shared/seccomp-util: address family filtering is broken on ppc

This reverts the gist of da1921a5c396547261c8c7fcd94173346eb3b718 and
0d9fca76bb69e162265b2d25cb79f1890c0da31b (for ppc).

Quoting #17559:
> libseccomp 2.5 added socket syscall multiplexing on ppc64(el):
> https://github.com/seccomp/libseccomp/pull/229
>
> Like with i386, s390 and s390x this breaks socket argument filtering, so
> RestrictAddressFamilies doesn't work.
>
> This causes the unit test to fail:
> /* test_restrict_address_families */
> Operating on architecture: ppc
> Failed to install socket family rules for architecture ppc, skipping: Operation canceled
> Operating on architecture: ppc64
> Failed to add socket() rule for architecture ppc64, skipping: Invalid argument
> Operating on architecture: ppc64-le
> Failed to add socket() rule for architecture ppc64-le, skipping: Invalid argument
> Assertion 'fd < 0' failed at src/test/test-seccomp.c:424, function test_restrict_address_families(). Aborting.
>
> The socket filters can't be added so `socket(AF_UNIX, SOCK_DGRAM, 0);` still
> works, triggering the assertion.

Fixes #17559.

hwdb.d/60-evdev.hwdb

@@ -422,6 +422,13 @@ evdev:name:SynPS/2 Synaptics TouchPad:dmi:*svnLENOVO*:pvrThinkPadT430:*
  EVDEV_ABS_35=1250:5631:58
  EVDEV_ABS_36=1309:4826:78
 
+# Lenovo Thinkpad X1 Carbon Extreme 3rd gen.
+evdev:name:SynPS/2 Synaptics TouchPad:dmi:*svnLENOVO*pvrThinkPadX1ExtremeGen3*
+ EVDEV_ABS_00=1354:5678:43
+ EVDEV_ABS_01=1169:4695:51
+ EVDEV_ABS_35=1354:5678:43
+ EVDEV_ABS_36=1169:4695:51
+
 # Lenovo Thinkpad Carbon X1 4th gen. and X1 Yoga 1st gen.
 evdev:name:SynPS/2 Synaptics TouchPad:dmi:*svnLENOVO*:pvrThinkPadX1Carbon4th:*
  EVDEV_ABS_00=1262:5679:44

po/zh_CN.po

@@ -6,13 +6,14 @@
 # Boyuan Yang <073plan@gmail.com>, 2015.
 # Jeff Bai <jeffbai@aosc.xyz>, 2016.
 # Charles Lee <lchopn@gmail.com>, 2020.
+# Whired Planck <fungdaat31@outlook.com>, 2020.
 msgid ""
 msgstr ""
 "Project-Id-Version: systemd\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2020-08-19 18:02+0200\n"
-"PO-Revision-Date: 2020-09-24 04:29+0000\n"
-"Last-Translator: Charles Lee <lchopn@gmail.com>\n"
+"PO-Revision-Date: 2020-11-26 11:35+0000\n"
+"Last-Translator: Whired Planck <fungdaat31@outlook.com>\n"
 "Language-Team: Chinese (Simplified) <https://translate.fedoraproject.org/"
 "projects/systemd/master/zh_CN/>\n"
 "Language: zh_CN\n"
@@ -20,7 +21,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=1; plural=0;\n"
-"X-Generator: Weblate 4.2.2\n"
+"X-Generator: Weblate 4.3.2\n"
 
 #: src/core/org.freedesktop.systemd1.policy.in:22
 msgid "Send passphrase back to system"
@@ -67,70 +68,56 @@ msgstr "重新载入 systemd 状态需要认证。"
 
 #: src/home/org.freedesktop.home1.policy:13
 msgid "Create a home area"
-msgstr ""
+msgstr "创建一个家区域"
 
 #: src/home/org.freedesktop.home1.policy:14
-#, fuzzy
-#| msgid "Authentication is required to reload the systemd state."
 msgid "Authentication is required to create a user's home area."
-msgstr "重新载入 systemd 状态需要认证。"
+msgstr "创建用户家区域需要认证。"
 
 #: src/home/org.freedesktop.home1.policy:23
 msgid "Remove a home area"
-msgstr ""
+msgstr "移除一个家区域"
 
 #: src/home/org.freedesktop.home1.policy:24
-#, fuzzy
-#| msgid "Authentication is required to reload the systemd state."
 msgid "Authentication is required to remove a user's home area."
-msgstr "重新载入 systemd 状态需要认证。"
+msgstr "移除用户家区域需要认证。"
 
