Switch to github.com/golang/dep for vendoring

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>

vendor/github.com/seccomp/libseccomp-golang/.gitignore

@@ -0,0 +1,4 @@
+*~
+*.swp
+*.orig
+tags

vendor/github.com/seccomp/libseccomp-golang/CHANGELOG

@@ -0,0 +1,6 @@
+libseccomp-golang: Releases
+===============================================================================
+https://github.com/seccomp/libseccomp-golang
+
+* Version 0.9.0 - January 5, 2017
+- Initial tagged release

vendor/github.com/seccomp/libseccomp-golang/Makefile

@@ -0,0 +1,26 @@
+# libseccomp-golang
+
+.PHONY: all check check-build check-syntax fix-syntax vet test lint
+
+all: check-build
+
+check: vet test
+
+check-build:
+	go build
+
+check-syntax:
+	gofmt -d .
+
+fix-syntax:
+	gofmt -w .
+
+vet:
+	go vet -v
+
+test:
+	go test -v
+
+lint:
+	@$(if $(shell which golint),true,$(error "install golint and include it in your PATH"))
+	golint -set_exit_status

vendor/github.com/seccomp/libseccomp-golang/README

@@ -24,3 +24,28 @@ please note that a Google account is not required to subscribe to the mailing
 list.
 
 	-> https://groups.google.com/d/forum/libseccomp
+
+Documentation is also available at:
+
+	-> https://godoc.org/github.com/seccomp/libseccomp-golang
+
+* Installing the package
+
+The libseccomp-golang bindings require at least Go v1.2.1 and GCC v4.8.4;
+earlier versions may yield unpredictable results.  If you meet these
+requirements you can install this package using the command below:
+
+	$ go get github.com/seccomp/libseccomp-golang
+
+* Testing the Library
+
+A number of tests and lint related recipes are provided in the Makefile, if
+you want to run the standard regression tests, you can excute the following:
+
+	$ make check
+
+In order to execute the 'make lint' recipe the 'golint' tool is needed, it
+can be found at:
+
+	-> https://github.com/golang/lint
+

