internal/rosa/gtk: glib 2.87.5 to 2.88.0

Signed-off-by: Ophestra <cat@gensokyo.uk>
internal/rosa: strace artifact
2026-03-17 20:58:39 +09:00 · 2026-03-17 20:40:17 +09:00 · 2026-03-17 20:09:44 +09:00 · 2026-03-17 17:04:06 +09:00 · 2026-03-17 16:09:14 +09:00 · 2026-03-17 15:56:36 +09:00
250 changed files with 4858 additions and 6136 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -27,10 +27,6 @@ go.work.sum

 # go generate
 /cmd/hakurei/LICENSE
-/cmd/pkgserver/.sass-cache
-/cmd/pkgserver/ui/static/*.js
-/cmd/pkgserver/ui/static/*.css*
-/cmd/pkgserver/ui/static/*.css.map
 /internal/pkg/testdata/testtool
 /internal/rosa/hakurei_current.tar.gz

--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
 <p align="center">
-  <a href="https://git.gensokyo.uk/security/hakurei">
+  <a href="https://git.gensokyo.uk/rosa/hakurei">
    <picture>
      <img src="https://basement.gensokyo.uk/images/yukari1.png" width="200px" alt="Yukari">
    </picture>
@@ -8,16 +8,16 @@

 <p align="center">
  <a href="https://pkg.go.dev/hakurei.app"><img src="https://pkg.go.dev/badge/hakurei.app.svg" alt="Go Reference" /></a>
-  <a href="https://git.gensokyo.uk/security/hakurei/actions"><img src="https://git.gensokyo.uk/security/hakurei/actions/workflows/test.yml/badge.svg?branch=staging&style=flat-square" alt="Gitea Workflow Status" /></a>
+  <a href="https://git.gensokyo.uk/rosa/hakurei/actions"><img src="https://git.gensokyo.uk/rosa/hakurei/actions/workflows/test.yml/badge.svg?branch=staging&style=flat-square" alt="Gitea Workflow Status" /></a>
  <br/>
-  <a href="https://git.gensokyo.uk/security/hakurei/releases"><img src="https://img.shields.io/gitea/v/release/security/hakurei?gitea_url=https%3A%2F%2Fgit.gensokyo.uk&color=purple" alt="Release" /></a>
+  <a href="https://git.gensokyo.uk/rosa/hakurei/releases"><img src="https://img.shields.io/gitea/v/release/rosa/hakurei?gitea_url=https%3A%2F%2Fgit.gensokyo.uk&color=purple" alt="Release" /></a>
  <a href="https://goreportcard.com/report/hakurei.app"><img src="https://goreportcard.com/badge/hakurei.app" alt="Go Report Card" /></a>
  <a href="https://hakurei.app"><img src="https://img.shields.io/website?url=https%3A%2F%2Fhakurei.app" alt="Website" /></a>
 </p>

 Hakurei is a tool for running sandboxed desktop applications as dedicated
 subordinate users on the Linux kernel. It implements the application container
-of [planterette (WIP)](https://git.gensokyo.uk/security/planterette), a
+of [planterette (WIP)](https://git.gensokyo.uk/rosa/planterette), a
 self-contained Android-like package manager with modern security features.

 Interaction with hakurei happens entirely through structures described by
@@ -62,4 +62,4 @@ are very likely to be rejected.
 ## NixOS Module (deprecated)

 The NixOS module is in maintenance mode and will be removed once planterette is
-feature-complete. Full module documentation can be found [here](options.md).
+feature-complete. Full module documentation can be found [here](options.md).
--- a/container/check/absolute.go
+++ b/container/check/absolute.go
--- a/container/check/absolute_test.go
+++ b/container/check/absolute_test.go
@@ -11,12 +11,12 @@ import (
 	"testing"
 	_ "unsafe" // for go:linkname

-	. "hakurei.app/container/check"
+	. "hakurei.app/check"
 )

 // unsafeAbs returns check.Absolute on any string value.
 //
-//go:linkname unsafeAbs hakurei.app/container/check.unsafeAbs
+//go:linkname unsafeAbs hakurei.app/check.unsafeAbs
 func unsafeAbs(pathname string) *Absolute

 func TestAbsoluteError(t *testing.T) {
--- a/container/check/overlay.go
+++ b/container/check/overlay.go
--- a/container/check/overlay_test.go
+++ b/container/check/overlay_test.go
@@ -3,7 +3,7 @@ package check_test
 import (
 	"testing"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 )

 func TestEscapeOverlayDataSegment(t *testing.T) {
--- a/cmd/earlyinit/main.go
+++ b/cmd/earlyinit/main.go
@@ -4,6 +4,7 @@ import (
 	"log"
 	"os"
 	"runtime"
+	"strings"
 	. "syscall"
 )

@@ -12,6 +13,22 @@ func main() {
 	log.SetFlags(0)
 	log.SetPrefix("earlyinit: ")

+	var (
+		option map[string]string
+		flags  []string
+	)
+	if len(os.Args) > 1 {
+		option = make(map[string]string)
+		for _, s := range os.Args[1:] {
+			key, value, ok := strings.Cut(s, "=")
+			if !ok {
+				flags = append(flags, s)
+				continue
+			}
+			option[key] = value
+		}
+	}
+
 	if err := Mount(
 		"devtmpfs",
 		"/dev/",
@@ -55,4 +72,56 @@ func main() {
 		}
 	}

+	// staying in rootfs, these are no longer used
+	must(os.Remove("/root"))
+	must(os.Remove("/init"))
+
+	must(os.Mkdir("/proc", 0))
+	mustSyscall("mount proc", Mount(
+		"proc",
+		"/proc",
+		"proc",
+		MS_NOSUID|MS_NOEXEC|MS_NODEV,
+		"hidepid=1",
+	))
+
+	must(os.Mkdir("/sys", 0))
+	mustSyscall("mount sysfs", Mount(
+		"sysfs",
+		"/sys",
+		"sysfs",
+		0,
+		"",
+	))
+
+	// after top level has been set up
+	mustSyscall("remount root", Mount(
+		"",
+		"/",
+		"",
+		MS_REMOUNT|MS_BIND|
+			MS_RDONLY|MS_NODEV|MS_NOSUID|MS_NOEXEC,
+		"",
+	))
+
+	must(os.WriteFile(
+		"/sys/module/firmware_class/parameters/path",
+		[]byte("/system/lib/firmware"),
+		0,
+	))
+
+}
+
+// mustSyscall calls [log.Fatalln] if err is non-nil.
+func mustSyscall(action string, err error) {
+	if err != nil {
+		log.Fatalln("cannot "+action+":", err)
+	}
+}
+
+// must calls [log.Fatal] with err if it is non-nil.
+func must(err error) {
+	if err != nil {
+		log.Fatal(err)
+	}
 }
--- a/cmd/hakurei/command.go
+++ b/cmd/hakurei/command.go
@@ -13,10 +13,10 @@ import (
 	"time"
 	_ "unsafe" // for go:linkname

+	"hakurei.app/check"
 	"hakurei.app/command"
-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
-	"hakurei.app/container/std"
+	"hakurei.app/ext"
+	"hakurei.app/fhs"
 	"hakurei.app/hst"
 	"hakurei.app/internal/dbus"
 	"hakurei.app/internal/env"
@@ -186,7 +186,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 			); err != nil {
 				log.Fatal(err)
 			}
-			config.SchedPriority = std.Int(flagSchedPriority)
+			config.SchedPriority = ext.Int(flagSchedPriority)

 			// bind GPU stuff
 			if et&(hst.EX11|hst.EWayland) != 0 {
--- a/cmd/hakurei/json_test.go
+++ b/cmd/hakurei/json_test.go
@@ -5,7 +5,7 @@ import (
 	"strings"
 	"testing"

-	"hakurei.app/container/stub"
+	"hakurei.app/internal/stub"
 )

 func TestDecodeJSON(t *testing.T) {
--- a/cmd/hakurei/main.go
+++ b/cmd/hakurei/main.go
@@ -13,6 +13,7 @@ import (
 	"syscall"

 	"hakurei.app/container"
+	"hakurei.app/ext"
 	"hakurei.app/message"
 )

@@ -35,8 +36,8 @@ func main() {
 	msg := message.New(log.Default())

 	early := earlyHardeningErrs{
-		yamaLSM:  container.SetPtracer(0),
-		dumpable: container.SetDumpable(container.SUID_DUMP_DISABLE),
+		yamaLSM:  ext.SetPtracer(0),
+		dumpable: ext.SetDumpable(ext.SUID_DUMP_DISABLE),
 	}

 	if os.Geteuid() == 0 {
--- a/cmd/hakurei/parse_test.go
+++ b/cmd/hakurei/parse_test.go
@@ -6,7 +6,7 @@ import (
 	"testing"
 	"time"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 	"hakurei.app/hst"
 	"hakurei.app/internal/store"
 	"hakurei.app/message"
--- a/cmd/hakurei/print_test.go
+++ b/cmd/hakurei/print_test.go
@@ -7,7 +7,7 @@ import (
 	"testing"
 	"time"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 	"hakurei.app/hst"
 	"hakurei.app/internal/store"
 	"hakurei.app/message"
--- a/cmd/mbf/main.go
+++ b/cmd/mbf/main.go
@@ -18,12 +18,13 @@ import (
 	"time"
 	"unique"

+	"hakurei.app/check"
 	"hakurei.app/command"
 	"hakurei.app/container"
-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
+	"hakurei.app/ext"
+	"hakurei.app/fhs"
 	"hakurei.app/internal/pkg"
 	"hakurei.app/internal/rosa"
 	"hakurei.app/message"
@@ -271,7 +272,7 @@ func main() {
 				return errors.New("report requires 1 argument")
 			}

-			if container.Isatty(int(w.Fd())) {
+			if ext.Isatty(int(w.Fd())) {
 				return errors.New("output appears to be a terminal")
 			}
 			return rosa.WriteReport(msg, w, cache)
--- a/cmd/pkgserver/api.go
+++ b/cmd/pkgserver/api.go
@@ -1,176 +0,0 @@
-package main
-
-import (
-	"encoding/json"
-	"log"
-	"net/http"
-	"net/url"
-	"path"
-	"strconv"
-	"sync"
-
-	"hakurei.app/internal/info"
-	"hakurei.app/internal/rosa"
-)
-
-// for lazy initialisation of serveInfo
-var (
-	infoPayload struct {
-		// Current package count.
-		Count int `json:"count"`
-		// Hakurei version, set at link time.
-		HakureiVersion string `json:"hakurei_version"`
-	}
-	infoPayloadOnce sync.Once
-)
-
-// handleInfo writes constant system information.
-func handleInfo(w http.ResponseWriter, _ *http.Request) {
-	infoPayloadOnce.Do(func() {
-		infoPayload.Count = int(rosa.PresetUnexportedStart)
-		infoPayload.HakureiVersion = info.Version()
-	})
-	// TODO(mae): cache entire response if no additional fields are planned
-	writeAPIPayload(w, infoPayload)
-}
-
-// newStatusHandler returns a [http.HandlerFunc] that offers status files for
-// viewing or download, if available.
-func (index *packageIndex) newStatusHandler(disposition bool) http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		m, ok := index.names[path.Base(r.URL.Path)]
-		if !ok || !m.HasReport {
-			http.NotFound(w, r)
-			return
-		}
-
-		contentType := "text/plain; charset=utf-8"
-		if disposition {
-			contentType = "application/octet-stream"
-
-			// quoting like this is unsound, but okay, because metadata is hardcoded
-			contentDisposition := `attachment; filename="`
-			contentDisposition += m.Name + "-"
-			if m.Version != "" {
-				contentDisposition += m.Version + "-"
-			}
-			contentDisposition += m.ids + `.log"`
-			w.Header().Set("Content-Disposition", contentDisposition)
-		}
-		w.Header().Set("Content-Type", contentType)
-		w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
-		if err := func() (err error) {
-			defer index.handleAccess(&err)()
-			_, err = w.Write(m.status)
-			return
-		}(); err != nil {
-			log.Println(err)
-			http.Error(
-				w, "cannot deliver status, contact maintainers",
-				http.StatusInternalServerError,
-			)
-		}
-	}
-}
-
-// handleGet writes a slice of metadata with specified order.
-func (index *packageIndex) handleGet(w http.ResponseWriter, r *http.Request) {
-	q := r.URL.Query()
-	limit, err := strconv.Atoi(q.Get("limit"))
-	if err != nil || limit > 100 || limit < 1 {
-		http.Error(
-			w, "limit must be an integer between 1 and 100",
-			http.StatusBadRequest,
-		)
-		return
-	}
-	i, err := strconv.Atoi(q.Get("index"))
-	if err != nil || i >= len(index.sorts[0]) || i < 0 {
-		http.Error(
-			w, "index must be an integer between 0 and "+
-				strconv.Itoa(int(rosa.PresetUnexportedStart-1)),
-			http.StatusBadRequest,
-		)
-		return
-	}
-	sort, err := strconv.Atoi(q.Get("sort"))
-	if err != nil || sort >= len(index.sorts) || sort < 0 {
-		http.Error(
-			w, "sort must be an integer between 0 and "+
-				strconv.Itoa(sortOrderEnd),
-			http.StatusBadRequest,
-		)
-		return
-	}
-	values := index.sorts[sort][i:min(i+limit, len(index.sorts[sort]))]
-	writeAPIPayload(w, &struct {
-		Values []*metadata `json:"values"`
-	}{values})
-}
-
-func (index *packageIndex) handleSearch(w http.ResponseWriter, r *http.Request) {
-	q := r.URL.Query()
-	limit, err := strconv.Atoi(q.Get("limit"))
-	if err != nil || limit > 100 || limit < 1 {
-		http.Error(
-			w, "limit must be an integer between 1 and 100",
-			http.StatusBadRequest,
-		)
-		return
-	}
-	i, err := strconv.Atoi(q.Get("index"))
-	if err != nil || i >= len(index.sorts[0]) || i < 0 {
-		http.Error(
-			w, "index must be an integer between 0 and "+
-				strconv.Itoa(int(rosa.PresetUnexportedStart-1)),
-			http.StatusBadRequest,
-		)
-		return
-	}
-	search, err := url.PathUnescape(q.Get("search"))
-	if len(search) > 100 || err != nil {
-		http.Error(
-			w, "search must be a string between 0 and 100 characters long",
-			http.StatusBadRequest,
-		)
-		return
-	}
-	desc := q.Get("desc") == "true"
-	n, res, err := index.performSearchQuery(limit, i, search, desc)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-	}
-	writeAPIPayload(w, &struct {
-		Count   int            `json:"count"`
-		Results []searchResult `json:"results"`
-	}{n, res})
-}
-
-// apiVersion is the name of the current API revision, as part of the pattern.
-const apiVersion = "v1"
-
-// registerAPI registers API handler functions.
-func (index *packageIndex) registerAPI(mux *http.ServeMux) {
-	mux.HandleFunc("GET /api/"+apiVersion+"/info", handleInfo)
-	mux.HandleFunc("GET /api/"+apiVersion+"/get", index.handleGet)
-	mux.HandleFunc("GET /api/"+apiVersion+"/search", index.handleSearch)
-	mux.HandleFunc("GET /api/"+apiVersion+"/status/", index.newStatusHandler(false))
-	mux.HandleFunc("GET /status/", index.newStatusHandler(true))
-}
-
-// writeAPIPayload sets headers common to API responses and encodes payload as
-// JSON for the response body.
-func writeAPIPayload(w http.ResponseWriter, payload any) {
-	w.Header().Set("Content-Type", "application/json; charset=utf-8")
-	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
-	w.Header().Set("Pragma", "no-cache")
-	w.Header().Set("Expires", "0")
-
-	if err := json.NewEncoder(w).Encode(payload); err != nil {
-		log.Println(err)
-		http.Error(
-			w, "cannot encode payload, contact maintainers",
-			http.StatusInternalServerError,
-		)
-	}
-}
--- a/cmd/pkgserver/api_test.go
+++ b/cmd/pkgserver/api_test.go
@@ -1,183 +0,0 @@
-package main
-
-import (
-	"net/http"
-	"net/http/httptest"
-	"slices"
-	"strconv"
-	"testing"
-
-	"hakurei.app/internal/info"
-	"hakurei.app/internal/rosa"
-)
-
-// prefix is prepended to every API path.
-const prefix = "/api/" + apiVersion + "/"
-
-func TestAPIInfo(t *testing.T) {
-	t.Parallel()
-
-	w := httptest.NewRecorder()
-	handleInfo(w, httptest.NewRequestWithContext(
-		t.Context(),
-		http.MethodGet,
-		prefix+"info",
-		nil,
-	))
-
-	resp := w.Result()
-	checkStatus(t, resp, http.StatusOK)
-	checkAPIHeader(t, w.Header())
-
-	checkPayload(t, resp, struct {
-		Count          int    `json:"count"`
-		HakureiVersion string `json:"hakurei_version"`
-	}{int(rosa.PresetUnexportedStart), info.Version()})
-}
-
-func TestAPIGet(t *testing.T) {
-	t.Parallel()
-	const target = prefix + "get"
-
-	index := newIndex(t)
-	newRequest := func(suffix string) *httptest.ResponseRecorder {
-		w := httptest.NewRecorder()
-		index.handleGet(w, httptest.NewRequestWithContext(
-			t.Context(),
-			http.MethodGet,
-			target+suffix,
-			nil,
-		))
-		return w
-	}
-
-	checkValidate := func(t *testing.T, suffix string, vmin, vmax int, wantErr string) {
-		t.Run("invalid", func(t *testing.T) {
-			t.Parallel()
-
-			w := newRequest("?" + suffix + "=invalid")
-			resp := w.Result()
-			checkError(t, resp, wantErr, http.StatusBadRequest)
-		})
-
-		t.Run("min", func(t *testing.T) {
-			t.Parallel()
-
-			w := newRequest("?" + suffix + "=" + strconv.Itoa(vmin-1))
-			resp := w.Result()
-			checkError(t, resp, wantErr, http.StatusBadRequest)
-
-			w = newRequest("?" + suffix + "=" + strconv.Itoa(vmin))
-			resp = w.Result()
-			checkStatus(t, resp, http.StatusOK)
-		})
-
-		t.Run("max", func(t *testing.T) {
-			t.Parallel()
-
-			w := newRequest("?" + suffix + "=" + strconv.Itoa(vmax+1))
-			resp := w.Result()
-			checkError(t, resp, wantErr, http.StatusBadRequest)
-
-			w = newRequest("?" + suffix + "=" + strconv.Itoa(vmax))
-			resp = w.Result()
-			checkStatus(t, resp, http.StatusOK)
-		})
-	}
-
-	t.Run("limit", func(t *testing.T) {
-		t.Parallel()
-		checkValidate(
-			t, "index=0&sort=0&limit", 1, 100,
-			"limit must be an integer between 1 and 100",
-		)
-	})
-
-	t.Run("index", func(t *testing.T) {
-		t.Parallel()
-		checkValidate(
-			t, "limit=1&sort=0&index", 0, int(rosa.PresetUnexportedStart-1),
-			"index must be an integer between 0 and "+strconv.Itoa(int(rosa.PresetUnexportedStart-1)),
-		)
-	})
-
-	t.Run("sort", func(t *testing.T) {
-		t.Parallel()
-		checkValidate(
-			t, "index=0&limit=1&sort", 0, int(sortOrderEnd),
-			"sort must be an integer between 0 and "+strconv.Itoa(int(sortOrderEnd)),
-		)
-	})
-
-	checkWithSuffix := func(name, suffix string, want []*metadata) {
-		t.Run(name, func(t *testing.T) {
-			t.Parallel()
-
-			w := newRequest(suffix)
-			resp := w.Result()
-			checkStatus(t, resp, http.StatusOK)
-			checkAPIHeader(t, w.Header())
-			checkPayloadFunc(t, resp, func(got *struct {
-				Count  int         `json:"count"`
-				Values []*metadata `json:"values"`
-			}) bool {
-				return got.Count == len(want) &&
-					slices.EqualFunc(got.Values, want, func(a, b *metadata) bool {
-						return (a.Version == b.Version ||
-							a.Version == rosa.Unversioned ||
-							b.Version == rosa.Unversioned) &&
-							a.HasReport == b.HasReport &&
-							a.Name == b.Name &&
-							a.Description == b.Description &&
-							a.Website == b.Website
-					})
-			})
-
-		})
-	}
-
-	checkWithSuffix("declarationAscending", "?limit=2&index=0&sort=0", []*metadata{
-		{
-			Metadata: rosa.GetMetadata(0),
-			Version:  rosa.Std.Version(0),
-		},
-		{
-			Metadata: rosa.GetMetadata(1),
-			Version:  rosa.Std.Version(1),
-		},
-	})
-	checkWithSuffix("declarationAscending offset", "?limit=3&index=5&sort=0", []*metadata{
-		{
-			Metadata: rosa.GetMetadata(5),
-			Version:  rosa.Std.Version(5),
-		},
-		{
-			Metadata: rosa.GetMetadata(6),
-			Version:  rosa.Std.Version(6),
-		},
-		{
-			Metadata: rosa.GetMetadata(7),
-			Version:  rosa.Std.Version(7),
-		},
-	})
-	checkWithSuffix("declarationDescending", "?limit=3&index=0&sort=1", []*metadata{
-		{
-			Metadata: rosa.GetMetadata(rosa.PresetUnexportedStart - 1),
-			Version:  rosa.Std.Version(rosa.PresetUnexportedStart - 1),
-		},
-		{
-			Metadata: rosa.GetMetadata(rosa.PresetUnexportedStart - 2),
-			Version:  rosa.Std.Version(rosa.PresetUnexportedStart - 2),
-		},
-		{
-			Metadata: rosa.GetMetadata(rosa.PresetUnexportedStart - 3),
-			Version:  rosa.Std.Version(rosa.PresetUnexportedStart - 3),
-		},
-	})
-	checkWithSuffix("declarationDescending offset", "?limit=1&index=37&sort=1", []*metadata{
-		{
-			Metadata: rosa.GetMetadata(rosa.PresetUnexportedStart - 38),
-			Version:  rosa.Std.Version(rosa.PresetUnexportedStart - 38),
-		},
-	})
-}
--- a/cmd/pkgserver/index.go
+++ b/cmd/pkgserver/index.go
@@ -1,105 +0,0 @@
-package main
-
-import (
-	"cmp"
-	"errors"
-	"slices"
-	"strings"
-
-	"hakurei.app/internal/pkg"
-	"hakurei.app/internal/rosa"
-)
-
-const (
-	declarationAscending = iota
-	declarationDescending
-	nameAscending
-	nameDescending
-	sizeAscending
-	sizeDescending
-
-	sortOrderEnd = iota - 1
-)
-
-// packageIndex refers to metadata by name and various sort orders.
-type packageIndex struct {
-	sorts  [sortOrderEnd + 1][rosa.PresetUnexportedStart]*metadata
-	names  map[string]*metadata
-	search searchCache
-	// Taken from [rosa.Report] if available.
-	handleAccess func(*error) func()
-}
-
-// metadata holds [rosa.Metadata] extended with additional information.
-type metadata struct {
-	p rosa.PArtifact
-	*rosa.Metadata
-
-	// Populated via [rosa.Toolchain.Version], [rosa.Unversioned] is equivalent
-	// to the zero value. Otherwise, the zero value is invalid.
-	Version string `json:"version,omitempty"`
-	// Output data size, available if present in report.
-	Size int64 `json:"size,omitempty"`
-	// Whether the underlying [pkg.Artifact] is present in the report.
-	HasReport bool `json:"report"`
-
-	// Ident string encoded ahead of time.
-	ids string
-	// Backed by [rosa.Report], access must be prepared by HandleAccess.
-	status []byte
-}
-
-// populate deterministically populates packageIndex, optionally with a report.
-func (index *packageIndex) populate(cache *pkg.Cache, report *rosa.Report) (err error) {
-	if report != nil {
-		defer report.HandleAccess(&err)()
-		index.handleAccess = report.HandleAccess
-	}
-
-	var work [rosa.PresetUnexportedStart]*metadata
-	index.names = make(map[string]*metadata)
-	for p := range rosa.PresetUnexportedStart {
-		m := metadata{
-			p: p,
-
-			Metadata: rosa.GetMetadata(p),
-			Version:  rosa.Std.Version(p),
-		}
-		if m.Version == "" {
-			return errors.New("invalid version from " + m.Name)
-		}
-		if m.Version == rosa.Unversioned {
-			m.Version = ""
-		}
-
-		if cache != nil && report != nil {
-			id := cache.Ident(rosa.Std.Load(p))
-			m.ids = pkg.Encode(id.Value())
-			m.status, m.Size = report.ArtifactOf(id)
-			m.HasReport = m.Size >= 0
-		}
-
-		work[p] = &m
-		index.names[m.Name] = &m
-	}
-
-	index.sorts[declarationAscending] = work
-	index.sorts[declarationDescending] = work
-	slices.Reverse(index.sorts[declarationDescending][:])
-
-	index.sorts[nameAscending] = work
-	slices.SortFunc(index.sorts[nameAscending][:], func(a, b *metadata) int {
-		return strings.Compare(a.Name, b.Name)
-	})
-	index.sorts[nameDescending] = index.sorts[nameAscending]
-	slices.Reverse(index.sorts[nameDescending][:])
-
-	index.sorts[sizeAscending] = work
-	slices.SortFunc(index.sorts[sizeAscending][:], func(a, b *metadata) int {
-		return cmp.Compare(a.Size, b.Size)
-	})
-	index.sorts[sizeDescending] = index.sorts[sizeAscending]
-	slices.Reverse(index.sorts[sizeDescending][:])
-
-	return
-}
--- a/cmd/pkgserver/main.go
+++ b/cmd/pkgserver/main.go
@@ -1,114 +0,0 @@
-package main
-
-import (
-	"context"
-	"errors"
-	"log"
-	"net/http"
-	"os"
-	"os/signal"
-	"syscall"
-	"time"
-
-	"hakurei.app/command"
-	"hakurei.app/container/check"
-	"hakurei.app/internal/pkg"
-	"hakurei.app/internal/rosa"
-	"hakurei.app/message"
-)
-
-const shutdownTimeout = 15 * time.Second
-
-func main() {
-	log.SetFlags(0)
-	log.SetPrefix("pkgserver: ")
-
-	var (
-		flagBaseDir string
-		flagAddr    string
-	)
-
-	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGHUP)
-	defer stop()
-	msg := message.New(log.Default())
-
-	c := command.New(os.Stderr, log.Printf, "pkgserver", func(args []string) error {
-		var (
-			cache  *pkg.Cache
-			report *rosa.Report
-		)
-		switch len(args) {
-		case 0:
-			break
-
-		case 1:
-			baseDir, err := check.NewAbs(flagBaseDir)
-			if err != nil {
-				return err
-			}
-
-			cache, err = pkg.Open(ctx, msg, 0, baseDir)
-			if err != nil {
-				return err
-			}
-			defer cache.Close()
-
-			report, err = rosa.OpenReport(args[0])
-			if err != nil {
-				return err
-			}
-
-		default:
-			return errors.New("pkgserver requires 1 argument")
-
-		}
-
-		var index packageIndex
-		index.search = make(searchCache)
-		if err := index.populate(cache, report); err != nil {
-			return err
-		}
-		ticker := time.NewTicker(1 * time.Minute)
-		go func() {
-			for {
-				select {
-				case <-ctx.Done():
-					ticker.Stop()
-					return
-				case <-ticker.C:
-					index.search.clean()
-				}
-			}
-		}()
-		var mux http.ServeMux
-		uiRoutes(&mux)
-		index.registerAPI(&mux)
-		server := http.Server{
-			Addr:    flagAddr,
-			Handler: &mux,
-		}
-		go func() {
-			<-ctx.Done()
-			c, cancel := context.WithTimeout(context.Background(), shutdownTimeout)
-			defer cancel()
-			if err := server.Shutdown(c); err != nil {
-				log.Fatal(err)
-			}
-		}()
-		return server.ListenAndServe()
-	}).Flag(
-		&flagBaseDir,
-		"b", command.StringFlag(""),
-		"base directory for cache",
-	).Flag(
-		&flagAddr,
-		"addr", command.StringFlag(":8067"),
-		"TCP network address to listen on",
-	)
-	c.MustParse(os.Args[1:], func(err error) {
-		if errors.Is(err, http.ErrServerClosed) {
-			os.Exit(0)
-		}
-		log.Fatal(err)
-	})
-}
--- a/cmd/pkgserver/main_test.go
+++ b/cmd/pkgserver/main_test.go
@@ -1,96 +0,0 @@
-package main
-
-import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/http"
-	"reflect"
-	"testing"
-)
-
-// newIndex returns the address of a newly populated packageIndex.
-func newIndex(t *testing.T) *packageIndex {
-	t.Helper()
-
-	var index packageIndex
-	if err := index.populate(nil, nil); err != nil {
-		t.Fatalf("populate: error = %v", err)
-	}
-	return &index
-}
-
-// checkStatus checks response status code.
-func checkStatus(t *testing.T, resp *http.Response, want int) {
-	t.Helper()
-
-	if resp.StatusCode != want {
-		t.Errorf(
-			"StatusCode: %s, want %s",
-			http.StatusText(resp.StatusCode),
-			http.StatusText(want),
-		)
-	}
-}
-
-// checkHeader checks the value of a header entry.
-func checkHeader(t *testing.T, h http.Header, key, want string) {
-	t.Helper()
-
-	if got := h.Get(key); got != want {
-		t.Errorf("%s: %q, want %q", key, got, want)
-	}
-}
-
-// checkAPIHeader checks common entries set for API endpoints.
-func checkAPIHeader(t *testing.T, h http.Header) {
-	t.Helper()
-
-	checkHeader(t, h, "Content-Type", "application/json; charset=utf-8")
-	checkHeader(t, h, "Cache-Control", "no-cache, no-store, must-revalidate")
-	checkHeader(t, h, "Pragma", "no-cache")
-	checkHeader(t, h, "Expires", "0")
-}
-
-// checkPayloadFunc checks the JSON response of an API endpoint by passing it to f.
-func checkPayloadFunc[T any](
-	t *testing.T,
-	resp *http.Response,
-	f func(got *T) bool,
-) {
-	t.Helper()
-
-	var got T
-	r := io.Reader(resp.Body)
-	if testing.Verbose() {
-		var buf bytes.Buffer
-		r = io.TeeReader(r, &buf)
-		defer func() { t.Helper(); t.Log(buf.String()) }()
-	}
-	if err := json.NewDecoder(r).Decode(&got); err != nil {
-		t.Fatalf("Decode: error = %v", err)
-	}
-
-	if !f(&got) {
-		t.Errorf("Body: %#v", got)
-	}
-}
-
-// checkPayload checks the JSON response of an API endpoint.
-func checkPayload[T any](t *testing.T, resp *http.Response, want T) {
-	t.Helper()
-
-	checkPayloadFunc(t, resp, func(got *T) bool {
-		return reflect.DeepEqual(got, &want)
-	})
-}
-
-func checkError(t *testing.T, resp *http.Response, error string, code int) {
-	t.Helper()
-
-	checkStatus(t, resp, code)
-	if got, _ := io.ReadAll(resp.Body); string(got) != fmt.Sprintln(error) {
-		t.Errorf("Body: %q, want %q", string(got), error)
-	}
-}
--- a/cmd/pkgserver/search.go
+++ b/cmd/pkgserver/search.go
@@ -1,77 +0,0 @@
-package main
-
-import (
-	"cmp"
-	"maps"
-	"regexp"
-	"slices"
-	"time"
-)
-
-type searchCache map[string]searchCacheEntry
-type searchResult struct {
-	NameIndices [][]int `json:"name_matches"`
-	DescIndices [][]int `json:"desc_matches,omitempty"`
-	Score       float64 `json:"score"`
-	*metadata
-}
-type searchCacheEntry struct {
-	query   string
-	results []searchResult
-	expiry  time.Time
-}
-
-func (index *packageIndex) performSearchQuery(limit int, i int, search string, desc bool) (int, []searchResult, error) {
-	entry, ok := index.search[search]
-	if ok {
-		return len(entry.results), entry.results[i:min(i+limit, len(entry.results))], nil
-	}
-
-	regex, err := regexp.Compile(search)
-	if err != nil {
-		return 0, make([]searchResult, 0), err
-	}
-	res := make([]searchResult, 0)
-	for p := range maps.Values(index.names) {
-		nameIndices := regex.FindAllIndex([]byte(p.Name), -1)
-		var descIndices [][]int = nil
-		if desc {
-			descIndices = regex.FindAllIndex([]byte(p.Description), -1)
-		}
-		if nameIndices == nil && descIndices == nil {
-			continue
-		}
-		score := float64(indexsum(nameIndices)) / (float64(len(nameIndices)) + 1)
-		if desc {
-			score += float64(indexsum(descIndices)) / (float64(len(descIndices)) + 1) / 10.0
-		}
-		res = append(res, searchResult{
-			NameIndices: nameIndices,
-			DescIndices: descIndices,
-			Score:       score,
-			metadata:    p,
-		})
-	}
-	slices.SortFunc(res[:], func(a, b searchResult) int { return -cmp.Compare(a.Score, b.Score) })
-	expiry := time.Now().Add(1 * time.Minute)
-	entry = searchCacheEntry{
-		query:   search,
-		results: res,
-		expiry:  expiry,
-	}
-	index.search[search] = entry
-
-	return len(res), res[i:min(i+limit, len(entry.results))], nil
-}
-func (s *searchCache) clean() {
-	maps.DeleteFunc(*s, func(_ string, v searchCacheEntry) bool {
-		return v.expiry.Before(time.Now())
-	})
-}
-func indexsum(in [][]int) int {
-	sum := 0
-	for i := 0; i < len(in); i++ {
-		sum += in[i][1] - in[i][0]
-	}
-	return sum
-}
--- a/cmd/pkgserver/ui.go
+++ b/cmd/pkgserver/ui.go
@@ -1,38 +0,0 @@
-package main
-
-import "net/http"
-
-func serveWebUI(w http.ResponseWriter, r *http.Request) {
-	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
-	w.Header().Set("Pragma", "no-cache")
-	w.Header().Set("Expires", "0")
-	w.Header().Set("X-Content-Type-Options", "nosniff")
-	w.Header().Set("X-XSS-Protection", "1")
-	w.Header().Set("X-Frame-Options", "DENY")
-
-	http.ServeFileFS(w, r, content, "ui/index.html")
-}
-func serveStaticContent(w http.ResponseWriter, r *http.Request) {
-	switch r.URL.Path {
-	case "/static/style.css":
-		darkTheme := r.CookiesNamed("dark_theme")
-		if len(darkTheme) > 0 && darkTheme[0].Value == "true" {
-			http.ServeFileFS(w, r, content, "ui/static/dark.css")
-		} else {
-			http.ServeFileFS(w, r, content, "ui/static/light.css")
-		}
-	case "/favicon.ico":
-		http.ServeFileFS(w, r, content, "ui/static/favicon.ico")
-	case "/static/index.js":
-		http.ServeFileFS(w, r, content, "ui/static/index.js")
-	default:
-		http.NotFound(w, r)
-
-	}
-}
-
-func uiRoutes(mux *http.ServeMux) {
-	mux.HandleFunc("GET /{$}", serveWebUI)
-	mux.HandleFunc("GET /favicon.ico", serveStaticContent)
-	mux.HandleFunc("GET /static/", serveStaticContent)
-}
--- a/cmd/pkgserver/ui/index.html
+++ b/cmd/pkgserver/ui/index.html
@@ -1,35 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-    <meta charset="UTF-8">
-    <link rel="stylesheet" href="static/style.css">
-    <title>Hakurei PkgServer</title>
-    <script src="static/index.js"></script>
-</head>
-<body>
-<h1>Hakurei PkgServer</h1>
-
-<table id="pkg-list">
-    <tr><td>Loading...</td></tr>
-</table>
-<p>Showing entries <span id="entry-counter"></span>.</p>
-<span class="bottom-nav"><a href="javascript:prevPage()">&laquo; Previous</a> <span id="page-number">1</span> <a href="javascript:nextPage()">Next &raquo;</a></span>
-<span><label for="count">Entries per page: </label><select name="count" id="count">
-    <option value="10">10</option>
-    <option value="20">20</option>
-    <option value="30">30</option>
-    <option value="50">50</option>
-</select></span>
-<span><label for="sort">Sort by: </label><select name="sort" id="sort">
-    <option value="0">Definition (ascending)</option>
-    <option value="1">Definition (descending)</option>
-    <option value="2">Name (ascending)</option>
-    <option value="3">Name (descending)</option>
-    <option value="4">Size (ascending)</option>
-    <option value="5">Size (descending)</option>
-</select></span>
-</body>
-<footer>
-    <p>&copy;<a href="https://hakurei.app/">Hakurei</a> (<span id="hakurei-version">unknown</span>). Licensed under the MIT license.</p>
-</footer>
-</html>
--- a/cmd/pkgserver/ui/static/_common.scss
+++ b/cmd/pkgserver/ui/static/_common.scss
--- a/cmd/pkgserver/ui/static/dark.scss
+++ b/cmd/pkgserver/ui/static/dark.scss
@@ -1,6 +0,0 @@
-@use 'common';
-
-html {
-  background-color: #2c2c2c;
-  color: ghostwhite;
-}
--- a/cmd/pkgserver/ui/static/favicon.ico
+++ b/cmd/pkgserver/ui/static/favicon.ico
--- a/cmd/pkgserver/ui/static/index.ts
+++ b/cmd/pkgserver/ui/static/index.ts
@@ -1,155 +0,0 @@
-class PackageIndexEntry {
-    name: string
-    size: number | null
-    description: string | null
-    website: string | null
-    version: string | null
-    report:  boolean
-}
-function toHTML(entry: PackageIndexEntry): HTMLTableRowElement {
-    let v = entry.version != null ? `<span>${escapeHtml(entry.version)}</span>` : ""
-    let s = entry.size != null ? `<p>Size: ${toByteSizeString(entry.size)} (${entry.size})</p>` : ""
-    let d = entry.description != null ? `<p>${escapeHtml(entry.description)}</p>` : ""
-    let w = entry.website != null ? `<a href="${encodeURI(entry.website)}">Website</a>` : ""
-    let r = entry.report ? `Log (<a href=\"${encodeURI('/api/v1/status/' + entry.name)}\">View</a> | <a href=\"${encodeURI('/status/' + entry.name)}\">Download</a>)` : ""
-    let row = <HTMLTableRowElement>(document.createElement('tr'))
-    row.innerHTML = `<td>
-            <h2>${escapeHtml(entry.name)} ${v}</h2>
-            ${d}
-            ${s}
-            ${w}
-            ${r}
-        </td>`
-    return row
-}
-
-function toByteSizeString(bytes: number): string {
-    if(bytes == null || bytes < 1024) return `${bytes}B`
-    if(bytes < Math.pow(1024, 2)) return `${(bytes/1024).toFixed(2)}kiB`
-    if(bytes < Math.pow(1024, 3)) return `${(bytes/Math.pow(1024, 2)).toFixed(2)}MiB`
-    if(bytes < Math.pow(1024, 4)) return `${(bytes/Math.pow(1024, 3)).toFixed(2)}GiB`
-    if(bytes < Math.pow(1024, 5)) return `${(bytes/Math.pow(1024, 4)).toFixed(2)}TiB`
-    return "not only is it big, it's large"
-}
-
-const API_VERSION = 1
-const ENDPOINT = `/api/v${API_VERSION}`
-class InfoPayload {
-    count: number
-    hakurei_version: string
-}
-
-async function infoRequest(): Promise<InfoPayload> {
-    const res = await fetch(`${ENDPOINT}/info`)
-    const payload = await res.json()
-    return payload as InfoPayload
-}
-class GetPayload {
-    values: PackageIndexEntry[]
-}
-
-enum SortOrders {
-    DeclarationAscending,
-    DeclarationDescending,
-    NameAscending,
-    NameDescending
-}
-async function getRequest(limit: number, index: number, sort: SortOrders): Promise<GetPayload> {
-    const res = await fetch(`${ENDPOINT}/get?limit=${limit}&index=${index}&sort=${sort.valueOf()}`)
-    const payload = await res.json()
-    return payload as GetPayload
-}
-class State {
-    entriesPerPage: number = 10
-    entryIndex: number = 0
-    maxEntries: number = 0
-    sort: SortOrders = SortOrders.DeclarationAscending
-
-    getEntriesPerPage(): number {
-        return this.entriesPerPage
-    }
-    setEntriesPerPage(entriesPerPage: number) {
-        this.entriesPerPage = entriesPerPage
-        this.setEntryIndex(Math.floor(this.getEntryIndex() / entriesPerPage) * entriesPerPage)
-    }
-    getEntryIndex(): number {
-        return this.entryIndex
-    }
-    setEntryIndex(entryIndex: number) {
-        this.entryIndex = entryIndex
-        this.updatePage()
-        this.updateRange()
-        this.updateListings()
-    }
-    getMaxEntries(): number {
-        return this.maxEntries
-    }
-    setMaxEntries(max: number) {
-        this.maxEntries = max
-    }
-    getSortOrder(): SortOrders {
-        return this.sort
-    }
-    setSortOrder(sortOrder: SortOrders) {
-        this.sort = sortOrder
-        this.setEntryIndex(0)
-    }
-    updatePage() {
-        let page = Math.ceil(((this.getEntryIndex() + this.getEntriesPerPage()) - 1) / this.getEntriesPerPage())
-        document.getElementById("page-number").innerText = String(page)
-    }
-    updateRange() {
-        let max = Math.min(this.getEntryIndex() + this.getEntriesPerPage(), this.getMaxEntries())
-        document.getElementById("entry-counter").innerText = `${this.getEntryIndex() + 1}-${max} of ${this.getMaxEntries()}`
-    }
-    updateListings() {
-        getRequest(this.getEntriesPerPage(), this.getEntryIndex(), this.getSortOrder())
-            .then(res => {
-                let table = document.getElementById("pkg-list")
-                table.innerHTML = ''
-                res.values.forEach((row) => {
-                    table.appendChild(toHTML(row))
-                })
-            })
-    }
-
-}
-
-let STATE: State
-
-function prevPage() {
-    let index = STATE.getEntryIndex()
-    STATE.setEntryIndex(Math.max(0, index - STATE.getEntriesPerPage()))
-}
-function nextPage() {
-    let index = STATE.getEntryIndex()
-    STATE.setEntryIndex(Math.min((Math.ceil(STATE.getMaxEntries() / STATE.getEntriesPerPage()) * STATE.getEntriesPerPage()) - STATE.getEntriesPerPage(), index + STATE.getEntriesPerPage()))
-}
-
-function escapeHtml(str: string): string {
-    if(str === undefined) return ""
-    return str
-        .replace(/&/g, '&amp;')
-        .replace(/</g, '&lt;')
-        .replace(/>/g, '&gt;')
-        .replace(/"/g, '&quot;')
-        .replace(/'/g, '&apos;')
-}
-
-document.addEventListener("DOMContentLoaded", () => {
-    STATE = new State()
-    infoRequest()
-        .then(res => {
-            STATE.setMaxEntries(res.count)
-            document.getElementById("hakurei-version").innerText = res.hakurei_version
-            STATE.updateRange()
-            STATE.updateListings()
-        })
-
-    document.getElementById("count").addEventListener("change", (event) => {
-        STATE.setEntriesPerPage(parseInt((event.target as HTMLSelectElement).value))
-    })
-    document.getElementById("sort").addEventListener("change", (event) => {
-        STATE.setSortOrder(parseInt((event.target as HTMLSelectElement).value))
-    })
-})
--- a/cmd/pkgserver/ui/static/light.scss
+++ b/cmd/pkgserver/ui/static/light.scss
@@ -1,6 +0,0 @@
-@use 'common';
-
-html {
-  background-color: #d3d3d3;
-  color: black;
-}
--- a/cmd/pkgserver/ui/static/tsconfig.json
+++ b/cmd/pkgserver/ui/static/tsconfig.json
@@ -1,5 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "ES2024"
-  }
-}
--- a/cmd/pkgserver/ui_full.go
+++ b/cmd/pkgserver/ui_full.go
@@ -1,9 +0,0 @@
-//go:build frontend
-
-package main
-
-import "embed"
-
-//go:generate sh -c "sass ui/static/dark.scss ui/static/dark.css && sass ui/static/light.scss ui/static/light.css && tsc -p ui/static"
-//go:embed ui/*
-var content embed.FS
--- a/cmd/pkgserver/ui_stub.go
+++ b/cmd/pkgserver/ui_stub.go
@@ -1,7 +0,0 @@
-//go:build !frontend
-
-package main
-
-import "testing/fstest"
-
-var content fstest.MapFS
--- a/cmd/sharefs/fuse.go
+++ b/cmd/sharefs/fuse.go
@@ -31,10 +31,10 @@ import (
 	"syscall"
 	"unsafe"