 #: src/home/org.freedesktop.home1.policy:33
 msgid "Check credentials of a home area"
-msgstr ""
+msgstr "检查家区域凭证"
 
 #: src/home/org.freedesktop.home1.policy:34
-#, fuzzy
-#| msgid ""
-#| "Authentication is required to manage active sessions, users and seats."
 msgid ""
 "Authentication is required to check credentials against a user's home area."
-msgstr "管理活动会话、用户与会话座位需要认证。"
+msgstr "根据用户家区域检查凭证需要认证。"
 
 #: src/home/org.freedesktop.home1.policy:43
 msgid "Update a home area"
-msgstr ""
+msgstr "更新一个家区域"
 
 # Pay attention to the concept of "seat".
 #
 # To fully understand the meaning, please refer to session management in old ConsoleKit and new systemd-logind.
 #: src/home/org.freedesktop.home1.policy:44
-#, fuzzy
-#| msgid "Authentication is required to attach a device to a seat."
 msgid "Authentication is required to update a user's home area."
-msgstr "允许将设备附加至某个会话座位需要认证。"
+msgstr "更新用户家区域需要认证。"
 
 #: src/home/org.freedesktop.home1.policy:53
 msgid "Resize a home area"
-msgstr ""
+msgstr "调整家区域大小"
 
 #: src/home/org.freedesktop.home1.policy:54
-#, fuzzy
-#| msgid "Authentication is required to set a wall message"
 msgid "Authentication is required to resize a user's home area."
-msgstr "设置 wall 消息需要认证。"
+msgstr "调整家区域大小需要认证。"
 
 #: src/home/org.freedesktop.home1.policy:63
 msgid "Change password of a home area"
-msgstr ""
+msgstr "更改家区域的密码"
 
 #: src/home/org.freedesktop.home1.policy:64
-#, fuzzy
-#| msgid ""
-#| "Authentication is required to manage active sessions, users and seats."
 msgid ""
 "Authentication is required to change the password of a user's home area."
-msgstr "管理活动会话、用户与会话座位需要认证。"
+msgstr "更改家区域密码需要认证。"
 
 #: src/hostname/org.freedesktop.hostname1.policy:20
 msgid "Set hostname"
@@ -148,11 +135,10 @@ msgstr "设置静态主机名"
 #
 # There were some discussions, like https://lists.fedoraprojects.org/pipermail/trans-zh_cn/2012-December/001347.html
 #: src/hostname/org.freedesktop.hostname1.policy:31
-#, fuzzy
 msgid ""
 "Authentication is required to set the statically configured local hostname, "
 "as well as the pretty hostname."
-msgstr "设置静态本地主机名或美观主机名需要认证。"
+msgstr "设定静态本地主机名或美观主机名需要认证。"
 
 #: src/hostname/org.freedesktop.hostname1.policy:41
 msgid "Set machine information"
@@ -164,13 +150,11 @@ msgstr "设置本地机器信息需要认证。"
 
 #: src/hostname/org.freedesktop.hostname1.policy:51
 msgid "Get product UUID"
-msgstr ""
+msgstr "获取产品 UUID"
 
 #: src/hostname/org.freedesktop.hostname1.policy:52
-#, fuzzy
-#| msgid "Authentication is required to reload '$(unit)'."
 msgid "Authentication is required to get product UUID."
-msgstr "重新载入“$(unit)”需要认证。"
+msgstr "获取产品 UUID 需要认证。"
 
 #: src/import/org.freedesktop.import1.policy:22
 msgid "Import a VM or container image"
@@ -300,10 +284,8 @@ msgid "Allow non-logged-in user to run programs"
 msgstr "允许未登录用户运行程序"
 
 #: src/login/org.freedesktop.login1.policy:118
-#, fuzzy
-#| msgid "Authentication is required to run programs as a non-logged-in user."
 msgid "Explicit request is required to run programs as a non-logged-in user."
-msgstr "允许未登录用户运行程序需要认证。"
+msgstr "要以未登录用户运行程序，需要明确请求。"
 
 #: src/login/org.freedesktop.login1.policy:127
 msgid "Allow non-logged-in users to run programs"
@@ -389,10 +371,8 @@ msgid ""
 msgstr "在其它应用程序阻止重启时重启系统需要认证。"
 
 #: src/login/org.freedesktop.login1.policy:224
-#, fuzzy
-#| msgid "Hibernate the system"
 msgid "Halt the system"
-msgstr "休眠系统"
+msgstr "停止系统"
 
