--- /dev/null
--- /dev/null
++libseccomp (2.5.0-3) unstable; urgency=medium
++
++ * Cherry-pick patch from the 2.5 branch to fix test error on mips:
++ - arch_ensure_we_dont_munge_pseudo_syscall_numbers.patch
++
++ -- Felix Geyer <fgeyer@debian.org> Sun, 08 Nov 2020 19:59:21 +0100
++
++libseccomp (2.5.0-2) unstable; urgency=medium
++
++ * Upload to unstable.
++ * Cherry-pick patches from the 2.5 branch to fix build and test errors:
++ - build_undefine_mips_to_prevent_build_problems.patch
++ - tests_use_openat_and_fstat_instead_of_open_and_stat_syscalls.patch
++
++ -- Felix Geyer <fgeyer@debian.org> Sun, 08 Nov 2020 15:49:41 +0100
++
++libseccomp (2.5.0-1) experimental; urgency=medium
++
++ * New upstream release.
++ - Build-depend on gperf.
++ - Update symbols file.
++ * Remove patches that have been applied upstream:
++ - cython3.patch
++ - riscv64_support.patch
++ * Cherry-pick patches from the 2.5 branch:
++ - all_only_request_the_userspace_notification_fd_once.patch
++ - system_change_our_notification_fd_handling.patch
++
++ -- Felix Geyer <fgeyer@debian.org> Sat, 24 Oct 2020 13:58:28 +0200
++
++libseccomp (2.4.4-1) unstable; urgency=medium
++
++ * Team upload.
++
++ [ Debian Janitor ]
++ * Set upstream metadata fields: Repository, Repository-Browse.
++ * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository.
++
++ [ Felix Geyer ]
++ * New upstream release.
++ * Download and verify orig gpg signature.
++
++ -- Felix Geyer <fgeyer@debian.org> Sun, 20 Sep 2020 19:03:41 +0200
++
++libseccomp (2.4.3-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Drop patches that have been applied upstream:
++ - tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch
++ - api_define__SNR_ppoll_again.patch
++ * Cherry-pick support for the riscv64 architecture. (Closes: #952386)
++ - Add riscv64_support.patch
++
++ -- Felix Geyer <fgeyer@debian.org> Thu, 12 Mar 2020 23:35:13 +0100
++
++libseccomp (2.4.2-2) unstable; urgency=medium
++
++ [ Christian Ehrhardt ]
++ * d/rules: fix potential FTFBS after full python3 switch
++ * d/t/control: drop python2 test following the removal of the package
++
++ [ Felix Geyer ]
++ * Remove build-dependency on valgrind for mips64el as it's broken there.
++ * Backport patch to define __SNR_ppoll again.
++ - Add api_define__SNR_ppoll_again.patch
++ * Replace custom patch for cython3 with the upstream fix.
++
++ -- Felix Geyer <fgeyer@debian.org> Fri, 15 Nov 2019 18:12:53 +0100
++
++libseccomp (2.4.2-1) unstable; urgency=medium
++
++ [ Christian Ehrhardt ]
++ * New upstream release 2.4.2 for compatibility with newer kernels and
++ fixing FTBFS (LP: #1849785).
++ - drop d/p/python_install_dir.patch (now upstream)
++ - d/rules: adapt to python 3.8 lacking the m modifier on includes
++ see https://wiki.debian.org/Python/Python3.8
++ - d/p/tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch: fix
++ build time test on arm64
++
++ [ Felix Geyer ]
++ * Drop Python 2 bindings. (Closes: #936917)
++ - Add cython3.patch to use the Python 3 cython variant.
++
++ -- Felix Geyer <fgeyer@debian.org> Wed, 13 Nov 2019 00:00:49 +0100
++
++libseccomp (2.4.1-2) unstable; urgency=medium
++
++ * Remove build-dependency on valgrind for mipsel and x32 as it's broken
++ on those archs.
++ * Set Rules-Requires-Root: no.
++
++ -- Felix Geyer <fgeyer@debian.org> Fri, 19 Jul 2019 00:03:34 +0200
++
++libseccomp (2.4.1-1) unstable; urgency=medium
++
++ * New upstream release.
++ - Addresses CVE-2019-9893 (Closes: #924646)
++ * Drop all patches for parisc arch support, merged upstream.
++ * Build-depend on valgrind to run more unit tests.
++ * Run dh_auto_configure for every python 3 version to install the extension
++ in the correct path.
++ * Update the symbols file.
++ * Adapt autopkgtest to new upstream version:
++ - Build against pthread
++ - Build scmp_api_level tool
++ * Upgrade to debhelper compat level 12.
++ - Add d/not-installed file
++ * Fix install path of the python module.
++ - Add python_install_dir.patch
++ * Add autopkgtest for python packages.
++
++ -- Felix Geyer <fgeyer@debian.org> Wed, 17 Jul 2019 23:23:28 +0200
++
++libseccomp (2.3.3-4) unstable; urgency=medium
++
++ [ Ondřej Nový ]
++ * d/copyright: Change Format URL to correct one
++
++ [ Helmut Grohne ]
++ * Fix FTCBFS: (Closes: #903556)
++ + Multiarchify python Build-Depends.
++ + Annotate cython dependencies with :native for now.
++ + Drop noop dh_auto_build invocations.
++ + Pass a suitable PYTHONPATH for python2.
++ + Pass _PYTHON_SYSCONFIGDATA_NAME for python3.
++
++ -- Felix Geyer <fgeyer@debian.org> Sun, 10 Feb 2019 12:25:44 +0100
++
++libseccomp (2.3.3-3) unstable; urgency=medium
++
++ * Fix FTBFS: Adapt to renamed README file. (Closes: #902767)
++
++ -- Felix Geyer <fgeyer@debian.org> Sun, 01 Jul 2018 20:32:03 +0200
++
++libseccomp (2.3.3-2) unstable; urgency=medium
++
++ [ Helmut Grohne ]
++ * Support the nopython build profile. (Closes: #897057)
++
++ [ Felix Geyer ]
++ * Run upstream "live" tests in an autopkgtest.
++
++ -- Felix Geyer <fgeyer@debian.org> Sun, 13 May 2018 09:53:08 +0200
++
++libseccomp (2.3.3-1) unstable; urgency=medium
++
++ * New upstream release. (Closes: #895417)
++ - Adds pkey_mprotect syscall. (Closes: #893722)
++ * Refresh parisc patch.
++ * Move libseccomp2 back to /usr/lib. (Closes: #894988)
++ * Make test failures cause the build to fail. (Closes: 877901)
++ * Build python bindings. (Closes: #810712)
++ * Switch to debhelper compat level 10.
++ * Move git repo to salsa.debian.org
++ * Add myself to Uploaders.
++
++ -- Felix Geyer <fgeyer@debian.org> Sun, 22 Apr 2018 23:55:03 +0200
++
++libseccomp (2.3.1-2.1) unstable; urgency=medium
++
++ [ Martin Pitt ]
++ * Non-maintainer upload with Kees' consent.
++
++ [ Laurent Bigonville ]
++ * Ensure strict enough generated dependencies (Closes: #844496)
++
++ -- Martin Pitt <mpitt@debian.org> Thu, 17 Nov 2016 10:16:44 +0100
++
++libseccomp (2.3.1-2) unstable; urgency=medium
++
++ * Add hppa (parisc) support (Closes: #820501)
++
++ -- Luca Bruno <lucab@debian.org> Sat, 28 May 2016 20:05:01 +0200
++
++libseccomp (2.3.1-1) unstable; urgency=medium
++
++ * New upstream release
++ * control: add Vcs-* fields
++
++ -- Luca Bruno <lucab@debian.org> Tue, 05 Apr 2016 22:16:55 +0200
++
++libseccomp (2.3.0-1) unstable; urgency=medium
++
++ * New upstream release
++ + drop all patches, applied upstream
++ * libseccomp2: update symbols file
++ * control: add myself to uploaders
++ * control: bump policy version
++
++ -- Luca Bruno <lucab@debian.org> Sun, 03 Apr 2016 00:31:09 +0200
++
++libseccomp (2.2.3-3) unstable; urgency=medium
++
++ [ Martin Pitt ]
++ * debian/patches/add-x86-32bit-socket-calls.patch: add the newly
++ connected direct socket calls. (Closes: #809556)
++ * debian/add-membarrier.patch: add membarrier syscall.
++ * Backport patches for ppc/ppc64 and s390x. (Closes: #800818)
++
++ -- Kees Cook <kees@debian.org> Tue, 01 Sep 2015 15:37:31 -0700
++
++libseccomp (2.2.3-2) unstable; urgency=medium
++
++ * debian/control: enable mips64, mips64el, and x32 architectures,
++ thanks to Helmut Grohne (Closes: 797383).
++
++ -- Kees Cook <kees@debian.org> Tue, 01 Sep 2015 15:37:31 -0700
++
++libseccomp (2.2.3-1) unstable; urgency=medium
++
++ * New upstream release (Closes: 793032).
++ * debian/control: update Homepage (Closes: 793033).
++
++ -- Kees Cook <kees@debian.org> Mon, 03 Aug 2015 15:06:08 -0700
++
++libseccomp (2.2.1-2) unstable; urgency=medium
++
++ * debian/{rules,*.install}: move to /lib, thanks to Michael Biebl
++ (Closes: 788923).
++
++ -- Kees Cook <kees@debian.org> Tue, 16 Jun 2015 12:45:08 -0700
++
++libseccomp (2.2.1-1) unstable; urgency=medium
++
++ * New upstream release (Closes: 785428).
++ - debian/patches dropped: incorporated upstream.
++ * debian/libseccomp2.symbols: include only documented symbols.
++ * debian/libseccomp-dev.install: include static library (Closes: 698508).
++ * debian/control:
++ - add newly supported arm64, mips, and mipsel.
++ - bump standards version, no changes needed.
++
++ -- Kees Cook <kees@debian.org> Sat, 16 May 2015 08:15:26 -0700
++
++libseccomp (2.1.1-1) unstable; urgency=low
++
++ * New upstream release (Closes: 733293).
++ * copyright: add a few missed people.
++ * rules: adjusted for new test target.
++ * libseccomp2.symbols: drop accidentally exported functions.
++ * control:
++ - bump standards, no changes needed.
++ - add armel target
++
++ -- Kees Cook <kees@debian.org> Sat, 12 Apr 2014 10:44:22 -0700
++
++libseccomp (2.1.0+dfsg-1) unstable; urgency=low
++
++ * Rebuild source package without accidental binaries (Closes: 725617).
++ - debian/watch: mangle upstream version check.
++ * debian/rules: make tests non-fatal while upstream fixes them
++ (Closes: 721292).
++
++ -- Kees Cook <kees@debian.org> Sun, 06 Oct 2013 15:05:51 -0700
++
++libseccomp (2.1.0-1) unstable; urgency=low
++
++ * New upstream release (Closes: 718398):
++ - dropped debian/patches/manpage-dashes.patch: taken upstream.
++ - dropped debian/patches/include-unistd.patch: not needed.
++ - debian/patches/testsuite-x86-write.patch: taken upstream.
++ - ABI bump: moved from libseccomp1 to libseccomp2.
++ * debian/control:
++ - added Arch: armhf, now supported upstream.
++ - added seccomp binary package for helper tools.
++ * Added debian/patches/manpage-typo.patch: spelling fix.
++ * Added debian/patches/build-ldflags.patch: fix LDFLAGS handling.
++
++ -- Kees Cook <kees@debian.org> Tue, 13 Aug 2013 00:02:01 -0700
++
++libseccomp (1.0.1-2) unstable; urgency=low
++
++ * debian/rules: enable testsuite at build time, thanks to
++ Stéphane Graber (Closes: 698803).
++ * Added debian/patches/include-unistd.patch: detect location of
++ asm/unistd.h correctly.
++ * Added debian/patches/testsuite-x86-write.patch: skip the "write"
++ syscall correctly on x86.
++ * debian/control: bump standards to 3.9.4, no changes needed.
++
++ -- Kees Cook <kees@debian.org> Wed, 23 Jan 2013 13:11:53 -0800
++
++libseccomp (1.0.1-1) unstable; urgency=low
++
++ * New upstream release.
++ * debian/control: only build on amd64 and i386 (Closes: 687368).
++
++ -- Kees Cook <kees@debian.org> Fri, 07 Dec 2012 11:38:03 -0800
++
++libseccomp (1.0.0-1) unstable; urgency=low
++
++ * New upstream release.
++ - bump ABI.
++ - drop build verbosity patch, use upstream V=1 instead.
++ * libseccomp-dev.manpages: fix build location (Closes: 682152, 682471).
++ * debian/patches/pkgconfig-macro.patch: use literals for macro.
++
++ -- Kees Cook <kees@debian.org> Fri, 03 Aug 2012 16:59:41 -0700
++
++libseccomp (0.1.0-1) unstable; urgency=low
++
++ * New upstream release.