+	"hakurei.app/check"
 	"hakurei.app/container"
-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
 	"hakurei.app/container/std"
+	"hakurei.app/fhs"
 	"hakurei.app/hst"
 	"hakurei.app/internal/helper/proc"
 	"hakurei.app/internal/info"
--- a/cmd/sharefs/fuse_test.go
+++ b/cmd/sharefs/fuse_test.go
@@ -6,7 +6,7 @@ import (
 	"reflect"
 	"testing"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 )

 func TestParseOpts(t *testing.T) {
--- a/container/autoetc.go
+++ b/container/autoetc.go
@@ -4,8 +4,8 @@ import (
 	"encoding/gob"
 	"fmt"

-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
+	"hakurei.app/check"
+	"hakurei.app/fhs"
 )

 func init() { gob.Register(new(AutoEtcOp)) }
--- a/container/autoetc_test.go
+++ b/container/autoetc_test.go
@@ -5,8 +5,8 @@ import (
 	"os"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 )

 func TestAutoEtcOp(t *testing.T) {
--- a/container/autoroot.go
+++ b/container/autoroot.go
@@ -4,8 +4,8 @@ import (
 	"encoding/gob"
 	"fmt"

-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
+	"hakurei.app/check"
+	"hakurei.app/fhs"
 	"hakurei.app/message"
 )

--- a/container/autoroot_test.go
+++ b/container/autoroot_test.go
@@ -5,9 +5,9 @@ import (
 	"os"
 	"testing"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 	"hakurei.app/container/std"
-	"hakurei.app/container/stub"
+	"hakurei.app/internal/stub"
 	"hakurei.app/message"
 )

--- a/container/capability.go
+++ b/container/capability.go
@@ -3,6 +3,8 @@ package container
 import (
 	"syscall"
 	"unsafe"
+
+	"hakurei.app/ext"
 )

 const (
@@ -51,15 +53,15 @@ func capset(hdrp *capHeader, datap *[2]capData) error {

 // capBoundingSetDrop drops a capability from the calling thread's capability bounding set.
 func capBoundingSetDrop(cap uintptr) error {
-	return Prctl(syscall.PR_CAPBSET_DROP, cap, 0)
+	return ext.Prctl(syscall.PR_CAPBSET_DROP, cap, 0)
 }

 // capAmbientClearAll clears the ambient capability set of the calling thread.
 func capAmbientClearAll() error {
-	return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0)
+	return ext.Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0)
 }

 // capAmbientRaise adds to the ambient capability set of the calling thread.
 func capAmbientRaise(cap uintptr) error {
-	return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap)
+	return ext.Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap)
 }
--- a/container/container.go
+++ b/container/container.go
@@ -16,10 +16,11 @@ import (
 	. "syscall"
 	"time"

-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
+	"hakurei.app/check"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
+	"hakurei.app/ext"
+	"hakurei.app/fhs"
 	"hakurei.app/message"
 )

@@ -41,10 +42,10 @@ type (
 		// Whether to set SchedPolicy and SchedPriority via sched_setscheduler(2).
 		SetScheduler bool
 		// Scheduling policy to set via sched_setscheduler(2).
-		SchedPolicy std.SchedPolicy
+		SchedPolicy ext.SchedPolicy
 		// Scheduling priority to set via sched_setscheduler(2). The zero value
 		// implies the minimum value supported by the current SchedPolicy.
-		SchedPriority std.Int
+		SchedPriority ext.Int
 		// Cgroup fd, nil to disable.
 		Cgroup *int
 		// ExtraFiles passed through to initial process in the container, with
@@ -185,31 +186,24 @@ var (
 	closeOnExecErr  error
 )

-// ensureCloseOnExec ensures all currently open file descriptors have the syscall.FD_CLOEXEC flag set.
-// This is only ran once as it is intended to handle files left open by the parent, and any file opened
-// on this side should already have syscall.FD_CLOEXEC set.
+// ensureCloseOnExec ensures all currently open file descriptors have the
+// syscall.FD_CLOEXEC flag set.
+//
+// This is only ran once as it is intended to handle files left open by the
+// parent, and any file opened on this side should already have
+// syscall.FD_CLOEXEC set.
 func ensureCloseOnExec() error {
-	closeOnExecOnce.Do(func() {
-		const fdPrefixPath = "/proc/self/fd/"
-
-		var entries []os.DirEntry
-		if entries, closeOnExecErr = os.ReadDir(fdPrefixPath); closeOnExecErr != nil {
-			return
-		}
-
-		var fd int
-		for _, ent := range entries {
-			if fd, closeOnExecErr = strconv.Atoi(ent.Name()); closeOnExecErr != nil {
-				break // not reached
-			}
-			CloseOnExec(fd)
-		}
-	})
+	closeOnExecOnce.Do(func() { closeOnExecErr = doCloseOnExec() })

 	if closeOnExecErr == nil {
 		return nil
 	}
-	return &StartError{Fatal: true, Step: "set FD_CLOEXEC on all open files", Err: closeOnExecErr, Passthrough: true}
+	return &StartError{
+		Fatal:       true,
+		Step:        "set FD_CLOEXEC on all open files",
+		Err:         closeOnExecErr,
+		Passthrough: true,
+	}
 }

 // Start starts the container init. The init process blocks until Serve is called.
@@ -378,7 +372,7 @@ func (p *Container) Start() error {
 			// sched_setscheduler: thread-directed but acts on all processes
 			// created from the calling thread
 			if p.SetScheduler {
-				if p.SchedPolicy < 0 || p.SchedPolicy > std.SCHED_LAST {
+				if p.SchedPolicy < 0 || p.SchedPolicy > ext.SCHED_LAST {
 					return &StartError{
 						Fatal: false,
 						Step:  "set scheduling policy",
--- a/container/container_test.go
+++ b/container/container_test.go
@@ -18,16 +18,17 @@ import (
 	"testing"
 	"time"

+	"hakurei.app/check"
 	"hakurei.app/command"
 	"hakurei.app/container"
-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
-	"hakurei.app/container/vfs"
+	"hakurei.app/ext"
+	"hakurei.app/fhs"
 	"hakurei.app/hst"
 	"hakurei.app/ldd"
 	"hakurei.app/message"
+	"hakurei.app/vfs"
 )

 // Note: this package requires cgo, which is unavailable in the Go playground.
@@ -258,7 +259,7 @@ var containerTestCases = []struct {
 		1000, 100, nil, 0, std.PresetExt},
 	{"custom rules", true, true, true, false,
 		emptyOps, emptyMnt,
-		1, 31, []std.NativeRule{{Syscall: std.ScmpSyscall(syscall.SYS_SETUID), Errno: std.ScmpErrno(syscall.EPERM)}}, 0, std.PresetExt},
+		1, 31, []std.NativeRule{{Syscall: ext.SyscallNum(syscall.SYS_SETUID), Errno: std.ScmpErrno(syscall.EPERM)}}, 0, std.PresetExt},

 	{"tmpfs", true, false, false, true,
 		earlyOps(new(container.Ops).
--- a/container/dispatcher.go
+++ b/container/dispatcher.go
@@ -3,6 +3,7 @@ package container
 import (
 	"io"
 	"io/fs"
+	"net"
 	"os"
 	"os/exec"
 	"os/signal"
@@ -12,6 +13,8 @@ import (

 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
+	"hakurei.app/ext"
+	"hakurei.app/internal/netlink"
 	"hakurei.app/message"
 )

@@ -141,8 +144,8 @@ func (k direct) new(f func(k syscallDispatcher)) { go f(k) }

 func (direct) lockOSThread() { runtime.LockOSThread() }

-func (direct) setPtracer(pid uintptr) error       { return SetPtracer(pid) }
-func (direct) setDumpable(dumpable uintptr) error { return SetDumpable(dumpable) }
+func (direct) setPtracer(pid uintptr) error       { return ext.SetPtracer(pid) }
+func (direct) setDumpable(dumpable uintptr) error { return ext.SetDumpable(dumpable) }
 func (direct) setNoNewPrivs() error               { return SetNoNewPrivs() }

 func (direct) lastcap(msg message.Msg) uintptr                 { return LastCap(msg) }
@@ -150,7 +153,7 @@ func (direct) capset(hdrp *capHeader, datap *[2]capData) error { return capset(h
 func (direct) capBoundingSetDrop(cap uintptr) error            { return capBoundingSetDrop(cap) }
 func (direct) capAmbientClearAll() error                       { return capAmbientClearAll() }
 func (direct) capAmbientRaise(cap uintptr) error               { return capAmbientRaise(cap) }
-func (direct) isatty(fd int) bool                              { return Isatty(fd) }
+func (direct) isatty(fd int) bool                              { return ext.Isatty(fd) }
 func (direct) receive(key string, e any, fdp *uintptr) (func() error, error) {
 	return Receive(key, e, fdp)
 }
@@ -167,7 +170,47 @@ func (k direct) mountTmpfs(fsname, target string, flags uintptr, size int, perm
 func (direct) ensureFile(name string, perm, pperm os.FileMode) error {
 	return ensureFile(name, perm, pperm)
 }
-func (direct) mustLoopback(msg message.Msg) { mustLoopback(msg) }
+func (direct) mustLoopback(msg message.Msg) {
+	var lo int
+	if ifi, err := net.InterfaceByName("lo"); err != nil {
+		msg.GetLogger().Fatalln(err)
+	} else {
+		lo = ifi.Index
+	}
+
+	c, err := netlink.DialRoute()
+	if err != nil {
+		msg.GetLogger().Fatalln(err)
+	}
+
+	must := func(err error) {
+		if err == nil {
+			return
+		}
+		if closeErr := c.Close(); closeErr != nil {
+			msg.Verbosef("cannot close RTNETLINK: %v", closeErr)
+		}
+
+		switch err.(type) {
+		case *os.SyscallError:
+			msg.GetLogger().Fatalf("cannot %v", err)
+
+		case syscall.Errno:
+			msg.GetLogger().Fatalf("RTNETLINK answers: %v", err)
+
+		default:
+			msg.GetLogger().Fatalf("RTNETLINK answers with malformed message")
+		}
+	}
+	must(c.SendNewaddrLo(uint32(lo)))
+	must(c.SendIfInfomsg(syscall.RTM_NEWLINK, 0, &syscall.IfInfomsg{
+		Family: syscall.AF_UNSPEC,
+		Index:  int32(lo),
+		Flags:  syscall.IFF_UP,
+		Change: syscall.IFF_UP,
+	}))
+	must(c.Close())
+}

 func (direct) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
 	return seccomp.Load(rules, flags)
--- a/container/dispatcher_test.go
+++ b/container/dispatcher_test.go
@@ -18,7 +18,7 @@ import (

 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
-	"hakurei.app/container/stub"
+	"hakurei.app/internal/stub"
 	"hakurei.app/message"
 )

--- a/container/errors.go
+++ b/container/errors.go
@@ -5,9 +5,9 @@ import (
 	"os"
 	"syscall"

-	"hakurei.app/container/check"
-	"hakurei.app/container/vfs"
+	"hakurei.app/check"
 	"hakurei.app/message"
+	"hakurei.app/vfs"
 )

 // messageFromError returns a printable error message for a supported concrete type.
--- a/container/errors_test.go
+++ b/container/errors_test.go
@@ -8,9 +8,9 @@ import (
 	"syscall"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
-	"hakurei.app/container/vfs"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
+	"hakurei.app/vfs"
 )

 func TestMessageFromError(t *testing.T) {
--- a/container/executable.go
+++ b/container/executable.go
@@ -1,37 +0,0 @@
-package container
-
-import (
-	"fmt"
-	"log"
-	"os"
-	"sync"
-
-	"hakurei.app/message"
-)
-
-var (
-	executable     string
-	executableOnce sync.Once
-)
-
-func copyExecutable(msg message.Msg) {
-	if name, err := os.Executable(); err != nil {
-		m := fmt.Sprintf("cannot read executable path: %v", err)
-		if msg != nil {
-			msg.BeforeExit()
-			msg.GetLogger().Fatal(m)
-		} else {
-			log.Fatal(m)
-		}
-	} else {
-		executable = name
-	}
-}
-
-// MustExecutable calls [os.Executable] and terminates the process on error.
-//
-// Deprecated: This is no longer used and will be removed in 0.4.
-func MustExecutable(msg message.Msg) string {
-	executableOnce.Do(func() { copyExecutable(msg) })
-	return executable
-}
--- a/container/executable_test.go
+++ b/container/executable_test.go
@@ -1,18 +0,0 @@
-package container_test
-
-import (
-	"os"
-	"testing"
-
-	"hakurei.app/container"
-	"hakurei.app/message"
-)
-
-func TestExecutable(t *testing.T) {
-	t.Parallel()
-	for i := 0; i < 16; i++ {
-		if got := container.MustExecutable(message.New(nil)); got != os.Args[0] {
-			t.Errorf("MustExecutable: %q, want %q", got, os.Args[0])
-		}
-	}
-}
--- a/container/init.go
+++ b/container/init.go
@@ -15,8 +15,9 @@ import (
 	. "syscall"
 	"time"

-	"hakurei.app/container/fhs"
 	"hakurei.app/container/seccomp"
+	"hakurei.app/ext"
+	"hakurei.app/fhs"
 	"hakurei.app/message"
 )

@@ -178,7 +179,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	}

 	// write uid/gid map here so parent does not need to set dumpable
-	if err := k.setDumpable(SUID_DUMP_USER); err != nil {
+	if err := k.setDumpable(ext.SUID_DUMP_USER); err != nil {
 		k.fatalf(msg, "cannot set SUID_DUMP_USER: %v", err)
 	}
 	if err := k.writeFile(fhs.Proc+"self/uid_map",
@@ -196,7 +197,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		0); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
-	if err := k.setDumpable(SUID_DUMP_DISABLE); err != nil {
+	if err := k.setDumpable(ext.SUID_DUMP_DISABLE); err != nil {
 		k.fatalf(msg, "cannot set SUID_DUMP_DISABLE: %v", err)
 	}

@@ -290,7 +291,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {

 	{
 		var fd int
-		if err := IgnoringEINTR(func() (err error) {
+		if err := ext.IgnoringEINTR(func() (err error) {
 			fd, err = k.open(fhs.Root, O_DIRECTORY|O_RDONLY, 0)
 			return
 		}); err != nil {
--- a/container/init_test.go
+++ b/container/init_test.go
@@ -7,10 +7,10 @@ import (
 	"testing"
 	"time"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
-	"hakurei.app/container/stub"
+	"hakurei.app/internal/stub"
 )

 func TestInitEntrypoint(t *testing.T) {
--- a/container/initbind.go
+++ b/container/initbind.go
@@ -6,7 +6,7 @@ import (
 	"os"
 	"syscall"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 	"hakurei.app/container/std"
 )

--- a/container/initbind_test.go
+++ b/container/initbind_test.go
@@ -6,9 +6,9 @@ import (
 	"syscall"
 	"testing"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 	"hakurei.app/container/std"
-	"hakurei.app/container/stub"
+	"hakurei.app/internal/stub"
 )

 func TestBindMountOp(t *testing.T) {
--- a/container/initdaemon.go
+++ b/container/initdaemon.go
@@ -12,8 +12,8 @@ import (
 	"syscall"
 	"time"

-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
+	"hakurei.app/check"
+	"hakurei.app/fhs"
 )

 func init() { gob.Register(new(DaemonOp)) }
--- a/container/initdaemon_test.go
+++ b/container/initdaemon_test.go
@@ -4,8 +4,8 @@ import (
 	"os"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 	"hakurei.app/message"
 )

--- a/container/initdev.go
+++ b/container/initdev.go
@@ -6,8 +6,8 @@ import (
 	"path"
 	. "syscall"

-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
+	"hakurei.app/check"
+	"hakurei.app/fhs"
 )

 func init() { gob.Register(new(MountDevOp)) }
--- a/container/initdev_test.go
+++ b/container/initdev_test.go
@@ -4,8 +4,8 @@ import (
 	"os"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 )

 func TestMountDevOp(t *testing.T) {
--- a/container/initmkdir.go
+++ b/container/initmkdir.go
@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"os"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 )

 func init() { gob.Register(new(MkdirOp)) }
--- a/container/initmkdir_test.go
+++ b/container/initmkdir_test.go
@@ -4,8 +4,8 @@ import (
 	"os"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 )

 func TestMkdirOp(t *testing.T) {
--- a/container/initoverlay.go
+++ b/container/initoverlay.go
@@ -6,8 +6,8 @@ import (
 	"slices"
 	"strings"

-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
+	"hakurei.app/check"
+	"hakurei.app/fhs"
 )

 const (
--- a/container/initoverlay_test.go
+++ b/container/initoverlay_test.go
@@ -5,8 +5,8 @@ import (
 	"os"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 )

 func TestMountOverlayOp(t *testing.T) {
--- a/container/initplace.go
+++ b/container/initplace.go
@@ -5,8 +5,8 @@ import (
 	"fmt"
 	"syscall"

-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
+	"hakurei.app/check"
+	"hakurei.app/fhs"
 )

 const (
--- a/container/initplace_test.go
+++ b/container/initplace_test.go
@@ -4,8 +4,8 @@ import (
 	"os"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 )

 func TestTmpfileOp(t *testing.T) {
--- a/container/initproc.go
+++ b/container/initproc.go
@@ -5,7 +5,7 @@ import (
 	"fmt"
 	. "syscall"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 )

 func init() { gob.Register(new(MountProcOp)) }
--- a/container/initproc_test.go
+++ b/container/initproc_test.go
@@ -4,8 +4,8 @@ import (
 	"os"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 )

 func TestMountProcOp(t *testing.T) {
--- a/container/initremount.go
+++ b/container/initremount.go
@@ -4,7 +4,7 @@ import (
 	"encoding/gob"
 	"fmt"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 )

 func init() { gob.Register(new(RemountOp)) }
--- a/container/initremount_test.go
+++ b/container/initremount_test.go
@@ -4,8 +4,8 @@ import (
 	"syscall"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 )

 func TestRemountOp(t *testing.T) {
--- a/container/initsymlink.go
+++ b/container/initsymlink.go
@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"path"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 )

 func init() { gob.Register(new(SymlinkOp)) }
--- a/container/initsymlink_test.go
+++ b/container/initsymlink_test.go
@@ -4,8 +4,8 @@ import (
 	"os"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 )

 func TestSymlinkOp(t *testing.T) {
--- a/container/inittmpfs.go
+++ b/container/inittmpfs.go
@@ -8,7 +8,7 @@ import (
 	"strconv"
 	. "syscall"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 )

 func init() { gob.Register(new(MountTmpfsOp)) }
--- a/container/inittmpfs_test.go
+++ b/container/inittmpfs_test.go
@@ -5,8 +5,8 @@ import (
 	"syscall"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 )

 func TestMountTmpfsOp(t *testing.T) {
--- a/container/landlock.go
+++ b/container/landlock.go
@@ -5,7 +5,7 @@ import (
 	"syscall"
 	"unsafe"

-	"hakurei.app/container/std"
+	"hakurei.app/ext"
 )

 // include/uapi/linux/landlock.h
@@ -223,7 +223,7 @@ func (rulesetAttr *RulesetAttr) Create(flags uintptr) (fd int, err error) {
 	}

 	rulesetFd, _, errno := syscall.Syscall(
-		std.SYS_LANDLOCK_CREATE_RULESET,
+		ext.SYS_LANDLOCK_CREATE_RULESET,
 		pointer, size,
 		flags,
 	)
@@ -247,7 +247,7 @@ func LandlockGetABI() (int, error) {
 // LandlockRestrictSelf applies a loaded ruleset to the calling thread.
 func LandlockRestrictSelf(rulesetFd int, flags uintptr) error {
 	r, _, errno := syscall.Syscall(
-		std.SYS_LANDLOCK_RESTRICT_SELF,
+		ext.SYS_LANDLOCK_RESTRICT_SELF,
 		uintptr(rulesetFd),
 		flags,
 		0,
--- a/container/mount.go
+++ b/container/mount.go
@@ -6,8 +6,9 @@ import (
 	"os"
 	. "syscall"

-	"hakurei.app/container/vfs"
+	"hakurei.app/ext"
 	"hakurei.app/message"
+	"hakurei.app/vfs"
 )

 /*
@@ -115,7 +116,7 @@ func (p *procPaths) remount(msg message.Msg, target string, flags uintptr) error
 	var targetKFinal string
 	{
 		var destFd int
-		if err := IgnoringEINTR(func() (err error) {
+		if err := ext.IgnoringEINTR(func() (err error) {
 			destFd, err = p.k.open(targetFinal, O_PATH|O_CLOEXEC, 0)
 			return
 		}); err != nil {
--- a/container/mount_test.go
+++ b/container/mount_test.go
@@ -5,8 +5,8 @@ import (
 	"syscall"
 	"testing"

-	"hakurei.app/container/stub"
-	"hakurei.app/container/vfs"
+	"hakurei.app/internal/stub"
+	"hakurei.app/vfs"
 )

