(semtimedop)
+++     _ABI_SYSCALL_IPC_CHK(msgsnd)
+++     _ABI_SYSCALL_IPC_CHK(msgrcv)
+++     _ABI_SYSCALL_IPC_CHK(msgget)
+++     _ABI_SYSCALL_IPC_CHK(msgctl)
+++     _ABI_SYSCALL_IPC_CHK(shmat)
+++     _ABI_SYSCALL_IPC_CHK(shmdt)
+++     _ABI_SYSCALL_IPC_CHK(shmget)
+++     _ABI_SYSCALL_IPC_CHK(shmctl)
+++
+++     return false;
+++}
+++
+++/**
+++ * Convert a multiplexed pseudo syscall into a direct syscall
+++ * @param syscall the multiplexed pseudo syscall number
+++ *
+++ * Return the related direct syscall number, __NR_SCMP_UNDEF is there is
+++ * no related syscall, or __NR_SCMP_ERROR otherwise.
+++ *
+++ */
+++static int _ppc_syscall_demux(int syscall)
+++{
+++     int sys = __NR_SCMP_UNDEF;
+++
+++#define _ABI_SYSCALL_DEMUX_CHK(NAME) \
+++case __PNR_##NAME: \
+++     sys = ppc_syscall_resolve_name(#NAME); break;
+++
+++     switch (syscall) {
+++             _ABI_SYSCALL_DEMUX_CHK(socket)
+++             _ABI_SYSCALL_DEMUX_CHK(bind)
+++             _ABI_SYSCALL_DEMUX_CHK(connect)
+++             _ABI_SYSCALL_DEMUX_CHK(listen)
+++             _ABI_SYSCALL_DEMUX_CHK(accept)
+++             _ABI_SYSCALL_DEMUX_CHK(getsockname)
+++             _ABI_SYSCALL_DEMUX_CHK(getpeername)
+++             _ABI_SYSCALL_DEMUX_CHK(socketpair)
+++             _ABI_SYSCALL_DEMUX_CHK(send)
+++             _ABI_SYSCALL_DEMUX_CHK(recv)
+++             _ABI_SYSCALL_DEMUX_CHK(sendto)
+++             _ABI_SYSCALL_DEMUX_CHK(recvfrom)
+++             _ABI_SYSCALL_DEMUX_CHK(shutdown)
+++             _ABI_SYSCALL_DEMUX_CHK(setsockopt)
+++             _ABI_SYSCALL_DEMUX_CHK(getsockopt)
+++             _ABI_SYSCALL_DEMUX_CHK(sendmsg)
+++             _ABI_SYSCALL_DEMUX_CHK(recvmsg)
+++             _ABI_SYSCALL_DEMUX_CHK(accept4)
+++             _ABI_SYSCALL_DEMUX_CHK(recvmmsg)
+++             _ABI_SYSCALL_DEMUX_CHK(sendmmsg)
+++             _ABI_SYSCALL_DEMUX_CHK(semop)
+++             _ABI_SYSCALL_DEMUX_CHK(semget)
+++             _ABI_SYSCALL_DEMUX_CHK(semctl)
+++             _ABI_SYSCALL_DEMUX_CHK(semtimedop)
+++             _ABI_SYSCALL_DEMUX_CHK(msgsnd)
+++             _ABI_SYSCALL_DEMUX_CHK(msgrcv)
+++             _ABI_SYSCALL_DEMUX_CHK(msgget)
+++             _ABI_SYSCALL_DEMUX_CHK(msgctl)
+++             _ABI_SYSCALL_DEMUX_CHK(shmat)
+++             _ABI_SYSCALL_DEMUX_CHK(shmdt)
+++             _ABI_SYSCALL_DEMUX_CHK(shmget)
+++             _ABI_SYSCALL_DEMUX_CHK(shmctl)
+++     }
+++
+++     /* this looks odd because the arch resolver returns _ERROR if it can't
+++      * resolve the syscall, but we want to use _UNDEF for that, so we set
+++      * 'sys' to a sentinel value of _UNDEF and if it is error here we know
+++      * the resolve failed to find a match */
+++     if (sys == __NR_SCMP_UNDEF)
+++             sys = __NR_SCMP_ERROR;
+++     else if (sys == __NR_SCMP_ERROR)
+++             sys = __NR_SCMP_UNDEF;
+++
+++     return sys;
+++}
+++
+++/**
+++ * Convert a direct syscall into multiplexed pseudo socket syscall
+++ * @param syscall the direct syscall
+++ *
+++ * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is
+++ * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise.
+++ *
+++ */
+++static int _ppc_syscall_mux(int syscall)
+++{
+++     const char *sys;
+++
+++     sys = ppc_syscall_resolve_num(syscall);
+++     if (!sys)
+++             return __NR_SCMP_ERROR;
+++
+++#define _ABI_SYSCALL_MUX_CHK(NAME) \
+++     if (!strcmp(sys, #NAME)) return __PNR_##NAME;
+++
+++     _ABI_SYSCALL_MUX_CHK(socket)
+++     _ABI_SYSCALL_MUX_CHK(bind)
+++     _ABI_SYSCALL_MUX_CHK(connect)
+++     _ABI_SYSCALL_MUX_CHK(listen)
+++     _ABI_SYSCALL_MUX_CHK(accept)
+++     _ABI_SYSCALL_MUX_CHK(getsockname)
+++     _ABI_SYSCALL_MUX_CHK(getpeername)
+++     _ABI_SYSCALL_MUX_CHK(socketpair)
+++     _ABI_SYSCALL_MUX_CHK(send)
+++     _ABI_SYSCALL_MUX_CHK(recv)
+++     _ABI_SYSCALL_MUX_CHK(sendto)
+++     _ABI_SYSCALL_MUX_CHK(recvfrom)
+++     _ABI_SYSCALL_MUX_CHK(shutdown)
+++     _ABI_SYSCALL_MUX_CHK(setsockopt)
+++     _ABI_SYSCALL_MUX_CHK(getsockopt)
+++     _ABI_SYSCALL_MUX_CHK(sendmsg)
+++     _ABI_SYSCALL_MUX_CHK(recvmsg)
+++     _ABI_SYSCALL_MUX_CHK(accept4)
+++     _ABI_SYSCALL_MUX_CHK(recvmmsg)
+++     _ABI_SYSCALL_MUX_CHK(sendmmsg)
+++     _ABI_SYSCALL_MUX_CHK(semop)
+++     _ABI_SYSCALL_MUX_CHK(semget)
+++     _ABI_SYSCALL_MUX_CHK(semctl)
+++     _ABI_SYSCALL_MUX_CHK(semtimedop)
+++     _ABI_SYSCALL_MUX_CHK(msgsnd)
+++     _ABI_SYSCALL_MUX_CHK(msgrcv)
+++     _ABI_SYSCALL_MUX_CHK(msgget)
+++     _ABI_SYSCALL_MUX_CHK(msgctl)
+++     _ABI_SYSCALL_MUX_CHK(shmat)
+++     _ABI_SYSCALL_MUX_CHK(shmdt)
+++     _ABI_SYSCALL_MUX_CHK(shmget)
+++     _ABI_SYSCALL_MUX_CHK(shmctl)
+++
+++     return __NR_SCMP_ERROR;
+++}
+++
+++/**
+++ * Rewrite a syscall value to match the architecture
+++ * @param syscall the syscall number
+++ *
+++ * Syscalls can vary across different architectures so this function rewrites
+++ * the syscall into the correct value for the specified architecture.  Returns
+++ * zero on success, negative values on failure.
+++ *
+++ */
+++int ppc_syscall_rewrite(int *syscall)
+++{
+++     int sys = *syscall;
+++
+++     if (sys <= -100 && sys >= -120)
+++             *syscall = __ppc_NR_socketcall;
+++     else if (sys <= -200 && sys >= -224)
+++             *syscall = __ppc_NR_ipc;
+++     else if (sys < 0)
+++             return -EDOM;
+++
+++     return 0;
+++}
+++
+++/**
+++ * add a new rule to the ppc seccomp filter
+++ * @param db the seccomp filter db
+++ * @param rule the filter rule
+++ *
+++ * This function adds a new syscall filter to the seccomp filter db, making any
+++ * necessary adjustments for the ppc ABI.  Returns zero on success, negative
+++ * values on failure.
+++ *
+++ * It is important to note that in the case of failure the db may be corrupted,
+++ * the caller must use the transaction mechanism if the db integrity is
+++ * important.
+++ *
+++ */
+++int ppc_rule_add(struct db_filter *db, struct db_api_rule_list *rule)
+++{
+++     int rc = 0;
+++     unsigned int iter;
+++     int sys = rule->syscall;
+++     int sys_a, sys_b;
+++     struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL;
+++
+++     if (_ppc_syscall_socket_test(sys)) {
+++             /* socket syscalls */
+++
+++             /* strict check for the multiplexed socket syscalls */
+++             for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
+++                     if ((rule->args[iter].valid != 0) && (rule->strict)) {
+++                             rc = -EINVAL;
+++                             goto add_return;
+++                     }
+++             }
+++
+++             /* determine both the muxed and direct syscall numbers */
+++             if (sys > 0) {
+++                     sys_a = _ppc_syscall_mux(sys);
+++                     if (sys_a == __NR_SCMP_ERROR) {
+++                             rc = __NR_SCMP_ERROR;
+++                             goto add_return;
+++                     }
+++                     sys_b = sys;
+++             } else {
+++                     sys_a = sys;
+++                     sys_b = _ppc_syscall_demux(sys);
+++                     if (sys_b == __NR_SCMP_ERROR) {
+++                             rc = __NR_SCMP_ERROR;
+++                             goto add_return;
+++                     }
+++             }
+++
+++             /* use rule_a for the multiplexed syscall and use rule_b for
+++              * the direct wired syscall */
+++
+++             if (sys_a == __NR_SCMP_UNDEF) {
+++                     rule_a = NULL;
+++                     rule_b = rule;
+++             } else if (sys_b == __NR_SCMP_UNDEF) {
+++                     rule_a = rule;
+++                     rule_b = NULL;
+++             } else {
+++                     /* need two rules, dup the first and link together */
+++                     rule_a = rule;
+++                     rule_dup = db_rule_dup(rule_a);
+++                     rule_b = rule_dup;
+++                     if (rule_b == NULL)
+++                             goto add_return;
+++                     rule_b->prev = rule_a;
+++                     rule_b->next = NULL;
+++                     rule_a->next = rule_b;
+++             }
+++
+++             /* multiplexed socket syscalls */
+++             if (rule_a != NULL) {
+++                     rule_a->syscall = __ppc_NR_socketcall;
+++                     rule_a->args[0].arg = 0;
+++                     rule_a->args[0].op = SCMP_CMP_EQ;
+++                     rule_a->args[0].mask = DATUM_MAX;
+++                     rule_a->args[0].datum = (-sys_a) % 100;
+++                     rule_a->args[0].valid = 1;
+++             }
+++
+++             /* direct wired socket syscalls */
+++             if (rule_b != NULL)
+++                     rule_b->syscall = sys_b;
+++
+++             /* we should be protected by a transaction checkpoint */
+++             if (rule_a != NULL) {
+++                     rc = db_rule_add(db, rule_a);
+++                     if (rc < 0)
+++                             goto add_return;
+++             }
+++             if (rule_b != NULL) {
+++                     rc = db_rule_add(db, rule_b);
+++                     if (rc < 0)
+++                             goto add_return;
+++             }
+++     } else if (_ppc_syscall_ipc_test(sys)) {
+++             /* ipc syscalls */
+++
+++             /* strict check for the multiplexed socket syscalls */
+++             for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
+++                     if ((rule->args[iter].valid != 0) && (rule->strict)) {
+++                             rc = -EINVAL;
+++                             goto add_return;
+++                     }
+++             }
+++
+++             /* determine both the muxed and direct syscall numbers */
+++             if (sys > 0) {
+++                     sys_a = _ppc_syscall_mux(sys);
+++                     if (sys_a == __NR_SCMP_ERROR) {
+++                             rc = __NR_SCMP_ERROR;
+++                             goto add_return;
+++                     }
+++                     sys_b = sys;
+++             } else {
+++                     sys_a = sys;
+++                     sys_b = _ppc_syscall_demux(sys);
+++                     if (sys_b == __NR_SCMP_ERROR) {
+++                             rc = __NR_SCMP_ERROR;
+++                             goto add_return;
+++                     }
+++             }
+++
+++             /* use rule_a for the multiplexed syscall and use rule_b for
+++              * the direct wired syscall */
+++
+++             if (sys_a == __NR_SCMP_UNDEF) {
+++                     rule_a = NULL;
+++                     rule_b = rule;
+++             } else if (sys_b == __NR_SCMP_UNDEF) {
+++                     rule_a = rule;
+++                     rule_b = NULL;
+++             } else {
+++                     /* need two rules, dup the first and link together */
+++                     rule_a = rule;
+++                     rule_dup = db_rule_dup(rule_a);
+++                     rule_b = rule_dup;
+++                     if (rule_b == NULL)
+++                             goto add_return;
+++                     rule_b->prev = rule_a;
+++                     rule_b->next = NULL;
+++                     rule_a->next = rule_b;
+++             }
+++
+++             /* multiplexed socket syscalls */
+++             if (rule_a != NULL) {
+++                     rule_a->syscall = __ppc_NR_ipc;
+++                     rule_a->args[0].arg = 0;
+++                     rule_a->args[0].op = SCMP_CMP_EQ;
+++                     rule_a->args[0].mask = DATUM_MAX;
+++                     rule_a->args[0].datum = (-sys_a) % 200;
+++                     rule_a->args[0].valid = 1;
+++             }
+++
+++             /* direct wired socket syscalls */
+++             if (rule_b != NULL)
+++                     rule_b->syscall = sys_b;
+++
+++             /* we should be protected by a transaction checkpoint */
+++             if (rule_a != NULL) {
+++                     rc = db_rule_add(db, rule_a);
+++                     if (rc < 0)
+++                             goto add_return;
+++             }
+++             if (rule_b != NULL) {
+++                     rc = db_rule_add(db, rule_b);
+++                     if (rc < 0)
+++                             goto add_return;
+++             }
+++     } else if (sys >= 0) {
+++             /* normal syscall processing */
+++             rc = db_rule_add(db, rule);
+++             if (rc < 0)
+++                     goto add_return;
+++     } else if (rule->strict) {
+++             rc = -EDOM;
+++             goto add_return;
+++     }
+++
+++add_return:
+++     if (rule_dup != NULL)
+++             free(rule_dup);
+++     return rc;
+++}
+++
++ const struct arch_def arch_def_ppc = {
++      .token = SCMP_ARCH_PPC,
++      .token_bpf = AUDIT_ARCH_PPC,
++      .size = ARCH_SIZE_32,
++      .endian = ARCH_ENDIAN_BIG,
++-     .sys_socketcall = __ppc_NR_socketcall,
++-     .sys_ipc = __ppc_NR_ipc,
++-     .syscall_resolve_name = abi_syscall_resolve_name_munge,
++-     .syscall_resolve_name_raw = ppc_syscall_resolve_name,
++-     .syscall_resolve_num = abi_syscall_resolve_num_munge,
++-     .syscall_resolve_num_raw = ppc_syscall_resolve_num,
++-     .syscall_rewrite = abi_syscall_rewrite,
++-     .rule_add = abi_rule_add,
+++     .syscall_resolve_name = ppc_syscall_resolve_name_munge,
+++     .syscall_resolve_num = ppc_syscall_resolve_num_munge,
+++     .syscall_rewrite = ppc_syscall_rewrite,
+++     .rule_add = ppc_rule_add,
++ };
++diff --git a/src/arch-ppc64.c b/src/arch-ppc64.c
++--- a/src/arch-ppc64.c
+++++ b/src/arch-ppc64.c
++@@ -26,7 +26,6 @@
++ #include <linux/audit.h>
++ 
++ #include "db.h"
++-#include "syscalls.h"
++ #include "arch.h"
++ #include "arch-ppc64.h"
++ 
++@@ -34,19 +33,605 @@
++ #define __ppc64_NR_socketcall                102
++ #define __ppc64_NR_ipc                       117
++ 
+++/**
+++ * Resolve a syscall name to a number
+++ * @param name the syscall name
+++ *
+++ * Resolve the given syscall name to the syscall number using the syscall table.
+++ * Returns the syscall number on success, including negative pseudo syscall
+++ * numbers; returns __NR_SCMP_ERROR on failure.
+++ *
+++ */
+++int ppc64_syscall_resolve_name_munge(const char *name)
+++{
+++     if (strcmp(name, "accept") == 0)
+++             return __PNR_accept;
+++     if (strcmp(name, "accept4") == 0)
+++             return __PNR_accept4;
+++     else if (strcmp(name, "bind") == 0)
+++             return __PNR_bind;
+++     else if (strcmp(name, "connect") == 0)
+++             return __PNR_connect;
+++     else if (strcmp(name, "getpeername") == 0)
+++             return __PNR_getpeername;
+++     else if (strcmp(name, "getsockname") == 0)
+++             return __PNR_getsockname;
+++     else if (strcmp(name, "getsockopt") == 0)
+++             return __PNR_getsockopt;
+++     else if (strcmp(name, "listen") == 0)
+++             return __PNR_listen;
+++     else if (strcmp(name, "msgctl") == 0)
+++             return __PNR_msgctl;
+++     else if (strcmp(name, "msgget") == 0)
+++             return __PNR_msgget;
+++     else if (strcmp(name, "msgrcv") == 0)
+++             return __PNR_msgrcv;
+++     else if (strcmp(name, "msgsnd") == 0)
+++             return __PNR_msgsnd;
+++     else if (strcmp(name, "recv") == 0)
+++             return __PNR_recv;
+++     else if (strcmp(name, "recvfrom") == 0)
+++             return __PNR_recvfrom;
+++     else if (strcmp(name, "recvmsg") == 0)
+++             return __PNR_recvmsg;
+++     else if (strcmp(name, "recvmmsg") == 0)
+++             return __PNR_recvmmsg;
+++     else if (strcmp(name, "semctl") == 0)
+++             return __PNR_semctl;
+++     else if (strcmp(name, "semget") == 0)
+++             return __PNR_semget;
+++     else if (strcmp(name, "semtimedop") == 0)
+++             return __PNR_semtimedop;
+++     else if (strcmp(name, "send") == 0)
+++             return __PNR_send;
+++     else if (strcmp(name, "sendmsg") == 0)
+++             return __PNR_sendmsg;
+++     else if (strcmp(name, "sendmmsg") == 0)
+++             return __PNR_sendmmsg;
+++     else if (strcmp(name, "sendto") == 0)
+++             return __PNR_sendto;
+++     else if (strcmp(name, "setsockopt") == 0)
+++             return __PNR_setsockopt;
+++     else if (strcmp(name, "shmat") == 0)
+++             return __PNR_shmat;
+++     else if (strcmp(name, "shmdt") == 0)
+++             return __PNR_shmdt;
+++     else if (strcmp(name, "shmget") == 0)
+++             return __PNR_shmget;
+++     else if (strcmp(name, "shmctl") == 0)
+++             return __PNR_shmctl;
+++     else if (strcmp(name, "shutdown") == 0)
+++             return __PNR_shutdown;
+++     else if (strcmp(name, "socket") == 0)
+++             return __PNR_socket;
+++     else if (strcmp(name, "socketpair") == 0)
+++             return __PNR_socketpair;
+++
+++     return ppc64_syscall_resolve_name(name);
+++}
+++
+++/**
+++ * Resolve a syscall number to a name
+++ * @param num the syscall number
+++ *
+++ * Resolve the given syscall number to the syscall name using the syscall table.
+++ * Returns a pointer to the syscall name string on success, including pseudo
+++ * syscall names; returns NULL on failure.
+++ *
+++ */
+++const char *ppc64_syscall_resolve_num_munge(int num)
+++{
+++     if (num == __PNR_accept)
+++             return "accept";
+++     else if (num == __PNR_accept4)
+++             return "accept4";
+++     else if (num == __PNR_bind)
+++             return "bind";
+++     else if (num == __PNR_connect)
+++             return "connect";
+++     else if (num == __PNR_getpeername)
+++             return "getpeername";
+++     else if (num == __PNR_getsockname)
+++             return "getsockname";
+++     else if (num == __PNR_getsockopt)
+++             return "getsockopt";
+++     else if (num == __PNR_listen)
+++             return "listen";
+++     else if (num == __PNR_msgctl)
+++             return "msgctl";
+++     else if (num == __PNR_msgget)
+++             return "msgget";
+++     else if (num == __PNR_msgrcv)
+++             return "msgrcv";
+++     else if (num == __PNR_msgsnd)
+++             return "msgsnd";
+++     else if (num == __PNR_recv)
+++             return "recv";
+++     else if (num == __PNR_recvfrom)
+++             return "recvfrom";
+++     else if (num == __PNR_recvmsg)
+++             return "recvmsg";
+++     else if (num == __PNR_recvmmsg)
+++             return "recvmmsg";
+++     else if (num == __PNR_semctl)
+++             return "semctl";
+++     else if (num == __PNR_semget)
+++             return "semget";
+++     else if (num == __PNR_semtimedop)
+++             return "semtimedop";
+++     else if (num == __PNR_send)
+++             return "send";
+++     else if (num == __PNR_sendmsg)
+++             return "sendmsg";
+++     else if (num == __PNR_sendmmsg)
+++             return "sendmmsg";
+++     else if (num == __PNR_sendto)
+++             return "sendto";
+++     else if (num == __PNR_setsockopt)
+++             return "setsockopt";
+++     else if (num == __PNR_shmat)
+++             return "shmat";
+++     else if (num == __PNR_shmdt)
+++             return "shmdt";
+++     else if (num == __PNR_shmget)
+++             return "shmget";
+++     else if (num == __PNR_shmctl)
+++             return "shmctl";
+++     else if (num == __PNR_shutdown)
+++             return "shutdown";
+++     else if (num == __PNR_socket)
+++             return "socket";
+++     else if (num == __PNR_socketpair)
+++             return "socketpair";
+++
+++     return ppc64_syscall_resolve_num(num);
+++}
+++
+++/**
+++ * Convert a multiplexed pseudo socket syscall into a direct syscall
+++ * @param syscall the multiplexed pseudo syscall number
+++ *
+++ * Return the related direct syscall number, __NR_SCMP_UNDEF is there is
+++ * no related syscall, or __NR_SCMP_ERROR otherwise.
+++ *
+++ */
+++static int _ppc64_syscall_demux(int syscall)
+++{
+++     switch (syscall) {
+++     case -101:
+++             /* socket */
+++             return 326;
+++     case -102:
+++             /* bind */
+++             return 327;
+++     case -103:
+++             /* connect */
+++             return 328;
+++     case -104:
+++             /* listen */
+++             return 329;
+++     case -105:
+++             /* accept */
+++             return 330;
+++     case -106:
+++             /* getsockname */
+++             return 331;
+++     case -107:
+++             /* getpeername */
+++             return 332;
+++     case -108:
+++             /* socketpair */
+++             return 333;
+++     case -109:
+++             /* send */
+++             return 334;
+++     case -110:
+++             /* recv */
+++             return 336;
+++     case -111:
+++             /* sendto */
+++             return 335;
+++     case -112:
+++             /* recvfrom */
+++             return 337;
+++     case -113:
+++             /* shutdown */
+++             return 338;
+++     case -114:
+++             /* setsockopt */
+++             return 339;
+++     case -115:
+++             /* getsockopt */
+++             return 340;
+++     case -116:
+++             /* sendmsg */
+++             return 341;
+++     case -117:
+++             /* recvmsg */
+++             return 342;
+++     case -118:
+++             /* accept4 */
+++             return 344;
+++     case -119:
+++             /* recvmmsg */
+++             return 343;
+++     case -120:
+++             /* sendmmsg */
+++             return 349;
+++     case -201:
+++             /* semop - not defined */
+++             return __NR_SCMP_UNDEF;
+++     case -202:
+++             /* semget */
+++             return 393;
+++     case -203:
+++             /* semctl */
+++             return 394;
+++     case -204:
+++             /* semtimedop */
+++             return 392;
+++     case -211:
+++             /* msgsnd */
+++             return 400;
+++     case -212:
+++             /* msgrcv */
+++             return 401;
+++     case -213:
+++             /* msgget */
+++             return 399;
+++     case -214:
+++             /* msgctl */
+++             return 402;
+++     case -221:
+++             /* shmat */
+++             return 397;
+++     case -222:
+++             /* shmdt */
+++             return 398;
+++     case -223:
+++             /* shmget */
+++             return 395;
+++     case -224:
+++             /* shmctl */
+++             return 396;
+++     }
+++
+++     return __NR_SCMP_ERROR;
+++}
+++
+++/**
+++ * Convert a direct socket syscall into multiplexed pseudo socket syscall
+++ * @param syscall the direct syscall
+++ *
+++ * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is
+++ * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise.
+++ *
+++ */
+++static int _ppc64_syscall_mux(int syscall)
+++{
+++     switch (syscall) {
+++     case 326:
+++             /* socket */
+++             return -101;
+++     case 327:
+++             /* bind */
+++             return -102;
+++     case 328:
+++             /* connect */
+++             return -103;
+++     case 329:
+++             /* listen */
+++             return -104;
+++     case 330:
+++             /* accept */
+++             return -105;
+++     case 331:
+++             /* getsockname */
+++             return -106;
+++     case 332:
+++             /* getpeername */
+++             return -107;
+++     case 333:
+++             /* socketpair */
+++             return -108;
+++     case 334:
+++             /* send */
+++             return -109;
+++     case 335:
+++             /* sendto */
+++             return -111;
+++     case 336:
+++             /* recv */
+++             return -110;
+++     case 337:
+++             /* recvfrom */
+++             return -112;
+++     case 338:
+++             /* shutdown */
+++             return -113;
+++     case 339:
+++             /* setsockopt */
+++             return -114;
+++     case 340:
+++             /* getsockopt */
+++             return -115;
+++     case 341:
+++             /* sendmsg */
+++             return -116;
+++     case 342:
+++             /* recvmsg */
+++             return -117;
+++     case 343:
+++             /* recvmmsg */
+++             return -119;
+++     case 344:
+++             /* accept4 */
+++             return -118;
+++     case 349:
+++             /* sendmmsg */
+++             return -120;
+++     case 392:
+++             /* semtimedop */
+++             return -204;
+++     case 393:
+++             /* semget */
+++             return -202;
+++     case 394:
+++             /* semctl */
+++             return -203;
+++     case 395:
+++             /* shmget */
+++             return -223;
+++     case 396:
+++             /* shmctl */
+++             return -224;
+++     case 397:
+++             /* shmat */
+++             return -221;
+++     case 398:
+++             /* shmdt */
+++             return -222;
+++     case 399:
+++             /* msgget */
+++             return -213;
+++     case 400:
+++             /* msgsnd */
+++             return -211;
+++     case 401:
+++             /* msgrcv */
+++             return -212;
+++     case 402:
+++             /* msgctl */
+++             return -214;
+++     }
+++
+++     return __NR_SCMP_ERROR;
+++}
+++
+++/**
+++ * Rewrite a syscall value to match the architecture
+++ * @param syscall the syscall number
+++ *
+++ * Syscalls can vary across different architectures so this function rewrites
+++ * the syscall into the correct value for the specified architecture.  Returns
+++ * zero on success, negative values on failure.
+++ *
+++ */
+++int ppc64_syscall_rewrite(int *syscall)
+++{
+++     int sys = *syscall;
+++
+++     if (sys <= -100 && sys >= -120)
+++             *syscall = __ppc64_NR_socketcall;
+++     else if (sys <= -200 && sys >= -224)
+++             *syscall = __ppc64_NR_ipc;
+++     else if (sys < 0)
+++             return -EDOM;
+++
+++     return 0;
+++}
+++
+++/**
+++ * add a new rule to the ppc64 seccomp filter
+++ * @param db the seccomp filter db
+++ * @param rule the filter rule
+++ *
+++ * This function adds a new syscall filter to the seccomp filter db, making any
+++ * necessary adjustments for the ppc64 ABI.  Returns zero on success, negative
+++ * values on failure.
+++ *
+++ * It is important to note that in the case of failure the db may be corrupted,
+++ * the caller must use the transaction mechanism if the db integrity is
+++ * important.
+++ *
+++ */
+++int ppc64_rule_add(struct db_filter *db, struct db_api_rule_list *rule)
+++{
+++     int rc = 0;
+++     unsigned int iter;
+++     int sys = rule->syscall;
+++     int sys_a, sys_b;
+++     struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL;
+++
+++     if ((sys <= -100 && sys >= -120) || (sys >= 326 && sys <= 344) ||
+++         (sys == 349)) {
+++             /* (-100 to -120) : multiplexed socket syscalls
+++                (326 to 344)   : direct socket syscalls, Linux 4.3+
+++                (349)          : sendmmsg */
+++
+++             /* strict check for the multiplexed socket syscalls */
+++             for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
+++                     if ((rule->args[iter].valid != 0) && (rule->strict)) {
+++                             rc = -EINVAL;
+++                             goto add_return;
+++                     }
+++             }
+++
+++             /* determine both the muxed and direct syscall numbers */
+++             if (sys > 0) {
+++                     sys_a = _ppc64_syscall_mux(sys);
+++                     if (sys_a == __NR_SCMP_ERROR) {
+++                             rc = __NR_SCMP_ERROR;
+++                             goto add_return;
+++                     }
+++                     sys_b = sys;
+++             } else {
+++                     sys_a = sys;
+++                     sys_b = _ppc64_syscall_demux(sys);
+++                     if (sys_b == __NR_SCMP_ERROR) {
+++                             rc = __NR_SCMP_ERROR;
+++                             goto add_return;
+++                     }
+++             }
+++
+++             /* use rule_a for the multiplexed syscall and use rule_b for
+++              * the direct wired syscall */
+++
+++             if (sys_a == __NR_SCMP_UNDEF) {
+++                     rule_a = NULL;
+++                     rule_b = rule;
+++             } else if (sys_b == __NR_SCMP_UNDEF) {
+++                     rule_a = rule;
+++                     rule_b = NULL;
+++             } else {
+++                     /* need two rules, dup the first and link together */
+++                     rule_a = rule;
+++                     rule_dup = db_rule_dup(rule_a);
+++                     rule_b = rule_dup;
+++                     if (rule_b == NULL) {
+++                             rc = -ENOMEM;
+++                             goto add_return;
+++                     }
+++                     rule_b->prev = rule_a;
+++                     rule_b->next = NULL;
+++                     rule_a->next = rule_b;
+++             }
+++
+++             /* multiplexed socket syscalls */
+++             if (rule_a != NULL) {
+++                     rule_a->syscall = __ppc64_NR_socketcall;
+++                     rule_a->args[0].arg = 0;
+++                     rule_a->args[0].op = SCMP_CMP_EQ;
+++                     rule_a->args[0].mask = DATUM_MAX;
+++                     rule_a->args[0].datum = (-sys_a) % 100;
+++                     rule_a->args[0].valid = 1;
+++             }
+++
+++             /* direct wired socket syscalls */
+++             if (rule_b != NULL)
+++                     rule_b->syscall = sys_b;
+++
+++             /* we should be protected by a transaction checkpoint */
+++             if (rule_a != NULL) {
+++                     rc = db_rule_add(db, rule_a);
+++                     if (rc < 0)
+++                             goto add_return;
+++             }
+++             if (rule_b != NULL) {
+++                     rc = db_rule_add(db, rule_b);
+++                     if (rc < 0)
+++                             goto add_return;
+++             }
+++     } else if ((sys <= -200 && sys >= -224) || (sys >= 392 && sys <= 402)) {
+++             /* (-200 to -224) : multiplexed ipc syscalls
+++                (392 to 402) : direct ipc syscalls */
+++
+++             /* strict check for the multiplexed socket syscalls */
+++             for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
+++                     if ((rule->args[iter].valid != 0) && (rule->strict)) {
+++                             rc = -EINVAL;
+++                             goto add_return;
+++                     }
+++             }
+++
+++             /* determine both the muxed and direct syscall numbers */
+++             if (sys > 0) {
+++                     sys_a = _ppc64_syscall_mux(sys);
+++                     if (sys_a == __NR_SCMP_ERROR) {
+++                             rc = __NR_SCMP_ERROR;
+++                             goto add_return;
+++                     }
+++                     sys_b = sys;
+++             } else {
+++                     sys_a = sys;
+++                     sys_b = _ppc64_syscall_demux(sys);
+++                     if (sys_b == __NR_SCMP_ERROR) {
+++                             rc = __NR_SCMP_ERROR;
+++                             goto add_return;
+++                     }
+++             }
+++
+++             /* use rule_a for the multiplexed syscall and use rule_b for
+++              * the direct wired syscall */
+++
+++             if (sys_a == __NR_SCMP_UNDEF) {
+++                     rule_a = NULL;
+++                     rule_b = rule;
+++             } else if (sys_b == __NR_SCMP_UNDEF) {
+++                     rule_a = rule;
+++                     rule_b = NULL;
+++             } else {
+++                     /* need two rules, dup the first and link together */
+++                     rule_a = rule;
+++                     rule_dup = db_rule_dup(rule_a);
+++                     rule_b = rule_dup;
+++                     if (rule_b == NULL)
+++                             goto add_return;
+++                     rule_b->prev = rule_a;
+++                     rule_b->next = NULL;
+++                     rule_a->next = rule_b;
+++             }
+++
+++             /* multiplexed socket syscalls */
+++             if (rule_a != NULL) {
+++                     rule_a->syscall = __ppc64_NR_ipc;
+++                     rule_a->args[0].arg = 0;
+++                     rule_a->args[0].op = SCMP_CMP_EQ;
+++                     rule_a->args[0].mask = DATUM_MAX;
+++                     rule_a->args[0].datum = (-sys_a) % 200;
+++                     rule_a->args[0].valid = 1;
+++             }
+++
+++             /* direct wired socket syscalls */
+++             if (rule_b != NULL)
+++                     rule_b->syscall = sys_b;
+++
+++             /* we should be protected by a transaction checkpoint */
+++             if (rule_a != NULL) {
+++                     rc = db_rule_add(db, rule_a);
+++                     if (rc < 0)
+++                             goto add_return;
+++             }
+++             if (rule_b != NULL) {
+++                     rc = db_rule_add(db, rule_b);
+++                     if (rc < 0)
+++                             goto add_return;
+++             }
+++     } else if (sys >= 0) {
+++             /* normal syscall processing */
+++             rc = db_rule_add(db, rule);
+++             if (rc < 0)
+++                     goto add_return;
+++     } else if (rule->strict) {
+++             rc = -EDOM;
+++             goto add_return;
+++     }
+++
+++add_return:
+++     if (rule_dup != NULL)
+++             free(rule_dup);
+++     return rc;
+++}
+++
++ const struct arch_def arch_def_ppc64 = {
++      .token = SCMP_ARCH_PPC64,
++      .token_bpf = AUDIT_ARCH_PPC64,
++      .size = ARCH_SIZE_64,
++      .endian = ARCH_ENDIAN_BIG,
++-     .sys_socketcall = __ppc64_NR_socketcall,
++-     .sys_ipc = __ppc64_NR_ipc,
++-     .syscall_resolve_name = abi_syscall_resolve_name_munge,
++-     .syscall_resolve_name_raw = ppc64_syscall_resolve_name,
++-     .syscall_resolve_num = abi_syscall_resolve_num_munge,
++-     .syscall_resolve_num_raw = ppc64_syscall_resolve_num,
++-     .syscall_rewrite = abi_syscall_rewrite,
++-     .rule_add = abi_rule_add,
+++     .syscall_resolve_name = ppc64_syscall_resolve_name_munge,
+++     .syscall_resolve_num = ppc64_syscall_resolve_num_munge,
+++     .syscall_rewrite = ppc64_syscall_rewrite,
+++     .rule_add = ppc64_rule_add,
++ };
++ 
++ const struct arch_def arch_def_ppc64le = {
++@@ -54,12 +639,8 @@ const struct arch_def arch_def_ppc64le = {
++      .token_bpf = AUDIT_ARCH_PPC64LE,
++      .size = ARCH_SIZE_64,
++      .endian = ARCH_ENDIAN_LITTLE,
++-     .sys_socketcall = __ppc64_NR_socketcall,
++-     .sys_ipc = __ppc64_NR_ipc,
++-     .syscall_resolve_name = abi_syscall_resolve_name_munge,
++-     .syscall_resolve_name_raw = ppc64_syscall_resolve_name,
++-     .syscall_resolve_num = abi_syscall_resolve_num_munge,
++-     .syscall_resolve_num_raw = ppc64_syscall_resolve_num,
++-     .syscall_rewrite = abi_syscall_rewrite,
++-     .rule_add = abi_rule_add,
+++     .syscall_resolve_name = ppc64_syscall_resolve_name_munge,
+++     .syscall_resolve_num = ppc64_syscall_resolve_num_munge,
+++     .syscall_rewrite = ppc64_syscall_rewrite,
+++     .rule_add = ppc64_rule_add,
++ };
++diff --git a/src/arch-riscv64.c b/src/arch-riscv64.c
++--- a/src/arch-riscv64.c
+++++ b/src/arch-riscv64.c
++@@ -24,8 +24,8 @@ const struct arch_def arch_def_riscv64 = {
++      .token_bpf = AUDIT_ARCH_RISCV64,
++      .size = ARCH_SIZE_64,
++      .endian = ARCH_ENDIAN_LITTLE,
++-     .syscall_resolve_name_raw = riscv64_syscall_resolve_name,
++-     .syscall_resolve_num_raw = riscv64_syscall_resolve_num,
+++     .syscall_resolve_name = riscv64_syscall_resolve_name,
+++     .syscall_resolve_num = riscv64_syscall_resolve_num,
++      .syscall_rewrite = NULL,
++      .rule_add = NULL,
++ };
++diff --git a/src/arch-s390.c b/src/arch-s390.c
++--- a/src/arch-s390.c
+++++ b/src/arch-s390.c
++@@ -17,17 +17,593 @@
++ #define __s390_NR_socketcall         102
++ #define __s390_NR_ipc                        117
++ 
+++/**
+++ * Resolve a syscall name to a number
+++ * @param name the syscall name
+++ *
+++ * Resolve the given syscall name to the syscall number using the syscall table.
+++ * Returns the syscall number on success, including negative pseudo syscall
+++ * numbers; returns __NR_SCMP_ERROR on failure.
+++ *
+++ */
+++int s390_syscall_resolve_name_munge(const char *name)
+++{
+++     if (strcmp(name, "accept") == 0)
+++             return __PNR_accept;
+++     if (strcmp(name, "accept4") == 0)
+++             return __PNR_accept4;
+++     else if (strcmp(name, "bind") == 0)
+++             return __PNR_bind;
+++     else if (strcmp(name, "connect") == 0)
+++             return __PNR_connect;
+++     else if (strcmp(name, "getpeername") == 0)
+++             return __PNR_getpeername;
+++     else if (strcmp(name, "getsockname") == 0)
+++             return __PNR_getsockname;
+++     else if (strcmp(name, "getsockopt") == 0)
+++             return __PNR_getsockopt;
+++     else if (strcmp(name, "listen") == 0)
+++             return __PNR_listen;
+++     else if (strcmp(name, "msgctl") == 0)
+++             return __PNR_msgctl;
+++     else if (strcmp(name, "msgget") == 0)
+++             return __PNR_msgget;
+++     else if (strcmp(name, "msgrcv") == 0)
+++             return __PNR_msgrcv;
+++     else if (strcmp(name, "msgsnd") == 0)
+++             return __PNR_msgsnd;
+++     else if (strcmp(name, "recv") == 0)
+++             return __PNR_recv;
+++     else if (strcmp(name, "recvfrom") == 0)
+++             return __PNR_recvfrom;
+++     else if (strcmp(name, "recvmsg") == 0)
+++             return __PNR_recvmsg;
+++     else if (strcmp(name, "semctl") == 0)
+++             return __PNR_semctl;
+++     else if (strcmp(name, "semget") == 0)
+++             return __PNR_semget;
+++     else if (strcmp(name, "semtimedop") == 0)
+++             return __PNR_semtimedop;
+++     else if (strcmp(name, "recvmmsg") == 0)
+++             return __PNR_recvmmsg;
+++     else if (strcmp(name, "send") == 0)
+++             return __PNR_send;
+++     else if (strcmp(name, "sendmsg") == 0)
+++             return __PNR_sendmsg;
+++     else if (strcmp(name, "sendmmsg") == 0)
+++             return __PNR_sendmmsg;
+++     else if (strcmp(name, "sendto") == 0)
+++             return __PNR_sendto;
+++     else if (strcmp(name, "setsockopt") == 0)
+++             return __PNR_setsockopt;
+++     else if (strcmp(name, "shmat") == 0)
+++             return __PNR_shmat;
+++     else if (strcmp(name, "shmdt") == 0)
+++             return __PNR_shmdt;
+++     else if (strcmp(name, "shmget") == 0)
+++             return __PNR_shmget;
+++     else if (strcmp(name, "shmctl") == 0)
+++             return __PNR_shmctl;
+++     else if (strcmp(name, "shutdown") == 0)
+++             return __PNR_shutdown;
+++     else if (strcmp(name, "socket") == 0)
+++             return __PNR_socket;
+++     else if (strcmp(name, "socketpair") == 0)
+++             return __PNR_socketpair;
+++
+++     return s390_syscall_resolve_name(name);
+++}
+++
+++/**
+++ * Resolve a syscall number to a name
+++ * @param num the syscall number
+++ *
+++ * Resolve the given syscall number to the syscall name using the syscall table.
+++ * Returns a pointer to the syscall name string on success, including pseudo
+++ * syscall names; returns NULL on failure.
+++ *
+++ */
+++const char *s390_syscall_resolve_num_munge(int num)
+++{
+++     if (num == __PNR_accept)
+++             return "accept";
+++     else if (num == __PNR_accept4)
+++             return "accept4";
+++     else if (num == __PNR_bind)
+++             return "bind";
+++     else if (num == __PNR_connect)
+++             return "connect";
+++     else if (num == __PNR_getpeername)
+++             return "getpeername";
+++     else if (num == __PNR_getsockname)
+++             return "getsockname";
+++     else if (num == __PNR_getsockopt)
+++             return "getsockopt";
+++     else if (num == __PNR_listen)
+++             return "listen";
+++     else if (num == __PNR_msgctl)
+++             return "msgctl";
+++     else if (num == __PNR_msgget)
+++             return "msgget";
+++     else if (num == __PNR_msgrcv)
+++             return "msgrcv";
+++     else if (num == __PNR_msgsnd)
+++             return "msgsnd";
+++     else if (num == __PNR_recv)
+++             return "recv";
+++     else if (num == __PNR_recvfrom)
+++             return "recvfrom";
+++     else if (num == __PNR_recvmsg)
+++             return "recvmsg";
+++     else if (num == __PNR_recvmmsg)
+++             return "recvmmsg";
+++     else if (num == __PNR_semctl)
+++             return "semctl";
+++     else if (num == __PNR_semget)
+++             return "semget";
+++     else if (num == __PNR_semtimedop)
+++             return "semtimedop";
+++     else if (num == __PNR_send)
+++             return "send";
+++     else if (num == __PNR_sendmsg)
+++             return "sendmsg";
+++     else if (num == __PNR_sendmmsg)
+++             return "sendmmsg";
+++     else if (num == __PNR_sendto)
+++             return "sendto";