++ - drop patches taken upstream:
++ - libexecdir.patch
++ - pass-flags.patch
++
++ -- Kees Cook <kees@debian.org> Fri, 08 Jun 2012 12:32:22 -0700
++
++libseccomp (0.0.0~20120605-1) unstable; urgency=low
++
++ * Initial release (Closes: #676257).
++
++ -- Kees Cook <kees@debian.org> Tue, 05 Jun 2012 11:28:07 -0700
--- /dev/null
--- /dev/null
++Source: libseccomp
++Section: libs
++Priority: optional
++Maintainer: Kees Cook <kees@debian.org>
++Uploaders: Luca Bruno <lucab@debian.org>, Felix Geyer <fgeyer@debian.org>
++Build-Depends: debhelper-compat (= 12),
++ linux-libc-dev,
++ dh-python <!nopython>,
++ python3-all-dev:any <!nopython>,
++ libpython3-all-dev <!nopython>,
++ cython3:native <!nopython>,
++ valgrind [amd64 arm64 armhf i386 mips mips64 powerpc ppc64 ppc64el s390x] <!nocheck>,
++ gperf
++Rules-Requires-Root: no
++Standards-Version: 3.9.7
++Homepage: https://github.com/seccomp/libseccomp
++Vcs-Git: https://salsa.debian.org/debian/libseccomp.git
++Vcs-Browser: https://salsa.debian.org/debian/libseccomp
++
++Package: libseccomp-dev
++Section: libdevel
++Architecture: linux-any
++Multi-Arch: same
++Pre-Depends: ${misc:Pre-Depends}
++Depends: libseccomp2 (= ${binary:Version}), ${misc:Depends}
++Suggests: seccomp
++Description: high level interface to Linux seccomp filter (development files)
++ This library provides a high level interface to constructing, analyzing
++ and installing seccomp filters via a BPF passed to the Linux Kernel's
++ prctl() syscall.
++ .
++ This package contains the development files.
++
++Package: libseccomp2
++Architecture: linux-any
++Multi-Arch: same
++Pre-Depends: ${misc:Pre-Depends}
++Depends: ${shlibs:Depends}, ${misc:Depends}
++Description: high level interface to Linux seccomp filter
++ This library provides a high level interface to constructing, analyzing
++ and installing seccomp filters via a BPF passed to the Linux Kernel's
++ prctl() syscall.
++
++Package: seccomp
++Section: utils
++Architecture: linux-any
++Depends: ${shlibs:Depends}, ${misc:Depends}
++Suggests: libseccomp-dev
++Description: helper tools for high level interface to Linux seccomp filter
++ Provides helper tools for interacting with libseccomp. Currently, only
++ a single tool exists, providing a way to easily enumerate syscalls across
++ the supported architectures.
++
++Package: python3-seccomp
++Build-Profiles: <!nopython>
++Architecture: linux-any
++Multi-Arch: same
++Section: python
++Depends: ${shlibs:Depends}, ${misc:Depends}, ${python3:Depends}
++Description: high level interface to Linux seccomp filter (Python 3 bindings)
++ This library provides a high level interface to constructing, analyzing
++ and installing seccomp filters via a BPF passed to the Linux Kernel's
++ prctl() syscall.
--- /dev/null
--- /dev/null
++Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
++Upstream-Name: libseccomp
++Source: https://sourceforge.net/projects/libseccomp/
++
++Files: *
++Copyright: 2012 Paul Moore <pmoore@redhat.com>
++ 2012 Ashley Lai <adlai@us.ibm.com>
++ 2012 Corey Bryant <coreyb@linux.vnet.ibm.com>
++ 2012 Eduardo Otubo <otubo@linux.vnet.ibm.com>
++ 2012 Eric Paris <eparis@redhat.com>
++License: LGPL-2.1
++
++Files: tests/22-sim-basic_chains_array.tests
++Copyright: 2013 Vitaly Shukela <vi0oss@gmail.com>
++License: LGPL-2.1
++
++Files: src/hash.*
++Copyright: 2006 Bob Jenkins <bob_jenkins@burtleburtle.net>
++License: LGPL-2.1
++
++Files: debian/*
++Copyright: 2012 Kees Cook <kees@debian.org>
++License: LGPL-2.1
++
++License: LGPL-2.1
++ This library is free software; you can redistribute it and/or modify it
++ under the terms of version 2.1 of the GNU Lesser General Public License as
++ published by the Free Software Foundation.
++ .
++ This library is distributed in the hope that it will be useful, but WITHOUT
++ ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
++ for more details.
++ .
++ You should have received a copy of the GNU Lesser General Public License
++ along with this library; if not, see <http://www.gnu.org/licenses>.
++ .
++ On Debian systems, the complete text of the GNU Lesser General
++ Public License can be found in "/usr/share/common-licenses/LGPL-2.1".
--- /dev/null
--- /dev/null
++README.md
--- /dev/null
--- /dev/null
++[DEFAULT]
++upstream-tag = upstream/%(version)s
++debian-tag = debian/%(version)s
++pristine-tar = True
++upstream-branch = upstream
++debian-branch = debian/sid
++
++[buildpackage]
++submodules = True
--- /dev/null
--- /dev/null
++usr/include/*
++usr/lib/*/lib*.so
++usr/lib/*/lib*.a
++usr/lib/*/pkgconfig/*
--- /dev/null
--- /dev/null
++debian/tmp/usr/share/man/man3/*
--- /dev/null
--- /dev/null
++usr/lib/*/lib*.so.*
--- /dev/null
--- /dev/null
++libseccomp.so.2 libseccomp2 #MINVER#
++* Build-Depends-Package: libseccomp-dev
++ seccomp_api_get@Base 2.4.1
++ seccomp_api_set@Base 2.4.1
++ seccomp_attr_get@Base 0.0.0~20120605
++ seccomp_attr_set@Base 0.0.0~20120605
++ seccomp_export_bpf@Base 0.0.0~20120605
++ seccomp_export_pfc@Base 0.0.0~20120605
++ seccomp_init@Base 0.0.0~20120605
++ seccomp_load@Base 0.0.0~20120605
++ seccomp_release@Base 0.0.0~20120605
++ seccomp_reset@Base 0.0.0~20120605
++ seccomp_rule_add@Base 0.0.0~20120605
++ seccomp_rule_add_exact@Base 0.0.0~20120605
++ seccomp_syscall_priority@Base 0.0.0~20120605
++ seccomp_syscall_resolve_name@Base 1.0.1
++ seccomp_merge@Base 1.0.1
++ seccomp_notify_alloc@Base 2.5.0
++ seccomp_notify_fd@Base 2.5.0
++ seccomp_notify_free@Base 2.5.0
++ seccomp_notify_id_valid@Base 2.5.0
++ seccomp_notify_receive@Base 2.5.0
++ seccomp_notify_respond@Base 2.5.0
++ seccomp_arch_add@Base 1.0.1
++ seccomp_arch_exist@Base 1.0.1
++ seccomp_arch_remove@Base 1.0.1
++ seccomp_arch_native@Base 2.1.0
++ seccomp_rule_add_array@Base 2.1.0
++ seccomp_rule_add_exact_array@Base 2.1.0
++ seccomp_syscall_resolve_name_arch@Base 2.1.0
++ seccomp_syscall_resolve_num_arch@Base 2.1.0
++ seccomp_arch_resolve_name@Base 2.2.1
++ seccomp_syscall_resolve_name_rewrite@Base 2.2.1
++ seccomp_version@Base 2.3.0
--- /dev/null
--- /dev/null
++usr/lib/python*/*-packages/install_files.txt
++usr/lib/python*/*-packages/seccomp-*.egg-info
++usr/lib/*/libseccomp.la
--- /dev/null
--- /dev/null
++From 8147801fbc73016491d9caaab0fc740dbdbc989d Mon Sep 17 00:00:00 2001
++From: Paul Moore <paul@paul-moore.com>
++Date: Sun, 26 Jul 2020 11:01:49 -0400
++Subject: [PATCH] all: only request the userspace notification fd once
++
++It turns out that requesting the seccomp userspace notifcation fd
++more than once is a bad thing which causes the kernel to complain
++(rightfully so for a variety of reasons). Unfortunately as we were
++always requesting the notification fd whenever possible this results
++in problems at filter load time.
++
++Our solution is to move the notification fd out of the filter context
++and into the global task context, using a newly created task_state
++structure. This allows us to store, and retrieve the notification
++outside the scope of an individual filter context. It also provides
++some implementation improvements by giving us a convenient place to
++stash all of the API level related support variables. We also extend
++the seccomp_reset() API call to reset this internal global state when
++passed a NULL filter context.
++
++There is one potential case which we don't currently handle well:
++threads. At the moment libseccomp is thread ignorant, and that works
++well as the only global state up to this point was the currently
++supported API level information which was common to all threads in a
++process. Unfortunately, it appears that the notification fd need not
++be common to all threads in a process, yet this patch treats it as if
++it is common. I suspect this is a very unusual use case so I decided
++to keep this patch simple and ignore this case, but in the future if
++we need to support this properly we should be able to do so without
++API changes by keeping an internal list of notification fds indexed
++by gettid(2).
++
++This fixes the GitHub issue below:
++* https://github.com/seccomp/libseccomp/issues/273
++
++Reported-by: Tobias Stoeckmann <tobias@stoeckmann.org>
++Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
++Signed-off-by: Paul Moore <paul@paul-moore.com>
++(imported from commit ce314fe4111887c593e3c6b17c60d93bc6ab66b9)
++---
++ doc/man/man3/seccomp_init.3 | 10 +-
++ doc/man/man3/seccomp_notify_alloc.3 | 3 +-
++ src/api.c | 19 ++-
++ src/db.c | 1 -
++ src/db.h | 3 +-
++ src/system.c | 204 ++++++++++++++++++----------
++ src/system.h | 3 +
++ tests/11-basic-basic_errors.c | 9 +-
++ tests/51-live-user_notification.c | 21 +++
++ tests/51-live-user_notification.py | 4 +
++ 10 files changed, 187 insertions(+), 90 deletions(-)
++
++diff --git a/doc/man/man3/seccomp_init.3 b/doc/man/man3/seccomp_init.3
++index 3ab68fef..87520cd3 100644
++--- a/doc/man/man3/seccomp_init.3
+++++ b/doc/man/man3/seccomp_init.3
++@@ -36,7 +36,15 @@ The
++ function releases the existing filter context state before reinitializing it
++ and can only be called after a call to
++ .BR seccomp_init ()
++-has succeeded.
+++has succeeded. If
+++.BR seccomp_reset ()
+++is called with a NULL filter, it resets the library's global task state;
+++normally this is not needed, but it may be required to continue using the
+++library after a
+++.BR fork ()
+++or
+++.BR clone ()
+++call to ensure the API level and user notification state is properly reset.
++ .P
++ When the caller is finished configuring the seccomp filter and has loaded it
++ into the kernel, the caller should call
++diff --git a/doc/man/man3/seccomp_notify_alloc.3 b/doc/man/man3/seccomp_notify_alloc.3
++index 50c89706..cb1c0480 100644
++--- a/doc/man/man3/seccomp_notify_alloc.3
+++++ b/doc/man/man3/seccomp_notify_alloc.3
++@@ -59,7 +59,8 @@ returns the notification fd of a filter after it has been loaded.
++ .\" //////////////////////////////////////////////////////////////////////////
++ The
++ .BR seccomp_notify_fd ()
++-returns the notification fd of the loaded filter.
+++returns the notification fd of the loaded filter, -1 if a notification fd has
+++not yet been created, and -EINVAL if the filter context is invalid.