 func TestBindMount(t *testing.T) {
--- a/container/netlink.go
+++ b/container/netlink.go
@@ -1,269 +0,0 @@
-package container
-
-import (
-	"encoding/binary"
-	"errors"
-	"net"
-	"os"
-	. "syscall"
-	"unsafe"
-
-	"hakurei.app/container/std"
-	"hakurei.app/message"
-)
-
-// rtnetlink represents a NETLINK_ROUTE socket.
-type rtnetlink struct {
-	// Sent as part of rtnetlink messages.
-	pid uint32
-	// AF_NETLINK socket.
-	fd int
-	// Whether the socket is open.
-	ok bool
-	// Message sequence number.
-	seq uint32
-}
-
-// open creates the underlying NETLINK_ROUTE socket.
-func (s *rtnetlink) open() (err error) {
-	if s.ok || s.fd < 0 {
-		return os.ErrInvalid
-	}
-
-	s.pid = uint32(Getpid())
-	if s.fd, err = Socket(
-		AF_NETLINK,
-		SOCK_RAW|SOCK_CLOEXEC,
-		NETLINK_ROUTE,
-	); err != nil {
-		return os.NewSyscallError("socket", err)
-	} else if err = Bind(s.fd, &SockaddrNetlink{
-		Family: AF_NETLINK,
-		Pid:    s.pid,
-	}); err != nil {
-		_ = s.close()
-		return os.NewSyscallError("bind", err)
-	} else {
-		s.ok = true
-		return nil
-	}
-}
-
-// close closes the underlying NETLINK_ROUTE socket.
-func (s *rtnetlink) close() error {
-	if !s.ok {
-		return os.ErrInvalid
-	}
-
-	s.ok = false
-	err := Close(s.fd)
-	s.fd = -1
-	return err
-}
-
-// roundtrip sends a netlink message and handles the reply.
-func (s *rtnetlink) roundtrip(data []byte) error {
-	if !s.ok {
-		return os.ErrInvalid
-	}
-
-	defer func() { s.seq++ }()
-
-	if err := Sendto(s.fd, data, 0, &SockaddrNetlink{
-		Family: AF_NETLINK,
-	}); err != nil {
-		return os.NewSyscallError("sendto", err)
-	}
-	buf := make([]byte, Getpagesize())
-
-done:
-	for {
-		p := buf
-		if n, _, err := Recvfrom(s.fd, p, 0); err != nil {
-			return os.NewSyscallError("recvfrom", err)
-		} else if n < NLMSG_HDRLEN {
-			return errors.ErrUnsupported
-		} else {
-			p = p[:n]
-		}
-
-		if msgs, err := ParseNetlinkMessage(p); err != nil {
-			return err
-		} else {
-			for _, m := range msgs {
-				if m.Header.Seq != s.seq || m.Header.Pid != s.pid {
-					return errors.ErrUnsupported
-				}
-				if m.Header.Type == NLMSG_DONE {
-					break done
-				}
-				if m.Header.Type == NLMSG_ERROR {
-					if len(m.Data) >= 4 {
-						errno := Errno(-std.Int(binary.NativeEndian.Uint32(m.Data)))
-						if errno == 0 {
-							return nil
-						}
-						return errno
-					}
-					return errors.ErrUnsupported
-				}
-			}
-		}
-	}
-
-	return nil
-}
-
-// mustRoundtrip calls roundtrip and terminates via msg for a non-nil error.
-func (s *rtnetlink) mustRoundtrip(msg message.Msg, data []byte) {
-	err := s.roundtrip(data)
-	if err == nil {
-		return
-	}
-	if closeErr := Close(s.fd); closeErr != nil {
-		msg.Verbosef("cannot close: %v", err)
-	}
-
-	switch err.(type) {
-	case *os.SyscallError:
-		msg.GetLogger().Fatalf("cannot %v", err)
-
-	case Errno:
-		msg.GetLogger().Fatalf("RTNETLINK answers: %v", err)
-
-	default:
-		msg.GetLogger().Fatalln("RTNETLINK answers with unexpected message")
-	}
-}
-
-// newaddrLo represents a RTM_NEWADDR message with two addresses.
-type newaddrLo struct {
-	header NlMsghdr
-	data   IfAddrmsg
-
-	r0 RtAttr
-	a0 [4]byte // in_addr
-	r1 RtAttr
-	a1 [4]byte // in_addr
-}
-
-// sizeofNewaddrLo is the expected size of newaddrLo.
-const sizeofNewaddrLo = NLMSG_HDRLEN + SizeofIfAddrmsg + (SizeofRtAttr+4)*2
-
-// newaddrLo returns the address of a populated newaddrLo.
-func (s *rtnetlink) newaddrLo(lo int) *newaddrLo {
-	return &newaddrLo{NlMsghdr{
-		Len:   sizeofNewaddrLo,
-		Type:  RTM_NEWADDR,
-		Flags: NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE | NLM_F_EXCL,
-		Seq:   s.seq,
-		Pid:   s.pid,
-	}, IfAddrmsg{
-		Family:    AF_INET,
-		Prefixlen: 8,
-		Flags:     IFA_F_PERMANENT,
-		Scope:     RT_SCOPE_HOST,
-		Index:     uint32(lo),
-	}, RtAttr{
-		Len:  uint16(SizeofRtAttr + len(newaddrLo{}.a0)),
-		Type: IFA_LOCAL,
-	}, [4]byte{127, 0, 0, 1}, RtAttr{
-		Len:  uint16(SizeofRtAttr + len(newaddrLo{}.a1)),
-		Type: IFA_ADDRESS,
-	}, [4]byte{127, 0, 0, 1}}
-}
-
-func (msg *newaddrLo) toWireFormat() []byte {
-	var buf [sizeofNewaddrLo]byte
-
-	*(*uint32)(unsafe.Pointer(&buf[0:4][0])) = msg.header.Len
-	*(*uint16)(unsafe.Pointer(&buf[4:6][0])) = msg.header.Type
-	*(*uint16)(unsafe.Pointer(&buf[6:8][0])) = msg.header.Flags
-	*(*uint32)(unsafe.Pointer(&buf[8:12][0])) = msg.header.Seq
-	*(*uint32)(unsafe.Pointer(&buf[12:16][0])) = msg.header.Pid
-
-	buf[16] = msg.data.Family
-	buf[17] = msg.data.Prefixlen
-	buf[18] = msg.data.Flags
-	buf[19] = msg.data.Scope
-	*(*uint32)(unsafe.Pointer(&buf[20:24][0])) = msg.data.Index
-
-	*(*uint16)(unsafe.Pointer(&buf[24:26][0])) = msg.r0.Len
-	*(*uint16)(unsafe.Pointer(&buf[26:28][0])) = msg.r0.Type
-	copy(buf[28:32], msg.a0[:])
-	*(*uint16)(unsafe.Pointer(&buf[32:34][0])) = msg.r1.Len
-	*(*uint16)(unsafe.Pointer(&buf[34:36][0])) = msg.r1.Type
-	copy(buf[36:40], msg.a1[:])
-
-	return buf[:]
-}
-
-// newlinkLo represents a RTM_NEWLINK message.
-type newlinkLo struct {
-	header NlMsghdr
-	data   IfInfomsg
-}
-
-// sizeofNewlinkLo is the expected size of newlinkLo.
-const sizeofNewlinkLo = NLMSG_HDRLEN + SizeofIfInfomsg
-
-// newlinkLo returns the address of a populated newlinkLo.
-func (s *rtnetlink) newlinkLo(lo int) *newlinkLo {
-	return &newlinkLo{NlMsghdr{
-		Len:   sizeofNewlinkLo,
-		Type:  RTM_NEWLINK,
-		Flags: NLM_F_REQUEST | NLM_F_ACK,
-		Seq:   s.seq,
-		Pid:   s.pid,
-	}, IfInfomsg{
-		Family: AF_UNSPEC,
-		Index:  int32(lo),
-		Flags:  IFF_UP,
-		Change: IFF_UP,
-	}}
-}
-
-func (msg *newlinkLo) toWireFormat() []byte {
-	var buf [sizeofNewlinkLo]byte
-
-	*(*uint32)(unsafe.Pointer(&buf[0:4][0])) = msg.header.Len
-	*(*uint16)(unsafe.Pointer(&buf[4:6][0])) = msg.header.Type
-	*(*uint16)(unsafe.Pointer(&buf[6:8][0])) = msg.header.Flags
-	*(*uint32)(unsafe.Pointer(&buf[8:12][0])) = msg.header.Seq
-	*(*uint32)(unsafe.Pointer(&buf[12:16][0])) = msg.header.Pid
-
-	buf[16] = msg.data.Family
-	*(*uint16)(unsafe.Pointer(&buf[18:20][0])) = msg.data.Type
-	*(*int32)(unsafe.Pointer(&buf[20:24][0])) = msg.data.Index
-	*(*uint32)(unsafe.Pointer(&buf[24:28][0])) = msg.data.Flags
-	*(*uint32)(unsafe.Pointer(&buf[28:32][0])) = msg.data.Change
-
-	return buf[:]
-}
-
-// mustLoopback creates the loopback address and brings the lo interface up.
-// mustLoopback calls a fatal method of the underlying [log.Logger] of m with a
-// user-facing error message if RTNETLINK behaves unexpectedly.
-func mustLoopback(msg message.Msg) {
-	log := msg.GetLogger()
-
-	var lo int
-	if ifi, err := net.InterfaceByName("lo"); err != nil {
-		log.Fatalln(err)
-	} else {
-		lo = ifi.Index
-	}
-
-	var s rtnetlink
-	if err := s.open(); err != nil {
-		log.Fatalln(err)
-	}
-	defer func() {
-		if err := s.close(); err != nil {
-			msg.Verbosef("cannot close netlink: %v", err)
-		}
-	}()
-
-	s.mustRoundtrip(msg, s.newaddrLo(lo).toWireFormat())
-	s.mustRoundtrip(msg, s.newlinkLo(lo).toWireFormat())
-}
--- a/container/netlink_test.go
+++ b/container/netlink_test.go
@@ -1,72 +0,0 @@
-package container
-
-import (
-	"testing"
-	"unsafe"
-)
-
-func TestSizeof(t *testing.T) {
-	if got := unsafe.Sizeof(newaddrLo{}); got != sizeofNewaddrLo {
-		t.Fatalf("newaddrLo: sizeof = %#x, want %#x", got, sizeofNewaddrLo)
-	}
-
-	if got := unsafe.Sizeof(newlinkLo{}); got != sizeofNewlinkLo {
-		t.Fatalf("newlinkLo: sizeof = %#x, want %#x", got, sizeofNewlinkLo)
-	}
-}
-
-func TestRtnetlinkMessage(t *testing.T) {
-	t.Parallel()
-
-	testCases := []struct {
-		name string
-		msg  interface{ toWireFormat() []byte }
-		want []byte
-	}{
-		{"newaddrLo", (&rtnetlink{pid: 1, seq: 0}).newaddrLo(1), []byte{
-			/* Len   */ 0x28, 0, 0, 0,
-			/* Type  */ 0x14, 0,
-			/* Flags */ 5, 6,
-			/* Seq   */ 0, 0, 0, 0,
-			/* Pid   */ 1, 0, 0, 0,
-
-			/* Family    */ 2,
-			/* Prefixlen */ 8,
-			/* Flags     */ 0x80,
-			/* Scope     */ 0xfe,
-			/* Index     */ 1, 0, 0, 0,
-
-			/* Len     */ 8, 0,
-			/* Type    */ 2, 0,
-			/* in_addr */ 127, 0, 0, 1,
-
-			/* Len     */ 8, 0,
-			/* Type    */ 1, 0,
-			/* in_addr */ 127, 0, 0, 1,
-		}},
-
-		{"newlinkLo", (&rtnetlink{pid: 1, seq: 1}).newlinkLo(1), []byte{
-			/* Len   */ 0x20, 0, 0, 0,
-			/* Type  */ 0x10, 0,
-			/* Flags */ 5, 0,
-			/* Seq   */ 1, 0, 0, 0,
-			/* Pid   */ 1, 0, 0, 0,
-
-			/* Family */ 0,
-			/* pad    */ 0,
-			/* Type   */ 0, 0,
-			/* Index  */ 1, 0, 0, 0,
-			/* Flags  */ 1, 0, 0, 0,
-			/* Change */ 1, 0, 0, 0,
-		}},
-	}
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			if got := tc.msg.toWireFormat(); string(got) != string(tc.want) {
-				t.Fatalf("toWireFormat: %#v, want %#v", got, tc.want)
-			}
-		})
-	}
-}
--- a/container/path.go
+++ b/container/path.go
@@ -9,8 +9,8 @@ import (
 	"strings"
 	"syscall"

-	"hakurei.app/container/fhs"
-	"hakurei.app/container/vfs"
+	"hakurei.app/fhs"
+	"hakurei.app/vfs"
 )

 const (
--- a/container/path_test.go
+++ b/container/path_test.go
@@ -10,8 +10,8 @@ import (
 	"testing"
 	"unsafe"

-	"hakurei.app/container/check"
-	"hakurei.app/container/vfs"
+	"hakurei.app/check"
+	"hakurei.app/vfs"
 )

 func TestToSysroot(t *testing.T) {
--- a/container/seccomp/libseccomp.go
+++ b/container/seccomp/libseccomp.go
@@ -16,6 +16,7 @@ import (
 	"unsafe"

 	"hakurei.app/container/std"
+	"hakurei.app/ext"
 )

 // ErrInvalidRules is returned for a zero-length rules slice.
@@ -219,9 +220,9 @@ const (

 // syscallResolveName resolves a syscall number by name via seccomp_syscall_resolve_name.
 // This function is only for testing the lookup tables and included here for convenience.
-func syscallResolveName(s string) (num std.ScmpSyscall, ok bool) {
+func syscallResolveName(s string) (num ext.SyscallNum, ok bool) {
 	v := C.CString(s)
-	num = std.ScmpSyscall(C.seccomp_syscall_resolve_name(v))
+	num = ext.SyscallNum(C.seccomp_syscall_resolve_name(v))
 	C.free(unsafe.Pointer(v))
 	ok = num != C.__NR_SCMP_ERROR
 	return
--- a/container/seccomp/presets.go
+++ b/container/seccomp/presets.go
@@ -6,6 +6,7 @@ import (
 	. "syscall"

 	. "hakurei.app/container/std"
+	. "hakurei.app/ext"
 )

 func Preset(presets FilterPreset, flags ExportFlag) (rules []NativeRule) {
--- a/container/seccomp/std_test.go
+++ b/container/seccomp/std_test.go
@@ -6,12 +6,13 @@ import (
 	"unsafe"

 	"hakurei.app/container/std"
+	"hakurei.app/ext"
 )

 func TestSyscallResolveName(t *testing.T) {
 	t.Parallel()

-	for name, want := range std.Syscalls() {
+	for name, want := range ext.Syscalls() {
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()

@@ -24,8 +25,10 @@ func TestSyscallResolveName(t *testing.T) {
 }

 func TestRuleType(t *testing.T) {
-	assertKind[std.Uint, scmpUint](t)
-	assertKind[std.Int, scmpInt](t)
+	assertKind[ext.Uint, scmpUint](t)
+	assertOverflow(t, ext.Uint(ext.MaxUint))
+	assertKind[ext.Int, scmpInt](t)
+	assertOverflow(t, ext.Int(ext.MaxInt))

 	assertSize[std.NativeRule, syscallRule](t)
 	assertKind[std.ScmpDatum, scmpDatum](t)
@@ -61,3 +64,14 @@ func assertKind[native, equivalent any](t *testing.T) {
 		t.Fatalf("%s: %s, want %s", nativeType.Name(), nativeType.Kind(), equivalentType.Kind())
 	}
 }
+
+// assertOverflow asserts that incrementing m overflows.
+func assertOverflow[T ~int32 | ~uint32](t *testing.T, m T) {
+	t.Helper()
+
+	old := m
+	m++
+	if m > old {
+		t.Fatalf("unexpected value %#x", m)
+	}
+}
--- a/container/std/seccomp.go
+++ b/container/std/seccomp.go
@@ -1,34 +1,20 @@
 package std

-import (
-	"encoding/json"
-	"strconv"
-)
+import "hakurei.app/ext"

 type (
-	// ScmpUint is equivalent to C.uint.
-	//
-	// Deprecated: This type has been renamed to Uint and will be removed in 0.4.
-	ScmpUint = Uint
-	// ScmpInt is equivalent to C.int.
-	//
-	// Deprecated: This type has been renamed to Int and will be removed in 0.4.
-	ScmpInt = Int
-
-	// ScmpSyscall represents a syscall number passed to libseccomp via [NativeRule.Syscall].
-	ScmpSyscall Int
 	// ScmpErrno represents an errno value passed to libseccomp via [NativeRule.Errno].
-	ScmpErrno Int
+	ScmpErrno = ext.Int

 	// ScmpCompare is equivalent to enum scmp_compare;
-	ScmpCompare Uint
+	ScmpCompare = ext.Uint
 	// ScmpDatum is equivalent to scmp_datum_t.
-	ScmpDatum uint64
+	ScmpDatum = uint64

 	// ScmpArgCmp is equivalent to struct scmp_arg_cmp.
 	ScmpArgCmp struct {
 		// argument number, starting at 0
-		Arg Uint `json:"arg"`
+		Arg ext.Uint `json:"arg"`
 		// the comparison op, e.g. SCMP_CMP_*
 		Op ScmpCompare `json:"op"`

