script_core 0.2.6 → 0.2.7

data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.py

@@ -0,0 +1,95 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2018 Oracle and/or its affiliates.  All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+table = [
+    {"syscall": "read", "error": 0, "arg_cnt": 0 },
+    {"syscall": "write", "error": 1, "arg_cnt": 0 },
+    {"syscall": "open", "error": 2, "arg_cnt": 0 },
+    {"syscall": "close", "error": 3, "arg_cnt": 2, "arg1": 100, "arg2": 101 },
+    {"syscall": "stat", "error": 4, "arg_cnt": 0 },
+    {"syscall": "fstat", "error": 5, "arg_cnt": 0 },
+    {"syscall": "lstat", "error": 6, "arg_cnt": 0 },
+    {"syscall": "poll", "error": 7, "arg_cnt": 1, "arg1": 102 },
+    {"syscall": "lseek", "error": 8, "arg_cnt": 2, "arg1": 103, "arg2": 104 },
+    {"syscall": "mmap", "error": 9, "arg_cnt": 0 },
+    {"syscall": "mprotect", "error": 10, "arg_cnt": 0 },
+    {"syscall": "munmap", "error": 11, "arg_cnt": 0 },
+    {"syscall": "brk", "error": 12, "arg_cnt": 0 },
+    {"syscall": "rt_sigaction", "error": 13, "arg_cnt": 0 },
+    {"syscall": "rt_sigprocmask", "error": 14, "arg_cnt": 0 },
+    {"syscall": "rt_sigreturn", "error": 15, "arg_cnt": 0 },
+    {"syscall": "ioctl", "error": 16, "arg_cnt": 0 },
+    {"syscall": "pread64", "error": 17, "arg_cnt": 1, "arg1": 105 },
+    {"syscall": "pwrite64", "error": 18, "arg_cnt": 0 },
+    {"syscall": "readv", "error": 19, "arg_cnt": 0 },
+    {"syscall": "writev", "error": 20, "arg_cnt": 0 },
+    {"syscall": "access", "error": 21, "arg_cnt": 0 },
+    {"syscall": "pipe", "error": 22, "arg_cnt": 0 },
+    {"syscall": "select", "error": 23, "arg_cnt": 2, "arg1": 106, "arg2": 107 },
+    {"syscall": "sched_yield", "error": 24, "arg_cnt": 0 },
+    {"syscall": "mremap", "error": 25, "arg_cnt": 2, "arg1": 108, "arg2": 109 },
+    {"syscall": "msync", "error": 26, "arg_cnt": 0 },
+    {"syscall": "mincore", "error": 27, "arg_cnt": 0 },
+    {"syscall": "madvise", "error": 28, "arg_cnt": 0 },
+    {"syscall": "dup", "error": 32, "arg_cnt": 1, "arg1": 112 },
+    {"syscall": "dup2", "error": 33, "arg_cnt": 0 },
+    {"syscall": "pause", "error": 34, "arg_cnt": 0 },
+    {"syscall": "nanosleep", "error": 35, "arg_cnt": 0 },
+    {"syscall": "getitimer", "error": 36, "arg_cnt": 0 },
+    {"syscall": "alarm", "error": 37, "arg_cnt": 0 },
+]
+
+def test(args):
+    f = SyscallFilter(ALLOW)
+
+    f.remove_arch(Arch())
+    f.add_arch(Arch("aarch64"))
+    f.add_arch(Arch("ppc64le"))
+    f.add_arch(Arch("x86_64"))
+
+    for entry in table:
+        if entry["arg_cnt"] == 2:
+            f.add_rule(ERRNO(entry["error"]), entry["syscall"],
+                       Arg(0, EQ, entry["arg1"]),
+                       Arg(1, EQ, entry["arg2"]))
+        elif entry["arg_cnt"] == 1:
+            f.add_rule(ERRNO(entry["error"]), entry["syscall"],
+                       Arg(0, EQ, entry["arg1"]))
+        else:
+            f.add_rule(ERRNO(entry["error"]), entry["syscall"])
+
+    return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;

