authorPaul Moore <paul@paul-moore.com>2016-02-18 13:58:25 -0500
committerPaul Moore <paul@paul-moore.com>2016-02-18 13:58:25 -0500
commit58a7c20d4c2defc1c984c5c7391ecc60093f85fa (patch)
treed367667a7358687c38a6823fb715a8685a17759b
parentd5fd8b95a86509af7b901e2b81ec9d61352b89e4 (diff)
downloadlibseccomp-58a7c20d4c2defc1c984c5c7391ecc60093f85fa.tar.gz
api: add a seccomp_version() API call
This will allow callers to dynamically query the libseccomp library to determine the version information. We do not currently plan on exposing this API via any of the supported language bindings. Signed-off-by: Paul Moore <paul@paul-moore.com>
-rw-r--r--doc/Makefile.am3
-rw-r--r--doc/man/man3/seccomp_version.387
-rw-r--r--include/seccomp.h.in15
-rw-r--r--src/api.c12
-rw-r--r--tests/.gitignore1
-rw-r--r--tests/31-basic-version_check.c41
-rwxr-xr-xtests/31-basic-version_check.py35
-rw-r--r--tests/31-basic-version_check.tests11
-rw-r--r--tests/Makefile.am9
9 files changed, 210 insertions, 4 deletions
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 0ede147..872d089 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -42,4 +42,5 @@ dist_man3_MANS = \
man/man3/seccomp_syscall_resolve_name.3 \
man/man3/seccomp_syscall_resolve_name_arch.3 \
man/man3/seccomp_syscall_resolve_name_rewrite.3 \
- man/man3/seccomp_syscall_resolve_num_arch.3
+ man/man3/seccomp_syscall_resolve_num_arch.3 \
+ man/man3/seccomp_version.3
diff --git a/doc/man/man3/seccomp_version.3 b/doc/man/man3/seccomp_version.3
new file mode 100644
index 0000000..830fa06
--- /dev/null
+++ b/doc/man/man3/seccomp_version.3
@@ -0,0 +1,87 @@
+.TH "seccomp_version" 3 "18 February 2016" "paul@paul-moore.com" "libseccomp Documentation"
+.\" //////////////////////////////////////////////////////////////////////////
+.SH NAME
+.\" //////////////////////////////////////////////////////////////////////////
+seccomp_version \- Query the libseccomp version information
+.\" //////////////////////////////////////////////////////////////////////////
+.SH SYNOPSIS
+.\" //////////////////////////////////////////////////////////////////////////
+.nf
+.B #include <seccomp.h>
+.sp
+.B struct scmp_version {
+.B unsigned int major;
+.B unsigned int minor;
+.B unsigned int micro;
+.B }
+.sp
+.BI "const struct scmp_version *seccomp_version(" void ");"
+.sp
+Link with \fI\-lseccomp\fP.
+.fi
+.\" //////////////////////////////////////////////////////////////////////////
+.SH DESCRIPTION
+.\" //////////////////////////////////////////////////////////////////////////
+.P
+The
+.BR seccomp_version ()
+and
+.BR seccomp_reset ()
+functions return a pointer to a
+.B scmp_version
+struct which contains the version information of the currently loaded
+libseccomp library. This function can be used by applications that need to
+verify that they are linked to a specific libseccomp version at runtime.
+.P
+The caller should not attempt to free the returned
+.B scmp_version
+struct when finished.
+.\" //////////////////////////////////////////////////////////////////////////
+.SH RETURN VALUE
+.\" //////////////////////////////////////////////////////////////////////////
+The
+.BR seccomp_version ()
+function returns a pointer to a
+.B scmp_version
+structure on success, NULL on failure. The caller should not attempt to free
+the returned structure.
+.\" //////////////////////////////////////////////////////////////////////////
+.SH EXAMPLES
+.\" //////////////////////////////////////////////////////////////////////////
+.nf
+#include <seccomp.h>
+
+int main(int argc, char *argv[])
+{
+ const struct scmp_version *ver;
+
+ ver = seccomp_version();
+ if (ver == NULL)
+ goto err;
+
+ /* ... */
+
+ return 0;
+
+err:
+ return \-1;
+}
+.fi
+.\" //////////////////////////////////////////////////////////////////////////
+.SH NOTES
+.\" //////////////////////////////////////////////////////////////////////////
+.P
+While the seccomp filter can be generated independent of the kernel, kernel
+support is required to load and enforce the seccomp filter generated by
+libseccomp.
+.P
+The libseccomp project site, with more information and the source code
+repository, can be found at https://github.com/seccomp/libseccomp. This tool,
+as well as the libseccomp library, is currently under development, please
+report any bugs at the project site or directly to the author.
+.\" //////////////////////////////////////////////////////////////////////////
+.SH AUTHOR
+.\" //////////////////////////////////////////////////////////////////////////
+Paul Moore <paul@paul-moore.com>
+.\" //////////////////////////////////////////////////////////////////////////
+
diff --git a/include/seccomp.h.in b/include/seccomp.h.in
index 75328da..6bf6751 100644
--- a/include/seccomp.h.in
+++ b/include/seccomp.h.in
@@ -39,6 +39,12 @@ extern "C" {
#define SCMP_VER_MINOR @VERSION_MINOR@
#define SCMP_VER_MICRO @VERSION_MICRO@
+struct scmp_version {
+ unsigned int major;
+ unsigned int minor;
+ unsigned int micro;
+};
+
/*
* types
*/
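Review bot: The new `struct scmp_version` has no comment, and it sits directly under the `SCMP_VER_*` macros without saying how the two differ. The macros are substituted into the header when the application is built, while the struct carries what the loaded library reports. A caller that gates seccomp features on the version needs the runtime value, not the macros. I would add above the struct: `/* version of the libseccomp library in use at runtime, see seccomp_version(); SCMP_VER_* describe the headers used at build time */`.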
@@ -253,6 +259,15 @@ struct scmp_arg_cmp {
*/
/**
+ * Query the library version information
+ *
+ * This function returns a pointer to a populated scmp_version struct, the
+ * caller does not need to free the structure when finished.
+ *
+ */
+const struct scmp_version *seccomp_version(void);
+
+/**
* Initialize the filter state
* @param def_action the default filter action
*
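Review bot: The doc comment for seccomp_version() has no `@return` line, and "does not need to free" understates the contract. In this commit src/api.c returns the address of a `const` file-scope object, so freeing or writing through the pointer is invalid rather than optional. I would add ` * @return a pointer to a read-only, library-owned scmp_version; the caller must not free or modify it`. The man page added in the same commit documents "NULL on failure" and names seccomp_reset() in its DESCRIPTION; the implementation shown never returns NULL, so the three descriptions should be brought into agreement. The seccomp_init() comment that follows continues outside the hunk.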
diff --git a/src/api.c b/src/api.c
index db198e6..7d5b1ec 100644
--- a/src/api.c
+++ b/src/api.c
@@ -38,6 +38,12 @@
#define API __attribute__((visibility("default")))
+const struct scmp_version library_version = {
+ .major = SCMP_VER_MAJOR,
+ .minor = SCMP_VER_MINOR,
+ .micro = SCMP_VER_MICRO,
+};
+
/**
* Validate a filter context
* @param ctx the filter context
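Review bot: `library_version` is defined at file scope without `static`, so it has external linkage although its only visible use is seccomp_version() in this same file. Whether the build hides non-API symbols is not visible in this diff; if it does not, or when the library is linked statically, such a generic name can collide with a symbol in the application. I would change the definition to `static const struct scmp_version library_version = {`.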
@@ -67,6 +73,12 @@ static int _syscall_valid(int syscall)
}
/* NOTE - function header comment in include/seccomp.h */
+API const struct scmp_version *seccomp_version(void)
+{
+ return &library_version;
+}
+
+/* NOTE - function header comment in include/seccomp.h */
API scmp_filter_ctx seccomp_init(uint32_t def_action)
{
if (db_action_valid(def_action) < 0)
diff --git a/tests/.gitignore b/tests/.gitignore
index fe51c14..9a0e46e 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -35,3 +35,4 @@ util.pyc
28-sim-arch_x86
29-sim-pseudo_syscall
30-sim-socket_syscalls
+31-basic-version_check
diff --git a/tests/31-basic-version_check.c b/tests/31-basic-version_check.c
new file mode 100644
index 0000000..112f666
--- /dev/null
+++ b/tests/31-basic-version_check.c
@@ -0,0 +1,41 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2016 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+int main(int argc, char *argv[])
+{
+ const struct scmp_version *ver;
+
+ ver = seccomp_version();
+ if (ver == NULL)
+ return -1;
+
+ if (ver->major != SCMP_VER_MAJOR ||
+ ver->minor != SCMP_VER_MINOR ||
+ ver->micro != SCMP_VER_MICRO)
+ return -2;
+
+ return 0;
+}
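Review bot: `<errno.h>` and `<unistd.h>` are included but nothing in this file uses them, and `main` has no comment saying what is being checked. The comparison only holds when the header used to build the test and the library loaded at run time come from the same build, which is worth stating so a `-2` exit is read correctly. I would drop the two includes and add above the `if`: `/* the library we are running against must match the headers we were built with */`.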
diff --git a/tests/31-basic-version_check.py b/tests/31-basic-version_check.py
new file mode 100755
index 0000000..e958bf1
--- /dev/null
+++ b/tests/31-basic-version_check.py
@@ -0,0 +1,35 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2016 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+# NOTE: this is a NULL test since we don't support the seccomp_version() API
+# via the libseccomp python bindings
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
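Review bot: This null test still imports `argparse`, `sys`, `util` and `from seccomp import *` without using any of them, so it depends on the Python bindings being importable even though it tests nothing. If the harness only needs the file to exist and exit 0 (not visible in this diff), the imports can go and the NOTE comment can say that explicitly, e.g. `# NOTE: intentionally empty, seccomp_version() is not exposed by the python bindings`.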
diff --git a/tests/31-basic-version_check.tests b/tests/31-basic-version_check.tests
new file mode 100644
index 0000000..feeda66
--- /dev/null
+++ b/tests/31-basic-version_check.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2016 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: basic
+
+# Test command
+31-basic-version_check
diff --git a/tests/Makefile.am b/tests/Makefile.am
index eba5cbd..fec9e19 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -58,7 +58,8 @@ check_PROGRAMS = \
27-sim-bpf_blk_state \
28-sim-arch_x86 \
29-sim-pseudo_syscall \
- 30-sim-socket_syscalls
+ 30-sim-socket_syscalls \
+ 31-basic-version_check
EXTRA_DIST_TESTPYTHON = \
util.py \
@@ -91,7 +92,8 @@ EXTRA_DIST_TESTPYTHON = \
27-sim-bpf_blk_state.py \
28-sim-arch_x86.py \
29-sim-pseudo_syscall.py \
- 30-sim-socket_syscalls.py
+ 30-sim-socket_syscalls.py \
+ 31-basic-version_check.py
EXTRA_DIST_TESTCFGS = \
01-sim-allow.tests \
@@ -123,7 +125,8 @@ EXTRA_DIST_TESTCFGS = \
27-sim-bpf_blk_state.tests \
28-sim-arch_x86.tests \
29-sim-pseudo_syscall.tests \
- 30-sim-socket_syscalls.tests
+ 30-sim-socket_syscalls.tests \
+ 31-basic-version_check.tests
EXTRA_DIST_TESTSCRIPTS = regression testdiff testgen