@@ -39,42 +25,10 @@ type (
 	// A NativeRule specifies an arch-specific action taken by seccomp under certain conditions.
 	NativeRule struct {
 		// Syscall is the arch-dependent syscall number to act against.
-		Syscall ScmpSyscall `json:"syscall"`
+		Syscall ext.SyscallNum `json:"syscall"`
 		// Errno is the errno value to return when the condition is satisfied.
 		Errno ScmpErrno `json:"errno"`
 		// Arg is the optional struct scmp_arg_cmp passed to libseccomp.
 		Arg *ScmpArgCmp `json:"arg,omitempty"`
 	}
 )
-
-// MarshalJSON resolves the name of [ScmpSyscall] and encodes it as a [json] string.
-// If such a name does not exist, the syscall number is encoded instead.
-func (num *ScmpSyscall) MarshalJSON() ([]byte, error) {
-	n := *num
-	for name, cur := range Syscalls() {
-		if cur == n {
-			return json.Marshal(name)
-		}
-	}
-	return json.Marshal(n)
-}
-
-// SyscallNameError is returned when trying to unmarshal an invalid syscall name into [ScmpSyscall].
-type SyscallNameError string
-
-func (e SyscallNameError) Error() string { return "invalid syscall name " + strconv.Quote(string(e)) }
-
-// UnmarshalJSON looks up the syscall number corresponding to name encoded in data
-// by calling [SyscallResolveName].
-func (num *ScmpSyscall) UnmarshalJSON(data []byte) error {
-	var name string
-	if err := json.Unmarshal(data, &name); err != nil {
-		return err
-	}
-	if n, ok := SyscallResolveName(name); !ok {
-		return SyscallNameError(name)
-	} else {
-		*num = n
-		return nil
-	}
-}
--- a/container/std/syscall_extra_linux_386.go
+++ b/container/std/syscall_extra_linux_386.go
@@ -1,13 +0,0 @@
-package std
-
-var syscallNumExtra = map[string]ScmpSyscall{
-	"kexec_file_load": SNR_KEXEC_FILE_LOAD,
-	"subpage_prot":    SNR_SUBPAGE_PROT,
-	"switch_endian":   SNR_SWITCH_ENDIAN,
-}
-
-const (
-	SNR_KEXEC_FILE_LOAD ScmpSyscall = __PNR_kexec_file_load
-	SNR_SUBPAGE_PROT    ScmpSyscall = __PNR_subpage_prot
-	SNR_SWITCH_ENDIAN   ScmpSyscall = __PNR_switch_endian
-)
--- a/container/std/syscall_extra_linux_amd64.go
+++ b/container/std/syscall_extra_linux_amd64.go
@@ -1,41 +0,0 @@
-package std
-
-var syscallNumExtra = map[string]ScmpSyscall{
-	"umount":          SNR_UMOUNT,
-	"subpage_prot":    SNR_SUBPAGE_PROT,
-	"switch_endian":   SNR_SWITCH_ENDIAN,
-	"vm86":            SNR_VM86,
-	"vm86old":         SNR_VM86OLD,
-	"clock_adjtime64": SNR_CLOCK_ADJTIME64,
-	"clock_settime64": SNR_CLOCK_SETTIME64,
-	"chown32":         SNR_CHOWN32,
-	"fchown32":        SNR_FCHOWN32,
-	"lchown32":        SNR_LCHOWN32,
-	"setgid32":        SNR_SETGID32,
-	"setgroups32":     SNR_SETGROUPS32,
-	"setregid32":      SNR_SETREGID32,
-	"setresgid32":     SNR_SETRESGID32,
-	"setresuid32":     SNR_SETRESUID32,
-	"setreuid32":      SNR_SETREUID32,
-	"setuid32":        SNR_SETUID32,
-}
-
-const (
-	SNR_UMOUNT          ScmpSyscall = __PNR_umount
-	SNR_SUBPAGE_PROT    ScmpSyscall = __PNR_subpage_prot
-	SNR_SWITCH_ENDIAN   ScmpSyscall = __PNR_switch_endian
-	SNR_VM86            ScmpSyscall = __PNR_vm86
-	SNR_VM86OLD         ScmpSyscall = __PNR_vm86old
-	SNR_CLOCK_ADJTIME64 ScmpSyscall = __PNR_clock_adjtime64
-	SNR_CLOCK_SETTIME64 ScmpSyscall = __PNR_clock_settime64
-	SNR_CHOWN32         ScmpSyscall = __PNR_chown32
-	SNR_FCHOWN32        ScmpSyscall = __PNR_fchown32
-	SNR_LCHOWN32        ScmpSyscall = __PNR_lchown32
-	SNR_SETGID32        ScmpSyscall = __PNR_setgid32
-	SNR_SETGROUPS32     ScmpSyscall = __PNR_setgroups32
-	SNR_SETREGID32      ScmpSyscall = __PNR_setregid32
-	SNR_SETRESGID32     ScmpSyscall = __PNR_setresgid32
-	SNR_SETRESUID32     ScmpSyscall = __PNR_setresuid32
-	SNR_SETREUID32      ScmpSyscall = __PNR_setreuid32
-	SNR_SETUID32        ScmpSyscall = __PNR_setuid32
-)
--- a/container/std/syscall_extra_linux_arm64.go
+++ b/container/std/syscall_extra_linux_arm64.go
@@ -1,55 +0,0 @@
-package std
-
-import "syscall"
-
-const (
-	SYS_NEWFSTATAT = syscall.SYS_FSTATAT
-)
-
-var syscallNumExtra = map[string]ScmpSyscall{
-	"uselib":          SNR_USELIB,
-	"clock_adjtime64": SNR_CLOCK_ADJTIME64,
-	"clock_settime64": SNR_CLOCK_SETTIME64,
-	"umount":          SNR_UMOUNT,
-	"chown":           SNR_CHOWN,
-	"chown32":         SNR_CHOWN32,
-	"fchown32":        SNR_FCHOWN32,
-	"lchown":          SNR_LCHOWN,
-	"lchown32":        SNR_LCHOWN32,
-	"setgid32":        SNR_SETGID32,
-	"setgroups32":     SNR_SETGROUPS32,
-	"setregid32":      SNR_SETREGID32,
-	"setresgid32":     SNR_SETRESGID32,
-	"setresuid32":     SNR_SETRESUID32,
-	"setreuid32":      SNR_SETREUID32,
-	"setuid32":        SNR_SETUID32,
-	"modify_ldt":      SNR_MODIFY_LDT,
-	"subpage_prot":    SNR_SUBPAGE_PROT,
-	"switch_endian":   SNR_SWITCH_ENDIAN,
-	"vm86":            SNR_VM86,
-	"vm86old":         SNR_VM86OLD,
-}
-
-const (
-	SNR_USELIB          ScmpSyscall = __PNR_uselib
-	SNR_CLOCK_ADJTIME64 ScmpSyscall = __PNR_clock_adjtime64
-	SNR_CLOCK_SETTIME64 ScmpSyscall = __PNR_clock_settime64
-	SNR_UMOUNT          ScmpSyscall = __PNR_umount
-	SNR_CHOWN           ScmpSyscall = __PNR_chown
-	SNR_CHOWN32         ScmpSyscall = __PNR_chown32
-	SNR_FCHOWN32        ScmpSyscall = __PNR_fchown32
-	SNR_LCHOWN          ScmpSyscall = __PNR_lchown
-	SNR_LCHOWN32        ScmpSyscall = __PNR_lchown32
-	SNR_SETGID32        ScmpSyscall = __PNR_setgid32
-	SNR_SETGROUPS32     ScmpSyscall = __PNR_setgroups32
-	SNR_SETREGID32      ScmpSyscall = __PNR_setregid32
-	SNR_SETRESGID32     ScmpSyscall = __PNR_setresgid32
-	SNR_SETRESUID32     ScmpSyscall = __PNR_setresuid32
-	SNR_SETREUID32      ScmpSyscall = __PNR_setreuid32
-	SNR_SETUID32        ScmpSyscall = __PNR_setuid32
-	SNR_MODIFY_LDT      ScmpSyscall = __PNR_modify_ldt
-	SNR_SUBPAGE_PROT    ScmpSyscall = __PNR_subpage_prot
-	SNR_SWITCH_ENDIAN   ScmpSyscall = __PNR_switch_endian
-	SNR_VM86            ScmpSyscall = __PNR_vm86
-	SNR_VM86OLD         ScmpSyscall = __PNR_vm86old
-)
--- a/container/std/syscall_extra_linux_riscv64.go
+++ b/container/std/syscall_extra_linux_riscv64.go
@@ -1,55 +0,0 @@
-package std
-
-import "syscall"
-
-const (
-	SYS_NEWFSTATAT = syscall.SYS_FSTATAT
-)
-
-var syscallNumExtra = map[string]ScmpSyscall{
-	"uselib":          SNR_USELIB,
-	"clock_adjtime64": SNR_CLOCK_ADJTIME64,
-	"clock_settime64": SNR_CLOCK_SETTIME64,
-	"umount":          SNR_UMOUNT,
-	"chown":           SNR_CHOWN,
-	"chown32":         SNR_CHOWN32,
-	"fchown32":        SNR_FCHOWN32,
-	"lchown":          SNR_LCHOWN,
-	"lchown32":        SNR_LCHOWN32,
-	"setgid32":        SNR_SETGID32,
-	"setgroups32":     SNR_SETGROUPS32,
-	"setregid32":      SNR_SETREGID32,
-	"setresgid32":     SNR_SETRESGID32,
-	"setresuid32":     SNR_SETRESUID32,
-	"setreuid32":      SNR_SETREUID32,
-	"setuid32":        SNR_SETUID32,
-	"modify_ldt":      SNR_MODIFY_LDT,
-	"subpage_prot":    SNR_SUBPAGE_PROT,
-	"switch_endian":   SNR_SWITCH_ENDIAN,
-	"vm86":            SNR_VM86,
-	"vm86old":         SNR_VM86OLD,
-}
-
-const (
-	SNR_USELIB          ScmpSyscall = __PNR_uselib
-	SNR_CLOCK_ADJTIME64 ScmpSyscall = __PNR_clock_adjtime64
-	SNR_CLOCK_SETTIME64 ScmpSyscall = __PNR_clock_settime64
-	SNR_UMOUNT          ScmpSyscall = __PNR_umount
-	SNR_CHOWN           ScmpSyscall = __PNR_chown
-	SNR_CHOWN32         ScmpSyscall = __PNR_chown32
-	SNR_FCHOWN32        ScmpSyscall = __PNR_fchown32
-	SNR_LCHOWN          ScmpSyscall = __PNR_lchown
-	SNR_LCHOWN32        ScmpSyscall = __PNR_lchown32
-	SNR_SETGID32        ScmpSyscall = __PNR_setgid32
-	SNR_SETGROUPS32     ScmpSyscall = __PNR_setgroups32
-	SNR_SETREGID32      ScmpSyscall = __PNR_setregid32
-	SNR_SETRESGID32     ScmpSyscall = __PNR_setresgid32
-	SNR_SETRESUID32     ScmpSyscall = __PNR_setresuid32
-	SNR_SETREUID32      ScmpSyscall = __PNR_setreuid32
-	SNR_SETUID32        ScmpSyscall = __PNR_setuid32
-	SNR_MODIFY_LDT      ScmpSyscall = __PNR_modify_ldt
-	SNR_SUBPAGE_PROT    ScmpSyscall = __PNR_subpage_prot
-	SNR_SWITCH_ENDIAN   ScmpSyscall = __PNR_switch_endian
-	SNR_VM86            ScmpSyscall = __PNR_vm86
-	SNR_VM86OLD         ScmpSyscall = __PNR_vm86old
-)
--- a/container/std/syscall_linux_386.go
+++ b/container/std/syscall_linux_386.go
--- a/container/std/syscall_linux_amd64.go
+++ b/container/std/syscall_linux_amd64.go
@@ -1,837 +0,0 @@
-// mksysnum_linux.pl /usr/include/asm/unistd_64.h
-// Code generated by the command above; DO NOT EDIT.
-
-package std
-
-import . "syscall"
-
-var syscallNum = map[string]ScmpSyscall{
-	"read":                    SNR_READ,
-	"write":                   SNR_WRITE,
-	"open":                    SNR_OPEN,
-	"close":                   SNR_CLOSE,
-	"stat":                    SNR_STAT,
-	"fstat":                   SNR_FSTAT,
-	"lstat":                   SNR_LSTAT,
-	"poll":                    SNR_POLL,
-	"lseek":                   SNR_LSEEK,
-	"mmap":                    SNR_MMAP,
-	"mprotect":                SNR_MPROTECT,
-	"munmap":                  SNR_MUNMAP,
-	"brk":                     SNR_BRK,
-	"rt_sigaction":            SNR_RT_SIGACTION,
-	"rt_sigprocmask":          SNR_RT_SIGPROCMASK,
-	"rt_sigreturn":            SNR_RT_SIGRETURN,
-	"ioctl":                   SNR_IOCTL,
-	"pread64":                 SNR_PREAD64,
-	"pwrite64":                SNR_PWRITE64,
-	"readv":                   SNR_READV,
-	"writev":                  SNR_WRITEV,
-	"access":                  SNR_ACCESS,
-	"pipe":                    SNR_PIPE,
-	"select":                  SNR_SELECT,
-	"sched_yield":             SNR_SCHED_YIELD,
-	"mremap":                  SNR_MREMAP,
-	"msync":                   SNR_MSYNC,
-	"mincore":                 SNR_MINCORE,
-	"madvise":                 SNR_MADVISE,
-	"shmget":                  SNR_SHMGET,
-	"shmat":                   SNR_SHMAT,
-	"shmctl":                  SNR_SHMCTL,
-	"dup":                     SNR_DUP,
-	"dup2":                    SNR_DUP2,
-	"pause":                   SNR_PAUSE,
-	"nanosleep":               SNR_NANOSLEEP,
-	"getitimer":               SNR_GETITIMER,
-	"alarm":                   SNR_ALARM,
-	"setitimer":               SNR_SETITIMER,
-	"getpid":                  SNR_GETPID,
-	"sendfile":                SNR_SENDFILE,
-	"socket":                  SNR_SOCKET,
-	"connect":                 SNR_CONNECT,
-	"accept":                  SNR_ACCEPT,
-	"sendto":                  SNR_SENDTO,
-	"recvfrom":                SNR_RECVFROM,
-	"sendmsg":                 SNR_SENDMSG,
-	"recvmsg":                 SNR_RECVMSG,
-	"shutdown":                SNR_SHUTDOWN,
-	"bind":                    SNR_BIND,
-	"listen":                  SNR_LISTEN,
-	"getsockname":             SNR_GETSOCKNAME,
-	"getpeername":             SNR_GETPEERNAME,
-	"socketpair":              SNR_SOCKETPAIR,
-	"setsockopt":              SNR_SETSOCKOPT,
-	"getsockopt":              SNR_GETSOCKOPT,
-	"clone":                   SNR_CLONE,
-	"fork":                    SNR_FORK,
-	"vfork":                   SNR_VFORK,
-	"execve":                  SNR_EXECVE,
-	"exit":                    SNR_EXIT,
-	"wait4":                   SNR_WAIT4,
-	"kill":                    SNR_KILL,
-	"uname":                   SNR_UNAME,
-	"semget":                  SNR_SEMGET,
-	"semop":                   SNR_SEMOP,
-	"semctl":                  SNR_SEMCTL,
-	"shmdt":                   SNR_SHMDT,
-	"msgget":                  SNR_MSGGET,
-	"msgsnd":                  SNR_MSGSND,
-	"msgrcv":                  SNR_MSGRCV,
-	"msgctl":                  SNR_MSGCTL,
-	"fcntl":                   SNR_FCNTL,
-	"flock":                   SNR_FLOCK,
-	"fsync":                   SNR_FSYNC,
-	"fdatasync":               SNR_FDATASYNC,
-	"truncate":                SNR_TRUNCATE,
-	"ftruncate":               SNR_FTRUNCATE,
-	"getdents":                SNR_GETDENTS,
-	"getcwd":                  SNR_GETCWD,
-	"chdir":                   SNR_CHDIR,
-	"fchdir":                  SNR_FCHDIR,
-	"rename":                  SNR_RENAME,
-	"mkdir":                   SNR_MKDIR,
-	"rmdir":                   SNR_RMDIR,
-	"creat":                   SNR_CREAT,
-	"link":                    SNR_LINK,
-	"unlink":                  SNR_UNLINK,
-	"symlink":                 SNR_SYMLINK,
-	"readlink":                SNR_READLINK,
-	"chmod":                   SNR_CHMOD,
-	"fchmod":                  SNR_FCHMOD,
-	"chown":                   SNR_CHOWN,
-	"fchown":                  SNR_FCHOWN,
-	"lchown":                  SNR_LCHOWN,
-	"umask":                   SNR_UMASK,
-	"gettimeofday":            SNR_GETTIMEOFDAY,
-	"getrlimit":               SNR_GETRLIMIT,
-	"getrusage":               SNR_GETRUSAGE,
-	"sysinfo":                 SNR_SYSINFO,
-	"times":                   SNR_TIMES,
-	"ptrace":                  SNR_PTRACE,
-	"getuid":                  SNR_GETUID,
-	"syslog":                  SNR_SYSLOG,
-	"getgid":                  SNR_GETGID,
-	"setuid":                  SNR_SETUID,
-	"setgid":                  SNR_SETGID,
-	"geteuid":                 SNR_GETEUID,
-	"getegid":                 SNR_GETEGID,
-	"setpgid":                 SNR_SETPGID,
-	"getppid":                 SNR_GETPPID,
-	"getpgrp":                 SNR_GETPGRP,
-	"setsid":                  SNR_SETSID,
-	"setreuid":                SNR_SETREUID,
-	"setregid":                SNR_SETREGID,
-	"getgroups":               SNR_GETGROUPS,
-	"setgroups":               SNR_SETGROUPS,
-	"setresuid":               SNR_SETRESUID,
-	"getresuid":               SNR_GETRESUID,
-	"setresgid":               SNR_SETRESGID,
-	"getresgid":               SNR_GETRESGID,
-	"getpgid":                 SNR_GETPGID,
-	"setfsuid":                SNR_SETFSUID,
-	"setfsgid":                SNR_SETFSGID,
-	"getsid":                  SNR_GETSID,
-	"capget":                  SNR_CAPGET,
-	"capset":                  SNR_CAPSET,
-	"rt_sigpending":           SNR_RT_SIGPENDING,
-	"rt_sigtimedwait":         SNR_RT_SIGTIMEDWAIT,
-	"rt_sigqueueinfo":         SNR_RT_SIGQUEUEINFO,
-	"rt_sigsuspend":           SNR_RT_SIGSUSPEND,
-	"sigaltstack":             SNR_SIGALTSTACK,
-	"utime":                   SNR_UTIME,
-	"mknod":                   SNR_MKNOD,
-	"uselib":                  SNR_USELIB,
-	"personality":             SNR_PERSONALITY,
-	"ustat":                   SNR_USTAT,
-	"statfs":                  SNR_STATFS,
-	"fstatfs":                 SNR_FSTATFS,
-	"sysfs":                   SNR_SYSFS,
-	"getpriority":             SNR_GETPRIORITY,
-	"setpriority":             SNR_SETPRIORITY,
-	"sched_setparam":          SNR_SCHED_SETPARAM,
-	"sched_getparam":          SNR_SCHED_GETPARAM,
-	"sched_setscheduler":      SNR_SCHED_SETSCHEDULER,
-	"sched_getscheduler":      SNR_SCHED_GETSCHEDULER,
-	"sched_get_priority_max":  SNR_SCHED_GET_PRIORITY_MAX,
-	"sched_get_priority_min":  SNR_SCHED_GET_PRIORITY_MIN,
-	"sched_rr_get_interval":   SNR_SCHED_RR_GET_INTERVAL,
-	"mlock":                   SNR_MLOCK,
-	"munlock":                 SNR_MUNLOCK,
-	"mlockall":                SNR_MLOCKALL,
-	"munlockall":              SNR_MUNLOCKALL,
-	"vhangup":                 SNR_VHANGUP,
-	"modify_ldt":              SNR_MODIFY_LDT,
-	"pivot_root":              SNR_PIVOT_ROOT,
-	"_sysctl":                 SNR__SYSCTL,
-	"prctl":                   SNR_PRCTL,
-	"arch_prctl":              SNR_ARCH_PRCTL,
-	"adjtimex":                SNR_ADJTIMEX,
-	"setrlimit":               SNR_SETRLIMIT,
-	"chroot":                  SNR_CHROOT,
-	"sync":                    SNR_SYNC,
-	"acct":                    SNR_ACCT,
-	"settimeofday":            SNR_SETTIMEOFDAY,
-	"mount":                   SNR_MOUNT,
-	"umount2":                 SNR_UMOUNT2,
-	"swapon":                  SNR_SWAPON,
-	"swapoff":                 SNR_SWAPOFF,
-	"reboot":                  SNR_REBOOT,
-	"sethostname":             SNR_SETHOSTNAME,
-	"setdomainname":           SNR_SETDOMAINNAME,
-	"iopl":                    SNR_IOPL,
-	"ioperm":                  SNR_IOPERM,
-	"create_module":           SNR_CREATE_MODULE,
-	"init_module":             SNR_INIT_MODULE,
-	"delete_module":           SNR_DELETE_MODULE,
-	"get_kernel_syms":         SNR_GET_KERNEL_SYMS,
-	"query_module":            SNR_QUERY_MODULE,
-	"quotactl":                SNR_QUOTACTL,
-	"nfsservctl":              SNR_NFSSERVCTL,
-	"getpmsg":                 SNR_GETPMSG,
-	"putpmsg":                 SNR_PUTPMSG,
-	"afs_syscall":             SNR_AFS_SYSCALL,
-	"tuxcall":                 SNR_TUXCALL,
-	"security":                SNR_SECURITY,
-	"gettid":                  SNR_GETTID,
-	"readahead":               SNR_READAHEAD,
-	"setxattr":                SNR_SETXATTR,
-	"lsetxattr":               SNR_LSETXATTR,
-	"fsetxattr":               SNR_FSETXATTR,
-	"getxattr":                SNR_GETXATTR,
-	"lgetxattr":               SNR_LGETXATTR,
-	"fgetxattr":               SNR_FGETXATTR,
-	"listxattr":               SNR_LISTXATTR,
-	"llistxattr":              SNR_LLISTXATTR,
-	"flistxattr":              SNR_FLISTXATTR,
-	"removexattr":             SNR_REMOVEXATTR,
-	"lremovexattr":            SNR_LREMOVEXATTR,
-	"fremovexattr":            SNR_FREMOVEXATTR,
-	"tkill":                   SNR_TKILL,
-	"time":                    SNR_TIME,
-	"futex":                   SNR_FUTEX,
-	"sched_setaffinity":       SNR_SCHED_SETAFFINITY,
-	"sched_getaffinity":       SNR_SCHED_GETAFFINITY,
-	"set_thread_area":         SNR_SET_THREAD_AREA,
-	"io_setup":                SNR_IO_SETUP,
-	"io_destroy":              SNR_IO_DESTROY,
-	"io_getevents":            SNR_IO_GETEVENTS,
-	"io_submit":               SNR_IO_SUBMIT,
-	"io_cancel":               SNR_IO_CANCEL,
-	"get_thread_area":         SNR_GET_THREAD_AREA,
-	"lookup_dcookie":          SNR_LOOKUP_DCOOKIE,
-	"epoll_create":            SNR_EPOLL_CREATE,
-	"epoll_ctl_old":           SNR_EPOLL_CTL_OLD,
-	"epoll_wait_old":          SNR_EPOLL_WAIT_OLD,
-	"remap_file_pages":        SNR_REMAP_FILE_PAGES,
-	"getdents64":              SNR_GETDENTS64,
-	"set_tid_address":         SNR_SET_TID_ADDRESS,
-	"restart_syscall":         SNR_RESTART_SYSCALL,
-	"semtimedop":              SNR_SEMTIMEDOP,
-	"fadvise64":               SNR_FADVISE64,
-	"timer_create":            SNR_TIMER_CREATE,
-	"timer_settime":           SNR_TIMER_SETTIME,
-	"timer_gettime":           SNR_TIMER_GETTIME,
-	"timer_getoverrun":        SNR_TIMER_GETOVERRUN,
-	"timer_delete":            SNR_TIMER_DELETE,
-	"clock_settime":           SNR_CLOCK_SETTIME,
-	"clock_gettime":           SNR_CLOCK_GETTIME,
-	"clock_getres":            SNR_CLOCK_GETRES,
-	"clock_nanosleep":         SNR_CLOCK_NANOSLEEP,
-	"exit_group":              SNR_EXIT_GROUP,
-	"epoll_wait":              SNR_EPOLL_WAIT,
-	"epoll_ctl":               SNR_EPOLL_CTL,
-	"tgkill":                  SNR_TGKILL,
-	"utimes":                  SNR_UTIMES,
-	"vserver":                 SNR_VSERVER,
-	"mbind":                   SNR_MBIND,
-	"set_mempolicy":           SNR_SET_MEMPOLICY,
-	"get_mempolicy":           SNR_GET_MEMPOLICY,
-	"mq_open":                 SNR_MQ_OPEN,
-	"mq_unlink":               SNR_MQ_UNLINK,
-	"mq_timedsend":            SNR_MQ_TIMEDSEND,
-	"mq_timedreceive":         SNR_MQ_TIMEDRECEIVE,
-	"mq_notify":               SNR_MQ_NOTIFY,
-	"mq_getsetattr":           SNR_MQ_GETSETATTR,
-	"kexec_load":              SNR_KEXEC_LOAD,
-	"waitid":                  SNR_WAITID,
-	"add_key":                 SNR_ADD_KEY,
-	"request_key":             SNR_REQUEST_KEY,
-	"keyctl":                  SNR_KEYCTL,
-	"ioprio_set":              SNR_IOPRIO_SET,
-	"ioprio_get":              SNR_IOPRIO_GET,
-	"inotify_init":            SNR_INOTIFY_INIT,
-	"inotify_add_watch":       SNR_INOTIFY_ADD_WATCH,
-	"inotify_rm_watch":        SNR_INOTIFY_RM_WATCH,
-	"migrate_pages":           SNR_MIGRATE_PAGES,
-	"openat":                  SNR_OPENAT,
-	"mkdirat":                 SNR_MKDIRAT,
-	"mknodat":                 SNR_MKNODAT,
-	"fchownat":                SNR_FCHOWNAT,
-	"futimesat":               SNR_FUTIMESAT,
-	"newfstatat":              SNR_NEWFSTATAT,
-	"unlinkat":                SNR_UNLINKAT,
-	"renameat":                SNR_RENAMEAT,
-	"linkat":                  SNR_LINKAT,
-	"symlinkat":               SNR_SYMLINKAT,
-	"readlinkat":              SNR_READLINKAT,
-	"fchmodat":                SNR_FCHMODAT,
-	"faccessat":               SNR_FACCESSAT,
-	"pselect6":                SNR_PSELECT6,
-	"ppoll":                   SNR_PPOLL,
-	"unshare":                 SNR_UNSHARE,
-	"set_robust_list":         SNR_SET_ROBUST_LIST,
-	"get_robust_list":         SNR_GET_ROBUST_LIST,
-	"splice":                  SNR_SPLICE,
-	"tee":                     SNR_TEE,
-	"sync_file_range":         SNR_SYNC_FILE_RANGE,
-	"vmsplice":                SNR_VMSPLICE,
-	"move_pages":              SNR_MOVE_PAGES,
-	"utimensat":               SNR_UTIMENSAT,
-	"epoll_pwait":             SNR_EPOLL_PWAIT,
-	"signalfd":                SNR_SIGNALFD,
-	"timerfd_create":          SNR_TIMERFD_CREATE,
-	"eventfd":                 SNR_EVENTFD,
-	"fallocate":               SNR_FALLOCATE,
-	"timerfd_settime":         SNR_TIMERFD_SETTIME,
-	"timerfd_gettime":         SNR_TIMERFD_GETTIME,
-	"accept4":                 SNR_ACCEPT4,
-	"signalfd4":               SNR_SIGNALFD4,
-	"eventfd2":                SNR_EVENTFD2,
-	"epoll_create1":           SNR_EPOLL_CREATE1,
-	"dup3":                    SNR_DUP3,
-	"pipe2":                   SNR_PIPE2,
-	"inotify_init1":           SNR_INOTIFY_INIT1,
-	"preadv":                  SNR_PREADV,
-	"pwritev":                 SNR_PWRITEV,
-	"rt_tgsigqueueinfo":       SNR_RT_TGSIGQUEUEINFO,
-	"perf_event_open":         SNR_PERF_EVENT_OPEN,
-	"recvmmsg":                SNR_RECVMMSG,
-	"fanotify_init":           SNR_FANOTIFY_INIT,
-	"fanotify_mark":           SNR_FANOTIFY_MARK,
-	"prlimit64":               SNR_PRLIMIT64,
-	"name_to_handle_at":       SNR_NAME_TO_HANDLE_AT,
-	"open_by_handle_at":       SNR_OPEN_BY_HANDLE_AT,
-	"clock_adjtime":           SNR_CLOCK_ADJTIME,
-	"syncfs":                  SNR_SYNCFS,
-	"sendmmsg":                SNR_SENDMMSG,
-	"setns":                   SNR_SETNS,
-	"getcpu":                  SNR_GETCPU,
-	"process_vm_readv":        SNR_PROCESS_VM_READV,
-	"process_vm_writev":       SNR_PROCESS_VM_WRITEV,
-	"kcmp":                    SNR_KCMP,
-	"finit_module":            SNR_FINIT_MODULE,
-	"sched_setattr":           SNR_SCHED_SETATTR,
-	"sched_getattr":           SNR_SCHED_GETATTR,
-	"renameat2":               SNR_RENAMEAT2,
-	"seccomp":                 SNR_SECCOMP,
-	"getrandom":               SNR_GETRANDOM,
-	"memfd_create":            SNR_MEMFD_CREATE,
-	"kexec_file_load":         SNR_KEXEC_FILE_LOAD,
-	"bpf":                     SNR_BPF,
-	"execveat":                SNR_EXECVEAT,
-	"userfaultfd":             SNR_USERFAULTFD,
-	"membarrier":              SNR_MEMBARRIER,
-	"mlock2":                  SNR_MLOCK2,
-	"copy_file_range":         SNR_COPY_FILE_RANGE,
-	"preadv2":                 SNR_PREADV2,
-	"pwritev2":                SNR_PWRITEV2,
-	"pkey_mprotect":           SNR_PKEY_MPROTECT,
-	"pkey_alloc":              SNR_PKEY_ALLOC,
-	"pkey_free":               SNR_PKEY_FREE,
-	"statx":                   SNR_STATX,
-	"io_pgetevents":           SNR_IO_PGETEVENTS,
-	"rseq":                    SNR_RSEQ,
-	"uretprobe":               SNR_URETPROBE,
-	"pidfd_send_signal":       SNR_PIDFD_SEND_SIGNAL,
-	"io_uring_setup":          SNR_IO_URING_SETUP,
-	"io_uring_enter":          SNR_IO_URING_ENTER,
-	"io_uring_register":       SNR_IO_URING_REGISTER,
-	"open_tree":               SNR_OPEN_TREE,
-	"move_mount":              SNR_MOVE_MOUNT,
-	"fsopen":                  SNR_FSOPEN,
-	"fsconfig":                SNR_FSCONFIG,
-	"fsmount":                 SNR_FSMOUNT,
-	"fspick":                  SNR_FSPICK,
-	"pidfd_open":              SNR_PIDFD_OPEN,
-	"clone3":                  SNR_CLONE3,
-	"close_range":             SNR_CLOSE_RANGE,
-	"openat2":                 SNR_OPENAT2,
-	"pidfd_getfd":             SNR_PIDFD_GETFD,
-	"faccessat2":              SNR_FACCESSAT2,
-	"process_madvise":         SNR_PROCESS_MADVISE,
-	"epoll_pwait2":            SNR_EPOLL_PWAIT2,
-	"mount_setattr":           SNR_MOUNT_SETATTR,
-	"quotactl_fd":             SNR_QUOTACTL_FD,
-	"landlock_create_ruleset": SNR_LANDLOCK_CREATE_RULESET,
-	"landlock_add_rule":       SNR_LANDLOCK_ADD_RULE,
-	"landlock_restrict_self":  SNR_LANDLOCK_RESTRICT_SELF,
-	"memfd_secret":            SNR_MEMFD_SECRET,
-	"process_mrelease":        SNR_PROCESS_MRELEASE,
-	"futex_waitv":             SNR_FUTEX_WAITV,
-	"set_mempolicy_home_node": SNR_SET_MEMPOLICY_HOME_NODE,
-	"cachestat":               SNR_CACHESTAT,
-	"fchmodat2":               SNR_FCHMODAT2,
-	"map_shadow_stack":        SNR_MAP_SHADOW_STACK,
-	"futex_wake":              SNR_FUTEX_WAKE,
-	"futex_wait":              SNR_FUTEX_WAIT,
-	"futex_requeue":           SNR_FUTEX_REQUEUE,
-	"statmount":               SNR_STATMOUNT,
-	"listmount":               SNR_LISTMOUNT,
-	"lsm_get_self_attr":       SNR_LSM_GET_SELF_ATTR,
-	"lsm_set_self_attr":       SNR_LSM_SET_SELF_ATTR,
-	"lsm_list_modules":        SNR_LSM_LIST_MODULES,
-	"mseal":                   SNR_MSEAL,
-}
-
-const (
-	SYS_NAME_TO_HANDLE_AT       = 303
-	SYS_OPEN_BY_HANDLE_AT       = 304
-	SYS_CLOCK_ADJTIME           = 305
-	SYS_SYNCFS                  = 306
-	SYS_SENDMMSG                = 307
-	SYS_SETNS                   = 308
-	SYS_GETCPU                  = 309
-	SYS_PROCESS_VM_READV        = 310
-	SYS_PROCESS_VM_WRITEV       = 311
-	SYS_KCMP                    = 312
-	SYS_FINIT_MODULE            = 313
-	SYS_SCHED_SETATTR           = 314
-	SYS_SCHED_GETATTR           = 315
-	SYS_RENAMEAT2               = 316
-	SYS_SECCOMP                 = 317
-	SYS_GETRANDOM               = 318
-	SYS_MEMFD_CREATE            = 319
-	SYS_KEXEC_FILE_LOAD         = 320
-	SYS_BPF                     = 321
-	SYS_EXECVEAT                = 322
-	SYS_USERFAULTFD             = 323
-	SYS_MEMBARRIER              = 324
-	SYS_MLOCK2                  = 325
-	SYS_COPY_FILE_RANGE         = 326
-	SYS_PREADV2                 = 327
-	SYS_PWRITEV2                = 328
-	SYS_PKEY_MPROTECT           = 329
-	SYS_PKEY_ALLOC              = 330
-	SYS_PKEY_FREE               = 331
-	SYS_STATX                   = 332
-	SYS_IO_PGETEVENTS           = 333
-	SYS_RSEQ                    = 334
-	SYS_URETPROBE               = 335
-	SYS_PIDFD_SEND_SIGNAL       = 424
-	SYS_IO_URING_SETUP          = 425
-	SYS_IO_URING_ENTER          = 426
-	SYS_IO_URING_REGISTER       = 427
-	SYS_OPEN_TREE               = 428
-	SYS_MOVE_MOUNT              = 429
-	SYS_FSOPEN                  = 430
-	SYS_FSCONFIG                = 431
-	SYS_FSMOUNT                 = 432
-	SYS_FSPICK                  = 433
-	SYS_PIDFD_OPEN              = 434
-	SYS_CLONE3                  = 435
-	SYS_CLOSE_RANGE             = 436
-	SYS_OPENAT2                 = 437
-	SYS_PIDFD_GETFD             = 438
-	SYS_FACCESSAT2              = 439
-	SYS_PROCESS_MADVISE         = 440
-	SYS_EPOLL_PWAIT2            = 441
-	SYS_MOUNT_SETATTR           = 442
-	SYS_QUOTACTL_FD             = 443
-	SYS_LANDLOCK_CREATE_RULESET = 444
-	SYS_LANDLOCK_ADD_RULE       = 445
-	SYS_LANDLOCK_RESTRICT_SELF  = 446
-	SYS_MEMFD_SECRET            = 447
-	SYS_PROCESS_MRELEASE        = 448
-	SYS_FUTEX_WAITV             = 449
-	SYS_SET_MEMPOLICY_HOME_NODE = 450
-	SYS_CACHESTAT               = 451
-	SYS_FCHMODAT2               = 452
-	SYS_MAP_SHADOW_STACK        = 453
-	SYS_FUTEX_WAKE              = 454
-	SYS_FUTEX_WAIT              = 455
-	SYS_FUTEX_REQUEUE           = 456
-	SYS_STATMOUNT               = 457
-	SYS_LISTMOUNT               = 458
-	SYS_LSM_GET_SELF_ATTR       = 459
-	SYS_LSM_SET_SELF_ATTR       = 460
-	SYS_LSM_LIST_MODULES        = 461
-	SYS_MSEAL                   = 462
-)
-
-const (
-	SNR_READ                    ScmpSyscall = SYS_READ
-	SNR_WRITE                   ScmpSyscall = SYS_WRITE
-	SNR_OPEN                    ScmpSyscall = SYS_OPEN
-	SNR_CLOSE                   ScmpSyscall = SYS_CLOSE
-	SNR_STAT                    ScmpSyscall = SYS_STAT
-	SNR_FSTAT                   ScmpSyscall = SYS_FSTAT
-	SNR_LSTAT                   ScmpSyscall = SYS_LSTAT
-	SNR_POLL                    ScmpSyscall = SYS_POLL
-	SNR_LSEEK                   ScmpSyscall = SYS_LSEEK
-	SNR_MMAP                    ScmpSyscall = SYS_MMAP
-	SNR_MPROTECT                ScmpSyscall = SYS_MPROTECT
-	SNR_MUNMAP                  ScmpSyscall = SYS_MUNMAP
-	SNR_BRK                     ScmpSyscall = SYS_BRK
-	SNR_RT_SIGACTION            ScmpSyscall = SYS_RT_SIGACTION
-	SNR_RT_SIGPROCMASK          ScmpSyscall = SYS_RT_SIGPROCMASK
-	SNR_RT_SIGRETURN            ScmpSyscall = SYS_RT_SIGRETURN
-	SNR_IOCTL                   ScmpSyscall = SYS_IOCTL
-	SNR_PREAD64                 ScmpSyscall = SYS_PREAD64
-	SNR_PWRITE64                ScmpSyscall = SYS_PWRITE64
-	SNR_READV                   ScmpSyscall = SYS_READV
-	SNR_WRITEV                  ScmpSyscall = SYS_WRITEV
-	SNR_ACCESS                  ScmpSyscall = SYS_ACCESS
-	SNR_PIPE                    ScmpSyscall = SYS_PIPE
-	SNR_SELECT                  ScmpSyscall = SYS_SELECT
-	SNR_SCHED_YIELD             ScmpSyscall = SYS_SCHED_YIELD
-	SNR_MREMAP                  ScmpSyscall = SYS_MREMAP
-	SNR_MSYNC                   ScmpSyscall = SYS_MSYNC
-	SNR_MINCORE                 ScmpSyscall = SYS_MINCORE
-	SNR_MADVISE                 ScmpSyscall = SYS_MADVISE
-	SNR_SHMGET                  ScmpSyscall = SYS_SHMGET
-	SNR_SHMAT                   ScmpSyscall = SYS_SHMAT
-	SNR_SHMCTL                  ScmpSyscall = SYS_SHMCTL
-	SNR_DUP                     ScmpSyscall = SYS_DUP
-	SNR_DUP2                    ScmpSyscall = SYS_DUP2
-	SNR_PAUSE                   ScmpSyscall = SYS_PAUSE
-	SNR_NANOSLEEP               ScmpSyscall = SYS_NANOSLEEP
-	SNR_GETITIMER               ScmpSyscall = SYS_GETITIMER
-	SNR_ALARM                   ScmpSyscall = SYS_ALARM
-	SNR_SETITIMER               ScmpSyscall = SYS_SETITIMER
-	SNR_GETPID                  ScmpSyscall = SYS_GETPID
-	SNR_SENDFILE                ScmpSyscall = SYS_SENDFILE
-	SNR_SOCKET                  ScmpSyscall = SYS_SOCKET
-	SNR_CONNECT                 ScmpSyscall = SYS_CONNECT
-	SNR_ACCEPT                  ScmpSyscall = SYS_ACCEPT
-	SNR_SENDTO                  ScmpSyscall = SYS_SENDTO
-	SNR_RECVFROM                ScmpSyscall = SYS_RECVFROM
-	SNR_SENDMSG                 ScmpSyscall = SYS_SENDMSG
-	SNR_RECVMSG                 ScmpSyscall = SYS_RECVMSG
-	SNR_SHUTDOWN                ScmpSyscall = SYS_SHUTDOWN
-	SNR_BIND                    ScmpSyscall = SYS_BIND
-	SNR_LISTEN                  ScmpSyscall = SYS_LISTEN
-	SNR_GETSOCKNAME             ScmpSyscall = SYS_GETSOCKNAME
-	SNR_GETPEERNAME             ScmpSyscall = SYS_GETPEERNAME
-	SNR_SOCKETPAIR              ScmpSyscall = SYS_SOCKETPAIR
-	SNR_SETSOCKOPT              ScmpSyscall = SYS_SETSOCKOPT
-	SNR_GETSOCKOPT              ScmpSyscall = SYS_GETSOCKOPT
-	SNR_CLONE                   ScmpSyscall = SYS_CLONE
-	SNR_FORK                    ScmpSyscall = SYS_FORK
-	SNR_VFORK                   ScmpSyscall = SYS_VFORK
-	SNR_EXECVE                  ScmpSyscall = SYS_EXECVE
-	SNR_EXIT                    ScmpSyscall = SYS_EXIT
-	SNR_WAIT4                   ScmpSyscall = SYS_WAIT4
-	SNR_KILL                    ScmpSyscall = SYS_KILL
-	SNR_UNAME                   ScmpSyscall = SYS_UNAME
-	SNR_SEMGET                  ScmpSyscall = SYS_SEMGET
-	SNR_SEMOP                   ScmpSyscall = SYS_SEMOP
-	SNR_SEMCTL                  ScmpSyscall = SYS_SEMCTL
-	SNR_SHMDT                   ScmpSyscall = SYS_SHMDT
-	SNR_MSGGET                  ScmpSyscall = SYS_MSGGET
-	SNR_MSGSND                  ScmpSyscall = SYS_MSGSND
-	SNR_MSGRCV                  ScmpSyscall = SYS_MSGRCV
-	SNR_MSGCTL                  ScmpSyscall = SYS_MSGCTL
-	SNR_FCNTL                   ScmpSyscall = SYS_FCNTL
-	SNR_FLOCK                   ScmpSyscall = SYS_FLOCK
-	SNR_FSYNC                   ScmpSyscall = SYS_FSYNC
-	SNR_FDATASYNC               ScmpSyscall = SYS_FDATASYNC
-	SNR_TRUNCATE                ScmpSyscall = SYS_TRUNCATE
-	SNR_FTRUNCATE               ScmpSyscall = SYS_FTRUNCATE
-	SNR_GETDENTS                ScmpSyscall = SYS_GETDENTS
-	SNR_GETCWD                  ScmpSyscall = SYS_GETCWD
-	SNR_CHDIR                   ScmpSyscall = SYS_CHDIR
-	SNR_FCHDIR                  ScmpSyscall = SYS_FCHDIR
-	SNR_RENAME                  ScmpSyscall = SYS_RENAME
-	SNR_MKDIR                   ScmpSyscall = SYS_MKDIR
-	SNR_RMDIR                   ScmpSyscall = SYS_RMDIR
-	SNR_CREAT                   ScmpSyscall = SYS_CREAT
-	SNR_LINK                    ScmpSyscall = SYS_LINK
-	SNR_UNLINK                  ScmpSyscall = SYS_UNLINK
-	SNR_SYMLINK                 ScmpSyscall = SYS_SYMLINK
-	SNR_READLINK                ScmpSyscall = SYS_READLINK
-	SNR_CHMOD                   ScmpSyscall = SYS_CHMOD
-	SNR_FCHMOD                  ScmpSyscall = SYS_FCHMOD
-	SNR_CHOWN                   ScmpSyscall = SYS_CHOWN
-	SNR_FCHOWN                  ScmpSyscall = SYS_FCHOWN
-	SNR_LCHOWN                  ScmpSyscall = SYS_LCHOWN
-	SNR_UMASK                   ScmpSyscall = SYS_UMASK
-	SNR_GETTIMEOFDAY            ScmpSyscall = SYS_GETTIMEOFDAY
-	SNR_GETRLIMIT               ScmpSyscall = SYS_GETRLIMIT
-	SNR_GETRUSAGE               ScmpSyscall = SYS_GETRUSAGE
-	SNR_SYSINFO                 ScmpSyscall = SYS_SYSINFO
-	SNR_TIMES                   ScmpSyscall = SYS_TIMES
-	SNR_PTRACE                  ScmpSyscall = SYS_PTRACE
-	SNR_GETUID                  ScmpSyscall = SYS_GETUID
-	SNR_SYSLOG                  ScmpSyscall = SYS_SYSLOG
-	SNR_GETGID                  ScmpSyscall = SYS_GETGID
-	SNR_SETUID                  ScmpSyscall = SYS_SETUID
-	SNR_SETGID                  ScmpSyscall = SYS_SETGID
-	SNR_GETEUID                 ScmpSyscall = SYS_GETEUID
-	SNR_GETEGID                 ScmpSyscall = SYS_GETEGID
-	SNR_SETPGID                 ScmpSyscall = SYS_SETPGID
-	SNR_GETPPID                 ScmpSyscall = SYS_GETPPID
-	SNR_GETPGRP                 ScmpSyscall = SYS_GETPGRP
-	SNR_SETSID                  ScmpSyscall = SYS_SETSID
-	SNR_SETREUID                ScmpSyscall = SYS_SETREUID
-	SNR_SETREGID                ScmpSyscall = SYS_SETREGID
-	SNR_GETGROUPS               ScmpSyscall = SYS_GETGROUPS
-	SNR_SETGROUPS               ScmpSyscall = SYS_SETGROUPS
-	SNR_SETRESUID               ScmpSyscall = SYS_SETRESUID
-	SNR_GETRESUID               ScmpSyscall = SYS_GETRESUID
-	SNR_SETRESGID               ScmpSyscall = SYS_SETRESGID
-	SNR_GETRESGID               ScmpSyscall = SYS_GETRESGID
-	SNR_GETPGID                 ScmpSyscall = SYS_GETPGID
-	SNR_SETFSUID                ScmpSyscall = SYS_SETFSUID
-	SNR_SETFSGID                ScmpSyscall = SYS_SETFSGID
-	SNR_GETSID                  ScmpSyscall = SYS_GETSID
-	SNR_CAPGET                  ScmpSyscall = SYS_CAPGET
-	SNR_CAPSET                  ScmpSyscall = SYS_CAPSET
-	SNR_RT_SIGPENDING           ScmpSyscall = SYS_RT_SIGPENDING
-	SNR_RT_SIGTIMEDWAIT         ScmpSyscall = SYS_RT_SIGTIMEDWAIT
-	SNR_RT_SIGQUEUEINFO         ScmpSyscall = SYS_RT_SIGQUEUEINFO
-	SNR_RT_SIGSUSPEND           ScmpSyscall = SYS_RT_SIGSUSPEND
-	SNR_SIGALTSTACK             ScmpSyscall = SYS_SIGALTSTACK
-	SNR_UTIME                   ScmpSyscall = SYS_UTIME
-	SNR_MKNOD                   ScmpSyscall = SYS_MKNOD
-	SNR_USELIB                  ScmpSyscall = SYS_USELIB
-	SNR_PERSONALITY             ScmpSyscall = SYS_PERSONALITY
-	SNR_USTAT                   ScmpSyscall = SYS_USTAT
-	SNR_STATFS                  ScmpSyscall = SYS_STATFS
-	SNR_FSTATFS                 ScmpSyscall = SYS_FSTATFS
-	SNR_SYSFS                   ScmpSyscall = SYS_SYSFS
-	SNR_GETPRIORITY             ScmpSyscall = SYS_GETPRIORITY
-	SNR_SETPRIORITY             ScmpSyscall = SYS_SETPRIORITY
-	SNR_SCHED_SETPARAM          ScmpSyscall = SYS_SCHED_SETPARAM
-	SNR_SCHED_GETPARAM          ScmpSyscall = SYS_SCHED_GETPARAM
-	SNR_SCHED_SETSCHEDULER      ScmpSyscall = SYS_SCHED_SETSCHEDULER
-	SNR_SCHED_GETSCHEDULER      ScmpSyscall = SYS_SCHED_GETSCHEDULER
-	SNR_SCHED_GET_PRIORITY_MAX  ScmpSyscall = SYS_SCHED_GET_PRIORITY_MAX
-	SNR_SCHED_GET_PRIORITY_MIN  ScmpSyscall = SYS_SCHED_GET_PRIORITY_MIN
-	SNR_SCHED_RR_GET_INTERVAL   ScmpSyscall = SYS_SCHED_RR_GET_INTERVAL
-	SNR_MLOCK                   ScmpSyscall = SYS_MLOCK
-	SNR_MUNLOCK                 ScmpSyscall = SYS_MUNLOCK
-	SNR_MLOCKALL                ScmpSyscall = SYS_MLOCKALL
-	SNR_MUNLOCKALL              ScmpSyscall = SYS_MUNLOCKALL
-	SNR_VHANGUP                 ScmpSyscall = SYS_VHANGUP
-	SNR_MODIFY_LDT              ScmpSyscall = SYS_MODIFY_LDT
-	SNR_PIVOT_ROOT              ScmpSyscall = SYS_PIVOT_ROOT
-	SNR__SYSCTL                 ScmpSyscall = SYS__SYSCTL
-	SNR_PRCTL                   ScmpSyscall = SYS_PRCTL
-	SNR_ARCH_PRCTL              ScmpSyscall = SYS_ARCH_PRCTL
-	SNR_ADJTIMEX                ScmpSyscall = SYS_ADJTIMEX
-	SNR_SETRLIMIT               ScmpSyscall = SYS_SETRLIMIT
-	SNR_CHROOT                  ScmpSyscall = SYS_CHROOT
-	SNR_SYNC                    ScmpSyscall = SYS_SYNC
-	SNR_ACCT                    ScmpSyscall = SYS_ACCT
-	SNR_SETTIMEOFDAY            ScmpSyscall = SYS_SETTIMEOFDAY
-	SNR_MOUNT                   ScmpSyscall = SYS_MOUNT
-	SNR_UMOUNT2                 ScmpSyscall = SYS_UMOUNT2
-	SNR_SWAPON                  ScmpSyscall = SYS_SWAPON
-	SNR_SWAPOFF                 ScmpSyscall = SYS_SWAPOFF
-	SNR_REBOOT                  ScmpSyscall = SYS_REBOOT
-	SNR_SETHOSTNAME             ScmpSyscall = SYS_SETHOSTNAME
-	SNR_SETDOMAINNAME           ScmpSyscall = SYS_SETDOMAINNAME
-	SNR_IOPL                    ScmpSyscall = SYS_IOPL
-	SNR_IOPERM                  ScmpSyscall = SYS_IOPERM
-	SNR_CREATE_MODULE           ScmpSyscall = SYS_CREATE_MODULE
-	SNR_INIT_MODULE             ScmpSyscall = SYS_INIT_MODULE
-	SNR_DELETE_MODULE           ScmpSyscall = SYS_DELETE_MODULE
-	SNR_GET_KERNEL_SYMS         ScmpSyscall = SYS_GET_KERNEL_SYMS
-	SNR_QUERY_MODULE            ScmpSyscall = SYS_QUERY_MODULE
-	SNR_QUOTACTL                ScmpSyscall = SYS_QUOTACTL
-	SNR_NFSSERVCTL              ScmpSyscall = SYS_NFSSERVCTL
-	SNR_GETPMSG                 ScmpSyscall = SYS_GETPMSG
-	SNR_PUTPMSG                 ScmpSyscall = SYS_PUTPMSG
-	SNR_AFS_SYSCALL             ScmpSyscall = SYS_AFS_SYSCALL
-	SNR_TUXCALL                 ScmpSyscall = SYS_TUXCALL
-	SNR_SECURITY                ScmpSyscall = SYS_SECURITY
-	SNR_GETTID                  ScmpSyscall = SYS_GETTID
-	SNR_READAHEAD               ScmpSyscall = SYS_READAHEAD
-	SNR_SETXATTR                ScmpSyscall = SYS_SETXATTR
-	SNR_LSETXATTR               ScmpSyscall = SYS_LSETXATTR
-	SNR_FSETXATTR               ScmpSyscall = SYS_FSETXATTR
-	SNR_GETXATTR                ScmpSyscall = SYS_GETXATTR
-	SNR_LGETXATTR               ScmpSyscall = SYS_LGETXATTR
-	SNR_FGETXATTR               ScmpSyscall = SYS_FGETXATTR
-	SNR_LISTXATTR               ScmpSyscall = SYS_LISTXATTR
-	SNR_LLISTXATTR              ScmpSyscall = SYS_LLISTXATTR
-	SNR_FLISTXATTR              ScmpSyscall = SYS_FLISTXATTR
-	SNR_REMOVEXATTR             ScmpSyscall = SYS_REMOVEXATTR
-	SNR_LREMOVEXATTR            ScmpSyscall = SYS_LREMOVEXATTR
-	SNR_FREMOVEXATTR            ScmpSyscall = SYS_FREMOVEXATTR
-	SNR_TKILL                   ScmpSyscall = SYS_TKILL
-	SNR_TIME                    ScmpSyscall = SYS_TIME
-	SNR_FUTEX                   ScmpSyscall = SYS_FUTEX
-	SNR_SCHED_SETAFFINITY       ScmpSyscall = SYS_SCHED_SETAFFINITY
-	SNR_SCHED_GETAFFINITY       ScmpSyscall = SYS_SCHED_GETAFFINITY
-	SNR_SET_THREAD_AREA         ScmpSyscall = SYS_SET_THREAD_AREA
-	SNR_IO_SETUP                ScmpSyscall = SYS_IO_SETUP
-	SNR_IO_DESTROY              ScmpSyscall = SYS_IO_DESTROY
-	SNR_IO_GETEVENTS            ScmpSyscall = SYS_IO_GETEVENTS
-	SNR_IO_SUBMIT               ScmpSyscall = SYS_IO_SUBMIT
-	SNR_IO_CANCEL               ScmpSyscall = SYS_IO_CANCEL
-	SNR_GET_THREAD_AREA         ScmpSyscall = SYS_GET_THREAD_AREA
-	SNR_LOOKUP_DCOOKIE          ScmpSyscall = SYS_LOOKUP_DCOOKIE
-	SNR_EPOLL_CREATE            ScmpSyscall = SYS_EPOLL_CREATE
-	SNR_EPOLL_CTL_OLD           ScmpSyscall = SYS_EPOLL_CTL_OLD
-	SNR_EPOLL_WAIT_OLD          ScmpSyscall = SYS_EPOLL_WAIT_OLD
-	SNR_REMAP_FILE_PAGES        ScmpSyscall = SYS_REMAP_FILE_PAGES
-	SNR_GETDENTS64              ScmpSyscall = SYS_GETDENTS64
-	SNR_SET_TID_ADDRESS         ScmpSyscall = SYS_SET_TID_ADDRESS
-	SNR_RESTART_SYSCALL         ScmpSyscall = SYS_RESTART_SYSCALL