++ .P
++ The
++ .BR seccomp_notify_id_valid ()
++diff --git a/src/api.c b/src/api.c
++index 00975ad5..5cec0883 100644
++--- a/src/api.c
+++++ b/src/api.c
++@@ -301,10 +301,18 @@ API int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action)
++ {
++ struct db_filter_col *col = (struct db_filter_col *)ctx;
++
++- /* use a NULL filter collection here since we are resetting it */
++- if (ctx == NULL || db_col_action_valid(NULL, def_action) < 0)
+++ /* a NULL filter context indicates we are resetting the global state */
+++ if (ctx == NULL) {
+++ /* reset the global state and redetermine the api level */
+++ sys_reset_state();
+++ _seccomp_api_update();
+++ return _rc_filter(0);
+++ }
+++ /* ensure the default action is valid */
+++ if (db_col_action_valid(NULL, def_action) < 0)
++ return _rc_filter(-EINVAL);
++
+++ /* reset the filter */
++ return _rc_filter(db_col_reset(col, def_action));
++ }
++
++@@ -675,16 +683,17 @@ API int seccomp_notify_id_valid(int fd, uint64_t id)
++ /* NOTE - function header comment in include/seccomp.h */
++ API int seccomp_notify_fd(const scmp_filter_ctx ctx)
++ {
++- struct db_filter_col *col;
+++ /* NOTE: for historical reasons, and possibly future use, we require a
+++ * valid filter context even though we don't actual use it here; the
+++ * api update is also not strictly necessary, but keep it for now */
++
++ /* force a runtime api level detection */
++ _seccomp_api_update();
++
++ if (_ctx_valid(ctx))
++ return _rc_filter(-EINVAL);
++- col = (struct db_filter_col *)ctx;
++
++- return _rc_filter(col->notify_fd);
+++ return _rc_filter(sys_notify_fd());
++ }
++
++ /* NOTE - function header comment in include/seccomp.h */
++diff --git a/src/db.c b/src/db.c
++index 4a87ea36..836171ae 100644
++--- a/src/db.c
+++++ b/src/db.c
++@@ -1057,7 +1057,6 @@ int db_col_reset(struct db_filter_col *col, uint32_t def_action)
++ if (col->filters)
++ free(col->filters);
++ col->filters = NULL;
++- col->notify_fd = -1;
++
++ /* set the endianess to undefined */
++ col->endian = 0;
++diff --git a/src/db.h b/src/db.h
++index b96b1049..765c607e 100644
++--- a/src/db.h
+++++ b/src/db.h
++@@ -160,8 +160,7 @@ struct db_filter_col {
++ /* transaction snapshots */
++ struct db_filter_snap *snapshots;
++
++- /* notification fd that was returned from seccomp() */
++- int notify_fd;
+++ /* userspace notification */
++ bool notify_used;
++ };
++
++diff --git a/src/system.c b/src/system.c
++index 6cdfc16a..3b43b2a9 100644
++--- a/src/system.c
+++++ b/src/system.c
++@@ -40,16 +40,61 @@
++ * our next release we may have to enable the allowlist */
++ #define SYSCALL_ALLOWLIST_ENABLE 0
++
++-static int _nr_seccomp = -1;
++-static int _support_seccomp_syscall = -1;
++-static int _support_seccomp_flag_tsync = -1;
++-static int _support_seccomp_flag_log = -1;
++-static int _support_seccomp_action_log = -1;
++-static int _support_seccomp_kill_process = -1;
++-static int _support_seccomp_flag_spec_allow = -1;
++-static int _support_seccomp_flag_new_listener = -1;
++-static int _support_seccomp_user_notif = -1;
++-static int _support_seccomp_flag_tsync_esrch = -1;
+++/* task global state */
+++struct task_state {
+++ /* seccomp(2) syscall */
+++ int nr_seccomp;
+++
+++ /* userspace notification fd */
+++ int notify_fd;
+++
+++ /* runtime support flags */
+++ int sup_syscall;
+++ int sup_flag_tsync;
+++ int sup_flag_log;
+++ int sup_action_log;
+++ int sup_kill_process;
+++ int sup_flag_spec_allow;
+++ int sup_flag_new_listener;
+++ int sup_user_notif;
+++ int sup_flag_tsync_esrch;
+++};
+++static struct task_state state = {
+++ .nr_seccomp = -1,
+++
+++ .notify_fd = -1,
+++
+++ .sup_syscall = -1,
+++ .sup_flag_tsync = -1,
+++ .sup_flag_log = -1,
+++ .sup_action_log = -1,
+++ .sup_kill_process = -1,
+++ .sup_flag_spec_allow = -1,
+++ .sup_flag_new_listener = -1,
+++ .sup_user_notif = -1,
+++ .sup_flag_tsync_esrch = -1,
+++};
+++
+++/**
+++ * Reset the task state
+++ *
+++ * This function fully resets the library's global "system task state".
+++ *
+++ */
+++void sys_reset_state(void)
+++{
+++ state.nr_seccomp = -1;
+++ state.notify_fd = -1;
+++ state.sup_syscall = -1;
+++ state.sup_flag_tsync = -1;
+++ state.sup_flag_log = -1;
+++ state.sup_action_log = -1;
+++ state.sup_kill_process = -1;
+++ state.sup_flag_spec_allow = -1;
+++ state.sup_flag_new_listener = -1;
+++ state.sup_user_notif = -1;
+++ state.sup_flag_tsync_esrch = -1;
+++}
++
++ /**
++ * Check to see if the seccomp() syscall is supported
++@@ -68,8 +113,8 @@ int sys_chk_seccomp_syscall(void)
++ /* NOTE: it is reasonably safe to assume that we should be able to call
++ * seccomp() when the caller first starts, but we can't rely on
++ * it later so we need to cache our findings for use later */
++- if (_support_seccomp_syscall >= 0)
++- return _support_seccomp_syscall;
+++ if (state.sup_syscall >= 0)
+++ return state.sup_syscall;
++
++ #if SYSCALL_ALLOWLIST_ENABLE
++ /* architecture allowlist */
++@@ -100,11 +145,11 @@ int sys_chk_seccomp_syscall(void)
++ goto supported;
++
++ unsupported:
++- _support_seccomp_syscall = 0;
+++ state.sup_syscall = 0;
++ return 0;
++ supported:
++- _nr_seccomp = nr_seccomp;
++- _support_seccomp_syscall = 1;
+++ state.nr_seccomp = nr_seccomp;
+++ state.sup_syscall = 1;
++ return 1;
++ }
++
++@@ -118,7 +163,7 @@ int sys_chk_seccomp_syscall(void)
++ */
++ void sys_set_seccomp_syscall(bool enable)
++ {
++- _support_seccomp_syscall = (enable ? 1 : 0);
+++ state.sup_syscall = (enable ? 1 : 0);
++ }
++
++ /**
++@@ -132,16 +177,16 @@ void sys_set_seccomp_syscall(bool enable)
++ int sys_chk_seccomp_action(uint32_t action)
++ {
++ if (action == SCMP_ACT_KILL_PROCESS) {
++- if (_support_seccomp_kill_process < 0) {
+++ if (state.sup_kill_process < 0) {
++ if (sys_chk_seccomp_syscall() == 1 &&
++- syscall(_nr_seccomp, SECCOMP_GET_ACTION_AVAIL, 0,
++- &action) == 0)
++- _support_seccomp_kill_process = 1;
+++ syscall(state.nr_seccomp,
+++ SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0)
+++ state.sup_kill_process = 1;
++ else
++- _support_seccomp_kill_process = 0;
+++ state.sup_kill_process = 0;
++ }
++
++- return _support_seccomp_kill_process;
+++ return state.sup_kill_process;
++ } else if (action == SCMP_ACT_KILL_THREAD) {
++ return 1;
++ } else if (action == SCMP_ACT_TRAP) {
++@@ -152,30 +197,30 @@ int sys_chk_seccomp_action(uint32_t action)
++ } else if (action == SCMP_ACT_TRACE(action & 0x0000ffff)) {
++ return 1;
++ } else if (action == SCMP_ACT_LOG) {
++- if (_support_seccomp_action_log < 0) {
+++ if (state.sup_action_log < 0) {
++ if (sys_chk_seccomp_syscall() == 1 &&
++- syscall(_nr_seccomp, SECCOMP_GET_ACTION_AVAIL, 0,
++- &action) == 0)
++- _support_seccomp_action_log = 1;
+++ syscall(state.nr_seccomp,
+++ SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0)
+++ state.sup_action_log = 1;
++ else
++- _support_seccomp_action_log = 0;
+++ state.sup_action_log = 0;
++ }
++
++- return _support_seccomp_action_log;
+++ return state.sup_action_log;
++ } else if (action == SCMP_ACT_ALLOW) {
++ return 1;
++ } else if (action == SCMP_ACT_NOTIFY) {
++- if (_support_seccomp_user_notif < 0) {
+++ if (state.sup_user_notif < 0) {
++ struct seccomp_notif_sizes sizes;
++ if (sys_chk_seccomp_syscall() == 1 &&
++- syscall(_nr_seccomp, SECCOMP_GET_NOTIF_SIZES, 0,
++- &sizes) == 0)
++- _support_seccomp_user_notif = 1;
+++ syscall(state.nr_seccomp,
+++ SECCOMP_GET_NOTIF_SIZES, 0, &sizes) == 0)
+++ state.sup_user_notif = 1;
++ else
++- _support_seccomp_user_notif = 0;
+++ state.sup_user_notif = 0;
++ }
++
++- return _support_seccomp_user_notif;
+++ return state.sup_user_notif;
++ }
++
++ return 0;
++@@ -193,13 +238,13 @@ void sys_set_seccomp_action(uint32_t action, bool enable)
++ {
++ switch (action) {
++ case SCMP_ACT_LOG:
++- _support_seccomp_action_log = (enable ? 1 : 0);
+++ state.sup_action_log = (enable ? 1 : 0);
++ break;
++ case SCMP_ACT_KILL_PROCESS:
++- _support_seccomp_kill_process = (enable ? 1 : 0);
+++ state.sup_kill_process = (enable ? 1 : 0);
++ break;
++ case SCMP_ACT_NOTIFY:
++- _support_seccomp_user_notif = (enable ? 1 : 0);
+++ state.sup_user_notif = (enable ? 1 : 0);
++ break;
++ }
++ }
++@@ -212,13 +257,14 @@ void sys_set_seccomp_action(uint32_t action, bool enable)
++ * Return one if the flag is supported, zero otherwise.
++ *
++ */
++-static int _sys_chk_seccomp_flag_kernel(int flag)
+++static int _sys_chk_flag_kernel(int flag)
++ {
++ /* this is an invalid seccomp(2) call because the last argument
++ * is NULL, but depending on the errno value of EFAULT we can
++ * guess if the filter flag is supported or not */
++ if (sys_chk_seccomp_syscall() == 1 &&
++- syscall(_nr_seccomp, SECCOMP_SET_MODE_FILTER, flag, NULL) == -1 &&
+++ syscall(state.nr_seccomp,
+++ SECCOMP_SET_MODE_FILTER, flag, NULL) == -1 &&
++ errno == EFAULT)
++ return 1;
++
++@@ -238,29 +284,25 @@ int sys_chk_seccomp_flag(int flag)
++ {
++ switch (flag) {
++ case SECCOMP_FILTER_FLAG_TSYNC:
++- if (_support_seccomp_flag_tsync < 0)
++- _support_seccomp_flag_tsync = _sys_chk_seccomp_flag_kernel(flag);
++-
++- return _support_seccomp_flag_tsync;
+++ if (state.sup_flag_tsync < 0)
+++ state.sup_flag_tsync = _sys_chk_flag_kernel(flag);
+++ return state.sup_flag_tsync;
++ case SECCOMP_FILTER_FLAG_LOG:
++- if (_support_seccomp_flag_log < 0)
++- _support_seccomp_flag_log = _sys_chk_seccomp_flag_kernel(flag);
++-
++- return _support_seccomp_flag_log;
+++ if (state.sup_flag_log < 0)
+++ state.sup_flag_log = _sys_chk_flag_kernel(flag);
+++ return state.sup_flag_log;
++ case SECCOMP_FILTER_FLAG_SPEC_ALLOW:
++- if (_support_seccomp_flag_spec_allow < 0)
++- _support_seccomp_flag_spec_allow = _sys_chk_seccomp_flag_kernel(flag);
++-
++- return _support_seccomp_flag_spec_allow;
+++ if (state.sup_flag_spec_allow < 0)
+++ state.sup_flag_spec_allow = _sys_chk_flag_kernel(flag);
+++ return state.sup_flag_spec_allow;
++ case SECCOMP_FILTER_FLAG_NEW_LISTENER:
++- if (_support_seccomp_flag_new_listener < 0)
++- _support_seccomp_flag_new_listener = _sys_chk_seccomp_flag_kernel(flag);
++-
++- return _support_seccomp_flag_new_listener;
+++ if (state.sup_flag_new_listener < 0)
+++ state.sup_flag_new_listener = _sys_chk_flag_kernel(flag);
+++ return state.sup_flag_new_listener;
++ case SECCOMP_FILTER_FLAG_TSYNC_ESRCH:
++- if (_support_seccomp_flag_tsync_esrch < 0)
++- _support_seccomp_flag_tsync_esrch = _sys_chk_seccomp_flag_kernel(flag);
++- return _support_seccomp_flag_tsync_esrch;
+++ if (state.sup_flag_tsync_esrch < 0)
+++ state.sup_flag_tsync_esrch = _sys_chk_flag_kernel(flag);
+++ return state.sup_flag_tsync_esrch;
++ }
++
++ return -EOPNOTSUPP;
++@@ -279,19 +321,19 @@ void sys_set_seccomp_flag(int flag, bool enable)
++ {
++ switch (flag) {
++ case SECCOMP_FILTER_FLAG_TSYNC:
++- _support_seccomp_flag_tsync = (enable ? 1 : 0);
+++ state.sup_flag_tsync = (enable ? 1 : 0);
++ break;
++ case SECCOMP_FILTER_FLAG_LOG:
++- _support_seccomp_flag_log = (enable ? 1 : 0);
+++ state.sup_flag_log = (enable ? 1 : 0);
++ break;
++ case SECCOMP_FILTER_FLAG_SPEC_ALLOW:
++- _support_seccomp_flag_spec_allow = (enable ? 1 : 0);
+++ state.sup_flag_spec_allow = (enable ? 1 : 0);
++ break;
++ case SECCOMP_FILTER_FLAG_NEW_LISTENER:
++- _support_seccomp_flag_new_listener = (enable ? 1 : 0);
+++ state.sup_flag_new_listener = (enable ? 1 : 0);
++ break;
++ case SECCOMP_FILTER_FLAG_TSYNC_ESRCH:
++- _support_seccomp_flag_tsync_esrch = (enable ? 1 : 0);
+++ state.sup_flag_tsync_esrch = (enable ? 1 : 0);
++ break;
++ }
++ }
++@@ -324,7 +366,7 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc)
++ goto filter_load_out;
++ }
++
++- tsync_notify = (_support_seccomp_flag_tsync_esrch > 0);
+++ tsync_notify = state.sup_flag_tsync_esrch > 0 && state.notify_fd == -1;
++
++ /* load the filter into the kernel */
++ if (sys_chk_seccomp_syscall() == 1) {
++@@ -333,28 +375,29 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc)
++ if (col->attr.tsync_enable)
++ flgs |= SECCOMP_FILTER_FLAG_TSYNC | \
++ SECCOMP_FILTER_FLAG_TSYNC_ESRCH;
++- if (_support_seccomp_user_notif > 0)
+++ if (state.sup_user_notif > 0)
++ flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
++ } else if (col->attr.tsync_enable)
++ flgs |= SECCOMP_FILTER_FLAG_TSYNC;
++- else if (_support_seccomp_user_notif > 0)
+++ else if (state.sup_user_notif > 0 && state.notify_fd == -1)
++ flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
++ if (col->attr.log_enable)
++ flgs |= SECCOMP_FILTER_FLAG_LOG;
++ if (col->attr.spec_allow)
++ flgs |= SECCOMP_FILTER_FLAG_SPEC_ALLOW;
++- rc = syscall(_nr_seccomp, SECCOMP_SET_MODE_FILTER, flgs, prgm);
+++ rc = syscall(state.nr_seccomp,
+++ SECCOMP_SET_MODE_FILTER, flgs, prgm);
++ if (tsync_notify && rc > 0) {
++ /* return 0 on NEW_LISTENER success, but save the fd */
++- col->notify_fd = rc;
+++ state.notify_fd = rc;
++ rc = 0;
++ } else if (rc > 0 && col->attr.tsync_enable) {
++ /* always return -ESRCH if we fail to sync threads */
++ errno = ESRCH;
++ rc = -errno;
++- } else if (rc > 0 && _support_seccomp_user_notif > 0) {
+++ } else if (rc > 0 && state.sup_user_notif > 0) {
++ /* return 0 on NEW_LISTENER success, but save the fd */
++- col->notify_fd = rc;
+++ state.notify_fd = rc;
++ rc = 0;
++ }
++ } else
++@@ -370,6 +413,19 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc)
++ return rc;
++ }
++
+++/**
+++ * Return the userspace notification fd
+++ *
+++ * This function returns the userspace notification fd from
+++ * SECCOMP_FILTER_FLAG_NEW_LISTENER. If the notification fd has not yet been
+++ * set, or an error has occurred, -1 is returned.