data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.tests

@@ -0,0 +1,65 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2019-2020 Oracle and/or its affiliates.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+test type: bpf-sim
+
+# Testname		Arch				Syscall		Arg0	Arg1	Arg2	Arg3	Arg4	Arg5	Result
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	read		N	N	N	N	N	N	ERRNO(0)
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	write		N	N	N	N	N	N	ERRNO(1)
+53-sim-binary_tree	+x86_64,+ppc64le		open		N	N	N	N	N	N	ERRNO(2)
+53-sim-binary_tree	+aarch64			open		N	N	N	N	N	N	ALLOW
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	close		N	N	N	N	N	N	ALLOW
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	close		100	1234	N	N	N	N	ALLOW
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	close		100	101	N	N	N	N	ERRNO(3)
+53-sim-binary_tree	+x86_64,+ppc64le		stat		N	N	N	N	N	N	ERRNO(4)
+53-sim-binary_tree	+aarch64			stat		N	N	N	N	N	N	ALLOW
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	fstat		N	N	N	N	N	N	ERRNO(5)
+53-sim-binary_tree	+x86_64,+ppc64le		lstat		N	N	N	N	N	N	ERRNO(6)
+53-sim-binary_tree	+aarch64			lstat		N	N	N	N	N	N	ALLOW
+53-sim-binary_tree	+x86_64,+ppc64le		poll		102	N	N	N	N	N	ERRNO(7)
+53-sim-binary_tree	+aarch64			poll		102	N	N	N	N	N	ALLOW
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	lseek		103	104	N	N	N	N	ERRNO(8)
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	mmap		N	N	N	N	N	N	ERRNO(9)
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	mprotect	N	N	N	N	N	N	ERRNO(10)
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	munmap		N	N	N	N	N	N	ERRNO(11)
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	brk		N	N	N	N	N	N	ERRNO(12)
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	rt_sigaction	N	N	N	N	N	N	ERRNO(13)
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	rt_sigprocmask	N	N	N	N	N	N	ERRNO(14)
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	rt_sigreturn	N	N	N	N	N	N	ERRNO(15)
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	ioctl		N	N	N	N	N	N	ERRNO(16)
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	pread64		105	N	N	N	N	N	ERRNO(17)
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	pwrite64	N	N	N	N	N	N	ERRNO(18)
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	readv		N	N	N	N	N	N	ERRNO(19)
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	writev		N	N	N	N	N	N	ERRNO(20)
+53-sim-binary_tree	+x86_64,+ppc64le		access		N	N	N	N	N	N	ERRNO(21)
+53-sim-binary_tree	+aarch64			access		N	N	N	N	N	N	ALLOW
+53-sim-binary_tree	+x86_64,+ppc64le		pipe		N	N	N	N	N	N	ERRNO(22)
+53-sim-binary_tree	+aarch64			pipe		N	N	N	N	N	N	ALLOW
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	select		N	N	N	N	N	N	ALLOW
+53-sim-binary_tree	+x86_64,+ppc64le		select		106	107	N	N	N	N	ERRNO(23)
+53-sim-binary_tree	+aarch64			select		106	107	N	N	N	N	ALLOW
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	sched_yield	N	N	N	N	N	N	ERRNO(24)
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	mremap		N	N	N	N	N	N	ALLOW
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	mremap		108	109	N	N	N	N	ERRNO(25)
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	msync		N	N	N	N	N	N	ERRNO(26)
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	mincore		N	N	N	N	N	N	ERRNO(27)
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	madvise		N	N	N	N	N	N	ERRNO(28)
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	dup		112	N	N	N	N	N	ERRNO(32)
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	dup		5678	N	N	N	N	N	ALLOW
+53-sim-binary_tree	+x86_64,+ppc64le		dup2		N	N	N	N	N	N	ERRNO(33)
+53-sim-binary_tree	+aarch64			dup2		N	N	N	N	N	N	ALLOW
+53-sim-binary_tree	+x86_64,+ppc64le		pause		N	N	N	N	N	N	ERRNO(34)
+53-sim-binary_tree	+aarch64			pause		N	N	N	N	N	N	ALLOW
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	nanosleep	N	N	N	N	N	N	ERRNO(35)
+53-sim-binary_tree	+x86_64,+ppc64le,+aarch64	getitimer	N	N	N	N	N	N	ERRNO(36)
+53-sim-binary_tree	+x86_64,+ppc64le		alarm		N	N	N	N	N	N	ERRNO(37)
+53-sim-binary_tree	+aarch64			alarm		N	N	N	N	N	N	ALLOW
+
+test type: bpf-valgrind
+
+# Testname
+53-sim-binary_tree