vendor/github.com/seccomp/libseccomp-golang/SUBMITTING_PATCHES

@@ -0,0 +1,112 @@
+How to Submit Patches to the libseccomp Project
+===============================================================================
+https://github.com/seccomp/libseccomp-golang
+
+This document is intended to act as a guide to help you contribute to the
+libseccomp project.  It is not perfect, and there will always be exceptions
+to the rules described here, but by following the instructions below you
+should have a much easier time getting your work merged with the upstream
+project.
+
+* Test Your Code
+
+There are two possible tests you can run to verify your code.  The first test
+is used to check the formatting and coding style of your changes, you can run
+the test with the following command:
+
+	# make check-syntax
+
+... if there are any problems with your changes a diff/patch will be shown
+which indicates the problems and how to fix them.
+
+The second possible test is used to ensure the sanity of your code changes
+and to test these changes against the included tests.  You can run the test
+with the following command:
+
+	# make check
+
+... if there are any faults or errors they will be displayed.
+
+* Generate the Patch(es)
+
+Depending on how you decided to work with the libseccomp code base and what
+tools you are using there are different ways to generate your patch(es).
+However, regardless of what tools you use, you should always generate your
+patches using the "unified" diff/patch format and the patches should always
+apply to the libseccomp source tree using the following command from the top
+directory of the libseccomp sources:
+
+	# patch -p1 < changes.patch
+
+If you are not using git, stacked git (stgit), or some other tool which can
+generate patch files for you automatically, you may find the following command
+helpful in generating patches, where "libseccomp.orig/" is the unmodified
+source code directory and "libseccomp/" is the source code directory with your
+changes:
+
+	# diff -purN libseccomp-golang.orig/ libseccomp-golang/
+
+When in doubt please generate your patch and try applying it to an unmodified
+copy of the libseccomp sources; if it fails for you, it will fail for the rest
+of us.
+
+* Explain Your Work
+
+At the top of every patch you should include a description of the problem you
+are trying to solve, how you solved it, and why you chose the solution you
+implemented.  If you are submitting a bug fix, it is also incredibly helpful
+if you can describe/include a reproducer for the problem in the description as
+well as instructions on how to test for the bug and verify that it has been
+fixed.
+
+* Sign Your Work
+
+The sign-off is a simple line at the end of the patch description, which
+certifies that you wrote it or otherwise have the right to pass it on as an
+open-source patch.  The "Developer's Certificate of Origin" pledge is taken
+from the Linux Kernel and the rules are pretty simple:
+
+	Developer's Certificate of Origin 1.1
+
+	By making a contribution to this project, I certify that:
+
+	(a) The contribution was created in whole or in part by me and I
+	    have the right to submit it under the open source license
+	    indicated in the file; or
+
+	(b) The contribution is based upon previous work that, to the best
+	    of my knowledge, is covered under an appropriate open source
+	    license and I have the right under that license to submit that
+	    work with modifications, whether created in whole or in part
+	    by me, under the same open source license (unless I am
+	    permitted to submit under a different license), as indicated
+	    in the file; or
+
+	(c) The contribution was provided directly to me by some other
+	    person who certified (a), (b) or (c) and I have not modified
+	    it.
+
+	(d) I understand and agree that this project and the contribution
+	    are public and that a record of the contribution (including all
+	    personal information I submit with it, including my sign-off) is
+	    maintained indefinitely and may be redistributed consistent with
+	    this project or the open source license(s) involved.
+
+... then you just add a line to the bottom of your patch description, with
+your real name, saying:
+
+	Signed-off-by: Random J Developer <random@developer.example.org>
+
+* Email Your Patch(es)
+
+Finally, you will need to email your patches to the mailing list so they can
+be reviewed and potentially merged into the main libseccomp-golang repository.
+When sending patches to the mailing list it is important to send your email in
+text form, no HTML mail please, and ensure that your email client does not
+mangle your patches.  It should be possible to save your raw email to disk and
+apply it directly to the libseccomp source code; if that fails then you likely
+have a problem with your email client.  When in doubt try a test first by
+sending yourself an email with your patch and attempting to apply the emailed
+patch to the libseccomp-golang repository; if it fails for you, it will fail
+for the rest of us trying to test your patch and include it in the main
+libseccomp-golang repository.

vendor/github.com/seccomp/libseccomp-golang/seccomp.go

@@ -27,6 +27,28 @@ import "C"
 
 // Exported types
 
+// VersionError denotes that the system libseccomp version is incompatible
+// with this package.
+type VersionError struct {
+	message string
+	minimum string
+}
+
+func (e VersionError) Error() string {
+	format := "Libseccomp version too low: "
+	if e.message != "" {
+		format += e.message + ": "
+	}
+	format += "minimum supported is "
+	if e.minimum != "" {
+		format += e.minimum + ": "
+	} else {
+		format += "2.1.0: "
+	}
+	format += "detected %d.%d.%d"
+	return fmt.Sprintf(format, verMajor, verMinor, verMicro)
+}
+
 // ScmpArch represents a CPU architecture. Seccomp can restrict syscalls on a
 // per-architecture basis.
 type ScmpArch uint
@@ -151,6 +173,10 @@ const (
 // GetArchFromString returns an ScmpArch constant from a string representing an
 // architecture
 func GetArchFromString(arch string) (ScmpArch, error) {
+	if err := ensureSupportedVersion(); err != nil {
+		return ArchInvalid, err
+	}
+
 	switch strings.ToLower(arch) {
 	case "x86":
 		return ArchX86, nil
@@ -338,6 +364,10 @@ func (s ScmpSyscall) GetNameByArch(arch ScmpArch) (string, error) {
 // Returns the number of the syscall, or an error if no syscall with that name
 // was found.
 func GetSyscallFromName(name string) (ScmpSyscall, error) {
+	if err := ensureSupportedVersion(); err != nil {
+		return 0, err
+	}
+
 	cString := C.CString(name)
 	defer C.free(unsafe.Pointer(cString))
 