+++ *
+++ */
+++int sys_notify_fd(void)
+++{
+++ return state.notify_fd;
+++}
+++
++ /**
++ * Allocate a pair of notification request/response structures
++ * @param req the request location
++@@ -386,7 +442,7 @@ int sys_notify_alloc(struct seccomp_notif **req,
++ int rc;
++ static struct seccomp_notif_sizes sizes = { 0, 0, 0 };
++
++- if (_support_seccomp_syscall <= 0)
+++ if (state.sup_syscall <= 0)
++ return -EOPNOTSUPP;
++
++ if (sizes.seccomp_notif == 0 && sizes.seccomp_notif_resp == 0) {
++@@ -427,7 +483,7 @@ int sys_notify_alloc(struct seccomp_notif **req,
++ */
++ int sys_notify_receive(int fd, struct seccomp_notif *req)
++ {
++- if (_support_seccomp_user_notif <= 0)
+++ if (state.sup_user_notif <= 0)
++ return -EOPNOTSUPP;
++
++ if (ioctl(fd, SECCOMP_IOCTL_NOTIF_RECV, req) < 0)
++@@ -448,7 +504,7 @@ int sys_notify_receive(int fd, struct seccomp_notif *req)
++ */
++ int sys_notify_respond(int fd, struct seccomp_notif_resp *resp)
++ {
++- if (_support_seccomp_user_notif <= 0)
+++ if (state.sup_user_notif <= 0)
++ return -EOPNOTSUPP;
++
++ if (ioctl(fd, SECCOMP_IOCTL_NOTIF_SEND, resp) < 0)
++@@ -467,7 +523,7 @@ int sys_notify_respond(int fd, struct seccomp_notif_resp *resp)
++ */
++ int sys_notify_id_valid(int fd, uint64_t id)
++ {
++- if (_support_seccomp_user_notif <= 0)
+++ if (state.sup_user_notif <= 0)
++ return -EOPNOTSUPP;
++
++ if (ioctl(fd, SECCOMP_IOCTL_NOTIF_ID_VALID, &id) < 0)
++diff --git a/src/system.h b/src/system.h
++index 133f9b11..096f3cad 100644
++--- a/src/system.h
+++++ b/src/system.h
++@@ -182,6 +182,8 @@ struct seccomp_notif_resp {
++ #define SECCOMP_IOCTL_NOTIF_ID_VALID SECCOMP_IOR(2, __u64)
++ #endif /* SECCOMP_RET_USER_NOTIF */
++
+++void sys_reset_state(void);
+++
++ int sys_chk_seccomp_syscall(void);
++ void sys_set_seccomp_syscall(bool enable);
++
++@@ -193,6 +195,7 @@ void sys_set_seccomp_flag(int flag, bool enable);
++
++ int sys_filter_load(struct db_filter_col *col, bool rawrc);
++
+++int sys_notify_fd(void);
++ int sys_notify_alloc(struct seccomp_notif **req,
++ struct seccomp_notif_resp **resp);
++ int sys_notify_receive(int fd, struct seccomp_notif *req);
++diff --git a/tests/11-basic-basic_errors.c b/tests/11-basic-basic_errors.c
++index d3b22566..da059df2 100644
++--- a/tests/11-basic-basic_errors.c
+++++ b/tests/11-basic-basic_errors.c
++@@ -41,12 +41,9 @@ int main(int argc, char *argv[])
++ seccomp_release(ctx);
++ ctx = NULL;
++
++- /* seccomp_reset error */
++- rc = seccomp_reset(ctx, SCMP_ACT_KILL + 1);
++- if (rc != -EINVAL)
++- return -1;
++- rc = seccomp_reset(ctx, SCMP_ACT_KILL);
++- if (rc != -EINVAL)
+++ /* ensure that seccomp_reset(NULL, ...) is accepted */
+++ rc = seccomp_reset(NULL, SCMP_ACT_ALLOW);
+++ if (rc != 0)
++ return -1;
++
++ /* seccomp_load error */
++diff --git a/tests/51-live-user_notification.c b/tests/51-live-user_notification.c
++index 4340194c..4847d8b1 100644
++--- a/tests/51-live-user_notification.c
+++++ b/tests/51-live-user_notification.c
++@@ -99,6 +99,27 @@ int main(int argc, char *argv[])
++ goto out;
++ }
++
+++ rc = seccomp_reset(ctx, SCMP_ACT_ALLOW);
+++ if (rc < 0)
+++ goto out;
+++
+++ rc = seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(getppid), 0, NULL);
+++ if (rc)
+++ goto out;
+++
+++ rc = seccomp_load(ctx);
+++ if (rc < 0)
+++ goto out;
+++
+++ rc = seccomp_notify_fd(ctx);
+++ if (rc < 0)
+++ goto out;
+++ if (rc != fd) {
+++ rc = -EFAULT;
+++ goto out;
+++ } else
+++ rc = 0;
+++
++ out:
++ if (fd >= 0)
++ close(fd);
++diff --git a/tests/51-live-user_notification.py b/tests/51-live-user_notification.py
++index 0d81f5e1..3449c44c 100755
++--- a/tests/51-live-user_notification.py
+++++ b/tests/51-live-user_notification.py
++@@ -52,6 +52,10 @@ def test():
++ raise RuntimeError("Child process error")
++ if os.WEXITSTATUS(rc) != 0:
++ raise RuntimeError("Child process error")
+++ f.reset(ALLOW)
+++ f.add_rule(NOTIFY, "getppid")
+++ f.load()
+++ # no easy way to check the notification fd here
++ quit(160)
++
++ test()
--- /dev/null
--- /dev/null
++From d1482eaf5a3643f73bc7f599876e7000c502b3d5 Mon Sep 17 00:00:00 2001
++From: Paul Moore <paul@paul-moore.com>
++Date: Sun, 16 Aug 2020 09:56:36 -0400
++Subject: [PATCH] arch: ensure we don't "munge" pseudo syscall numbers
++
++A number of arches/ABIs have either syscall offsets (the MIPS
++family) or specific bits (x32) which are applied to their normal
++syscall numbers. We generally handle that via "munging" in
++libseccomp, and it works reasonably well. Unfortunately we were
++applying this munging process to the negative pseudo syscall
++numbers as well and this was causing problems.
++
++This patch fixes the various offset/bit arches/ABIs by not applying
++the munging to the negative pseudo syscall numbers.
