22 files changed, 210 insertions, 137 deletions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2e6a462f2..751ed7572 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -71,6 +71,8 @@ jobs:
      run: command -V firejail && firejail --version
    - name: lab setup
      run: SHELL=/bin/bash make lab-setup
+    - name: run seccomp extra tests
+      run: SHELL=/bin/bash make test-seccomp-extra
    - name: run firecfg tests
      run: SHELL=/bin/bash make test-firecfg
    - name: run capabilities tests
diff --git a/Makefile b/Makefile
index 9a0482848..98f368789 100644
--- a/Makefile
+++ b/Makefile
@@ -368,7 +368,7 @@ codespell: clean
 # make test
 #
-TESTS=profiles capabilities apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter private-etc
+TESTS=profiles capabilities apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter private-etc seccomp-extra
 TEST_TARGETS=$(patsubst %,test-%,$(TESTS))
 $(TEST_TARGETS):
@@ -378,7 +378,7 @@ $(TEST_TARGETS):
 # extract some data about the testing setup: kernel, network connectivity, user
 lab-setup:; uname -r; ldd --version | grep GLIBC; pwd; whoami; ip addr show; cat /etc/resolv.conf; cat /etc/hosts; ls /etc
-test: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-private-etc test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
+test: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-private-etc test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-seccomp-extra
        echo "TEST COMPLETE"
 test-noprofiles: lab-setup test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
diff --git a/gcov.sh b/gcov.sh
index a4f56136c..53317c098 100755
--- a/gcov.sh
+++ b/gcov.sh
@@ -25,6 +25,8 @@ make test-firecfg | grep TESTING
 gcov_generate
 make test-capabilities | grep TESTING
 gcov_generate
+make test-seccomp-extra | grep TESTING
+gcov_generate
 make test-apparmor | grep TESTING
 gcov_generate
 make test-network | grep TESTING
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index 57a5a6d67..0b46daf65 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -23,33 +23,33 @@ int arg_quiet = 0;
 int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill
 static void usage(void) {
-        printf("Usage:\n");
+        printf("Usage:\n"
-        printf("\tfseccomp debug-syscalls\n");
+                "\tfseccomp debug-syscalls\n"
-        printf("\tfseccomp debug-syscalls32\n");
+                "\tfseccomp debug-syscalls32\n"
-        printf("\tfseccomp debug-errnos\n");
+                "\tfseccomp debug-errnos\n"
-        printf("\tfseccomp debug-protocols\n");
+                "\tfseccomp debug-protocols\n"
-        printf("\tfseccomp protocol build list file\n");
+                "\tfseccomp protocol build list file\n"
-        printf("\tfseccomp secondary 64 file\n");
+                "\tfseccomp secondary 64 file\n"
-        printf("\tfseccomp secondary 32 file\n");
+                "\tfseccomp secondary 32 file\n"
-        printf("\tfseccomp secondary block file\n");
+                "\tfseccomp secondary block file\n"
-        printf("\tfseccomp default file\n");
+                "\tfseccomp default file\n"
-        printf("\tfseccomp default file allow-debuggers\n");
+                "\tfseccomp default file allow-debuggers\n"
-        printf("\tfseccomp default32 file\n");
+                "\tfseccomp default32 file\n"
-        printf("\tfseccomp default32 file allow-debuggers\n");
+                "\tfseccomp default32 file allow-debuggers\n"
-        printf("\tfseccomp drop file1 file2 list\n");
+                "\tfseccomp drop file1 file2 list\n"
-        printf("\tfseccomp drop file1 file2 list allow-debuggers\n");
+                "\tfseccomp drop file1 file2 list allow-debuggers\n"
-        printf("\tfseccomp drop32 file1 file2 list\n");
+                "\tfseccomp drop32 file1 file2 list\n"
-        printf("\tfseccomp drop32 file1 file2 list allow-debuggers\n");
+                "\tfseccomp drop32 file1 file2 list allow-debuggers\n"