data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.c

@@ -0,0 +1,128 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2018 Oracle and/or its affiliates.  All rights reserved.
+ * Author: Tom Hromatka <tom.hromatka@oracle.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+/* arbitrary list of syscalls to force seccomp to generate a binary tree */
+static const int denylist[] = {
+	SCMP_SYS(times),
+	SCMP_SYS(ptrace),
+	SCMP_SYS(getuid),
+	SCMP_SYS(syslog),
+	SCMP_SYS(getgid),
+	SCMP_SYS(setuid),
+	SCMP_SYS(setgid),
+	SCMP_SYS(geteuid),
+	SCMP_SYS(getegid),
+	SCMP_SYS(setpgid),
+	SCMP_SYS(getppid),
+	SCMP_SYS(getpgrp),
+	SCMP_SYS(setsid),
+	SCMP_SYS(setreuid),
+	SCMP_SYS(setregid),
+	SCMP_SYS(getgroups),
+	SCMP_SYS(setgroups),
+	SCMP_SYS(setresuid),
+	SCMP_SYS(getresuid),
+	SCMP_SYS(setresgid),
+	SCMP_SYS(getresgid),
+	SCMP_SYS(getpgid),
+	SCMP_SYS(setfsuid),
+	SCMP_SYS(setfsgid),
+};
+
+int main(int argc, char *argv[])
+{
+	int rc;
+	int fd;
+	int i;
+	scmp_filter_ctx ctx = NULL;
+	const char buf[] = "testing";
+	ssize_t buf_len = strlen(buf);
+
+	rc = util_action_parse(argv[1]);
+	if (rc != SCMP_ACT_ALLOW) {
+		rc = 1;
+		goto out;
+	}
+
+	rc = util_trap_install();
+	if (rc != 0)
+		goto out;
+
+	fd = open("/dev/null", O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
+	if (fd < 0) {
+		rc = errno;
+		goto out;
+	}
+
+	ctx = seccomp_init(SCMP_ACT_TRAP);
+	if (ctx == NULL)
+		return ENOMEM;
+
+	rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+			      SCMP_A0(SCMP_CMP_EQ, fd));
+	if (rc != 0)
+		goto out;
+	rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+	if (rc != 0)
+		goto out;
+	rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+	if (rc != 0)
+		goto out;
+	rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
+	if (rc != 0)
+		goto out;
+
+	for (i = 0; i < (sizeof(denylist) / sizeof(denylist[0])); i++) {
+		rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, denylist[i], 0);
+		if (rc != 0)
+			goto out;
+	}
+
+	rc = seccomp_load(ctx);
+	if (rc != 0)
+		goto out;
+
+	if (write(fd, buf, buf_len) < buf_len) {
+		rc = errno;
+		goto out;
+	}
+	if (close(fd) < 0) {
+		rc = errno;
+		goto out;
+	}
+
+	rc = 160;
+
+out:
+	seccomp_release(ctx);
+	return (rc < 0 ? -rc : rc);
+}

data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.py

@@ -0,0 +1,95 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2018 Oracle and/or its affiliates.  All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+denylist = [
+    "times",
+    "ptrace",
+    "getuid",
+    "syslog",
+    "getgid",
+    "setuid",
+    "setgid",
+    "geteuid",
+    "getegid",
+    "setpgid",
+    "getppid",
+    "getpgrp",
+    "setsid",
+    "setreuid",
+    "setregid",
+    "getgroups",
+    "setgroups",
+    "setresuid",
+    "getresuid",
+    "setresgid",
+    "getresgid",
+    "getpgid",
+    "setfsuid",
+    "setfsgid",
+]
+
+def test():
+    action = util.parse_action(sys.argv[1])
+    if not action == ALLOW:
+        quit(1)
+    util.install_trap()
+    f = SyscallFilter(TRAP)
+    f.set_attr(Attr.CTL_TSYNC, 1)
+    # NOTE: additional syscalls required for python
+    f.add_rule(ALLOW, "stat")
+    f.add_rule(ALLOW, "fstat")
+    f.add_rule(ALLOW, "open")
+    f.add_rule(ALLOW, "openat")
+    f.add_rule(ALLOW, "mmap")
+    f.add_rule(ALLOW, "munmap")
+    f.add_rule(ALLOW, "read")
+    f.add_rule(ALLOW, "write")
+    f.add_rule(ALLOW, "close")
+    f.add_rule(ALLOW, "rt_sigaction")
+    f.add_rule(ALLOW, "rt_sigreturn")
+    f.add_rule(ALLOW, "sigreturn")
+    f.add_rule(ALLOW, "sigaltstack")
+    f.add_rule(ALLOW, "brk")
+    f.add_rule(ALLOW, "exit_group")
+
+    for syscall in denylist:
+        f.add_rule(KILL, syscall)
+
+    f.load()
+    try:
+        util.write_file("/dev/null")
+    except OSError as ex:
+        quit(ex.errno)
+    quit(160)
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;

