From d54311b2829ac6684bc7609d801d32a7e9039d5d Mon Sep 17 00:00:00 2001
From: Ophestra <cat@gensokyo.uk>
Date: Sat, 29 Mar 2025 22:34:51 +0900
Subject: [PATCH] test/sandbox: separate check filter

Signed-off-by: Ophestra <cat@gensokyo.uk>
---
 test/sandbox/assert.go | 36 ++++++++++++++++++++++++++++++------
 1 file changed, 30 insertions(+), 6 deletions(-)

diff --git a/test/sandbox/assert.go b/test/sandbox/assert.go
index 50d078e..cb35fcc 100644
--- a/test/sandbox/assert.go
+++ b/test/sandbox/assert.go
@@ -129,18 +129,40 @@ func (t *T) MustCheck(want *TestCase) {
 }
 
 func MustCheckFilter(pid int, want string) {
-	if err := ptraceAttach(pid); err != nil {
+	err := CheckFilter(pid, want)
+	if err == nil {
+		return
+	}
+
+	var perr *ptraceError
+	if !errors.As(err, &perr) {
+		fatalf("%s", err)
+	}
+	switch perr.op {
+	case "PTRACE_ATTACH":
 		fatalf("cannot attach to process %d: %v", pid, err)
+	case "PTRACE_SECCOMP_GET_FILTER":
+		if perr.errno == syscall.ENOENT {
+			fatalf("seccomp filter not installed for process %d", pid)
+		}
+		fatalf("cannot get filter: %v", err)
+	default:
+		fatalf("cannot check filter: %v", err)
+	}
+
+	*(*int)(nil) = 0 // not reached
+}
+
+func CheckFilter(pid int, want string) error {
+	if err := ptraceAttach(pid); err != nil {
+		return err
 	}
 	buf, err := getFilter[[8]byte](pid, 0)
 	if err0 := ptraceDetach(pid); err0 != nil {
 		printf("cannot detach from process %d: %v", pid, err0)
 	}
 	if err != nil {
-		if errors.Is(err, syscall.ENOENT) {
-			fatalf("seccomp filter not installed for process %d", pid)
-		}
-		fatalf("cannot get filter: %v", err)
+		return err
 	}
 
 	h := sha512.New()
@@ -149,9 +171,11 @@ func MustCheckFilter(pid int, want string) {
 	}
 
 	if got := hex.EncodeToString(h.Sum(nil)); got != want {
-		fatalf("[FAIL] %s", got)
+		printf("[FAIL] %s", got)
+		return syscall.ENOTRECOVERABLE
 	} else {
 		printf("[ OK ] %s", got)
+		return nil
 	}
 }