 #: src/login/org.freedesktop.login1.policy:225
 msgid "Authentication is required to halt the system."
@@ -492,13 +472,11 @@ msgstr "对活动会话进行锁定或解锁需要认证。"
 
 #: src/login/org.freedesktop.login1.policy:341
 msgid "Set the reboot \"reason\" in the kernel"
-msgstr ""
+msgstr "在内核中设定重启“原因”"
 
 #: src/login/org.freedesktop.login1.policy:342
-#, fuzzy
-#| msgid "Authentication is required to set the system timezone."
 msgid "Authentication is required to set the reboot \"reason\" in the kernel."
-msgstr "设置系统时区需要认证。"
+msgstr "在内核中设定重启“原因”需要认证。"
 
 #: src/login/org.freedesktop.login1.policy:352
 msgid "Indicate to the firmware to boot to setup interface"
@@ -512,31 +490,23 @@ msgstr "向固件发出启动时进入设置界面的指令需要认证。"
 
 #: src/login/org.freedesktop.login1.policy:363
 msgid "Indicate to the boot loader to boot to the boot loader menu"
-msgstr ""
+msgstr "指示引导加载程序启动至引导加载程序菜单"
 
 #: src/login/org.freedesktop.login1.policy:364
-#, fuzzy
-#| msgid ""
-#| "Authentication is required to indicate to the firmware to boot to setup "
-#| "interface."
 msgid ""
 "Authentication is required to indicate to the boot loader to boot to the "
 "boot loader menu."
-msgstr "向固件发出启动时进入设置界面的指令需要认证。"
+msgstr "指示引导加载程序启动至引导加载程序菜单需要认证。"
 
 #: src/login/org.freedesktop.login1.policy:374
 msgid "Indicate to the boot loader to boot a specific entry"
-msgstr ""
+msgstr "指示引导加载程序启动指定条目"
 
 #: src/login/org.freedesktop.login1.policy:375
-#, fuzzy
-#| msgid ""
-#| "Authentication is required to indicate to the firmware to boot to setup "
-#| "interface."
 msgid ""
 "Authentication is required to indicate to the boot loader to boot into a "
 "specific boot loader entry."
-msgstr "向固件发出启动时进入设置界面的指令需要认证。"
+msgstr "指示引导加载程序启动入指定引导加载条目需要认证。"
 
 #: src/login/org.freedesktop.login1.policy:385
 msgid "Set a wall message"
@@ -548,13 +518,11 @@ msgstr "设置 wall 消息需要认证。"
 
 #: src/login/org.freedesktop.login1.policy:395
 msgid "Change Session"
-msgstr ""
+msgstr "更改会话"
 
 #: src/login/org.freedesktop.login1.policy:396
-#, fuzzy
-#| msgid "Authentication is required to set the local hostname."
 msgid "Authentication is required to change the virtual terminal."
-msgstr "设置本地主机名需要认证。"
+msgstr "更改虚拟终端需要认证。"
 
 #: src/machine/org.freedesktop.machine1.policy:22
 msgid "Log into a local container"
@@ -629,10 +597,8 @@ msgid "Set NTP servers"
 msgstr "设置 NTP 服务器"
 
 #: src/network/org.freedesktop.network1.policy:23
-#, fuzzy
-#| msgid "Authentication is required to set the system time."
 msgid "Authentication is required to set NTP servers."
-msgstr "设置系统时间需要认证。"
+msgstr "设定 NTP 服务器需要认证。"
 
 #: src/network/org.freedesktop.network1.policy:33
 #: src/resolve/org.freedesktop.resolve1.policy:44
@@ -641,10 +607,8 @@ msgstr "设置 DNS 服务器"
 
 #: src/network/org.freedesktop.network1.policy:34
 #: src/resolve/org.freedesktop.resolve1.policy:45
-#, fuzzy
-#| msgid "Authentication is required to set the system time."
 msgid "Authentication is required to set DNS servers."
-msgstr "设置系统时间需要认证。"
+msgstr "设定 DNS 服务器需要认证。"
 
 #: src/network/org.freedesktop.network1.policy:44
 #: src/resolve/org.freedesktop.resolve1.policy:55
@@ -653,10 +617,8 @@ msgstr "设置域名"
 
 #: src/network/org.freedesktop.network1.policy:45
 #: src/resolve/org.freedesktop.resolve1.policy:56
-#, fuzzy
-#| msgid "Authentication is required to stop '$(unit)'."
 msgid "Authentication is required to set domains."
-msgstr "停止“$(unit)”需要认证。"
+msgstr "设定域需要认证。"
 