data/ext/enterprise_script_service/libseccomp/tests/54-live-binary_tree.tests

@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2019 Oracle and/or its affiliates.  All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+test type: live
+
+# Testname		API	Result
+54-live-binary_tree	1	ALLOW

data/ext/enterprise_script_service/libseccomp/tests/55-basic-pfc_binary_tree.c

@@ -0,0 +1,134 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2018-2020 Oracle and/or its affiliates.
+ * Author: Tom Hromatka <tom.hromatka@oracle.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+#define ARG_COUNT_MAX 2
+
+struct syscall_errno {
+	int syscall;
+	int error;
+	int arg_cnt;
+	/* To make the test more interesting, arguments are added to several
+	 * syscalls.  To keep the test simple, the arguments always use
+	 * SCMP_CMP_EQ.
+	 */
+	int args[ARG_COUNT_MAX];
+};
+
+struct syscall_errno table[] = {
+	{ SCMP_SYS(read), 0, 2, { 100, 101 } },
+	{ SCMP_SYS(write), 1, 1, { 102, 0 } },
+	{ SCMP_SYS(open), 2, 0, { 0, 0 } },
+	{ SCMP_SYS(close), 3, 0, { 0, 0 } },
+	{ SCMP_SYS(stat), 4, 0, { 0, 0 } },
+	{ SCMP_SYS(fstat), 5, 1, { 103, 0 } },
+	{ SCMP_SYS(lstat), 6, 0, { 0, 0 } },
+	{ SCMP_SYS(poll), 7, 0, { 0, 0 } },
+	{ SCMP_SYS(lseek), 8, 1, { 104, 0 } },
+	{ SCMP_SYS(mmap), 9, 0, { 0, 0 } },
+	{ SCMP_SYS(mprotect), 10, 1, { 105, 0 } },
+	{ SCMP_SYS(munmap), 11, 0, { 0, 0 } },
+	{ SCMP_SYS(brk), 12, 0, { 0, 0 } },
+	{ SCMP_SYS(rt_sigaction), 13, 0, { 0, 0 } },
+	{ SCMP_SYS(rt_sigprocmask), 14, 0, { 0, 0 } },
+	{ SCMP_SYS(rt_sigreturn), 15, 0, { 0, 0 } },
+	{ SCMP_SYS(ioctl), 16, 0, { 0, 0 } },
+	{ SCMP_SYS(pread64), 17, 1, { 106, 0 } },
+	{ SCMP_SYS(pwrite64), 18, 2, { 107, 108 } },
+};
+
+const int table_size = sizeof(table) / sizeof(table[0]);
+
+int main(int argc, char *argv[])
+{
+	int rc, fd, i;
+	scmp_filter_ctx ctx = NULL;
+
+	/* stdout */
+	fd = 1;
+
+	ctx = seccomp_init(SCMP_ACT_ALLOW);
+	if (ctx == NULL) {
+		rc = ENOMEM;
+		goto out;
+	}
+
+	rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+	if (rc < 0)
+		goto out;
+	rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64);
+	if (rc < 0)
+		goto out;
+	rc = seccomp_arch_add(ctx, SCMP_ARCH_AARCH64);
+	if (rc < 0)
+		goto out;
+	rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
+	if (rc < 0)
+		goto out;
+
+	for (i = 0; i < table_size; i++) {
+		switch (table[i].arg_cnt) {
+		case 2:
+			rc = seccomp_rule_add(ctx,
+					      SCMP_ACT_ERRNO(table[i].error),
+					      table[i].syscall, 2,
+					      SCMP_A0(SCMP_CMP_EQ,
+						      table[i].args[0]),
+					      SCMP_A1(SCMP_CMP_EQ,
+						      table[i].args[1]));
+			break;
+		case 1:
+			rc = seccomp_rule_add(ctx,
+					      SCMP_ACT_ERRNO(table[i].error),
+					      table[i].syscall, 1,
+					      SCMP_A0(SCMP_CMP_EQ,
+						      table[i].args[0]));
+			break;
+		case 0:
+		default:
+			rc = seccomp_rule_add(ctx,
+					      SCMP_ACT_ERRNO(table[i].error),
+					      table[i].syscall, 0);
+			break;
+		}
+
+		if (rc < 0)
+			goto out;
+	}
+
+	rc = seccomp_export_pfc(ctx, fd);
+	if (rc < 0)
+		goto out;
+
+out:
+	seccomp_release(ctx);
+	close(fd);
+	return (rc < 0 ? -rc : rc);
+}