#!/bin/sh

set -e

# shellcheck source=snap-confine/tests/common.sh
. "${srcdir:-.}/snap-confine/tests/common.sh"

get_common_syscalls >"$TMP"/tmpl
cat >>"$TMP"/tmpl <<EOF
getpriority
EOF

for i in '- - 10' '- 0 10' '- 0 >=0' '- 0 >0' '- 0 <11' '- 0 <=10' ; do
    cat "$TMP"/tmpl >"$TMP"/snap.name.app
    echo "setpriority $i" >>"$TMP"/snap.name.app

    printf "Test good seccomp arg filtering (setpriority %s)" "$i"
    # ensure that the command "true" can run with the right filter
    if $L snap.name.app /usr/bin/nice -n 10 /bin/true ; then
        PASS
    else
        FAIL
    fi
done

cat "$TMP"/tmpl >"$TMP"/snap.name.app
{
    echo "setpriority - - 10"
    echo "setpriority - - <=9"
    echo "setpriority - - >=11"
} >>"$TMP"/snap.name.app

printf "Test good seccomp arg filtering (cumulative setpriority)"
# ensure that the command "true" can run with the right filter
if $L snap.name.app /usr/bin/nice -n 10 /bin/true ; then
    PASS
else
    FAIL
fi

cat "$TMP"/tmpl >"$TMP"/snap.name.app
echo "setpriority - - <=9" >>"$TMP"/snap.name.app
echo "setpriority - - >=11" >>"$TMP"/snap.name.app

printf "Test good seccomp arg filtering (cumulative setpriority blocks (ge/le))"
if $L snap.name.app /usr/bin/nice -n 10 /bin/true 2>/dev/null ; then
    FAIL
else
    PASS
fi

cat "$TMP"/tmpl >"$TMP"/snap.name.app
echo "setpriority - - <10" >>"$TMP"/snap.name.app
echo "setpriority - - >10" >>"$TMP"/snap.name.app

printf "Test good seccomp arg filtering (cumulative setpriority blocks (gt/lt))"
if $L snap.name.app /usr/bin/nice -n 10 /bin/true 2>/dev/null ; then
    FAIL
else
    PASS
fi

# <= SC_ARGS_MAXLENGTH in seccomp.c
for i in '1' '- 2' '- - 3' '- - - 4' '- - - - 5' '- - - - - 6' '1 2 3 4 5 6' ; do
    cat "$TMP"/tmpl >"$TMP"/snap.name.app
    echo "mbind $i" >>"$TMP"/snap.name.app

    printf "Test good seccomp arg filtering (mbind %s)" "$i"
    # ensure that the command "true" can run with the right filter
    if $L snap.name.app /bin/true ; then
        PASS
    else
        FAIL
    fi
done

cat "$TMP"/tmpl >"$TMP"/snap.name.app
echo "mknod - |S_IFIFO" >>"$TMP"/snap.name.app

# use "$SHM"/pipe here since snap-confine uses a mount namespace for /tmp
printf "Test good seccomp arg filtering (mkfifo %s/pipe)" "$SHM"
if $L snap.name.app /usr/bin/mkfifo "$SHM"/pipe ; then
    if [ -p "$SHM"/pipe ]; then
        PASS
    else
        FAIL
    fi
else
    FAIL
fi

printf "Test good seccomp arg filtering (mkfifo -m 0400 %s/rpipe)" "$SHM"
if $L snap.name.app /usr/bin/mkfifo -m 0400 "$SHM"/rpipe ; then
    if [ -p "$SHM"/rpipe ]; then
        # Use stat instead of 'test -w' since the unit tests run as root in
        # spread and 'test -w' returns true regardless of permissions
		perms=$(stat -c "%a" "$SHM"/rpipe)
        if [ "$perms" = "400" ]; then
            PASS
        else
            echo "$SHM/rpipe permissions are not '400'"
            FAIL
        fi
    else
        echo "$SHM/rpipe not found"
        FAIL
    fi
else
    echo "mkfifo failed"
    cat "$TMP"/snap.name.app
    FAIL
fi

cat "$TMP"/tmpl >"$TMP"/snap.name.app
echo "mknod - |S_IFREG" >>"$TMP"/snap.name.app

printf "Test good seccomp arg filtering (mkfifo %s/pipe blocked)" "$SHM"
if $L snap.name.app /usr/bin/mkfifo "$SHM"/pipe 2>/dev/null ; then
    FAIL
else
    PASS
fi