-	SNR_SEMTIMEDOP              ScmpSyscall = SYS_SEMTIMEDOP
-	SNR_FADVISE64               ScmpSyscall = SYS_FADVISE64
-	SNR_TIMER_CREATE            ScmpSyscall = SYS_TIMER_CREATE
-	SNR_TIMER_SETTIME           ScmpSyscall = SYS_TIMER_SETTIME
-	SNR_TIMER_GETTIME           ScmpSyscall = SYS_TIMER_GETTIME
-	SNR_TIMER_GETOVERRUN        ScmpSyscall = SYS_TIMER_GETOVERRUN
-	SNR_TIMER_DELETE            ScmpSyscall = SYS_TIMER_DELETE
-	SNR_CLOCK_SETTIME           ScmpSyscall = SYS_CLOCK_SETTIME
-	SNR_CLOCK_GETTIME           ScmpSyscall = SYS_CLOCK_GETTIME
-	SNR_CLOCK_GETRES            ScmpSyscall = SYS_CLOCK_GETRES
-	SNR_CLOCK_NANOSLEEP         ScmpSyscall = SYS_CLOCK_NANOSLEEP
-	SNR_EXIT_GROUP              ScmpSyscall = SYS_EXIT_GROUP
-	SNR_EPOLL_WAIT              ScmpSyscall = SYS_EPOLL_WAIT
-	SNR_EPOLL_CTL               ScmpSyscall = SYS_EPOLL_CTL
-	SNR_TGKILL                  ScmpSyscall = SYS_TGKILL
-	SNR_UTIMES                  ScmpSyscall = SYS_UTIMES
-	SNR_VSERVER                 ScmpSyscall = SYS_VSERVER
-	SNR_MBIND                   ScmpSyscall = SYS_MBIND
-	SNR_SET_MEMPOLICY           ScmpSyscall = SYS_SET_MEMPOLICY
-	SNR_GET_MEMPOLICY           ScmpSyscall = SYS_GET_MEMPOLICY
-	SNR_MQ_OPEN                 ScmpSyscall = SYS_MQ_OPEN
-	SNR_MQ_UNLINK               ScmpSyscall = SYS_MQ_UNLINK
-	SNR_MQ_TIMEDSEND            ScmpSyscall = SYS_MQ_TIMEDSEND
-	SNR_MQ_TIMEDRECEIVE         ScmpSyscall = SYS_MQ_TIMEDRECEIVE
-	SNR_MQ_NOTIFY               ScmpSyscall = SYS_MQ_NOTIFY
-	SNR_MQ_GETSETATTR           ScmpSyscall = SYS_MQ_GETSETATTR
-	SNR_KEXEC_LOAD              ScmpSyscall = SYS_KEXEC_LOAD
-	SNR_WAITID                  ScmpSyscall = SYS_WAITID
-	SNR_ADD_KEY                 ScmpSyscall = SYS_ADD_KEY
-	SNR_REQUEST_KEY             ScmpSyscall = SYS_REQUEST_KEY
-	SNR_KEYCTL                  ScmpSyscall = SYS_KEYCTL
-	SNR_IOPRIO_SET              ScmpSyscall = SYS_IOPRIO_SET
-	SNR_IOPRIO_GET              ScmpSyscall = SYS_IOPRIO_GET
-	SNR_INOTIFY_INIT            ScmpSyscall = SYS_INOTIFY_INIT
-	SNR_INOTIFY_ADD_WATCH       ScmpSyscall = SYS_INOTIFY_ADD_WATCH
-	SNR_INOTIFY_RM_WATCH        ScmpSyscall = SYS_INOTIFY_RM_WATCH
-	SNR_MIGRATE_PAGES           ScmpSyscall = SYS_MIGRATE_PAGES
-	SNR_OPENAT                  ScmpSyscall = SYS_OPENAT
-	SNR_MKDIRAT                 ScmpSyscall = SYS_MKDIRAT
-	SNR_MKNODAT                 ScmpSyscall = SYS_MKNODAT
-	SNR_FCHOWNAT                ScmpSyscall = SYS_FCHOWNAT
-	SNR_FUTIMESAT               ScmpSyscall = SYS_FUTIMESAT
-	SNR_NEWFSTATAT              ScmpSyscall = SYS_NEWFSTATAT
-	SNR_UNLINKAT                ScmpSyscall = SYS_UNLINKAT
-	SNR_RENAMEAT                ScmpSyscall = SYS_RENAMEAT
-	SNR_LINKAT                  ScmpSyscall = SYS_LINKAT
-	SNR_SYMLINKAT               ScmpSyscall = SYS_SYMLINKAT
-	SNR_READLINKAT              ScmpSyscall = SYS_READLINKAT
-	SNR_FCHMODAT                ScmpSyscall = SYS_FCHMODAT
-	SNR_FACCESSAT               ScmpSyscall = SYS_FACCESSAT
-	SNR_PSELECT6                ScmpSyscall = SYS_PSELECT6
-	SNR_PPOLL                   ScmpSyscall = SYS_PPOLL
-	SNR_UNSHARE                 ScmpSyscall = SYS_UNSHARE
-	SNR_SET_ROBUST_LIST         ScmpSyscall = SYS_SET_ROBUST_LIST
-	SNR_GET_ROBUST_LIST         ScmpSyscall = SYS_GET_ROBUST_LIST
-	SNR_SPLICE                  ScmpSyscall = SYS_SPLICE
-	SNR_TEE                     ScmpSyscall = SYS_TEE
-	SNR_SYNC_FILE_RANGE         ScmpSyscall = SYS_SYNC_FILE_RANGE
-	SNR_VMSPLICE                ScmpSyscall = SYS_VMSPLICE
-	SNR_MOVE_PAGES              ScmpSyscall = SYS_MOVE_PAGES
-	SNR_UTIMENSAT               ScmpSyscall = SYS_UTIMENSAT
-	SNR_EPOLL_PWAIT             ScmpSyscall = SYS_EPOLL_PWAIT
-	SNR_SIGNALFD                ScmpSyscall = SYS_SIGNALFD
-	SNR_TIMERFD_CREATE          ScmpSyscall = SYS_TIMERFD_CREATE
-	SNR_EVENTFD                 ScmpSyscall = SYS_EVENTFD
-	SNR_FALLOCATE               ScmpSyscall = SYS_FALLOCATE
-	SNR_TIMERFD_SETTIME         ScmpSyscall = SYS_TIMERFD_SETTIME
-	SNR_TIMERFD_GETTIME         ScmpSyscall = SYS_TIMERFD_GETTIME
-	SNR_ACCEPT4                 ScmpSyscall = SYS_ACCEPT4
-	SNR_SIGNALFD4               ScmpSyscall = SYS_SIGNALFD4
-	SNR_EVENTFD2                ScmpSyscall = SYS_EVENTFD2
-	SNR_EPOLL_CREATE1           ScmpSyscall = SYS_EPOLL_CREATE1
-	SNR_DUP3                    ScmpSyscall = SYS_DUP3
-	SNR_PIPE2                   ScmpSyscall = SYS_PIPE2
-	SNR_INOTIFY_INIT1           ScmpSyscall = SYS_INOTIFY_INIT1
-	SNR_PREADV                  ScmpSyscall = SYS_PREADV
-	SNR_PWRITEV                 ScmpSyscall = SYS_PWRITEV
-	SNR_RT_TGSIGQUEUEINFO       ScmpSyscall = SYS_RT_TGSIGQUEUEINFO
-	SNR_PERF_EVENT_OPEN         ScmpSyscall = SYS_PERF_EVENT_OPEN
-	SNR_RECVMMSG                ScmpSyscall = SYS_RECVMMSG
-	SNR_FANOTIFY_INIT           ScmpSyscall = SYS_FANOTIFY_INIT
-	SNR_FANOTIFY_MARK           ScmpSyscall = SYS_FANOTIFY_MARK
-	SNR_PRLIMIT64               ScmpSyscall = SYS_PRLIMIT64
-	SNR_NAME_TO_HANDLE_AT       ScmpSyscall = SYS_NAME_TO_HANDLE_AT
-	SNR_OPEN_BY_HANDLE_AT       ScmpSyscall = SYS_OPEN_BY_HANDLE_AT
-	SNR_CLOCK_ADJTIME           ScmpSyscall = SYS_CLOCK_ADJTIME
-	SNR_SYNCFS                  ScmpSyscall = SYS_SYNCFS
-	SNR_SENDMMSG                ScmpSyscall = SYS_SENDMMSG
-	SNR_SETNS                   ScmpSyscall = SYS_SETNS
-	SNR_GETCPU                  ScmpSyscall = SYS_GETCPU
-	SNR_PROCESS_VM_READV        ScmpSyscall = SYS_PROCESS_VM_READV
-	SNR_PROCESS_VM_WRITEV       ScmpSyscall = SYS_PROCESS_VM_WRITEV
-	SNR_KCMP                    ScmpSyscall = SYS_KCMP
-	SNR_FINIT_MODULE            ScmpSyscall = SYS_FINIT_MODULE
-	SNR_SCHED_SETATTR           ScmpSyscall = SYS_SCHED_SETATTR
-	SNR_SCHED_GETATTR           ScmpSyscall = SYS_SCHED_GETATTR
-	SNR_RENAMEAT2               ScmpSyscall = SYS_RENAMEAT2
-	SNR_SECCOMP                 ScmpSyscall = SYS_SECCOMP
-	SNR_GETRANDOM               ScmpSyscall = SYS_GETRANDOM
-	SNR_MEMFD_CREATE            ScmpSyscall = SYS_MEMFD_CREATE
-	SNR_KEXEC_FILE_LOAD         ScmpSyscall = SYS_KEXEC_FILE_LOAD
-	SNR_BPF                     ScmpSyscall = SYS_BPF
-	SNR_EXECVEAT                ScmpSyscall = SYS_EXECVEAT
-	SNR_USERFAULTFD             ScmpSyscall = SYS_USERFAULTFD
-	SNR_MEMBARRIER              ScmpSyscall = SYS_MEMBARRIER
-	SNR_MLOCK2                  ScmpSyscall = SYS_MLOCK2
-	SNR_COPY_FILE_RANGE         ScmpSyscall = SYS_COPY_FILE_RANGE
-	SNR_PREADV2                 ScmpSyscall = SYS_PREADV2
-	SNR_PWRITEV2                ScmpSyscall = SYS_PWRITEV2
-	SNR_PKEY_MPROTECT           ScmpSyscall = SYS_PKEY_MPROTECT
-	SNR_PKEY_ALLOC              ScmpSyscall = SYS_PKEY_ALLOC
-	SNR_PKEY_FREE               ScmpSyscall = SYS_PKEY_FREE
-	SNR_STATX                   ScmpSyscall = SYS_STATX
-	SNR_IO_PGETEVENTS           ScmpSyscall = SYS_IO_PGETEVENTS
-	SNR_RSEQ                    ScmpSyscall = SYS_RSEQ
-	SNR_URETPROBE               ScmpSyscall = SYS_URETPROBE
-	SNR_PIDFD_SEND_SIGNAL       ScmpSyscall = SYS_PIDFD_SEND_SIGNAL
-	SNR_IO_URING_SETUP          ScmpSyscall = SYS_IO_URING_SETUP
-	SNR_IO_URING_ENTER          ScmpSyscall = SYS_IO_URING_ENTER
-	SNR_IO_URING_REGISTER       ScmpSyscall = SYS_IO_URING_REGISTER
-	SNR_OPEN_TREE               ScmpSyscall = SYS_OPEN_TREE
-	SNR_MOVE_MOUNT              ScmpSyscall = SYS_MOVE_MOUNT
-	SNR_FSOPEN                  ScmpSyscall = SYS_FSOPEN
-	SNR_FSCONFIG                ScmpSyscall = SYS_FSCONFIG
-	SNR_FSMOUNT                 ScmpSyscall = SYS_FSMOUNT
-	SNR_FSPICK                  ScmpSyscall = SYS_FSPICK
-	SNR_PIDFD_OPEN              ScmpSyscall = SYS_PIDFD_OPEN
-	SNR_CLONE3                  ScmpSyscall = SYS_CLONE3
-	SNR_CLOSE_RANGE             ScmpSyscall = SYS_CLOSE_RANGE
-	SNR_OPENAT2                 ScmpSyscall = SYS_OPENAT2
-	SNR_PIDFD_GETFD             ScmpSyscall = SYS_PIDFD_GETFD
-	SNR_FACCESSAT2              ScmpSyscall = SYS_FACCESSAT2
-	SNR_PROCESS_MADVISE         ScmpSyscall = SYS_PROCESS_MADVISE
-	SNR_EPOLL_PWAIT2            ScmpSyscall = SYS_EPOLL_PWAIT2
-	SNR_MOUNT_SETATTR           ScmpSyscall = SYS_MOUNT_SETATTR
-	SNR_QUOTACTL_FD             ScmpSyscall = SYS_QUOTACTL_FD
-	SNR_LANDLOCK_CREATE_RULESET ScmpSyscall = SYS_LANDLOCK_CREATE_RULESET
-	SNR_LANDLOCK_ADD_RULE       ScmpSyscall = SYS_LANDLOCK_ADD_RULE
-	SNR_LANDLOCK_RESTRICT_SELF  ScmpSyscall = SYS_LANDLOCK_RESTRICT_SELF
-	SNR_MEMFD_SECRET            ScmpSyscall = SYS_MEMFD_SECRET
-	SNR_PROCESS_MRELEASE        ScmpSyscall = SYS_PROCESS_MRELEASE
-	SNR_FUTEX_WAITV             ScmpSyscall = SYS_FUTEX_WAITV
-	SNR_SET_MEMPOLICY_HOME_NODE ScmpSyscall = SYS_SET_MEMPOLICY_HOME_NODE
-	SNR_CACHESTAT               ScmpSyscall = SYS_CACHESTAT
-	SNR_FCHMODAT2               ScmpSyscall = SYS_FCHMODAT2
-	SNR_MAP_SHADOW_STACK        ScmpSyscall = SYS_MAP_SHADOW_STACK
-	SNR_FUTEX_WAKE              ScmpSyscall = SYS_FUTEX_WAKE
-	SNR_FUTEX_WAIT              ScmpSyscall = SYS_FUTEX_WAIT
-	SNR_FUTEX_REQUEUE           ScmpSyscall = SYS_FUTEX_REQUEUE
-	SNR_STATMOUNT               ScmpSyscall = SYS_STATMOUNT
-	SNR_LISTMOUNT               ScmpSyscall = SYS_LISTMOUNT
-	SNR_LSM_GET_SELF_ATTR       ScmpSyscall = SYS_LSM_GET_SELF_ATTR
-	SNR_LSM_SET_SELF_ATTR       ScmpSyscall = SYS_LSM_SET_SELF_ATTR
-	SNR_LSM_LIST_MODULES        ScmpSyscall = SYS_LSM_LIST_MODULES
-	SNR_MSEAL                   ScmpSyscall = SYS_MSEAL
-)
--- a/container/std/syscall_linux_arm64.go
+++ b/container/std/syscall_linux_arm64.go
@@ -1,703 +0,0 @@
-// mksysnum_linux.pl /usr/include/asm/unistd_64.h
-// Code generated by the command above; DO NOT EDIT.
-
-package std
-
-import . "syscall"
-
-var syscallNum = map[string]ScmpSyscall{
-	"io_setup":                SNR_IO_SETUP,
-	"io_destroy":              SNR_IO_DESTROY,
-	"io_submit":               SNR_IO_SUBMIT,
-	"io_cancel":               SNR_IO_CANCEL,
-	"io_getevents":            SNR_IO_GETEVENTS,
-	"setxattr":                SNR_SETXATTR,
-	"lsetxattr":               SNR_LSETXATTR,
-	"fsetxattr":               SNR_FSETXATTR,
-	"getxattr":                SNR_GETXATTR,
-	"lgetxattr":               SNR_LGETXATTR,
-	"fgetxattr":               SNR_FGETXATTR,
-	"listxattr":               SNR_LISTXATTR,
-	"llistxattr":              SNR_LLISTXATTR,
-	"flistxattr":              SNR_FLISTXATTR,
-	"removexattr":             SNR_REMOVEXATTR,
-	"lremovexattr":            SNR_LREMOVEXATTR,
-	"fremovexattr":            SNR_FREMOVEXATTR,
-	"getcwd":                  SNR_GETCWD,
-	"lookup_dcookie":          SNR_LOOKUP_DCOOKIE,
-	"eventfd2":                SNR_EVENTFD2,
-	"epoll_create1":           SNR_EPOLL_CREATE1,
-	"epoll_ctl":               SNR_EPOLL_CTL,
-	"epoll_pwait":             SNR_EPOLL_PWAIT,
-	"dup":                     SNR_DUP,
-	"dup3":                    SNR_DUP3,
-	"fcntl":                   SNR_FCNTL,
-	"inotify_init1":           SNR_INOTIFY_INIT1,
-	"inotify_add_watch":       SNR_INOTIFY_ADD_WATCH,
-	"inotify_rm_watch":        SNR_INOTIFY_RM_WATCH,
-	"ioctl":                   SNR_IOCTL,
-	"ioprio_set":              SNR_IOPRIO_SET,
-	"ioprio_get":              SNR_IOPRIO_GET,
-	"flock":                   SNR_FLOCK,
-	"mknodat":                 SNR_MKNODAT,
-	"mkdirat":                 SNR_MKDIRAT,
-	"unlinkat":                SNR_UNLINKAT,
-	"symlinkat":               SNR_SYMLINKAT,
-	"linkat":                  SNR_LINKAT,
-	"renameat":                SNR_RENAMEAT,
-	"umount2":                 SNR_UMOUNT2,
-	"mount":                   SNR_MOUNT,
-	"pivot_root":              SNR_PIVOT_ROOT,
-	"nfsservctl":              SNR_NFSSERVCTL,
-	"statfs":                  SNR_STATFS,
-	"fstatfs":                 SNR_FSTATFS,
-	"truncate":                SNR_TRUNCATE,
-	"ftruncate":               SNR_FTRUNCATE,
-	"fallocate":               SNR_FALLOCATE,
-	"faccessat":               SNR_FACCESSAT,
-	"chdir":                   SNR_CHDIR,
-	"fchdir":                  SNR_FCHDIR,
-	"chroot":                  SNR_CHROOT,
-	"fchmod":                  SNR_FCHMOD,
-	"fchmodat":                SNR_FCHMODAT,
-	"fchownat":                SNR_FCHOWNAT,
-	"fchown":                  SNR_FCHOWN,
-	"openat":                  SNR_OPENAT,
-	"close":                   SNR_CLOSE,
-	"vhangup":                 SNR_VHANGUP,
-	"pipe2":                   SNR_PIPE2,
-	"quotactl":                SNR_QUOTACTL,
-	"getdents64":              SNR_GETDENTS64,
-	"lseek":                   SNR_LSEEK,
-	"read":                    SNR_READ,
-	"write":                   SNR_WRITE,
-	"readv":                   SNR_READV,
-	"writev":                  SNR_WRITEV,
-	"pread64":                 SNR_PREAD64,
-	"pwrite64":                SNR_PWRITE64,
-	"preadv":                  SNR_PREADV,
-	"pwritev":                 SNR_PWRITEV,
-	"sendfile":                SNR_SENDFILE,
-	"pselect6":                SNR_PSELECT6,
-	"ppoll":                   SNR_PPOLL,
-	"signalfd4":               SNR_SIGNALFD4,
-	"vmsplice":                SNR_VMSPLICE,
-	"splice":                  SNR_SPLICE,
-	"tee":                     SNR_TEE,
-	"readlinkat":              SNR_READLINKAT,
-	"newfstatat":              SNR_NEWFSTATAT,
-	"fstat":                   SNR_FSTAT,
-	"sync":                    SNR_SYNC,
-	"fsync":                   SNR_FSYNC,
-	"fdatasync":               SNR_FDATASYNC,
-	"sync_file_range":         SNR_SYNC_FILE_RANGE,
-	"timerfd_create":          SNR_TIMERFD_CREATE,
-	"timerfd_settime":         SNR_TIMERFD_SETTIME,
-	"timerfd_gettime":         SNR_TIMERFD_GETTIME,
-	"utimensat":               SNR_UTIMENSAT,
-	"acct":                    SNR_ACCT,
-	"capget":                  SNR_CAPGET,
-	"capset":                  SNR_CAPSET,
-	"personality":             SNR_PERSONALITY,
-	"exit":                    SNR_EXIT,
-	"exit_group":              SNR_EXIT_GROUP,
-	"waitid":                  SNR_WAITID,
-	"set_tid_address":         SNR_SET_TID_ADDRESS,
-	"unshare":                 SNR_UNSHARE,
-	"futex":                   SNR_FUTEX,
-	"set_robust_list":         SNR_SET_ROBUST_LIST,
-	"get_robust_list":         SNR_GET_ROBUST_LIST,
-	"nanosleep":               SNR_NANOSLEEP,
-	"getitimer":               SNR_GETITIMER,
-	"setitimer":               SNR_SETITIMER,
-	"kexec_load":              SNR_KEXEC_LOAD,
-	"init_module":             SNR_INIT_MODULE,
-	"delete_module":           SNR_DELETE_MODULE,
-	"timer_create":            SNR_TIMER_CREATE,
-	"timer_gettime":           SNR_TIMER_GETTIME,
-	"timer_getoverrun":        SNR_TIMER_GETOVERRUN,
-	"timer_settime":           SNR_TIMER_SETTIME,
-	"timer_delete":            SNR_TIMER_DELETE,
-	"clock_settime":           SNR_CLOCK_SETTIME,
-	"clock_gettime":           SNR_CLOCK_GETTIME,
-	"clock_getres":            SNR_CLOCK_GETRES,
-	"clock_nanosleep":         SNR_CLOCK_NANOSLEEP,
-	"syslog":                  SNR_SYSLOG,
-	"ptrace":                  SNR_PTRACE,
-	"sched_setparam":          SNR_SCHED_SETPARAM,
-	"sched_setscheduler":      SNR_SCHED_SETSCHEDULER,
-	"sched_getscheduler":      SNR_SCHED_GETSCHEDULER,
-	"sched_getparam":          SNR_SCHED_GETPARAM,
-	"sched_setaffinity":       SNR_SCHED_SETAFFINITY,
-	"sched_getaffinity":       SNR_SCHED_GETAFFINITY,
-	"sched_yield":             SNR_SCHED_YIELD,
-	"sched_get_priority_max":  SNR_SCHED_GET_PRIORITY_MAX,
-	"sched_get_priority_min":  SNR_SCHED_GET_PRIORITY_MIN,
-	"sched_rr_get_interval":   SNR_SCHED_RR_GET_INTERVAL,
-	"restart_syscall":         SNR_RESTART_SYSCALL,
-	"kill":                    SNR_KILL,
-	"tkill":                   SNR_TKILL,
-	"tgkill":                  SNR_TGKILL,
-	"sigaltstack":             SNR_SIGALTSTACK,
-	"rt_sigsuspend":           SNR_RT_SIGSUSPEND,
-	"rt_sigaction":            SNR_RT_SIGACTION,
-	"rt_sigprocmask":          SNR_RT_SIGPROCMASK,
-	"rt_sigpending":           SNR_RT_SIGPENDING,
-	"rt_sigtimedwait":         SNR_RT_SIGTIMEDWAIT,
-	"rt_sigqueueinfo":         SNR_RT_SIGQUEUEINFO,
-	"rt_sigreturn":            SNR_RT_SIGRETURN,
-	"setpriority":             SNR_SETPRIORITY,
-	"getpriority":             SNR_GETPRIORITY,
-	"reboot":                  SNR_REBOOT,
-	"setregid":                SNR_SETREGID,
-	"setgid":                  SNR_SETGID,
-	"setreuid":                SNR_SETREUID,
-	"setuid":                  SNR_SETUID,
-	"setresuid":               SNR_SETRESUID,
-	"getresuid":               SNR_GETRESUID,
-	"setresgid":               SNR_SETRESGID,
-	"getresgid":               SNR_GETRESGID,
-	"setfsuid":                SNR_SETFSUID,
-	"setfsgid":                SNR_SETFSGID,
-	"times":                   SNR_TIMES,
-	"setpgid":                 SNR_SETPGID,
-	"getpgid":                 SNR_GETPGID,
-	"getsid":                  SNR_GETSID,
-	"setsid":                  SNR_SETSID,
-	"getgroups":               SNR_GETGROUPS,
-	"setgroups":               SNR_SETGROUPS,
-	"uname":                   SNR_UNAME,
-	"sethostname":             SNR_SETHOSTNAME,
-	"setdomainname":           SNR_SETDOMAINNAME,
-	"getrlimit":               SNR_GETRLIMIT,
-	"setrlimit":               SNR_SETRLIMIT,
-	"getrusage":               SNR_GETRUSAGE,
-	"umask":                   SNR_UMASK,
-	"prctl":                   SNR_PRCTL,
-	"getcpu":                  SNR_GETCPU,
-	"gettimeofday":            SNR_GETTIMEOFDAY,
-	"settimeofday":            SNR_SETTIMEOFDAY,
-	"adjtimex":                SNR_ADJTIMEX,
-	"getpid":                  SNR_GETPID,
-	"getppid":                 SNR_GETPPID,
-	"getuid":                  SNR_GETUID,
-	"geteuid":                 SNR_GETEUID,
-	"getgid":                  SNR_GETGID,
-	"getegid":                 SNR_GETEGID,
-	"gettid":                  SNR_GETTID,
-	"sysinfo":                 SNR_SYSINFO,
-	"mq_open":                 SNR_MQ_OPEN,
-	"mq_unlink":               SNR_MQ_UNLINK,
-	"mq_timedsend":            SNR_MQ_TIMEDSEND,
-	"mq_timedreceive":         SNR_MQ_TIMEDRECEIVE,
-	"mq_notify":               SNR_MQ_NOTIFY,
-	"mq_getsetattr":           SNR_MQ_GETSETATTR,
-	"msgget":                  SNR_MSGGET,
-	"msgctl":                  SNR_MSGCTL,
-	"msgrcv":                  SNR_MSGRCV,
-	"msgsnd":                  SNR_MSGSND,
-	"semget":                  SNR_SEMGET,
-	"semctl":                  SNR_SEMCTL,
-	"semtimedop":              SNR_SEMTIMEDOP,
-	"semop":                   SNR_SEMOP,
-	"shmget":                  SNR_SHMGET,
-	"shmctl":                  SNR_SHMCTL,
-	"shmat":                   SNR_SHMAT,
-	"shmdt":                   SNR_SHMDT,
-	"socket":                  SNR_SOCKET,
-	"socketpair":              SNR_SOCKETPAIR,
-	"bind":                    SNR_BIND,
-	"listen":                  SNR_LISTEN,
-	"accept":                  SNR_ACCEPT,
-	"connect":                 SNR_CONNECT,
-	"getsockname":             SNR_GETSOCKNAME,
-	"getpeername":             SNR_GETPEERNAME,
-	"sendto":                  SNR_SENDTO,
-	"recvfrom":                SNR_RECVFROM,
-	"setsockopt":              SNR_SETSOCKOPT,
-	"getsockopt":              SNR_GETSOCKOPT,
-	"shutdown":                SNR_SHUTDOWN,
-	"sendmsg":                 SNR_SENDMSG,
-	"recvmsg":                 SNR_RECVMSG,
-	"readahead":               SNR_READAHEAD,
-	"brk":                     SNR_BRK,
-	"munmap":                  SNR_MUNMAP,
-	"mremap":                  SNR_MREMAP,
-	"add_key":                 SNR_ADD_KEY,
-	"request_key":             SNR_REQUEST_KEY,
-	"keyctl":                  SNR_KEYCTL,
-	"clone":                   SNR_CLONE,
-	"execve":                  SNR_EXECVE,
-	"mmap":                    SNR_MMAP,
-	"fadvise64":               SNR_FADVISE64,
-	"swapon":                  SNR_SWAPON,
-	"swapoff":                 SNR_SWAPOFF,
-	"mprotect":                SNR_MPROTECT,
-	"msync":                   SNR_MSYNC,
-	"mlock":                   SNR_MLOCK,
-	"munlock":                 SNR_MUNLOCK,
-	"mlockall":                SNR_MLOCKALL,
-	"munlockall":              SNR_MUNLOCKALL,
-	"mincore":                 SNR_MINCORE,
-	"madvise":                 SNR_MADVISE,
-	"remap_file_pages":        SNR_REMAP_FILE_PAGES,
-	"mbind":                   SNR_MBIND,
-	"get_mempolicy":           SNR_GET_MEMPOLICY,
-	"set_mempolicy":           SNR_SET_MEMPOLICY,
-	"migrate_pages":           SNR_MIGRATE_PAGES,
-	"move_pages":              SNR_MOVE_PAGES,
-	"rt_tgsigqueueinfo":       SNR_RT_TGSIGQUEUEINFO,
-	"perf_event_open":         SNR_PERF_EVENT_OPEN,
-	"accept4":                 SNR_ACCEPT4,
-	"recvmmsg":                SNR_RECVMMSG,
-	"wait4":                   SNR_WAIT4,
-	"prlimit64":               SNR_PRLIMIT64,
-	"fanotify_init":           SNR_FANOTIFY_INIT,
-	"fanotify_mark":           SNR_FANOTIFY_MARK,
-	"name_to_handle_at":       SNR_NAME_TO_HANDLE_AT,
-	"open_by_handle_at":       SNR_OPEN_BY_HANDLE_AT,
-	"clock_adjtime":           SNR_CLOCK_ADJTIME,
-	"syncfs":                  SNR_SYNCFS,
-	"setns":                   SNR_SETNS,
-	"sendmmsg":                SNR_SENDMMSG,
-	"process_vm_readv":        SNR_PROCESS_VM_READV,
-	"process_vm_writev":       SNR_PROCESS_VM_WRITEV,
-	"kcmp":                    SNR_KCMP,
-	"finit_module":            SNR_FINIT_MODULE,
-	"sched_setattr":           SNR_SCHED_SETATTR,
-	"sched_getattr":           SNR_SCHED_GETATTR,
-	"renameat2":               SNR_RENAMEAT2,
-	"seccomp":                 SNR_SECCOMP,
-	"getrandom":               SNR_GETRANDOM,
-	"memfd_create":            SNR_MEMFD_CREATE,
-	"bpf":                     SNR_BPF,
-	"execveat":                SNR_EXECVEAT,
-	"userfaultfd":             SNR_USERFAULTFD,
-	"membarrier":              SNR_MEMBARRIER,
-	"mlock2":                  SNR_MLOCK2,
-	"copy_file_range":         SNR_COPY_FILE_RANGE,
-	"preadv2":                 SNR_PREADV2,
-	"pwritev2":                SNR_PWRITEV2,
-	"pkey_mprotect":           SNR_PKEY_MPROTECT,
-	"pkey_alloc":              SNR_PKEY_ALLOC,
-	"pkey_free":               SNR_PKEY_FREE,
-	"statx":                   SNR_STATX,
-	"io_pgetevents":           SNR_IO_PGETEVENTS,
-	"rseq":                    SNR_RSEQ,
-	"kexec_file_load":         SNR_KEXEC_FILE_LOAD,
-	"pidfd_send_signal":       SNR_PIDFD_SEND_SIGNAL,
-	"io_uring_setup":          SNR_IO_URING_SETUP,
-	"io_uring_enter":          SNR_IO_URING_ENTER,
-	"io_uring_register":       SNR_IO_URING_REGISTER,
-	"open_tree":               SNR_OPEN_TREE,
-	"move_mount":              SNR_MOVE_MOUNT,
-	"fsopen":                  SNR_FSOPEN,
-	"fsconfig":                SNR_FSCONFIG,
-	"fsmount":                 SNR_FSMOUNT,
-	"fspick":                  SNR_FSPICK,
-	"pidfd_open":              SNR_PIDFD_OPEN,
-	"clone3":                  SNR_CLONE3,
-	"close_range":             SNR_CLOSE_RANGE,
-	"openat2":                 SNR_OPENAT2,
-	"pidfd_getfd":             SNR_PIDFD_GETFD,
-	"faccessat2":              SNR_FACCESSAT2,
-	"process_madvise":         SNR_PROCESS_MADVISE,
-	"epoll_pwait2":            SNR_EPOLL_PWAIT2,
-	"mount_setattr":           SNR_MOUNT_SETATTR,
-	"quotactl_fd":             SNR_QUOTACTL_FD,
-	"landlock_create_ruleset": SNR_LANDLOCK_CREATE_RULESET,
-	"landlock_add_rule":       SNR_LANDLOCK_ADD_RULE,
-	"landlock_restrict_self":  SNR_LANDLOCK_RESTRICT_SELF,
-	"memfd_secret":            SNR_MEMFD_SECRET,
-	"process_mrelease":        SNR_PROCESS_MRELEASE,
-	"futex_waitv":             SNR_FUTEX_WAITV,
-	"set_mempolicy_home_node": SNR_SET_MEMPOLICY_HOME_NODE,
-	"cachestat":               SNR_CACHESTAT,
-	"fchmodat2":               SNR_FCHMODAT2,
-	"map_shadow_stack":        SNR_MAP_SHADOW_STACK,
-	"futex_wake":              SNR_FUTEX_WAKE,
-	"futex_wait":              SNR_FUTEX_WAIT,
-	"futex_requeue":           SNR_FUTEX_REQUEUE,
-	"statmount":               SNR_STATMOUNT,
-	"listmount":               SNR_LISTMOUNT,
-	"lsm_get_self_attr":       SNR_LSM_GET_SELF_ATTR,
-	"lsm_set_self_attr":       SNR_LSM_SET_SELF_ATTR,
-	"lsm_list_modules":        SNR_LSM_LIST_MODULES,
-	"mseal":                   SNR_MSEAL,
-}
-
-const (
-	SYS_USERFAULTFD             = 282
-	SYS_MEMBARRIER              = 283
-	SYS_MLOCK2                  = 284
-	SYS_COPY_FILE_RANGE         = 285
-	SYS_PREADV2                 = 286
-	SYS_PWRITEV2                = 287
-	SYS_PKEY_MPROTECT           = 288
-	SYS_PKEY_ALLOC              = 289
-	SYS_PKEY_FREE               = 290
-	SYS_STATX                   = 291
-	SYS_IO_PGETEVENTS           = 292
-	SYS_RSEQ                    = 293
-	SYS_KEXEC_FILE_LOAD         = 294
-	SYS_PIDFD_SEND_SIGNAL       = 424
-	SYS_IO_URING_SETUP          = 425
-	SYS_IO_URING_ENTER          = 426
-	SYS_IO_URING_REGISTER       = 427
-	SYS_OPEN_TREE               = 428
-	SYS_MOVE_MOUNT              = 429
-	SYS_FSOPEN                  = 430
-	SYS_FSCONFIG                = 431
-	SYS_FSMOUNT                 = 432
-	SYS_FSPICK                  = 433
-	SYS_PIDFD_OPEN              = 434
-	SYS_CLONE3                  = 435
-	SYS_CLOSE_RANGE             = 436
-	SYS_OPENAT2                 = 437
-	SYS_PIDFD_GETFD             = 438
-	SYS_FACCESSAT2              = 439
-	SYS_PROCESS_MADVISE         = 440
-	SYS_EPOLL_PWAIT2            = 441
-	SYS_MOUNT_SETATTR           = 442
-	SYS_QUOTACTL_FD             = 443
-	SYS_LANDLOCK_CREATE_RULESET = 444
-	SYS_LANDLOCK_ADD_RULE       = 445
-	SYS_LANDLOCK_RESTRICT_SELF  = 446
-	SYS_MEMFD_SECRET            = 447
-	SYS_PROCESS_MRELEASE        = 448
-	SYS_FUTEX_WAITV             = 449
-	SYS_SET_MEMPOLICY_HOME_NODE = 450
-	SYS_CACHESTAT               = 451
-	SYS_FCHMODAT2               = 452
-	SYS_MAP_SHADOW_STACK        = 453
-	SYS_FUTEX_WAKE              = 454
-	SYS_FUTEX_WAIT              = 455
-	SYS_FUTEX_REQUEUE           = 456
-	SYS_STATMOUNT               = 457
-	SYS_LISTMOUNT               = 458
-	SYS_LSM_GET_SELF_ATTR       = 459
-	SYS_LSM_SET_SELF_ATTR       = 460
-	SYS_LSM_LIST_MODULES        = 461
-	SYS_MSEAL                   = 462
-)
-
-const (
-	SNR_IO_SETUP                ScmpSyscall = SYS_IO_SETUP
-	SNR_IO_DESTROY              ScmpSyscall = SYS_IO_DESTROY
-	SNR_IO_SUBMIT               ScmpSyscall = SYS_IO_SUBMIT
-	SNR_IO_CANCEL               ScmpSyscall = SYS_IO_CANCEL
-	SNR_IO_GETEVENTS            ScmpSyscall = SYS_IO_GETEVENTS
-	SNR_SETXATTR                ScmpSyscall = SYS_SETXATTR
-	SNR_LSETXATTR               ScmpSyscall = SYS_LSETXATTR
-	SNR_FSETXATTR               ScmpSyscall = SYS_FSETXATTR
-	SNR_GETXATTR                ScmpSyscall = SYS_GETXATTR
-	SNR_LGETXATTR               ScmpSyscall = SYS_LGETXATTR
-	SNR_FGETXATTR               ScmpSyscall = SYS_FGETXATTR
-	SNR_LISTXATTR               ScmpSyscall = SYS_LISTXATTR
-	SNR_LLISTXATTR              ScmpSyscall = SYS_LLISTXATTR
-	SNR_FLISTXATTR              ScmpSyscall = SYS_FLISTXATTR
-	SNR_REMOVEXATTR             ScmpSyscall = SYS_REMOVEXATTR
-	SNR_LREMOVEXATTR            ScmpSyscall = SYS_LREMOVEXATTR
-	SNR_FREMOVEXATTR            ScmpSyscall = SYS_FREMOVEXATTR
-	SNR_GETCWD                  ScmpSyscall = SYS_GETCWD
-	SNR_LOOKUP_DCOOKIE          ScmpSyscall = SYS_LOOKUP_DCOOKIE
-	SNR_EVENTFD2                ScmpSyscall = SYS_EVENTFD2
-	SNR_EPOLL_CREATE1           ScmpSyscall = SYS_EPOLL_CREATE1
-	SNR_EPOLL_CTL               ScmpSyscall = SYS_EPOLL_CTL
-	SNR_EPOLL_PWAIT             ScmpSyscall = SYS_EPOLL_PWAIT
-	SNR_DUP                     ScmpSyscall = SYS_DUP
-	SNR_DUP3                    ScmpSyscall = SYS_DUP3
-	SNR_FCNTL                   ScmpSyscall = SYS_FCNTL
-	SNR_INOTIFY_INIT1           ScmpSyscall = SYS_INOTIFY_INIT1
-	SNR_INOTIFY_ADD_WATCH       ScmpSyscall = SYS_INOTIFY_ADD_WATCH
-	SNR_INOTIFY_RM_WATCH        ScmpSyscall = SYS_INOTIFY_RM_WATCH
-	SNR_IOCTL                   ScmpSyscall = SYS_IOCTL
-	SNR_IOPRIO_SET              ScmpSyscall = SYS_IOPRIO_SET
-	SNR_IOPRIO_GET              ScmpSyscall = SYS_IOPRIO_GET
-	SNR_FLOCK                   ScmpSyscall = SYS_FLOCK
-	SNR_MKNODAT                 ScmpSyscall = SYS_MKNODAT
-	SNR_MKDIRAT                 ScmpSyscall = SYS_MKDIRAT
-	SNR_UNLINKAT                ScmpSyscall = SYS_UNLINKAT
-	SNR_SYMLINKAT               ScmpSyscall = SYS_SYMLINKAT
-	SNR_LINKAT                  ScmpSyscall = SYS_LINKAT
-	SNR_RENAMEAT                ScmpSyscall = SYS_RENAMEAT
-	SNR_UMOUNT2                 ScmpSyscall = SYS_UMOUNT2
-	SNR_MOUNT                   ScmpSyscall = SYS_MOUNT
-	SNR_PIVOT_ROOT              ScmpSyscall = SYS_PIVOT_ROOT
-	SNR_NFSSERVCTL              ScmpSyscall = SYS_NFSSERVCTL
-	SNR_STATFS                  ScmpSyscall = SYS_STATFS
-	SNR_FSTATFS                 ScmpSyscall = SYS_FSTATFS
-	SNR_TRUNCATE                ScmpSyscall = SYS_TRUNCATE
-	SNR_FTRUNCATE               ScmpSyscall = SYS_FTRUNCATE
-	SNR_FALLOCATE               ScmpSyscall = SYS_FALLOCATE
-	SNR_FACCESSAT               ScmpSyscall = SYS_FACCESSAT
-	SNR_CHDIR                   ScmpSyscall = SYS_CHDIR
-	SNR_FCHDIR                  ScmpSyscall = SYS_FCHDIR
-	SNR_CHROOT                  ScmpSyscall = SYS_CHROOT
-	SNR_FCHMOD                  ScmpSyscall = SYS_FCHMOD
-	SNR_FCHMODAT                ScmpSyscall = SYS_FCHMODAT
-	SNR_FCHOWNAT                ScmpSyscall = SYS_FCHOWNAT
-	SNR_FCHOWN                  ScmpSyscall = SYS_FCHOWN
-	SNR_OPENAT                  ScmpSyscall = SYS_OPENAT
-	SNR_CLOSE                   ScmpSyscall = SYS_CLOSE
-	SNR_VHANGUP                 ScmpSyscall = SYS_VHANGUP
-	SNR_PIPE2                   ScmpSyscall = SYS_PIPE2
-	SNR_QUOTACTL                ScmpSyscall = SYS_QUOTACTL
-	SNR_GETDENTS64              ScmpSyscall = SYS_GETDENTS64
-	SNR_LSEEK                   ScmpSyscall = SYS_LSEEK
-	SNR_READ                    ScmpSyscall = SYS_READ
-	SNR_WRITE                   ScmpSyscall = SYS_WRITE
-	SNR_READV                   ScmpSyscall = SYS_READV
-	SNR_WRITEV                  ScmpSyscall = SYS_WRITEV
-	SNR_PREAD64                 ScmpSyscall = SYS_PREAD64
-	SNR_PWRITE64                ScmpSyscall = SYS_PWRITE64
-	SNR_PREADV                  ScmpSyscall = SYS_PREADV
-	SNR_PWRITEV                 ScmpSyscall = SYS_PWRITEV
-	SNR_SENDFILE                ScmpSyscall = SYS_SENDFILE
-	SNR_PSELECT6                ScmpSyscall = SYS_PSELECT6
-	SNR_PPOLL                   ScmpSyscall = SYS_PPOLL
-	SNR_SIGNALFD4               ScmpSyscall = SYS_SIGNALFD4
-	SNR_VMSPLICE                ScmpSyscall = SYS_VMSPLICE
-	SNR_SPLICE                  ScmpSyscall = SYS_SPLICE
-	SNR_TEE                     ScmpSyscall = SYS_TEE
-	SNR_READLINKAT              ScmpSyscall = SYS_READLINKAT
-	SNR_NEWFSTATAT              ScmpSyscall = SYS_NEWFSTATAT
-	SNR_FSTAT                   ScmpSyscall = SYS_FSTAT
-	SNR_SYNC                    ScmpSyscall = SYS_SYNC
-	SNR_FSYNC                   ScmpSyscall = SYS_FSYNC
-	SNR_FDATASYNC               ScmpSyscall = SYS_FDATASYNC
-	SNR_SYNC_FILE_RANGE         ScmpSyscall = SYS_SYNC_FILE_RANGE
-	SNR_TIMERFD_CREATE          ScmpSyscall = SYS_TIMERFD_CREATE
-	SNR_TIMERFD_SETTIME         ScmpSyscall = SYS_TIMERFD_SETTIME
-	SNR_TIMERFD_GETTIME         ScmpSyscall = SYS_TIMERFD_GETTIME
-	SNR_UTIMENSAT               ScmpSyscall = SYS_UTIMENSAT
-	SNR_ACCT                    ScmpSyscall = SYS_ACCT
-	SNR_CAPGET                  ScmpSyscall = SYS_CAPGET
-	SNR_CAPSET                  ScmpSyscall = SYS_CAPSET
-	SNR_PERSONALITY             ScmpSyscall = SYS_PERSONALITY
-	SNR_EXIT                    ScmpSyscall = SYS_EXIT
-	SNR_EXIT_GROUP              ScmpSyscall = SYS_EXIT_GROUP
-	SNR_WAITID                  ScmpSyscall = SYS_WAITID
-	SNR_SET_TID_ADDRESS         ScmpSyscall = SYS_SET_TID_ADDRESS
-	SNR_UNSHARE                 ScmpSyscall = SYS_UNSHARE
-	SNR_FUTEX                   ScmpSyscall = SYS_FUTEX
-	SNR_SET_ROBUST_LIST         ScmpSyscall = SYS_SET_ROBUST_LIST
-	SNR_GET_ROBUST_LIST         ScmpSyscall = SYS_GET_ROBUST_LIST
-	SNR_NANOSLEEP               ScmpSyscall = SYS_NANOSLEEP
-	SNR_GETITIMER               ScmpSyscall = SYS_GETITIMER
-	SNR_SETITIMER               ScmpSyscall = SYS_SETITIMER
-	SNR_KEXEC_LOAD              ScmpSyscall = SYS_KEXEC_LOAD
-	SNR_INIT_MODULE             ScmpSyscall = SYS_INIT_MODULE
-	SNR_DELETE_MODULE           ScmpSyscall = SYS_DELETE_MODULE
-	SNR_TIMER_CREATE            ScmpSyscall = SYS_TIMER_CREATE
-	SNR_TIMER_GETTIME           ScmpSyscall = SYS_TIMER_GETTIME
-	SNR_TIMER_GETOVERRUN        ScmpSyscall = SYS_TIMER_GETOVERRUN
-	SNR_TIMER_SETTIME           ScmpSyscall = SYS_TIMER_SETTIME
-	SNR_TIMER_DELETE            ScmpSyscall = SYS_TIMER_DELETE
-	SNR_CLOCK_SETTIME           ScmpSyscall = SYS_CLOCK_SETTIME
-	SNR_CLOCK_GETTIME           ScmpSyscall = SYS_CLOCK_GETTIME
-	SNR_CLOCK_GETRES            ScmpSyscall = SYS_CLOCK_GETRES
-	SNR_CLOCK_NANOSLEEP         ScmpSyscall = SYS_CLOCK_NANOSLEEP
-	SNR_SYSLOG                  ScmpSyscall = SYS_SYSLOG
-	SNR_PTRACE                  ScmpSyscall = SYS_PTRACE
-	SNR_SCHED_SETPARAM          ScmpSyscall = SYS_SCHED_SETPARAM
-	SNR_SCHED_SETSCHEDULER      ScmpSyscall = SYS_SCHED_SETSCHEDULER
-	SNR_SCHED_GETSCHEDULER      ScmpSyscall = SYS_SCHED_GETSCHEDULER
-	SNR_SCHED_GETPARAM          ScmpSyscall = SYS_SCHED_GETPARAM
-	SNR_SCHED_SETAFFINITY       ScmpSyscall = SYS_SCHED_SETAFFINITY
-	SNR_SCHED_GETAFFINITY       ScmpSyscall = SYS_SCHED_GETAFFINITY
-	SNR_SCHED_YIELD             ScmpSyscall = SYS_SCHED_YIELD
-	SNR_SCHED_GET_PRIORITY_MAX  ScmpSyscall = SYS_SCHED_GET_PRIORITY_MAX
-	SNR_SCHED_GET_PRIORITY_MIN  ScmpSyscall = SYS_SCHED_GET_PRIORITY_MIN
-	SNR_SCHED_RR_GET_INTERVAL   ScmpSyscall = SYS_SCHED_RR_GET_INTERVAL
-	SNR_RESTART_SYSCALL         ScmpSyscall = SYS_RESTART_SYSCALL
-	SNR_KILL                    ScmpSyscall = SYS_KILL
-	SNR_TKILL                   ScmpSyscall = SYS_TKILL
-	SNR_TGKILL                  ScmpSyscall = SYS_TGKILL
-	SNR_SIGALTSTACK             ScmpSyscall = SYS_SIGALTSTACK
-	SNR_RT_SIGSUSPEND           ScmpSyscall = SYS_RT_SIGSUSPEND
-	SNR_RT_SIGACTION            ScmpSyscall = SYS_RT_SIGACTION
-	SNR_RT_SIGPROCMASK          ScmpSyscall = SYS_RT_SIGPROCMASK
-	SNR_RT_SIGPENDING           ScmpSyscall = SYS_RT_SIGPENDING
-	SNR_RT_SIGTIMEDWAIT         ScmpSyscall = SYS_RT_SIGTIMEDWAIT
-	SNR_RT_SIGQUEUEINFO         ScmpSyscall = SYS_RT_SIGQUEUEINFO
-	SNR_RT_SIGRETURN            ScmpSyscall = SYS_RT_SIGRETURN
-	SNR_SETPRIORITY             ScmpSyscall = SYS_SETPRIORITY
-	SNR_GETPRIORITY             ScmpSyscall = SYS_GETPRIORITY
-	SNR_REBOOT                  ScmpSyscall = SYS_REBOOT
-	SNR_SETREGID                ScmpSyscall = SYS_SETREGID
-	SNR_SETGID                  ScmpSyscall = SYS_SETGID
-	SNR_SETREUID                ScmpSyscall = SYS_SETREUID
-	SNR_SETUID                  ScmpSyscall = SYS_SETUID
-	SNR_SETRESUID               ScmpSyscall = SYS_SETRESUID
-	SNR_GETRESUID               ScmpSyscall = SYS_GETRESUID
-	SNR_SETRESGID               ScmpSyscall = SYS_SETRESGID
-	SNR_GETRESGID               ScmpSyscall = SYS_GETRESGID
-	SNR_SETFSUID                ScmpSyscall = SYS_SETFSUID
-	SNR_SETFSGID                ScmpSyscall = SYS_SETFSGID
-	SNR_TIMES                   ScmpSyscall = SYS_TIMES
-	SNR_SETPGID                 ScmpSyscall = SYS_SETPGID
-	SNR_GETPGID                 ScmpSyscall = SYS_GETPGID
-	SNR_GETSID                  ScmpSyscall = SYS_GETSID
-	SNR_SETSID                  ScmpSyscall = SYS_SETSID
-	SNR_GETGROUPS               ScmpSyscall = SYS_GETGROUPS
-	SNR_SETGROUPS               ScmpSyscall = SYS_SETGROUPS
-	SNR_UNAME                   ScmpSyscall = SYS_UNAME
-	SNR_SETHOSTNAME             ScmpSyscall = SYS_SETHOSTNAME
-	SNR_SETDOMAINNAME           ScmpSyscall = SYS_SETDOMAINNAME
-	SNR_GETRLIMIT               ScmpSyscall = SYS_GETRLIMIT
-	SNR_SETRLIMIT               ScmpSyscall = SYS_SETRLIMIT
-	SNR_GETRUSAGE               ScmpSyscall = SYS_GETRUSAGE
-	SNR_UMASK                   ScmpSyscall = SYS_UMASK
-	SNR_PRCTL                   ScmpSyscall = SYS_PRCTL
-	SNR_GETCPU                  ScmpSyscall = SYS_GETCPU
-	SNR_GETTIMEOFDAY            ScmpSyscall = SYS_GETTIMEOFDAY
-	SNR_SETTIMEOFDAY            ScmpSyscall = SYS_SETTIMEOFDAY
-	SNR_ADJTIMEX                ScmpSyscall = SYS_ADJTIMEX
-	SNR_GETPID                  ScmpSyscall = SYS_GETPID
-	SNR_GETPPID                 ScmpSyscall = SYS_GETPPID
-	SNR_GETUID                  ScmpSyscall = SYS_GETUID
-	SNR_GETEUID                 ScmpSyscall = SYS_GETEUID
-	SNR_GETGID                  ScmpSyscall = SYS_GETGID
-	SNR_GETEGID                 ScmpSyscall = SYS_GETEGID
-	SNR_GETTID                  ScmpSyscall = SYS_GETTID
-	SNR_SYSINFO                 ScmpSyscall = SYS_SYSINFO
-	SNR_MQ_OPEN                 ScmpSyscall = SYS_MQ_OPEN
-	SNR_MQ_UNLINK               ScmpSyscall = SYS_MQ_UNLINK
-	SNR_MQ_TIMEDSEND            ScmpSyscall = SYS_MQ_TIMEDSEND
-	SNR_MQ_TIMEDRECEIVE         ScmpSyscall = SYS_MQ_TIMEDRECEIVE
-	SNR_MQ_NOTIFY               ScmpSyscall = SYS_MQ_NOTIFY
-	SNR_MQ_GETSETATTR           ScmpSyscall = SYS_MQ_GETSETATTR
-	SNR_MSGGET                  ScmpSyscall = SYS_MSGGET
-	SNR_MSGCTL                  ScmpSyscall = SYS_MSGCTL
-	SNR_MSGRCV                  ScmpSyscall = SYS_MSGRCV
-	SNR_MSGSND                  ScmpSyscall = SYS_MSGSND
-	SNR_SEMGET                  ScmpSyscall = SYS_SEMGET
-	SNR_SEMCTL                  ScmpSyscall = SYS_SEMCTL
-	SNR_SEMTIMEDOP              ScmpSyscall = SYS_SEMTIMEDOP
-	SNR_SEMOP                   ScmpSyscall = SYS_SEMOP
-	SNR_SHMGET                  ScmpSyscall = SYS_SHMGET
-	SNR_SHMCTL                  ScmpSyscall = SYS_SHMCTL
-	SNR_SHMAT                   ScmpSyscall = SYS_SHMAT
-	SNR_SHMDT                   ScmpSyscall = SYS_SHMDT
-	SNR_SOCKET                  ScmpSyscall = SYS_SOCKET
-	SNR_SOCKETPAIR              ScmpSyscall = SYS_SOCKETPAIR
-	SNR_BIND                    ScmpSyscall = SYS_BIND
-	SNR_LISTEN                  ScmpSyscall = SYS_LISTEN
-	SNR_ACCEPT                  ScmpSyscall = SYS_ACCEPT
-	SNR_CONNECT                 ScmpSyscall = SYS_CONNECT
-	SNR_GETSOCKNAME             ScmpSyscall = SYS_GETSOCKNAME
-	SNR_GETPEERNAME             ScmpSyscall = SYS_GETPEERNAME
-	SNR_SENDTO                  ScmpSyscall = SYS_SENDTO
-	SNR_RECVFROM                ScmpSyscall = SYS_RECVFROM
-	SNR_SETSOCKOPT              ScmpSyscall = SYS_SETSOCKOPT
-	SNR_GETSOCKOPT              ScmpSyscall = SYS_GETSOCKOPT
-	SNR_SHUTDOWN                ScmpSyscall = SYS_SHUTDOWN
-	SNR_SENDMSG                 ScmpSyscall = SYS_SENDMSG
-	SNR_RECVMSG                 ScmpSyscall = SYS_RECVMSG
-	SNR_READAHEAD               ScmpSyscall = SYS_READAHEAD
-	SNR_BRK                     ScmpSyscall = SYS_BRK
-	SNR_MUNMAP                  ScmpSyscall = SYS_MUNMAP
-	SNR_MREMAP                  ScmpSyscall = SYS_MREMAP
-	SNR_ADD_KEY                 ScmpSyscall = SYS_ADD_KEY
-	SNR_REQUEST_KEY             ScmpSyscall = SYS_REQUEST_KEY
-	SNR_KEYCTL                  ScmpSyscall = SYS_KEYCTL
-	SNR_CLONE                   ScmpSyscall = SYS_CLONE
-	SNR_EXECVE                  ScmpSyscall = SYS_EXECVE
-	SNR_MMAP                    ScmpSyscall = SYS_MMAP
-	SNR_FADVISE64               ScmpSyscall = SYS_FADVISE64
-	SNR_SWAPON                  ScmpSyscall = SYS_SWAPON
-	SNR_SWAPOFF                 ScmpSyscall = SYS_SWAPOFF
-	SNR_MPROTECT                ScmpSyscall = SYS_MPROTECT
-	SNR_MSYNC                   ScmpSyscall = SYS_MSYNC
-	SNR_MLOCK                   ScmpSyscall = SYS_MLOCK
-	SNR_MUNLOCK                 ScmpSyscall = SYS_MUNLOCK
-	SNR_MLOCKALL                ScmpSyscall = SYS_MLOCKALL
-	SNR_MUNLOCKALL              ScmpSyscall = SYS_MUNLOCKALL
-	SNR_MINCORE                 ScmpSyscall = SYS_MINCORE
-	SNR_MADVISE                 ScmpSyscall = SYS_MADVISE
-	SNR_REMAP_FILE_PAGES        ScmpSyscall = SYS_REMAP_FILE_PAGES
-	SNR_MBIND                   ScmpSyscall = SYS_MBIND
-	SNR_GET_MEMPOLICY           ScmpSyscall = SYS_GET_MEMPOLICY
-	SNR_SET_MEMPOLICY           ScmpSyscall = SYS_SET_MEMPOLICY
-	SNR_MIGRATE_PAGES           ScmpSyscall = SYS_MIGRATE_PAGES
-	SNR_MOVE_PAGES              ScmpSyscall = SYS_MOVE_PAGES
-	SNR_RT_TGSIGQUEUEINFO       ScmpSyscall = SYS_RT_TGSIGQUEUEINFO
-	SNR_PERF_EVENT_OPEN         ScmpSyscall = SYS_PERF_EVENT_OPEN
-	SNR_ACCEPT4                 ScmpSyscall = SYS_ACCEPT4
-	SNR_RECVMMSG                ScmpSyscall = SYS_RECVMMSG
-	SNR_WAIT4                   ScmpSyscall = SYS_WAIT4
-	SNR_PRLIMIT64               ScmpSyscall = SYS_PRLIMIT64
-	SNR_FANOTIFY_INIT           ScmpSyscall = SYS_FANOTIFY_INIT
-	SNR_FANOTIFY_MARK           ScmpSyscall = SYS_FANOTIFY_MARK
-	SNR_NAME_TO_HANDLE_AT       ScmpSyscall = SYS_NAME_TO_HANDLE_AT
-	SNR_OPEN_BY_HANDLE_AT       ScmpSyscall = SYS_OPEN_BY_HANDLE_AT