@@ -355,6 +385,9 @@ func GetSyscallFromName(name string) (ScmpSyscall, error) {
 // Returns the number of the syscall, or an error if an invalid architecture is
 // passed or a syscall with that name was not found.
 func GetSyscallFromNameByArch(name string, arch ScmpArch) (ScmpSyscall, error) {
+	if err := ensureSupportedVersion(); err != nil {
+		return 0, err
+	}
 	if err := sanitizeArch(arch); err != nil {
 		return 0, err
 	}
@@ -386,6 +419,10 @@ func GetSyscallFromNameByArch(name string, arch ScmpArch) (ScmpSyscall, error) {
 func MakeCondition(arg uint, comparison ScmpCompareOp, values ...uint64) (ScmpCondition, error) {
 	var condStruct ScmpCondition
 
+	if err := ensureSupportedVersion(); err != nil {
+		return condStruct, err
+	}
+
 	if comparison == CompareInvalid {
 		return condStruct, fmt.Errorf("invalid comparison operator")
 	} else if arg > 5 {
@@ -413,6 +450,10 @@ func MakeCondition(arg uint, comparison ScmpCompareOp, values ...uint64) (ScmpCo
 // GetNativeArch returns architecture token representing the native kernel
 // architecture
 func GetNativeArch() (ScmpArch, error) {
+	if err := ensureSupportedVersion(); err != nil {
+		return ArchInvalid, err
+	}
+
 	arch := C.seccomp_arch_native()
 
 	return archFromNative(arch)
@@ -435,6 +476,10 @@ type ScmpFilter struct {
 // Returns a reference to a valid filter context, or nil and an error if the
 // filter context could not be created or an invalid default action was given.
 func NewFilter(defaultAction ScmpAction) (*ScmpFilter, error) {
+	if err := ensureSupportedVersion(); err != nil {
+		return nil, err
+	}
+
 	if err := sanitizeAction(defaultAction); err != nil {
 		return nil, err
 	}

vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go

@@ -7,7 +7,6 @@ package seccomp
 
 import (
 	"fmt"
-	"os"
 	"syscall"
 )
 
@@ -192,12 +191,12 @@ func checkVersionAbove(major, minor, micro int) bool {
 		(verMajor == major && verMinor == minor && verMicro >= micro)
 }
 
-// Init function: Verify library version is appropriate
-func init() {
+// Ensure that the library is supported, i.e. >= 2.1.0.
+func ensureSupportedVersion() error {
 	if !checkVersionAbove(2, 1, 0) {
-		fmt.Fprintf(os.Stderr, "Libseccomp version too low: minimum supported is 2.1.0, detected %d.%d.%d", C.C_VERSION_MAJOR, C.C_VERSION_MINOR, C.C_VERSION_MICRO)
-		os.Exit(-1)
+		return VersionError{}
 	}
+	return nil
 }
 
 // Filter helpers
@@ -217,7 +216,10 @@ func (f *ScmpFilter) getFilterAttr(attr scmpFilterAttr) (C.uint32_t, error) {
 	}
 
 	if !checkVersionAbove(2, 2, 0) && attr == filterAttrTsync {
-		return 0x0, fmt.Errorf("the thread synchronization attribute is not supported in this version of the library")
+		return 0x0, VersionError{
+			message: "thread synchronization attribute is not supported",
+			minimum: "2.2.0",
+		}
 	}
 
 	var attribute C.uint32_t
@@ -240,7 +242,10 @@ func (f *ScmpFilter) setFilterAttr(attr scmpFilterAttr, value C.uint32_t) error
 	}
 
 	if !checkVersionAbove(2, 2, 0) && attr == filterAttrTsync {
-		return fmt.Errorf("the thread synchronization attribute is not supported in this version of the library")
+		return VersionError{
+			message: "thread synchronization attribute is not supported",
+			minimum: "2.2.0",
+		}
 	}
 
 	retCode := C.seccomp_attr_set(f.filterCtx, attr.toNative(), value)
@@ -296,7 +301,10 @@ func (f *ScmpFilter) addRuleGeneric(call ScmpSyscall, action ScmpAction, exact b
 	} else {
 		// We don't support conditional filtering in library version v2.1
 		if !checkVersionAbove(2, 2, 1) {
-			return fmt.Errorf("conditional filtering requires libseccomp version >= 2.2.1")
+			return VersionError{
+				message: "conditional filtering is not supported",
+				minimum: "2.2.1",
+			}
 		}
 