++
++This resolves GH issue #284:
++* https://github.com/seccomp/libseccomp/issues/284
++
++Reported-by: Harald van Dijk <harald@gigawatt.nl>
++Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
++Signed-off-by: Paul Moore <paul@paul-moore.com>
++(imported from commit 34cde704979defcbddb8eea64295acf0e477c250)
++---
++ src/arch-arm.c | 8 ++++++--
++ src/arch-mips.c | 8 ++++++--
++ src/arch-mips64.c | 8 ++++++--
++ src/arch-mips64n32.c | 8 ++++++--
++ src/arch-x32.c | 8 ++++++--
++ 5 files changed, 30 insertions(+), 10 deletions(-)
++
++diff --git a/src/arch-arm.c b/src/arch-arm.c
++index 4dd4b631..9c9153ae 100644
++--- a/src/arch-arm.c
+++++ b/src/arch-arm.c
++@@ -50,8 +50,9 @@ int arm_syscall_resolve_name_munge(const char *name)
++ {
++ int sys;
++
+++ /* NOTE: we don't want to modify the pseudo-syscall numbers */
++ sys = arm_syscall_resolve_name(name);
++- if (sys == __NR_SCMP_ERROR)
+++ if (sys == __NR_SCMP_ERROR || sys < 0)
++ return sys;
++
++ return (sys | __SCMP_NR_BASE);
++@@ -68,7 +69,10 @@ int arm_syscall_resolve_name_munge(const char *name)
++ */
++ const char *arm_syscall_resolve_num_munge(int num)
++ {
++- return arm_syscall_resolve_num(num & (~__SCMP_NR_BASE));
+++ /* NOTE: we don't want to modify the pseudo-syscall numbers */
+++ if (num >= 0)
+++ num &= ~__SCMP_NR_BASE;
+++ return arm_syscall_resolve_num(num);
++ }
++
++ const struct arch_def arch_def_arm = {
++diff --git a/src/arch-mips.c b/src/arch-mips.c
++index f0e6a143..06741c7f 100644
++--- a/src/arch-mips.c
+++++ b/src/arch-mips.c
++@@ -43,8 +43,9 @@ int mips_syscall_resolve_name_munge(const char *name)
++ {
++ int sys;
++
+++ /* NOTE: we don't want to modify the pseudo-syscall numbers */
++ sys = mips_syscall_resolve_name(name);
++- if (sys == __NR_SCMP_ERROR)
+++ if (sys == __NR_SCMP_ERROR || sys < 0)
++ return sys;
++
++ return sys + __SCMP_NR_BASE;
++@@ -61,7 +62,10 @@ int mips_syscall_resolve_name_munge(const char *name)
++ */
++ const char *mips_syscall_resolve_num_munge(int num)
++ {
++- return mips_syscall_resolve_num(num - __SCMP_NR_BASE);
+++ /* NOTE: we don't want to modify the pseudo-syscall numbers */
+++ if (num >= __SCMP_NR_BASE)
+++ num -= __SCMP_NR_BASE;
+++ return mips_syscall_resolve_num(num);
++ }
++
++ const struct arch_def arch_def_mips = {
++diff --git a/src/arch-mips64.c b/src/arch-mips64.c
++index 9707d1c5..342d0d88 100644
++--- a/src/arch-mips64.c
+++++ b/src/arch-mips64.c
++@@ -41,8 +41,9 @@ int mips64_syscall_resolve_name_munge(const char *name)
++ {
++ int sys;
++
+++ /* NOTE: we don't want to modify the pseudo-syscall numbers */
++ sys = mips64_syscall_resolve_name(name);
++- if (sys == __NR_SCMP_ERROR)
+++ if (sys == __NR_SCMP_ERROR || sys < 0)
++ return sys;
++
++ return sys + __SCMP_NR_BASE;
++@@ -59,7 +60,10 @@ int mips64_syscall_resolve_name_munge(const char *name)
++ */
++ const char *mips64_syscall_resolve_num_munge(int num)
++ {
++- return mips64_syscall_resolve_num(num - __SCMP_NR_BASE);
+++ /* NOTE: we don't want to modify the pseudo-syscall numbers */
+++ if (num >= __SCMP_NR_BASE)
+++ num -= __SCMP_NR_BASE;
+++ return mips64_syscall_resolve_num(num);
++ }
++
++ const struct arch_def arch_def_mips64 = {
++diff --git a/src/arch-mips64n32.c b/src/arch-mips64n32.c
++index f8088aee..098864be 100644
++--- a/src/arch-mips64n32.c
+++++ b/src/arch-mips64n32.c
++@@ -43,8 +43,9 @@ int mips64n32_syscall_resolve_name_munge(const char *name)
++ {
++ int sys;
++
+++ /* NOTE: we don't want to modify the pseudo-syscall numbers */
++ sys = mips64n32_syscall_resolve_name(name);
++- if (sys == __NR_SCMP_ERROR)
+++ if (sys == __NR_SCMP_ERROR || sys < 0)
++ return sys;
++
++ return sys + __SCMP_NR_BASE;
++@@ -61,7 +62,10 @@ int mips64n32_syscall_resolve_name_munge(const char *name)
++ */
++ const char *mips64n32_syscall_resolve_num_munge(int num)
++ {
++- return mips64n32_syscall_resolve_num(num - __SCMP_NR_BASE);
+++ /* NOTE: we don't want to modify the pseudo-syscall numbers */
+++ if (num >= __SCMP_NR_BASE)
+++ num -= __SCMP_NR_BASE;
+++ return mips64n32_syscall_resolve_num(num);
++ }
++
++ const struct arch_def arch_def_mips64n32 = {
++diff --git a/src/arch-x32.c b/src/arch-x32.c
++index 38909681..50c502ee 100644
++--- a/src/arch-x32.c
+++++ b/src/arch-x32.c
++@@ -39,8 +39,9 @@ int x32_syscall_resolve_name_munge(const char *name)
++ {
++ int sys;
++
+++ /* NOTE: we don't want to modify the pseudo-syscall numbers */
++ sys = x32_syscall_resolve_name(name);
++- if (sys == __NR_SCMP_ERROR)
+++ if (sys == __NR_SCMP_ERROR || sys < 0)
++ return sys;
++
++ return (sys | X32_SYSCALL_BIT);
++@@ -57,7 +58,10 @@ int x32_syscall_resolve_name_munge(const char *name)
++ */
++ const char *x32_syscall_resolve_num_munge(int num)
++ {
++- return x32_syscall_resolve_num(num & (~X32_SYSCALL_BIT));
+++ /* NOTE: we don't want to modify the pseudo-syscall numbers */
+++ if (num >= 0)
+++ num &= ~X32_SYSCALL_BIT;
+++ return x32_syscall_resolve_num(num);
++ }
++
++ const struct arch_def arch_def_x32 = {
--- /dev/null
--- /dev/null
++From 3e1a828777f097e55cd831cf7e7f617057c801c5 Mon Sep 17 00:00:00 2001
++From: Paul Moore <paul@paul-moore.com>
++Date: Sun, 2 Aug 2020 09:57:39 -0400
++Subject: [PATCH] build: undefine "mips" to prevent build problems for MIPS
++ targets
++
++It turns out that the MIPS GCC compiler defines a "mips" cpp macro
++which was resulting in build failures on MIPS so we need to
++undefine the "mips" macro during build. As this should be safe
++to do in all architectures, just add it to the compiler flags by
++default.
++
++This was reported in the following GH issue:
++* https://github.com/seccomp/libseccomp/issues/274
++
++Reported-by: Rongwei Zhang <pudh4418@gmail.com>
++Suggested-by: Rongwei Zhang <pudh4418@gmail.com>
++Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
++Signed-off-by: Paul Moore <paul@paul-moore.com>
++(imported from commit 5cd9059618a0810ee47c21e6b44c5a876b75e23d)
++---
++ configure.ac | 4 +++-
++ src/Makefile.am | 2 +-
++ 2 files changed, 4 insertions(+), 2 deletions(-)
++
++diff --git a/configure.ac b/configure.ac
++index d47c25ca..7b91c7af 100644
++--- a/configure.ac
+++++ b/configure.ac
++@@ -65,9 +65,11 @@ m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
++
++ dnl ####
++ dnl build flags
+++dnl NOTE: the '-Umips' is here because MIPS GCC compilers "helpfully" define it
+++dnl for us which wreaks havoc on the build
++ dnl ####
++ AM_CPPFLAGS="-I\${top_srcdir}/include -I\${top_builddir}/include"
++-AM_CFLAGS="-Wall"
+++AM_CFLAGS="-Wall -Umips"
++ AM_LDFLAGS="-Wl,-z -Wl,relro"
++ AC_SUBST([AM_CPPFLAGS])
++ AC_SUBST([AM_CFLAGS])
++diff --git a/src/Makefile.am b/src/Makefile.am
++index 8d8b97ff..10154e14 100644
++--- a/src/Makefile.am
+++++ b/src/Makefile.am
++@@ -61,7 +61,7 @@ lib_LTLIBRARIES = libseccomp.la
++ arch_syscall_dump_SOURCES = arch-syscall-dump.c ${SOURCES_ALL}
++
++ arch_syscall_check_SOURCES = arch-syscall-check.c ${SOURCES_ALL}
++-arch_syscall_check_CFLAGS = ${CODE_COVERAGE_CFLAGS}
+++arch_syscall_check_CFLAGS = ${AM_CFLAGS} ${CODE_COVERAGE_CFLAGS}
++ arch_syscall_check_LDFLAGS = ${CODE_COVERAGE_LDFLAGS}
++
++ libseccomp_la_SOURCES = ${SOURCES_ALL}
--- /dev/null
--- /dev/null
++all_only_request_the_userspace_notification_fd_once.patch
++system_change_our_notification_fd_handling.patch
++build_undefine_mips_to_prevent_build_problems.patch
++tests_use_openat_and_fstat_instead_of_open_and_stat_syscalls.patch
++arch_ensure_we_dont_munge_pseudo_syscall_numbers.patch
--- /dev/null
--- /dev/null
++From 1db3b323d8b61eb83a186013422e57b75b18ace0 Mon Sep 17 00:00:00 2001
++From: Paul Moore <paul@paul-moore.com>
++Date: Tue, 4 Aug 2020 10:52:08 -0400
++Subject: [PATCH] system: change our notification fd handling
++
++This commit changes how we handle the notification fd by only
++requesting it via _NEW_LISTENER if the filter has a _NOTIFY action
++in it. We also augment the seccomp_reset(NULL, ...) behavior so
++that it closes the notification fd before resetting the global
++state; applications that need to keep their notification fd open
++across a call to seccomp_reset(NULL, ...) can simply dup() it.
++Although one would have to wonder why the application would be
++calling seccomp_reset(NULL, ...) in that case.
++
++Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
++Signed-off-by: Paul Moore <paul@paul-moore.com>
++(imported from commit 02812f99e8d1df2e671dac675b4af663d0266303)
++---
++ doc/man/man3/seccomp_init.3 | 6 ++++--
++ src/system.c | 18 +++++++++++++++---
++ 2 files changed, 19 insertions(+), 5 deletions(-)
++
++diff --git a/doc/man/man3/seccomp_init.3 b/doc/man/man3/seccomp_init.3
++index 87520cd3..7881c357 100644
++--- a/doc/man/man3/seccomp_init.3
+++++ b/doc/man/man3/seccomp_init.3
++@@ -38,8 +38,10 @@ and can only be called after a call to
++ .BR seccomp_init ()
++ has succeeded. If
++ .BR seccomp_reset ()
++-is called with a NULL filter, it resets the library's global task state;
++-normally this is not needed, but it may be required to continue using the
+++is called with a NULL filter, it resets the library's global task state,
+++including any notification file descriptors retrieved by
+++.BR seccomp_notify_fd(3) .
+++Normally this is not needed, but it may be required to continue using the
++ library after a
++ .BR fork ()
++ or
++diff --git a/src/system.c b/src/system.c
++index 3b43b2a9..c646c65e 100644
++--- a/src/system.c
+++++ b/src/system.c
++@@ -84,7 +84,11 @@ static struct task_state state = {
++ void sys_reset_state(void)
++ {
++ state.nr_seccomp = -1;
+++
+++ if (state.notify_fd > 0)
+++ close(state.notify_fd);
++ state.notify_fd = -1;
+++
++ state.sup_syscall = -1;
++ state.sup_flag_tsync = -1;
++ state.sup_flag_log = -1;
++@@ -353,6 +357,7 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc)
++ {
++ int rc;
++ bool tsync_notify;
+++ bool listener_req;
++ struct bpf_program *prgm = NULL;
++
++ rc = gen_bpf_generate(col, &prgm);
++@@ -367,6 +372,8 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc)
++ }
++
++ tsync_notify = state.sup_flag_tsync_esrch > 0 && state.notify_fd == -1;
+++ listener_req = state.sup_user_notif > 0 && \
+++ col->notify_used && state.notify_fd == -1;
++
++ /* load the filter into the kernel */
++ if (sys_chk_seccomp_syscall() == 1) {
++@@ -375,11 +382,16 @@ int sys_filter_load(struct db_filter_col *col, bool rawrc)
++ if (col->attr.tsync_enable)
++ flgs |= SECCOMP_FILTER_FLAG_TSYNC | \
++ SECCOMP_FILTER_FLAG_TSYNC_ESRCH;
++- if (state.sup_user_notif > 0)
+++ if (listener_req)
++ flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
++- } else if (col->attr.tsync_enable)
+++ } else if (col->attr.tsync_enable) {
+++ if (listener_req) {
+++ /* NOTE: we _should_ catch this in db.c */
+++ rc = -EFAULT;
+++ goto filter_load_out;
+++ }
++ flgs |= SECCOMP_FILTER_FLAG_TSYNC;
++- else if (state.sup_user_notif > 0 && state.notify_fd == -1)
+++ } else if (listener_req)
++ flgs |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
++ if (col->attr.log_enable)
++ flgs |= SECCOMP_FILTER_FLAG_LOG;
--- /dev/null
--- /dev/null
++From cc580a514f05a7fc1f412f66ed002dd8aee89618 Mon Sep 17 00:00:00 2001
++From: Andreas Schwab <schwab@suse.de>
++Date: Tue, 18 Aug 2020 15:59:54 +0200
++Subject: [PATCH] tests: use openat and fstat instead of open and stat syscalls
++ in tests 04 and 06
++
++Architectures like aarch64 and riscv64, and all future architectures that
++use the generic syscall table, do not support the open and stat syscalls.
++Use the openat and fstat syscalls instead.