 #: src/network/org.freedesktop.network1.policy:55
 #: src/resolve/org.freedesktop.resolve1.policy:66
@@ -665,51 +627,43 @@ msgstr "设置默认路由"
 
 #: src/network/org.freedesktop.network1.policy:56
 #: src/resolve/org.freedesktop.resolve1.policy:67
-#, fuzzy
-#| msgid "Authentication is required to set the local hostname."
 msgid "Authentication is required to set default route."
-msgstr "设置本地主机名需要认证。"
+msgstr "设定默认路由需要认证。"
 
 #: src/network/org.freedesktop.network1.policy:66
 #: src/resolve/org.freedesktop.resolve1.policy:77
 msgid "Enable/disable LLMNR"
-msgstr ""
+msgstr "启用/禁用 LLMNR"
 
 #: src/network/org.freedesktop.network1.policy:67
 #: src/resolve/org.freedesktop.resolve1.policy:78
-#, fuzzy
-#| msgid "Authentication is required to hibernate the system."
 msgid "Authentication is required to enable or disable LLMNR."
-msgstr "休眠系统需要认证。"
+msgstr "启用或禁用 LLMNR 需要认证。"
 
 #: src/network/org.freedesktop.network1.policy:77
 #: src/resolve/org.freedesktop.resolve1.policy:88
 msgid "Enable/disable multicast DNS"
-msgstr ""
+msgstr "启用/禁用多播 DNS"
 
 #: src/network/org.freedesktop.network1.policy:78
 #: src/resolve/org.freedesktop.resolve1.policy:89
-#, fuzzy
-#| msgid "Authentication is required to log into the local host."
 msgid "Authentication is required to enable or disable multicast DNS."
-msgstr "登入本地主机需要认证。"
+msgstr "启用或禁用多播 DNS 需要认证。"
 
 #: src/network/org.freedesktop.network1.policy:88
 #: src/resolve/org.freedesktop.resolve1.policy:99
 msgid "Enable/disable DNS over TLS"
-msgstr ""
+msgstr "启用/禁用 DNS over TLS"
 
 #: src/network/org.freedesktop.network1.policy:89
 #: src/resolve/org.freedesktop.resolve1.policy:100
-#, fuzzy
-#| msgid "Authentication is required to set the local hostname."
 msgid "Authentication is required to enable or disable DNS over TLS."
-msgstr "设置本地主机名需要认证。"
+msgstr "启用或禁用 DNS over TLS 需要认证。"
 
 #: src/network/org.freedesktop.network1.policy:99
 #: src/resolve/org.freedesktop.resolve1.policy:110
 msgid "Enable/disable DNSSEC"
-msgstr ""
+msgstr "启用/禁用 DNSSEC"
 
 #: src/network/org.freedesktop.network1.policy:100
 #: src/resolve/org.freedesktop.resolve1.policy:111

src/basic/cap-list.c

@@ -50,6 +50,9 @@ int capability_from_name(const char *name) {
         return sc->id;
 }
 
+/* This is the number of capability names we are *compiled* with.
+ * For the max capability number of the currently-running kernel,
+ * use cap_last_cap(). */
 int capability_list_length(void) {
         return (int) ELEMENTSOF(capability_names);
 }

src/libsystemd/sd-device/device-internal.h

@@ -8,9 +8,19 @@
 #include "set.h"
 #include "time-util.h"
 
+#define LATEST_UDEV_DATABASE_VERSION 1
+
 struct sd_device {
         unsigned n_ref;
 
+        /* The database version indicates the supported features by the udev database.
+         * This is saved and parsed in V field.
+         *
+         * 0: None of the following features are supported (systemd version <= 246).
+         * 1: The current tags (Q) and the database version (V) features are implemented (>= 247).
+         */
+        unsigned database_version;
+
         int watch_handle;
 
         sd_device *parent;
@@ -88,7 +98,9 @@ struct sd_device {
 
 int device_new_aux(sd_device **ret);
 int device_add_property_aux(sd_device *device, const char *key, const char *value, bool db);
-int device_add_property_internal(sd_device *device, const char *key, const char *value);
+static inline int device_add_property_internal(sd_device *device, const char *key, const char *value) {
+        return device_add_property_aux(device, key, value, false);
+}
 int device_read_uevent_file(sd_device *device);
 