 		for _, cond := range conds {

vendor/github.com/seccomp/libseccomp-golang/seccomp_test.go

@@ -0,0 +1,509 @@
+// +build linux
+
+// Tests for public API of libseccomp Go bindings
+
+package seccomp
+
+import (
+	"fmt"
+	"syscall"
+	"testing"
+)
+
+// Type Function Tests
+
+type versionErrorTest struct {
+	err VersionError
+	str string
+}
+
+var versionStr = fmt.Sprintf("%d.%d.%d", verMajor, verMinor, verMicro)
+
+var versionErrorTests = []versionErrorTest{
+	{
+		VersionError{
+			"deadbeef",
+			"x.y.z",
+		},
+		"Libseccomp version too low: deadbeef: " +
+			"minimum supported is x.y.z: detected " + versionStr,
+	},
+	{
+		VersionError{
+			"",
+			"x.y.z",
+		},
+		"Libseccomp version too low: minimum supported is x.y.z: " +
+			"detected " + versionStr,
+	},
+	{
+		VersionError{
+			"deadbeef",
+			"",
+		},
+		"Libseccomp version too low: " +
+			"deadbeef: minimum supported is 2.1.0: " +
+			"detected " + versionStr,
+	},
+	{
+		VersionError{
+			"",
+			"",
+		},
+		"Libseccomp version too low: minimum supported is 2.1.0: " +
+			"detected " + versionStr,
+	},
+}
+
+func TestVersionError(t *testing.T) {
+	for i, test := range versionErrorTests {
+		str := test.err.Error()
+		if str != test.str {
+			t.Errorf("VersionError %d: got %q: expected %q", i, str, test.str)
+		}
+	}
+}
+
+func TestActionSetReturnCode(t *testing.T) {
+	if ActInvalid.SetReturnCode(0x0010) != ActInvalid {
+		t.Errorf("Able to set a return code on invalid action!")
+	}
+
+	codeSet := ActErrno.SetReturnCode(0x0001)
+	if codeSet == ActErrno || codeSet.GetReturnCode() != 0x0001 {
+		t.Errorf("Could not set return code on ActErrno")
+	}
+}
+
+func TestSyscallGetName(t *testing.T) {
+	call1 := ScmpSyscall(0x1)
+	callFail := ScmpSyscall(0x999)
+
+	name, err := call1.GetName()
+	if err != nil {
+		t.Errorf("Error getting syscall name for number 0x1")
+	} else if len(name) == 0 {
+		t.Errorf("Empty name returned for syscall 0x1")
+	}
+	fmt.Printf("Got name of syscall 0x1 on native arch as %s\n", name)
+
+	_, err = callFail.GetName()
+	if err == nil {
+		t.Errorf("Getting nonexistant syscall should error!")
+	}
+}
+
+func TestSyscallGetNameByArch(t *testing.T) {
+	call1 := ScmpSyscall(0x1)
+	callInvalid := ScmpSyscall(0x999)
+	archGood := ArchAMD64
+	archBad := ArchInvalid
+
+	name, err := call1.GetNameByArch(archGood)
+	if err != nil {
+		t.Errorf("Error getting syscall name for number 0x1 and arch AMD64")
+	} else if name != "write" {
+		t.Errorf("Got incorrect name for syscall 0x1 - expected write, got %s", name)
+	}
+
+	_, err = call1.GetNameByArch(archBad)
+	if err == nil {
+		t.Errorf("Bad architecture GetNameByArch() should error!")
+	}
+
+	_, err = callInvalid.GetNameByArch(archGood)
+	if err == nil {
+		t.Errorf("Bad syscall GetNameByArch() should error!")
+	}
+
+	_, err = callInvalid.GetNameByArch(archBad)
+	if err == nil {
+		t.Errorf("Bad syscall and bad arch GetNameByArch() should error!")
+	}
+}
+
+func TestGetSyscallFromName(t *testing.T) {
+	name1 := "write"
+	nameInval := "NOTASYSCALL"
+
+	syscall, err := GetSyscallFromName(name1)
+	if err != nil {
+		t.Errorf("Error getting syscall number of write: %s", err)
+	}
+	fmt.Printf("Got syscall number of write on native arch as %d\n", syscall)
+
+	_, err = GetSyscallFromName(nameInval)
+	if err == nil {
+		t.Errorf("Getting an invalid syscall should error!")
+	}
+}
+