++
++Signed-off-by: Andreas Schwab <schwab@suse.de>
++Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
++Signed-off-by: Paul Moore <paul@paul-moore.com>
++(imported from commit a317fabc1fd915f19f7e7326bf7dcb77493f1210)
++---
++ tests/04-sim-multilevel_chains.c | 2 +-
++ tests/04-sim-multilevel_chains.py | 2 +-
++ tests/04-sim-multilevel_chains.tests | 8 +++++---
++ tests/06-sim-actions.c | 4 ++--
++ tests/06-sim-actions.py | 4 ++--
++ tests/06-sim-actions.tests | 16 +++++++++-------
++ 6 files changed, 20 insertions(+), 16 deletions(-)
++
++diff --git a/tests/04-sim-multilevel_chains.c b/tests/04-sim-multilevel_chains.c
++index a660b40d..e3e4f9bd 100644
++--- a/tests/04-sim-multilevel_chains.c
+++++ b/tests/04-sim-multilevel_chains.c
++@@ -41,7 +41,7 @@ int main(int argc, char *argv[])
++ if (ctx == NULL)
++ return ENOMEM;
++
++- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
+++ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 0);
++ if (rc != 0)
++ goto out;
++
++diff --git a/tests/04-sim-multilevel_chains.py b/tests/04-sim-multilevel_chains.py
++index bcf1ee46..a5127a2b 100755
++--- a/tests/04-sim-multilevel_chains.py
+++++ b/tests/04-sim-multilevel_chains.py
++@@ -30,7 +30,7 @@
++
++ def test(args):
++ f = SyscallFilter(KILL)
++- f.add_rule(ALLOW, "open")
+++ f.add_rule(ALLOW, "openat")
++ f.add_rule(ALLOW, "close")
++ f.add_rule(ALLOW, "read",
++ Arg(0, EQ, sys.stdin.fileno()),
++diff --git a/tests/04-sim-multilevel_chains.tests b/tests/04-sim-multilevel_chains.tests
++index 6613f9a0..b6f75761 100644
++--- a/tests/04-sim-multilevel_chains.tests
+++++ b/tests/04-sim-multilevel_chains.tests
++@@ -8,7 +8,7 @@
++ test type: bpf-sim
++
++ # Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
++-04-sim-multilevel_chains all,-aarch64 open 0x856B008 4 N N N N ALLOW
+++04-sim-multilevel_chains all openat 0 0x856B008 4 N N N ALLOW
++ 04-sim-multilevel_chains all close 4 N N N N N ALLOW
++ 04-sim-multilevel_chains x86 read 0 0x856B008 0x7FFFFFFE N N N ALLOW
++ 04-sim-multilevel_chains x86_64 read 0 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW
++@@ -27,9 +27,11 @@ test type: bpf-sim
++ 04-sim-multilevel_chains all rt_sigreturn N N N N N N ALLOW
++ 04-sim-multilevel_chains x86 0-2 N N N N N N KILL
++ 04-sim-multilevel_chains x86 7-172 N N N N N N KILL
++-04-sim-multilevel_chains x86 174-350 N N N N N N KILL
+++04-sim-multilevel_chains x86 174-294 N N N N N N KILL
+++04-sim-multilevel_chains x86 296-350 N N N N N N KILL
++ 04-sim-multilevel_chains x86_64 4-14 N N N N N N KILL
++-04-sim-multilevel_chains x86_64 16-350 N N N N N N KILL
+++04-sim-multilevel_chains x86_64 16-256 N N N N N N KILL
+++04-sim-multilevel_chains x86_64 258-350 N N N N N N KILL
++
++ test type: bpf-sim-fuzz
++
++diff --git a/tests/06-sim-actions.c b/tests/06-sim-actions.c
++index 10b366c9..da636c94 100644
++--- a/tests/06-sim-actions.c
+++++ b/tests/06-sim-actions.c
++@@ -60,11 +60,11 @@ int main(int argc, char *argv[])
++ if (rc != 0)
++ goto out;
++
++- rc = seccomp_rule_add(ctx, SCMP_ACT_TRACE(1234), SCMP_SYS(open), 0);
+++ rc = seccomp_rule_add(ctx, SCMP_ACT_TRACE(1234), SCMP_SYS(openat), 0);
++ if (rc != 0)
++ goto out;
++
++- rc = seccomp_rule_add(ctx, SCMP_ACT_KILL_PROCESS, SCMP_SYS(stat), 0);
+++ rc = seccomp_rule_add(ctx, SCMP_ACT_KILL_PROCESS, SCMP_SYS(fstat), 0);
++ if (rc != 0)
++ goto out;
++
++diff --git a/tests/06-sim-actions.py b/tests/06-sim-actions.py
++index f14d6ed8..253061df 100755
++--- a/tests/06-sim-actions.py
+++++ b/tests/06-sim-actions.py
++@@ -37,8 +37,8 @@ def test(args):
++ f.add_rule(LOG, "rt_sigreturn")
++ f.add_rule(ERRNO(errno.EPERM), "write")
++ f.add_rule(TRAP, "close")
++- f.add_rule(TRACE(1234), "open")
++- f.add_rule(KILL_PROCESS, "stat")
+++ f.add_rule(TRACE(1234), "openat")
+++ f.add_rule(KILL_PROCESS, "fstat")
++ return f
++
++ args = util.get_opt()
++diff --git a/tests/06-sim-actions.tests b/tests/06-sim-actions.tests
++index b830917e..1ef38b32 100644
++--- a/tests/06-sim-actions.tests
+++++ b/tests/06-sim-actions.tests
++@@ -11,15 +11,17 @@ test type: bpf-sim
++ 06-sim-actions all read 4 0x856B008 80 N N N ALLOW
++ 06-sim-actions all write 1 0x856B008 N N N N ERRNO(1)
++ 06-sim-actions all close 4 N N N N N TRAP
++-06-sim-actions all,-aarch64 open 0x856B008 4 N N N N TRACE(1234)
++-06-sim-actions all,-aarch64 stat N N N N N N KILL_PROCESS
+++06-sim-actions all openat 0 0x856B008 4 N N N TRACE(1234)
+++06-sim-actions all fstat N N N N N N KILL_PROCESS
++ 06-sim-actions all rt_sigreturn N N N N N N LOG
++ 06-sim-actions x86 0-2 N N N N N N KILL
++-06-sim-actions x86 7-105 N N N N N N KILL
++-06-sim-actions x86 107-172 N N N N N N KILL
++-06-sim-actions x86 174-350 N N N N N N KILL
++-06-sim-actions x86_64 5-14 N N N N N N KILL
++-06-sim-actions x86_64 16-350 N N N N N N KILL
+++06-sim-actions x86 7-107 N N N N N N KILL
+++06-sim-actions x86 109-172 N N N N N N KILL
+++06-sim-actions x86 174-294 N N N N N N KILL
+++06-sim-actions x86 296-350 N N N N N N KILL
+++06-sim-actions x86_64 6-14 N N N N N N KILL
+++06-sim-actions x86_64 16-256 N N N N N N KILL
+++06-sim-actions x86_64 258-350 N N N N N N KILL
++
++ test type: bpf-sim-fuzz
++
--- /dev/null
--- /dev/null
++usr/lib/python2.*/dist-packages/seccomp.so
--- /dev/null
--- /dev/null
++usr/lib/python3.*/site-packages/seccomp.cpython-*.so
--- /dev/null
--- /dev/null
++#!/usr/bin/make -f
++# -*- makefile -*-
++
++# Uncomment this to turn on verbose mode.
++#export DH_VERBOSE=1
++
++# Enable verbose build details.
++export V=1
++
++include /usr/share/dpkg/architecture.mk
++
++%:
++ifeq ($(filter nopython,$(DEB_BUILD_PROFILES)),)
++ dh $@ --with python3
++else
++ dh $@
++endif
++
++ifeq ($(filter nopython,$(DEB_BUILD_PROFILES)),)
++
++override_dh_auto_install:
++ dh_auto_install
++ for pyver in `py3versions -s`; do \
++ set -e; \
++ if python3 -c "pyver='$$pyver'; exit(0 if float(pyver[6:]) >= 3.8 else 1)"; then \
++ export _PYTHON_SYSCONFIGDATA_NAME='_sysconfigdata__${DEB_HOST_ARCH_OS}_${DEB_HOST_MULTIARCH}'; \
++ else \
++ export _PYTHON_SYSCONFIGDATA_NAME='_sysconfigdata_m_${DEB_HOST_ARCH_OS}_${DEB_HOST_MULTIARCH}'; \
++ fi; \
++ dh_auto_configure -- --enable-python PYTHON=$$pyver; \
++ dh_auto_install --sourcedirectory=src/python -- PYTHON=$$pyver; \
++ done
++endif
++
++override_dh_auto_clean:
++ dh_auto_clean
++ rm -f regression.out
--- /dev/null
--- /dev/null
++usr/bin/*
--- /dev/null
--- /dev/null
++debian/tmp/usr/share/man/man1/*
--- /dev/null
--- /dev/null
++3.0 (quilt)
--- /dev/null
--- /dev/null
++SRCDIR="$(pwd)"
++
++mkdir "$AUTOPKGTEST_TMP/tests" "$AUTOPKGTEST_TMP/tools"
++cp -a tests/. "$AUTOPKGTEST_TMP/tests/"
++
++cd "$AUTOPKGTEST_TMP/tests"
++
++# build tools needed for tests
++for tool in scmp_api_level scmp_arch_detect scmp_sys_resolver; do
++ echo "Building $tool ..."
++ gcc -O2 -g "$SRCDIR/tools/$tool.c" "$SRCDIR/tools/util.c" -lseccomp -o ../tools/$tool
++done
--- /dev/null
--- /dev/null
++Tests: testsuite-live
++Depends: libseccomp-dev, build-essential
++Restrictions: isolation-machine
++
++Tests: testsuite-live-python3
++Depends: libseccomp-dev, build-essential, python3-seccomp
++Restrictions: isolation-machine, allow-stderr
--- /dev/null
--- /dev/null
++#!/bin/sh
++
++set -eu
++
++. debian/tests/common
++
++# manually build necessary files against the installed libseccomp
++
++# build live tests
++for filename in *-live-*.tests; do
++ testname=$(echo "$filename" | cut -f 1 -d '.')
++ echo "Building $testname ..."
++ gcc -O2 -g "${testname}.c" util.c -pthread -lseccomp -o "$testname"
++done
++
++echo "Running test suite ..."
++./regression -T live
--- /dev/null
--- /dev/null
++#!/bin/sh
++
++set -eu
++
++. debian/tests/common
++
++echo "Running test suite ..."
++./regression -T live -m python
--- /dev/null
--- /dev/null
++#!/bin/sh
++
++set -eu
++
++. debian/tests/common
++
++# make sure "python" points to python3 as this is not configurable
++# in the regression script
++mkdir python3env
++ln -s /usr/bin/python3 python3env/python
++
++echo "Running test suite ..."