 int device_set_syspath(sd_device *device, const char *_syspath, bool verify);

src/libsystemd/sd-device/device-private.c

@@ -948,6 +948,10 @@ int device_update_db(sd_device *device) {
 
                 SET_FOREACH(tag, device->current_tags)
                         fprintf(f, "Q:%s\n", tag); /* Current tag */
+
+                /* Always write the latest database version here, instead of the value stored in
+                 * device->database_version, as which may be 0. */
+                fputs("V:" STRINGIFY(LATEST_UDEV_DATABASE_VERSION) "\n", f);
         }
 
         r = fflush_and_check(f);

src/libsystemd/sd-device/sd-device.c

@@ -128,10 +128,6 @@ int device_add_property_aux(sd_device *device, const char *_key, const char *_va
         return 0;
 }
 
-int device_add_property_internal(sd_device *device, const char *key, const char *value) {
-        return device_add_property_aux(device, key, value, false);
-}
-
 int device_set_syspath(sd_device *device, const char *_syspath, bool verify) {
         _cleanup_free_ char *syspath = NULL;
         const char *devpath;
@@ -1208,6 +1204,12 @@ static int handle_db_line(sd_device *device, char key, const char *value) {
                 if (r < 0)
                         return r;
 
+                break;
+        case 'V':
+                r = safe_atou(value, &device->database_version);
+                if (r < 0)
+                        return r;
+
                 break;
         default:
                 log_device_debug(device, "sd-device: Unknown key '%c' in device db, ignoring", key);
@@ -1442,11 +1444,26 @@ _public_ const char *sd_device_get_tag_next(sd_device *device) {
         return v;
 }
 
+static bool device_database_supports_current_tags(sd_device *device) {
+        assert(device);
+
+        (void) device_read_db(device);
+
+        /* The current tags (saved in Q field) feature is implemented in database version 1.
+         * If the database version is 0, then the tags (NOT current tags, saved in G field) are not
+         * sticky. Thus, we can safely bypass the operations for the current tags (Q) to tags (G). */
+
+        return device->database_version >= 1;
+}
+
 _public_ const char *sd_device_get_current_tag_first(sd_device *device) {
         void *v;
 
         assert_return(device, NULL);
 
+        if (!device_database_supports_current_tags(device))
+                return sd_device_get_tag_first(device);
+
         (void) device_read_db(device);
 
         device->current_tags_iterator_generation = device->tags_generation;
@@ -1461,6 +1478,9 @@ _public_ const char *sd_device_get_current_tag_next(sd_device *device) {
 
         assert_return(device, NULL);
 
+        if (!device_database_supports_current_tags(device))
+                return sd_device_get_tag_next(device);
+
         (void) device_read_db(device);
 
         if (device->current_tags_iterator_generation != device->tags_generation)
@@ -1763,6 +1783,9 @@ _public_ int sd_device_has_current_tag(sd_device *device, const char *tag) {
         assert_return(device, -EINVAL);
         assert_return(tag, -EINVAL);
 
+        if (!device_database_supports_current_tags(device))
+                return sd_device_has_tag(device, tag);
+
         (void) device_read_db(device);
 
         return set_contains(device->current_tags, tag);

src/shared/seccomp-util.c

@@ -1394,9 +1394,6 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) {
                 case SCMP_ARCH_X32:
                 case SCMP_ARCH_ARM:
                 case SCMP_ARCH_AARCH64:
-                case SCMP_ARCH_PPC:
-                case SCMP_ARCH_PPC64:
-                case SCMP_ARCH_PPC64LE:
                 case SCMP_ARCH_MIPSEL64N32:
                 case SCMP_ARCH_MIPS64N32:
                 case SCMP_ARCH_MIPSEL64:
@@ -1413,6 +1410,9 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) {
                 case SCMP_ARCH_X86:
                 case SCMP_ARCH_MIPSEL:
                 case SCMP_ARCH_MIPS:
+                case SCMP_ARCH_PPC:
+                case SCMP_ARCH_PPC64:
+                case SCMP_ARCH_PPC64LE:
                 default:
                         /* These we either know we don't support (i.e. are the ones that do use socketcall()), or we
                          * don't know */

src/test/test-cap-list.c

@@ -55,7 +55,7 @@ static void test_cap_list(void) {
 
 static void test_capability_set_one(uint64_t c, const char *t) {
         _cleanup_free_ char *t1 = NULL;
-        uint64_t c1, c_masked = c & ((UINT64_C(1) << capability_list_length()) - 1);
+        uint64_t c1, c_masked = c & all_capabilities();
 
         assert_se(capability_set_to_string_alloc(c, &t1) == 0);
         assert_se(streq(t1, t));
@@ -70,7 +70,7 @@ static void test_capability_set_one(uint64_t c, const char *t) {
         assert_se(c1 == c_masked);
 }
 