+func TestGetSyscallFromNameByArch(t *testing.T) {
+	name1 := "write"
+	nameInval := "NOTASYSCALL"
+	arch1 := ArchAMD64
+	archInval := ArchInvalid
+
+	syscall, err := GetSyscallFromNameByArch(name1, arch1)
+	if err != nil {
+		t.Errorf("Error getting syscall number of write on AMD64: %s", err)
+	}
+	fmt.Printf("Got syscall number of write on AMD64 as %d\n", syscall)
+
+	_, err = GetSyscallFromNameByArch(nameInval, arch1)
+	if err == nil {
+		t.Errorf("Getting invalid syscall with valid arch should error")
+	}
+
+	_, err = GetSyscallFromNameByArch(name1, archInval)
+	if err == nil {
+		t.Errorf("Getting valid syscall for invalid arch should error")
+	}
+
+	_, err = GetSyscallFromNameByArch(nameInval, archInval)
+	if err == nil {
+		t.Errorf("Getting invalid syscall for invalid arch should error")
+	}
+}
+
+func TestMakeCondition(t *testing.T) {
+	condition, err := MakeCondition(3, CompareNotEqual, 0x10)
+	if err != nil {
+		t.Errorf("Error making condition struct: %s", err)
+	} else if condition.Argument != 3 || condition.Operand1 != 0x10 ||
+		condition.Operand2 != 0 || condition.Op != CompareNotEqual {
+		t.Errorf("Condition struct was filled incorrectly")
+	}
+
+	condition, err = MakeCondition(3, CompareMaskedEqual, 0x10, 0x20)
+	if err != nil {
+		t.Errorf("Error making condition struct: %s", err)
+	} else if condition.Argument != 3 || condition.Operand1 != 0x10 ||
+		condition.Operand2 != 0x20 || condition.Op != CompareMaskedEqual {
+		t.Errorf("Condition struct was filled incorrectly")
+	}
+
+	_, err = MakeCondition(7, CompareNotEqual, 0x10)
+	if err == nil {
+		t.Errorf("Condition struct with bad syscall argument number should error")
+	}
+
+	_, err = MakeCondition(3, CompareInvalid, 0x10)
+	if err == nil {
+		t.Errorf("Condition struct with bad comparison operator should error")
+	}
+
+	_, err = MakeCondition(3, CompareMaskedEqual, 0x10, 0x20, 0x30)
+	if err == nil {
+		t.Errorf("MakeCondition with more than 2 arguments should fail")
+	}
+
+	_, err = MakeCondition(3, CompareMaskedEqual)
+	if err == nil {
+		t.Errorf("MakeCondition with no arguments should fail")
+	}
+}
+
+// Utility Function Tests
+
+func TestGetNativeArch(t *testing.T) {
+	arch, err := GetNativeArch()
+	if err != nil {
+		t.Errorf("GetNativeArch should not error!")
+	}
+	fmt.Printf("Got native arch of system as %s\n", arch.String())
+}
+
+// Filter Tests
+
+func TestFilterCreateRelease(t *testing.T) {
+	_, err := NewFilter(ActInvalid)
+	if err == nil {
+		t.Errorf("Can create filter with invalid action")
+	}
+
+	filter, err := NewFilter(ActKill)
+	if err != nil {
+		t.Errorf("Error creating filter: %s", err)
+	}
+
+	if !filter.IsValid() {
+		t.Errorf("Filter created by NewFilter was not valid")
+	}
+
+	filter.Release()
+
+	if filter.IsValid() {
+		t.Errorf("Filter is valid after being released")
+	}
+}
+
+func TestFilterReset(t *testing.T) {
+	filter, err := NewFilter(ActKill)
+	if err != nil {
+		t.Errorf("Error creating filter: %s", err)
+	}
+	defer filter.Release()
+
+	// Ensure the default action is ActKill
+	action, err := filter.GetDefaultAction()
+	if err != nil {
+		t.Errorf("Error getting default action of filter")
+	} else if action != ActKill {
+		t.Errorf("Default action of filter was set incorrectly!")
+	}
+
+	// Reset with a different default action
+	err = filter.Reset(ActAllow)
+	if err != nil {