-	SNR_CLOCK_ADJTIME           ScmpSyscall = SYS_CLOCK_ADJTIME
-	SNR_SYNCFS                  ScmpSyscall = SYS_SYNCFS
-	SNR_SETNS                   ScmpSyscall = SYS_SETNS
-	SNR_SENDMMSG                ScmpSyscall = SYS_SENDMMSG
-	SNR_PROCESS_VM_READV        ScmpSyscall = SYS_PROCESS_VM_READV
-	SNR_PROCESS_VM_WRITEV       ScmpSyscall = SYS_PROCESS_VM_WRITEV
-	SNR_KCMP                    ScmpSyscall = SYS_KCMP
-	SNR_FINIT_MODULE            ScmpSyscall = SYS_FINIT_MODULE
-	SNR_SCHED_SETATTR           ScmpSyscall = SYS_SCHED_SETATTR
-	SNR_SCHED_GETATTR           ScmpSyscall = SYS_SCHED_GETATTR
-	SNR_RENAMEAT2               ScmpSyscall = SYS_RENAMEAT2
-	SNR_SECCOMP                 ScmpSyscall = SYS_SECCOMP
-	SNR_GETRANDOM               ScmpSyscall = SYS_GETRANDOM
-	SNR_MEMFD_CREATE            ScmpSyscall = SYS_MEMFD_CREATE
-	SNR_BPF                     ScmpSyscall = SYS_BPF
-	SNR_EXECVEAT                ScmpSyscall = SYS_EXECVEAT
-	SNR_USERFAULTFD             ScmpSyscall = SYS_USERFAULTFD
-	SNR_MEMBARRIER              ScmpSyscall = SYS_MEMBARRIER
-	SNR_MLOCK2                  ScmpSyscall = SYS_MLOCK2
-	SNR_COPY_FILE_RANGE         ScmpSyscall = SYS_COPY_FILE_RANGE
-	SNR_PREADV2                 ScmpSyscall = SYS_PREADV2
-	SNR_PWRITEV2                ScmpSyscall = SYS_PWRITEV2
-	SNR_PKEY_MPROTECT           ScmpSyscall = SYS_PKEY_MPROTECT
-	SNR_PKEY_ALLOC              ScmpSyscall = SYS_PKEY_ALLOC
-	SNR_PKEY_FREE               ScmpSyscall = SYS_PKEY_FREE
-	SNR_STATX                   ScmpSyscall = SYS_STATX
-	SNR_IO_PGETEVENTS           ScmpSyscall = SYS_IO_PGETEVENTS
-	SNR_RSEQ                    ScmpSyscall = SYS_RSEQ
-	SNR_KEXEC_FILE_LOAD         ScmpSyscall = SYS_KEXEC_FILE_LOAD
-	SNR_PIDFD_SEND_SIGNAL       ScmpSyscall = SYS_PIDFD_SEND_SIGNAL
-	SNR_IO_URING_SETUP          ScmpSyscall = SYS_IO_URING_SETUP
-	SNR_IO_URING_ENTER          ScmpSyscall = SYS_IO_URING_ENTER
-	SNR_IO_URING_REGISTER       ScmpSyscall = SYS_IO_URING_REGISTER
-	SNR_OPEN_TREE               ScmpSyscall = SYS_OPEN_TREE
-	SNR_MOVE_MOUNT              ScmpSyscall = SYS_MOVE_MOUNT
-	SNR_FSOPEN                  ScmpSyscall = SYS_FSOPEN
-	SNR_FSCONFIG                ScmpSyscall = SYS_FSCONFIG
-	SNR_FSMOUNT                 ScmpSyscall = SYS_FSMOUNT
-	SNR_FSPICK                  ScmpSyscall = SYS_FSPICK
-	SNR_PIDFD_OPEN              ScmpSyscall = SYS_PIDFD_OPEN
-	SNR_CLONE3                  ScmpSyscall = SYS_CLONE3
-	SNR_CLOSE_RANGE             ScmpSyscall = SYS_CLOSE_RANGE
-	SNR_OPENAT2                 ScmpSyscall = SYS_OPENAT2
-	SNR_PIDFD_GETFD             ScmpSyscall = SYS_PIDFD_GETFD
-	SNR_FACCESSAT2              ScmpSyscall = SYS_FACCESSAT2
-	SNR_PROCESS_MADVISE         ScmpSyscall = SYS_PROCESS_MADVISE
-	SNR_EPOLL_PWAIT2            ScmpSyscall = SYS_EPOLL_PWAIT2
-	SNR_MOUNT_SETATTR           ScmpSyscall = SYS_MOUNT_SETATTR
-	SNR_QUOTACTL_FD             ScmpSyscall = SYS_QUOTACTL_FD
-	SNR_LANDLOCK_CREATE_RULESET ScmpSyscall = SYS_LANDLOCK_CREATE_RULESET
-	SNR_LANDLOCK_ADD_RULE       ScmpSyscall = SYS_LANDLOCK_ADD_RULE
-	SNR_LANDLOCK_RESTRICT_SELF  ScmpSyscall = SYS_LANDLOCK_RESTRICT_SELF
-	SNR_MEMFD_SECRET            ScmpSyscall = SYS_MEMFD_SECRET
-	SNR_PROCESS_MRELEASE        ScmpSyscall = SYS_PROCESS_MRELEASE
-	SNR_FUTEX_WAITV             ScmpSyscall = SYS_FUTEX_WAITV
-	SNR_SET_MEMPOLICY_HOME_NODE ScmpSyscall = SYS_SET_MEMPOLICY_HOME_NODE
-	SNR_CACHESTAT               ScmpSyscall = SYS_CACHESTAT
-	SNR_FCHMODAT2               ScmpSyscall = SYS_FCHMODAT2
-	SNR_MAP_SHADOW_STACK        ScmpSyscall = SYS_MAP_SHADOW_STACK
-	SNR_FUTEX_WAKE              ScmpSyscall = SYS_FUTEX_WAKE
-	SNR_FUTEX_WAIT              ScmpSyscall = SYS_FUTEX_WAIT
-	SNR_FUTEX_REQUEUE           ScmpSyscall = SYS_FUTEX_REQUEUE
-	SNR_STATMOUNT               ScmpSyscall = SYS_STATMOUNT
-	SNR_LISTMOUNT               ScmpSyscall = SYS_LISTMOUNT
-	SNR_LSM_GET_SELF_ATTR       ScmpSyscall = SYS_LSM_GET_SELF_ATTR
-	SNR_LSM_SET_SELF_ATTR       ScmpSyscall = SYS_LSM_SET_SELF_ATTR
-	SNR_LSM_LIST_MODULES        ScmpSyscall = SYS_LSM_LIST_MODULES
-	SNR_MSEAL                   ScmpSyscall = SYS_MSEAL
-)
--- a/container/std/syscall_linux_riscv64.go
+++ b/container/std/syscall_linux_riscv64.go
@@ -1,719 +0,0 @@
-// mksysnum_linux.pl /usr/include/riscv64-linux-gnu/asm/unistd.h
-// Code generated by the command above; DO NOT EDIT.
-
-package std
-
-import . "syscall"
-
-var syscallNum = map[string]ScmpSyscall{
-	"io_setup":                SNR_IO_SETUP,
-	"io_destroy":              SNR_IO_DESTROY,
-	"io_submit":               SNR_IO_SUBMIT,
-	"io_cancel":               SNR_IO_CANCEL,
-	"io_getevents":            SNR_IO_GETEVENTS,
-	"setxattr":                SNR_SETXATTR,
-	"lsetxattr":               SNR_LSETXATTR,
-	"fsetxattr":               SNR_FSETXATTR,
-	"getxattr":                SNR_GETXATTR,
-	"lgetxattr":               SNR_LGETXATTR,
-	"fgetxattr":               SNR_FGETXATTR,
-	"listxattr":               SNR_LISTXATTR,
-	"llistxattr":              SNR_LLISTXATTR,
-	"flistxattr":              SNR_FLISTXATTR,
-	"removexattr":             SNR_REMOVEXATTR,
-	"lremovexattr":            SNR_LREMOVEXATTR,
-	"fremovexattr":            SNR_FREMOVEXATTR,
-	"getcwd":                  SNR_GETCWD,
-	"lookup_dcookie":          SNR_LOOKUP_DCOOKIE,
-	"eventfd2":                SNR_EVENTFD2,
-	"epoll_create1":           SNR_EPOLL_CREATE1,
-	"epoll_ctl":               SNR_EPOLL_CTL,
-	"epoll_pwait":             SNR_EPOLL_PWAIT,
-	"dup":                     SNR_DUP,
-	"dup3":                    SNR_DUP3,
-	"fcntl":                   SNR_FCNTL,
-	"inotify_init1":           SNR_INOTIFY_INIT1,
-	"inotify_add_watch":       SNR_INOTIFY_ADD_WATCH,
-	"inotify_rm_watch":        SNR_INOTIFY_RM_WATCH,
-	"ioctl":                   SNR_IOCTL,
-	"ioprio_set":              SNR_IOPRIO_SET,
-	"ioprio_get":              SNR_IOPRIO_GET,
-	"flock":                   SNR_FLOCK,
-	"mknodat":                 SNR_MKNODAT,
-	"mkdirat":                 SNR_MKDIRAT,
-	"unlinkat":                SNR_UNLINKAT,
-	"symlinkat":               SNR_SYMLINKAT,
-	"linkat":                  SNR_LINKAT,
-	"umount2":                 SNR_UMOUNT2,
-	"mount":                   SNR_MOUNT,
-	"pivot_root":              SNR_PIVOT_ROOT,
-	"nfsservctl":              SNR_NFSSERVCTL,
-	"statfs":                  SNR_STATFS,
-	"fstatfs":                 SNR_FSTATFS,
-	"truncate":                SNR_TRUNCATE,
-	"ftruncate":               SNR_FTRUNCATE,
-	"fallocate":               SNR_FALLOCATE,
-	"faccessat":               SNR_FACCESSAT,
-	"chdir":                   SNR_CHDIR,
-	"fchdir":                  SNR_FCHDIR,
-	"chroot":                  SNR_CHROOT,
-	"fchmod":                  SNR_FCHMOD,
-	"fchmodat":                SNR_FCHMODAT,
-	"fchownat":                SNR_FCHOWNAT,
-	"fchown":                  SNR_FCHOWN,
-	"openat":                  SNR_OPENAT,
-	"close":                   SNR_CLOSE,
-	"vhangup":                 SNR_VHANGUP,
-	"pipe2":                   SNR_PIPE2,
-	"quotactl":                SNR_QUOTACTL,
-	"getdents64":              SNR_GETDENTS64,
-	"lseek":                   SNR_LSEEK,
-	"read":                    SNR_READ,
-	"write":                   SNR_WRITE,
-	"readv":                   SNR_READV,
-	"writev":                  SNR_WRITEV,
-	"pread64":                 SNR_PREAD64,
-	"pwrite64":                SNR_PWRITE64,
-	"preadv":                  SNR_PREADV,
-	"pwritev":                 SNR_PWRITEV,
-	"sendfile":                SNR_SENDFILE,
-	"pselect6":                SNR_PSELECT6,
-	"ppoll":                   SNR_PPOLL,
-	"signalfd4":               SNR_SIGNALFD4,
-	"vmsplice":                SNR_VMSPLICE,
-	"splice":                  SNR_SPLICE,
-	"tee":                     SNR_TEE,
-	"readlinkat":              SNR_READLINKAT,
-	"newfstatat":              SNR_NEWFSTATAT,
-	"fstat":                   SNR_FSTAT,
-	"sync":                    SNR_SYNC,
-	"fsync":                   SNR_FSYNC,
-	"fdatasync":               SNR_FDATASYNC,
-	"sync_file_range":         SNR_SYNC_FILE_RANGE,
-	"timerfd_create":          SNR_TIMERFD_CREATE,
-	"timerfd_settime":         SNR_TIMERFD_SETTIME,
-	"timerfd_gettime":         SNR_TIMERFD_GETTIME,
-	"utimensat":               SNR_UTIMENSAT,
-	"acct":                    SNR_ACCT,
-	"capget":                  SNR_CAPGET,
-	"capset":                  SNR_CAPSET,
-	"personality":             SNR_PERSONALITY,
-	"exit":                    SNR_EXIT,
-	"exit_group":              SNR_EXIT_GROUP,
-	"waitid":                  SNR_WAITID,
-	"set_tid_address":         SNR_SET_TID_ADDRESS,
-	"unshare":                 SNR_UNSHARE,
-	"futex":                   SNR_FUTEX,
-	"set_robust_list":         SNR_SET_ROBUST_LIST,
-	"get_robust_list":         SNR_GET_ROBUST_LIST,
-	"nanosleep":               SNR_NANOSLEEP,
-	"getitimer":               SNR_GETITIMER,
-	"setitimer":               SNR_SETITIMER,
-	"kexec_load":              SNR_KEXEC_LOAD,
-	"init_module":             SNR_INIT_MODULE,
-	"delete_module":           SNR_DELETE_MODULE,
-	"timer_create":            SNR_TIMER_CREATE,
-	"timer_gettime":           SNR_TIMER_GETTIME,
-	"timer_getoverrun":        SNR_TIMER_GETOVERRUN,
-	"timer_settime":           SNR_TIMER_SETTIME,
-	"timer_delete":            SNR_TIMER_DELETE,
-	"clock_settime":           SNR_CLOCK_SETTIME,
-	"clock_gettime":           SNR_CLOCK_GETTIME,
-	"clock_getres":            SNR_CLOCK_GETRES,
-	"clock_nanosleep":         SNR_CLOCK_NANOSLEEP,
-	"syslog":                  SNR_SYSLOG,
-	"ptrace":                  SNR_PTRACE,
-	"sched_setparam":          SNR_SCHED_SETPARAM,
-	"sched_setscheduler":      SNR_SCHED_SETSCHEDULER,
-	"sched_getscheduler":      SNR_SCHED_GETSCHEDULER,
-	"sched_getparam":          SNR_SCHED_GETPARAM,
-	"sched_setaffinity":       SNR_SCHED_SETAFFINITY,
-	"sched_getaffinity":       SNR_SCHED_GETAFFINITY,
-	"sched_yield":             SNR_SCHED_YIELD,
-	"sched_get_priority_max":  SNR_SCHED_GET_PRIORITY_MAX,
-	"sched_get_priority_min":  SNR_SCHED_GET_PRIORITY_MIN,
-	"sched_rr_get_interval":   SNR_SCHED_RR_GET_INTERVAL,
-	"restart_syscall":         SNR_RESTART_SYSCALL,
-	"kill":                    SNR_KILL,
-	"tkill":                   SNR_TKILL,
-	"tgkill":                  SNR_TGKILL,
-	"sigaltstack":             SNR_SIGALTSTACK,
-	"rt_sigsuspend":           SNR_RT_SIGSUSPEND,
-	"rt_sigaction":            SNR_RT_SIGACTION,
-	"rt_sigprocmask":          SNR_RT_SIGPROCMASK,
-	"rt_sigpending":           SNR_RT_SIGPENDING,
-	"rt_sigtimedwait":         SNR_RT_SIGTIMEDWAIT,
-	"rt_sigqueueinfo":         SNR_RT_SIGQUEUEINFO,
-	"rt_sigreturn":            SNR_RT_SIGRETURN,
-	"setpriority":             SNR_SETPRIORITY,
-	"getpriority":             SNR_GETPRIORITY,
-	"reboot":                  SNR_REBOOT,
-	"setregid":                SNR_SETREGID,
-	"setgid":                  SNR_SETGID,
-	"setreuid":                SNR_SETREUID,
-	"setuid":                  SNR_SETUID,
-	"setresuid":               SNR_SETRESUID,
-	"getresuid":               SNR_GETRESUID,
-	"setresgid":               SNR_SETRESGID,
-	"getresgid":               SNR_GETRESGID,
-	"setfsuid":                SNR_SETFSUID,
-	"setfsgid":                SNR_SETFSGID,
-	"times":                   SNR_TIMES,
-	"setpgid":                 SNR_SETPGID,
-	"getpgid":                 SNR_GETPGID,
-	"getsid":                  SNR_GETSID,
-	"setsid":                  SNR_SETSID,
-	"getgroups":               SNR_GETGROUPS,
-	"setgroups":               SNR_SETGROUPS,
-	"uname":                   SNR_UNAME,
-	"sethostname":             SNR_SETHOSTNAME,
-	"setdomainname":           SNR_SETDOMAINNAME,
-	"getrlimit":               SNR_GETRLIMIT,
-	"setrlimit":               SNR_SETRLIMIT,
-	"getrusage":               SNR_GETRUSAGE,
-	"umask":                   SNR_UMASK,
-	"prctl":                   SNR_PRCTL,
-	"getcpu":                  SNR_GETCPU,
-	"gettimeofday":            SNR_GETTIMEOFDAY,
-	"settimeofday":            SNR_SETTIMEOFDAY,
-	"adjtimex":                SNR_ADJTIMEX,
-	"getpid":                  SNR_GETPID,
-	"getppid":                 SNR_GETPPID,
-	"getuid":                  SNR_GETUID,
-	"geteuid":                 SNR_GETEUID,
-	"getgid":                  SNR_GETGID,
-	"getegid":                 SNR_GETEGID,
-	"gettid":                  SNR_GETTID,
-	"sysinfo":                 SNR_SYSINFO,
-	"mq_open":                 SNR_MQ_OPEN,
-	"mq_unlink":               SNR_MQ_UNLINK,
-	"mq_timedsend":            SNR_MQ_TIMEDSEND,
-	"mq_timedreceive":         SNR_MQ_TIMEDRECEIVE,
-	"mq_notify":               SNR_MQ_NOTIFY,
-	"mq_getsetattr":           SNR_MQ_GETSETATTR,
-	"msgget":                  SNR_MSGGET,
-	"msgctl":                  SNR_MSGCTL,
-	"msgrcv":                  SNR_MSGRCV,
-	"msgsnd":                  SNR_MSGSND,
-	"semget":                  SNR_SEMGET,
-	"semctl":                  SNR_SEMCTL,
-	"semtimedop":              SNR_SEMTIMEDOP,
-	"semop":                   SNR_SEMOP,
-	"shmget":                  SNR_SHMGET,
-	"shmctl":                  SNR_SHMCTL,
-	"shmat":                   SNR_SHMAT,
-	"shmdt":                   SNR_SHMDT,
-	"socket":                  SNR_SOCKET,
-	"socketpair":              SNR_SOCKETPAIR,
-	"bind":                    SNR_BIND,
-	"listen":                  SNR_LISTEN,
-	"accept":                  SNR_ACCEPT,
-	"connect":                 SNR_CONNECT,
-	"getsockname":             SNR_GETSOCKNAME,
-	"getpeername":             SNR_GETPEERNAME,
-	"sendto":                  SNR_SENDTO,
-	"recvfrom":                SNR_RECVFROM,
-	"setsockopt":              SNR_SETSOCKOPT,
-	"getsockopt":              SNR_GETSOCKOPT,
-	"shutdown":                SNR_SHUTDOWN,
-	"sendmsg":                 SNR_SENDMSG,
-	"recvmsg":                 SNR_RECVMSG,
-	"readahead":               SNR_READAHEAD,
-	"brk":                     SNR_BRK,
-	"munmap":                  SNR_MUNMAP,
-	"mremap":                  SNR_MREMAP,
-	"add_key":                 SNR_ADD_KEY,
-	"request_key":             SNR_REQUEST_KEY,
-	"keyctl":                  SNR_KEYCTL,
-	"clone":                   SNR_CLONE,
-	"execve":                  SNR_EXECVE,
-	"mmap":                    SNR_MMAP,
-	"fadvise64":               SNR_FADVISE64,
-	"swapon":                  SNR_SWAPON,
-	"swapoff":                 SNR_SWAPOFF,
-	"mprotect":                SNR_MPROTECT,
-	"msync":                   SNR_MSYNC,
-	"mlock":                   SNR_MLOCK,
-	"munlock":                 SNR_MUNLOCK,
-	"mlockall":                SNR_MLOCKALL,
-	"munlockall":              SNR_MUNLOCKALL,
-	"mincore":                 SNR_MINCORE,
-	"madvise":                 SNR_MADVISE,
-	"remap_file_pages":        SNR_REMAP_FILE_PAGES,
-	"mbind":                   SNR_MBIND,
-	"get_mempolicy":           SNR_GET_MEMPOLICY,
-	"set_mempolicy":           SNR_SET_MEMPOLICY,
-	"migrate_pages":           SNR_MIGRATE_PAGES,
-	"move_pages":              SNR_MOVE_PAGES,
-	"rt_tgsigqueueinfo":       SNR_RT_TGSIGQUEUEINFO,
-	"perf_event_open":         SNR_PERF_EVENT_OPEN,
-	"accept4":                 SNR_ACCEPT4,
-	"recvmmsg":                SNR_RECVMMSG,
-	"wait4":                   SNR_WAIT4,
-	"prlimit64":               SNR_PRLIMIT64,
-	"fanotify_init":           SNR_FANOTIFY_INIT,
-	"fanotify_mark":           SNR_FANOTIFY_MARK,
-	"name_to_handle_at":       SNR_NAME_TO_HANDLE_AT,
-	"open_by_handle_at":       SNR_OPEN_BY_HANDLE_AT,
-	"clock_adjtime":           SNR_CLOCK_ADJTIME,
-	"syncfs":                  SNR_SYNCFS,
-	"setns":                   SNR_SETNS,
-	"sendmmsg":                SNR_SENDMMSG,
-	"process_vm_readv":        SNR_PROCESS_VM_READV,
-	"process_vm_writev":       SNR_PROCESS_VM_WRITEV,
-	"kcmp":                    SNR_KCMP,
-	"finit_module":            SNR_FINIT_MODULE,
-	"sched_setattr":           SNR_SCHED_SETATTR,
-	"sched_getattr":           SNR_SCHED_GETATTR,
-	"renameat2":               SNR_RENAMEAT2,
-	"seccomp":                 SNR_SECCOMP,
-	"getrandom":               SNR_GETRANDOM,
-	"memfd_create":            SNR_MEMFD_CREATE,
-	"bpf":                     SNR_BPF,
-	"execveat":                SNR_EXECVEAT,
-	"userfaultfd":             SNR_USERFAULTFD,
-	"membarrier":              SNR_MEMBARRIER,
-	"mlock2":                  SNR_MLOCK2,
-	"copy_file_range":         SNR_COPY_FILE_RANGE,
-	"preadv2":                 SNR_PREADV2,
-	"pwritev2":                SNR_PWRITEV2,
-	"pkey_mprotect":           SNR_PKEY_MPROTECT,
-	"pkey_alloc":              SNR_PKEY_ALLOC,
-	"pkey_free":               SNR_PKEY_FREE,
-	"statx":                   SNR_STATX,
-	"io_pgetevents":           SNR_IO_PGETEVENTS,
-	"rseq":                    SNR_RSEQ,
-	"kexec_file_load":         SNR_KEXEC_FILE_LOAD,
-	"pidfd_send_signal":       SNR_PIDFD_SEND_SIGNAL,
-	"io_uring_setup":          SNR_IO_URING_SETUP,
-	"io_uring_enter":          SNR_IO_URING_ENTER,
-	"io_uring_register":       SNR_IO_URING_REGISTER,
-	"open_tree":               SNR_OPEN_TREE,
-	"move_mount":              SNR_MOVE_MOUNT,
-	"fsopen":                  SNR_FSOPEN,
-	"fsconfig":                SNR_FSCONFIG,
-	"fsmount":                 SNR_FSMOUNT,
-	"fspick":                  SNR_FSPICK,
-	"pidfd_open":              SNR_PIDFD_OPEN,
-	"clone3":                  SNR_CLONE3,
-	"close_range":             SNR_CLOSE_RANGE,
-	"openat2":                 SNR_OPENAT2,
-	"pidfd_getfd":             SNR_PIDFD_GETFD,
-	"faccessat2":              SNR_FACCESSAT2,
-	"process_madvise":         SNR_PROCESS_MADVISE,
-	"epoll_pwait2":            SNR_EPOLL_PWAIT2,
-	"mount_setattr":           SNR_MOUNT_SETATTR,
-	"quotactl_fd":             SNR_QUOTACTL_FD,
-	"landlock_create_ruleset": SNR_LANDLOCK_CREATE_RULESET,
-	"landlock_add_rule":       SNR_LANDLOCK_ADD_RULE,
-	"landlock_restrict_self":  SNR_LANDLOCK_RESTRICT_SELF,
-	"memfd_secret":            SNR_MEMFD_SECRET,
-	"process_mrelease":        SNR_PROCESS_MRELEASE,
-	"futex_waitv":             SNR_FUTEX_WAITV,
-	"set_mempolicy_home_node": SNR_SET_MEMPOLICY_HOME_NODE,
-	"cachestat":               SNR_CACHESTAT,
-	"fchmodat2":               SNR_FCHMODAT2,
-	"map_shadow_stack":        SNR_MAP_SHADOW_STACK,
-	"futex_wake":              SNR_FUTEX_WAKE,
-	"futex_wait":              SNR_FUTEX_WAIT,
-	"futex_requeue":           SNR_FUTEX_REQUEUE,
-	"statmount":               SNR_STATMOUNT,
-	"listmount":               SNR_LISTMOUNT,
-	"lsm_get_self_attr":       SNR_LSM_GET_SELF_ATTR,
-	"lsm_set_self_attr":       SNR_LSM_SET_SELF_ATTR,
-	"lsm_list_modules":        SNR_LSM_LIST_MODULES,
-	"mseal":                   SNR_MSEAL,
-	"setxattrat":              SNR_SETXATTRAT,
-	"getxattrat":              SNR_GETXATTRAT,
-	"listxattrat":             SNR_LISTXATTRAT,
-	"removexattrat":           SNR_REMOVEXATTRAT,
-}
-
-const (
-	SYS_USERFAULTFD             = 282
-	SYS_MEMBARRIER              = 283
-	SYS_MLOCK2                  = 284
-	SYS_COPY_FILE_RANGE         = 285
-	SYS_PREADV2                 = 286
-	SYS_PWRITEV2                = 287
-	SYS_PKEY_MPROTECT           = 288
-	SYS_PKEY_ALLOC              = 289
-	SYS_PKEY_FREE               = 290
-	SYS_STATX                   = 291
-	SYS_IO_PGETEVENTS           = 292
-	SYS_RSEQ                    = 293
-	SYS_KEXEC_FILE_LOAD         = 294
-	SYS_PIDFD_SEND_SIGNAL       = 424
-	SYS_IO_URING_SETUP          = 425
-	SYS_IO_URING_ENTER          = 426
-	SYS_IO_URING_REGISTER       = 427
-	SYS_OPEN_TREE               = 428
-	SYS_MOVE_MOUNT              = 429
-	SYS_FSOPEN                  = 430
-	SYS_FSCONFIG                = 431
-	SYS_FSMOUNT                 = 432
-	SYS_FSPICK                  = 433
-	SYS_PIDFD_OPEN              = 434
-	SYS_CLONE3                  = 435
-	SYS_CLOSE_RANGE             = 436
-	SYS_OPENAT2                 = 437
-	SYS_PIDFD_GETFD             = 438
-	SYS_FACCESSAT2              = 439
-	SYS_PROCESS_MADVISE         = 440
-	SYS_EPOLL_PWAIT2            = 441
-	SYS_MOUNT_SETATTR           = 442
-	SYS_QUOTACTL_FD             = 443
-	SYS_LANDLOCK_CREATE_RULESET = 444
-	SYS_LANDLOCK_ADD_RULE       = 445
-	SYS_LANDLOCK_RESTRICT_SELF  = 446
-	SYS_MEMFD_SECRET            = 447
-	SYS_PROCESS_MRELEASE        = 448
-	SYS_FUTEX_WAITV             = 449
-	SYS_SET_MEMPOLICY_HOME_NODE = 450
-	SYS_CACHESTAT               = 451
-	SYS_FCHMODAT2               = 452
-	SYS_MAP_SHADOW_STACK        = 453
-	SYS_FUTEX_WAKE              = 454
-	SYS_FUTEX_WAIT              = 455
-	SYS_FUTEX_REQUEUE           = 456
-	SYS_STATMOUNT               = 457
-	SYS_LISTMOUNT               = 458
-	SYS_LSM_GET_SELF_ATTR       = 459
-	SYS_LSM_SET_SELF_ATTR       = 460
-	SYS_LSM_LIST_MODULES        = 461
-	SYS_MSEAL                   = 462
-	SYS_SETXATTRAT              = 463
-	SYS_GETXATTRAT              = 464
-	SYS_LISTXATTRAT             = 465
-	SYS_REMOVEXATTRAT           = 466
-	SYS_OPEN_TREE_ATTR          = 467
-	SYS_FILE_GETATTR            = 468
-	SYS_FILE_SETATTR            = 469
-)
-
-const (
-	SNR_IO_SETUP                ScmpSyscall = SYS_IO_SETUP
-	SNR_IO_DESTROY              ScmpSyscall = SYS_IO_DESTROY
-	SNR_IO_SUBMIT               ScmpSyscall = SYS_IO_SUBMIT
-	SNR_IO_CANCEL               ScmpSyscall = SYS_IO_CANCEL
-	SNR_IO_GETEVENTS            ScmpSyscall = SYS_IO_GETEVENTS
-	SNR_SETXATTR                ScmpSyscall = SYS_SETXATTR
-	SNR_LSETXATTR               ScmpSyscall = SYS_LSETXATTR
-	SNR_FSETXATTR               ScmpSyscall = SYS_FSETXATTR
-	SNR_GETXATTR                ScmpSyscall = SYS_GETXATTR
-	SNR_LGETXATTR               ScmpSyscall = SYS_LGETXATTR
-	SNR_FGETXATTR               ScmpSyscall = SYS_FGETXATTR
-	SNR_LISTXATTR               ScmpSyscall = SYS_LISTXATTR
-	SNR_LLISTXATTR              ScmpSyscall = SYS_LLISTXATTR
-	SNR_FLISTXATTR              ScmpSyscall = SYS_FLISTXATTR
-	SNR_REMOVEXATTR             ScmpSyscall = SYS_REMOVEXATTR
-	SNR_LREMOVEXATTR            ScmpSyscall = SYS_LREMOVEXATTR
-	SNR_FREMOVEXATTR            ScmpSyscall = SYS_FREMOVEXATTR
-	SNR_GETCWD                  ScmpSyscall = SYS_GETCWD
-	SNR_LOOKUP_DCOOKIE          ScmpSyscall = SYS_LOOKUP_DCOOKIE
-	SNR_EVENTFD2                ScmpSyscall = SYS_EVENTFD2
-	SNR_EPOLL_CREATE1           ScmpSyscall = SYS_EPOLL_CREATE1
-	SNR_EPOLL_CTL               ScmpSyscall = SYS_EPOLL_CTL
-	SNR_EPOLL_PWAIT             ScmpSyscall = SYS_EPOLL_PWAIT
-	SNR_DUP                     ScmpSyscall = SYS_DUP
-	SNR_DUP3                    ScmpSyscall = SYS_DUP3
-	SNR_FCNTL                   ScmpSyscall = SYS_FCNTL
-	SNR_INOTIFY_INIT1           ScmpSyscall = SYS_INOTIFY_INIT1
-	SNR_INOTIFY_ADD_WATCH       ScmpSyscall = SYS_INOTIFY_ADD_WATCH
-	SNR_INOTIFY_RM_WATCH        ScmpSyscall = SYS_INOTIFY_RM_WATCH
-	SNR_IOCTL                   ScmpSyscall = SYS_IOCTL
-	SNR_IOPRIO_SET              ScmpSyscall = SYS_IOPRIO_SET
-	SNR_IOPRIO_GET              ScmpSyscall = SYS_IOPRIO_GET
-	SNR_FLOCK                   ScmpSyscall = SYS_FLOCK
-	SNR_MKNODAT                 ScmpSyscall = SYS_MKNODAT
-	SNR_MKDIRAT                 ScmpSyscall = SYS_MKDIRAT
-	SNR_UNLINKAT                ScmpSyscall = SYS_UNLINKAT
-	SNR_SYMLINKAT               ScmpSyscall = SYS_SYMLINKAT
-	SNR_LINKAT                  ScmpSyscall = SYS_LINKAT
-	SNR_UMOUNT2                 ScmpSyscall = SYS_UMOUNT2
-	SNR_MOUNT                   ScmpSyscall = SYS_MOUNT
-	SNR_PIVOT_ROOT              ScmpSyscall = SYS_PIVOT_ROOT
-	SNR_NFSSERVCTL              ScmpSyscall = SYS_NFSSERVCTL
-	SNR_STATFS                  ScmpSyscall = SYS_STATFS
-	SNR_FSTATFS                 ScmpSyscall = SYS_FSTATFS
-	SNR_TRUNCATE                ScmpSyscall = SYS_TRUNCATE
-	SNR_FTRUNCATE               ScmpSyscall = SYS_FTRUNCATE
-	SNR_FALLOCATE               ScmpSyscall = SYS_FALLOCATE
-	SNR_FACCESSAT               ScmpSyscall = SYS_FACCESSAT
-	SNR_CHDIR                   ScmpSyscall = SYS_CHDIR
-	SNR_FCHDIR                  ScmpSyscall = SYS_FCHDIR
-	SNR_CHROOT                  ScmpSyscall = SYS_CHROOT
-	SNR_FCHMOD                  ScmpSyscall = SYS_FCHMOD
-	SNR_FCHMODAT                ScmpSyscall = SYS_FCHMODAT
-	SNR_FCHOWNAT                ScmpSyscall = SYS_FCHOWNAT
-	SNR_FCHOWN                  ScmpSyscall = SYS_FCHOWN
-	SNR_OPENAT                  ScmpSyscall = SYS_OPENAT
-	SNR_CLOSE                   ScmpSyscall = SYS_CLOSE
-	SNR_VHANGUP                 ScmpSyscall = SYS_VHANGUP
-	SNR_PIPE2                   ScmpSyscall = SYS_PIPE2
-	SNR_QUOTACTL                ScmpSyscall = SYS_QUOTACTL
-	SNR_GETDENTS64              ScmpSyscall = SYS_GETDENTS64
-	SNR_LSEEK                   ScmpSyscall = SYS_LSEEK
-	SNR_READ                    ScmpSyscall = SYS_READ
-	SNR_WRITE                   ScmpSyscall = SYS_WRITE
-	SNR_READV                   ScmpSyscall = SYS_READV
-	SNR_WRITEV                  ScmpSyscall = SYS_WRITEV
-	SNR_PREAD64                 ScmpSyscall = SYS_PREAD64
-	SNR_PWRITE64                ScmpSyscall = SYS_PWRITE64
-	SNR_PREADV                  ScmpSyscall = SYS_PREADV
-	SNR_PWRITEV                 ScmpSyscall = SYS_PWRITEV
-	SNR_SENDFILE                ScmpSyscall = SYS_SENDFILE
-	SNR_PSELECT6                ScmpSyscall = SYS_PSELECT6
-	SNR_PPOLL                   ScmpSyscall = SYS_PPOLL
-	SNR_SIGNALFD4               ScmpSyscall = SYS_SIGNALFD4
-	SNR_VMSPLICE                ScmpSyscall = SYS_VMSPLICE
-	SNR_SPLICE                  ScmpSyscall = SYS_SPLICE
-	SNR_TEE                     ScmpSyscall = SYS_TEE
-	SNR_READLINKAT              ScmpSyscall = SYS_READLINKAT
-	SNR_NEWFSTATAT              ScmpSyscall = SYS_NEWFSTATAT
-	SNR_FSTAT                   ScmpSyscall = SYS_FSTAT
-	SNR_SYNC                    ScmpSyscall = SYS_SYNC
-	SNR_FSYNC                   ScmpSyscall = SYS_FSYNC
-	SNR_FDATASYNC               ScmpSyscall = SYS_FDATASYNC
-	SNR_SYNC_FILE_RANGE         ScmpSyscall = SYS_SYNC_FILE_RANGE
-	SNR_TIMERFD_CREATE          ScmpSyscall = SYS_TIMERFD_CREATE
-	SNR_TIMERFD_SETTIME         ScmpSyscall = SYS_TIMERFD_SETTIME
-	SNR_TIMERFD_GETTIME         ScmpSyscall = SYS_TIMERFD_GETTIME
-	SNR_UTIMENSAT               ScmpSyscall = SYS_UTIMENSAT
-	SNR_ACCT                    ScmpSyscall = SYS_ACCT
-	SNR_CAPGET                  ScmpSyscall = SYS_CAPGET
-	SNR_CAPSET                  ScmpSyscall = SYS_CAPSET
-	SNR_PERSONALITY             ScmpSyscall = SYS_PERSONALITY
-	SNR_EXIT                    ScmpSyscall = SYS_EXIT
-	SNR_EXIT_GROUP              ScmpSyscall = SYS_EXIT_GROUP
-	SNR_WAITID                  ScmpSyscall = SYS_WAITID
-	SNR_SET_TID_ADDRESS         ScmpSyscall = SYS_SET_TID_ADDRESS
-	SNR_UNSHARE                 ScmpSyscall = SYS_UNSHARE
-	SNR_FUTEX                   ScmpSyscall = SYS_FUTEX
-	SNR_SET_ROBUST_LIST         ScmpSyscall = SYS_SET_ROBUST_LIST
-	SNR_GET_ROBUST_LIST         ScmpSyscall = SYS_GET_ROBUST_LIST
-	SNR_NANOSLEEP               ScmpSyscall = SYS_NANOSLEEP
-	SNR_GETITIMER               ScmpSyscall = SYS_GETITIMER
-	SNR_SETITIMER               ScmpSyscall = SYS_SETITIMER
-	SNR_KEXEC_LOAD              ScmpSyscall = SYS_KEXEC_LOAD
-	SNR_INIT_MODULE             ScmpSyscall = SYS_INIT_MODULE
-	SNR_DELETE_MODULE           ScmpSyscall = SYS_DELETE_MODULE
-	SNR_TIMER_CREATE            ScmpSyscall = SYS_TIMER_CREATE
-	SNR_TIMER_GETTIME           ScmpSyscall = SYS_TIMER_GETTIME
-	SNR_TIMER_GETOVERRUN        ScmpSyscall = SYS_TIMER_GETOVERRUN
-	SNR_TIMER_SETTIME           ScmpSyscall = SYS_TIMER_SETTIME
-	SNR_TIMER_DELETE            ScmpSyscall = SYS_TIMER_DELETE
-	SNR_CLOCK_SETTIME           ScmpSyscall = SYS_CLOCK_SETTIME
-	SNR_CLOCK_GETTIME           ScmpSyscall = SYS_CLOCK_GETTIME
-	SNR_CLOCK_GETRES            ScmpSyscall = SYS_CLOCK_GETRES
-	SNR_CLOCK_NANOSLEEP         ScmpSyscall = SYS_CLOCK_NANOSLEEP
-	SNR_SYSLOG                  ScmpSyscall = SYS_SYSLOG
-	SNR_PTRACE                  ScmpSyscall = SYS_PTRACE
-	SNR_SCHED_SETPARAM          ScmpSyscall = SYS_SCHED_SETPARAM
-	SNR_SCHED_SETSCHEDULER      ScmpSyscall = SYS_SCHED_SETSCHEDULER
-	SNR_SCHED_GETSCHEDULER      ScmpSyscall = SYS_SCHED_GETSCHEDULER
-	SNR_SCHED_GETPARAM          ScmpSyscall = SYS_SCHED_GETPARAM
-	SNR_SCHED_SETAFFINITY       ScmpSyscall = SYS_SCHED_SETAFFINITY
-	SNR_SCHED_GETAFFINITY       ScmpSyscall = SYS_SCHED_GETAFFINITY
-	SNR_SCHED_YIELD             ScmpSyscall = SYS_SCHED_YIELD
-	SNR_SCHED_GET_PRIORITY_MAX  ScmpSyscall = SYS_SCHED_GET_PRIORITY_MAX
-	SNR_SCHED_GET_PRIORITY_MIN  ScmpSyscall = SYS_SCHED_GET_PRIORITY_MIN
-	SNR_SCHED_RR_GET_INTERVAL   ScmpSyscall = SYS_SCHED_RR_GET_INTERVAL
-	SNR_RESTART_SYSCALL         ScmpSyscall = SYS_RESTART_SYSCALL
-	SNR_KILL                    ScmpSyscall = SYS_KILL
-	SNR_TKILL                   ScmpSyscall = SYS_TKILL
-	SNR_TGKILL                  ScmpSyscall = SYS_TGKILL
-	SNR_SIGALTSTACK             ScmpSyscall = SYS_SIGALTSTACK
-	SNR_RT_SIGSUSPEND           ScmpSyscall = SYS_RT_SIGSUSPEND
-	SNR_RT_SIGACTION            ScmpSyscall = SYS_RT_SIGACTION
-	SNR_RT_SIGPROCMASK          ScmpSyscall = SYS_RT_SIGPROCMASK
-	SNR_RT_SIGPENDING           ScmpSyscall = SYS_RT_SIGPENDING
-	SNR_RT_SIGTIMEDWAIT         ScmpSyscall = SYS_RT_SIGTIMEDWAIT
-	SNR_RT_SIGQUEUEINFO         ScmpSyscall = SYS_RT_SIGQUEUEINFO
-	SNR_RT_SIGRETURN            ScmpSyscall = SYS_RT_SIGRETURN
-	SNR_SETPRIORITY             ScmpSyscall = SYS_SETPRIORITY
-	SNR_GETPRIORITY             ScmpSyscall = SYS_GETPRIORITY
-	SNR_REBOOT                  ScmpSyscall = SYS_REBOOT
-	SNR_SETREGID                ScmpSyscall = SYS_SETREGID
-	SNR_SETGID                  ScmpSyscall = SYS_SETGID
-	SNR_SETREUID                ScmpSyscall = SYS_SETREUID
-	SNR_SETUID                  ScmpSyscall = SYS_SETUID
-	SNR_SETRESUID               ScmpSyscall = SYS_SETRESUID
-	SNR_GETRESUID               ScmpSyscall = SYS_GETRESUID
-	SNR_SETRESGID               ScmpSyscall = SYS_SETRESGID
-	SNR_GETRESGID               ScmpSyscall = SYS_GETRESGID
-	SNR_SETFSUID                ScmpSyscall = SYS_SETFSUID
-	SNR_SETFSGID                ScmpSyscall = SYS_SETFSGID
-	SNR_TIMES                   ScmpSyscall = SYS_TIMES
-	SNR_SETPGID                 ScmpSyscall = SYS_SETPGID
-	SNR_GETPGID                 ScmpSyscall = SYS_GETPGID
-	SNR_GETSID                  ScmpSyscall = SYS_GETSID
-	SNR_SETSID                  ScmpSyscall = SYS_SETSID
-	SNR_GETGROUPS               ScmpSyscall = SYS_GETGROUPS
-	SNR_SETGROUPS               ScmpSyscall = SYS_SETGROUPS
-	SNR_UNAME                   ScmpSyscall = SYS_UNAME
-	SNR_SETHOSTNAME             ScmpSyscall = SYS_SETHOSTNAME
-	SNR_SETDOMAINNAME           ScmpSyscall = SYS_SETDOMAINNAME
-	SNR_GETRLIMIT               ScmpSyscall = SYS_GETRLIMIT
-	SNR_SETRLIMIT               ScmpSyscall = SYS_SETRLIMIT
-	SNR_GETRUSAGE               ScmpSyscall = SYS_GETRUSAGE
-	SNR_UMASK                   ScmpSyscall = SYS_UMASK
-	SNR_PRCTL                   ScmpSyscall = SYS_PRCTL
-	SNR_GETCPU                  ScmpSyscall = SYS_GETCPU
-	SNR_GETTIMEOFDAY            ScmpSyscall = SYS_GETTIMEOFDAY
-	SNR_SETTIMEOFDAY            ScmpSyscall = SYS_SETTIMEOFDAY
-	SNR_ADJTIMEX                ScmpSyscall = SYS_ADJTIMEX
-	SNR_GETPID                  ScmpSyscall = SYS_GETPID
-	SNR_GETPPID                 ScmpSyscall = SYS_GETPPID
-	SNR_GETUID                  ScmpSyscall = SYS_GETUID
-	SNR_GETEUID                 ScmpSyscall = SYS_GETEUID
-	SNR_GETGID                  ScmpSyscall = SYS_GETGID
-	SNR_GETEGID                 ScmpSyscall = SYS_GETEGID
-	SNR_GETTID                  ScmpSyscall = SYS_GETTID
-	SNR_SYSINFO                 ScmpSyscall = SYS_SYSINFO
-	SNR_MQ_OPEN                 ScmpSyscall = SYS_MQ_OPEN
-	SNR_MQ_UNLINK               ScmpSyscall = SYS_MQ_UNLINK
-	SNR_MQ_TIMEDSEND            ScmpSyscall = SYS_MQ_TIMEDSEND
-	SNR_MQ_TIMEDRECEIVE         ScmpSyscall = SYS_MQ_TIMEDRECEIVE
-	SNR_MQ_NOTIFY               ScmpSyscall = SYS_MQ_NOTIFY
-	SNR_MQ_GETSETATTR           ScmpSyscall = SYS_MQ_GETSETATTR
-	SNR_MSGGET                  ScmpSyscall = SYS_MSGGET
-	SNR_MSGCTL                  ScmpSyscall = SYS_MSGCTL
-	SNR_MSGRCV                  ScmpSyscall = SYS_MSGRCV
-	SNR_MSGSND                  ScmpSyscall = SYS_MSGSND
-	SNR_SEMGET                  ScmpSyscall = SYS_SEMGET
-	SNR_SEMCTL                  ScmpSyscall = SYS_SEMCTL
-	SNR_SEMTIMEDOP              ScmpSyscall = SYS_SEMTIMEDOP
-	SNR_SEMOP                   ScmpSyscall = SYS_SEMOP
-	SNR_SHMGET                  ScmpSyscall = SYS_SHMGET
-	SNR_SHMCTL                  ScmpSyscall = SYS_SHMCTL
-	SNR_SHMAT                   ScmpSyscall = SYS_SHMAT
-	SNR_SHMDT                   ScmpSyscall = SYS_SHMDT
-	SNR_SOCKET                  ScmpSyscall = SYS_SOCKET
-	SNR_SOCKETPAIR              ScmpSyscall = SYS_SOCKETPAIR
-	SNR_BIND                    ScmpSyscall = SYS_BIND
-	SNR_LISTEN                  ScmpSyscall = SYS_LISTEN
-	SNR_ACCEPT                  ScmpSyscall = SYS_ACCEPT
-	SNR_CONNECT                 ScmpSyscall = SYS_CONNECT
-	SNR_GETSOCKNAME             ScmpSyscall = SYS_GETSOCKNAME
-	SNR_GETPEERNAME             ScmpSyscall = SYS_GETPEERNAME
-	SNR_SENDTO                  ScmpSyscall = SYS_SENDTO
-	SNR_RECVFROM                ScmpSyscall = SYS_RECVFROM
-	SNR_SETSOCKOPT              ScmpSyscall = SYS_SETSOCKOPT
-	SNR_GETSOCKOPT              ScmpSyscall = SYS_GETSOCKOPT
-	SNR_SHUTDOWN                ScmpSyscall = SYS_SHUTDOWN
-	SNR_SENDMSG                 ScmpSyscall = SYS_SENDMSG
-	SNR_RECVMSG                 ScmpSyscall = SYS_RECVMSG
-	SNR_READAHEAD               ScmpSyscall = SYS_READAHEAD
-	SNR_BRK                     ScmpSyscall = SYS_BRK
-	SNR_MUNMAP                  ScmpSyscall = SYS_MUNMAP
-	SNR_MREMAP                  ScmpSyscall = SYS_MREMAP
-	SNR_ADD_KEY                 ScmpSyscall = SYS_ADD_KEY
-	SNR_REQUEST_KEY             ScmpSyscall = SYS_REQUEST_KEY
-	SNR_KEYCTL                  ScmpSyscall = SYS_KEYCTL
-	SNR_CLONE                   ScmpSyscall = SYS_CLONE
-	SNR_EXECVE                  ScmpSyscall = SYS_EXECVE
-	SNR_MMAP                    ScmpSyscall = SYS_MMAP
-	SNR_FADVISE64               ScmpSyscall = SYS_FADVISE64
-	SNR_SWAPON                  ScmpSyscall = SYS_SWAPON
-	SNR_SWAPOFF                 ScmpSyscall = SYS_SWAPOFF
-	SNR_MPROTECT                ScmpSyscall = SYS_MPROTECT
-	SNR_MSYNC                   ScmpSyscall = SYS_MSYNC
-	SNR_MLOCK                   ScmpSyscall = SYS_MLOCK
-	SNR_MUNLOCK                 ScmpSyscall = SYS_MUNLOCK
-	SNR_MLOCKALL                ScmpSyscall = SYS_MLOCKALL
-	SNR_MUNLOCKALL              ScmpSyscall = SYS_MUNLOCKALL
-	SNR_MINCORE                 ScmpSyscall = SYS_MINCORE
-	SNR_MADVISE                 ScmpSyscall = SYS_MADVISE
-	SNR_REMAP_FILE_PAGES        ScmpSyscall = SYS_REMAP_FILE_PAGES
-	SNR_MBIND                   ScmpSyscall = SYS_MBIND
-	SNR_GET_MEMPOLICY           ScmpSyscall = SYS_GET_MEMPOLICY
-	SNR_SET_MEMPOLICY           ScmpSyscall = SYS_SET_MEMPOLICY
-	SNR_MIGRATE_PAGES           ScmpSyscall = SYS_MIGRATE_PAGES
-	SNR_MOVE_PAGES              ScmpSyscall = SYS_MOVE_PAGES
-	SNR_RT_TGSIGQUEUEINFO       ScmpSyscall = SYS_RT_TGSIGQUEUEINFO
-	SNR_PERF_EVENT_OPEN         ScmpSyscall = SYS_PERF_EVENT_OPEN
-	SNR_ACCEPT4                 ScmpSyscall = SYS_ACCEPT4
-	SNR_RECVMMSG                ScmpSyscall = SYS_RECVMMSG
-	SNR_WAIT4                   ScmpSyscall = SYS_WAIT4
-	SNR_PRLIMIT64               ScmpSyscall = SYS_PRLIMIT64
-	SNR_FANOTIFY_INIT           ScmpSyscall = SYS_FANOTIFY_INIT
-	SNR_FANOTIFY_MARK           ScmpSyscall = SYS_FANOTIFY_MARK
-	SNR_NAME_TO_HANDLE_AT       ScmpSyscall = SYS_NAME_TO_HANDLE_AT
-	SNR_OPEN_BY_HANDLE_AT       ScmpSyscall = SYS_OPEN_BY_HANDLE_AT
-	SNR_CLOCK_ADJTIME           ScmpSyscall = SYS_CLOCK_ADJTIME
-	SNR_SYNCFS                  ScmpSyscall = SYS_SYNCFS
-	SNR_SETNS                   ScmpSyscall = SYS_SETNS
-	SNR_SENDMMSG                ScmpSyscall = SYS_SENDMMSG
-	SNR_PROCESS_VM_READV        ScmpSyscall = SYS_PROCESS_VM_READV
-	SNR_PROCESS_VM_WRITEV       ScmpSyscall = SYS_PROCESS_VM_WRITEV
-	SNR_KCMP                    ScmpSyscall = SYS_KCMP
-	SNR_FINIT_MODULE            ScmpSyscall = SYS_FINIT_MODULE
-	SNR_SCHED_SETATTR           ScmpSyscall = SYS_SCHED_SETATTR
-	SNR_SCHED_GETATTR           ScmpSyscall = SYS_SCHED_GETATTR
-	SNR_RENAMEAT2               ScmpSyscall = SYS_RENAMEAT2
-	SNR_SECCOMP                 ScmpSyscall = SYS_SECCOMP
-	SNR_GETRANDOM               ScmpSyscall = SYS_GETRANDOM
-	SNR_MEMFD_CREATE            ScmpSyscall = SYS_MEMFD_CREATE
-	SNR_BPF                     ScmpSyscall = SYS_BPF
-	SNR_EXECVEAT                ScmpSyscall = SYS_EXECVEAT
-	SNR_USERFAULTFD             ScmpSyscall = SYS_USERFAULTFD
-	SNR_MEMBARRIER              ScmpSyscall = SYS_MEMBARRIER
-	SNR_MLOCK2                  ScmpSyscall = SYS_MLOCK2
-	SNR_COPY_FILE_RANGE         ScmpSyscall = SYS_COPY_FILE_RANGE
-	SNR_PREADV2                 ScmpSyscall = SYS_PREADV2
-	SNR_PWRITEV2                ScmpSyscall = SYS_PWRITEV2
-	SNR_PKEY_MPROTECT           ScmpSyscall = SYS_PKEY_MPROTECT
-	SNR_PKEY_ALLOC              ScmpSyscall = SYS_PKEY_ALLOC
-	SNR_PKEY_FREE               ScmpSyscall = SYS_PKEY_FREE
-	SNR_STATX                   ScmpSyscall = SYS_STATX
-	SNR_IO_PGETEVENTS           ScmpSyscall = SYS_IO_PGETEVENTS
-	SNR_RSEQ                    ScmpSyscall = SYS_RSEQ
-	SNR_KEXEC_FILE_LOAD         ScmpSyscall = SYS_KEXEC_FILE_LOAD
-	SNR_PIDFD_SEND_SIGNAL       ScmpSyscall = SYS_PIDFD_SEND_SIGNAL
-	SNR_IO_URING_SETUP          ScmpSyscall = SYS_IO_URING_SETUP
-	SNR_IO_URING_ENTER          ScmpSyscall = SYS_IO_URING_ENTER
-	SNR_IO_URING_REGISTER       ScmpSyscall = SYS_IO_URING_REGISTER
-	SNR_OPEN_TREE               ScmpSyscall = SYS_OPEN_TREE
-	SNR_MOVE_MOUNT              ScmpSyscall = SYS_MOVE_MOUNT
-	SNR_FSOPEN                  ScmpSyscall = SYS_FSOPEN
-	SNR_FSCONFIG                ScmpSyscall = SYS_FSCONFIG
-	SNR_FSMOUNT                 ScmpSyscall = SYS_FSMOUNT
-	SNR_FSPICK                  ScmpSyscall = SYS_FSPICK
-	SNR_PIDFD_OPEN              ScmpSyscall = SYS_PIDFD_OPEN
-	SNR_CLONE3                  ScmpSyscall = SYS_CLONE3
-	SNR_CLOSE_RANGE             ScmpSyscall = SYS_CLOSE_RANGE
-	SNR_OPENAT2                 ScmpSyscall = SYS_OPENAT2
-	SNR_PIDFD_GETFD             ScmpSyscall = SYS_PIDFD_GETFD
-	SNR_FACCESSAT2              ScmpSyscall = SYS_FACCESSAT2
-	SNR_PROCESS_MADVISE         ScmpSyscall = SYS_PROCESS_MADVISE
-	SNR_EPOLL_PWAIT2            ScmpSyscall = SYS_EPOLL_PWAIT2
-	SNR_MOUNT_SETATTR           ScmpSyscall = SYS_MOUNT_SETATTR
-	SNR_QUOTACTL_FD             ScmpSyscall = SYS_QUOTACTL_FD
-	SNR_LANDLOCK_CREATE_RULESET ScmpSyscall = SYS_LANDLOCK_CREATE_RULESET
-	SNR_LANDLOCK_ADD_RULE       ScmpSyscall = SYS_LANDLOCK_ADD_RULE
-	SNR_LANDLOCK_RESTRICT_SELF  ScmpSyscall = SYS_LANDLOCK_RESTRICT_SELF
-	SNR_MEMFD_SECRET            ScmpSyscall = SYS_MEMFD_SECRET
-	SNR_PROCESS_MRELEASE        ScmpSyscall = SYS_PROCESS_MRELEASE
-	SNR_FUTEX_WAITV             ScmpSyscall = SYS_FUTEX_WAITV
-	SNR_SET_MEMPOLICY_HOME_NODE ScmpSyscall = SYS_SET_MEMPOLICY_HOME_NODE
-	SNR_CACHESTAT               ScmpSyscall = SYS_CACHESTAT
-	SNR_FCHMODAT2               ScmpSyscall = SYS_FCHMODAT2
-	SNR_MAP_SHADOW_STACK        ScmpSyscall = SYS_MAP_SHADOW_STACK
-	SNR_FUTEX_WAKE              ScmpSyscall = SYS_FUTEX_WAKE
-	SNR_FUTEX_WAIT              ScmpSyscall = SYS_FUTEX_WAIT
-	SNR_FUTEX_REQUEUE           ScmpSyscall = SYS_FUTEX_REQUEUE
-	SNR_STATMOUNT               ScmpSyscall = SYS_STATMOUNT
-	SNR_LISTMOUNT               ScmpSyscall = SYS_LISTMOUNT
-	SNR_LSM_GET_SELF_ATTR       ScmpSyscall = SYS_LSM_GET_SELF_ATTR
-	SNR_LSM_SET_SELF_ATTR       ScmpSyscall = SYS_LSM_SET_SELF_ATTR
-	SNR_LSM_LIST_MODULES        ScmpSyscall = SYS_LSM_LIST_MODULES
-	SNR_MSEAL                   ScmpSyscall = SYS_MSEAL
-	SNR_SETXATTRAT              ScmpSyscall = SYS_SETXATTRAT
-	SNR_GETXATTRAT              ScmpSyscall = SYS_GETXATTRAT
-	SNR_LISTXATTRAT             ScmpSyscall = SYS_LISTXATTRAT
-	SNR_REMOVEXATTRAT           ScmpSyscall = SYS_REMOVEXATTRAT
-	SNR_OPEN_TREE_ATTR          ScmpSyscall = SYS_OPEN_TREE_ATTR
-	SNR_FILE_GETATTR            ScmpSyscall = SYS_FILE_GETATTR
-	SNR_FILE_SETATTR            ScmpSyscall = SYS_FILE_SETATTR
-)
--- a/container/std/types.go
+++ b/container/std/types.go
@@ -1,8 +0,0 @@
-package std
-
-type (
-	// Uint is equivalent to C.uint.
-	Uint uint32
-	// Int is equivalent to C.int.
-	Int int32
-)
--- a/container/syscall.go
+++ b/container/syscall.go
@@ -4,49 +4,18 @@ import (
 	. "syscall"
 	"unsafe"