-        printf("\tfseccomp default drop file1 file2 list\n");
+                "\tfseccomp default drop file1 file2 list\n"
-        printf("\tfseccomp default drop file1 file2 list allow-debuggers\n");
+                "\tfseccomp default drop file1 file2 list allow-debuggers\n"
-        printf("\tfseccomp default32 drop file1 file2 list\n");
+                "\tfseccomp default32 drop file1 file2 list\n"
-        printf("\tfseccomp default32 drop file1 file2 list allow-debuggers\n");
+                "\tfseccomp default32 drop file1 file2 list allow-debuggers\n"
-        printf("\tfseccomp keep file1 file2 list\n");
+                "\tfseccomp keep file1 file2 list\n"
-        printf("\tfseccomp keep32 file1 file2 list\n");
+                "\tfseccomp keep32 file1 file2 list\n"
-        printf("\tfseccomp memory-deny-write-execute file\n");
+                "\tfseccomp memory-deny-write-execute file\n"
-        printf("\tfseccomp memory-deny-write-execute.32 file\n");
+                "\tfseccomp memory-deny-write-execute.32 file\n"
-        printf("\tfseccomp restrict-namespaces file list\n");
+                "\tfseccomp restrict-namespaces file list\n"
-        printf("\tfseccomp restrict-namespaces.32 file list\n");
+                "\tfseccomp restrict-namespaces.32 file list\n");
 }
 int main(int argc, char **argv) {
diff --git a/test/filters/filters.sh b/test/filters/filters.sh
index e19047e6f..56c97482e 100755
--- a/test/filters/filters.sh
+++ b/test/filters/filters.sh
@@ -53,9 +53,6 @@ fi
 echo "TESTING: seccomp postexec (test/filters/seccomp-postexec.exp)"
 ./seccomp-postexec.exp
-echo "TESTING: noroot (test/filters/noroot.exp)"
-./noroot.exp
 #if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status; then
 #       echo "TESTING: capabilities (test/filters/caps.exp)"
diff --git a/test/filters/seccomp-debug.exp b/test/filters/seccomp-debug.exp
index dc6befcfe..33a992a93 100755
--- a/test/filters/seccomp-debug.exp
+++ b/test/filters/seccomp-debug.exp
@@ -97,61 +97,4 @@ expect {
 }
 after 100
-# memory-deny-write-execute
-send --  "firejail --debug --memory-deny-write-execute sleep 1; echo done\r"
-expect {
-        timeout {puts "TESTING ERROR 24\n";exit}
-        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-expect {
-        timeout {puts "TESTING ERROR 25\n";exit}
-        "Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter"
-}
-expect {
-        timeout {puts "TESTING ERROR 26\n";exit}
-        "done"
-}
-# 64 bit architecture - seccomp.block-secondary
-send --  "firejail --debug --seccomp.block-secondary sleep 1; echo done\r"
-expect {
-        timeout {puts "TESTING ERROR 27\n";exit}
-        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 28\n";exit}
-        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-expect {
-        timeout {puts "TESTING ERROR 29\n";exit}
-        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 30\n";exit}
-        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
-}
-expect {
-        timeout {puts "TESTING ERROR 31\n";exit}
-        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 32\n";exit}
-        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
-}
-expect {
-        timeout {puts "TESTING ERROR 33\n";exit}
-        "done"
-}
-after 100
-# 64 bit architecture - seccomp.block-secondary, profile
-send --  "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r"
-expect {
-        timeout {puts "TESTING ERROR 33\n";exit}
-        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 34\n";exit}
-        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-expect {
-        timeout {puts "TESTING ERROR 35\n";exit}
-        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit}
-        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
-}
-expect {
-        timeout {puts "TESTING ERROR 37\n";exit}
-        "done"
-}
-after 100
 puts "all done\n"
diff --git a/test/network/netstats.exp b/test/network/netstats.exp