+++     else if (num == __PNR_setsockopt)
+++             return "setsockopt";
+++     else if (num == __PNR_shmat)
+++             return "shmat";
+++     else if (num == __PNR_shmdt)
+++             return "shmdt";
+++     else if (num == __PNR_shmget)
+++             return "shmget";
+++     else if (num == __PNR_shmctl)
+++             return "shmctl";
+++     else if (num == __PNR_shutdown)
+++             return "shutdown";
+++     else if (num == __PNR_socket)
+++             return "socket";
+++     else if (num == __PNR_socketpair)
+++             return "socketpair";
+++
+++     return s390_syscall_resolve_num(num);
+++}
+++
+++/**
+++ * Convert a multiplexed pseudo syscall into a direct syscall
+++ * @param syscall the multiplexed pseudo syscall number
+++ *
+++ * Return the related direct syscall number, __NR_SCMP_UNDEF is there is
+++ * no related syscall, or __NR_SCMP_ERROR otherwise.
+++ *
+++ */
+++static int _s390_syscall_demux(int syscall)
+++{
+++     switch (syscall) {
+++     case -101:
+++             /* socket */
+++             return 359;
+++     case -102:
+++             /* bind */
+++             return 361;
+++     case -103:
+++             /* connect */
+++             return 362;
+++     case -104:
+++             /* listen */
+++             return 363;
+++     case -105:
+++             /* accept - not defined */
+++             return __NR_SCMP_UNDEF;
+++     case -106:
+++             /* getsockname */
+++             return 367;
+++     case -107:
+++             /* getpeername */
+++             return 368;
+++     case -108:
+++             /* socketpair */
+++             return 360;
+++     case -109:
+++             /* send - not defined */
+++             return __NR_SCMP_UNDEF;
+++     case -110:
+++             /* recv - not defined */
+++             return __NR_SCMP_UNDEF;
+++     case -111:
+++             /* sendto */
+++             return 369;
+++     case -112:
+++             /* recvfrom */
+++             return 371;
+++     case -113:
+++             /* shutdown */
+++             return 373;
+++     case -114:
+++             /* setsockopt */
+++             return 366;
+++     case -115:
+++             /* getsockopt */
+++             return 365;
+++     case -116:
+++             /* sendmsg */
+++             return 370;
+++     case -117:
+++             /* recvmsg */
+++             return 372;
+++     case -118:
+++             /* accept4 */
+++             return 364;
+++     case -119:
+++             /* recvmmsg */
+++             return 337;
+++     case -120:
+++             /* sendmmsg */
+++             return 345;
+++     case -201:
+++             /* semop - not defined */
+++             return __NR_SCMP_UNDEF;
+++     case -202:
+++             /* semget */
+++             return 393;
+++     case -203:
+++             /* semctl */
+++             return 394;
+++     case -204:
+++             /* semtimedop */
+++             return 392;
+++     case -211:
+++             /* msgsnd */
+++             return 400;
+++     case -212:
+++             /* msgrcv */
+++             return 401;
+++     case -213:
+++             /* msgget */
+++             return 399;
+++     case -214:
+++             /* msgctl */
+++             return 402;
+++     case -221:
+++             /* shmat */
+++             return 397;
+++     case -222:
+++             /* shmdt */
+++             return 398;
+++     case -223:
+++             /* shmget */
+++             return 395;
+++     case -224:
+++             /* shmctl */
+++             return 396;
+++
+++     }
+++
+++     return __NR_SCMP_ERROR;
+++}
+++
+++/**
+++ * Convert a direct socket syscall into multiplexed pseudo socket syscall
+++ * @param syscall the direct syscall
+++ *
+++ * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is
+++ * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise.
+++ *
+++ */
+++static int _s390_syscall_mux(int syscall)
+++{
+++     switch (syscall) {
+++     case 337:
+++             /* recvmmsg */
+++             return -119;
+++     case 345:
+++             /* sendmmsg */
+++             return -120;
+++     case 359:
+++             /* socket */
+++             return -101;
+++     case 360:
+++             /* socketpair */
+++             return -108;
+++     case 361:
+++             /* bind */
+++             return -102;
+++     case 362:
+++             /* connect */
+++             return -103;
+++     case 363:
+++             /* listen */
+++             return -104;
+++     case 364:
+++             /* accept4 */
+++             return -118;
+++     case 365:
+++             /* getsockopt */
+++             return -115;
+++     case 366:
+++             /* setsockopt */
+++             return -114;
+++     case 367:
+++             /* getsockname */
+++             return -106;
+++     case 368:
+++             /* getpeername */
+++             return -107;
+++     case 369:
+++             /* sendto */
+++             return -111;
+++     case 370:
+++             /* sendmsg */
+++             return -116;
+++     case 371:
+++             /* recvfrom */
+++             return -112;
+++     case 372:
+++             /* recvmsg */
+++             return -117;
+++     case 373:
+++             /* shutdown */
+++             return -113;
+++     case 393:
+++             /* semget */
+++             return -202;
+++     case 394:
+++             /* semctl */
+++             return -203;
+++     case 400:
+++             /* msgsnd */
+++             return -211;
+++     case 401:
+++             /* msgrcv */
+++             return -212;
+++     case 399:
+++             /* msgget */
+++             return -213;
+++     case 402:
+++             /* msgctl */
+++             return -214;
+++     case 397:
+++             /* shmat */
+++             return -221;
+++     case 398:
+++             /* shmdt */
+++             return -222;
+++     case 395:
+++             /* shmget */
+++             return -223;
+++     case 396:
+++             /* shmctl */
+++             return -224;
+++     case 392:
+++             /* semtimedop */
+++             return -204;
+++     }
+++
+++     return __NR_SCMP_ERROR;
+++}
+++
+++/**
+++ * Rewrite a syscall value to match the architecture
+++ * @param syscall the syscall number
+++ *
+++ * Syscalls can vary across different architectures so this function rewrites
+++ * the syscall into the correct value for the specified architecture.  Returns
+++ * zero on success, negative values on failure.
+++ *
+++ */
+++int s390_syscall_rewrite(int *syscall)
+++{
+++     int sys = *syscall;
+++
+++     if (sys <= -100 && sys >= -120)
+++             *syscall = __s390_NR_socketcall;
+++     else if (sys <= -200 && sys >= -224)
+++             *syscall = __s390_NR_ipc;
+++     else if (sys < 0)
+++             return -EDOM;
+++
+++     return 0;
+++}
+++
+++/**
+++ * add a new rule to the s390 seccomp filter
+++ * @param db the seccomp filter db
+++ * @param rule the filter rule
+++ *
+++ * This function adds a new syscall filter to the seccomp filter db, making any
+++ * necessary adjustments for the s390 ABI.  Returns zero on success, negative
+++ * values on failure.
+++ *
+++ * It is important to note that in the case of failure the db may be corrupted,
+++ * the caller must use the transaction mechanism if the db integrity is
+++ * important.
+++ *
+++ */
+++int s390_rule_add(struct db_filter *db, struct db_api_rule_list *rule)
+++{
+++     int rc = 0;
+++     unsigned int iter;
+++     int sys = rule->syscall;
+++     int sys_a, sys_b;
+++     struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL;
+++
+++     if ((sys <= -100 && sys >= -120) || (sys >= 359 && sys <= 373)) {
+++             /* (-100 to -120) : multiplexed socket syscalls
+++                (359 to 373)   : direct socket syscalls, Linux 4.3+ */
+++
+++             /* strict check for the multiplexed socket syscalls */
+++             for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
+++                     if ((rule->args[iter].valid != 0) && (rule->strict)) {
+++                             rc = -EINVAL;
+++                             goto add_return;
+++                     }
+++             }
+++
+++             /* determine both the muxed and direct syscall numbers */
+++             if (sys > 0) {
+++                     sys_a = _s390_syscall_mux(sys);
+++                     if (sys_a == __NR_SCMP_ERROR) {
+++                             rc = __NR_SCMP_ERROR;
+++                             goto add_return;
+++                     }
+++                     sys_b = sys;
+++             } else {
+++                     sys_a = sys;
+++                     sys_b = _s390_syscall_demux(sys);
+++                     if (sys_b == __NR_SCMP_ERROR) {
+++                             rc = __NR_SCMP_ERROR;
+++                             goto add_return;
+++                     }
+++             }
+++
+++             /* use rule_a for the multiplexed syscall and use rule_b for
+++              * the direct wired syscall */
+++
+++             if (sys_a == __NR_SCMP_UNDEF) {
+++                     rule_a = NULL;
+++                     rule_b = rule;
+++             } else if (sys_b == __NR_SCMP_UNDEF) {
+++                     rule_a = rule;
+++                     rule_b = NULL;
+++             } else {
+++                     /* need two rules, dup the first and link together */
+++                     rule_a = rule;
+++                     rule_dup = db_rule_dup(rule_a);
+++                     rule_b = rule_dup;
+++                     if (rule_b == NULL) {
+++                             rc = -ENOMEM;
+++                             goto add_return;
+++                     }
+++                     rule_b->prev = rule_a;
+++                     rule_b->next = NULL;
+++                     rule_a->next = rule_b;
+++             }
+++
+++             /* multiplexed socket syscalls */
+++             if (rule_a != NULL) {
+++                     rule_a->syscall = __s390_NR_socketcall;
+++                     rule_a->args[0].arg = 0;
+++                     rule_a->args[0].op = SCMP_CMP_EQ;
+++                     rule_a->args[0].mask = DATUM_MAX;
+++                     rule_a->args[0].datum = (-sys_a) % 100;
+++                     rule_a->args[0].valid = 1;
+++             }
+++
+++             /* direct wired socket syscalls */
+++             if (rule_b != NULL)
+++                     rule_b->syscall = sys_b;
+++
+++             /* we should be protected by a transaction checkpoint */
+++             if (rule_a != NULL) {
+++                     rc = db_rule_add(db, rule_a);
+++                     if (rc < 0)
+++                             goto add_return;
+++             }
+++             if (rule_b != NULL) {
+++                     rc = db_rule_add(db, rule_b);
+++                     if (rc < 0)
+++                             goto add_return;
+++             }
+++     } else if ((sys <= -200 && sys >= -224) || (sys >= 393 && sys <= 402)) {
+++             /* (-200 to -224) : multiplexed ipc syscalls
+++                (393 to 402) : direct ipc syscalls */
+++
+++             /* strict check for the multiplexed socket syscalls */
+++             for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
+++                     if ((rule->args[iter].valid != 0) && (rule->strict)) {
+++                             rc = -EINVAL;
+++                             goto add_return;
+++                     }
+++             }
+++
+++             /* determine both the muxed and direct syscall numbers */
+++             if (sys > 0) {
+++                     sys_a = _s390_syscall_mux(sys);
+++                     if (sys_a == __NR_SCMP_ERROR) {
+++                             rc = __NR_SCMP_ERROR;
+++                             goto add_return;
+++                     }
+++                     sys_b = sys;
+++             } else {
+++                     sys_a = sys;
+++                     sys_b = _s390_syscall_demux(sys);
+++                     if (sys_b == __NR_SCMP_ERROR) {
+++                             rc = __NR_SCMP_ERROR;
+++                             goto add_return;
+++                     }
+++             }
+++
+++             /* use rule_a for the multiplexed syscall and use rule_b for
+++              * the direct wired syscall */
+++
+++             if (sys_a == __NR_SCMP_UNDEF) {
+++                     rule_a = NULL;
+++                     rule_b = rule;
+++             } else if (sys_b == __NR_SCMP_UNDEF) {
+++                     rule_a = rule;
+++                     rule_b = NULL;
+++             } else {
+++                     /* need two rules, dup the first and link together */
+++                     rule_a = rule;
+++                     rule_dup = db_rule_dup(rule_a);
+++                     rule_b = rule_dup;
+++                     if (rule_b == NULL)
+++                             goto add_return;
+++                     rule_b->prev = rule_a;
+++                     rule_b->next = NULL;
+++                     rule_a->next = rule_b;
+++             }
+++
+++             /* multiplexed socket syscalls */
+++             if (rule_a != NULL) {
+++                     rule_a->syscall = __s390_NR_ipc;
+++                     rule_a->args[0].arg = 0;
+++                     rule_a->args[0].op = SCMP_CMP_EQ;
+++                     rule_a->args[0].mask = DATUM_MAX;
+++                     rule_a->args[0].datum = (-sys_a) % 200;
+++                     rule_a->args[0].valid = 1;
+++             }
+++
+++             /* direct wired socket syscalls */
+++             if (rule_b != NULL)
+++                     rule_b->syscall = sys_b;
+++
+++             /* we should be protected by a transaction checkpoint */
+++             if (rule_a != NULL) {
+++                     rc = db_rule_add(db, rule_a);
+++                     if (rc < 0)
+++                             goto add_return;
+++             }
+++             if (rule_b != NULL) {
+++                     rc = db_rule_add(db, rule_b);
+++                     if (rc < 0)
+++                             goto add_return;
+++             }
+++     } else if (sys >= 0) {
+++             /* normal syscall processing */
+++             rc = db_rule_add(db, rule);
+++             if (rc < 0)
+++                     goto add_return;
+++     } else if (rule->strict) {
+++             rc = -EDOM;
+++             goto add_return;
+++     }
+++
+++add_return:
+++     if (rule_dup != NULL)
+++             free(rule_dup);
+++     return rc;
+++}
+++
++ const struct arch_def arch_def_s390 = {
++      .token = SCMP_ARCH_S390,
++      .token_bpf = AUDIT_ARCH_S390,
++      .size = ARCH_SIZE_32,
++      .endian = ARCH_ENDIAN_BIG,
++-     .sys_socketcall = __s390_NR_socketcall,
++-     .sys_ipc = __s390_NR_ipc,
++-     .syscall_resolve_name = abi_syscall_resolve_name_munge,
++-     .syscall_resolve_name_raw = s390_syscall_resolve_name,
++-     .syscall_resolve_num = abi_syscall_resolve_num_munge,
++-     .syscall_resolve_num_raw = s390_syscall_resolve_num,
++-     .syscall_rewrite = abi_syscall_rewrite,
++-     .rule_add = abi_rule_add,
+++     .syscall_resolve_name = s390_syscall_resolve_name_munge,
+++     .syscall_resolve_num = s390_syscall_resolve_num_munge,
+++     .syscall_rewrite = s390_syscall_rewrite,
+++     .rule_add = s390_rule_add,
++ };
++diff --git a/src/arch-s390x.c b/src/arch-s390x.c
++--- a/src/arch-s390x.c
+++++ b/src/arch-s390x.c
++@@ -17,17 +17,592 @@
++ #define __s390x_NR_socketcall                102
++ #define __s390x_NR_ipc                       117
++ 
+++/**
+++ * Resolve a syscall name to a number
+++ * @param name the syscall name
+++ *
+++ * Resolve the given syscall name to the syscall number using the syscall table.
+++ * Returns the syscall number on success, including negative pseudo syscall
+++ * numbers; returns __NR_SCMP_ERROR on failure.
+++ *
+++ */
+++int s390x_syscall_resolve_name_munge(const char *name)
+++{
+++     if (strcmp(name, "accept") == 0)
+++             return __PNR_accept;
+++     if (strcmp(name, "accept4") == 0)
+++             return __PNR_accept4;
+++     else if (strcmp(name, "bind") == 0)
+++             return __PNR_bind;
+++     else if (strcmp(name, "connect") == 0)
+++             return __PNR_connect;
+++     else if (strcmp(name, "getpeername") == 0)
+++             return __PNR_getpeername;
+++     else if (strcmp(name, "getsockname") == 0)
+++             return __PNR_getsockname;
+++     else if (strcmp(name, "getsockopt") == 0)
+++             return __PNR_getsockopt;
+++     else if (strcmp(name, "listen") == 0)
+++             return __PNR_listen;
+++     else if (strcmp(name, "msgctl") == 0)
+++             return __PNR_msgctl;
+++     else if (strcmp(name, "msgget") == 0)
+++             return __PNR_msgget;
+++     else if (strcmp(name, "msgrcv") == 0)
+++             return __PNR_msgrcv;
+++     else if (strcmp(name, "msgsnd") == 0)
+++             return __PNR_msgsnd;
+++     else if (strcmp(name, "recv") == 0)
+++             return __PNR_recv;
+++     else if (strcmp(name, "recvfrom") == 0)
+++             return __PNR_recvfrom;
+++     else if (strcmp(name, "recvmsg") == 0)
+++             return __PNR_recvmsg;
+++     else if (strcmp(name, "recvmmsg") == 0)
+++             return __PNR_recvmmsg;
+++     else if (strcmp(name, "semctl") == 0)
+++             return __PNR_semctl;
+++     else if (strcmp(name, "semget") == 0)
+++             return __PNR_semget;
+++     else if (strcmp(name, "semtimedop") == 0)
+++             return __PNR_semtimedop;
+++     else if (strcmp(name, "send") == 0)
+++             return __PNR_send;
+++     else if (strcmp(name, "sendmsg") == 0)
+++             return __PNR_sendmsg;
+++     else if (strcmp(name, "sendmmsg") == 0)
+++             return __PNR_sendmmsg;
+++     else if (strcmp(name, "sendto") == 0)
+++             return __PNR_sendto;
+++     else if (strcmp(name, "setsockopt") == 0)
+++             return __PNR_setsockopt;
+++     else if (strcmp(name, "shmat") == 0)
+++             return __PNR_shmat;
+++     else if (strcmp(name, "shmdt") == 0)
+++             return __PNR_shmdt;
+++     else if (strcmp(name, "shmget") == 0)
+++             return __PNR_shmget;
+++     else if (strcmp(name, "shmctl") == 0)
+++             return __PNR_shmctl;
+++     else if (strcmp(name, "shutdown") == 0)
+++             return __PNR_shutdown;
+++     else if (strcmp(name, "socket") == 0)
+++             return __PNR_socket;
+++     else if (strcmp(name, "socketpair") == 0)
+++             return __PNR_socketpair;
+++
+++     return s390x_syscall_resolve_name(name);
+++}
+++
+++/**
+++ * Resolve a syscall number to a name
+++ * @param num the syscall number
+++ *
+++ * Resolve the given syscall number to the syscall name using the syscall table.
+++ * Returns a pointer to the syscall name string on success, including pseudo
+++ * syscall names; returns NULL on failure.
+++ *
+++ */
+++const char *s390x_syscall_resolve_num_munge(int num)
+++{
+++     if (num == __PNR_accept)
+++             return "accept";
+++     else if (num == __PNR_accept4)
+++             return "accept4";
+++     else if (num == __PNR_bind)
+++             return "bind";
+++     else if (num == __PNR_connect)
+++             return "connect";
+++     else if (num == __PNR_getpeername)
+++             return "getpeername";
+++     else if (num == __PNR_getsockname)
+++             return "getsockname";
+++     else if (num == __PNR_getsockopt)
+++             return "getsockopt";
+++     else if (num == __PNR_listen)
+++             return "listen";
+++     else if (num == __PNR_msgctl)
+++             return "msgctl";
+++     else if (num == __PNR_msgget)
+++             return "msgget";
+++     else if (num == __PNR_msgrcv)
+++             return "msgrcv";
+++     else if (num == __PNR_msgsnd)
+++             return "msgsnd";
+++     else if (num == __PNR_recv)
+++             return "recv";
+++     else if (num == __PNR_recvfrom)
+++             return "recvfrom";
+++     else if (num == __PNR_recvmsg)
+++             return "recvmsg";
+++     else if (num == __PNR_recvmmsg)
+++             return "recvmmsg";
+++     else if (num == __PNR_semctl)
+++             return "semctl";
+++     else if (num == __PNR_semget)
+++             return "semget";
+++     else if (num == __PNR_semtimedop)
+++             return "semtimedop";
+++     else if (num == __PNR_send)
+++             return "send";
+++     else if (num == __PNR_sendmsg)
+++             return "sendmsg";
+++     else if (num == __PNR_sendmmsg)
+++             return "sendmmsg";
+++     else if (num == __PNR_sendto)
+++             return "sendto";
+++     else if (num == __PNR_setsockopt)
+++             return "setsockopt";
+++     else if (num == __PNR_shmat)
+++             return "shmat";
+++     else if (num == __PNR_shmdt)
+++             return "shmdt";
+++     else if (num == __PNR_shmget)
+++             return "shmget";
+++     else if (num == __PNR_shmctl)
+++             return "shmctl";
+++     else if (num == __PNR_shutdown)
+++             return "shutdown";
+++     else if (num == __PNR_socket)
+++             return "socket";
+++     else if (num == __PNR_socketpair)
+++             return "socketpair";
+++
+++     return s390x_syscall_resolve_num(num);
+++}
+++
+++/**
+++ * Convert a multiplexed pseudo socket syscall into a direct syscall
+++ * @param syscall the multiplexed pseudo syscall number
+++ *
+++ * Return the related direct syscall number, __NR_SCMP_UNDEF is there is
+++ * no related syscall, or __NR_SCMP_ERROR otherwise.
+++ *
+++ */
+++static int _s390x_syscall_demux(int syscall)
+++{
+++     switch (syscall) {
+++     case -101:
+++             /* socket */
+++             return 359;
+++     case -102:
+++             /* bind */
+++             return 361;
+++     case -103:
+++             /* connect */
+++             return 362;
+++     case -104:
+++             /* listen */
+++             return 363;
+++     case -105:
+++             /* accept - not defined */
+++             return __NR_SCMP_UNDEF;
+++     case -106:
+++             /* getsockname */
+++             return 367;
+++     case -107:
+++             /* getpeername */
+++             return 368;
+++     case -108:
+++             /* socketpair */
+++             return 360;
+++     case -109:
+++             /* send - not defined */
+++             return __NR_SCMP_UNDEF;
+++     case -110:
+++             /* recv - not defined */
+++             return __NR_SCMP_UNDEF;
+++     case -111:
+++             /* sendto */
+++             return 369;
+++     case -112:
+++             /* recvfrom */
+++             return 371;
+++     case -113:
+++             /* shutdown */
+++             return 373;
+++     case -114:
+++             /* setsockopt */
+++             return 366;
+++     case -115:
+++             /* getsockopt */
+++             return 365;
+++     case -116:
+++             /* sendmsg */
+++             return 370;
+++     case -117:
+++             /* recvmsg */
+++             return 372;
+++     case -118:
+++             /* accept4 */
+++             return 364;
+++     case -119:
+++             /* recvmmsg */
+++             return 337;
+++     case -120:
+++             /* sendmmsg */
+++             return 345;
+++     case -201:
+++             /* semop - not defined */
+++             return __NR_SCMP_UNDEF;
+++     case -202:
+++             /* semget */
+++             return 393;
+++     case -203:
+++             /* semctl */
+++             return 394;
+++     case -204:
+++             /* semtimedop */
+++             return 392;
+++     case -211:
+++             /* msgsnd */
+++             return 400;
+++     case -212:
+++             /* msgrcv */
+++             return 401;
+++     case -213:
+++             /* msgget */
+++             return 399;
+++     case -214:
+++             /* msgctl */
+++             return 402;
+++     case -221:
+++             /* shmat */
+++             return 397;
+++     case -222:
+++             /* shmdt */
+++             return 398;
+++     case -223:
+++             /* shmget */
+++             return 395;
+++     case -224:
+++             /* shmctl */
+++             return 396;
+++     }
+++
+++     return __NR_SCMP_ERROR;
+++}
+++
+++/**
+++ * Convert a direct socket syscall into multiplexed pseudo socket syscall
+++ * @param syscall the direct syscall
+++ *
+++ * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is
+++ * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise.
+++ *
+++ */
+++static int _s390x_syscall_mux(int syscall)
+++{
+++     switch (syscall) {
+++     case 337:
+++             /* recvmmsg */
+++             return -119;
+++     case 345:
+++             /* sendmmsg */
+++             return -120;
+++     case 359:
+++             /* socket */
+++             return -101;
+++     case 360:
+++             /* socketpair */
+++             return -108;
+++     case 361:
+++             /* bind */
+++             return -102;
+++     case 362:
+++             /* connect */
+++             return -103;
+++     case 363:
+++             /* listen */
+++             return -104;
+++     case 364:
+++             /* accept4 */
+++             return -118;
+++     case 365:
+++             /* getsockopt */
+++             return -115;
+++     case 366:
+++             /* setsockopt */
+++             return -114;
+++     case 367:
+++             /* getsockname */
+++             return -106;
+++     case 368:
+++             /* getpeername */
+++             return -107;
+++     case 369:
+++             /* sendto */
+++             return -111;
+++     case 370:
+++             /* sendmsg */
+++             return -116;
+++     case 371:
+++             /* recvfrom */
+++             return -112;
+++     case 372:
+++             /* recvmsg */
+++             return -117;
+++     case 373:
+++             /* shutdown */
+++             return -113;
+++     case 392:
+++             /* semtimedop */
+++             return -204;
+++     case 393:
+++             /* semget */
+++             return -202;
+++     case 394:
+++             /* semctl */
+++             return -203;
+++     case 400:
+++             /* msgsnd */
+++             return -211;
+++     case 401:
+++             /* msgrcv */
+++             return -212;
+++     case 399:
+++             /* msgget */
+++             return -213;
+++     case 402:
+++             /* msgctl */
+++             return -214;
+++     case 397:
+++             /* shmat */
+++             return -221;
+++     case 398:
+++             /* shmdt */
+++             return -222;
+++     case 395:
+++             /* shmget */
+++             return -223;
+++     case 396:
+++             /* shmctl */
+++             return -224;
+++     }
+++
+++     return __NR_SCMP_ERROR;
+++}
+++
+++/**
+++ * Rewrite a syscall value to match the architecture
+++ * @param syscall the syscall number
+++ *
+++ * Syscalls can vary across different architectures so this function rewrites
+++ * the syscall into the correct value for the specified architecture.  Returns
+++ * zero on success, negative values on failure.
+++ *
+++ */
+++int s390x_syscall_rewrite(int *syscall)
+++{
+++     int sys = *syscall;
+++
+++     if (sys <= -100 && sys >= -120)
+++             *syscall = __s390x_NR_socketcall;
+++     else if (sys <= -200 && sys >= -224)
+++             *syscall = __s390x_NR_ipc;
+++     else if (sys < 0)
+++             return -EDOM;
+++
+++     return 0;
+++}
+++
+++/**
+++ * add a new rule to the s390x seccomp filter
+++ * @param db the seccomp filter db
+++ * @param rule the filter rule
+++ *
+++ * This function adds a new syscall filter to the seccomp filter db, making any
+++ * necessary adjustments for the s390x ABI.  Returns zero on success, negative
+++ * values on failure.
+++ *
+++ * It is important to note that in the case of failure the db may be corrupted,
+++ * the caller must use the transaction mechanism if the db integrity is
+++ * important.
+++ *
+++ */
+++int s390x_rule_add(struct db_filter *db, struct db_api_rule_list *rule)
+++{
+++     int rc = 0;
+++     unsigned int iter;
+++     int sys = rule->syscall;
+++     int sys_a, sys_b;
+++     struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL;
+++
+++     if ((sys <= -100 && sys >= -120) || (sys >= 359 && sys <= 373)) {
+++             /* (-100 to -120) : multiplexed socket syscalls
+++                (359 to 373)   : direct socket syscalls, Linux 4.3+ */
+++
+++             /* strict check for the multiplexed socket syscalls */
+++             for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
+++                     if ((rule->args[iter].valid != 0) && (rule->strict)) {
+++                             rc = -EINVAL;
+++                             goto add_return;
+++                     }
+++             }
+++
+++             /* determine both the muxed and direct syscall numbers */
+++             if (sys > 0) {
+++                     sys_a = _s390x_syscall_mux(sys);
+++                     if (sys_a == __NR_SCMP_ERROR) {
+++                             rc = __NR_SCMP_ERROR;
+++                             goto add_return;
+++                     }
+++                     sys_b = sys;
+++             } else {
+++                     sys_a = sys;
+++                     sys_b = _s390x_syscall_demux(sys);
+++                     if (sys_b == __NR_SCMP_ERROR) {
+++                             rc = __NR_SCMP_ERROR;
+++                             goto add_return;
+++                     }
+++             }
+++
+++             /* use rule_a for the multiplexed syscall and use rule_b for
+++              * the direct wired syscall */
+++
+++             if (sys_a == __NR_SCMP_UNDEF) {
+++                     rule_a = NULL;
+++                     rule_b = rule;
+++             } else if (sys_b == __NR_SCMP_UNDEF) {
+++                     rule_a = rule;
+++                     rule_b = NULL;
+++             } else {
+++                     /* need two rules, dup the first and link together */
+++                     rule_a = rule;
+++                     rule_dup = db_rule_dup(rule_a);
+++                     rule_b = rule_dup;
+++                     if (rule_b == NULL) {
+++                             rc = -ENOMEM;
+++                             goto add_return;
+++                     }
+++                     rule_b->prev = rule_a;
+++                     rule_b->next = NULL;
+++                     rule_a->next = rule_b;
+++             }
+++
+++             /* multiplexed socket syscalls */
+++             if (rule_a != NULL) {
+++                     rule_a->syscall = __s390x_NR_socketcall;
+++                     rule_a->args[0].arg = 0;
+++                     rule_a->args[0].op = SCMP_CMP_EQ;
+++                     rule_a->args[0].mask = DATUM_MAX;
+++                     rule_a->args[0].datum = (-sys_a) % 100;
+++                     rule_a->args[0].valid = 1;
+++             }
+++
+++             /* direct wired socket syscalls */
+++             if (rule_b != NULL)
+++                     rule_b->syscall = sys_b;
+++
+++             /* we should be protected by a transaction checkpoint */
+++             if (rule_a != NULL) {
+++                     rc = db_rule_add(db, rule_a);
+++                     if (rc < 0)
+++                             goto add_return;
+++             }
+++             if (rule_b != NULL) {
+++                     rc = db_rule_add(db, rule_b);
+++                     if (rc < 0)
+++                             goto add_return;
+++             }
+++     } else if ((sys <= -200 && sys >= -224) || (sys >= 392 && sys <= 402)) {
+++             /* (-200 to -224) : multiplexed ipc syscalls
+++                (392 to 402) : direct ipc syscalls */
+++
+++             /* strict check for the multiplexed socket syscalls */
+++             for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
+++                     if ((rule->args[iter].valid != 0) && (rule->strict)) {
+++                             rc = -EINVAL;
+++                             goto add_return;
+++                     }
+++             }
+++
+++             /* determine both the muxed and direct syscall numbers */
+++             if (sys > 0) {
+++                     sys_a = _s390x_syscall_mux(sys);
+++                     if (sys_a == __NR_SCMP_ERROR) {
+++                             rc = __NR_SCMP_ERROR;
+++                             goto add_return;
+++                     }
+++                     sys_b = sys;
+++             } else {
+++                     sys_a = sys;
+++                     sys_b = _s390x_syscall_demux(sys);
+++                     if (sys_b == __NR_SCMP_ERROR) {
+++                             rc = __NR_SCMP_ERROR;
+++                             goto add_return;
+++                     }
+++             }
+++
+++             /* use rule_a for the multiplexed syscall and use rule_b for
+++              * the direct wired syscall */
+++
+++             if (sys_a == __NR_SCMP_UNDEF) {
+++                     rule_a = NULL;
+++                     rule_b = rule;
+++             } else if (sys_b == __NR_SCMP_UNDEF) {
+++                     rule_a = rule;
+++                     rule_b = NULL;
+++             } else {
+++                     /* need two rules, dup the first and link together */
+++                     rule_a = rule;
+++                     rule_dup = db_rule_dup(rule_a);
+++                     rule_b = rule_dup;
+++                     if (rule_b == NULL)
+++                             goto add_return;
+++                     rule_b->prev = rule_a;
+++                     rule_b->next = NULL;
+++                     rule_a->next = rule_b;
+++             }
+++
+++             /* multiplexed socket syscalls */
+++             if (rule_a != NULL) {
+++                     rule_a->syscall = __s390x_NR_ipc;
+++                     rule_a->args[0].arg = 0;
+++                     rule_a->args[0].op = SCMP_CMP_EQ;
+++                     rule_a->args[0].mask = DATUM_MAX;
+++                     rule_a->args[0].datum = (-sys_a) % 200;
+++                     rule_a->args[0].valid = 1;
+++             }
+++
+++             /* direct wired socket syscalls */
+++             if (rule_b != NULL)
+++                     rule_b->syscall = sys_b;
+++
+++             /* we should be protected by a transaction checkpoint */
+++             if (rule_a != NULL) {
+++                     rc = db_rule_add(db, rule_a);
+++                     if (rc < 0)
+++                             goto add_return;
+++             }
+++             if (rule_b != NULL) {
+++                     rc = db_rule_add(db, rule_b);
+++                     if (rc < 0)
+++                             goto add_return;
+++             }
+++     } else if (sys >= 0) {
+++             /* normal syscall processing */
+++             rc = db_rule_add(db, rule);
+++             if (rc < 0)
+++                     goto add_return;
+++     } else if (rule->strict) {
+++             rc = -EDOM;
+++             goto add_return;
+++     }
+++
+++add_return:
+++     if (rule_dup != NULL)
+++             free(rule_dup);
+++     return rc;
+++}
+++
++ const struct arch_def arch_def_s390x = {
++      .token = SCMP_ARCH_S390X,
++      .token_bpf = AUDIT_ARCH_S390X,
++      .size = ARCH_SIZE_64,
++      .endian = ARCH_ENDIAN_BIG,
++-     .sys_socketcall = __s390x_NR_socketcall,
++-     .sys_ipc = __s390x_NR_ipc,
++-     .syscall_resolve_name = abi_syscall_resolve_name_munge,
++-     .syscall_resolve_name_raw = s390x_syscall_resolve_name,
++-     .syscall_resolve_num = abi_syscall_resolve_num_munge,
++-     .syscall_resolve_num_raw = s390x_syscall_resolve_num,
++-     .syscall_rewrite = abi_syscall_rewrite,
++-     .rule_add = abi_rule_add,
+++     .syscall_resolve_name = s390x_syscall_resolve_name_munge,
+++     .syscall_resolve_num = s390x_syscall_resolve_num_munge,
+++     .syscall_rewrite = s390x_syscall_rewrite,
+++     .rule_add = s390x_rule_add,
++ };
++diff --git a/src/arch-x32.c b/src/arch-x32.c
++--- a/src/arch-x32.c
+++++ b/src/arch-x32.c
++@@ -28,7 +28,6 @@
++ 
++ /**
++  * Resolve a syscall name to a number
++- * @param arch the architecture definition
++  * @param name the syscall name
++  *
++  * Resolve the given syscall name to the syscall number using the syscall table.
++@@ -36,13 +35,12 @@
++  * numbers; returns __NR_SCMP_ERROR on failure.
++  *
++  */
++-int x32_syscall_resolve_name_munge(const struct arch_def *arch,
++-                                const char *name)
+++int x32_syscall_resolve_name_munge(const char *name)
++ {
++      int sys;
++ 
++      /* NOTE: we don't want to modify the pseudo-syscall numbers */
++-     sys = arch->syscall_resolve_name_raw(name);
+++     sys = x32_syscall_resolve_name(name);
++      if (sys == __NR_SCMP_ERROR || sys < 0)
++              return sys;
++ 
++@@ -51,7 +49,6 @@ int x32_syscall_resolve_name_munge(const struct arch_def *arch,
++ 
++ /**
++  * Resolve a syscall number to a name
++- * @param arch the architecture definition
++  * @param num the syscall number
++  *
++  * Resolve the given syscall number to the syscall name using the syscall table.
++@@ -59,13 +56,12 @@ int x32_syscall_resolve_name_munge(const struct arch_def *arch,
++  * syscall names; returns NULL on failure.
++  *
++  */
++-const char *x32_syscall_resolve_num_munge(const struct arch_def *arch,
++-                                       int num)
+++const char *x32_syscall_resolve_num_munge(int num)
++ {
++      /* NOTE: we don't want to modify the pseudo-syscall numbers */
++      if (num >= 0)
++              num &= ~X32_SYSCALL_BIT;
++-     return arch->syscall_resolve_num_raw(num);
+++     return x32_syscall_resolve_num(num);
++ }
++ 
++ const struct arch_def arch_def_x32 = {
++@@ -75,9 +71,7 @@ const struct arch_def arch_def_x32 = {
++      .size = ARCH_SIZE_32,
++      .endian = ARCH_ENDIAN_LITTLE,
++      .syscall_resolve_name = x32_syscall_resolve_name_munge,
++-     .syscall_resolve_name_raw = x32_syscall_resolve_name,
++      .syscall_resolve_num = x32_syscall_resolve_num_munge,
++-     .syscall_resolve_num_raw = x32_syscall_resolve_num,
++      .syscall_rewrite = NULL,
++      .rule_add = NULL,
++ };
++diff --git a/src/arch-x86.c b/src/arch-x86.c
++--- a/src/arch-x86.c
+++++ b/src/arch-x86.c
++@@ -33,17 +33,593 @@
++ #define __x86_NR_socketcall          102
++ #define __x86_NR_ipc                 117
++ 
+++/**
+++ * Resolve a syscall name to a number
+++ * @param name the syscall name
+++ *
+++ * Resolve the given syscall name to the syscall number using the syscall table.
+++ * Returns the syscall number on success, including negative pseudo syscall
+++ * numbers; returns __NR_SCMP_ERROR on failure.
+++ *
+++ */
+++int x86_syscall_resolve_name_munge(const char *name)
+++{
+++     if (strcmp(name, "accept") == 0)
+++             return __PNR_accept;
+++     else if (strcmp(name, "accept4") == 0)
+++             return __PNR_accept4;
+++     else if (strcmp(name, "bind") == 0)
+++             return __PNR_bind;
+++     else if (strcmp(name, "connect") == 0)
+++             return __PNR_connect;
+++     else if (strcmp(name, "getpeername") == 0)
+++             return __PNR_getpeername;
+++     else if (strcmp(name, "getsockname") == 0)
+++             return __PNR_getsockname;
+++     else if (strcmp(name, "getsockopt") == 0)
+++             return __PNR_getsockopt;
+++     else if (strcmp(name, "listen") == 0)
+++             return __PNR_listen;
+++     else if (strcmp(name, "recv") == 0)
+++             return __PNR_recv;
+++     else if (strcmp(name, "recvfrom") == 0)
+++             return __PNR_recvfrom;
+++     else if (strcmp(name, "recvmsg") == 0)
+++             return __PNR_recvmsg;
+++     else if (strcmp(name, "recvmmsg") == 0)
+++             return __PNR_recvmmsg;
+++     else if (strcmp(name, "send") == 0)
+++             return __PNR_send;
+++     else if (strcmp(name, "sendmsg") == 0)
+++             return __PNR_sendmsg;
+++     else if (strcmp(name, "sendmmsg") == 0)
+++             return __PNR_sendmmsg;
+++     else if (strcmp(name, "sendto") == 0)
+++             return __PNR_sendto;
+++     else if (strcmp(name, "setsockopt") == 0)
+++             return __PNR_setsockopt;
+++     else if (strcmp(name, "shutdown") == 0)
+++             return __PNR_shutdown;
+++     else if (strcmp(name, "socket") == 0)
+++             return __PNR_socket;
+++     else if (strcmp(name, "socketpair") == 0)
+++             return __PNR_socketpair;
+++
+++     if (strcmp(name, "semop") == 0)
+++             return __PNR_semop;
+++     else if (strcmp(name, "semget") == 0)
+++             return __PNR_semget;
+++     else if (strcmp(name, "semctl") == 0)
+++             return __PNR_semctl;
+++     else if (strcmp(name, "semtimedop") == 0)
+++             return __PNR_semtimedop;
+++     else if (strcmp(name, "msgsnd") == 0)
+++             return __PNR_msgsnd;
+++     else if (strcmp(name, "msgrcv") == 0)
+++             return __PNR_msgrcv;
+++     else if (strcmp(name, "msgget") == 0)
+++             return __PNR_msgget;
+++     else if (strcmp(name, "msgctl") == 0)
+++             return __PNR_msgctl;
+++     else if (strcmp(name, "shmat") == 0)
+++             return __PNR_shmat;