+		t.Errorf("Error resetting filter!")
+	}
+
+	valid := filter.IsValid()
+	if !valid {
+		t.Errorf("Filter is no longer valid after reset!")
+	}
+
+	// The default action should no longer be ActKill
+	action, err = filter.GetDefaultAction()
+	if err != nil {
+		t.Errorf("Error getting default action of filter")
+	} else if action != ActAllow {
+		t.Errorf("Default action of filter was set incorrectly!")
+	}
+}
+
+func TestFilterArchFunctions(t *testing.T) {
+	filter, err := NewFilter(ActKill)
+	if err != nil {
+		t.Errorf("Error creating filter: %s", err)
+	}
+	defer filter.Release()
+
+	arch, err := GetNativeArch()
+	if err != nil {
+		t.Errorf("Error getting native architecture: %s", err)
+	}
+
+	present, err := filter.IsArchPresent(arch)
+	if err != nil {
+		t.Errorf("Error retrieving arch from filter: %s", err)
+	} else if !present {
+		t.Errorf("Filter does not contain native architecture by default")
+	}
+
+	// Adding the native arch again should succeed, as it's already present
+	err = filter.AddArch(arch)
+	if err != nil {
+		t.Errorf("Adding arch to filter already containing it should succeed")
+	}
+
+	// Make sure we don't add the native arch again
+	prospectiveArch := ArchX86
+	if arch == ArchX86 {
+		prospectiveArch = ArchAMD64
+	}
+
+	// Check to make sure this other arch isn't in the filter
+	present, err = filter.IsArchPresent(prospectiveArch)
+	if err != nil {
+		t.Errorf("Error retrieving arch from filter: %s", err)
+	} else if present {
+		t.Errorf("Arch not added to filter is present")
+	}
+
+	// Try removing the nonexistant arch - should succeed
+	err = filter.RemoveArch(prospectiveArch)
+	if err != nil {
+		t.Errorf("Error removing nonexistant arch: %s", err)
+	}
+
+	// Add an arch, see if it's in the filter
+	err = filter.AddArch(prospectiveArch)
+	if err != nil {
+		t.Errorf("Could not add arch %s to filter: %s",
+			prospectiveArch.String(), err)
+	}
+
+	present, err = filter.IsArchPresent(prospectiveArch)
+	if err != nil {
+		t.Errorf("Error retrieving arch from filter: %s", err)
+	} else if !present {
+		t.Errorf("Filter does not contain architecture %s after it was added",
+			prospectiveArch.String())
+	}
+
+	// Remove the arch again, make sure it's not in the filter
+	err = filter.RemoveArch(prospectiveArch)
+	if err != nil {
+		t.Errorf("Could not remove arch %s from filter: %s",
+			prospectiveArch.String(), err)
+	}
+
+	present, err = filter.IsArchPresent(prospectiveArch)
+	if err != nil {
+		t.Errorf("Error retrieving arch from filter: %s", err)
+	} else if present {
+		t.Errorf("Filter contains architecture %s after it was removed",
+			prospectiveArch.String())
+	}
+}
+
+func TestFilterAttributeGettersAndSetters(t *testing.T) {
+	filter, err := NewFilter(ActKill)
+	if err != nil {
+		t.Errorf("Error creating filter: %s", err)
+	}
+	defer filter.Release()
+
+	act, err := filter.GetDefaultAction()
+	if err != nil {
+		t.Errorf("Error getting default action: %s", err)
+	} else if act != ActKill {
+		t.Errorf("Default action was set incorrectly")
+	}
+
+	err = filter.SetBadArchAction(ActAllow)
+	if err != nil {
+		t.Errorf("Error setting bad arch action: %s", err)
+	}
+
+	act, err = filter.GetBadArchAction()
+	if err != nil {
+		t.Errorf("Error getting bad arch action")
+	} else if act != ActAllow {
+		t.Errorf("Bad arch action was not set correcly!")
+	}
+
+	err = filter.SetNoNewPrivsBit(false)