++PATH="$(pwd)/python3env:$PATH" ./regression -T live -m python
--- /dev/null
--- /dev/null
++Bug-Database: https://github.com/seccomp/libseccomp/issues
++Bug-Submit: https://github.com/seccomp/libseccomp/issues/new
++Repository: https://github.com/seccomp/libseccomp.git
++Repository-Browse: https://github.com/seccomp/libseccomp
--- /dev/null
--- /dev/null
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++
++mQINBE6TSxkBEACy+4BPGoI7vphGh/q5WET0lmU7LcDwuNs/satPRH/vPoSYLxYU
++FmZ64A2zA4/imlohR+9VMfEVgOX6f23vZWheC2Z12bCtK0/cGLfoGMddFi7mg6aV
++hJeAegYkC6hDAYI+Mc/mt0fYvDB+bSPUCUdnB/NegbWegJMJur2pc0/nQqeeoRdp
++sazOyBEs4ipP1p05DZA/MifGNRASMHJg2bYG2FyC48Vx/xl0B+oactTwPODJlkQS
++n6+yYTcvYh7wIbbainEi0jBnyRj6bi6jODPTjArW2YRzEmPEkqbBsfA/HYEpH4DR
++IyZIJzqkP/+P+F+BVBjPVz4r6CWvCjnTMTlROfaUqIvfmpdKKtBDVN0Cjn6GVYae
++t9yoJM5bcJK+KEp5aNmW3U7vDMG2XEttw4vdfIFc9ZEWnu2kyiltQw9cUk3ucsIH
++79M4o24oVu2+J/z4QNGbRHdbxbO6c9R+IxAfiF/FAz5OhQfRHrDayfQV457cE/Ga
++ZhE1AeT7EdnXFF3G1RhTTE2lomQ1TfBSK6CyIyabU7I0R2Gh0aITpAE0fP4heZNZ
++zA8vPggdtRzgKgu4tC2is2Dg3NQnPc+k4mnU07LwmJuxCluN7pNhhlhtJkNWnA+a
++C2sV8zIicH7SAwmGoeMkp1kluxcdp/jGKsdRIfIDnVax4/t6VPL2+lKQzwARAQAB
++tB5QYXVsIE1vb3JlIDxwY21vb3JlQHVtaWNoLmVkdT6JAjgEEwECACIFAk6TS4MC
++GwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEFXkWlroynyKs5MP/it8TqV6
++IVXZh9X6ioJbchNcofT+L74+BjHXpzmdlf0awutCrKdZTWz5zC4A7Xrnam5LNg9j
++aZr44oUOhnwIKwm1xxm2KBIGky7nKMinUfsSlYlfJybSJjWA3hv3dKI4Fpd7xsy1
++5CDcmfAD5NfQeW7KD5I0U89zKsdFyGCZV03xWbrvGPitncPB+Sifjp29lWmGwOwY
++5tNcg7Mvby5vi6Zit686Q4wjYzmgoCDKKgk6QSo/VAqXJn8PRttuZArDfckraL+h
++LXsxx1W0zaKVi9qeyR3n/++fDxPcc5rQIsd9TZj7nojj/5qGjoLCPwFDZaR97u8M
++v795+ITrMCLRPYAd8DE94e3sjZK8R+hCtD0Xp9KgaNWofnA4cIHQyWaKI5is4NaT
++9Y638We5RkTaYrFC0dxSgiekmnB0pogDU69smFNa26r0CX85cQf4YKYURc1xnbmS
++Cyh+gvIHXVSGglmGXgKJ436qUBFCq2/BlecLZm/Lk0vQyPdCr08ZzPc7AUfc1hAe
+++PiZ7RDkhJzQaUN3ufjvcyeMGHoUejaO3G9ODE/yVZ6Yi8HQPN7IGmyeh73xaqcv
++5PpSrfpK+yjR13WGdi6PRL1IBfverc1fXtxXBywFhV4o/Jatj6XrS7hsU5EJ43An
++I9Cqa+8FBjLIrqzfAKHng3qYKA3R346+L0pPtB5QYXVsIE1vb3JlIDxwbW9vcmVA
++cmVkaGF0LmNvbT6JAjgEEwECACIFAk6TS60CGwMGCwkIBwMCBhUIAgkKCwQWAgMB
++Ah4BAheAAAoJEFXkWlroynyKK8AP+QFOxGd3sSxMgEgTjT2fUUwqjD0oRZUrC3RZ
++pld+fqmMIoGP0XRQYIpSZubX/ryn0DK9zd7D1o8nOz32lz8QfeEwshh+KAI93V0J
++iIFprZUtCJxXKIO2GuHVgwqyzQs+DbXoov6BiTmbNHDGy1xT+mx4Z0xboHX2ZzKc
++mLj42w7Qv5clL8X+4D3EiePCWeaw5e/p2xlPEVXfaYlu3nsUUrRwdx1RZSZ/qJE6
++CZLL348vp7mf9nR7bGBx8NiHrzbE3nh7ofZ8ai/dUTkkK+cFsxr5Gkt1nHegdv2t
++Q3pk/KoR6YYvGYIDeuyZB0zMs2VW6zLIrD7qPc9sFLIwAsgBW3pWyznZ9mZrpbqp
++JPzkhDYQH5XnTkL5g0tq4z3eDtOCODB2rNRrj/JvZcv3WmT1IK2d3x3E06Bfb4oy
++qMgTzD2z/IHgyL9Wt+yyogB0Y0zyGj3lV3fISIINT2mn+UtutYIqDEeGbSEtQrXx
++yIvQEViPO52mO+QdOtc5ZMfQ9ddsQKbawK/pqbzVMRPXX1z5hYKyx/Tv0roBrAzj
++DSBI2vP0NmfzzSUKZ3POOZLOxE0425AYeNE623SCntrOWNYdgwf9EfnAcMgsY2Kl
++a18e24ZHdAGFmJWBYx+XllheI6diU7dOZAlvuuuslVJfvD8ixzm7SR98elmUk57k
++wf9FO9yxtCBQYXVsIE1vb3JlIDxwYXVsQHBhdWwtbW9vcmUuY29tPokCOgQTAQIA
++JQIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAk6TS8ACGQEACgkQVeRaWujK
++fIrtrg/2Kr2XYWu6jYDX2PSWeLQ/5P/VgGzjZI+AKaj5JyEID/5J31yvSKICjK3F
++Wl+lHRo/LQzQx8f6gQ9FEBeDTndpa1t23XQGmBgEDAev6FHX3jmheFTkJJ+dEYpc
++gX7R+jTjmrRYjAFu1Jo2fIblBTvECwlKLxDvSzAvp5giHYj8TDWcYPlZcDqfq9Aq
++5p7UjkRYvAAUlkwSxPE28zcWPwgQuikcyVw/ObPpNWon+0TfruzindsyKnMss7mE
++pxUMhRHAWM8KACBUmScP2TC95xKzm+KtlT6E/pdPXItPXiFg5sg8Vf5Rco8j16+b
++DzviiAC21Mp69wtnV8Mdsl1jiL65wotclG+SMcgUmyqD3rgBW3jSedDFFu6CHQyG
++FuthVj25eNUSXjhVOMCWQSxOgv4uN1jgk89paHJuBqHwKfk55ezQJFB1UlkJqH7L
++NJ2uVd0Go5PTE2mBbkBQ4bvSyfhlOUYbcjNUlZOZSHsaQPVXDUXCW90LjH4azg8j
++ek7YinygvZBpxQurRj7honmoqqyBfvOweA8wDdjIYURFrA4kwYwN8d+xdIDv5Pu5
++8U/ruus+y59MebQDhMr1BaM26QhgPZ6Ur/vHvTkW6bFo+Q0Rg9/abO67O00OZX/+
++oakt1BZ3Tb30L6nGu7ZosTXos+s9Leter/wcOk49JNd5q4WnZbkCDQROk0sZARAA
++7lIE/HyQ5pTSabH0OJKa78mNJckQ+2NsEwUpEj459Ca5s3DvJCT7ZBOUQaL5ctkl
++KgjByI+3BSIT90swim6vdMYxSrS7IpQ17zb3pdV5H5LFQSCvS1Dd466amWFWCyb6
++ZWl3g7kmf5xEEIob9PLMlCe37gsIXp9M0hbRIOVISeqCiWp5HkcMXwMEd5XHxGN6
++CCgG86vzxEOnLKoMdXQIxkenA4ggk5cCBoYd0FMURH53EznhuceS3euNSzu71+H3
++SJjIdjIjYQDhpHF6gXoI+u8NSWsZ9dEn/s+9e/uP2cYvAPmR01a73QyVIZS23eo9
++rmMqlPJNjJbybQ81uaHxQqA5ljC7WWqYl7tia+QSKYMEyMkHvTqnPPhJvghsQoJO
++aeN6j/qIQWIl5fQEENLRzkcGO6SLEDOKzEgABZSwP9Wff47jyzD4JVb71qApI60m
++3TGB829vBavFIkHNzhvr91m+6AfeUvZlWlFmC3v4BsqH/3SzwwQU28cxy53a/EDO
++wm2MDJL4wkVLO2Yh2CZ/4x07VZtjmGmG6wyVOq+9GQ3cnTPEgynfZYsdPaml/RJm
++kbCAmDbHbyV4NhT1RCg803thZZX8HzJcM2nywutGlzi0xxv63tP48tfTAV6ajqyQ
++5jeRGKCq/zpME9Ghr/oH414NlGcomYU0UQ5Fjpdk8eMAEQEAAYkCHwQYAQIACQUC
++TpNLGQIbDAAKCRBV5Fpa6Mp8iqQaD/9L2zMdzYznSOnApTz1SHhpgbi8RKaKy88j
++WTz0AxZGrYF6cKv8BH2fFgA7phlONcWhUvWpEEpP208EY52c811lohRocNhSlXgW
++XHYCiG2vydsQe9HEdBB6bUOO0z8g2DPcoBtUGWe1gDZddRW2VbqN2ts8Wxebog2Y
++Y3tvJ0ocMo150t5c0koldlStav/zM2eipz+zTjfsN4Xy04q/WQ63FIbub5o5jcUJ
++j1o177I1VtA8eEumsfnMMRgQBfz0t2bEIc/ZmrsuR+j/H4WlBAuIarNjWtIylH/e
++VJhxFtXGnCI5mO1gN90QG6IpwszcwEPJf3gU7dO8r+HXeTBifLYB/JnzGWixPaek
++DgCrNOZXz+48KEJEoVXUxsnqa8PRIUO5OtVRq3mk2uwcIHqPEBLb0yB6GRQjb9jQ
++qBdRPun2FavjxWRuTZBGS1RItLW8bmAJz1d/ySWizRqnoz8U0s9SyGGHx5OsyJJu
++FO6FFr31m7WZG5LPfQJUNiyR2y9ZrjdPbwXmchywhTLqyTb5N6j5RfAdn74H379t
++ilUhH5c7ieVLt/RLTtWXEnkZzsO7LvP/3X0jHt3eZD2WzvVg4llZFvnuie8C0/yC
++Twhc2xMJOLd2WpH6ZKHNbRqv1a2xg8K2KGdhlZrRo/AYbX/FjZ/k9klZwEjFsefd
++0Ff4mojoNokCNgQoAQgAIBYhBHEAqt+ubm6UDS4K1lXkWlroynyKBQJbxKnWAh0B
++AAoJEFXkWlroynyKGT4P/jXnXhB+VEkr+NL86MssDU+S9Gz+kCYEOSxFPFvhxpmk
++x+Q9Y2SXugaThp9h9IIUH6lhtAZeYimzGC67ObZh+Ev0SIfN24xvZ2nPzLLj1pay
++/2f/OQ0g7LalC7SpaF/7nIrxrYSP3Lyv3QAw/ZCeP8+U0CCV0Nw2Jrxck61ySXOR
++W9diyGKTszNwzWQOPUBOLlMw2BxjudQW0Djy8mYoqyByUYEWtbcGgJ3MSPzE0RgW
++PLgVujdzDunGDeJd9SBeI220ILxAHiB96JZYxmkVoz4trB7PwyA3plg19CXjwZ5J
++ediKZov02JG0aGNpL2678YwJAGDCLMNhBi9gDqx3Xf6rvzqK/CvR3xQs6/bAjiAC
++FHSUjv1oQ+p75yyt0clVrJOaB3kh6DICr+dZYuBvPGbls0yMTvEvCRxrj0rmpd9w
++tI2ZTvN6ak9+5c9ZI7N+tQKYRPonfrVigVR+VgoWS0UMh5IQedkcfMO1vX2S5i/m
++mmtDPT8aTyearL/ZpRoba8UvuTi/jksGTkR9QwKxBQeBWIy4xpKtddtp29RJFAFm
++m3uvsHTGfRIm0oAGnbSgAooQSqZiv9bQvjzP0maWc7A9uNIspKj4CaEjDttqMzPG
++u5GyplMDGnmEuldXbUhyCLlRXzVqmxuE46q0G2vl+qwiwwoYDauNoyvLvHK0AOZb
++uQINBFvEpn0BEACpnI2D7qSeKGEihHtIvbZAhN6x3zkkELaLB2+MmhWZAdTmzfFm
++JU28DXNLuCqxyy7GxATaBdPR5gPyq4LkA/xqTqC5nK9zTZqxtqwh9xTFCchUhmdC
++voSkFy3R1cZlifLVartuIBHQXd9XfYkJMop4whsbPcbzDJ9JYUqHpuqysNAAhHge
++vKIzZ93B7nW5JIBHf1/iVMSnC7+l3gSLMg0n+0UalGiQSpgzUSnyfgnoJjBbbyQT
++JMrOhGSJHviezcCT3OOctnn0j5I0DuU1IRJ5h+MZ4NpgV2YyHCTXdHE9x1DGE9Wu
++ExubFjiAvJtgcYkwcfqyqpbcK2IICWOUv+XJbrApm0PdaclyXbrJZRZ08QBOW9cZ
++8tnrkvb4PtktigiHzTy9LenoWP7lSXVeroju3+g+igkaa9ZbgVkHOkDRrrjtJhNl
++3yPEaK0RplLpJ6J/ysGvjuG9b/pWAsXptsfSN4TCCKIAqOg4/RINiyM5YzzIIqLc
++vwBzm8awFpoMsexhBBUJLdBC3F2s53AZJUkH+NYJ/lZgnDA9/EVYPAOGCXt5u/Ot
++ZyCyJzyYD6fZtLshQiRRdDMkeCZ+W88+HmgxA3Ck6vfSPIPyVUGYQYqREzZqfBVV