+++     else if (strcmp(name, "shmdt") == 0)
+++             return __PNR_shmdt;
+++     else if (strcmp(name, "shmget") == 0)
+++             return __PNR_shmget;
+++     else if (strcmp(name, "shmctl") == 0)
+++             return __PNR_shmctl;
+++
+++     return x86_syscall_resolve_name(name);
+++}
+++
+++/**
+++ * Resolve a syscall number to a name
+++ * @param num the syscall number
+++ *
+++ * Resolve the given syscall number to the syscall name using the syscall table.
+++ * Returns a pointer to the syscall name string on success, including pseudo
+++ * syscall names; returns NULL on failure.
+++ *
+++ */
+++const char *x86_syscall_resolve_num_munge(int num)
+++{
+++     if (num == __PNR_accept)
+++             return "accept";
+++     else if (num == __PNR_accept4)
+++             return "accept4";
+++     else if (num == __PNR_bind)
+++             return "bind";
+++     else if (num == __PNR_connect)
+++             return "connect";
+++     else if (num == __PNR_getpeername)
+++             return "getpeername";
+++     else if (num == __PNR_getsockname)
+++             return "getsockname";
+++     else if (num == __PNR_getsockopt)
+++             return "getsockopt";
+++     else if (num == __PNR_listen)
+++             return "listen";
+++     else if (num == __PNR_recv)
+++             return "recv";
+++     else if (num == __PNR_recvfrom)
+++             return "recvfrom";
+++     else if (num == __PNR_recvmsg)
+++             return "recvmsg";
+++     else if (num == __PNR_recvmmsg)
+++             return "recvmmsg";
+++     else if (num == __PNR_send)
+++             return "send";
+++     else if (num == __PNR_sendmsg)
+++             return "sendmsg";
+++     else if (num == __PNR_sendmmsg)
+++             return "sendmmsg";
+++     else if (num == __PNR_sendto)
+++             return "sendto";
+++     else if (num == __PNR_setsockopt)
+++             return "setsockopt";
+++     else if (num == __PNR_shutdown)
+++             return "shutdown";
+++     else if (num == __PNR_socket)
+++             return "socket";
+++     else if (num == __PNR_socketpair)
+++             return "socketpair";
+++
+++     if (num == __PNR_semop)
+++             return "semop";
+++     else if (num == __PNR_semget)
+++             return "semget";
+++     else if (num == __PNR_semctl)
+++             return "semctl";
+++     else if (num == __PNR_semtimedop)
+++             return "semtimedop";
+++     else if (num == __PNR_msgsnd)
+++             return "msgsnd";
+++     else if (num == __PNR_msgrcv)
+++             return "msgrcv";
+++     else if (num == __PNR_msgget)
+++             return "msgget";
+++     else if (num == __PNR_msgctl)
+++             return "msgctl";
+++     else if (num == __PNR_shmat)
+++             return "shmat";
+++     else if (num == __PNR_shmdt)
+++             return "shmdt";
+++     else if (num == __PNR_shmget)
+++             return "shmget";
+++     else if (num == __PNR_shmctl)
+++             return "shmctl";
+++
+++     return x86_syscall_resolve_num(num);
+++}
+++
+++/**
+++ * Convert a multiplexed pseudo syscall into a direct syscall
+++ * @param syscall the multiplexed pseudo syscall number
+++ *
+++ * Return the related direct syscall number, __NR_SCMP_UNDEF is there is
+++ * no related syscall, or __NR_SCMP_ERROR otherwise.
+++ *
+++ */
+++static int _x86_syscall_demux(int syscall)
+++{
+++     switch (syscall) {
+++     case -101:
+++             /* socket */
+++             return 359;
+++     case -102:
+++             /* bind */
+++             return 361;
+++     case -103:
+++             /* connect */
+++             return 362;
+++     case -104:
+++             /* listen */
+++             return 363;
+++     case -105:
+++             /* accept - not defined */
+++             return __NR_SCMP_UNDEF;
+++     case -106:
+++             /* getsockname */
+++             return 367;
+++     case -107:
+++             /* getpeername */
+++             return 368;
+++     case -108:
+++             /* socketpair */
+++             return 360;
+++     case -109:
+++             /* send - not defined */
+++             return __NR_SCMP_UNDEF;
+++     case -110:
+++             /* recv - not defined */
+++             return __NR_SCMP_UNDEF;
+++     case -111:
+++             /* sendto */
+++             return 369;
+++     case -112:
+++             /* recvfrom */
+++             return 371;
+++     case -113:
+++             /* shutdown */
+++             return 373;
+++     case -114:
+++             /* setsockopt */
+++             return 366;
+++     case -115:
+++             /* getsockopt */
+++             return 365;
+++     case -116:
+++             /* sendmsg */
+++             return 370;
+++     case -117:
+++             /* recvmsg */
+++             return 372;
+++     case -118:
+++             /* accept4 */
+++             return 364;
+++     case -119:
+++             /* recvmmsg */
+++             return 337;
+++     case -120:
+++             /* sendmmsg */
+++             return 345;
+++     case -201:
+++             /* semop - not defined */
+++             return __NR_SCMP_UNDEF;
+++     case -202:
+++             /* semget */
+++             return 393;
+++     case -203:
+++             /* semctl */
+++             return 394;
+++     case -204:
+++             /* semtimedop - not defined */
+++             return __NR_SCMP_UNDEF;
+++     case -211:
+++             /* msgsnd */
+++             return 400;
+++     case -212:
+++             /* msgrcv */
+++             return 401;
+++     case -213:
+++             /* msgget */
+++             return 399;
+++     case -214:
+++             /* msgctl */
+++             return 402;
+++     case -221:
+++             /* shmat */
+++             return 397;
+++     case -222:
+++             /* shmdt */
+++             return 398;
+++     case -223:
+++             /* shmget */
+++             return 395;
+++     case -224:
+++             /* shmctl */
+++             return 396;
+++     }
+++
+++     return __NR_SCMP_ERROR;
+++}
+++
+++/**
+++ * Convert a direct syscall into multiplexed pseudo socket syscall
+++ * @param syscall the direct syscall
+++ *
+++ * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is
+++ * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise.
+++ *
+++ */
+++static int _x86_syscall_mux(int syscall)
+++{
+++     switch (syscall) {
+++     case 337:
+++             /* recvmmsg */
+++             return -119;
+++     case 345:
+++             /* sendmmsg */
+++             return -120;
+++     case 359:
+++             /* socket */
+++             return -101;
+++     case 360:
+++             /* socketpair */
+++             return -108;
+++     case 361:
+++             /* bind */
+++             return -102;
+++     case 362:
+++             /* connect */
+++             return -103;
+++     case 363:
+++             /* listen */
+++             return -104;
+++     case 364:
+++             /* accept4 */
+++             return -118;
+++     case 365:
+++             /* getsockopt */
+++             return -115;
+++     case 366:
+++             /* setsockopt */
+++             return -114;
+++     case 367:
+++             /* getsockname */
+++             return -106;
+++     case 368:
+++             /* getpeername */
+++             return -107;
+++     case 369:
+++             /* sendto */
+++             return -111;
+++     case 370:
+++             /* sendmsg */
+++             return -116;
+++     case 371:
+++             /* recvfrom */
+++             return -112;
+++     case 372:
+++             /* recvmsg */
+++             return -117;
+++     case 373:
+++             /* shutdown */
+++             return -113;
+++     case 393:
+++             /* semget */
+++             return -202;
+++     case 394:
+++             /* semctl */
+++             return -203;
+++     case 400:
+++             /* msgsnd */
+++             return -211;
+++     case 401:
+++             /* msgrcv */
+++             return -212;
+++     case 399:
+++             /* msgget */
+++             return -213;
+++     case 402:
+++             /* msgctl */
+++             return -214;
+++     case 397:
+++             /* shmat */
+++             return -221;
+++     case 398:
+++             /* shmdt */
+++             return -222;
+++     case 395:
+++             /* shmget */
+++             return -223;
+++     case 396:
+++             /* shmctl */
+++             return -224;
+++     }
+++
+++     return __NR_SCMP_ERROR;
+++}
+++
+++/**
+++ * Rewrite a syscall value to match the architecture
+++ * @param syscall the syscall number
+++ *
+++ * Syscalls can vary across different architectures so this function rewrites
+++ * the syscall into the correct value for the specified architecture.  Returns
+++ * zero on success, negative values on failure.
+++ *
+++ */
+++int x86_syscall_rewrite(int *syscall)
+++{
+++     int sys = *syscall;
+++
+++     if (sys <= -100 && sys >= -120)
+++             *syscall = __x86_NR_socketcall;
+++     else if (sys <= -200 && sys >= -224)
+++             *syscall = __x86_NR_ipc;
+++     else if (sys < 0)
+++             return -EDOM;
+++
+++     return 0;
+++}
+++
+++/**
+++ * add a new rule to the x86 seccomp filter
+++ * @param db the seccomp filter db
+++ * @param rule the filter rule
+++ *
+++ * This function adds a new syscall filter to the seccomp filter db, making any
+++ * necessary adjustments for the x86 ABI.  Returns zero on success, negative
+++ * values on failure.
+++ *
+++ * It is important to note that in the case of failure the db may be corrupted,
+++ * the caller must use the transaction mechanism if the db integrity is
+++ * important.
+++ *
+++ */
+++int x86_rule_add(struct db_filter *db, struct db_api_rule_list *rule)
+++{
+++     int rc = 0;
+++     unsigned int iter;
+++     int sys = rule->syscall;
+++     int sys_a, sys_b;
+++     struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL;
+++
+++     if ((sys <= -100 && sys >= -120) || (sys >= 359 && sys <= 373)) {
+++             /* (-100 to -120) : multiplexed socket syscalls
+++                (359 to 373)   : direct socket syscalls, Linux 4.3+ */
+++
+++             /* strict check for the multiplexed socket syscalls */
+++             for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
+++                     if ((rule->args[iter].valid != 0) && (rule->strict)) {
+++                             rc = -EINVAL;
+++                             goto add_return;
+++                     }
+++             }
+++
+++             /* determine both the muxed and direct syscall numbers */
+++             if (sys > 0) {
+++                     sys_a = _x86_syscall_mux(sys);
+++                     if (sys_a == __NR_SCMP_ERROR) {
+++                             rc = __NR_SCMP_ERROR;
+++                             goto add_return;
+++                     }
+++                     sys_b = sys;
+++             } else {
+++                     sys_a = sys;
+++                     sys_b = _x86_syscall_demux(sys);
+++                     if (sys_b == __NR_SCMP_ERROR) {
+++                             rc = __NR_SCMP_ERROR;
+++                             goto add_return;
+++                     }
+++             }
+++
+++             /* use rule_a for the multiplexed syscall and use rule_b for
+++              * the direct wired syscall */
+++
+++             if (sys_a == __NR_SCMP_UNDEF) {
+++                     rule_a = NULL;
+++                     rule_b = rule;
+++             } else if (sys_b == __NR_SCMP_UNDEF) {
+++                     rule_a = rule;
+++                     rule_b = NULL;
+++             } else {
+++                     /* need two rules, dup the first and link together */
+++                     rule_a = rule;
+++                     rule_dup = db_rule_dup(rule_a);
+++                     rule_b = rule_dup;
+++                     if (rule_b == NULL)
+++                             goto add_return;
+++                     rule_b->prev = rule_a;
+++                     rule_b->next = NULL;
+++                     rule_a->next = rule_b;
+++             }
+++
+++             /* multiplexed socket syscalls */
+++             if (rule_a != NULL) {
+++                     rule_a->syscall = __x86_NR_socketcall;
+++                     rule_a->args[0].arg = 0;
+++                     rule_a->args[0].op = SCMP_CMP_EQ;
+++                     rule_a->args[0].mask = DATUM_MAX;
+++                     rule_a->args[0].datum = (-sys_a) % 100;
+++                     rule_a->args[0].valid = 1;
+++             }
+++
+++             /* direct wired socket syscalls */
+++             if (rule_b != NULL)
+++                     rule_b->syscall = sys_b;
+++
+++             /* we should be protected by a transaction checkpoint */
+++             if (rule_a != NULL) {
+++                     rc = db_rule_add(db, rule_a);
+++                     if (rc < 0)
+++                             goto add_return;
+++             }
+++             if (rule_b != NULL) {
+++                     rc = db_rule_add(db, rule_b);
+++                     if (rc < 0)
+++                             goto add_return;
+++             }
+++     } else if ((sys <= -200 && sys >= -224) || (sys >= 393 && sys <= 402)) {
+++             /* (-200 to -224) : multiplexed ipc syscalls
+++                (393 to 402) : direct ipc syscalls */
+++
+++             /* strict check for the multiplexed socket syscalls */
+++             for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
+++                     if ((rule->args[iter].valid != 0) && (rule->strict)) {
+++                             rc = -EINVAL;
+++                             goto add_return;
+++                     }
+++             }
+++
+++             /* determine both the muxed and direct syscall numbers */
+++             if (sys > 0) {
+++                     sys_a = _x86_syscall_mux(sys);
+++                     if (sys_a == __NR_SCMP_ERROR) {
+++                             rc = __NR_SCMP_ERROR;
+++                             goto add_return;
+++                     }
+++                     sys_b = sys;
+++             } else {
+++                     sys_a = sys;
+++                     sys_b = _x86_syscall_demux(sys);
+++                     if (sys_b == __NR_SCMP_ERROR) {
+++                             rc = __NR_SCMP_ERROR;
+++                             goto add_return;
+++                     }
+++             }
+++
+++             /* use rule_a for the multiplexed syscall and use rule_b for
+++              * the direct wired syscall */
+++
+++             if (sys_a == __NR_SCMP_UNDEF) {
+++                     rule_a = NULL;
+++                     rule_b = rule;
+++             } else if (sys_b == __NR_SCMP_UNDEF) {
+++                     rule_a = rule;
+++                     rule_b = NULL;
+++             } else {
+++                     /* need two rules, dup the first and link together */
+++                     rule_a = rule;
+++                     rule_dup = db_rule_dup(rule_a);
+++                     rule_b = rule_dup;
+++                     if (rule_b == NULL)
+++                             goto add_return;
+++                     rule_b->prev = rule_a;
+++                     rule_b->next = NULL;
+++                     rule_a->next = rule_b;
+++             }
+++
+++             /* multiplexed socket syscalls */
+++             if (rule_a != NULL) {
+++                     rule_a->syscall = __x86_NR_ipc;
+++                     rule_a->args[0].arg = 0;
+++                     rule_a->args[0].op = SCMP_CMP_EQ;
+++                     rule_a->args[0].mask = DATUM_MAX;
+++                     rule_a->args[0].datum = (-sys_a) % 200;
+++                     rule_a->args[0].valid = 1;
+++             }
+++
+++             /* direct wired socket syscalls */
+++             if (rule_b != NULL)
+++                     rule_b->syscall = sys_b;
+++
+++             /* we should be protected by a transaction checkpoint */
+++             if (rule_a != NULL) {
+++                     rc = db_rule_add(db, rule_a);
+++                     if (rc < 0)
+++                             goto add_return;
+++             }
+++             if (rule_b != NULL) {
+++                     rc = db_rule_add(db, rule_b);
+++                     if (rc < 0)
+++                             goto add_return;
+++             }
+++     } else if (sys >= 0) {
+++             /* normal syscall processing */
+++             rc = db_rule_add(db, rule);
+++             if (rc < 0)
+++                     goto add_return;
+++     } else if (rule->strict) {
+++             rc = -EDOM;
+++             goto add_return;
+++     }
+++
+++add_return:
+++     if (rule_dup != NULL)
+++             free(rule_dup);
+++     return rc;
+++}
+++
++ const struct arch_def arch_def_x86 = {
++      .token = SCMP_ARCH_X86,
++      .token_bpf = AUDIT_ARCH_I386,
++      .size = ARCH_SIZE_32,
++      .endian = ARCH_ENDIAN_LITTLE,
++-     .sys_socketcall = __x86_NR_socketcall,
++-     .sys_ipc = __x86_NR_ipc,
++-     .syscall_resolve_name = abi_syscall_resolve_name_munge,
++-     .syscall_resolve_name_raw = x86_syscall_resolve_name,
++-     .syscall_resolve_num = abi_syscall_resolve_num_munge,
++-     .syscall_resolve_num_raw = x86_syscall_resolve_num,
++-     .syscall_rewrite = abi_syscall_rewrite,
++-     .rule_add = abi_rule_add,
+++     .syscall_resolve_name = x86_syscall_resolve_name_munge,
+++     .syscall_resolve_num = x86_syscall_resolve_num_munge,
+++     .syscall_rewrite = x86_syscall_rewrite,
+++     .rule_add = x86_rule_add,
++ };
++diff --git a/src/arch-x86_64.c b/src/arch-x86_64.c
++--- a/src/arch-x86_64.c
+++++ b/src/arch-x86_64.c
++@@ -31,8 +31,8 @@ const struct arch_def arch_def_x86_64 = {
++      .token_bpf = AUDIT_ARCH_X86_64,
++      .size = ARCH_SIZE_64,
++      .endian = ARCH_ENDIAN_LITTLE,
++-     .syscall_resolve_name_raw = x86_64_syscall_resolve_name,
++-     .syscall_resolve_num_raw = x86_64_syscall_resolve_num,
+++     .syscall_resolve_name = x86_64_syscall_resolve_name,
+++     .syscall_resolve_num = x86_64_syscall_resolve_num,
++      .syscall_rewrite = NULL,
++      .rule_add = NULL,
++ };
++diff --git a/src/arch.c b/src/arch.c
++--- a/src/arch.c
+++++ b/src/arch.c
++@@ -300,9 +300,7 @@ int arch_arg_offset(const struct arch_def *arch, unsigned int arg)
++ int arch_syscall_resolve_name(const struct arch_def *arch, const char *name)
++ {
++      if (arch->syscall_resolve_name)
++-             return (*arch->syscall_resolve_name)(arch, name);
++-     if (arch->syscall_resolve_name_raw)
++-             return (*arch->syscall_resolve_name_raw)(name);
+++             return (*arch->syscall_resolve_name)(name);
++ 
++      return __NR_SCMP_ERROR;
++ }
++@@ -320,9 +318,7 @@ int arch_syscall_resolve_name(const struct arch_def *arch, const char *name)
++ const char *arch_syscall_resolve_num(const struct arch_def *arch, int num)
++ {
++      if (arch->syscall_resolve_num)
++-             return (*arch->syscall_resolve_num)(arch, num);
++-     if (arch->syscall_resolve_num_raw)
++-             return (*arch->syscall_resolve_num_raw)(num);
+++             return (*arch->syscall_resolve_num)(num);
++ 
++      return NULL;
++ }
++@@ -385,7 +381,7 @@ int arch_syscall_rewrite(const struct arch_def *arch, int *syscall)
++      } else if (sys > -10000) {
++              /* rewritable syscalls */
++              if (arch->syscall_rewrite)
++-                     (*arch->syscall_rewrite)(arch, syscall);
+++                     (*arch->syscall_rewrite)(syscall);
++      }
++ 
++      /* syscalls not defined on this architecture */
++diff --git a/src/arch.h b/src/arch.h
++--- a/src/arch.h
+++++ b/src/arch.h
++@@ -49,18 +49,10 @@ struct arch_def {
++              ARCH_ENDIAN_BIG,
++      } endian;
++ 
++-     /* arch specific constants */
++-     int sys_socketcall;
++-     int sys_ipc;
++-
++      /* arch specific functions */
++-     int (*syscall_resolve_name)(const struct arch_def *arch,
++-                                 const char *name);
++-     int (*syscall_resolve_name_raw)(const char *name);
++-     const char *(*syscall_resolve_num)(const struct arch_def *arch,
++-                                        int num);
++-     const char *(*syscall_resolve_num_raw)(int num);
++-     int (*syscall_rewrite)(const struct arch_def *arch, int *syscall);
+++     int (*syscall_resolve_name)(const char *name);
+++     const char *(*syscall_resolve_num)(int num);
+++     int (*syscall_rewrite)(int *syscall);
++      int (*rule_add)(struct db_filter *db, struct db_api_rule_list *rule);
++ };
++ 
++diff --git a/src/syscalls.c b/src/syscalls.c
++--- a/src/syscalls.c
+++++ b/src/syscalls.c
++@@ -1,5 +1,5 @@
++ /**
++- * Enhanced Seccomp Syscall Table Functions
+++ * Enhanced Seccomp x86_64 Syscall Table
++  *
++  * Copyright (c) 2012, 2020 Red Hat <pmoore@redhat.com>
++  * Author: Paul Moore <paul@paul-moore.com>
++@@ -19,13 +19,9 @@
++  * You should have received a copy of the GNU Lesser General Public License
++  * along with this library; if not, see <http://www.gnu.org/licenses>.
++  */
++-
++-#include <stdlib.h>
++-#include <errno.h>
++-#include <string.h>
++ #include <seccomp.h>
+++#include <string.h>
++ 
++-#include "db.h"
++ #include "arch.h"
++ #include "syscalls.h"
++ 
++@@ -58,524 +54,3 @@ ARCH_DEF(s390x)
++ ARCH_DEF(x32)
++ ARCH_DEF(x86)
++ ARCH_DEF(riscv64)
++-
++-/**
++- * Resolve a syscall name to a number
++- * @param arch the arch definition
++- * @param name the syscall name
++- *
++- * Resolve the given syscall name to the syscall number using the syscall table.
++- * Returns the syscall number on success, including negative pseudo syscall
++- * numbers; returns __NR_SCMP_ERROR on failure.
++- *
++- */
++-int abi_syscall_resolve_name_munge(const struct arch_def *arch,
++-                                const char *name)
++-{
++-
++-#define _ABI_SYSCALL_RES_NAME_CHK(NAME) \
++-     if (!strcmp(name, #NAME)) return __PNR_##NAME;
++-
++-     _ABI_SYSCALL_RES_NAME_CHK(socket)
++-     _ABI_SYSCALL_RES_NAME_CHK(bind)
++-     _ABI_SYSCALL_RES_NAME_CHK(connect)
++-     _ABI_SYSCALL_RES_NAME_CHK(listen)
++-     _ABI_SYSCALL_RES_NAME_CHK(accept)
++-     _ABI_SYSCALL_RES_NAME_CHK(getsockname)
++-     _ABI_SYSCALL_RES_NAME_CHK(getpeername)
++-     _ABI_SYSCALL_RES_NAME_CHK(socketpair)
++-     _ABI_SYSCALL_RES_NAME_CHK(send)
++-     _ABI_SYSCALL_RES_NAME_CHK(recv)
++-     _ABI_SYSCALL_RES_NAME_CHK(sendto)
++-     _ABI_SYSCALL_RES_NAME_CHK(recvfrom)
++-     _ABI_SYSCALL_RES_NAME_CHK(shutdown)
++-     _ABI_SYSCALL_RES_NAME_CHK(setsockopt)
++-     _ABI_SYSCALL_RES_NAME_CHK(getsockopt)
++-     _ABI_SYSCALL_RES_NAME_CHK(sendmsg)
++-     _ABI_SYSCALL_RES_NAME_CHK(recvmsg)
++-     _ABI_SYSCALL_RES_NAME_CHK(accept4)
++-     _ABI_SYSCALL_RES_NAME_CHK(recvmmsg)
++-     _ABI_SYSCALL_RES_NAME_CHK(sendmmsg)
++-     _ABI_SYSCALL_RES_NAME_CHK(semop)
++-     _ABI_SYSCALL_RES_NAME_CHK(semget)
++-     _ABI_SYSCALL_RES_NAME_CHK(semctl)
++-     _ABI_SYSCALL_RES_NAME_CHK(semtimedop)
++-     _ABI_SYSCALL_RES_NAME_CHK(msgsnd)
++-     _ABI_SYSCALL_RES_NAME_CHK(msgrcv)
++-     _ABI_SYSCALL_RES_NAME_CHK(msgget)
++-     _ABI_SYSCALL_RES_NAME_CHK(msgctl)
++-     _ABI_SYSCALL_RES_NAME_CHK(shmat)
++-     _ABI_SYSCALL_RES_NAME_CHK(shmdt)
++-     _ABI_SYSCALL_RES_NAME_CHK(shmget)
++-     _ABI_SYSCALL_RES_NAME_CHK(shmctl)
++-
++-     return arch->syscall_resolve_name_raw(name);
++-}
++-
++-/**
++- * Resolve a syscall number to a name
++- * @param arch the arch definition
++- * @param num the syscall number
++- *
++- * Resolve the given syscall number to the syscall name using the syscall table.
++- * Returns a pointer to the syscall name string on success, including pseudo
++- * syscall names; returns NULL on failure.
++- *
++- */
++-const char *abi_syscall_resolve_num_munge(const struct arch_def *arch, int num)
++-{
++-
++-#define _ABI_SYSCALL_RES_NUM_CHK(NAME) \
++-     if (num == __PNR_##NAME) return #NAME;
++-
++-     _ABI_SYSCALL_RES_NUM_CHK(socket)
++-     _ABI_SYSCALL_RES_NUM_CHK(bind)
++-     _ABI_SYSCALL_RES_NUM_CHK(connect)
++-     _ABI_SYSCALL_RES_NUM_CHK(listen)
++-     _ABI_SYSCALL_RES_NUM_CHK(accept)
++-     _ABI_SYSCALL_RES_NUM_CHK(getsockname)
++-     _ABI_SYSCALL_RES_NUM_CHK(getpeername)
++-     _ABI_SYSCALL_RES_NUM_CHK(socketpair)
++-     _ABI_SYSCALL_RES_NUM_CHK(send)
++-     _ABI_SYSCALL_RES_NUM_CHK(recv)
++-     _ABI_SYSCALL_RES_NUM_CHK(sendto)
++-     _ABI_SYSCALL_RES_NUM_CHK(recvfrom)
++-     _ABI_SYSCALL_RES_NUM_CHK(shutdown)
++-     _ABI_SYSCALL_RES_NUM_CHK(setsockopt)
++-     _ABI_SYSCALL_RES_NUM_CHK(getsockopt)
++-     _ABI_SYSCALL_RES_NUM_CHK(sendmsg)
++-     _ABI_SYSCALL_RES_NUM_CHK(recvmsg)
++-     _ABI_SYSCALL_RES_NUM_CHK(accept4)
++-     _ABI_SYSCALL_RES_NUM_CHK(recvmmsg)
++-     _ABI_SYSCALL_RES_NUM_CHK(sendmmsg)
++-     _ABI_SYSCALL_RES_NUM_CHK(semop)
++-     _ABI_SYSCALL_RES_NUM_CHK(semget)
++-     _ABI_SYSCALL_RES_NUM_CHK(semctl)
++-     _ABI_SYSCALL_RES_NUM_CHK(semtimedop)
++-     _ABI_SYSCALL_RES_NUM_CHK(msgsnd)
++-     _ABI_SYSCALL_RES_NUM_CHK(msgrcv)
++-     _ABI_SYSCALL_RES_NUM_CHK(msgget)
++-     _ABI_SYSCALL_RES_NUM_CHK(msgctl)
++-     _ABI_SYSCALL_RES_NUM_CHK(shmat)
++-     _ABI_SYSCALL_RES_NUM_CHK(shmdt)
++-     _ABI_SYSCALL_RES_NUM_CHK(shmget)
++-     _ABI_SYSCALL_RES_NUM_CHK(shmctl)
++-
++-     return arch->syscall_resolve_num_raw(num);
++-}
++-
++-/**
++- * Check if a syscall is a socket syscall
++- * @param arch the arch definition
++- * @param sys the syscall number
++- *
++- * Returns true if the syscall is a socket related syscall, false otherwise.
++- *
++- */
++-static bool _abi_syscall_socket_test(const struct arch_def *arch, int sys)
++-{
++-     const char *name;
++-
++-     /* multiplexed pseduo-syscalls */
++-     if (sys <= -100 && sys >= -120)
++-             return true;
++-
++-     name = arch->syscall_resolve_num_raw(sys);
++-     if (!name)
++-             return false;
++-
++-#define _ABI_SYSCALL_SOCK_CHK(NAME) \
++-     if (!strcmp(name, #NAME)) return true;
++-
++-     _ABI_SYSCALL_SOCK_CHK(socket)
++-     _ABI_SYSCALL_SOCK_CHK(bind)
++-     _ABI_SYSCALL_SOCK_CHK(connect)
++-     _ABI_SYSCALL_SOCK_CHK(listen)
++-     _ABI_SYSCALL_SOCK_CHK(accept)
++-     _ABI_SYSCALL_SOCK_CHK(getsockname)
++-     _ABI_SYSCALL_SOCK_CHK(getpeername)
++-     _ABI_SYSCALL_SOCK_CHK(socketpair)
++-     _ABI_SYSCALL_SOCK_CHK(send)
++-     _ABI_SYSCALL_SOCK_CHK(recv)
++-     _ABI_SYSCALL_SOCK_CHK(sendto)
++-     _ABI_SYSCALL_SOCK_CHK(recvfrom)
++-     _ABI_SYSCALL_SOCK_CHK(shutdown)
++-     _ABI_SYSCALL_SOCK_CHK(setsockopt)
++-     _ABI_SYSCALL_SOCK_CHK(getsockopt)
++-     _ABI_SYSCALL_SOCK_CHK(sendmsg)
++-     _ABI_SYSCALL_SOCK_CHK(recvmsg)
++-     _ABI_SYSCALL_SOCK_CHK(accept4)
++-     _ABI_SYSCALL_SOCK_CHK(recvmmsg)
++-     _ABI_SYSCALL_SOCK_CHK(sendmmsg)
++-
++-     return false;
++-}
++-
++-/**
++- * Check if a syscall is an ipc syscall
++- * @param arch the arch definition
++- * @param sys the syscall number
++- *
++- * Returns true if the syscall is an ipc related syscall, false otherwise.
++- *
++- */
++-static bool _abi_syscall_ipc_test(const struct arch_def *arch, int sys)
++-{
++-     const char *name;
++-
++-     /* multiplexed pseduo-syscalls */
++-     if (sys <= -200 && sys >= -224)
++-             return true;
++-
++-     name = arch->syscall_resolve_num_raw(sys);
++-     if (!name)
++-             return false;
++-
++-#define _ABI_SYSCALL_IPC_CHK(NAME) \
++-     if (!strcmp(name, #NAME)) return true;
++-
++-     _ABI_SYSCALL_IPC_CHK(semop)
++-     _ABI_SYSCALL_IPC_CHK(semget)
++-     _ABI_SYSCALL_IPC_CHK(semctl)
++-     _ABI_SYSCALL_IPC_CHK(semtimedop)
++-     _ABI_SYSCALL_IPC_CHK(msgsnd)
++-     _ABI_SYSCALL_IPC_CHK(msgrcv)
++-     _ABI_SYSCALL_IPC_CHK(msgget)
++-     _ABI_SYSCALL_IPC_CHK(msgctl)
++-     _ABI_SYSCALL_IPC_CHK(shmat)
++-     _ABI_SYSCALL_IPC_CHK(shmdt)
++-     _ABI_SYSCALL_IPC_CHK(shmget)
++-     _ABI_SYSCALL_IPC_CHK(shmctl)
++-
++-     return false;
++-}
++-
++-/**
++- * Convert a multiplexed pseudo syscall into a direct syscall
++- * @param arch the arch definition
++- * @param syscall the multiplexed pseudo syscall number
++- *
++- * Return the related direct syscall number, __NR_SCMP_UNDEF is there is
++- * no related syscall, or __NR_SCMP_ERROR otherwise.
++- *
++- */
++-static int _abi_syscall_demux(const struct arch_def *arch, int syscall)
++-{
++-     int sys = __NR_SCMP_UNDEF;
++-
++-#define _ABI_SYSCALL_DEMUX_CHK(NAME) \
++-case __PNR_##NAME: \
++-     sys = arch->syscall_resolve_name_raw(#NAME); break;
++-
++-     switch (syscall) {
++-             _ABI_SYSCALL_DEMUX_CHK(socket)
++-             _ABI_SYSCALL_DEMUX_CHK(bind)
++-             _ABI_SYSCALL_DEMUX_CHK(connect)
++-             _ABI_SYSCALL_DEMUX_CHK(listen)
++-             _ABI_SYSCALL_DEMUX_CHK(accept)
++-             _ABI_SYSCALL_DEMUX_CHK(getsockname)
++-             _ABI_SYSCALL_DEMUX_CHK(getpeername)
++-             _ABI_SYSCALL_DEMUX_CHK(socketpair)
++-             _ABI_SYSCALL_DEMUX_CHK(send)
++-             _ABI_SYSCALL_DEMUX_CHK(recv)
++-             _ABI_SYSCALL_DEMUX_CHK(sendto)
++-             _ABI_SYSCALL_DEMUX_CHK(recvfrom)
++-             _ABI_SYSCALL_DEMUX_CHK(shutdown)
++-             _ABI_SYSCALL_DEMUX_CHK(setsockopt)
++-             _ABI_SYSCALL_DEMUX_CHK(getsockopt)
++-             _ABI_SYSCALL_DEMUX_CHK(sendmsg)
++-             _ABI_SYSCALL_DEMUX_CHK(recvmsg)
++-             _ABI_SYSCALL_DEMUX_CHK(accept4)
++-             _ABI_SYSCALL_DEMUX_CHK(recvmmsg)
++-             _ABI_SYSCALL_DEMUX_CHK(sendmmsg)
++-             _ABI_SYSCALL_DEMUX_CHK(semop)
++-             _ABI_SYSCALL_DEMUX_CHK(semget)
++-             _ABI_SYSCALL_DEMUX_CHK(semctl)
++-             _ABI_SYSCALL_DEMUX_CHK(semtimedop)
++-             _ABI_SYSCALL_DEMUX_CHK(msgsnd)
++-             _ABI_SYSCALL_DEMUX_CHK(msgrcv)
++-             _ABI_SYSCALL_DEMUX_CHK(msgget)
++-             _ABI_SYSCALL_DEMUX_CHK(msgctl)
++-             _ABI_SYSCALL_DEMUX_CHK(shmat)
++-             _ABI_SYSCALL_DEMUX_CHK(shmdt)
++-             _ABI_SYSCALL_DEMUX_CHK(shmget)
++-             _ABI_SYSCALL_DEMUX_CHK(shmctl)
++-     }
++-
++-     /* this looks odd because the arch resolver returns _ERROR if it can't
++-      * resolve the syscall, but we want to use _UNDEF for that, so we set
++-      * 'sys' to a sentinel value of _UNDEF and if it is error here we know
++-      * the resolve failed to find a match */
++-     if (sys == __NR_SCMP_UNDEF)
++-             sys = __NR_SCMP_ERROR;
++-     else if (sys == __NR_SCMP_ERROR)
++-             sys = __NR_SCMP_UNDEF;
++-
++-     return sys;
++-}
++-
++-/**
++- * Convert a direct syscall into multiplexed pseudo socket syscall
++- * @param arch the arch definition
++- * @param syscall the direct syscall
++- *
++- * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is
++- * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise.
++- *
++- */
++-static int _abi_syscall_mux(const struct arch_def *arch, int syscall)
++-{
++-     const char *sys;
++-
++-     sys = arch->syscall_resolve_num_raw(syscall);
++-     if (!sys)
++-             return __NR_SCMP_ERROR;
++-
++-#define _ABI_SYSCALL_MUX_CHK(NAME) \
++-     if (!strcmp(sys, #NAME)) return __PNR_##NAME;
++-
++-     _ABI_SYSCALL_MUX_CHK(socket)
++-     _ABI_SYSCALL_MUX_CHK(bind)
++-     _ABI_SYSCALL_MUX_CHK(connect)
++-     _ABI_SYSCALL_MUX_CHK(listen)
++-     _ABI_SYSCALL_MUX_CHK(accept)
++-     _ABI_SYSCALL_MUX_CHK(getsockname)
++-     _ABI_SYSCALL_MUX_CHK(getpeername)
++-     _ABI_SYSCALL_MUX_CHK(socketpair)
++-     _ABI_SYSCALL_MUX_CHK(send)
++-     _ABI_SYSCALL_MUX_CHK(recv)
++-     _ABI_SYSCALL_MUX_CHK(sendto)
++-     _ABI_SYSCALL_MUX_CHK(recvfrom)
++-     _ABI_SYSCALL_MUX_CHK(shutdown)
++-     _ABI_SYSCALL_MUX_CHK(setsockopt)
++-     _ABI_SYSCALL_MUX_CHK(getsockopt)
++-     _ABI_SYSCALL_MUX_CHK(sendmsg)
++-     _ABI_SYSCALL_MUX_CHK(recvmsg)
++-     _ABI_SYSCALL_MUX_CHK(accept4)
++-     _ABI_SYSCALL_MUX_CHK(recvmmsg)
++-     _ABI_SYSCALL_MUX_CHK(sendmmsg)
++-     _ABI_SYSCALL_MUX_CHK(semop)
++-     _ABI_SYSCALL_MUX_CHK(semget)
++-     _ABI_SYSCALL_MUX_CHK(semctl)
++-     _ABI_SYSCALL_MUX_CHK(semtimedop)
++-     _ABI_SYSCALL_MUX_CHK(msgsnd)
++-     _ABI_SYSCALL_MUX_CHK(msgrcv)
++-     _ABI_SYSCALL_MUX_CHK(msgget)
++-     _ABI_SYSCALL_MUX_CHK(msgctl)
++-     _ABI_SYSCALL_MUX_CHK(shmat)
++-     _ABI_SYSCALL_MUX_CHK(shmdt)
++-     _ABI_SYSCALL_MUX_CHK(shmget)
++-     _ABI_SYSCALL_MUX_CHK(shmctl)
++-
++-     return __NR_SCMP_ERROR;
++-}
++-
++-/**
++- * Rewrite a syscall value to match the architecture
++- * @param arch the arch definition
++- * @param syscall the syscall number
++- *
++- * Syscalls can vary across different architectures so this function rewrites
++- * the syscall into the correct value for the specified architecture.  Returns
++- * zero on success, negative values on failure.
++- *
++- */
++-int abi_syscall_rewrite(const struct arch_def *arch, int *syscall)
++-{
++-     int sys = *syscall;
++-
++-     if (sys <= -100 && sys >= -120)
++-             *syscall = arch->sys_socketcall;
++-     else if (sys <= -200 && sys >= -224)
++-             *syscall = arch->sys_ipc;
++-     else if (sys < 0)
++-             return -EDOM;
++-
++-     return 0;
++-}
++-
++-/**
++- * add a new rule to the abi seccomp filter
++- * @param db the seccomp filter db
++- * @param rule the filter rule
++- *
++- * This function adds a new syscall filter to the seccomp filter db, making any
++- * necessary adjustments for the abi ABI.  Returns zero on success, negative
++- * values on failure.
++- *
++- * It is important to note that in the case of failure the db may be corrupted,
++- * the caller must use the transaction mechanism if the db integrity is
++- * important.
++- *
++- */
++-int abi_rule_add(struct db_filter *db, struct db_api_rule_list *rule)
++-{
++-     int rc = 0;
++-     unsigned int iter;
++-     int sys = rule->syscall;
++-     int sys_a, sys_b;
++-     struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL;
++-
++-     if (_abi_syscall_socket_test(db->arch, sys)) {
++-             /* socket syscalls */
++-
++-             /* strict check for the multiplexed socket syscalls */
++-             for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
++-                     if ((rule->args[iter].valid != 0) && (rule->strict)) {
++-                             rc = -EINVAL;
++-                             goto add_return;
++-                     }
++-             }
++-
++-             /* determine both the muxed and direct syscall numbers */
++-             if (sys > 0) {
++-                     sys_a = _abi_syscall_mux(db->arch, sys);
++-                     if (sys_a == __NR_SCMP_ERROR) {
++-                             rc = __NR_SCMP_ERROR;
++-                             goto add_return;
++-                     }
++-                     sys_b = sys;
++-             } else {
++-                     sys_a = sys;
++-                     sys_b = _abi_syscall_demux(db->arch, sys);
++-                     if (sys_b == __NR_SCMP_ERROR) {
++-                             rc = __NR_SCMP_ERROR;
++-                             goto add_return;
++-                     }
++-             }
++-
++-             /* use rule_a for the multiplexed syscall and use rule_b for
++-              * the direct wired syscall */
++-
++-             if (sys_a == __NR_SCMP_UNDEF) {
++-                     rule_a = NULL;
++-                     rule_b = rule;
++-             } else if (sys_b == __NR_SCMP_UNDEF) {
++-                     rule_a = rule;
++-                     rule_b = NULL;
++-             } else {
++-                     /* need two rules, dup the first and link together */
++-                     rule_a = rule;
++-                     rule_dup = db_rule_dup(rule_a);
++-                     rule_b = rule_dup;
++-                     if (rule_b == NULL)
++-                             goto add_return;
++-                     rule_b->prev = rule_a;
++-                     rule_b->next = NULL;
++-                     rule_a->next = rule_b;
++-             }
++-
++-             /* multiplexed socket syscalls */
++-             if (rule_a != NULL) {
++-                     rule_a->syscall = db->arch->sys_socketcall;
++-                     rule_a->args[0].arg = 0;
++-                     rule_a->args[0].op = SCMP_CMP_EQ;
++-                     rule_a->args[0].mask = DATUM_MAX;
++-                     rule_a->args[0].datum = (-sys_a) % 100;
++-                     rule_a->args[0].valid = 1;
++-             }
++-
++-             /* direct wired socket syscalls */
++-             if (rule_b != NULL)
++-                     rule_b->syscall = sys_b;
++-
++-             /* we should be protected by a transaction checkpoint */
++-             if (rule_a != NULL) {
++-                     rc = db_rule_add(db, rule_a);
++-                     if (rc < 0)
++-                             goto add_return;
++-             }
++-             if (rule_b != NULL) {
++-                     rc = db_rule_add(db, rule_b);
++-                     if (rc < 0)
++-                             goto add_return;
++-             }
++-     } else if (_abi_syscall_ipc_test(db->arch, sys)) {
++-             /* ipc syscalls */
++-
++-             /* strict check for the multiplexed socket syscalls */
++-             for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
++-                     if ((rule->args[iter].valid != 0) && (rule->strict)) {
++-                             rc = -EINVAL;
++-                             goto add_return;
++-                     }
++-             }
++-
++-             /* determine both the muxed and direct syscall numbers */
++-             if (sys > 0) {
++-                     sys_a = _abi_syscall_mux(db->arch, sys);
++-                     if (sys_a == __NR_SCMP_ERROR) {
++-                             rc = __NR_SCMP_ERROR;
++-                             goto add_return;
++-                     }
++-                     sys_b = sys;
++-             } else {
++-                     sys_a = sys;
++-                     sys_b = _abi_syscall_demux(db->arch, sys);
++-                     if (sys_b == __NR_SCMP_ERROR) {
++-                             rc = __NR_SCMP_ERROR;
++-                             goto add_return;
++-                     }
++-             }
++-
++-             /* use rule_a for the multiplexed syscall and use rule_b for
++-              * the direct wired syscall */
++-
++-             if (sys_a == __NR_SCMP_UNDEF) {
++-                     rule_a = NULL;
++-                     rule_b = rule;
++-             } else if (sys_b == __NR_SCMP_UNDEF) {
++-                     rule_a = rule;
++-                     rule_b = NULL;
++-             } else {
++-                     /* need two rules, dup the first and link together */
++-                     rule_a = rule;
++-                     rule_dup = db_rule_dup(rule_a);
++-                     rule_b = rule_dup;
++-                     if (rule_b == NULL)
++-                             goto add_return;
++-                     rule_b->prev = rule_a;
++-                     rule_b->next = NULL;
++-                     rule_a->next = rule_b;
++-             }
++-
++-             /* multiplexed socket syscalls */
++-             if (rule_a != NULL) {
++-                     rule_a->syscall = db->arch->sys_ipc;
++-                     rule_a->args[0].arg = 0;
++-                     rule_a->args[0].op = SCMP_CMP_EQ;
++-                     rule_a->args[0].mask = DATUM_MAX;
++-                     rule_a->args[0].datum = (-sys_a) % 200;
++-                     rule_a->args[0].valid = 1;
++-             }
++-
++-             /* direct wired socket syscalls */
++-             if (rule_b != NULL)
++-                     rule_b->syscall = sys_b;
++-
++-             /* we should be protected by a transaction checkpoint */
++-             if (rule_a != NULL) {
++-                     rc = db_rule_add(db, rule_a);
++-                     if (rc < 0)
++-                             goto add_return;
++-             }
++-             if (rule_b != NULL) {
++-                     rc = db_rule_add(db, rule_b);
++-                     if (rc < 0)
++-                             goto add_return;
++-             }
++-     } else if (sys >= 0) {
++-             /* normal syscall processing */
++-             rc = db_rule_add(db, rule);
++-             if (rc < 0)
++-                     goto add_return;
++-     } else if (rule->strict) {
++-             rc = -EDOM;
++-             goto add_return;
++-     }
++-
++-add_return:
++-     if (rule_dup != NULL)
++-             free(rule_dup);
++-     return rc;
++-}
++diff --git a/src/syscalls.h b/src/syscalls.h
++--- a/src/syscalls.h
+++++ b/src/syscalls.h
++@@ -59,12 +59,4 @@ int syscall_resolve_name(const char *name, int offset);
++ const char *syscall_resolve_num(int num, int offset);
++ const struct arch_syscall_def *syscall_iterate(unsigned int spot, int offset);
++ 
++-/* helper functions for multiplexed syscalls, e.g. socketcall(2) and ipc(2) */
++-int abi_syscall_resolve_name_munge(const struct arch_def *arch,
++-                                const char *name);
++-const char *abi_syscall_resolve_num_munge(const struct arch_def *arch, int num);
++-int abi_syscall_rewrite(const struct arch_def *arch, int *syscall);
++-int abi_rule_add(struct db_filter *db, struct db_api_rule_list *rule);
++-
++-
++ #endif