-	"hakurei.app/container/std"
+	"hakurei.app/ext"
 )

-// Prctl manipulates various aspects of the behavior of the calling thread or process.
-func Prctl(op, arg2, arg3 uintptr) error {
-	r, _, errno := Syscall(SYS_PRCTL, op, arg2, arg3)
-	if r < 0 {
-		return errno
-	}
-	return nil
-}
-
-// SetPtracer allows processes to ptrace(2) the calling process.
-func SetPtracer(pid uintptr) error { return Prctl(PR_SET_PTRACER, pid, 0) }
-
-// linux/sched/coredump.h
-const (
-	SUID_DUMP_DISABLE = iota
-	SUID_DUMP_USER
-)
-
-// SetDumpable sets the "dumpable" attribute of the calling process.
-func SetDumpable(dumpable uintptr) error { return Prctl(PR_SET_DUMPABLE, dumpable, 0) }
-
 // SetNoNewPrivs sets the calling thread's no_new_privs attribute.
-func SetNoNewPrivs() error { return Prctl(PR_SET_NO_NEW_PRIVS, 1, 0) }
-
-// Isatty tests whether a file descriptor refers to a terminal.
-func Isatty(fd int) bool {
-	var buf [8]byte
-	r, _, _ := Syscall(
-		SYS_IOCTL,
-		uintptr(fd),
-		TIOCGWINSZ,
-		uintptr(unsafe.Pointer(&buf[0])),
-	)
-	return r == 0
+func SetNoNewPrivs() error {
+	return ext.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0)
 }