++FuANufrr+dBYYxE0R61zYMJdXL8fsNshHR5mlcHg4EODdnhOeRSeIuS+uQARAQAB
++iQI2BBgBCAAgFiEEcQCq365ubpQNLgrWVeRaWujKfIoFAlvEpn0CGwwACgkQVeRa
++WujKfIquIRAArTQcsGL/5Tw+L4g0OxUeH1/E7TQ54UrpT9f4PjPj0SPZevqzsV/b
++uRemr6bqpNx5aMvLhoeoAodq4a0GmC+BX9ucfGKELavgReQWpyAlFFop8/MCbonq
++q+07PdO+6ZJiff0VIMGFAdWOabzQ9VMkYQ4ibF+etTjgWNpJ0UiFhUNric+eT00t
++HMzEq2WdgbnS/bwANsEF7kIA3klF7lkYG5MFN5gTbWssHeavfUn3coR9AJVqmx+m
++bJdUiMxiMrzRORepUO1zs8XJzLMkOb5h2CElk1um0LfGI9T/RZ3nyP5uv3xU5aG/
++Rp2owv4EsvjhpATt+votq3iZk2hkwymYmMbKpZ690sNT7tTYS5E6dX085NRmEQpy
++/U+gX/V5rsWULPmQ2UJEoIizyRrhxq/O73ZinapkDZVO+DeePBrdXDwDOKlhDQ2V
++dMp/uLbOg8Hxs2N+Brnn5Ts6FADeP951F9VxTaRWrppOt9eRQgxasYE9hEzFS61e
++WY3qHfWT59Pnx+KPmuR69SobBrG5Y7qYvlQxHQUsiVhRlPDDlOuZk0nbK7QR4/aX
++7AwNxp2byo7cduCOecs+uSsAcWgA+KMif8yGzHxywHm34dTn7JY0Moqd03n09UY4
++3LISNC1atd/q0BTijMpzroU+4i3omeL3SSHJRBJJSMxSxU5SXV/DBMa5Ag0EW8Sm
++sQEQAOQoaAL4LSK1yQzbIJg4hojiJ+iOIMhz2BG9zVNp2CJ4veyfjgH0eUbSr8kX
++D1OBkdw9hJuyQXIu4hARvkh41H1N9BTDRMXt5VzeiZUQBS0mJlTQ6EJrX6z+Y497
++0OwPXHYTZG7EcBtTrrY9s+Bm0JnBQr5lZ4TdoGWg8sQxGZIY79zUYYjle6naBZQ0
++QFUTgfyKbx4n8gzXqIZbpj/SrbGctFve36HD+YVwmkcjIJuxKBKMcVfTRQ1AG1PV
++qoIyV/gTcmPbVMKcC8L9S0ixkWrqmVhkNJEblzkTEhN0WF5XjzasbxCkUGcJ24Cd
++oM5515LpCKaqOTSyuov2aDJfGrNoXi0LTo93M+xaBq6Li/kVUb9S7KY1CSD7buuw
++9CAriAVJZBYCuvByp49tBwYWSVhn2GURh7mex91NsJ2H7OveLygYEHSvT+S2ARA1
++lvpLDEG8LvIuKo8QrwmCkE5AO4WU6c62gnrajWwTDU0R38vXObD0dquguhvVyLWi
++OEVWacUUXfTN6hCLoqUlOAijKgSmHVhjIs2nngKdR/PLOQiVjKpMxxDoyStMJkfg
++khL8v9D/VBU398QwBOBHXFDovKZLhNz32KU3Ma2pE+RGZYBEQeCAWBK51MNdcpsd
++Q0p26O33H6Np+GWRHSwrtvO00HK0Wd4eOmO5LY2AiSUdK0NXABEBAAGJBGwEGAEI
++ACAWIQRxAKrfrm5ulA0uCtZV5Fpa6Mp8igUCW8SmsQIbAgJACRBV5Fpa6Mp8isF0
++IAQZAQgAHRYhBEtCqM8H8pnVVJd+7+og8tqXN4lzBQJbxKaxAAoJEOog8tqXN4lz
++0fkQAILG/ON167EqJq2VNMCD/e4Su5M5/RzcosEk+0xxmHyjOTn/36TG9uneNSr+
++IaNdSeH926LaVpcauSFdCKbegKjznUTtmMfdJQX+iTdfO7JTSdZACFHQUSva4Rs6
++33VMTnyhJdRerxrGvNAL0aAyDdTG5rc/CSQjj683AJGK9T7iZubgkBKWoYY8jtJi
++nsSuePp+gFetIhCQyG2nSq4yrIgXbd6l/kJdsqq6xEz42mbGJf2uPQ/BEbD/gzWj
++m8sRUAJ91u0lHqz3KjQ4MzdsU+Mm/ngZdyXWzwlfC24QbHAr9cnWwZvtLdvo2G7z
++igMX7PyMwfEq5l7i3gFS0Mny3LtvGqH1AS/YJczDeyonDtR2gAptYlyBHOBftdj7
++hVoZS0QNNss2B0kwHqSWOLtfgMHWiBXFq8buntwWGW2rUXs77gvKYG9TB1a0NYp1
++Hv2FOOUCWY9pzs/WBOkW0s5EOiatxoDfAFIoKH7FlqDf7Cnr3IpaKS6tXDH+7B35
++QBptYgMIY43v+GhqIEELkaYow3VnnTcbQFi0VfBxh/GgyhydhFyaUs5djklCZ091
++nRRYeDSyUhB1nlr7FnuLK91/rm6YI+IWmw2j3Z6urlnD6TNYPFfeZzXDoJgtlRsc
++HFQL2/HCIiCcObVFd8HbCvHmNpMdRxId8qogOr/y5Lu2FYvzRzEP/A8NNqwqj7zX
++Wk5w6lj4tVk796B4gPNZ0NUIXYeUobEtuuPjrh4SQSVOluvADCV5/8quP4fdw/iN
++tmaoTqYqmhpHArFgP9gjHQ7vL3+eHCQIqV0hdhsLm0t8ol5ArP3BgNtfS3RcQf3k
++Q9aQdIYscz5iTvCpcncVrMXDxz3wO7YKylzNHDUF7bo1FMc9HPedcKbzG/BRFnpw
++YNn8w24xlr9+o1YEzwgc48N7djcAsYl7KCIKq82vWrbeePNHLA4yo0rdqS1RP7jI
++lOlMWfxF+IGODkwCfiuMWVo35h5uMPueA0xyEfGobX1OtK6pkeFq1b1mNYCVr++4
++eWaJj64cv3ijx/sA+Ni51pD1dHrwURuX5FIixRJm0awwoJgxbsXLy54PGVgatNoa
++1Wx4lnt/6HA32MtM7Im0NMLGAt298GD/AIr3bAnbovevNTjaxwpO8KlMNLhANqYt
++GjFlhucGfQjVOxOU0c3QL1wBJ5s0bNltz5C8LqCRpqjJc43v3CfQ/IZzqZ+g51wJ
++WWgN9wAj62doD4x6JlVg17AZm6WRoGQjslyDUuBE3ZtZd2XXpc7P/rbmfZQCcr1W
++1h8moBknbU2eOji/cULgGM3Y8W5V3RwNgD7IFHDKr1I19PyBEMr+Qk+KVHpsw09S
++xOtqJHdjtKxzOrgL0rG+n0VYx6dl2Lt4mQINBF3C4AkBEADQxp4jfxmbJ3t/ZuKc
++sV4JxG8mhuGXBkzMB0k2uGULCpY4yh7dsN4PBU7PuHgUMkxJnJlbg0xVR2nux20I
++NzroYn8xzRe+jSmKTW0fTvNH+Nxyr4k+KgqmVZCcfyvwXuL7IOfG5luc/oSXJV62
++u+LHP891dVcJlVN0Ef9i5Sz9iRkkMUknwoTrOK9q1nZNOA+XoLMhCIdyWIPx6jFm
++PxfZpgEJw6YIeyOSRIPYtH4twuDj50bzQuTTfQ3ph9FdcXVLYwP3BayvfFasGhyJ
++6caqVW9GpMDa/OPvteNmt2WbqaRgcX9CWWOKonhFqkaWAXj0lYFkM65DTzSUKpNt
++oh2MRVA7qyGZ2zlHocNWSplQ8VJlly6ch9O95UEXlSIJFxAi/7NBNuG/CekHQxxQ
++ZhdslUe7LIsujlKS8Fy0bpYsTDPb/g+rUuIHWCOhEC+B0qOYVEf+wcc9jTQjZf6N
++P3zIV4dO+Mc9GVT+d3Kz0y11g1ON0b82qy2ONvRys1NmqXC2vCnXzKCQ6UTHRYt+
++EdV0nlo59G+lolCnT8t1sW7ezuByA4zWMI6hLyk0NLb8xwPK9BT732RGhzba7a7E
++aArTBsPA3rWvObC1kQWSaw+ule5rmnTL5Q4Jw3qDhgM9b2Bg3hLYP5/UU0INq7kr
++H413Kin0C29T1aNmLfMTfmS5EwARAQABtCZUb20gSHJvbWF0a2EgPHRvbS5ocm9t
++YXRrYUBvcmFjbGUuY29tPokCTgQTAQgAOBYhBEemj843x9cCT9ZeETVs5iwrUkCZ
++BQJdwuAJAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEDVs5iwrUkCZNL0P
++/3KFyrWXW5ouPuAzWeMMUZrQmyz31T70iVSS8PtPWb8S2QxQdzgpdVPrvxT+wfq5
++zJbdz3X5uPvdOXUeyv0bAQRqYQVX/tkz10zu6+m+Bgx0H6I5Xk9F7EDvag1EDDs/
++BDSLh9VbsTllSaNpLhFjSRj0dVmE1DgaUDX5F66npYMgSIspsAjEI1MZ1PDYQfho
++yxEMiz0ld14yv6HE7hBPekcQW2mAWzlpZmgw9NVIcqShy3znJNGGpQUbLEtGbrv/
++wRMNWjGWPJyfE5dLDvkfQjrdsTRWv5+Sd5/z3fwp0G8dUq1iWeegu6mFe0KRLB5z
++3lcc+QJSlWetyyoYWOhq1Jzn0QHjakZp2Nb4rtp9/b9TdhvD5cOjpsECmL5qMri1
++mn/j4F63AG4yLQaYrwwjWzDcz+jQ8wNuyl7cXQFD6UYbywC1tC9DE0VppV2nOirt
++TOPz8+etXMx6sg40STJ4dbYn/gJLhiycSaUAqGkSHpC24FbcvkVwKz5MBUYuLEgN
++H3RyNKVgnb5JWZofE7ehOVCc+VAmzMyobjE+71FRXlPdmqD/im4vYDsqzb15wX79
++VsXqI0bij+xVYaR7GoQbTfVQ0a6f6slWex6PmKOnZTjfLL7sEu1JhAteqlI9I0Nl
++NJBF/y32T6lQpO+3CJGhY+2rSiCpnI31NMusAkcufnxquQINBF3C4AkBEAC9ReOz
++Yf6nryTLn8lGg6M0kpMX3P7v8GlOV1hZ8hTDlUETpo+xxR3FvNjWEDNyuawCpvNz
++8Pu3OKqxKDIivyVdJNEc335glsMY7BmAevLvAtyfjb0rOzOXqLfhdsn108Nr6Ai+
++lkMs8xlK2hxGI3qpDHzImOYmhWD4J181gxlj5Gaj8fOyV8JZvfY6AZcei2tzlmHp
++j9SSh7K59trUZtaUDljUeVAEP4KfU1sLEYy3BUzS+eb4Qw1tleui+89E/J4zPrgw
++wuLg5OU+ScTigfbEF/05MMUAySiKieKhp8IFsT41+FXOlotBl0wz6Jbo4HxNtY5P
++trpv6BOrBlYfhfhZeANk4+y5OnLqRjjgTvf1p9CHmsgs6sx/lkNyXpzoxKR89Rzx
++HxnrgUATSa80JK9o/0tPZkN33HKJlkSndPQEM4uLrTsIxvNsBSOPIKC09siMbbBe
++I0t811P1pMh8zvTnRl2FSQjiumLoVhr+xxZ2wWiPxztVQkMLuuWXkzcxQUfuw5nE
++QCH+WdqYKNmV6rw2kU6j10q0kvvspWPMTbsI/vBY3KyiP1F8dToXiwulNT1U05NG
++J20YbzEHnYEKatBq9ZILLx63c8eLZ6VppkAE0ZlmgsOvn+zIcv81P4x9mDLvuqTO
++zRj/RuDAY6qJHuICpsV3F5A03z9ne/Z9u0mwSwARAQABiQI2BBgBCAAgFiEER6aP
++zjfH1wJP1l4RNWzmLCtSQJkFAl3C4AkCGwwACgkQNWzmLCtSQJkiQA/8Cm07bQf2
++FIKTdwRECJO7pvpuc3zE1XsSuLyu40qpsWX24Ll97S7cpOK7rN2jSZ6UDoXpNgXV
++iOzma5yiC+GO6UUWxr8xE/CDXeuawxHUt0Xrn+UQnWsirsrZifjVPkXou71QM+ka
++Q9qXy4liOpRaJjf8B7iz3ilgMUACnMcwOVn+jbswLQpNetsKk+vrLwQlILPkWcKG
++xIu1Iro3E7WoIPojHHtT7Co7mSRzaNI00VU7jMwZwXFQL/IbeGsKlaAyxh1BzRLn
++LdPN8hxiYtEq2IG66Uq3EmigtwOvh06d/Qi/gBH6CWxdahRk7HwATyrNvbjfduzN
++nhF+lPA39iKrI5+IGasK6Lp9HklUJD0Q9JK7yac/cUj5LptY/PBFC7eJKHJLyohm
++vlXYgRSeAXEm7uGpU5k/jUZDM4Z1o5JboiNVQoqDWs6iDYJb82cRjKKlvC2d2lFK
++xtBOR3xJZUUsIpoQrstxn1LA5DcBosPvd9ISyIZs38UyJNTz07GUedEpeE3YhLke
++sc6n2iL9D2Yjz/S4ANukxl9YZDW+EFS8LtTchvK11OHWubvWxWFV7txLFmkBYQwk
++2krCi2MVguRZGj8bodqjty1H8ZMfA5NYwAKeyQmsmTHqNmR1Ws/cdQCV7+3q9Rur
++lUtY1AVxx4LtnS16GX+OVCybWzbK1uqLrfo=
++=9JXr
++-----END PGP PUBLIC KEY BLOCK-----
--- /dev/null
--- /dev/null
++# See uscan(1) for format
++version=4
++opts="dversionmangle=s/\+dfsg//,pgpsigurlmangle=s/$/.asc/" \
++https://github.com/seccomp/libseccomp/releases \
++ /download/v.*/libseccomp-(.*)\.tar\.gz \
++ debian uupdate
projects / libseccomp.git / commitdiff