-static void test_capability_set(void) {
+static void test_capability_set_from_string(void) {
         uint64_t c;
 
         assert_se(capability_set_from_string(NULL, &c) == 0);
@@ -87,38 +87,42 @@ static void test_capability_set(void) {
 
         assert_se(capability_set_from_string("0 1 2 3", &c) == 0);
         assert_se(c == (UINT64_C(1) << 4) - 1);
+}
 
-        test_capability_set_one(0, "");
-        test_capability_set_one(
-                UINT64_C(1) << CAP_DAC_OVERRIDE,
-                "cap_dac_override");
-        test_capability_set_one(
-                UINT64_C(1) << CAP_DAC_OVERRIDE |
-                UINT64_C(1) << capability_list_length(),
-                "cap_dac_override");
-        test_capability_set_one(
-                UINT64_C(1) << capability_list_length(), "");
-        test_capability_set_one(
-                UINT64_C(1) << CAP_CHOWN |
-                UINT64_C(1) << CAP_DAC_OVERRIDE |
-                UINT64_C(1) << CAP_DAC_READ_SEARCH |
-                UINT64_C(1) << CAP_FOWNER |
-                UINT64_C(1) << CAP_SETGID |
-                UINT64_C(1) << CAP_SETUID |
-                UINT64_C(1) << CAP_SYS_PTRACE |
-                UINT64_C(1) << CAP_SYS_ADMIN |
-                UINT64_C(1) << CAP_AUDIT_CONTROL |
-                UINT64_C(1) << CAP_MAC_OVERRIDE |
-                UINT64_C(1) << CAP_SYSLOG |
-                UINT64_C(1) << (capability_list_length() + 1),
-                "cap_chown cap_dac_override cap_dac_read_search cap_fowner "
-                "cap_setgid cap_setuid cap_sys_ptrace cap_sys_admin "
-                "cap_audit_control cap_mac_override cap_syslog");
+static void test_capability_set_to_string(uint64_t invalid_cap_set) {
+        uint64_t c;
+
+        test_capability_set_one(invalid_cap_set, "");
+
+        c = (UINT64_C(1) << CAP_DAC_OVERRIDE | invalid_cap_set);
+        test_capability_set_one(c, "cap_dac_override");
+
+        c = (UINT64_C(1) << CAP_CHOWN |
+             UINT64_C(1) << CAP_DAC_OVERRIDE |
+             UINT64_C(1) << CAP_DAC_READ_SEARCH |
+             UINT64_C(1) << CAP_FOWNER |
+             UINT64_C(1) << CAP_SETGID |
+             UINT64_C(1) << CAP_SETUID |
+             UINT64_C(1) << CAP_SYS_PTRACE |
+             UINT64_C(1) << CAP_SYS_ADMIN |
+             UINT64_C(1) << CAP_AUDIT_CONTROL |
+             UINT64_C(1) << CAP_MAC_OVERRIDE |
+             UINT64_C(1) << CAP_SYSLOG |
+             invalid_cap_set);
+        test_capability_set_one(c, ("cap_chown cap_dac_override cap_dac_read_search cap_fowner "
+                                    "cap_setgid cap_setuid cap_sys_ptrace cap_sys_admin "
+                                    "cap_audit_control cap_mac_override cap_syslog"));
 }
 
 int main(int argc, char *argv[]) {
         test_cap_list();
-        test_capability_set();
+        test_capability_set_from_string();
+        test_capability_set_to_string(0);
+
+        /* once the kernel supports 63 caps, there are no 'invalid' numbers
+         * for us to test with */
+        if (cap_last_cap() < 63)
+                test_capability_set_to_string(all_capabilities() + 1);
 
         return 0;
 }

src/test/test-seccomp.c

@@ -33,7 +33,7 @@
 #include "virt.h"
 
 /* __NR_socket may be invalid due to libseccomp */
-#if !defined(__NR_socket) || __NR_socket < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
+#if !defined(__NR_socket) || __NR_socket < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__) || defined(__powerpc64__) || defined(__powerpc__)
 /* On these archs, socket() is implemented via the socketcall() syscall multiplexer,
  * and we can't restrict it hence via seccomp. */
 #  define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1