 // schedParam is equivalent to struct sched_param from include/linux/sched.h.
 type schedParam struct {
 	// sched_priority
-	priority std.Int
+	priority ext.Int
 }

 // schedSetscheduler sets both the scheduling policy and parameters for the
@@ -62,7 +31,7 @@ type schedParam struct {
 // this if you do not have something similar in place!
 //
 // [very subtle to use correctly]: https://www.openwall.com/lists/musl/2016/03/01/4
-func schedSetscheduler(tid int, policy std.SchedPolicy, param *schedParam) error {
+func schedSetscheduler(tid int, policy ext.SchedPolicy, param *schedParam) error {
 	if _, _, errno := Syscall(
 		SYS_SCHED_SETSCHEDULER,
 		uintptr(tid),
@@ -73,19 +42,3 @@ func schedSetscheduler(tid int, policy std.SchedPolicy, param *schedParam) error
 	}
 	return nil
 }
-
-// IgnoringEINTR makes a function call and repeats it if it returns an
-// EINTR error. This appears to be required even though we install all
-// signal handlers with SA_RESTART: see #22838, #38033, #38836, #40846.
-// Also #20400 and #36644 are issues in which a signal handler is
-// installed without setting SA_RESTART. None of these are the common case,
-// but there are enough of them that it seems that we can't avoid
-// an EINTR loop.
-func IgnoringEINTR(fn func() error) error {
-	for {
-		err := fn()
-		if err != EINTR {
-			return err
-		}
-	}
-}
--- a/container/syscall_close_range.go
+++ b/container/syscall_close_range.go
@@ -0,0 +1,11 @@
+//go:build close_range
+
+package container
+
+import "hakurei.app/ext"
+
+// doCloseOnExec implements ensureCloseOnExec by calling CloseRange with
+// CLOSE_RANGE_CLOEXEC.
+func doCloseOnExec() error {
+	return ext.CloseRange(0, ext.MaxUint, ext.CLOSE_RANGE_CLOEXEC)
+}
--- a/container/syscall_range_proc.go
+++ b/container/syscall_range_proc.go
@@ -0,0 +1,28 @@
+//go:build !close_range
+
+package container
+
+import (
+	"os"
+	"strconv"
+	"syscall"
+
+	"hakurei.app/fhs"
+)
+
+// doCloseOnExec implements ensureCloseOnExec by ranging over proc_pid_fd(5).
+func doCloseOnExec() error {
+	entries, err := os.ReadDir(fhs.ProcSelf + "fd/")
+	if err != nil {
+		return err
+	}
+
+	var fd int
+	for _, ent := range entries {
+		if fd, err = strconv.Atoi(ent.Name()); err != nil {
+			return err // not reached
+		}
+		syscall.CloseOnExec(fd)
+	}
+	return nil
+}
--- a/container/sysctl.go
+++ b/container/sysctl.go
@@ -6,7 +6,7 @@ import (
 	"strconv"
 	"sync"

-	"hakurei.app/container/fhs"
+	"hakurei.app/fhs"
 	"hakurei.app/message"
 )

--- a/ext/ext.go
+++ b/ext/ext.go
@@ -0,0 +1,85 @@
+// Package ext provides wrappers around nonportable system interfaces.
+package ext
+
+import (
+	"encoding/json"
+	"iter"
+	"math"
+	"strconv"
+)
+
+// checked in container/seccomp
+type (
+	// Uint is equivalent to C.uint.
+	Uint = uint32
+	// Int is equivalent to C.int.
+	Int = int32
+)
+
+// Integer limit values.
+const (
+	MaxUint = math.MaxUint32
+	MaxInt  = math.MaxInt32
+)
+
+// SyscallNum represents an architecture-specific, Linux syscall number.
+type SyscallNum Int
+
+// Syscalls returns an iterator over all wired syscalls.
+func Syscalls() iter.Seq2[string, SyscallNum] {
+	return func(yield func(string, SyscallNum) bool) {
+		for name, num := range syscallNum {
+			if !yield(name, num) {
+				return
+			}
+		}
+		for name, num := range syscallNumExtra {
+			if !yield(name, num) {
+				return
+			}
+		}
+	}
+}
+
+// SyscallResolveName resolves a syscall number from its string representation.
+func SyscallResolveName(name string) (num SyscallNum, ok bool) {
+	if num, ok = syscallNum[name]; ok {
+		return
+	}
+	num, ok = syscallNumExtra[name]
+	return
+}
+
+// MarshalJSON resolves the name of [Syscall] and encodes it as a [json] string.
+// If such a name does not exist, the syscall number is encoded instead.
+func (num *SyscallNum) MarshalJSON() ([]byte, error) {
+	n := *num
+	for name, cur := range Syscalls() {
+		if cur == n {
+			return json.Marshal(name)
+		}
+	}
+	return json.Marshal(n)
+}
+
+// SyscallNameError is returned when trying to unmarshal an invalid syscall name into [ScmpSyscall].
+type SyscallNameError string
+
+func (e SyscallNameError) Error() string {
+	return "invalid syscall name " + strconv.Quote(string(e))
+}
+
+// UnmarshalJSON looks up the syscall number corresponding to name encoded in data
+// by calling [SyscallResolveName].
+func (num *SyscallNum) UnmarshalJSON(data []byte) error {
+	var name string
+	if err := json.Unmarshal(data, &name); err != nil {
+		return err
+	}
+	if n, ok := SyscallResolveName(name); !ok {
+		return SyscallNameError(name)
+	} else {
+		*num = n
+		return nil
+	}
+}
--- a/container/std/seccomp_test.go
+++ b/container/std/seccomp_test.go
@@ -1,4 +1,4 @@
-package std_test
+package ext_test

 import (
 	"encoding/json"
@@ -7,39 +7,39 @@ import (
 	"reflect"
 	"testing"

-	"hakurei.app/container/std"
+	"hakurei.app/ext"
 )

-func TestScmpSyscall(t *testing.T) {
+func TestSyscall(t *testing.T) {
 	t.Parallel()

 	testCases := []struct {
 		name string
 		data string
-		want std.ScmpSyscall
+		want ext.SyscallNum
 		err  error
 	}{
-		{"epoll_create1", `"epoll_create1"`, std.SNR_EPOLL_CREATE1, nil},
-		{"clone3", `"clone3"`, std.SNR_CLONE3, nil},
+		{"epoll_create1", `"epoll_create1"`, ext.SNR_EPOLL_CREATE1, nil},
+		{"clone3", `"clone3"`, ext.SNR_CLONE3, nil},

 		{"oob", `-2147483647`, -math.MaxInt32,
 			&json.UnmarshalTypeError{Value: "number", Type: reflect.TypeFor[string](), Offset: 11}},
 		{"name", `"nonexistent_syscall"`, -math.MaxInt32,
-			std.SyscallNameError("nonexistent_syscall")},
+			ext.SyscallNameError("nonexistent_syscall")},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()

 			t.Run("decode", func(t *testing.T) {
-				var got std.ScmpSyscall
+				var got ext.SyscallNum
 				if err := json.Unmarshal([]byte(tc.data), &got); !reflect.DeepEqual(err, tc.err) {
 					t.Fatalf("Unmarshal: error = %#v, want %#v", err, tc.err)
 				} else if err == nil && got != tc.want {
 					t.Errorf("Unmarshal: %v, want %v", got, tc.want)
 				}
 			})
-			if errors.As(tc.err, new(std.SyscallNameError)) {
+			if errors.As(tc.err, new(ext.SyscallNameError)) {
 				return
 			}

@@ -55,8 +55,22 @@ func TestScmpSyscall(t *testing.T) {

 	t.Run("error", func(t *testing.T) {
 		const want = `invalid syscall name "\x00"`
-		if got := std.SyscallNameError("\x00").Error(); got != want {
+		if got := ext.SyscallNameError("\x00").Error(); got != want {
 			t.Fatalf("Error: %q, want %q", got, want)
 		}
 	})
 }
+
+func TestSyscallResolveName(t *testing.T) {
+	t.Parallel()
+
+	for name, want := range ext.Syscalls() {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			if got, ok := ext.SyscallResolveName(name); !ok || got != want {
+				t.Errorf("SyscallResolveName(%q) = %d, want %d", name, got, want)
+			}
+		})
+	}
+}
--- a/container/std/mksysnum_linux.pl
+++ b/container/std/mksysnum_linux.pl
@@ -19,11 +19,11 @@ print <<EOF;
 // $command
 // Code generated by the command above; DO NOT EDIT.

-package std
+package ext

 import . "syscall"

-var syscallNum = map[string]ScmpSyscall{
+var syscallNum = map[string]SyscallNum{
 EOF

 my $offset = 0;
@@ -45,7 +45,7 @@ sub fmt {
 		print "	\"$name\": SNR_$name_upper,\n";
 	}
 	elsif($state == 1){
-		print " SNR_$name_upper ScmpSyscall = SYS_$name_upper\n";
+		print " SNR_$name_upper SyscallNum = SYS_$name_upper\n";
 	}
 	else{
 		return;
--- a/container/std/pnr.go
+++ b/container/std/pnr.go
@@ -1,6 +1,6 @@
 // Code generated from include/seccomp-syscalls.h; DO NOT EDIT.

-package std
+package ext

 /*
 * pseudo syscall definitions
--- a/container/std/syscall.go
+++ b/container/std/syscall.go
@@ -1,36 +1,84 @@
-package std
+package ext

 import (
 	"encoding"
-	"iter"
 	"strconv"
 	"sync"
 	"syscall"
+	"unsafe"
 )

-// Syscalls returns an iterator over all wired syscalls.
-func Syscalls() iter.Seq2[string, ScmpSyscall] {
-	return func(yield func(string, ScmpSyscall) bool) {
-		for name, num := range syscallNum {
-			if !yield(name, num) {
-				return
-			}
-		}
-		for name, num := range syscallNumExtra {
-			if !yield(name, num) {
-				return
-			}
+// Prctl manipulates various aspects of the behavior of the calling thread or process.
+func Prctl(op, arg2, arg3 uintptr) error {
+	r, _, errno := syscall.Syscall(syscall.SYS_PRCTL, op, arg2, arg3)
+	if r < 0 {
+		return errno
+	}
+	return nil
+}
+
+// SetPtracer allows processes to ptrace(2) the calling process.
+func SetPtracer(pid uintptr) error {
+	return Prctl(syscall.PR_SET_PTRACER, pid, 0)
+}
+
+// linux/sched/coredump.h
+const (
+	SUID_DUMP_DISABLE = iota
+	SUID_DUMP_USER
+)
+
+// SetDumpable sets the "dumpable" attribute of the calling process.
+func SetDumpable(dumpable uintptr) error {
+	return Prctl(syscall.PR_SET_DUMPABLE, dumpable, 0)
+}
+
+// Isatty tests whether a file descriptor refers to a terminal.
+func Isatty(fd int) bool {
+	var buf [8]byte
+	r, _, _ := syscall.Syscall(
+		syscall.SYS_IOCTL,
+		uintptr(fd),
+		syscall.TIOCGWINSZ,
+		uintptr(unsafe.Pointer(&buf[0])),
+	)
+	return r == 0
+}
+
+// IgnoringEINTR makes a function call and repeats it if it returns an
+// EINTR error. This appears to be required even though we install all
+// signal handlers with SA_RESTART: see #22838, #38033, #38836, #40846.
+// Also #20400 and #36644 are issues in which a signal handler is
+// installed without setting SA_RESTART. None of these are the common case,
+// but there are enough of them that it seems that we can't avoid
+// an EINTR loop.
+func IgnoringEINTR(fn func() error) error {
+	for {
+		err := fn()
+		if err != syscall.EINTR {
+			return err
 		}
 	}
 }

-// SyscallResolveName resolves a syscall number from its string representation.
-func SyscallResolveName(name string) (num ScmpSyscall, ok bool) {
-	if num, ok = syscallNum[name]; ok {
-		return
+// include/uapi/linux/close_range.h
+const (
+	CLOSE_RANGE_UNSHARE = 1 << (iota + 1)
+	CLOSE_RANGE_CLOEXEC
+)
+
+// CloseRange close all file descriptors in a given range.
+func CloseRange(first, last Uint, flags Int) error {
+	_, _, errno := syscall.Syscall(
+		SYS_CLOSE_RANGE,
+		uintptr(first),
+		uintptr(last),
+		uintptr(flags),
+	)
+	if errno != 0 {
+		return errno
 	}
-	num, ok = syscallNumExtra[name]
-	return
+	return nil
 }

 // SchedPolicy denotes a scheduling policy defined in include/uapi/linux/sched.h.
--- a/ext/syscall_extra_linux_386.go
+++ b/ext/syscall_extra_linux_386.go
@@ -0,0 +1,13 @@
+package ext
+
+var syscallNumExtra = map[string]SyscallNum{
+	"kexec_file_load": SNR_KEXEC_FILE_LOAD,
+	"subpage_prot":    SNR_SUBPAGE_PROT,
+	"switch_endian":   SNR_SWITCH_ENDIAN,
+}
+
+const (
+	SNR_KEXEC_FILE_LOAD SyscallNum = __PNR_kexec_file_load
+	SNR_SUBPAGE_PROT    SyscallNum = __PNR_subpage_prot
+	SNR_SWITCH_ENDIAN   SyscallNum = __PNR_switch_endian
+)
--- a/ext/syscall_extra_linux_amd64.go
+++ b/ext/syscall_extra_linux_amd64.go
@@ -0,0 +1,41 @@
+package ext
+
+var syscallNumExtra = map[string]SyscallNum{
+	"umount":          SNR_UMOUNT,
+	"subpage_prot":    SNR_SUBPAGE_PROT,
+	"switch_endian":   SNR_SWITCH_ENDIAN,
+	"vm86":            SNR_VM86,
+	"vm86old":         SNR_VM86OLD,
+	"clock_adjtime64": SNR_CLOCK_ADJTIME64,
+	"clock_settime64": SNR_CLOCK_SETTIME64,
+	"chown32":         SNR_CHOWN32,
+	"fchown32":        SNR_FCHOWN32,
+	"lchown32":        SNR_LCHOWN32,
+	"setgid32":        SNR_SETGID32,
+	"setgroups32":     SNR_SETGROUPS32,
+	"setregid32":      SNR_SETREGID32,
+	"setresgid32":     SNR_SETRESGID32,
+	"setresuid32":     SNR_SETRESUID32,
+	"setreuid32":      SNR_SETREUID32,
+	"setuid32":        SNR_SETUID32,
+}
+
+const (
+	SNR_UMOUNT          SyscallNum = __PNR_umount
+	SNR_SUBPAGE_PROT    SyscallNum = __PNR_subpage_prot
+	SNR_SWITCH_ENDIAN   SyscallNum = __PNR_switch_endian
+	SNR_VM86            SyscallNum = __PNR_vm86
+	SNR_VM86OLD         SyscallNum = __PNR_vm86old
+	SNR_CLOCK_ADJTIME64 SyscallNum = __PNR_clock_adjtime64
+	SNR_CLOCK_SETTIME64 SyscallNum = __PNR_clock_settime64
+	SNR_CHOWN32         SyscallNum = __PNR_chown32
+	SNR_FCHOWN32        SyscallNum = __PNR_fchown32
+	SNR_LCHOWN32        SyscallNum = __PNR_lchown32
+	SNR_SETGID32        SyscallNum = __PNR_setgid32
+	SNR_SETGROUPS32     SyscallNum = __PNR_setgroups32
+	SNR_SETREGID32      SyscallNum = __PNR_setregid32
+	SNR_SETRESGID32     SyscallNum = __PNR_setresgid32
+	SNR_SETRESUID32     SyscallNum = __PNR_setresuid32
+	SNR_SETREUID32      SyscallNum = __PNR_setreuid32
+	SNR_SETUID32        SyscallNum = __PNR_setuid32
+)
--- a/ext/syscall_extra_linux_arm64.go
+++ b/ext/syscall_extra_linux_arm64.go
@@ -0,0 +1,55 @@
+package ext
+
+import "syscall"
+
+const (
+	SYS_NEWFSTATAT = syscall.SYS_FSTATAT
+)
+
+var syscallNumExtra = map[string]SyscallNum{
+	"uselib":          SNR_USELIB,
+	"clock_adjtime64": SNR_CLOCK_ADJTIME64,
+	"clock_settime64": SNR_CLOCK_SETTIME64,
+	"umount":          SNR_UMOUNT,
+	"chown":           SNR_CHOWN,
+	"chown32":         SNR_CHOWN32,
+	"fchown32":        SNR_FCHOWN32,
+	"lchown":          SNR_LCHOWN,
+	"lchown32":        SNR_LCHOWN32,
+	"setgid32":        SNR_SETGID32,
+	"setgroups32":     SNR_SETGROUPS32,
+	"setregid32":      SNR_SETREGID32,
+	"setresgid32":     SNR_SETRESGID32,
+	"setresuid32":     SNR_SETRESUID32,
+	"setreuid32":      SNR_SETREUID32,
+	"setuid32":        SNR_SETUID32,
+	"modify_ldt":      SNR_MODIFY_LDT,
+	"subpage_prot":    SNR_SUBPAGE_PROT,
+	"switch_endian":   SNR_SWITCH_ENDIAN,
+	"vm86":            SNR_VM86,
+	"vm86old":         SNR_VM86OLD,
+}
+
+const (
+	SNR_USELIB          SyscallNum = __PNR_uselib
+	SNR_CLOCK_ADJTIME64 SyscallNum = __PNR_clock_adjtime64
+	SNR_CLOCK_SETTIME64 SyscallNum = __PNR_clock_settime64
+	SNR_UMOUNT          SyscallNum = __PNR_umount
+	SNR_CHOWN           SyscallNum = __PNR_chown
+	SNR_CHOWN32         SyscallNum = __PNR_chown32
+	SNR_FCHOWN32        SyscallNum = __PNR_fchown32
+	SNR_LCHOWN          SyscallNum = __PNR_lchown
+	SNR_LCHOWN32        SyscallNum = __PNR_lchown32
+	SNR_SETGID32        SyscallNum = __PNR_setgid32
+	SNR_SETGROUPS32     SyscallNum = __PNR_setgroups32
+	SNR_SETREGID32      SyscallNum = __PNR_setregid32
+	SNR_SETRESGID32     SyscallNum = __PNR_setresgid32
+	SNR_SETRESUID32     SyscallNum = __PNR_setresuid32
+	SNR_SETREUID32      SyscallNum = __PNR_setreuid32
+	SNR_SETUID32        SyscallNum = __PNR_setuid32
+	SNR_MODIFY_LDT      SyscallNum = __PNR_modify_ldt
+	SNR_SUBPAGE_PROT    SyscallNum = __PNR_subpage_prot
+	SNR_SWITCH_ENDIAN   SyscallNum = __PNR_switch_endian
+	SNR_VM86            SyscallNum = __PNR_vm86
+	SNR_VM86OLD         SyscallNum = __PNR_vm86old
+)
--- a/ext/syscall_extra_linux_riscv64.go
+++ b/ext/syscall_extra_linux_riscv64.go
@@ -0,0 +1,55 @@
+package ext
+
+import "syscall"
+
+const (
+	SYS_NEWFSTATAT = syscall.SYS_FSTATAT
+)
+
+var syscallNumExtra = map[string]SyscallNum{
+	"uselib":          SNR_USELIB,
+	"clock_adjtime64": SNR_CLOCK_ADJTIME64,
+	"clock_settime64": SNR_CLOCK_SETTIME64,
+	"umount":          SNR_UMOUNT,
+	"chown":           SNR_CHOWN,
+	"chown32":         SNR_CHOWN32,
+	"fchown32":        SNR_FCHOWN32,
+	"lchown":          SNR_LCHOWN,
+	"lchown32":        SNR_LCHOWN32,
+	"setgid32":        SNR_SETGID32,
+	"setgroups32":     SNR_SETGROUPS32,
+	"setregid32":      SNR_SETREGID32,
+	"setresgid32":     SNR_SETRESGID32,
+	"setresuid32":     SNR_SETRESUID32,
+	"setreuid32":      SNR_SETREUID32,
+	"setuid32":        SNR_SETUID32,
+	"modify_ldt":      SNR_MODIFY_LDT,
+	"subpage_prot":    SNR_SUBPAGE_PROT,
+	"switch_endian":   SNR_SWITCH_ENDIAN,
+	"vm86":            SNR_VM86,
+	"vm86old":         SNR_VM86OLD,
+}
+
+const (
+	SNR_USELIB          SyscallNum = __PNR_uselib
+	SNR_CLOCK_ADJTIME64 SyscallNum = __PNR_clock_adjtime64
+	SNR_CLOCK_SETTIME64 SyscallNum = __PNR_clock_settime64
+	SNR_UMOUNT          SyscallNum = __PNR_umount
+	SNR_CHOWN           SyscallNum = __PNR_chown
+	SNR_CHOWN32         SyscallNum = __PNR_chown32
+	SNR_FCHOWN32        SyscallNum = __PNR_fchown32
+	SNR_LCHOWN          SyscallNum = __PNR_lchown
+	SNR_LCHOWN32        SyscallNum = __PNR_lchown32
+	SNR_SETGID32        SyscallNum = __PNR_setgid32
+	SNR_SETGROUPS32     SyscallNum = __PNR_setgroups32
+	SNR_SETREGID32      SyscallNum = __PNR_setregid32
+	SNR_SETRESGID32     SyscallNum = __PNR_setresgid32
+	SNR_SETRESUID32     SyscallNum = __PNR_setresuid32
+	SNR_SETREUID32      SyscallNum = __PNR_setreuid32
+	SNR_SETUID32        SyscallNum = __PNR_setuid32
+	SNR_MODIFY_LDT      SyscallNum = __PNR_modify_ldt
+	SNR_SUBPAGE_PROT    SyscallNum = __PNR_subpage_prot
+	SNR_SWITCH_ENDIAN   SyscallNum = __PNR_switch_endian
+	SNR_VM86            SyscallNum = __PNR_vm86
+	SNR_VM86OLD         SyscallNum = __PNR_vm86old
+)
--- a/ext/syscall_linux_386.go
+++ b/ext/syscall_linux_386.go
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Ophestra	6cdb6a652b	internal/rosa/gtk: glib 2.87.5 to 2.88.0 Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-17 20:58:39 +09:00
Ophestra	7c932cbceb	internal/rosa: strace artifact This is not part of the system, but a useful development tool. The test suite is quite broken but that is considered acceptable for now. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-17 20:40:17 +09:00
Ophestra	20ebddd9bf	internal/rosa: export source kind This is set for an exported field, so export the constants as well. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-17 20:09:44 +09:00
Ophestra	420c721c7d	all: raise timeout defaults This avoids timing out on systems running very slowly. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-17 17:04:06 +09:00
Ophestra	bac583f89e	internal/stub: move from container This package solves a very specific stubbing use case, in a less than elegant manner. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-17 16:09:14 +09:00
Ophestra	722989c682	fhs: move from container This package is not container-specific. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-17 15:56:36 +09:00
Ophestra	b852402f67	ext: move syscall wrappers from container These are generally useful, and none of them are container-specific. Syscalls subtle to use and requiring container-specific setup remains in container. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-17 15:48:40 +09:00
Ophestra	6d015a949e	check: move from container This package is not container specific, and widely used across the project. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-17 15:39:03 +09:00
Ophestra	e9a72490db	vfs: move from container This package is not container-specific. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-17 15:30:30 +09:00
Ophestra	0a12d456ce	container: set CLOEXEC via close_range This is guarded behind the close_range build tag for now. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-17 14:19:00 +09:00
Ophestra	d1fc1a3db7	ext: wrap close_range syscall This is useful for container when called with CLOSE_RANGE_CLOEXEC. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-17 14:15:16 +09:00
Ophestra	1c2d5f6b57	ext: integer limit values For portably using C integers without cgo. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-17 14:09:38 +09:00
Ophestra	faea1f4bd6	all: remove deprecated packages Closes #24. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-17 13:54:56 +09:00
Ophestra	0cb1007daa	ldd: remove deprecated API Closes #25. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-17 13:53:14 +09:00
Ophestra	e292031624	ext: move lookup test This was kept in-place to reduce patch size in the previous patch. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-17 13:44:59 +09:00
Ophestra	cd5959fe5a	ext: isolate from container/std These are too general to belong in the container package. This targets the v0.4 release to reduce the wrapper maintenance burden. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-17 13:39:26 +09:00
Ophestra	08c35ca24f	container: use new netlink implementation This is adapted from the container netlink implementation and is much more reusable. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-16 23:33:52 +09:00
Ophestra	72bd3fb05e	internal/netlink: generalise implementation from container This is useful for uevent implementation. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-16 23:07:51 +09:00
Ophestra	59c66747df	internal/rosa/kernel: 6.12.76 to 6.12.77 Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-16 15:21:33 +09:00
Ophestra	9e6fe8db4b	internal/rosa/meson: 1.10.1 to 1.10.2 Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-16 13:41:06 +09:00
Ophestra	5168ee3e13	internal/rosa/python: remove pre_commit This is unused and introduces many dependencies. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-16 13:39:56 +09:00
Ophestra	c8313c2dc4	internal/rosa/tamago: disable cgo This toolchain does not support cgo for the new target, anyway, and disabling it altogether avoids adding a dependency on arm64. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-16 13:22:10 +09:00
Ophestra	3fcdadb669	internal/rosa/curl: remove broken test Upstream testdata is not broken on the arm64 builder, but breaks reproducibly on amd64. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-16 12:54:03 +09:00
Ophestra	3966bc5152	internal/rosa/hakurei: 0.3.6 to 0.3.7 Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-15 21:43:55 +09:00
Ophestra	b208af8b85	release: 0.3.7 Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-15 21:04:55 +09:00
Ophestra	8d650c0c8f	all: migrate to rosa/hakurei Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-15 20:12:51 +09:00
Ophestra	a720efc32d	internal/rosa/llvm: arch-specific versions This enables temporarily avoiding a broken release on specific targets. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-15 15:06:36 +09:00
Ophestra	400540cd41	internal/rosa/llvm: arch-specific patches Broken aarch64 tests in LLVM seem unlikely to be fixed soon. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-15 11:37:24 +09:00
Ophestra	1113efa5c2	internal/rosa/kernel: enable arm64 block drivers These are added separately to the amd64 patch due to the arm64 toolchain not being available at that time. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-15 00:22:05 +09:00
Ophestra	8b875f865c	cmd/earlyinit: remount root and set firmware path The default search paths cannot be configured, configuring them here is most sound for now. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-14 19:50:04 +09:00
Ophestra	8905d653ba	cmd/earlyinit: mount pseudo-filesystems The proposal for merging both init programs was unanimously accepted, so this is set up here alongside devtmpfs. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-14 19:43:42 +09:00
Ophestra	9c2fb6246f	internal/rosa/kernel: enable FW_LOADER This wants to be loaded early, so having it as a dlkm is not helpful as it will always be loaded anyway. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-14 19:32:14 +09:00
Ophestra	9c116acec6	internal/rosa/kernel: enable amd64 block drivers These have to be built into initramfs, anyway, so build them into the kernel instead. The arm64 toolchain is not yet ready, so will be updated in a later patch. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-14 19:22:56 +09:00
Ophestra	988239a2bc	internal/rosa: basic system image This is a simple image for debugging and is not yet set up for dm-verity. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-14 15:54:13 +09:00
Ophestra	bc03118142	cmd/earlyinit: handle args from cmdline These are set by the bootloader. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-14 15:13:52 +09:00