index 0d1bc4c2c..d9da9cb75 100755
--- a/test/network/netstats.exp
+++ b/test/network/netstats.exp
@@ -12,7 +12,7 @@ expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
-sleep 2
+sleep 4
 spawn $env(SHELL)
 send -- "firejail --netstats\r"
diff --git a/test/seccomp-extra/block-secondary.exp b/test/seccomp-extra/block-secondary.exp
new file mode 100755
index 000000000..1db512126
--- /dev/null
+++ b/test/seccomp-extra/block-secondary.exp
@@ -0,0 +1,43 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+# 64 bit architecture - seccomp.block-secondary
+send --  "firejail --debug --seccomp.block-secondary pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 2\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 4\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 6\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
+}
+after 500
+# 64 bit architecture - seccomp.block-secondary, profile
+send --  "firejail --debug --profile=block-secondary.profile pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 8\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 10\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
+}
+after 500
+puts "all done\n"
diff --git a/test/filters/block-secondary.profile b/test/seccomp-extra/block-secondary.profile
index e32056c3d..e32056c3d 100644
--- a/test/filters/block-secondary.profile
+++ b/test/seccomp-extra/block-secondary.profile
diff --git a/test/filters/memwrexe b/test/seccomp-extra/memwrexe
index 1173cdc07..82ea7631f 100755
--- a/test/filters/memwrexe
+++ b/test/seccomp-extra/memwrexe
Binary files differ
diff --git a/test/filters/memwrexe.c b/test/seccomp-extra/memwrexe.c
index 548320df9..548320df9 100644
--- a/test/filters/memwrexe.c
+++ b/test/seccomp-extra/memwrexe.c
diff --git a/test/seccomp-extra/mrwx.exp b/test/seccomp-extra/mrwx.exp
new file mode 100755
index 000000000..403bc852f
--- /dev/null
+++ b/test/seccomp-extra/mrwx.exp
@@ -0,0 +1,37 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+# memory-deny-write-execute
+send --  "firejail --debug --memory-deny-write-execute pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter"
+}
+after 500
+send --  "firejail --debug --profile=mrwx.profile pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter"
+}
+after 500
+after 500
+puts "all done\n"
diff --git a/test/seccomp-extra/mrwx.profile b/test/seccomp-extra/mrwx.profile
new file mode 100644
index 000000000..46d6cedee
--- /dev/null
+++ b/test/seccomp-extra/mrwx.profile
@@ -0,0 +1 @@
+memory-deny-write-execute
diff --git a/test/filters/memwrexe.exp b/test/seccomp-extra/mrwx2.exp
index e51b3372e..4703a4014 100755
--- a/test/filters/memwrexe.exp
+++ b/test/seccomp-extra/mrwx2.exp
@@ -17,7 +17,7 @@ expect {
        "mmap successful" {puts "TESTING ERROR 2\n";exit}
        "Parent is shutting down"
 }
-after 100
+after 500
 send --  "firejail --memory-deny-write-execute ./memwrexe mprotect\r"
 expect {
@@ -29,7 +29,7 @@ expect {
        "mprotect successful" {puts "TESTING ERROR 12\n";exit}
        "Parent is shutting down"
 }
-after 100
+after 500
 send --  "firejail --memory-deny-write-execute ./memwrexe memfd_create\r"
 expect {
@@ -42,5 +42,5 @@ expect {
        "Parent is shutting down"
 }
-after 100
+after 500
 puts "\nall done\n"
diff --git a/test/filters/noroot.exp b/test/seccomp-extra/noroot.exp
index 8a8842cd9..eeb82833e 100755
--- a/test/filters/noroot.exp
+++ b/test/seccomp-extra/noroot.exp
@@ -132,5 +132,5 @@ expect {
 puts "\n"
-after 100
+after 500
 puts "\nall done\n"
diff --git a/test/seccomp-extra/protocol-print.exp b/test/seccomp-extra/protocol-print.exp
new file mode 100755
index 000000000..7e76e6ff6
--- /dev/null
+++ b/test/seccomp-extra/protocol-print.exp
@@ -0,0 +1,59 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test0\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firejail --name=test1 --profile=protocol1.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firejail --name=test2 --profile=protocol2.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firejail --protocol.print=test0\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "packet" {puts "TESTING ERROR 4\n";exit}