diff --cc debian/patches/revert_mips_add_multiplexed_syscall_support_to_MIPS.patch
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..56eaca728b13b55c856ad1aae985e9c8ba7d8840
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/patches/revert_mips_add_multiplexed_syscall_support_to_MIPS.patch
@@@ -1,0 -1,0 +1,572 @@@
++REVERTS
++
++From e976080ac5547a46f4654abc710e89bed992bb63 Mon Sep 17 00:00:00 2001
++From: Paul Moore <paul@paul-moore.com>
++Date: Tue, 3 Aug 2021 23:09:04 -0400
++Subject: [PATCH] mips: add multiplexed syscall support to MIPS
++
++Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
++Signed-off-by: Paul Moore <paul@paul-moore.com>
++
++(imported from commit 8e2d449b012647d5f6d6ac86860689ce40e504ae)
++---
++ src/arch-mips.c | 508 ++++++++++++++++++++++++++++++++++++++++++++++--
++ 1 file changed, 495 insertions(+), 13 deletions(-)
++
++diff --git a/src/arch-mips.c b/src/arch-mips.c
++--- a/src/arch-mips.c
+++++ b/src/arch-mips.c
++@@ -22,21 +22,14 @@
++ 
++ #include <stdlib.h>
++ #include <errno.h>
++-#include <string.h>
++ #include <linux/audit.h>
++ 
++-#include "db.h"
++-#include "syscalls.h"
++ #include "arch.h"
++ #include "arch-mips.h"
++ 
++ /* O32 ABI */
++ #define __SCMP_NR_BASE                       4000
++ 
++-/* mips syscall numbers */
++-#define __mips_NR_socketcall         102
++-#define __mips_NR_ipc                        117
++-
++ /**
++  * Resolve a syscall name to a number
++  * @param name the syscall name
++@@ -48,44 +41,14 @@
++  */
++ int mips_syscall_resolve_name_munge(const char *name)
++ {
+++     int sys;
++ 
++-#define _ABI_SYSCALL_RES_NAME_CHK(NAME) \
++-     if (!strcmp(name, #NAME)) return __PNR_##NAME;
+++     /* NOTE: we don't want to modify the pseudo-syscall numbers */
+++     sys = mips_syscall_resolve_name(name);
+++     if (sys == __NR_SCMP_ERROR || sys < 0)
+++             return sys;
++ 
++-     _ABI_SYSCALL_RES_NAME_CHK(socket)
++-     _ABI_SYSCALL_RES_NAME_CHK(bind)
++-     _ABI_SYSCALL_RES_NAME_CHK(connect)
++-     _ABI_SYSCALL_RES_NAME_CHK(listen)
++-     _ABI_SYSCALL_RES_NAME_CHK(accept)
++-     _ABI_SYSCALL_RES_NAME_CHK(getsockname)
++-     _ABI_SYSCALL_RES_NAME_CHK(getpeername)
++-     _ABI_SYSCALL_RES_NAME_CHK(socketpair)
++-     _ABI_SYSCALL_RES_NAME_CHK(send)
++-     _ABI_SYSCALL_RES_NAME_CHK(recv)
++-     _ABI_SYSCALL_RES_NAME_CHK(sendto)
++-     _ABI_SYSCALL_RES_NAME_CHK(recvfrom)
++-     _ABI_SYSCALL_RES_NAME_CHK(shutdown)
++-     _ABI_SYSCALL_RES_NAME_CHK(setsockopt)
++-     _ABI_SYSCALL_RES_NAME_CHK(getsockopt)
++-     _ABI_SYSCALL_RES_NAME_CHK(sendmsg)
++-     _ABI_SYSCALL_RES_NAME_CHK(recvmsg)
++-     _ABI_SYSCALL_RES_NAME_CHK(accept4)
++-     _ABI_SYSCALL_RES_NAME_CHK(recvmmsg)
++-     _ABI_SYSCALL_RES_NAME_CHK(sendmmsg)
++-     _ABI_SYSCALL_RES_NAME_CHK(semop)
++-     _ABI_SYSCALL_RES_NAME_CHK(semget)
++-     _ABI_SYSCALL_RES_NAME_CHK(semctl)
++-     _ABI_SYSCALL_RES_NAME_CHK(semtimedop)
++-     _ABI_SYSCALL_RES_NAME_CHK(msgsnd)
++-     _ABI_SYSCALL_RES_NAME_CHK(msgrcv)
++-     _ABI_SYSCALL_RES_NAME_CHK(msgget)
++-     _ABI_SYSCALL_RES_NAME_CHK(msgctl)
++-     _ABI_SYSCALL_RES_NAME_CHK(shmat)
++-     _ABI_SYSCALL_RES_NAME_CHK(shmdt)
++-     _ABI_SYSCALL_RES_NAME_CHK(shmget)
++-     _ABI_SYSCALL_RES_NAME_CHK(shmctl)
++-
++-     return mips_syscall_resolve_name(name);
+++     return sys + __SCMP_NR_BASE;
++ }
++ 
++ /**
++@@ -99,457 +62,12 @@ int mips_syscall_resolve_name_munge(const char *name)
++  */
++ const char *mips_syscall_resolve_num_munge(int num)
++ {
++-
++-#define _ABI_SYSCALL_RES_NUM_CHK(NAME) \
++-     if (num == __PNR_##NAME) return #NAME;
++-
++-     _ABI_SYSCALL_RES_NUM_CHK(socket)
++-     _ABI_SYSCALL_RES_NUM_CHK(bind)
++-     _ABI_SYSCALL_RES_NUM_CHK(connect)
++-     _ABI_SYSCALL_RES_NUM_CHK(listen)
++-     _ABI_SYSCALL_RES_NUM_CHK(accept)
++-     _ABI_SYSCALL_RES_NUM_CHK(getsockname)
++-     _ABI_SYSCALL_RES_NUM_CHK(getpeername)
++-     _ABI_SYSCALL_RES_NUM_CHK(socketpair)
++-     _ABI_SYSCALL_RES_NUM_CHK(send)
++-     _ABI_SYSCALL_RES_NUM_CHK(recv)
++-     _ABI_SYSCALL_RES_NUM_CHK(sendto)
++-     _ABI_SYSCALL_RES_NUM_CHK(recvfrom)
++-     _ABI_SYSCALL_RES_NUM_CHK(shutdown)
++-     _ABI_SYSCALL_RES_NUM_CHK(setsockopt)
++-     _ABI_SYSCALL_RES_NUM_CHK(getsockopt)
++-     _ABI_SYSCALL_RES_NUM_CHK(sendmsg)
++-     _ABI_SYSCALL_RES_NUM_CHK(recvmsg)
++-     _ABI_SYSCALL_RES_NUM_CHK(accept4)
++-     _ABI_SYSCALL_RES_NUM_CHK(recvmmsg)
++-     _ABI_SYSCALL_RES_NUM_CHK(sendmmsg)
++-     _ABI_SYSCALL_RES_NUM_CHK(semop)
++-     _ABI_SYSCALL_RES_NUM_CHK(semget)
++-     _ABI_SYSCALL_RES_NUM_CHK(semctl)
++-     _ABI_SYSCALL_RES_NUM_CHK(semtimedop)
++-     _ABI_SYSCALL_RES_NUM_CHK(msgsnd)
++-     _ABI_SYSCALL_RES_NUM_CHK(msgrcv)
++-     _ABI_SYSCALL_RES_NUM_CHK(msgget)
++-     _ABI_SYSCALL_RES_NUM_CHK(msgctl)
++-     _ABI_SYSCALL_RES_NUM_CHK(shmat)
++-     _ABI_SYSCALL_RES_NUM_CHK(shmdt)
++-     _ABI_SYSCALL_RES_NUM_CHK(shmget)
++-     _ABI_SYSCALL_RES_NUM_CHK(shmctl)
++-
+++     /* NOTE: we don't want to modify the pseudo-syscall numbers */
+++     if (num >= __SCMP_NR_BASE)
+++             num -= __SCMP_NR_BASE;
++      return mips_syscall_resolve_num(num);
++ }
++ 
++-/**
++- * Check if a syscall is a socket syscall
++- * @param sys the syscall number
++- *
++- * Returns true if the syscall is a socket related syscall, false otherwise.
++- *
++- */
++-static bool _mips_syscall_socket_test(int sys)
++-{
++-     const char *name;
++-
++-     /* multiplexed pseduo-syscalls */
++-     if (sys <= -100 && sys >= -120)
++-             return true;
++-
++-     name = mips_syscall_resolve_num(sys);
++-     if (!name)
++-             return false;
++-
++-#define _ABI_SYSCALL_SOCK_CHK(NAME) \
++-     if (!strcmp(name, #NAME)) return true;
++-
++-     _ABI_SYSCALL_SOCK_CHK(socket)
++-     _ABI_SYSCALL_SOCK_CHK(bind)
++-     _ABI_SYSCALL_SOCK_CHK(connect)
++-     _ABI_SYSCALL_SOCK_CHK(listen)
++-     _ABI_SYSCALL_SOCK_CHK(accept)
++-     _ABI_SYSCALL_SOCK_CHK(getsockname)
++-     _ABI_SYSCALL_SOCK_CHK(getpeername)
++-     _ABI_SYSCALL_SOCK_CHK(socketpair)
++-     _ABI_SYSCALL_SOCK_CHK(send)
++-     _ABI_SYSCALL_SOCK_CHK(recv)
++-     _ABI_SYSCALL_SOCK_CHK(sendto)
++-     _ABI_SYSCALL_SOCK_CHK(recvfrom)
++-     _ABI_SYSCALL_SOCK_CHK(shutdown)
++-     _ABI_SYSCALL_SOCK_CHK(setsockopt)
++-     _ABI_SYSCALL_SOCK_CHK(getsockopt)
++-     _ABI_SYSCALL_SOCK_CHK(sendmsg)
++-     _ABI_SYSCALL_SOCK_CHK(recvmsg)
++-     _ABI_SYSCALL_SOCK_CHK(accept4)
++-     _ABI_SYSCALL_SOCK_CHK(recvmmsg)
++-     _ABI_SYSCALL_SOCK_CHK(sendmmsg)
++-
++-     return false;
++-}
++-
++-/**
++- * Check if a syscall is an ipc syscall
++- * @param sys the syscall number
++- *
++- * Returns true if the syscall is an ipc related syscall, false otherwise.
++- *
++- */
++-static bool _mips_syscall_ipc_test(int sys)
++-{
++-     const char *name;
++-
++-     /* multiplexed pseduo-syscalls */
++-     if (sys <= -200 && sys >= -224)
++-             return true;
++-
++-     name = mips_syscall_resolve_num(sys);
++-     if (!name)
++-             return false;
++-
++-#define _ABI_SYSCALL_IPC_CHK(NAME) \
++-     if (!strcmp(name, #NAME)) return true;
++-
++-     _ABI_SYSCALL_IPC_CHK(semop)
++-     _ABI_SYSCALL_IPC_CHK(semget)
++-     _ABI_SYSCALL_IPC_CHK(semctl)
++-     _ABI_SYSCALL_IPC_CHK(semtimedop)
++-     _ABI_SYSCALL_IPC_CHK(msgsnd)
++-     _ABI_SYSCALL_IPC_CHK(msgrcv)
++-     _ABI_SYSCALL_IPC_CHK(msgget)
++-     _ABI_SYSCALL_IPC_CHK(msgctl)
++-     _ABI_SYSCALL_IPC_CHK(shmat)
++-     _ABI_SYSCALL_IPC_CHK(shmdt)
++-     _ABI_SYSCALL_IPC_CHK(shmget)
++-     _ABI_SYSCALL_IPC_CHK(shmctl)
++-
++-     return false;
++-}
++-
++-/**
++- * Convert a multiplexed pseudo syscall into a direct syscall
++- * @param syscall the multiplexed pseudo syscall number
++- *
++- * Return the related direct syscall number, __NR_SCMP_UNDEF is there is
++- * no related syscall, or __NR_SCMP_ERROR otherwise.
++- *
++- */
++-static int _mips_syscall_demux(int syscall)
++-{
++-     int sys = __NR_SCMP_UNDEF;
++-
++-#define _ABI_SYSCALL_DEMUX_CHK(NAME) \
++-case __PNR_##NAME: \
++-     sys = mips_syscall_resolve_name(#NAME); break;
++-
++-     switch (syscall) {
++-             _ABI_SYSCALL_DEMUX_CHK(socket)
++-             _ABI_SYSCALL_DEMUX_CHK(bind)
++-             _ABI_SYSCALL_DEMUX_CHK(connect)
++-             _ABI_SYSCALL_DEMUX_CHK(listen)
++-             _ABI_SYSCALL_DEMUX_CHK(accept)
++-             _ABI_SYSCALL_DEMUX_CHK(getsockname)
++-             _ABI_SYSCALL_DEMUX_CHK(getpeername)
++-             _ABI_SYSCALL_DEMUX_CHK(socketpair)
++-             _ABI_SYSCALL_DEMUX_CHK(send)
++-             _ABI_SYSCALL_DEMUX_CHK(recv)
++-             _ABI_SYSCALL_DEMUX_CHK(sendto)
++-             _ABI_SYSCALL_DEMUX_CHK(recvfrom)
++-             _ABI_SYSCALL_DEMUX_CHK(shutdown)
++-             _ABI_SYSCALL_DEMUX_CHK(setsockopt)
++-             _ABI_SYSCALL_DEMUX_CHK(getsockopt)
++-             _ABI_SYSCALL_DEMUX_CHK(sendmsg)
++-             _ABI_SYSCALL_DEMUX_CHK(recvmsg)
++-             _ABI_SYSCALL_DEMUX_CHK(accept4)
++-             _ABI_SYSCALL_DEMUX_CHK(recvmmsg)
++-             _ABI_SYSCALL_DEMUX_CHK(sendmmsg)
++-             _ABI_SYSCALL_DEMUX_CHK(semop)
++-             _ABI_SYSCALL_DEMUX_CHK(semget)
++-             _ABI_SYSCALL_DEMUX_CHK(semctl)
++-             _ABI_SYSCALL_DEMUX_CHK(semtimedop)
++-             _ABI_SYSCALL_DEMUX_CHK(msgsnd)
++-             _ABI_SYSCALL_DEMUX_CHK(msgrcv)
++-             _ABI_SYSCALL_DEMUX_CHK(msgget)
++-             _ABI_SYSCALL_DEMUX_CHK(msgctl)
++-             _ABI_SYSCALL_DEMUX_CHK(shmat)
++-             _ABI_SYSCALL_DEMUX_CHK(shmdt)
++-             _ABI_SYSCALL_DEMUX_CHK(shmget)
++-             _ABI_SYSCALL_DEMUX_CHK(shmctl)
++-     }
++-
++-     /* this looks odd because the arch resolver returns _ERROR if it can't
++-      * resolve the syscall, but we want to use _UNDEF for that, so we set
++-      * 'sys' to a sentinel value of _UNDEF and if it is error here we know
++-      * the resolve failed to find a match */
++-     if (sys == __NR_SCMP_UNDEF)
++-             sys = __NR_SCMP_ERROR;
++-     else if (sys == __NR_SCMP_ERROR)
++-             sys = __NR_SCMP_UNDEF;
++-
++-     return sys;
++-}
++-
++-/**
++- * Convert a direct syscall into multiplexed pseudo socket syscall
++- * @param syscall the direct syscall
++- *
++- * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is
++- * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise.
++- *
++- */
++-static int _mips_syscall_mux(int syscall)
++-{
++-     const char *sys;
++-
++-     sys = mips_syscall_resolve_num(syscall);
++-     if (!sys)
++-             return __NR_SCMP_ERROR;
++-
++-#define _ABI_SYSCALL_MUX_CHK(NAME) \
++-     if (!strcmp(sys, #NAME)) return __PNR_##NAME;
++-
++-     _ABI_SYSCALL_MUX_CHK(socket)
++-     _ABI_SYSCALL_MUX_CHK(bind)
++-     _ABI_SYSCALL_MUX_CHK(connect)
++-     _ABI_SYSCALL_MUX_CHK(listen)
++-     _ABI_SYSCALL_MUX_CHK(accept)
++-     _ABI_SYSCALL_MUX_CHK(getsockname)
++-     _ABI_SYSCALL_MUX_CHK(getpeername)
++-     _ABI_SYSCALL_MUX_CHK(socketpair)
++-     _ABI_SYSCALL_MUX_CHK(send)
++-     _ABI_SYSCALL_MUX_CHK(recv)
++-     _ABI_SYSCALL_MUX_CHK(sendto)
++-     _ABI_SYSCALL_MUX_CHK(recvfrom)
++-     _ABI_SYSCALL_MUX_CHK(shutdown)
++-     _ABI_SYSCALL_MUX_CHK(setsockopt)
++-     _ABI_SYSCALL_MUX_CHK(getsockopt)
++-     _ABI_SYSCALL_MUX_CHK(sendmsg)
++-     _ABI_SYSCALL_MUX_CHK(recvmsg)
++-     _ABI_SYSCALL_MUX_CHK(accept4)
++-     _ABI_SYSCALL_MUX_CHK(recvmmsg)
++-     _ABI_SYSCALL_MUX_CHK(sendmmsg)
++-     _ABI_SYSCALL_MUX_CHK(semop)
++-     _ABI_SYSCALL_MUX_CHK(semget)
++-     _ABI_SYSCALL_MUX_CHK(semctl)
++-     _ABI_SYSCALL_MUX_CHK(semtimedop)
++-     _ABI_SYSCALL_MUX_CHK(msgsnd)
++-     _ABI_SYSCALL_MUX_CHK(msgrcv)
++-     _ABI_SYSCALL_MUX_CHK(msgget)
++-     _ABI_SYSCALL_MUX_CHK(msgctl)
++-     _ABI_SYSCALL_MUX_CHK(shmat)
++-     _ABI_SYSCALL_MUX_CHK(shmdt)
++-     _ABI_SYSCALL_MUX_CHK(shmget)
++-     _ABI_SYSCALL_MUX_CHK(shmctl)
++-
++-     return __NR_SCMP_ERROR;
++-}
++-
++-/**
++- * Rewrite a syscall value to match the architecture
++- * @param syscall the syscall number
++- *
++- * Syscalls can vary across different architectures so this function rewrites
++- * the syscall into the correct value for the specified architecture.  Returns
++- * zero on success, negative values on failure.
++- *
++- */
++-int mips_syscall_rewrite(int *syscall)
++-{
++-     int sys = *syscall;
++-
++-     if (sys <= -100 && sys >= -120)
++-             *syscall = __mips_NR_socketcall;
++-     else if (sys <= -200 && sys >= -224)
++-             *syscall = __mips_NR_ipc;
++-     else if (sys < 0)
++-             return -EDOM;
++-
++-     return 0;
++-}
++-
++-/**
++- * add a new rule to the mips seccomp filter
++- * @param db the seccomp filter db
++- * @param rule the filter rule
++- *
++- * This function adds a new syscall filter to the seccomp filter db, making any
++- * necessary adjustments for the mips ABI.  Returns zero on success, negative
++- * values on failure.
++- *
++- * It is important to note that in the case of failure the db may be corrupted,
++- * the caller must use the transaction mechanism if the db integrity is
++- * important.
++- *
++- */
++-int mips_rule_add(struct db_filter *db, struct db_api_rule_list *rule)
++-{
++-     int rc = 0;
++-     unsigned int iter;
++-     int sys = rule->syscall;
++-     int sys_a, sys_b;
++-     struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL;
++-
++-     if (_mips_syscall_socket_test(sys)) {
++-             /* socket syscalls */
++-
++-             /* strict check for the multiplexed socket syscalls */
++-             for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
++-                     if ((rule->args[iter].valid != 0) && (rule->strict)) {
++-                             rc = -EINVAL;
++-                             goto add_return;
++-                     }
++-             }
++-
++-             /* determine both the muxed and direct syscall numbers */
++-             if (sys > 0) {
++-                     sys_a = _mips_syscall_mux(sys);
++-                     if (sys_a == __NR_SCMP_ERROR) {
++-                             rc = __NR_SCMP_ERROR;
++-                             goto add_return;
++-                     }
++-                     sys_b = sys;
++-             } else {
++-                     sys_a = sys;
++-                     sys_b = _mips_syscall_demux(sys);
++-                     if (sys_b == __NR_SCMP_ERROR) {
++-                             rc = __NR_SCMP_ERROR;
++-                             goto add_return;
++-                     }
++-             }
++-
++-             /* use rule_a for the multiplexed syscall and use rule_b for
++-              * the direct wired syscall */
++-
++-             if (sys_a == __NR_SCMP_UNDEF) {
++-                     rule_a = NULL;
++-                     rule_b = rule;
++-             } else if (sys_b == __NR_SCMP_UNDEF) {
++-                     rule_a = rule;
++-                     rule_b = NULL;
++-             } else {
++-                     /* need two rules, dup the first and link together */
++-                     rule_a = rule;
++-                     rule_dup = db_rule_dup(rule_a);
++-                     rule_b = rule_dup;
++-                     if (rule_b == NULL)
++-                             goto add_return;
++-                     rule_b->prev = rule_a;
++-                     rule_b->next = NULL;
++-                     rule_a->next = rule_b;
++-             }
++-
++-             /* multiplexed socket syscalls */
++-             if (rule_a != NULL) {
++-                     rule_a->syscall = __mips_NR_socketcall;
++-                     rule_a->args[0].arg = 0;
++-                     rule_a->args[0].op = SCMP_CMP_EQ;
++-                     rule_a->args[0].mask = DATUM_MAX;
++-                     rule_a->args[0].datum = (-sys_a) % 100;
++-                     rule_a->args[0].valid = 1;
++-             }
++-
++-             /* direct wired socket syscalls */
++-             if (rule_b != NULL)
++-                     rule_b->syscall = sys_b;
++-
++-             /* we should be protected by a transaction checkpoint */
++-             if (rule_a != NULL) {
++-                     rc = db_rule_add(db, rule_a);
++-                     if (rc < 0)
++-                             goto add_return;
++-             }
++-             if (rule_b != NULL) {
++-                     rc = db_rule_add(db, rule_b);
++-                     if (rc < 0)
++-                             goto add_return;
++-             }
++-     } else if (_mips_syscall_ipc_test(sys)) {
++-             /* ipc syscalls */
++-
++-             /* strict check for the multiplexed socket syscalls */
++-             for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
++-                     if ((rule->args[iter].valid != 0) && (rule->strict)) {
++-                             rc = -EINVAL;
++-                             goto add_return;
++-                     }
++-             }
++-
++-             /* determine both the muxed and direct syscall numbers */
++-             if (sys > 0) {
++-                     sys_a = _mips_syscall_mux(sys);
++-                     if (sys_a == __NR_SCMP_ERROR) {
++-                             rc = __NR_SCMP_ERROR;
++-                             goto add_return;
++-                     }
++-                     sys_b = sys;
++-             } else {
++-                     sys_a = sys;
++-                     sys_b = _mips_syscall_demux(sys);
++-                     if (sys_b == __NR_SCMP_ERROR) {
++-                             rc = __NR_SCMP_ERROR;
++-                             goto add_return;
++-                     }
++-             }
++-
++-             /* use rule_a for the multiplexed syscall and use rule_b for
++-              * the direct wired syscall */
++-
++-             if (sys_a == __NR_SCMP_UNDEF) {
++-                     rule_a = NULL;
++-                     rule_b = rule;
++-             } else if (sys_b == __NR_SCMP_UNDEF) {
++-                     rule_a = rule;
++-                     rule_b = NULL;
++-             } else {
++-                     /* need two rules, dup the first and link together */
++-                     rule_a = rule;
++-                     rule_dup = db_rule_dup(rule_a);
++-                     rule_b = rule_dup;
++-                     if (rule_b == NULL)
++-                             goto add_return;
++-                     rule_b->prev = rule_a;
++-                     rule_b->next = NULL;
++-                     rule_a->next = rule_b;
++-             }
++-
++-             /* multiplexed socket syscalls */
++-             if (rule_a != NULL) {
++-                     rule_a->syscall = __mips_NR_ipc;
++-                     rule_a->args[0].arg = 0;
++-                     rule_a->args[0].op = SCMP_CMP_EQ;
++-                     rule_a->args[0].mask = DATUM_MAX;
++-                     rule_a->args[0].datum = (-sys_a) % 200;
++-                     rule_a->args[0].valid = 1;
++-             }
++-
++-             /* direct wired socket syscalls */
++-             if (rule_b != NULL)
++-                     rule_b->syscall = sys_b;
++-
++-             /* we should be protected by a transaction checkpoint */
++-             if (rule_a != NULL) {
++-                     rc = db_rule_add(db, rule_a);
++-                     if (rc < 0)
++-                             goto add_return;
++-             }
++-             if (rule_b != NULL) {
++-                     rc = db_rule_add(db, rule_b);
++-                     if (rc < 0)
++-                             goto add_return;
++-             }
++-     } else if (sys >= 0) {
++-             /* normal syscall processing */
++-             rc = db_rule_add(db, rule);
++-             if (rc < 0)
++-                     goto add_return;
++-     } else if (rule->strict) {
++-             rc = -EDOM;
++-             goto add_return;
++-     }
++-
++-add_return:
++-     if (rule_dup != NULL)
++-             free(rule_dup);
++-     return rc;
++-}
++-
++ const struct arch_def arch_def_mips = {
++      .token = SCMP_ARCH_MIPS,
++      .token_bpf = AUDIT_ARCH_MIPS,
++@@ -557,8 +75,8 @@ const struct arch_def arch_def_mips = {
++      .endian = ARCH_ENDIAN_BIG,
++      .syscall_resolve_name = mips_syscall_resolve_name_munge,
++      .syscall_resolve_num = mips_syscall_resolve_num_munge,
++-     .syscall_rewrite = mips_syscall_rewrite,
++-     .rule_add = mips_rule_add,
+++     .syscall_rewrite = NULL,
+++     .rule_add = NULL,
++ };
++ 
++ const struct arch_def arch_def_mipsel = {
++@@ -568,6 +86,6 @@ const struct arch_def arch_def_mipsel = {
++      .endian = ARCH_ENDIAN_LITTLE,
++      .syscall_resolve_name = mips_syscall_resolve_name_munge,
++      .syscall_resolve_num = mips_syscall_resolve_num_munge,
++-     .syscall_rewrite = mips_syscall_rewrite,
++-     .rule_add = mips_rule_add,
+++     .syscall_rewrite = NULL,
+++     .rule_add = NULL,
++ };

