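// Unit tests for the seccomp allowlist and the serialized BPF program.
//
// Scope note: the two allowlist tests inspect the `ALLOWED_SYSCALLS` name
// table only. They do not decode the compiled filter, so they cannot show
// what the program does for a syscall that is absent from the table, nor
// whether it validates the architecture field before matching syscall
// numbers. NOTE(review): confirm both against the filter builder.
use super::*;

/// The filter must compile and serialize into a loadable classic-BPF program.
#[test]
fn builds_on_supported_arch() {
    // Assumes the byte stream is a raw array of classic-BPF `sock_filter`
    // instructions (8 bytes each), which the length assertion below implies.
    const SOCK_FILTER_SIZE: usize = 8;
    // The kernel refuses to install a seccomp filter longer than
    // BPF_MAXINSNS (4096) instructions, so an oversized program would only
    // fail at load time, leaving the process unsandboxed unless the caller
    // treats that failure as fatal.
    const BPF_MAXINSNS: usize = 4096;

    let bytes = build_program_bytes().expect("seccomp program should build");
    assert!(!bytes.is_empty(), "serialized BPF program is empty");
    assert_eq!(bytes.len() % 8, 0, "BPF byte stream must be 8-byte aligned");

    let instruction_count = bytes.len() / SOCK_FILTER_SIZE;
    assert!(
        instruction_count <= BPF_MAXINSNS,
        "BPF program has {instruction_count} instructions, above the kernel limit of {BPF_MAXINSNS}"
    );
}

/// Guards against an over-tightened allowlist: these names must stay present.
#[test]
fn allowlist_contains_essential_syscalls() {
    // `clone` is required here while `unshare`, `setns` and `clone3` are
    // denied below. A name check cannot show whether `clone` is restricted by
    // argument. NOTE(review): confirm the filter rejects the CLONE_NEW*
    // namespace flags on `clone`; otherwise the namespace denial is not
    // enforced for that entry point.
    for needed in &[
        "read",
        "write",
        "openat",
        "close",
        "execve",
        "exit_group",
        "mmap",
        "brk",
        "clone",
    ] {
        assert!(
            ALLOWED_SYSCALLS.contains(needed),
            "allowlist missing essential syscall: {needed}"
        );
    }
}

/// Regression guard: none of these names may ever be added to the allowlist.
///
/// This list is not the security boundary; it only catches an accidental
/// addition of a known high-risk syscall to `ALLOWED_SYSCALLS`.
#[test]
fn allowlist_excludes_dangerous_syscalls() {
    for denied in &[
        // In-kernel program loading, tracing and fault-handling surface.
        "bpf",
        "perf_event_open",
        "userfaultfd",
        // Replacing the running kernel or loading/unloading kernel modules.
        "kexec_load",
        "kexec_file_load",
        "init_module",
        "finit_module",
        "delete_module",
        // Mount table and namespace manipulation.
        "mount",
        "umount",
        "umount2",
        "unshare",
        "setns",
        "pivot_root",
        // Inspecting or modifying other processes.
        "ptrace",
        "process_vm_readv",
        "process_vm_writev",
        // Kernel keyring and execution-domain changes.
        "keyctl",
        "personality",
        // `clone3` takes its flags through a struct pointer, which a seccomp
        // filter cannot dereference, so it cannot be filtered by flag.
        "clone3",
        // io_uring submits operations outside the per-syscall filter path.
        "io_uring_setup",
        "io_uring_register",
        "io_uring_enter",
        // Filesystem-wide event monitoring.
        "fanotify_init",
        "fanotify_mark",
        // File-handle based opens, which bypass path-based lookup.
        "open_by_handle_at",
        "name_to_handle_at",
        // The newer fd-based mount API.
        "fsopen",
        "fsconfig",
        "fsmount",
        "fspick",
        "open_tree",
        "move_mount",
        "mount_setattr",
        // Host-level power and swap control.
        "reboot",
        "swapon",
        "swapoff",
    ] {
        assert!(
            !ALLOWED_SYSCALLS.contains(denied),
            "allowlist must not contain dangerous syscall: {denied}"
        );
    }
}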