+        "unix,inet,inet6"
+}
+after 500
+send -- "firejail --protocol.print=test1\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "inet" {puts "TESTING ERROR 6\n";exit}
+        "unix"
+}
+after 500
+send -- "firejail --protocol.print=test2\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "unix" {puts "TESTING ERROR 8\n";exit}
+        "inet6,packet"
+}
+after 500
+puts "\nall done\n"
diff --git a/test/filters/protocol.exp b/test/seccomp-extra/protocol.exp
index 5320dde6f..5844e1de3 100755
--- a/test/filters/protocol.exp
+++ b/test/seccomp-extra/protocol.exp
@@ -7,7 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail --noprofile --protocol=unix --debug\r"
+send -- "firejail --noprofile --protocol=unix --debug pwd\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "0009: 20 00 00 00000000"
@@ -29,11 +29,9 @@ expect {
        "0012: 06 00 00 0005005f"
 }
-after 100
+after 500
-send -- "exit\r"
-sleep 1
-send -- "firejail --noprofile --protocol=bluetooth --debug\r"
+send -- "firejail --noprofile --protocol=bluetooth --debug pwd\r"
 expect {
        timeout {puts "TESTING ERROR 11\n";exit}
        "0009: 20 00 00 00000000"
@@ -54,12 +52,9 @@ expect {
        timeout {puts "TESTING ERROR1 5\n";exit}
        "0012: 06 00 00 0005005f"
 }
+after 500
-after 100
+send -- "firejail --noprofile --protocol=inet,inet6 --debug pwd\r"
-send -- "exit\r"
-sleep 1
-send -- "firejail --noprofile --protocol=inet,inet6 --debug\r"
 expect {
        timeout {puts "TESTING ERROR 31\n";exit}
        "0009: 20 00 00 00000000"
@@ -88,10 +83,5 @@ expect {
        timeout {puts "TESTING ERROR 37\n";exit}
        "0014: 06 00 00 0005005f"
 }
+after 500
-after 100
-send -- "exit\r"
-after 100
 puts "\nall done\n"
diff --git a/test/filters/protocol1.profile b/test/seccomp-extra/protocol1.profile
index 3e1ea2a29..3e1ea2a29 100644
--- a/test/filters/protocol1.profile
+++ b/test/seccomp-extra/protocol1.profile
diff --git a/test/filters/protocol2.profile b/test/seccomp-extra/protocol2.profile
index b7eb4ab91..b7eb4ab91 100644
--- a/test/filters/protocol2.profile
+++ b/test/seccomp-extra/protocol2.profile
diff --git a/test/seccomp-extra/seccomp-extra.sh b/test/seccomp-extra/seccomp-extra.sh
new file mode 100755
index 000000000..50852f7e0
--- /dev/null
+++ b/test/seccomp-extra/seccomp-extra.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
+echo "TESTING: protocol (test/seccomp-extras/protocol-print.exp)"
+./protocol.exp
+echo "TESTING: protocol.print (test/seccomp-extras/protocol-print.exp)"
+./protocol-print.exp
+echo "TESTING: noroot (test/seccomp-extras/noroot.exp)"
+./noroot.exp
+echo "TESTING: mrwx (test/seccomp-extras/mrwx.exp)"
+./mrwx.exp
+echo "TESTING: mrwx2 (test/seccomp-extras/mrwx.exp)"
+./mrwx2.exp
+echo "TESTING: block-secondary (test/seccomp-extras/block-secondary.exp)"
+./block-secondary.exp
diff --git a/test/utils/protocol-print.exp b/test/utils/protocol-print.exp
deleted file mode 100755
index f24afc703..000000000
--- a/test/utils/protocol-print.exp
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2023 Firejail Authors
-# License GPL v2
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send -- "firejail --name=test\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 2
-spawn $env(SHELL)
-send -- "firejail --protocol.print=test\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "unix,inet,inet6"
-}
-after 100
-puts "\nall done\n"
diff --git a/test/utils/utils.sh b/test/utils/utils.sh
index 4937cf459..9ff4048ef 100755
--- a/test/utils/utils.sh
+++ b/test/utils/utils.sh
@@ -64,9 +64,6 @@ echo "TESTING: dns.print (test/utils/dns-print.exp)"
 echo "TESTING: seccomp.print (test/utils/seccomp-print.exp)"
 ./seccomp-print.exp
-echo "TESTING: protocol.print (test/utils/protocol-print.exp)"
-./protocol-print.exp
 echo "TESTING: shutdown (test/utils/shutdown.exp)"
 ./shutdown.exp