diff --cc debian/patches/revert_ppc_add_multiplexed_syscall_support_to_PPC.patch
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..974b550323a4a3b1a2d5ae9946ecfbf938d29c77
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/patches/revert_ppc_add_multiplexed_syscall_support_to_PPC.patch
@@@ -1,0 -1,0 +1,563 @@@
++REVERTS
++
++From f93a872fbc404df3dd3739dd399ad67f139fb1fa Mon Sep 17 00:00:00 2001
++From: Paul Moore <paul@paul-moore.com>
++Date: Tue, 3 Aug 2021 23:21:55 -0400
++Subject: [PATCH] ppc: add multiplexed syscall support to PPC
++
++Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
++Signed-off-by: Paul Moore <paul@paul-moore.com>
++
++(imported from commit 255801bccf89343c684b2b94e85d9e0df484c133)
++---
++ src/arch-ppc.c | 530 ++++++++++++++++++++++++++++++++++++++++++++++++-
++ 1 file changed, 526 insertions(+), 4 deletions(-)
++
++diff --git a/src/arch-ppc.c b/src/arch-ppc.c
++--- a/src/arch-ppc.c
+++++ b/src/arch-ppc.c
++@@ -20,540 +20,18 @@
++  * along with this library; if not, see <http://www.gnu.org/licenses>.
++  */
++ 
++-#include <stdlib.h>
++-#include <errno.h>
++-#include <string.h>
++ #include <linux/audit.h>
++ 
++-#include "db.h"
++-#include "syscalls.h"
++ #include "arch.h"
++ #include "arch-ppc.h"
++ 
++-/* ppc syscall numbers */
++-#define __ppc_NR_socketcall          102
++-#define __ppc_NR_ipc                 117
++-
++-/**
++- * Resolve a syscall name to a number
++- * @param name the syscall name
++- *
++- * Resolve the given syscall name to the syscall number using the syscall table.
++- * Returns the syscall number on success, including negative pseudo syscall
++- * numbers; returns __NR_SCMP_ERROR on failure.
++- *
++- */
++-int ppc_syscall_resolve_name_munge(const char *name)
++-{
++-
++-#define _ABI_SYSCALL_RES_NAME_CHK(NAME) \
++-     if (!strcmp(name, #NAME)) return __PNR_##NAME;
++-
++-     _ABI_SYSCALL_RES_NAME_CHK(socket)
++-     _ABI_SYSCALL_RES_NAME_CHK(bind)
++-     _ABI_SYSCALL_RES_NAME_CHK(connect)
++-     _ABI_SYSCALL_RES_NAME_CHK(listen)
++-     _ABI_SYSCALL_RES_NAME_CHK(accept)
++-     _ABI_SYSCALL_RES_NAME_CHK(getsockname)
++-     _ABI_SYSCALL_RES_NAME_CHK(getpeername)
++-     _ABI_SYSCALL_RES_NAME_CHK(socketpair)
++-     _ABI_SYSCALL_RES_NAME_CHK(send)
++-     _ABI_SYSCALL_RES_NAME_CHK(recv)
++-     _ABI_SYSCALL_RES_NAME_CHK(sendto)
++-     _ABI_SYSCALL_RES_NAME_CHK(recvfrom)
++-     _ABI_SYSCALL_RES_NAME_CHK(shutdown)
++-     _ABI_SYSCALL_RES_NAME_CHK(setsockopt)
++-     _ABI_SYSCALL_RES_NAME_CHK(getsockopt)
++-     _ABI_SYSCALL_RES_NAME_CHK(sendmsg)
++-     _ABI_SYSCALL_RES_NAME_CHK(recvmsg)
++-     _ABI_SYSCALL_RES_NAME_CHK(accept4)
++-     _ABI_SYSCALL_RES_NAME_CHK(recvmmsg)
++-     _ABI_SYSCALL_RES_NAME_CHK(sendmmsg)
++-     _ABI_SYSCALL_RES_NAME_CHK(semop)
++-     _ABI_SYSCALL_RES_NAME_CHK(semget)
++-     _ABI_SYSCALL_RES_NAME_CHK(semctl)
++-     _ABI_SYSCALL_RES_NAME_CHK(semtimedop)
++-     _ABI_SYSCALL_RES_NAME_CHK(msgsnd)
++-     _ABI_SYSCALL_RES_NAME_CHK(msgrcv)
++-     _ABI_SYSCALL_RES_NAME_CHK(msgget)
++-     _ABI_SYSCALL_RES_NAME_CHK(msgctl)
++-     _ABI_SYSCALL_RES_NAME_CHK(shmat)
++-     _ABI_SYSCALL_RES_NAME_CHK(shmdt)
++-     _ABI_SYSCALL_RES_NAME_CHK(shmget)
++-     _ABI_SYSCALL_RES_NAME_CHK(shmctl)
++-
++-     return ppc_syscall_resolve_name(name);
++-}
++-
++-/**
++- * Resolve a syscall number to a name
++- * @param num the syscall number
++- *
++- * Resolve the given syscall number to the syscall name using the syscall table.
++- * Returns a pointer to the syscall name string on success, including pseudo
++- * syscall names; returns NULL on failure.
++- *
++- */
++-const char *ppc_syscall_resolve_num_munge(int num)
++-{
++-
++-#define _ABI_SYSCALL_RES_NUM_CHK(NAME) \
++-     if (num == __PNR_##NAME) return #NAME;
++-
++-     _ABI_SYSCALL_RES_NUM_CHK(socket)
++-     _ABI_SYSCALL_RES_NUM_CHK(bind)
++-     _ABI_SYSCALL_RES_NUM_CHK(connect)
++-     _ABI_SYSCALL_RES_NUM_CHK(listen)
++-     _ABI_SYSCALL_RES_NUM_CHK(accept)
++-     _ABI_SYSCALL_RES_NUM_CHK(getsockname)
++-     _ABI_SYSCALL_RES_NUM_CHK(getpeername)
++-     _ABI_SYSCALL_RES_NUM_CHK(socketpair)
++-     _ABI_SYSCALL_RES_NUM_CHK(send)
++-     _ABI_SYSCALL_RES_NUM_CHK(recv)
++-     _ABI_SYSCALL_RES_NUM_CHK(sendto)
++-     _ABI_SYSCALL_RES_NUM_CHK(recvfrom)
++-     _ABI_SYSCALL_RES_NUM_CHK(shutdown)
++-     _ABI_SYSCALL_RES_NUM_CHK(setsockopt)
++-     _ABI_SYSCALL_RES_NUM_CHK(getsockopt)
++-     _ABI_SYSCALL_RES_NUM_CHK(sendmsg)
++-     _ABI_SYSCALL_RES_NUM_CHK(recvmsg)
++-     _ABI_SYSCALL_RES_NUM_CHK(accept4)
++-     _ABI_SYSCALL_RES_NUM_CHK(recvmmsg)
++-     _ABI_SYSCALL_RES_NUM_CHK(sendmmsg)
++-     _ABI_SYSCALL_RES_NUM_CHK(semop)
++-     _ABI_SYSCALL_RES_NUM_CHK(semget)
++-     _ABI_SYSCALL_RES_NUM_CHK(semctl)
++-     _ABI_SYSCALL_RES_NUM_CHK(semtimedop)
++-     _ABI_SYSCALL_RES_NUM_CHK(msgsnd)
++-     _ABI_SYSCALL_RES_NUM_CHK(msgrcv)
++-     _ABI_SYSCALL_RES_NUM_CHK(msgget)
++-     _ABI_SYSCALL_RES_NUM_CHK(msgctl)
++-     _ABI_SYSCALL_RES_NUM_CHK(shmat)
++-     _ABI_SYSCALL_RES_NUM_CHK(shmdt)
++-     _ABI_SYSCALL_RES_NUM_CHK(shmget)
++-     _ABI_SYSCALL_RES_NUM_CHK(shmctl)
++-
++-     return ppc_syscall_resolve_num(num);
++-}
++-
++-/**
++- * Check if a syscall is a socket syscall
++- * @param sys the syscall number
++- *
++- * Returns true if the syscall is a socket related syscall, false otherwise.
++- *
++- */
++-static bool _ppc_syscall_socket_test(int sys)
++-{
++-     const char *name;
++-
++-     /* multiplexed pseduo-syscalls */
++-     if (sys <= -100 && sys >= -120)
++-             return true;
++-
++-     name = ppc_syscall_resolve_num(sys);
++-     if (!name)
++-             return false;
++-
++-#define _ABI_SYSCALL_SOCK_CHK(NAME) \
++-     if (!strcmp(name, #NAME)) return true;
++-
++-     _ABI_SYSCALL_SOCK_CHK(socket)
++-     _ABI_SYSCALL_SOCK_CHK(bind)
++-     _ABI_SYSCALL_SOCK_CHK(connect)
++-     _ABI_SYSCALL_SOCK_CHK(listen)
++-     _ABI_SYSCALL_SOCK_CHK(accept)
++-     _ABI_SYSCALL_SOCK_CHK(getsockname)
++-     _ABI_SYSCALL_SOCK_CHK(getpeername)
++-     _ABI_SYSCALL_SOCK_CHK(socketpair)
++-     _ABI_SYSCALL_SOCK_CHK(send)
++-     _ABI_SYSCALL_SOCK_CHK(recv)
++-     _ABI_SYSCALL_SOCK_CHK(sendto)
++-     _ABI_SYSCALL_SOCK_CHK(recvfrom)
++-     _ABI_SYSCALL_SOCK_CHK(shutdown)
++-     _ABI_SYSCALL_SOCK_CHK(setsockopt)
++-     _ABI_SYSCALL_SOCK_CHK(getsockopt)
++-     _ABI_SYSCALL_SOCK_CHK(sendmsg)
++-     _ABI_SYSCALL_SOCK_CHK(recvmsg)
++-     _ABI_SYSCALL_SOCK_CHK(accept4)
++-     _ABI_SYSCALL_SOCK_CHK(recvmmsg)
++-     _ABI_SYSCALL_SOCK_CHK(sendmmsg)
++-
++-     return false;
++-}
++-
++-/**
++- * Check if a syscall is an ipc syscall
++- * @param sys the syscall number
++- *
++- * Returns true if the syscall is an ipc related syscall, false otherwise.
++- *
++- */
++-static bool _ppc_syscall_ipc_test(int sys)
++-{
++-     const char *name;
++-
++-     /* multiplexed pseduo-syscalls */
++-     if (sys <= -200 && sys >= -224)
++-             return true;
++-
++-     name = ppc_syscall_resolve_num(sys);
++-     if (!name)
++-             return false;
++-
++-#define _ABI_SYSCALL_IPC_CHK(NAME) \
++-     if (!strcmp(name, #NAME)) return true;
++-
++-     _ABI_SYSCALL_IPC_CHK(semop)
++-     _ABI_SYSCALL_IPC_CHK(semget)
++-     _ABI_SYSCALL_IPC_CHK(semctl)
++-     _ABI_SYSCALL_IPC_CHK(semtimedop)
++-     _ABI_SYSCALL_IPC_CHK(msgsnd)
++-     _ABI_SYSCALL_IPC_CHK(msgrcv)
++-     _ABI_SYSCALL_IPC_CHK(msgget)
++-     _ABI_SYSCALL_IPC_CHK(msgctl)
++-     _ABI_SYSCALL_IPC_CHK(shmat)
++-     _ABI_SYSCALL_IPC_CHK(shmdt)
++-     _ABI_SYSCALL_IPC_CHK(shmget)
++-     _ABI_SYSCALL_IPC_CHK(shmctl)
++-
++-     return false;
++-}
++-
++-/**
++- * Convert a multiplexed pseudo syscall into a direct syscall
++- * @param syscall the multiplexed pseudo syscall number
++- *
++- * Return the related direct syscall number, __NR_SCMP_UNDEF is there is
++- * no related syscall, or __NR_SCMP_ERROR otherwise.
++- *
++- */
++-static int _ppc_syscall_demux(int syscall)
++-{
++-     int sys = __NR_SCMP_UNDEF;
++-
++-#define _ABI_SYSCALL_DEMUX_CHK(NAME) \
++-case __PNR_##NAME: \
++-     sys = ppc_syscall_resolve_name(#NAME); break;
++-
++-     switch (syscall) {
++-             _ABI_SYSCALL_DEMUX_CHK(socket)
++-             _ABI_SYSCALL_DEMUX_CHK(bind)
++-             _ABI_SYSCALL_DEMUX_CHK(connect)
++-             _ABI_SYSCALL_DEMUX_CHK(listen)
++-             _ABI_SYSCALL_DEMUX_CHK(accept)
++-             _ABI_SYSCALL_DEMUX_CHK(getsockname)
++-             _ABI_SYSCALL_DEMUX_CHK(getpeername)
++-             _ABI_SYSCALL_DEMUX_CHK(socketpair)
++-             _ABI_SYSCALL_DEMUX_CHK(send)
++-             _ABI_SYSCALL_DEMUX_CHK(recv)
++-             _ABI_SYSCALL_DEMUX_CHK(sendto)
++-             _ABI_SYSCALL_DEMUX_CHK(recvfrom)
++-             _ABI_SYSCALL_DEMUX_CHK(shutdown)
++-             _ABI_SYSCALL_DEMUX_CHK(setsockopt)
++-             _ABI_SYSCALL_DEMUX_CHK(getsockopt)
++-             _ABI_SYSCALL_DEMUX_CHK(sendmsg)
++-             _ABI_SYSCALL_DEMUX_CHK(recvmsg)
++-             _ABI_SYSCALL_DEMUX_CHK(accept4)
++-             _ABI_SYSCALL_DEMUX_CHK(recvmmsg)
++-             _ABI_SYSCALL_DEMUX_CHK(sendmmsg)
++-             _ABI_SYSCALL_DEMUX_CHK(semop)
++-             _ABI_SYSCALL_DEMUX_CHK(semget)
++-             _ABI_SYSCALL_DEMUX_CHK(semctl)
++-             _ABI_SYSCALL_DEMUX_CHK(semtimedop)
++-             _ABI_SYSCALL_DEMUX_CHK(msgsnd)
++-             _ABI_SYSCALL_DEMUX_CHK(msgrcv)
++-             _ABI_SYSCALL_DEMUX_CHK(msgget)
++-             _ABI_SYSCALL_DEMUX_CHK(msgctl)
++-             _ABI_SYSCALL_DEMUX_CHK(shmat)
++-             _ABI_SYSCALL_DEMUX_CHK(shmdt)
++-             _ABI_SYSCALL_DEMUX_CHK(shmget)
++-             _ABI_SYSCALL_DEMUX_CHK(shmctl)
++-     }
++-
++-     /* this looks odd because the arch resolver returns _ERROR if it can't
++-      * resolve the syscall, but we want to use _UNDEF for that, so we set
++-      * 'sys' to a sentinel value of _UNDEF and if it is error here we know
++-      * the resolve failed to find a match */
++-     if (sys == __NR_SCMP_UNDEF)
++-             sys = __NR_SCMP_ERROR;
++-     else if (sys == __NR_SCMP_ERROR)
++-             sys = __NR_SCMP_UNDEF;
++-
++-     return sys;
++-}
++-
++-/**
++- * Convert a direct syscall into multiplexed pseudo socket syscall
++- * @param syscall the direct syscall
++- *
++- * Return the related multiplexed pseduo syscall number, __NR_SCMP_UNDEF is
++- * there is no related pseudo syscall, or __NR_SCMP_ERROR otherwise.
++- *
++- */
++-static int _ppc_syscall_mux(int syscall)
++-{
++-     const char *sys;
++-
++-     sys = ppc_syscall_resolve_num(syscall);
++-     if (!sys)
++-             return __NR_SCMP_ERROR;
++-
++-#define _ABI_SYSCALL_MUX_CHK(NAME) \
++-     if (!strcmp(sys, #NAME)) return __PNR_##NAME;
++-
++-     _ABI_SYSCALL_MUX_CHK(socket)
++-     _ABI_SYSCALL_MUX_CHK(bind)
++-     _ABI_SYSCALL_MUX_CHK(connect)
++-     _ABI_SYSCALL_MUX_CHK(listen)
++-     _ABI_SYSCALL_MUX_CHK(accept)
++-     _ABI_SYSCALL_MUX_CHK(getsockname)
++-     _ABI_SYSCALL_MUX_CHK(getpeername)
++-     _ABI_SYSCALL_MUX_CHK(socketpair)
++-     _ABI_SYSCALL_MUX_CHK(send)
++-     _ABI_SYSCALL_MUX_CHK(recv)
++-     _ABI_SYSCALL_MUX_CHK(sendto)
++-     _ABI_SYSCALL_MUX_CHK(recvfrom)
++-     _ABI_SYSCALL_MUX_CHK(shutdown)
++-     _ABI_SYSCALL_MUX_CHK(setsockopt)
++-     _ABI_SYSCALL_MUX_CHK(getsockopt)
++-     _ABI_SYSCALL_MUX_CHK(sendmsg)
++-     _ABI_SYSCALL_MUX_CHK(recvmsg)
++-     _ABI_SYSCALL_MUX_CHK(accept4)
++-     _ABI_SYSCALL_MUX_CHK(recvmmsg)
++-     _ABI_SYSCALL_MUX_CHK(sendmmsg)
++-     _ABI_SYSCALL_MUX_CHK(semop)
++-     _ABI_SYSCALL_MUX_CHK(semget)
++-     _ABI_SYSCALL_MUX_CHK(semctl)
++-     _ABI_SYSCALL_MUX_CHK(semtimedop)
++-     _ABI_SYSCALL_MUX_CHK(msgsnd)
++-     _ABI_SYSCALL_MUX_CHK(msgrcv)
++-     _ABI_SYSCALL_MUX_CHK(msgget)
++-     _ABI_SYSCALL_MUX_CHK(msgctl)
++-     _ABI_SYSCALL_MUX_CHK(shmat)
++-     _ABI_SYSCALL_MUX_CHK(shmdt)
++-     _ABI_SYSCALL_MUX_CHK(shmget)
++-     _ABI_SYSCALL_MUX_CHK(shmctl)
++-
++-     return __NR_SCMP_ERROR;
++-}
++-
++-/**
++- * Rewrite a syscall value to match the architecture
++- * @param syscall the syscall number
++- *
++- * Syscalls can vary across different architectures so this function rewrites
++- * the syscall into the correct value for the specified architecture.  Returns
++- * zero on success, negative values on failure.
++- *
++- */
++-int ppc_syscall_rewrite(int *syscall)
++-{
++-     int sys = *syscall;
++-
++-     if (sys <= -100 && sys >= -120)
++-             *syscall = __ppc_NR_socketcall;
++-     else if (sys <= -200 && sys >= -224)
++-             *syscall = __ppc_NR_ipc;
++-     else if (sys < 0)
++-             return -EDOM;
++-
++-     return 0;
++-}
++-
++-/**
++- * add a new rule to the ppc seccomp filter
++- * @param db the seccomp filter db
++- * @param rule the filter rule
++- *
++- * This function adds a new syscall filter to the seccomp filter db, making any
++- * necessary adjustments for the ppc ABI.  Returns zero on success, negative
++- * values on failure.
++- *
++- * It is important to note that in the case of failure the db may be corrupted,
++- * the caller must use the transaction mechanism if the db integrity is
++- * important.
++- *
++- */
++-int ppc_rule_add(struct db_filter *db, struct db_api_rule_list *rule)
++-{
++-     int rc = 0;
++-     unsigned int iter;
++-     int sys = rule->syscall;
++-     int sys_a, sys_b;
++-     struct db_api_rule_list *rule_a, *rule_b, *rule_dup = NULL;
++-
++-     if (_ppc_syscall_socket_test(sys)) {
++-             /* socket syscalls */
++-
++-             /* strict check for the multiplexed socket syscalls */
++-             for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
++-                     if ((rule->args[iter].valid != 0) && (rule->strict)) {
++-                             rc = -EINVAL;
++-                             goto add_return;
++-                     }
++-             }
++-
++-             /* determine both the muxed and direct syscall numbers */
++-             if (sys > 0) {
++-                     sys_a = _ppc_syscall_mux(sys);
++-                     if (sys_a == __NR_SCMP_ERROR) {
++-                             rc = __NR_SCMP_ERROR;
++-                             goto add_return;
++-                     }
++-                     sys_b = sys;
++-             } else {
++-                     sys_a = sys;
++-                     sys_b = _ppc_syscall_demux(sys);
++-                     if (sys_b == __NR_SCMP_ERROR) {
++-                             rc = __NR_SCMP_ERROR;
++-                             goto add_return;
++-                     }
++-             }
++-
++-             /* use rule_a for the multiplexed syscall and use rule_b for
++-              * the direct wired syscall */
++-
++-             if (sys_a == __NR_SCMP_UNDEF) {
++-                     rule_a = NULL;
++-                     rule_b = rule;
++-             } else if (sys_b == __NR_SCMP_UNDEF) {
++-                     rule_a = rule;
++-                     rule_b = NULL;
++-             } else {
++-                     /* need two rules, dup the first and link together */
++-                     rule_a = rule;
++-                     rule_dup = db_rule_dup(rule_a);
++-                     rule_b = rule_dup;
++-                     if (rule_b == NULL)
++-                             goto add_return;
++-                     rule_b->prev = rule_a;
++-                     rule_b->next = NULL;
++-                     rule_a->next = rule_b;
++-             }
++-
++-             /* multiplexed socket syscalls */
++-             if (rule_a != NULL) {
++-                     rule_a->syscall = __ppc_NR_socketcall;
++-                     rule_a->args[0].arg = 0;
++-                     rule_a->args[0].op = SCMP_CMP_EQ;
++-                     rule_a->args[0].mask = DATUM_MAX;
++-                     rule_a->args[0].datum = (-sys_a) % 100;
++-                     rule_a->args[0].valid = 1;
++-             }
++-
++-             /* direct wired socket syscalls */
++-             if (rule_b != NULL)
++-                     rule_b->syscall = sys_b;
++-
++-             /* we should be protected by a transaction checkpoint */
++-             if (rule_a != NULL) {
++-                     rc = db_rule_add(db, rule_a);
++-                     if (rc < 0)
++-                             goto add_return;
++-             }
++-             if (rule_b != NULL) {
++-                     rc = db_rule_add(db, rule_b);
++-                     if (rc < 0)
++-                             goto add_return;
++-             }
++-     } else if (_ppc_syscall_ipc_test(sys)) {
++-             /* ipc syscalls */
++-
++-             /* strict check for the multiplexed socket syscalls */
++-             for (iter = 0; iter < ARG_COUNT_MAX; iter++) {
++-                     if ((rule->args[iter].valid != 0) && (rule->strict)) {
++-                             rc = -EINVAL;
++-                             goto add_return;
++-                     }
++-             }
++-
++-             /* determine both the muxed and direct syscall numbers */
++-             if (sys > 0) {
++-                     sys_a = _ppc_syscall_mux(sys);
++-                     if (sys_a == __NR_SCMP_ERROR) {
++-                             rc = __NR_SCMP_ERROR;
++-                             goto add_return;
++-                     }
++-                     sys_b = sys;
++-             } else {
++-                     sys_a = sys;
++-                     sys_b = _ppc_syscall_demux(sys);
++-                     if (sys_b == __NR_SCMP_ERROR) {
++-                             rc = __NR_SCMP_ERROR;
++-                             goto add_return;
++-                     }
++-             }
++-
++-             /* use rule_a for the multiplexed syscall and use rule_b for
++-              * the direct wired syscall */
++-
++-             if (sys_a == __NR_SCMP_UNDEF) {
++-                     rule_a = NULL;
++-                     rule_b = rule;
++-             } else if (sys_b == __NR_SCMP_UNDEF) {
++-                     rule_a = rule;
++-                     rule_b = NULL;
++-             } else {
++-                     /* need two rules, dup the first and link together */
++-                     rule_a = rule;
++-                     rule_dup = db_rule_dup(rule_a);
++-                     rule_b = rule_dup;
++-                     if (rule_b == NULL)
++-                             goto add_return;
++-                     rule_b->prev = rule_a;
++-                     rule_b->next = NULL;
++-                     rule_a->next = rule_b;
++-             }
++-
++-             /* multiplexed socket syscalls */
++-             if (rule_a != NULL) {
++-                     rule_a->syscall = __ppc_NR_ipc;
++-                     rule_a->args[0].arg = 0;
++-                     rule_a->args[0].op = SCMP_CMP_EQ;
++-                     rule_a->args[0].mask = DATUM_MAX;
++-                     rule_a->args[0].datum = (-sys_a) % 200;
++-                     rule_a->args[0].valid = 1;
++-             }
++-
++-             /* direct wired socket syscalls */
++-             if (rule_b != NULL)
++-                     rule_b->syscall = sys_b;
++-
++-             /* we should be protected by a transaction checkpoint */
++-             if (rule_a != NULL) {
++-                     rc = db_rule_add(db, rule_a);
++-                     if (rc < 0)
++-                             goto add_return;
++-             }
++-             if (rule_b != NULL) {
++-                     rc = db_rule_add(db, rule_b);
++-                     if (rc < 0)
++-                             goto add_return;
++-             }
++-     } else if (sys >= 0) {
++-             /* normal syscall processing */
++-             rc = db_rule_add(db, rule);
++-             if (rc < 0)
++-                     goto add_return;
++-     } else if (rule->strict) {
++-             rc = -EDOM;
++-             goto add_return;
++-     }
++-
++-add_return:
++-     if (rule_dup != NULL)
++-             free(rule_dup);
++-     return rc;
++-}
++-
++ const struct arch_def arch_def_ppc = {
++      .token = SCMP_ARCH_PPC,
++      .token_bpf = AUDIT_ARCH_PPC,
++      .size = ARCH_SIZE_32,
++      .endian = ARCH_ENDIAN_BIG,
++-     .syscall_resolve_name = ppc_syscall_resolve_name_munge,
++-     .syscall_resolve_num = ppc_syscall_resolve_num_munge,
++-     .syscall_rewrite = ppc_syscall_rewrite,
++-     .rule_add = ppc_rule_add,
+++     .syscall_resolve_name = ppc_syscall_resolve_name,
+++     .syscall_resolve_num = ppc_syscall_resolve_num,
+++     .syscall_rewrite = NULL,
+++     .rule_add = NULL,
++ };