+	if err != nil {
+		t.Errorf("Error setting no new privileges bit")
+	}
+
+	privs, err := filter.GetNoNewPrivsBit()
+	if err != nil {
+		t.Errorf("Error getting no new privileges bit!")
+	} else if privs != false {
+		t.Errorf("No new privileges bit was not set correctly")
+	}
+
+	err = filter.SetBadArchAction(ActInvalid)
+	if err == nil {
+		t.Errorf("Setting bad arch action to an invalid action should error")
+	}
+}
+
+func TestMergeFilters(t *testing.T) {
+	filter1, err := NewFilter(ActAllow)
+	if err != nil {
+		t.Errorf("Error creating filter: %s", err)
+	}
+
+	filter2, err := NewFilter(ActAllow)
+	if err != nil {
+		t.Errorf("Error creating filter: %s", err)
+	}
+
+	// Need to remove the native arch and add another to the second filter
+	// Filters must NOT share architectures to be successfully merged
+	nativeArch, err := GetNativeArch()
+	if err != nil {
+		t.Errorf("Error getting native arch: %s", err)
+	}
+
+	prospectiveArch := ArchAMD64
+	if nativeArch == ArchAMD64 {
+		prospectiveArch = ArchX86
+	}
+
+	err = filter2.AddArch(prospectiveArch)
+	if err != nil {
+		t.Errorf("Error adding architecture to filter: %s", err)
+	}
+
+	err = filter2.RemoveArch(nativeArch)
+	if err != nil {
+		t.Errorf("Error removing architecture from filter: %s", err)
+	}
+
+	err = filter1.Merge(filter2)
+	if err != nil {
+		t.Errorf("Error merging filters: %s", err)
+	}
+
+	if filter2.IsValid() {
+		t.Errorf("Source filter should not be valid after merging")
+	}
+
+	filter3, err := NewFilter(ActKill)
+	if err != nil {
+		t.Errorf("Error creating filter: %s", err)
+	}
+	defer filter3.Release()
+
+	err = filter1.Merge(filter3)
+	if err == nil {
+		t.Errorf("Attributes should have to match to merge filters")
+	}
+}
+
+func TestRuleAddAndLoad(t *testing.T) {
+	// Test #1: Add a trivial filter
+	filter1, err := NewFilter(ActAllow)
+	if err != nil {
+		t.Errorf("Error creating filter: %s", err)
+	}
+	defer filter1.Release()
+
+	call, err := GetSyscallFromName("getpid")
+	if err != nil {
+		t.Errorf("Error getting syscall number of getpid: %s", err)
+	}
+
+	call2, err := GetSyscallFromName("setreuid")
+	if err != nil {
+		t.Errorf("Error getting syscall number of setreuid: %s", err)
+	}
+
+	uid := syscall.Getuid()
+	euid := syscall.Geteuid()
+
+	err = filter1.AddRule(call, ActErrno.SetReturnCode(0x1))
+	if err != nil {
+		t.Errorf("Error adding rule to restrict syscall: %s", err)
+	}
+
+	cond, err := MakeCondition(1, CompareEqual, uint64(euid))
+	if err != nil {
+		t.Errorf("Error making rule to restrict syscall: %s", err)
+	}
+
+	cond2, err := MakeCondition(0, CompareEqual, uint64(uid))
+	if err != nil {
+		t.Errorf("Error making rule to restrict syscall: %s", err)
+	}
+
+	conditions := []ScmpCondition{cond, cond2}
+
+	err = filter1.AddRuleConditional(call2, ActErrno.SetReturnCode(0x2), conditions)
+	if err != nil {
+		t.Errorf("Error adding conditional rule: %s", err)
+	}
+
+	err = filter1.Load()
+	if err != nil {
+		t.Errorf("Error loading filter: %s", err)
+	}
+
+	// Try making a simple syscall, it should error
+	pid := syscall.Getpid()
+	if pid != -1 {
+		t.Errorf("Syscall should have returned error code!")
+	}
+
+	// Try making a Geteuid syscall that should normally succeed
+	err = syscall.Setreuid(uid, euid)
+	if err != syscall.Errno(2) {
+		t.Errorf("Syscall should have returned error code!")
+	}
+}