diff --cc debian/patches/revert_various_additions_to_improve_code_coverage.patch
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..327017086d7fc278247199802a64e373fb9da192
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/patches/revert_various_additions_to_improve_code_coverage.patch
@@@ -1,0 -1,0 +1,1110 @@@
++REVERTS
++
++From aa0f858aa58d51c93a176c60a4c83a4a303bcffd Mon Sep 17 00:00:00 2001
++From: Paul Moore <paul@paul-moore.com>
++Date: Tue, 3 Aug 2021 14:12:50 -0400
++Subject: [PATCH] tests: various additions to improve code coverage
++
++Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
++Signed-off-by: Paul Moore <paul@paul-moore.com>
++
++(imported from commit fcc601279004a7f4c2f6ebf766acb4556b0f5e65)
++---
++ tests/11-basic-basic_errors.c         |  52 +++
++ tests/15-basic-resolver.c             |  40 ++
++ tests/30-sim-socket_syscalls.c        |  62 ++-
++ tests/33-sim-socket_syscalls_be.c     |   3 +
++ tests/33-sim-socket_syscalls_be.py    |   1 +
++ tests/33-sim-socket_syscalls_be.tests |  42 +-
++ tests/36-sim-ipc_syscalls.c           |   3 +
++ tests/36-sim-ipc_syscalls.py          |   1 +
++ tests/36-sim-ipc_syscalls.tests       |  50 +--
++ tests/37-sim-ipc_syscalls_be.c        |   3 +
++ tests/37-sim-ipc_syscalls_be.py       |   1 +
++ tests/37-sim-ipc_syscalls_be.tests    |  26 +-
++ tests/38-basic-pfc_coverage.c         |  27 ++
++ tests/38-basic-pfc_coverage.pfc       | 534 ++++++++++++++++++++++++++
++ tests/52-basic-load.c                 |  23 ++
++ 15 files changed, 804 insertions(+), 64 deletions(-)
++
++diff --git a/tests/11-basic-basic_errors.c b/tests/11-basic-basic_errors.c
++--- a/tests/11-basic-basic_errors.c
+++++ b/tests/11-basic-basic_errors.c
++@@ -29,8 +29,6 @@ int main(int argc, char *argv[])
++      int rc;
++      scmp_filter_ctx ctx;
++      uint32_t attr;
++-     struct seccomp_notif *req = NULL;
++-     struct seccomp_notif_resp *resp = NULL;
++ 
++      /* seccomp_init errors */
++      ctx = seccomp_init(SCMP_ACT_ALLOW + 1);
++@@ -125,9 +123,6 @@ int main(int argc, char *argv[])
++              return -1;
++      rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1,
++                                  SCMP_A0(SCMP_CMP_EQ, 2));
++-     if (rc != -EINVAL)
++-             return -1;
++-     rc = seccomp_rule_add_exact(ctx, 0xdeadbeef, SCMP_SYS(open), 0);
++      if (rc != -EINVAL)
++              return -1;
++      seccomp_release(ctx);
++@@ -185,53 +180,6 @@ int main(int argc, char *argv[])
++      rc = seccomp_attr_set(ctx, 1000, 1);
++      if (rc != -EINVAL)
++              return -1;
++-     seccomp_release(ctx);
++-     ctx = NULL;
++-
++-     /* seccomp_merge() errors */
++-     ctx = seccomp_init(SCMP_ACT_ALLOW);
++-     if (ctx == NULL)
++-             return -1;
++-     rc = seccomp_merge(ctx, NULL);
++-     if (rc == 0)
++-             return -1;
++-     seccomp_release(ctx);
++-     ctx = NULL;
++-
++-     /* seccomp notify errors */
++-     ctx = seccomp_init(SCMP_ACT_ALLOW);
++-     if (ctx == NULL)
++-             return -1;
++-     rc = seccomp_notify_alloc(NULL, NULL);
++-     if (rc != 0)
++-             return -1;
++-     rc = seccomp_notify_alloc(&req, NULL);
++-     if (rc != 0)
++-             return -1;
++-     rc = seccomp_notify_alloc(NULL, &resp);
++-     if (rc != 0)
++-             return -1;
++-     seccomp_notify_free(NULL, NULL);
++-     seccomp_notify_free(req, resp);
++-     req = NULL;
++-     resp = NULL;
++-     rc = seccomp_notify_receive(-1, NULL);
++-     if (rc == 0)
++-             return -1;
++-     rc = seccomp_notify_respond(-1, NULL);
++-     if (rc == 0)
++-             return -1;
++-     rc = seccomp_notify_id_valid(-1, 0);
++-     if (rc == 0)
++-             return -1;
++-     rc = seccomp_notify_fd(NULL);
++-     if (rc == 0)
++-             return -1;
++-     rc = seccomp_notify_fd(ctx);
++-     if (rc == 0)
++-             return -1;
++-     seccomp_release(ctx);
++-     ctx = NULL;
++ 
++      return 0;
++ }
++diff --git a/tests/15-basic-resolver.c b/tests/15-basic-resolver.c
++--- a/tests/15-basic-resolver.c
+++++ b/tests/15-basic-resolver.c
++@@ -68,7 +68,6 @@ int main(int argc, char *argv[])
++              goto fail;
++ 
++      while ((arch = arch_list[iter++]) != -1) {
++-             int sys;
++              int nr_open;
++              int nr_read;
++              int nr_socket;
++@@ -120,45 +119,6 @@ int main(int argc, char *argv[])
++                      goto fail;
++              free(name);
++              name = NULL;
++-
++-             /* socket pseudo-syscalls */
++-             if (seccomp_syscall_resolve_name_arch(arch, "socketcall") > 0) {
++-                     for (sys = -101; sys >= -120; sys--) {
++-                             name = seccomp_syscall_resolve_num_arch(arch,
++-                                                                     sys);
++-                             if (name == NULL)
++-                                     goto fail;
++-                             free(name);
++-                             name = NULL;
++-                     }
++-             }
++-             /* ipc pseudo-syscalls */
++-             if (seccomp_syscall_resolve_name_arch(arch, "ipc") > 0) {
++-                     for (sys = -201; sys >= -204; sys--) {
++-                             name = seccomp_syscall_resolve_num_arch(arch,
++-                                                                     sys);
++-                             if (name == NULL)
++-                                     goto fail;
++-                             free(name);
++-                             name = NULL;
++-                     }
++-                     for (sys = -211; sys >= -214; sys--) {
++-                             name = seccomp_syscall_resolve_num_arch(arch,
++-                                                                     sys);
++-                             if (name == NULL)
++-                                     goto fail;
++-                             free(name);
++-                             name = NULL;
++-                     }
++-                     for (sys = -221; sys >= -224; sys--) {
++-                             name = seccomp_syscall_resolve_num_arch(arch,
++-                                                                     sys);
++-                             if (name == NULL)
++-                                     goto fail;
++-                             free(name);
++-                             name = NULL;
++-                     }
++-             }
++      }
++ 
++      return 0;
++diff --git a/tests/30-sim-socket_syscalls.c b/tests/30-sim-socket_syscalls.c
++--- a/tests/30-sim-socket_syscalls.c
+++++ b/tests/30-sim-socket_syscalls.c
++@@ -61,79 +61,19 @@ int main(int argc, char *argv[])
++      if (rc != 0)
++              goto out;
++ 
++-     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(bind), 0);
++-     if (rc != 0)
++-             goto out;
++-
++      rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(connect), 0);
++      if (rc != 0)
++              goto out;
++ 
++-     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(listen), 0);
++-     if (rc != 0)
++-             goto out;
++-
++      rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept), 0);
++      if (rc != 0)
++              goto out;
++ 
++-     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockname), 0);
++-     if (rc != 0)
++-             goto out;
++-
++-     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpeername), 0);
++-     if (rc != 0)
++-             goto out;
++-
++-     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair), 0);
++-     if (rc != 0)
++-             goto out;
++-
++-     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(send), 0);
++-     if (rc != 0)
++-             goto out;
++-
++-     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recv), 0);
++-     if (rc != 0)
++-             goto out;
++-
++-     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendto), 0);
++-     if (rc != 0)
++-             goto out;
++-
++-     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvfrom), 0);
++-     if (rc != 0)
++-             goto out;
++-
++-     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shutdown), 0);
++-     if (rc != 0)
++-             goto out;
++-
++-     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 0);
++-     if (rc != 0)
++-             goto out;
++-
++-     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt), 0);
++-     if (rc != 0)
++-             goto out;
++-
++-     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendmsg), 0);
++-     if (rc != 0)
++-             goto out;
++-
++-     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvmsg), 0);
++-     if (rc != 0)
++-             goto out;
++-
++      rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4), 0);
++      if (rc != 0)
++              goto out;
++ 
++-     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendmmsg), 0);
++-     if (rc != 0)
++-             goto out;
++-
++-     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvmmsg), 0);
+++     rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shutdown), 0);
++      if (rc != 0)
++              goto out;
++ 
++diff --git a/tests/33-sim-socket_syscalls_be.c b/tests/33-sim-socket_syscalls_be.c
++--- a/tests/33-sim-socket_syscalls_be.c
+++++ b/tests/33-sim-socket_syscalls_be.c
++@@ -48,9 +48,6 @@ int main(int argc, char *argv[])
++      if (rc != 0)
++              goto out;
++      rc = seccomp_arch_add(ctx, SCMP_ARCH_S390X);
++-     if (rc != 0)
++-             goto out;
++-     rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC);
++      if (rc != 0)
++              goto out;
++ 
++diff --git a/tests/33-sim-socket_syscalls_be.py b/tests/33-sim-socket_syscalls_be.py
++--- a/tests/33-sim-socket_syscalls_be.py
+++++ b/tests/33-sim-socket_syscalls_be.py
++@@ -33,7 +33,6 @@ def test(args):
++     f.remove_arch(Arch())
++     f.add_arch(Arch("s390"))
++     f.add_arch(Arch("s390x"))
++-    f.add_arch(Arch("ppc"))
++     f.add_rule(ALLOW, "socket")
++     f.add_rule(ALLOW, "connect")
++     f.add_rule(ALLOW, "accept")
++diff --git a/tests/33-sim-socket_syscalls_be.tests b/tests/33-sim-socket_syscalls_be.tests
++--- a/tests/33-sim-socket_syscalls_be.tests
+++++ b/tests/33-sim-socket_syscalls_be.tests
++@@ -7,23 +7,31 @@
++ 
++ test type: bpf-sim
++ 
++-# Testname                   Arch                    Syscall         Arg0            Arg1            Arg2    Arg3    Arg4    Arg5    Result
++-33-sim-socket_syscalls_be    +s390,+s390x,+ppc       socketcall      1               N               N       N       N       N       ALLOW
++-33-sim-socket_syscalls_be    +s390,+s390x,+ppc       socketcall      3               N               N       N       N       N       ALLOW
++-33-sim-socket_syscalls_be    +s390,+s390x,+ppc       socketcall      5               N               N       N       N       N       ALLOW
++-33-sim-socket_syscalls_be    +s390,+s390x,+ppc       socketcall      13              N               N       N       N       N       ALLOW
++-33-sim-socket_syscalls_be    +s390,+s390x            359             0               1               2       N       N       N       ALLOW
++-33-sim-socket_syscalls_be    +ppc                    326             0               1               2       N       N       N       ALLOW
++-33-sim-socket_syscalls_be    +s390,+s390x            362             0               1               2       N       N       N       ALLOW
++-33-sim-socket_syscalls_be    +ppc                    328             0               1               2       N       N       N       ALLOW
++-33-sim-socket_syscalls_be    +s390,+s390x            364             0               1               2       N       N       N       ALLOW
++-33-sim-socket_syscalls_be    +ppc                    344             0               1               2       N       N       N       ALLOW
++-33-sim-socket_syscalls_be    +s390,+s390x            373             0               1               2       N       N       N       ALLOW
++-33-sim-socket_syscalls_be    +ppc                    338             0               1               2       N       N       N       ALLOW
++-33-sim-socket_syscalls_be    +s390,+s390x,+ppc       accept          5               N               N       N       N       N       ALLOW
++-33-sim-socket_syscalls_be    +s390,+s390x,+ppc       accept          0               1               2       N       N       N       KILL
++-33-sim-socket_syscalls_be    +s390,+s390x,+ppc       accept4         18              1               2       N       N       N       ALLOW
++-33-sim-socket_syscalls_be    +s390,+s390x,+ppc       accept4         0               1               2       N       N       N       KILL
+++# Testname                   Arch    Syscall         Arg0            Arg1            Arg2    Arg3    Arg4    Arg5    Result
+++33-sim-socket_syscalls_be    +s390   socketcall      1               N               N       N       N       N       ALLOW
+++33-sim-socket_syscalls_be    +s390   socketcall      3               N               N       N       N       N       ALLOW
+++33-sim-socket_syscalls_be    +s390   socketcall      5               N               N       N       N       N       ALLOW
+++33-sim-socket_syscalls_be    +s390   socketcall      13              N               N       N       N       N       ALLOW
+++33-sim-socket_syscalls_be    +s390   359             0               1               2       N       N       N       ALLOW
+++33-sim-socket_syscalls_be    +s390   362             0               1               2       N       N       N       ALLOW
+++33-sim-socket_syscalls_be    +s390   364             0               1               2       N       N       N       ALLOW
+++33-sim-socket_syscalls_be    +s390   373             0               1               2       N       N       N       ALLOW
+++33-sim-socket_syscalls_be    +s390   accept          5               N               N       N       N       N       ALLOW
+++33-sim-socket_syscalls_be    +s390   accept          0               1               2       N       N       N       KILL
+++33-sim-socket_syscalls_be    +s390   accept4         18              1               2       N       N       N       ALLOW
+++33-sim-socket_syscalls_be    +s390   accept4         0               1               2       N       N       N       KILL
+++33-sim-socket_syscalls_be    +s390x  socketcall      1               N               N       N       N       N       ALLOW
+++33-sim-socket_syscalls_be    +s390x  socketcall      3               N               N       N       N       N       ALLOW
+++33-sim-socket_syscalls_be    +s390x  socketcall      5               N               N       N       N       N       ALLOW
+++33-sim-socket_syscalls_be    +s390x  socketcall      13              N               N       N       N       N       ALLOW
+++33-sim-socket_syscalls_be    +s390x  359             0               1               2       N       N       N       ALLOW
+++33-sim-socket_syscalls_be    +s390x  362             0               1               2       N       N       N       ALLOW
+++33-sim-socket_syscalls_be    +s390x  364             0               1               2       N       N       N       ALLOW
+++33-sim-socket_syscalls_be    +s390x  373             0               1               2       N       N       N       ALLOW
+++33-sim-socket_syscalls_be    +s390x  accept          5               N               N       N       N       N       ALLOW
+++33-sim-socket_syscalls_be    +s390x  accept          0               1               2       N       N       N       KILL
+++33-sim-socket_syscalls_be    +s390x  accept4         18              1               2       N       N       N       ALLOW
+++33-sim-socket_syscalls_be    +s390x  accept4         0               1               2       N       N       N       KILL
++ 
++ test type: bpf-valgrind
++ 
++diff --git a/tests/36-sim-ipc_syscalls.c b/tests/36-sim-ipc_syscalls.c
++--- a/tests/36-sim-ipc_syscalls.c
+++++ b/tests/36-sim-ipc_syscalls.c
++@@ -54,9 +54,6 @@ int main(int argc, char *argv[])
++      if (rc != 0)
++              goto out;
++      rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE);
++-     if (rc != 0)
++-             goto out;
++-     rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL);
++      if (rc != 0)
++              goto out;
++ 
++diff --git a/tests/36-sim-ipc_syscalls.py b/tests/36-sim-ipc_syscalls.py
++--- a/tests/36-sim-ipc_syscalls.py
+++++ b/tests/36-sim-ipc_syscalls.py
++@@ -35,7 +35,6 @@ def test(args):
++     f.add_arch(Arch("x86_64"))
++     f.add_arch(Arch("x32"))
++     f.add_arch(Arch("ppc64le"))
++-    f.add_arch(Arch("mipsel"))
++     f.add_rule(ALLOW, "semop")
++     f.add_rule(ALLOW, "semtimedop")
++     f.add_rule(ALLOW, "semget")
++diff --git a/tests/36-sim-ipc_syscalls.tests b/tests/36-sim-ipc_syscalls.tests
++--- a/tests/36-sim-ipc_syscalls.tests
+++++ b/tests/36-sim-ipc_syscalls.tests
++@@ -7,31 +7,31 @@
++ 
++ test type: bpf-sim
++ 
++-# Testname           Arch                    Syscall         Arg0    Arg1    Arg2    Arg3    Arg4    Arg5    Result
++-36-sim-ipc_syscalls  +x86,+ppc64le,+mipsel   ipc             1       N       N       N       N       N       ALLOW
++-36-sim-ipc_syscalls  +x86,+ppc64le,+mipsel   ipc             2       N       N       N       N       N       ALLOW
++-36-sim-ipc_syscalls  +x86,+ppc64le,+mipsel   ipc             3       N       N       N       N       N       ALLOW
++-36-sim-ipc_syscalls  +x86,+ppc64le,+mipsel   ipc             4       N       N       N       N       N       ALLOW
++-36-sim-ipc_syscalls  +x86,+ppc64le,+mipsel   ipc             11      N       N       N       N       N       ALLOW
++-36-sim-ipc_syscalls  +x86,+ppc64le,+mipsel   ipc             12      N       N       N       N       N       ALLOW
++-36-sim-ipc_syscalls  +x86,+ppc64le,+mipsel   ipc             13      N       N       N       N       N       ALLOW
++-36-sim-ipc_syscalls  +x86,+ppc64le,+mipsel   ipc             14      N       N       N       N       N       ALLOW
++-36-sim-ipc_syscalls  +x86,+ppc64le,+mipsel   ipc             21      N       N       N       N       N       ALLOW
++-36-sim-ipc_syscalls  +x86,+ppc64le,+mipsel   ipc             22      N       N       N       N       N       ALLOW
++-36-sim-ipc_syscalls  +x86,+ppc64le,+mipsel   ipc             23      N       N       N       N       N       ALLOW
++-36-sim-ipc_syscalls  +x86,+ppc64le,+mipsel   ipc             24      N       N       N       N       N       ALLOW
++-36-sim-ipc_syscalls  +x86_64                         semop           N       N       N       N       N       N       ALLOW
++-36-sim-ipc_syscalls  +x86_64                         semget          N       N       N       N       N       N       ALLOW
++-36-sim-ipc_syscalls  +x86_64                         semctl          N       N       N       N       N       N       ALLOW
++-36-sim-ipc_syscalls  +x86_64                         semtimedop      N       N       N       N       N       N       ALLOW
++-36-sim-ipc_syscalls  +x86_64                         msgsnd          N       N       N       N       N       N       ALLOW
++-36-sim-ipc_syscalls  +x86_64                         msgrcv          N       N       N       N       N       N       ALLOW
++-36-sim-ipc_syscalls  +x86_64                         msgget          N       N       N       N       N       N       ALLOW
++-36-sim-ipc_syscalls  +x86_64                         msgctl          N       N       N       N       N       N       ALLOW
++-36-sim-ipc_syscalls  +x86_64                         shmat           N       N       N       N       N       N       ALLOW
++-36-sim-ipc_syscalls  +x86_64                         shmdt           N       N       N       N       N       N       ALLOW
++-36-sim-ipc_syscalls  +x86_64                         shmget          N       N       N       N       N       N       ALLOW
++-36-sim-ipc_syscalls  +x86_64                         shmctl          N       N       N       N       N       N       ALLOW
+++# Testname           Arch            Syscall         Arg0    Arg1    Arg2    Arg3    Arg4    Arg5    Result
+++36-sim-ipc_syscalls  +x86,+ppc64le   ipc             1       N       N       N       N       N       ALLOW
+++36-sim-ipc_syscalls  +x86,+ppc64le   ipc             2       N       N       N       N       N       ALLOW
+++36-sim-ipc_syscalls  +x86,+ppc64le   ipc             3       N       N       N       N       N       ALLOW
+++36-sim-ipc_syscalls  +x86,+ppc64le   ipc             4       N       N       N       N       N       ALLOW
+++36-sim-ipc_syscalls  +x86,+ppc64le   ipc             11      N       N       N       N       N       ALLOW
+++36-sim-ipc_syscalls  +x86,+ppc64le   ipc             12      N       N       N       N       N       ALLOW
+++36-sim-ipc_syscalls  +x86,+ppc64le   ipc             13      N       N       N       N       N       ALLOW
+++36-sim-ipc_syscalls  +x86,+ppc64le   ipc             14      N       N       N       N       N       ALLOW
+++36-sim-ipc_syscalls  +x86,+ppc64le   ipc             21      N       N       N       N       N       ALLOW
+++36-sim-ipc_syscalls  +x86,+ppc64le   ipc             22      N       N       N       N       N       ALLOW
+++36-sim-ipc_syscalls  +x86,+ppc64le   ipc             23      N       N       N       N       N       ALLOW
+++36-sim-ipc_syscalls  +x86,+ppc64le   ipc             24      N       N       N       N       N       ALLOW
+++36-sim-ipc_syscalls  +x86_64         semop           N       N       N       N       N       N       ALLOW
+++36-sim-ipc_syscalls  +x86_64         semget          N       N       N       N       N       N       ALLOW
+++36-sim-ipc_syscalls  +x86_64         semctl          N       N       N       N       N       N       ALLOW
+++36-sim-ipc_syscalls  +x86_64         semtimedop      N       N       N       N       N       N       ALLOW
+++36-sim-ipc_syscalls  +x86_64         msgsnd          N       N       N       N       N       N       ALLOW
+++36-sim-ipc_syscalls  +x86_64         msgrcv          N       N       N       N       N       N       ALLOW
+++36-sim-ipc_syscalls  +x86_64         msgget          N       N       N       N       N       N       ALLOW
+++36-sim-ipc_syscalls  +x86_64         msgctl          N       N       N       N       N       N       ALLOW
+++36-sim-ipc_syscalls  +x86_64         shmat           N       N       N       N       N       N       ALLOW
+++36-sim-ipc_syscalls  +x86_64         shmdt           N       N       N       N       N       N       ALLOW
+++36-sim-ipc_syscalls  +x86_64         shmget          N       N       N       N       N       N       ALLOW
+++36-sim-ipc_syscalls  +x86_64         shmctl          N       N       N       N       N       N       ALLOW
++ 
++ test type: bpf-valgrind
++ 
++diff --git a/tests/37-sim-ipc_syscalls_be.c b/tests/37-sim-ipc_syscalls_be.c
++--- a/tests/37-sim-ipc_syscalls_be.c
+++++ b/tests/37-sim-ipc_syscalls_be.c
++@@ -48,9 +48,6 @@ int main(int argc, char *argv[])
++      if (rc != 0)
++              goto out;
++      rc = seccomp_arch_add(ctx, SCMP_ARCH_S390X);
++-     if (rc != 0)
++-             goto out;
++-     rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC);
++      if (rc != 0)
++              goto out;
++ 
++diff --git a/tests/37-sim-ipc_syscalls_be.py b/tests/37-sim-ipc_syscalls_be.py
++--- a/tests/37-sim-ipc_syscalls_be.py
+++++ b/tests/37-sim-ipc_syscalls_be.py
++@@ -33,7 +33,6 @@ def test(args):
++     f.remove_arch(Arch())
++     f.add_arch(Arch("s390"))
++     f.add_arch(Arch("s390x"))
++-    f.add_arch(Arch("ppc"))
++     f.add_rule(ALLOW, "semop")
++     f.add_rule(ALLOW, "semtimedop")
++     f.add_rule(ALLOW, "semget")
++diff --git a/tests/37-sim-ipc_syscalls_be.tests b/tests/37-sim-ipc_syscalls_be.tests
++--- a/tests/37-sim-ipc_syscalls_be.tests
+++++ b/tests/37-sim-ipc_syscalls_be.tests
++@@ -7,19 +7,19 @@
++ 
++ test type: bpf-sim
++ 
++-# Testname           Arch                    Syscall         Arg0    Arg1    Arg2    Arg3    Arg4    Arg5    Result
++-37-sim-ipc_syscalls_be       +s390,+s390x,+ppc       ipc             1       N       N       N       N       N       ALLOW
++-37-sim-ipc_syscalls_be       +s390,+s390x,+ppc       ipc             2       N       N       N       N       N       ALLOW
++-37-sim-ipc_syscalls_be       +s390,+s390x,+ppc       ipc             3       N       N       N       N       N       ALLOW
++-37-sim-ipc_syscalls_be       +s390,+s390x,+ppc       ipc             4       N       N       N       N       N       ALLOW
++-37-sim-ipc_syscalls_be       +s390,+s390x,+ppc       ipc             11      N       N       N       N       N       ALLOW
++-37-sim-ipc_syscalls_be       +s390,+s390x,+ppc       ipc             12      N       N       N       N       N       ALLOW
++-37-sim-ipc_syscalls_be       +s390,+s390x,+ppc       ipc             13      N       N       N       N       N       ALLOW
++-37-sim-ipc_syscalls_be       +s390,+s390x,+ppc       ipc             14      N       N       N       N       N       ALLOW
++-37-sim-ipc_syscalls_be       +s390,+s390x,+ppc       ipc             21      N       N       N       N       N       ALLOW
++-37-sim-ipc_syscalls_be       +s390,+s390x,+ppc       ipc             22      N       N       N       N       N       ALLOW
++-37-sim-ipc_syscalls_be       +s390,+s390x,+ppc       ipc             23      N       N       N       N       N       ALLOW
++-37-sim-ipc_syscalls_be       +s390,+s390x,+ppc       ipc             24      N       N       N       N       N       ALLOW
+++# Testname           Arch            Syscall         Arg0    Arg1    Arg2    Arg3    Arg4    Arg5    Result
+++37-sim-ipc_syscalls_be       +s390,+s390x    ipc             1       N       N       N       N       N       ALLOW
+++37-sim-ipc_syscalls_be       +s390,+s390x    ipc             2       N       N       N       N       N       ALLOW
+++37-sim-ipc_syscalls_be       +s390,+s390x    ipc             3       N       N       N       N       N       ALLOW
+++37-sim-ipc_syscalls_be       +s390,+s390x    ipc             4       N       N       N       N       N       ALLOW
+++37-sim-ipc_syscalls_be       +s390,+s390x    ipc             11      N       N       N       N       N       ALLOW
+++37-sim-ipc_syscalls_be       +s390,+s390x    ipc             12      N       N       N       N       N       ALLOW
+++37-sim-ipc_syscalls_be       +s390,+s390x    ipc             13      N       N       N       N       N       ALLOW
+++37-sim-ipc_syscalls_be       +s390,+s390x    ipc             14      N       N       N       N       N       ALLOW
+++37-sim-ipc_syscalls_be       +s390,+s390x    ipc             21      N       N       N       N       N       ALLOW
+++37-sim-ipc_syscalls_be       +s390,+s390x    ipc             22      N       N       N       N       N       ALLOW
+++37-sim-ipc_syscalls_be       +s390,+s390x    ipc             23      N       N       N       N       N       ALLOW
+++37-sim-ipc_syscalls_be       +s390,+s390x    ipc             24      N       N       N       N       N       ALLOW
++ 
++ test type: bpf-valgrind
++ 
++diff --git a/tests/38-basic-pfc_coverage.c b/tests/38-basic-pfc_coverage.c
++--- a/tests/38-basic-pfc_coverage.c
+++++ b/tests/38-basic-pfc_coverage.c
++@@ -55,30 +55,6 @@ int main(int argc, char *argv[])
++      if (rc < 0)
++              goto out;
++      rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
++-     if (rc < 0)
++-             goto out;
++-     rc = seccomp_arch_add(ctx, SCMP_ARCH_X32);
++-     if (rc < 0)
++-             goto out;
++-     rc = seccomp_arch_add(ctx, SCMP_ARCH_ARM);
++-     if (rc < 0)
++-             goto out;
++-     rc = seccomp_arch_add(ctx, SCMP_ARCH_AARCH64);
++-     if (rc < 0)
++-             goto out;
++-     rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL);
++-     if (rc < 0)
++-             goto out;
++-     rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL64);
++-     if (rc < 0)
++-             goto out;
++-     rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL64N32);
++-     if (rc < 0)
++-             goto out;
++-     rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE);
++-     if (rc < 0)
++-             goto out;
++-     rc = seccomp_arch_add(ctx, SCMP_ARCH_RISCV64);
++      if (rc < 0)
++              goto out;
++ 
++@@ -109,9 +85,6 @@ int main(int argc, char *argv[])
++      if (rc < 0)
++              goto out;
++      rc = seccomp_rule_add(ctx, SCMP_ACT_KILL_PROCESS, SCMP_SYS(fstat), 0);
++-     if (rc < 0)
++-             goto out;
++-     rc = seccomp_rule_add(ctx, SCMP_ACT_LOG, SCMP_SYS(exit_group), 0);
++      if (rc < 0)
++              goto out;
++ 
++diff --git a/tests/38-basic-pfc_coverage.pfc b/tests/38-basic-pfc_coverage.pfc
++--- a/tests/38-basic-pfc_coverage.pfc
+++++ b/tests/38-basic-pfc_coverage.pfc
++@@ -3,9 +3,6 @@
++ #
++ # filter for arch x86_64 (3221225534)
++ if ($arch == 3221225534)
++-  # filter for syscall "exit_group" (231) [priority: 65535]
++-  if ($syscall == 231)
++-    action LOG;
++   # filter for syscall "exit" (60) [priority: 65535]
++   if ($syscall == 60)
++     action TRACE(1);
++@@ -100,9 +97,6 @@ if ($arch == 3221225534)
++   action ALLOW;
++ # filter for arch x86 (1073741827)
++ if ($arch == 1073741827)
++-  # filter for syscall "exit_group" (252) [priority: 65535]
++-  if ($syscall == 252)
++-    action LOG;
++   # filter for syscall "fstat" (108) [priority: 65535]
++   if ($syscall == 108)
++     action KILL_PROCESS;
++@@ -133,534 +127,6 @@ if ($arch == 1073741827)
++             action KILL;
++   # default action
++   action ALLOW;
++-# filter for arch x32 (3221225534)
++-if ($arch == 3221225534)
++-  # filter for syscall "exit_group" (1073742055) [priority: 65535]
++-  if ($syscall == 1073742055)
++-    action LOG;
++-  # filter for syscall "exit" (1073741884) [priority: 65535]
++-  if ($syscall == 1073741884)
++-    action TRACE(1);
++-  # filter for syscall "fstat" (1073741829) [priority: 65535]
++-  if ($syscall == 1073741829)
++-    action KILL_PROCESS;
++-  # filter for syscall "close" (1073741827) [priority: 65535]
++-  if ($syscall == 1073741827)
++-    action ERRNO(1);
++-  # filter for syscall "open" (1073741826) [priority: 65535]
++-  if ($syscall == 1073741826)
++-    action KILL;
++-  # filter for syscall "write" (1073741825) [priority: 65532]
++-  if ($syscall == 1073741825)
++-    if ($a0 == 0)
++-    else
++-      if ($a1 > 1)
++-      else
++-        if ($a2 >= 2)
++-        else
++-          action TRAP;
++-  # filter for syscall "read" (1073741824) [priority: 65531]
++-  if ($syscall == 1073741824)
++-    if ($a0 == 0)
++-      if ($a1 >= 1)
++-        if ($a2 > 2)
++-          if ($a3 & 0x0000000f == 3)
++-            action KILL;
++-  # default action
++-  action ALLOW;
++-# filter for arch arm (1073741864)
++-if ($arch == 1073741864)
++-  # filter for syscall "exit_group" (248) [priority: 65535]
++-  if ($syscall == 248)
++-    action LOG;
++-  # filter for syscall "fstat" (108) [priority: 65535]
++-  if ($syscall == 108)
++-    action KILL_PROCESS;
++-  # filter for syscall "close" (6) [priority: 65535]
++-  if ($syscall == 6)
++-    action ERRNO(1);
++-  # filter for syscall "open" (5) [priority: 65535]
++-  if ($syscall == 5)
++-    action KILL;
++-  # filter for syscall "exit" (1) [priority: 65535]
++-  if ($syscall == 1)
++-    action TRACE(1);
++-  # filter for syscall "write" (4) [priority: 65532]
++-  if ($syscall == 4)
++-    if ($a0 == 0)
++-    else
++-      if ($a1 > 1)
++-      else
++-        if ($a2 >= 2)
++-        else
++-          action TRAP;
++-  # filter for syscall "read" (3) [priority: 65531]
++-  if ($syscall == 3)
++-    if ($a0 == 0)
++-      if ($a1 >= 1)
++-        if ($a2 > 2)
++-          if ($a3 & 0x0000000f == 3)
++-            action KILL;
++-  # default action
++-  action ALLOW;
++-# filter for arch aarch64 (3221225655)
++-if ($arch == 3221225655)
++-  # filter for syscall "open" (4294957130) [priority: 65535]
++-  if ($syscall == 4294957130)
++-    action KILL;
++-  # filter for syscall "exit_group" (94) [priority: 65535]
++-  if ($syscall == 94)
++-    action LOG;
++-  # filter for syscall "exit" (93) [priority: 65535]
++-  if ($syscall == 93)
++-    action TRACE(1);
++-  # filter for syscall "fstat" (80) [priority: 65535]
++-  if ($syscall == 80)
++-    action KILL_PROCESS;
++-  # filter for syscall "close" (57) [priority: 65535]
++-  if ($syscall == 57)
++-    action ERRNO(1);
++-  # filter for syscall "write" (64) [priority: 65527]
++-  if ($syscall == 64)
++-    if ($a0.hi32 == 0)
++-      if ($a0.lo32 == 0)
++-      else
++-        if ($a1.hi32 > 0)
++-        else
++-          if ($a1.hi32 == 0)
++-            if ($a1.lo32 > 1)
++-            else
++-              if ($a2.hi32 > 0)
++-              else
++-                if ($a2.hi32 == 0)
++-                  if ($a2.lo32 >= 2)
++-                  else
++-                    action TRAP;
++-                else
++-                  action TRAP;
++-          else
++-            if ($a2.hi32 > 0)
++-            else
++-              if ($a2.hi32 == 0)
++-                if ($a2.lo32 >= 2)
++-                else
++-                  action TRAP;
++-              else
++-                action TRAP;
++-    else
++-      if ($a1.hi32 > 0)
++-      else
++-        if ($a1.hi32 == 0)
++-          if ($a1.lo32 > 1)
++-          else
++-            if ($a2.hi32 > 0)
++-            else
++-              if ($a2.hi32 == 0)
++-                if ($a2.lo32 >= 2)
++-                else
++-                  action TRAP;
++-              else
++-                action TRAP;
++-        else
++-          if ($a2.hi32 > 0)
++-          else
++-            if ($a2.hi32 == 0)
++-              if ($a2.lo32 >= 2)
++-              else
++-                action TRAP;
++-            else
++-              action TRAP;
++-  # filter for syscall "read" (63) [priority: 65525]
++-  if ($syscall == 63)
++-    if ($a0.hi32 == 0)
++-      if ($a0.lo32 == 0)
++-        if ($a1.hi32 > 0)
++-          if ($a2.hi32 > 0)
++-            if ($a3.hi32 & 0x00000000 == 0)
++-              if ($a3.lo32 & 0x0000000f == 3)
++-                action KILL;
++-          else
++-            if ($a2.hi32 == 0)
++-              if ($a2.lo32 > 2)
++-                if ($a3.hi32 & 0x00000000 == 0)
++-                  if ($a3.lo32 & 0x0000000f == 3)
++-                    action KILL;
++-        else
++-          if ($a1.hi32 == 0)
++-            if ($a1.lo32 >= 1)
++-              if ($a2.hi32 > 0)
++-                if ($a3.hi32 & 0x00000000 == 0)
++-                  if ($a3.lo32 & 0x0000000f == 3)
++-                    action KILL;
++-              else
++-                if ($a2.hi32 == 0)
++-                  if ($a2.lo32 > 2)
++-                    if ($a3.hi32 & 0x00000000 == 0)
++-                      if ($a3.lo32 & 0x0000000f == 3)
++-                        action KILL;
++-  # default action
++-  action ALLOW;
++-# filter for arch mipsel (1073741832)
++-if ($arch == 1073741832)
++-  # filter for syscall "exit_group" (246) [priority: 65535]
++-  if ($syscall == 246)
++-    action LOG;
++-  # filter for syscall "fstat" (108) [priority: 65535]
++-  if ($syscall == 108)
++-    action KILL_PROCESS;
++-  # filter for syscall "close" (6) [priority: 65535]
++-  if ($syscall == 6)
++-    action ERRNO(1);
++-  # filter for syscall "open" (5) [priority: 65535]
++-  if ($syscall == 5)
++-    action KILL;
++-  # filter for syscall "exit" (1) [priority: 65535]
++-  if ($syscall == 1)
++-    action TRACE(1);
++-  # filter for syscall "write" (4) [priority: 65532]
++-  if ($syscall == 4)
++-    if ($a0 == 0)
++-    else
++-      if ($a1 > 1)
++-      else
++-        if ($a2 >= 2)
++-        else
++-          action TRAP;
++-  # filter for syscall "read" (3) [priority: 65531]
++-  if ($syscall == 3)
++-    if ($a0 == 0)
++-      if ($a1 >= 1)
++-        if ($a2 > 2)
++-          if ($a3 & 0x0000000f == 3)
++-            action KILL;
++-  # default action
++-  action ALLOW;
++-# filter for arch mipsel64 (3221225480)
++-if ($arch == 3221225480)
++-  # filter for syscall "exit_group" (5205) [priority: 65535]
++-  if ($syscall == 5205)
++-    action LOG;
++-  # filter for syscall "exit" (5058) [priority: 65535]
++-  if ($syscall == 5058)
++-    action TRACE(1);
++-  # filter for syscall "fstat" (5005) [priority: 65535]
++-  if ($syscall == 5005)
++-    action KILL_PROCESS;
++-  # filter for syscall "close" (5003) [priority: 65535]
++-  if ($syscall == 5003)
++-    action ERRNO(1);
++-  # filter for syscall "open" (5002) [priority: 65535]
++-  if ($syscall == 5002)
++-    action KILL;
++-  # filter for syscall "write" (5001) [priority: 65527]
++-  if ($syscall == 5001)
++-    if ($a0.hi32 == 0)
++-      if ($a0.lo32 == 0)
++-      else
++-        if ($a1.hi32 > 0)
++-        else
++-          if ($a1.hi32 == 0)
++-            if ($a1.lo32 > 1)
++-            else
++-              if ($a2.hi32 > 0)
++-              else
++-                if ($a2.hi32 == 0)
++-                  if ($a2.lo32 >= 2)
++-                  else
++-                    action TRAP;
++-                else
++-                  action TRAP;
++-          else
++-            if ($a2.hi32 > 0)
++-            else
++-              if ($a2.hi32 == 0)
++-                if ($a2.lo32 >= 2)
++-                else
++-                  action TRAP;
++-              else
++-                action TRAP;
++-    else
++-      if ($a1.hi32 > 0)
++-      else
++-        if ($a1.hi32 == 0)
++-          if ($a1.lo32 > 1)
++-          else
++-            if ($a2.hi32 > 0)
++-            else
++-              if ($a2.hi32 == 0)
++-                if ($a2.lo32 >= 2)
++-                else
++-                  action TRAP;
++-              else
++-                action TRAP;
++-        else
++-          if ($a2.hi32 > 0)
++-          else
++-            if ($a2.hi32 == 0)
++-              if ($a2.lo32 >= 2)
++-              else
++-                action TRAP;
++-            else
++-              action TRAP;
++-  # filter for syscall "read" (5000) [priority: 65525]
++-  if ($syscall == 5000)
++-    if ($a0.hi32 == 0)
++-      if ($a0.lo32 == 0)
++-        if ($a1.hi32 > 0)
++-          if ($a2.hi32 > 0)
++-            if ($a3.hi32 & 0x00000000 == 0)
++-              if ($a3.lo32 & 0x0000000f == 3)
++-                action KILL;
++-          else
++-            if ($a2.hi32 == 0)
++-              if ($a2.lo32 > 2)
++-                if ($a3.hi32 & 0x00000000 == 0)
++-                  if ($a3.lo32 & 0x0000000f == 3)
++-                    action KILL;
++-        else
++-          if ($a1.hi32 == 0)
++-            if ($a1.lo32 >= 1)
++-              if ($a2.hi32 > 0)
++-                if ($a3.hi32 & 0x00000000 == 0)
++-                  if ($a3.lo32 & 0x0000000f == 3)
++-                    action KILL;
++-              else
++-                if ($a2.hi32 == 0)
++-                  if ($a2.lo32 > 2)
++-                    if ($a3.hi32 & 0x00000000 == 0)
++-                      if ($a3.lo32 & 0x0000000f == 3)
++-                        action KILL;
++-  # default action
++-  action ALLOW;
++-# filter for arch mipsel64n32 (3758096392)
++-if ($arch == 3758096392)
++-  # filter for syscall "exit_group" (6205) [priority: 65535]
++-  if ($syscall == 6205)
++-    action LOG;
++-  # filter for syscall "exit" (6058) [priority: 65535]
++-  if ($syscall == 6058)
++-    action TRACE(1);
++-  # filter for syscall "fstat" (6005) [priority: 65535]
++-  if ($syscall == 6005)
++-    action KILL_PROCESS;
++-  # filter for syscall "close" (6003) [priority: 65535]
++-  if ($syscall == 6003)
++-    action ERRNO(1);
++-  # filter for syscall "open" (6002) [priority: 65535]
++-  if ($syscall == 6002)
++-    action KILL;
++-  # filter for syscall "write" (6001) [priority: 65532]
++-  if ($syscall == 6001)
++-    if ($a0 == 0)
++-    else
++-      if ($a1 > 1)
++-      else
++-        if ($a2 >= 2)
++-        else
++-          action TRAP;
++-  # filter for syscall "read" (6000) [priority: 65531]
++-  if ($syscall == 6000)
++-    if ($a0 == 0)
++-      if ($a1 >= 1)
++-        if ($a2 > 2)
++-          if ($a3 & 0x0000000f == 3)
++-            action KILL;
++-  # default action
++-  action ALLOW;
++-# filter for arch ppc64le (3221225493)
++-if ($arch == 3221225493)
++-  # filter for syscall "exit_group" (234) [priority: 65535]
++-  if ($syscall == 234)
++-    action LOG;
++-  # filter for syscall "fstat" (108) [priority: 65535]
++-  if ($syscall == 108)
++-    action KILL_PROCESS;
++-  # filter for syscall "close" (6) [priority: 65535]
++-  if ($syscall == 6)
++-    action ERRNO(1);
++-  # filter for syscall "open" (5) [priority: 65535]
++-  if ($syscall == 5)
++-    action KILL;
++-  # filter for syscall "exit" (1) [priority: 65535]
++-  if ($syscall == 1)
++-    action TRACE(1);
++-  # filter for syscall "write" (4) [priority: 65527]
++-  if ($syscall == 4)
++-    if ($a0.hi32 == 0)
++-      if ($a0.lo32 == 0)
++-      else
++-        if ($a1.hi32 > 0)
++-        else
++-          if ($a1.hi32 == 0)
++-            if ($a1.lo32 > 1)
++-            else
++-              if ($a2.hi32 > 0)
++-              else
++-                if ($a2.hi32 == 0)
++-                  if ($a2.lo32 >= 2)
++-                  else
++-                    action TRAP;
++-                else
++-                  action TRAP;
++-          else
++-            if ($a2.hi32 > 0)
++-            else
++-              if ($a2.hi32 == 0)
++-                if ($a2.lo32 >= 2)
++-                else
++-                  action TRAP;
++-              else
++-                action TRAP;
++-    else
++-      if ($a1.hi32 > 0)
++-      else
++-        if ($a1.hi32 == 0)
++-          if ($a1.lo32 > 1)
++-          else
++-            if ($a2.hi32 > 0)
++-            else
++-              if ($a2.hi32 == 0)
++-                if ($a2.lo32 >= 2)
++-                else
++-                  action TRAP;
++-              else
++-                action TRAP;
++-        else
++-          if ($a2.hi32 > 0)
++-          else
++-            if ($a2.hi32 == 0)
++-              if ($a2.lo32 >= 2)
++-              else
++-                action TRAP;
++-            else
++-              action TRAP;
++-  # filter for syscall "read" (3) [priority: 65525]
++-  if ($syscall == 3)
++-    if ($a0.hi32 == 0)
++-      if ($a0.lo32 == 0)
++-        if ($a1.hi32 > 0)
++-          if ($a2.hi32 > 0)
++-            if ($a3.hi32 & 0x00000000 == 0)
++-              if ($a3.lo32 & 0x0000000f == 3)
++-                action KILL;
++-          else
++-            if ($a2.hi32 == 0)
++-              if ($a2.lo32 > 2)
++-                if ($a3.hi32 & 0x00000000 == 0)
++-                  if ($a3.lo32 & 0x0000000f == 3)
++-                    action KILL;
++-        else
++-          if ($a1.hi32 == 0)
++-            if ($a1.lo32 >= 1)
++-              if ($a2.hi32 > 0)
++-                if ($a3.hi32 & 0x00000000 == 0)
++-                  if ($a3.lo32 & 0x0000000f == 3)
++-                    action KILL;
++-              else
++-                if ($a2.hi32 == 0)
++-                  if ($a2.lo32 > 2)
++-                    if ($a3.hi32 & 0x00000000 == 0)
++-                      if ($a3.lo32 & 0x0000000f == 3)
++-                        action KILL;
++-  # default action
++-  action ALLOW;
++-# filter for arch riscv64 (3221225715)
++-if ($arch == 3221225715)
++-  # filter for syscall "open" (4294957130) [priority: 65535]
++-  if ($syscall == 4294957130)
++-    action KILL;
++-  # filter for syscall "exit_group" (94) [priority: 65535]
++-  if ($syscall == 94)
++-    action LOG;
++-  # filter for syscall "exit" (93) [priority: 65535]
++-  if ($syscall == 93)
++-    action TRACE(1);
++-  # filter for syscall "fstat" (80) [priority: 65535]
++-  if ($syscall == 80)
++-    action KILL_PROCESS;
++-  # filter for syscall "close" (57) [priority: 65535]
++-  if ($syscall == 57)
++-    action ERRNO(1);
++-  # filter for syscall "write" (64) [priority: 65527]
++-  if ($syscall == 64)
++-    if ($a0.hi32 == 0)
++-      if ($a0.lo32 == 0)
++-      else
++-        if ($a1.hi32 > 0)
++-        else
++-          if ($a1.hi32 == 0)
++-            if ($a1.lo32 > 1)
++-            else
++-              if ($a2.hi32 > 0)
++-              else
++-                if ($a2.hi32 == 0)
++-                  if ($a2.lo32 >= 2)
++-                  else
++-                    action TRAP;
++-                else
++-                  action TRAP;
++-          else
++-            if ($a2.hi32 > 0)
++-            else
++-              if ($a2.hi32 == 0)
++-                if ($a2.lo32 >= 2)
++-                else
++-                  action TRAP;
++-              else
++-                action TRAP;
++-    else
++-      if ($a1.hi32 > 0)
++-      else
++-        if ($a1.hi32 == 0)
++-          if ($a1.lo32 > 1)
++-          else
++-            if ($a2.hi32 > 0)
++-            else
++-              if ($a2.hi32 == 0)
++-                if ($a2.lo32 >= 2)
++-                else
++-                  action TRAP;
++-              else
++-                action TRAP;
++-        else
++-          if ($a2.hi32 > 0)
++-          else
++-            if ($a2.hi32 == 0)
++-              if ($a2.lo32 >= 2)
++-              else
++-                action TRAP;
++-            else
++-              action TRAP;
++-  # filter for syscall "read" (63) [priority: 65525]
++-  if ($syscall == 63)
++-    if ($a0.hi32 == 0)
++-      if ($a0.lo32 == 0)
++-        if ($a1.hi32 > 0)
++-          if ($a2.hi32 > 0)
++-            if ($a3.hi32 & 0x00000000 == 0)
++-              if ($a3.lo32 & 0x0000000f == 3)
++-                action KILL;
++-          else
++-            if ($a2.hi32 == 0)
++-              if ($a2.lo32 > 2)
++-                if ($a3.hi32 & 0x00000000 == 0)
++-                  if ($a3.lo32 & 0x0000000f == 3)
++-                    action KILL;
++-        else
++-          if ($a1.hi32 == 0)
++-            if ($a1.lo32 >= 1)
++-              if ($a2.hi32 > 0)
++-                if ($a3.hi32 & 0x00000000 == 0)
++-                  if ($a3.lo32 & 0x0000000f == 3)
++-                    action KILL;
++-              else
++-                if ($a2.hi32 == 0)
++-                  if ($a2.lo32 > 2)
++-                    if ($a3.hi32 & 0x00000000 == 0)
++-                      if ($a3.lo32 & 0x0000000f == 3)
++-                        action KILL;
++-  # default action
++-  action ALLOW;
++ # invalid architecture action
++ action KILL;
++ #
++diff --git a/tests/52-basic-load.c b/tests/52-basic-load.c
++--- a/tests/52-basic-load.c
+++++ b/tests/52-basic-load.c
++@@ -31,38 +31,15 @@ int main(int argc, char *argv[])
++      int rc;
++      struct util_options opts;
++      scmp_filter_ctx ctx = NULL;
++-     unsigned int api;
++ 
++      rc = util_getopt(argc, argv, &opts);
++      if (rc < 0)
++              goto out;
++ 
++-     api = seccomp_api_get();
++-     if (api == 0) {
++-             rc = -EFAULT;
++-             goto out;
++-     }
++-
++      ctx = seccomp_init(SCMP_ACT_ALLOW);
++      if (ctx == NULL)
++              return ENOMEM;
++ 
++-     if (api >= 2) {
++-             rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
++-             if (rc != 0)
++-                     goto out;
++-     }
++-     if (api >= 3) {
++-             rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_LOG, 1);
++-             if (rc != 0)
++-                     goto out;
++-     }
++-     if (api >= 4) {
++-             rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_SSB, 1);
++-             if (rc != 0)
++-                     goto out;
++-     }
++-
++      rc = seccomp_load(ctx);
++ 
++ out:

diff --cc debian/patches/series
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..b6e2f868f233f437d56304c4a3adfeefc318754c
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/patches/series
@@@ -1,0 -1,0 +1,4 @@@
++revert_various_additions_to_improve_code_coverage.patch
++revert_arch_consolidate_all_of_the_multiplexed_syscall_handling.patch
++revert_ppc_add_multiplexed_syscall_support_to_PPC.patch
++revert_mips_add_multiplexed_syscall_support_to_MIPS.patch

diff --cc debian/python-seccomp.install
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..a71458d79155a583d230e66fe08776892cd715d8
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/python-seccomp.install
@@@ -1,0 -1,0 +1,1 @@@
++usr/lib/python2.*/dist-packages/seccomp.so

diff --cc debian/python3-seccomp.install
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..97a45dc5694713a953ef14ccc1c7c24a875d3844
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/python3-seccomp.install
@@@ -1,0 -1,0 +1,1 @@@
++usr/lib/python3.*/site-packages/seccomp.cpython-*.so

diff --cc debian/rules
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..54d5951b333353d9159cda38a1c3a252d675b206
new file mode 100755 (executable)
--- /dev/null
--- /dev/null
+++ b/debian/rules
@@@ -1,0 -1,0 +1,37 @@@
++#!/usr/bin/make -f
++# -*- makefile -*-
++
++# Uncomment this to turn on verbose mode.
++#export DH_VERBOSE=1
++
++# Enable verbose build details.
++export V=1
++
++include /usr/share/dpkg/architecture.mk
++
++%:
++ifeq ($(filter nopython,$(DEB_BUILD_PROFILES)),)
++      dh $@ --with python3
++else
++      dh $@
++endif
++
++ifeq ($(filter nopython,$(DEB_BUILD_PROFILES)),)
++
++override_dh_auto_install:
++      dh_auto_install
++      for pyver in `py3versions -s`; do \
++              set -e; \
++              if python3 -c "pyver='$$pyver'; exit(0 if float(pyver[6:]) >= 3.8 else 1)"; then \
++                      export _PYTHON_SYSCONFIGDATA_NAME='_sysconfigdata__${DEB_HOST_ARCH_OS}_${DEB_HOST_MULTIARCH}'; \
++              else \
++                      export _PYTHON_SYSCONFIGDATA_NAME='_sysconfigdata_m_${DEB_HOST_ARCH_OS}_${DEB_HOST_MULTIARCH}'; \
++              fi; \
++              dh_auto_configure -- --enable-python PYTHON=$$pyver; \
++              dh_auto_install --sourcedirectory=src/python -- PYTHON=$$pyver; \
++      done
++endif
++
++override_dh_auto_clean:
++      dh_auto_clean
++      rm -f regression.out

diff --cc debian/seccomp.install
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..1df36c612fb7cd107795e240186fbddfc0f953b9
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/seccomp.install
@@@ -1,0 -1,0 +1,1 @@@
++usr/bin/*

diff --cc debian/seccomp.manpages
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..5ea05feb8038ba5fc32bc915ae644febebf68056
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/seccomp.manpages
@@@ -1,0 -1,0 +1,1 @@@
++debian/tmp/usr/share/man/man1/*

diff --cc debian/source/format
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..163aaf8d82b6c54f23c45f32895dbdfdcc27b047
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/source/format
@@@ -1,0 -1,0 +1,1 @@@
++3.0 (quilt)

diff --cc debian/tests/common
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..e02e8db63f5f0d7a956ee71ffaf77f64788a8226
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/tests/common
@@@ -1,0 -1,0 +1,12 @@@
++SRCDIR="$(pwd)"
++
++mkdir "$AUTOPKGTEST_TMP/tests" "$AUTOPKGTEST_TMP/tools"
++cp -a tests/. "$AUTOPKGTEST_TMP/tests/"
++
++cd "$AUTOPKGTEST_TMP/tests"
++
++# build tools needed for tests
++for tool in scmp_api_level scmp_arch_detect scmp_sys_resolver; do
++  echo "Building $tool ..."
++  gcc -O2 -g "$SRCDIR/tools/$tool.c" "$SRCDIR/tools/util.c" -lseccomp -o ../tools/$tool
++done

diff --cc debian/tests/control
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..3d2c4ba4f0a42988e84f44b7c7bd591e1696c4d8
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/tests/control
@@@ -1,0 -1,0 +1,7 @@@
++Tests: testsuite-live
++Depends: libseccomp-dev, build-essential
++Restrictions: isolation-machine
++
++Tests: testsuite-live-python3
++Depends: libseccomp-dev, build-essential, python3-seccomp
++Restrictions: isolation-machine, allow-stderr

diff --cc debian/tests/testsuite-live
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..bbf20d047446ce2ad8fe8147d116159c73c699d0
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/tests/testsuite-live
@@@ -1,0 -1,0 +1,17 @@@
++#!/bin/sh
++
++set -eu
++
++. debian/tests/common
++
++# manually build necessary files against the installed libseccomp
++
++# build live tests
++for filename in *-live-*.tests; do
++  testname=$(echo "$filename" | cut -f 1 -d '.')
++  echo "Building $testname ..."
++  gcc -O2 -g "${testname}.c" util.c -pthread -lseccomp -o "$testname"
++done
++
++echo "Running test suite ..."
++./regression -T live

diff --cc debian/tests/testsuite-live-python2
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..9c9ded41922165b7527c11ceb804caaa32c00692
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/tests/testsuite-live-python2
@@@ -1,0 -1,0 +1,8 @@@
++#!/bin/sh
++
++set -eu
++
++. debian/tests/common
++
++echo "Running test suite ..."
++./regression -T live -m python

diff --cc debian/tests/testsuite-live-python3
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..f4fb094a770da53d17e0068712b43592584e23a0
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/tests/testsuite-live-python3
@@@ -1,0 -1,0 +1,13 @@@
++#!/bin/sh
++
++set -eu
++
++. debian/tests/common
++
++# make sure "python" points to python3 as this is not configurable
++# in the regression script
++mkdir python3env
++ln -s /usr/bin/python3 python3env/python
++
++echo "Running test suite ..."
++PATH="$(pwd)/python3env:$PATH" ./regression -T live -m python

diff --cc debian/upstream/metadata
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..0fef70b15da13a2738632d06198331ec1018c7f2
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/upstream/metadata
@@@ -1,0 -1,0 +1,4 @@@
++Bug-Database: https://github.com/seccomp/libseccomp/issues
++Bug-Submit: https://github.com/seccomp/libseccomp/issues/new
++Repository: https://github.com/seccomp/libseccomp.git
++Repository-Browse: https://github.com/seccomp/libseccomp

diff --cc debian/upstream/signing-key.asc
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..5ddf4356ed0af5cc32c48d46ed79f7e4fcbbd202
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/upstream/signing-key.asc
@@@ -1,0 -1,0 +1,192 @@@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++
++mQINBE6TSxkBEACy+4BPGoI7vphGh/q5WET0lmU7LcDwuNs/satPRH/vPoSYLxYU
++FmZ64A2zA4/imlohR+9VMfEVgOX6f23vZWheC2Z12bCtK0/cGLfoGMddFi7mg6aV
++hJeAegYkC6hDAYI+Mc/mt0fYvDB+bSPUCUdnB/NegbWegJMJur2pc0/nQqeeoRdp
++sazOyBEs4ipP1p05DZA/MifGNRASMHJg2bYG2FyC48Vx/xl0B+oactTwPODJlkQS
++n6+yYTcvYh7wIbbainEi0jBnyRj6bi6jODPTjArW2YRzEmPEkqbBsfA/HYEpH4DR
++IyZIJzqkP/+P+F+BVBjPVz4r6CWvCjnTMTlROfaUqIvfmpdKKtBDVN0Cjn6GVYae
++t9yoJM5bcJK+KEp5aNmW3U7vDMG2XEttw4vdfIFc9ZEWnu2kyiltQw9cUk3ucsIH
++79M4o24oVu2+J/z4QNGbRHdbxbO6c9R+IxAfiF/FAz5OhQfRHrDayfQV457cE/Ga
++ZhE1AeT7EdnXFF3G1RhTTE2lomQ1TfBSK6CyIyabU7I0R2Gh0aITpAE0fP4heZNZ
++zA8vPggdtRzgKgu4tC2is2Dg3NQnPc+k4mnU07LwmJuxCluN7pNhhlhtJkNWnA+a
++C2sV8zIicH7SAwmGoeMkp1kluxcdp/jGKsdRIfIDnVax4/t6VPL2+lKQzwARAQAB
++tB5QYXVsIE1vb3JlIDxwY21vb3JlQHVtaWNoLmVkdT6JAjgEEwECACIFAk6TS4MC
++GwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEFXkWlroynyKs5MP/it8TqV6
++IVXZh9X6ioJbchNcofT+L74+BjHXpzmdlf0awutCrKdZTWz5zC4A7Xrnam5LNg9j
++aZr44oUOhnwIKwm1xxm2KBIGky7nKMinUfsSlYlfJybSJjWA3hv3dKI4Fpd7xsy1
++5CDcmfAD5NfQeW7KD5I0U89zKsdFyGCZV03xWbrvGPitncPB+Sifjp29lWmGwOwY
++5tNcg7Mvby5vi6Zit686Q4wjYzmgoCDKKgk6QSo/VAqXJn8PRttuZArDfckraL+h
++LXsxx1W0zaKVi9qeyR3n/++fDxPcc5rQIsd9TZj7nojj/5qGjoLCPwFDZaR97u8M
++v795+ITrMCLRPYAd8DE94e3sjZK8R+hCtD0Xp9KgaNWofnA4cIHQyWaKI5is4NaT
++9Y638We5RkTaYrFC0dxSgiekmnB0pogDU69smFNa26r0CX85cQf4YKYURc1xnbmS
++Cyh+gvIHXVSGglmGXgKJ436qUBFCq2/BlecLZm/Lk0vQyPdCr08ZzPc7AUfc1hAe
+++PiZ7RDkhJzQaUN3ufjvcyeMGHoUejaO3G9ODE/yVZ6Yi8HQPN7IGmyeh73xaqcv
++5PpSrfpK+yjR13WGdi6PRL1IBfverc1fXtxXBywFhV4o/Jatj6XrS7hsU5EJ43An
++I9Cqa+8FBjLIrqzfAKHng3qYKA3R346+L0pPtB5QYXVsIE1vb3JlIDxwbW9vcmVA
++cmVkaGF0LmNvbT6JAjgEEwECACIFAk6TS60CGwMGCwkIBwMCBhUIAgkKCwQWAgMB
++Ah4BAheAAAoJEFXkWlroynyKK8AP+QFOxGd3sSxMgEgTjT2fUUwqjD0oRZUrC3RZ
++pld+fqmMIoGP0XRQYIpSZubX/ryn0DK9zd7D1o8nOz32lz8QfeEwshh+KAI93V0J
++iIFprZUtCJxXKIO2GuHVgwqyzQs+DbXoov6BiTmbNHDGy1xT+mx4Z0xboHX2ZzKc
++mLj42w7Qv5clL8X+4D3EiePCWeaw5e/p2xlPEVXfaYlu3nsUUrRwdx1RZSZ/qJE6
++CZLL348vp7mf9nR7bGBx8NiHrzbE3nh7ofZ8ai/dUTkkK+cFsxr5Gkt1nHegdv2t
++Q3pk/KoR6YYvGYIDeuyZB0zMs2VW6zLIrD7qPc9sFLIwAsgBW3pWyznZ9mZrpbqp
++JPzkhDYQH5XnTkL5g0tq4z3eDtOCODB2rNRrj/JvZcv3WmT1IK2d3x3E06Bfb4oy
++qMgTzD2z/IHgyL9Wt+yyogB0Y0zyGj3lV3fISIINT2mn+UtutYIqDEeGbSEtQrXx
++yIvQEViPO52mO+QdOtc5ZMfQ9ddsQKbawK/pqbzVMRPXX1z5hYKyx/Tv0roBrAzj
++DSBI2vP0NmfzzSUKZ3POOZLOxE0425AYeNE623SCntrOWNYdgwf9EfnAcMgsY2Kl
++a18e24ZHdAGFmJWBYx+XllheI6diU7dOZAlvuuuslVJfvD8ixzm7SR98elmUk57k
++wf9FO9yxtCBQYXVsIE1vb3JlIDxwYXVsQHBhdWwtbW9vcmUuY29tPokCOgQTAQIA
++JQIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAk6TS8ACGQEACgkQVeRaWujK
++fIrtrg/2Kr2XYWu6jYDX2PSWeLQ/5P/VgGzjZI+AKaj5JyEID/5J31yvSKICjK3F
++Wl+lHRo/LQzQx8f6gQ9FEBeDTndpa1t23XQGmBgEDAev6FHX3jmheFTkJJ+dEYpc
++gX7R+jTjmrRYjAFu1Jo2fIblBTvECwlKLxDvSzAvp5giHYj8TDWcYPlZcDqfq9Aq
++5p7UjkRYvAAUlkwSxPE28zcWPwgQuikcyVw/ObPpNWon+0TfruzindsyKnMss7mE
++pxUMhRHAWM8KACBUmScP2TC95xKzm+KtlT6E/pdPXItPXiFg5sg8Vf5Rco8j16+b
++DzviiAC21Mp69wtnV8Mdsl1jiL65wotclG+SMcgUmyqD3rgBW3jSedDFFu6CHQyG
++FuthVj25eNUSXjhVOMCWQSxOgv4uN1jgk89paHJuBqHwKfk55ezQJFB1UlkJqH7L
++NJ2uVd0Go5PTE2mBbkBQ4bvSyfhlOUYbcjNUlZOZSHsaQPVXDUXCW90LjH4azg8j
++ek7YinygvZBpxQurRj7honmoqqyBfvOweA8wDdjIYURFrA4kwYwN8d+xdIDv5Pu5
++8U/ruus+y59MebQDhMr1BaM26QhgPZ6Ur/vHvTkW6bFo+Q0Rg9/abO67O00OZX/+
++oakt1BZ3Tb30L6nGu7ZosTXos+s9Leter/wcOk49JNd5q4WnZbkCDQROk0sZARAA
++7lIE/HyQ5pTSabH0OJKa78mNJckQ+2NsEwUpEj459Ca5s3DvJCT7ZBOUQaL5ctkl
++KgjByI+3BSIT90swim6vdMYxSrS7IpQ17zb3pdV5H5LFQSCvS1Dd466amWFWCyb6
++ZWl3g7kmf5xEEIob9PLMlCe37gsIXp9M0hbRIOVISeqCiWp5HkcMXwMEd5XHxGN6
++CCgG86vzxEOnLKoMdXQIxkenA4ggk5cCBoYd0FMURH53EznhuceS3euNSzu71+H3
++SJjIdjIjYQDhpHF6gXoI+u8NSWsZ9dEn/s+9e/uP2cYvAPmR01a73QyVIZS23eo9
++rmMqlPJNjJbybQ81uaHxQqA5ljC7WWqYl7tia+QSKYMEyMkHvTqnPPhJvghsQoJO
++aeN6j/qIQWIl5fQEENLRzkcGO6SLEDOKzEgABZSwP9Wff47jyzD4JVb71qApI60m
++3TGB829vBavFIkHNzhvr91m+6AfeUvZlWlFmC3v4BsqH/3SzwwQU28cxy53a/EDO
++wm2MDJL4wkVLO2Yh2CZ/4x07VZtjmGmG6wyVOq+9GQ3cnTPEgynfZYsdPaml/RJm
++kbCAmDbHbyV4NhT1RCg803thZZX8HzJcM2nywutGlzi0xxv63tP48tfTAV6ajqyQ
++5jeRGKCq/zpME9Ghr/oH414NlGcomYU0UQ5Fjpdk8eMAEQEAAYkCHwQYAQIACQUC
++TpNLGQIbDAAKCRBV5Fpa6Mp8iqQaD/9L2zMdzYznSOnApTz1SHhpgbi8RKaKy88j
++WTz0AxZGrYF6cKv8BH2fFgA7phlONcWhUvWpEEpP208EY52c811lohRocNhSlXgW
++XHYCiG2vydsQe9HEdBB6bUOO0z8g2DPcoBtUGWe1gDZddRW2VbqN2ts8Wxebog2Y
++Y3tvJ0ocMo150t5c0koldlStav/zM2eipz+zTjfsN4Xy04q/WQ63FIbub5o5jcUJ
++j1o177I1VtA8eEumsfnMMRgQBfz0t2bEIc/ZmrsuR+j/H4WlBAuIarNjWtIylH/e
++VJhxFtXGnCI5mO1gN90QG6IpwszcwEPJf3gU7dO8r+HXeTBifLYB/JnzGWixPaek
++DgCrNOZXz+48KEJEoVXUxsnqa8PRIUO5OtVRq3mk2uwcIHqPEBLb0yB6GRQjb9jQ
++qBdRPun2FavjxWRuTZBGS1RItLW8bmAJz1d/ySWizRqnoz8U0s9SyGGHx5OsyJJu
++FO6FFr31m7WZG5LPfQJUNiyR2y9ZrjdPbwXmchywhTLqyTb5N6j5RfAdn74H379t
++ilUhH5c7ieVLt/RLTtWXEnkZzsO7LvP/3X0jHt3eZD2WzvVg4llZFvnuie8C0/yC
++Twhc2xMJOLd2WpH6ZKHNbRqv1a2xg8K2KGdhlZrRo/AYbX/FjZ/k9klZwEjFsefd
++0Ff4mojoNokCNgQoAQgAIBYhBHEAqt+ubm6UDS4K1lXkWlroynyKBQJbxKnWAh0B
++AAoJEFXkWlroynyKGT4P/jXnXhB+VEkr+NL86MssDU+S9Gz+kCYEOSxFPFvhxpmk
++x+Q9Y2SXugaThp9h9IIUH6lhtAZeYimzGC67ObZh+Ev0SIfN24xvZ2nPzLLj1pay
++/2f/OQ0g7LalC7SpaF/7nIrxrYSP3Lyv3QAw/ZCeP8+U0CCV0Nw2Jrxck61ySXOR
++W9diyGKTszNwzWQOPUBOLlMw2BxjudQW0Djy8mYoqyByUYEWtbcGgJ3MSPzE0RgW
++PLgVujdzDunGDeJd9SBeI220ILxAHiB96JZYxmkVoz4trB7PwyA3plg19CXjwZ5J
++ediKZov02JG0aGNpL2678YwJAGDCLMNhBi9gDqx3Xf6rvzqK/CvR3xQs6/bAjiAC
++FHSUjv1oQ+p75yyt0clVrJOaB3kh6DICr+dZYuBvPGbls0yMTvEvCRxrj0rmpd9w
++tI2ZTvN6ak9+5c9ZI7N+tQKYRPonfrVigVR+VgoWS0UMh5IQedkcfMO1vX2S5i/m
++mmtDPT8aTyearL/ZpRoba8UvuTi/jksGTkR9QwKxBQeBWIy4xpKtddtp29RJFAFm
++m3uvsHTGfRIm0oAGnbSgAooQSqZiv9bQvjzP0maWc7A9uNIspKj4CaEjDttqMzPG
++u5GyplMDGnmEuldXbUhyCLlRXzVqmxuE46q0G2vl+qwiwwoYDauNoyvLvHK0AOZb
++uQINBFvEpn0BEACpnI2D7qSeKGEihHtIvbZAhN6x3zkkELaLB2+MmhWZAdTmzfFm
++JU28DXNLuCqxyy7GxATaBdPR5gPyq4LkA/xqTqC5nK9zTZqxtqwh9xTFCchUhmdC
++voSkFy3R1cZlifLVartuIBHQXd9XfYkJMop4whsbPcbzDJ9JYUqHpuqysNAAhHge
++vKIzZ93B7nW5JIBHf1/iVMSnC7+l3gSLMg0n+0UalGiQSpgzUSnyfgnoJjBbbyQT
++JMrOhGSJHviezcCT3OOctnn0j5I0DuU1IRJ5h+MZ4NpgV2YyHCTXdHE9x1DGE9Wu
++ExubFjiAvJtgcYkwcfqyqpbcK2IICWOUv+XJbrApm0PdaclyXbrJZRZ08QBOW9cZ
++8tnrkvb4PtktigiHzTy9LenoWP7lSXVeroju3+g+igkaa9ZbgVkHOkDRrrjtJhNl
++3yPEaK0RplLpJ6J/ysGvjuG9b/pWAsXptsfSN4TCCKIAqOg4/RINiyM5YzzIIqLc
++vwBzm8awFpoMsexhBBUJLdBC3F2s53AZJUkH+NYJ/lZgnDA9/EVYPAOGCXt5u/Ot
++ZyCyJzyYD6fZtLshQiRRdDMkeCZ+W88+HmgxA3Ck6vfSPIPyVUGYQYqREzZqfBVV
++FuANufrr+dBYYxE0R61zYMJdXL8fsNshHR5mlcHg4EODdnhOeRSeIuS+uQARAQAB
++iQI2BBgBCAAgFiEEcQCq365ubpQNLgrWVeRaWujKfIoFAlvEpn0CGwwACgkQVeRa
++WujKfIquIRAArTQcsGL/5Tw+L4g0OxUeH1/E7TQ54UrpT9f4PjPj0SPZevqzsV/b
++uRemr6bqpNx5aMvLhoeoAodq4a0GmC+BX9ucfGKELavgReQWpyAlFFop8/MCbonq
++q+07PdO+6ZJiff0VIMGFAdWOabzQ9VMkYQ4ibF+etTjgWNpJ0UiFhUNric+eT00t
++HMzEq2WdgbnS/bwANsEF7kIA3klF7lkYG5MFN5gTbWssHeavfUn3coR9AJVqmx+m
++bJdUiMxiMrzRORepUO1zs8XJzLMkOb5h2CElk1um0LfGI9T/RZ3nyP5uv3xU5aG/
++Rp2owv4EsvjhpATt+votq3iZk2hkwymYmMbKpZ690sNT7tTYS5E6dX085NRmEQpy
++/U+gX/V5rsWULPmQ2UJEoIizyRrhxq/O73ZinapkDZVO+DeePBrdXDwDOKlhDQ2V
++dMp/uLbOg8Hxs2N+Brnn5Ts6FADeP951F9VxTaRWrppOt9eRQgxasYE9hEzFS61e
++WY3qHfWT59Pnx+KPmuR69SobBrG5Y7qYvlQxHQUsiVhRlPDDlOuZk0nbK7QR4/aX
++7AwNxp2byo7cduCOecs+uSsAcWgA+KMif8yGzHxywHm34dTn7JY0Moqd03n09UY4
++3LISNC1atd/q0BTijMpzroU+4i3omeL3SSHJRBJJSMxSxU5SXV/DBMa5Ag0EW8Sm
++sQEQAOQoaAL4LSK1yQzbIJg4hojiJ+iOIMhz2BG9zVNp2CJ4veyfjgH0eUbSr8kX
++D1OBkdw9hJuyQXIu4hARvkh41H1N9BTDRMXt5VzeiZUQBS0mJlTQ6EJrX6z+Y497
++0OwPXHYTZG7EcBtTrrY9s+Bm0JnBQr5lZ4TdoGWg8sQxGZIY79zUYYjle6naBZQ0
++QFUTgfyKbx4n8gzXqIZbpj/SrbGctFve36HD+YVwmkcjIJuxKBKMcVfTRQ1AG1PV
++qoIyV/gTcmPbVMKcC8L9S0ixkWrqmVhkNJEblzkTEhN0WF5XjzasbxCkUGcJ24Cd
++oM5515LpCKaqOTSyuov2aDJfGrNoXi0LTo93M+xaBq6Li/kVUb9S7KY1CSD7buuw
++9CAriAVJZBYCuvByp49tBwYWSVhn2GURh7mex91NsJ2H7OveLygYEHSvT+S2ARA1
++lvpLDEG8LvIuKo8QrwmCkE5AO4WU6c62gnrajWwTDU0R38vXObD0dquguhvVyLWi
++OEVWacUUXfTN6hCLoqUlOAijKgSmHVhjIs2nngKdR/PLOQiVjKpMxxDoyStMJkfg
++khL8v9D/VBU398QwBOBHXFDovKZLhNz32KU3Ma2pE+RGZYBEQeCAWBK51MNdcpsd
++Q0p26O33H6Np+GWRHSwrtvO00HK0Wd4eOmO5LY2AiSUdK0NXABEBAAGJBGwEGAEI
++ACAWIQRxAKrfrm5ulA0uCtZV5Fpa6Mp8igUCW8SmsQIbAgJACRBV5Fpa6Mp8isF0
++IAQZAQgAHRYhBEtCqM8H8pnVVJd+7+og8tqXN4lzBQJbxKaxAAoJEOog8tqXN4lz
++0fkQAILG/ON167EqJq2VNMCD/e4Su5M5/RzcosEk+0xxmHyjOTn/36TG9uneNSr+
++IaNdSeH926LaVpcauSFdCKbegKjznUTtmMfdJQX+iTdfO7JTSdZACFHQUSva4Rs6
++33VMTnyhJdRerxrGvNAL0aAyDdTG5rc/CSQjj683AJGK9T7iZubgkBKWoYY8jtJi
++nsSuePp+gFetIhCQyG2nSq4yrIgXbd6l/kJdsqq6xEz42mbGJf2uPQ/BEbD/gzWj
++m8sRUAJ91u0lHqz3KjQ4MzdsU+Mm/ngZdyXWzwlfC24QbHAr9cnWwZvtLdvo2G7z
++igMX7PyMwfEq5l7i3gFS0Mny3LtvGqH1AS/YJczDeyonDtR2gAptYlyBHOBftdj7
++hVoZS0QNNss2B0kwHqSWOLtfgMHWiBXFq8buntwWGW2rUXs77gvKYG9TB1a0NYp1
++Hv2FOOUCWY9pzs/WBOkW0s5EOiatxoDfAFIoKH7FlqDf7Cnr3IpaKS6tXDH+7B35
++QBptYgMIY43v+GhqIEELkaYow3VnnTcbQFi0VfBxh/GgyhydhFyaUs5djklCZ091
++nRRYeDSyUhB1nlr7FnuLK91/rm6YI+IWmw2j3Z6urlnD6TNYPFfeZzXDoJgtlRsc
++HFQL2/HCIiCcObVFd8HbCvHmNpMdRxId8qogOr/y5Lu2FYvzRzEP/A8NNqwqj7zX
++Wk5w6lj4tVk796B4gPNZ0NUIXYeUobEtuuPjrh4SQSVOluvADCV5/8quP4fdw/iN
++tmaoTqYqmhpHArFgP9gjHQ7vL3+eHCQIqV0hdhsLm0t8ol5ArP3BgNtfS3RcQf3k
++Q9aQdIYscz5iTvCpcncVrMXDxz3wO7YKylzNHDUF7bo1FMc9HPedcKbzG/BRFnpw
++YNn8w24xlr9+o1YEzwgc48N7djcAsYl7KCIKq82vWrbeePNHLA4yo0rdqS1RP7jI
++lOlMWfxF+IGODkwCfiuMWVo35h5uMPueA0xyEfGobX1OtK6pkeFq1b1mNYCVr++4
++eWaJj64cv3ijx/sA+Ni51pD1dHrwURuX5FIixRJm0awwoJgxbsXLy54PGVgatNoa
++1Wx4lnt/6HA32MtM7Im0NMLGAt298GD/AIr3bAnbovevNTjaxwpO8KlMNLhANqYt
++GjFlhucGfQjVOxOU0c3QL1wBJ5s0bNltz5C8LqCRpqjJc43v3CfQ/IZzqZ+g51wJ
++WWgN9wAj62doD4x6JlVg17AZm6WRoGQjslyDUuBE3ZtZd2XXpc7P/rbmfZQCcr1W
++1h8moBknbU2eOji/cULgGM3Y8W5V3RwNgD7IFHDKr1I19PyBEMr+Qk+KVHpsw09S
++xOtqJHdjtKxzOrgL0rG+n0VYx6dl2Lt4mQINBF3C4AkBEADQxp4jfxmbJ3t/ZuKc
++sV4JxG8mhuGXBkzMB0k2uGULCpY4yh7dsN4PBU7PuHgUMkxJnJlbg0xVR2nux20I
++NzroYn8xzRe+jSmKTW0fTvNH+Nxyr4k+KgqmVZCcfyvwXuL7IOfG5luc/oSXJV62
++u+LHP891dVcJlVN0Ef9i5Sz9iRkkMUknwoTrOK9q1nZNOA+XoLMhCIdyWIPx6jFm
++PxfZpgEJw6YIeyOSRIPYtH4twuDj50bzQuTTfQ3ph9FdcXVLYwP3BayvfFasGhyJ
++6caqVW9GpMDa/OPvteNmt2WbqaRgcX9CWWOKonhFqkaWAXj0lYFkM65DTzSUKpNt
++oh2MRVA7qyGZ2zlHocNWSplQ8VJlly6ch9O95UEXlSIJFxAi/7NBNuG/CekHQxxQ
++ZhdslUe7LIsujlKS8Fy0bpYsTDPb/g+rUuIHWCOhEC+B0qOYVEf+wcc9jTQjZf6N
++P3zIV4dO+Mc9GVT+d3Kz0y11g1ON0b82qy2ONvRys1NmqXC2vCnXzKCQ6UTHRYt+
++EdV0nlo59G+lolCnT8t1sW7ezuByA4zWMI6hLyk0NLb8xwPK9BT732RGhzba7a7E
++aArTBsPA3rWvObC1kQWSaw+ule5rmnTL5Q4Jw3qDhgM9b2Bg3hLYP5/UU0INq7kr
++H413Kin0C29T1aNmLfMTfmS5EwARAQABtCZUb20gSHJvbWF0a2EgPHRvbS5ocm9t
++YXRrYUBvcmFjbGUuY29tPokCTgQTAQgAOBYhBEemj843x9cCT9ZeETVs5iwrUkCZ
++BQJdwuAJAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEDVs5iwrUkCZNL0P
++/3KFyrWXW5ouPuAzWeMMUZrQmyz31T70iVSS8PtPWb8S2QxQdzgpdVPrvxT+wfq5
++zJbdz3X5uPvdOXUeyv0bAQRqYQVX/tkz10zu6+m+Bgx0H6I5Xk9F7EDvag1EDDs/
++BDSLh9VbsTllSaNpLhFjSRj0dVmE1DgaUDX5F66npYMgSIspsAjEI1MZ1PDYQfho
++yxEMiz0ld14yv6HE7hBPekcQW2mAWzlpZmgw9NVIcqShy3znJNGGpQUbLEtGbrv/
++wRMNWjGWPJyfE5dLDvkfQjrdsTRWv5+Sd5/z3fwp0G8dUq1iWeegu6mFe0KRLB5z
++3lcc+QJSlWetyyoYWOhq1Jzn0QHjakZp2Nb4rtp9/b9TdhvD5cOjpsECmL5qMri1
++mn/j4F63AG4yLQaYrwwjWzDcz+jQ8wNuyl7cXQFD6UYbywC1tC9DE0VppV2nOirt
++TOPz8+etXMx6sg40STJ4dbYn/gJLhiycSaUAqGkSHpC24FbcvkVwKz5MBUYuLEgN
++H3RyNKVgnb5JWZofE7ehOVCc+VAmzMyobjE+71FRXlPdmqD/im4vYDsqzb15wX79
++VsXqI0bij+xVYaR7GoQbTfVQ0a6f6slWex6PmKOnZTjfLL7sEu1JhAteqlI9I0Nl
++NJBF/y32T6lQpO+3CJGhY+2rSiCpnI31NMusAkcufnxquQINBF3C4AkBEAC9ReOz
++Yf6nryTLn8lGg6M0kpMX3P7v8GlOV1hZ8hTDlUETpo+xxR3FvNjWEDNyuawCpvNz
++8Pu3OKqxKDIivyVdJNEc335glsMY7BmAevLvAtyfjb0rOzOXqLfhdsn108Nr6Ai+
++lkMs8xlK2hxGI3qpDHzImOYmhWD4J181gxlj5Gaj8fOyV8JZvfY6AZcei2tzlmHp
++j9SSh7K59trUZtaUDljUeVAEP4KfU1sLEYy3BUzS+eb4Qw1tleui+89E/J4zPrgw
++wuLg5OU+ScTigfbEF/05MMUAySiKieKhp8IFsT41+FXOlotBl0wz6Jbo4HxNtY5P
++trpv6BOrBlYfhfhZeANk4+y5OnLqRjjgTvf1p9CHmsgs6sx/lkNyXpzoxKR89Rzx
++HxnrgUATSa80JK9o/0tPZkN33HKJlkSndPQEM4uLrTsIxvNsBSOPIKC09siMbbBe
++I0t811P1pMh8zvTnRl2FSQjiumLoVhr+xxZ2wWiPxztVQkMLuuWXkzcxQUfuw5nE
++QCH+WdqYKNmV6rw2kU6j10q0kvvspWPMTbsI/vBY3KyiP1F8dToXiwulNT1U05NG
++J20YbzEHnYEKatBq9ZILLx63c8eLZ6VppkAE0ZlmgsOvn+zIcv81P4x9mDLvuqTO
++zRj/RuDAY6qJHuICpsV3F5A03z9ne/Z9u0mwSwARAQABiQI2BBgBCAAgFiEER6aP
++zjfH1wJP1l4RNWzmLCtSQJkFAl3C4AkCGwwACgkQNWzmLCtSQJkiQA/8Cm07bQf2
++FIKTdwRECJO7pvpuc3zE1XsSuLyu40qpsWX24Ll97S7cpOK7rN2jSZ6UDoXpNgXV
++iOzma5yiC+GO6UUWxr8xE/CDXeuawxHUt0Xrn+UQnWsirsrZifjVPkXou71QM+ka
++Q9qXy4liOpRaJjf8B7iz3ilgMUACnMcwOVn+jbswLQpNetsKk+vrLwQlILPkWcKG
++xIu1Iro3E7WoIPojHHtT7Co7mSRzaNI00VU7jMwZwXFQL/IbeGsKlaAyxh1BzRLn
++LdPN8hxiYtEq2IG66Uq3EmigtwOvh06d/Qi/gBH6CWxdahRk7HwATyrNvbjfduzN
++nhF+lPA39iKrI5+IGasK6Lp9HklUJD0Q9JK7yac/cUj5LptY/PBFC7eJKHJLyohm
++vlXYgRSeAXEm7uGpU5k/jUZDM4Z1o5JboiNVQoqDWs6iDYJb82cRjKKlvC2d2lFK
++xtBOR3xJZUUsIpoQrstxn1LA5DcBosPvd9ISyIZs38UyJNTz07GUedEpeE3YhLke
++sc6n2iL9D2Yjz/S4ANukxl9YZDW+EFS8LtTchvK11OHWubvWxWFV7txLFmkBYQwk
++2krCi2MVguRZGj8bodqjty1H8ZMfA5NYwAKeyQmsmTHqNmR1Ws/cdQCV7+3q9Rur
++lUtY1AVxx4LtnS16GX+OVCybWzbK1uqLrfo=
++=9JXr
++-----END PGP PUBLIC KEY BLOCK-----

diff --cc debian/watch
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..a94a8686cdeae374868628a340d091bb58850d98
new file mode 100644 (file)
--- /dev/null
--- /dev/null
+++ b/debian/watch
@@@ -1,0 -1,0 +1,4 @@@
++version=4
++opts="dversionmangle=s/\+dfsg//,pgpsigurlmangle=s/$/.asc/" \
++https://github.com/seccomp/libseccomp/releases \
++    .*/libseccomp-(.*)\.tar\.gz