release: 0.3.1

Signed-off-by: Ophestra <cat@gensokyo.uk>

cmd/hakurei/command.go

@@ -2,8 +2,6 @@ package main
 
 import (
 	"context"
-	"encoding/json"
-	"errors"
 	"fmt"
 	"io"
 	"log"
@@ -13,19 +11,23 @@ import (
 	"strconv"
 	"sync"
 	"time"
+	_ "unsafe"
 
 	"hakurei.app/command"
-	"hakurei.app/container"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
 	"hakurei.app/internal"
-	"hakurei.app/internal/app"
+	"hakurei.app/internal/env"
-	"hakurei.app/internal/app/state"
+	"hakurei.app/internal/outcome"
+	"hakurei.app/message"
 	"hakurei.app/system/dbus"
 )
 
-func buildCommand(ctx context.Context, msg container.Msg, early *earlyHardeningErrs, out io.Writer) command.Command {
+//go:linkname optionalErrorUnwrap hakurei.app/container.optionalErrorUnwrap
+func optionalErrorUnwrap(_ error) error
+
+func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErrs, out io.Writer) command.Command {
 	var (
 		flagVerbose bool
 		flagJSON    bool
@@ -48,22 +50,28 @@ func buildCommand(ctx context.Context, msg container.Msg, early *earlyHardeningE
 		Flag(&flagVerbose, "v", command.BoolFlag(false), "Increase log verbosity").
 		Flag(&flagJSON, "json", command.BoolFlag(false), "Serialise output in JSON when applicable")
 
-	c.Command("shim", command.UsageInternal, func([]string) error { app.ShimMain(); return errSuccess })
+	c.Command("shim", command.UsageInternal, func([]string) error { outcome.Shim(msg); return errSuccess })
 
-	c.Command("app", "Load and start container from configuration file", func(args []string) error {
+	{
-		if len(args) < 1 {
+		var (
-			log.Fatal("app requires at least 1 argument")
+			flagIdentifierFile int
-		}
+		)
+		c.NewCommand("app", "Load and start container from configuration file", func(args []string) error {
+			if len(args) < 1 {
+				log.Fatal("app requires at least 1 argument")
+			}
 
-		// config extraArgs...
+			config := tryPath(msg, args[0])
-		config := tryPath(msg, args[0])
+			if config != nil && config.Container != nil {
-		if config != nil && config.Container != nil {
+				config.Container.Args = append(config.Container.Args, args[1:]...)
-			config.Container.Args = append(config.Container.Args, args[1:]...)
+			}
-		}
 
-		app.Main(ctx, msg, config)
+			outcome.Main(ctx, msg, config, flagIdentifierFile)
-		panic("unreachable")
+			panic("unreachable")
-	})
+		}).
+			Flag(&flagIdentifierFile, "identifier-fd", command.IntFlag(-1),
+				"Write identifier of current instance to fd after successful startup")
+	}
 
 	{
 		var (
@@ -78,11 +86,13 @@ func buildCommand(ctx context.Context, msg container.Msg, early *earlyHardeningE
 			flagHomeDir  string
 			flagUserName string
 
+			flagPrivateRuntime, flagPrivateTmpdir bool
+
 			flagWayland, flagX11, flagDBus, flagPulse bool
 		)
 
 		c.NewCommand("run", "Configure and start a permissive container", func(args []string) error {
-			if flagIdentity < hst.IdentityMin || flagIdentity > hst.IdentityMax {
+			if flagIdentity < hst.IdentityStart || flagIdentity > hst.IdentityEnd {
 				log.Fatalf("identity %d out of range", flagIdentity)
 			}
 
@@ -91,7 +101,7 @@ func buildCommand(ctx context.Context, msg container.Msg, early *earlyHardeningE
 				passwd     *user.User
 				passwdOnce sync.Once
 				passwdFunc = func() {
-					us := strconv.Itoa(app.HsuUid(new(app.Hsu).MustIDMsg(msg), flagIdentity))
+					us := strconv.Itoa(hst.ToUser(new(outcome.Hsu).MustID(msg), flagIdentity))
 					if u, err := user.LookupId(us); err != nil {
 						msg.Verbosef("cannot look up uid %s", us)
 						passwd = &user.User{
@@ -115,7 +125,7 @@ func buildCommand(ctx context.Context, msg container.Msg, early *earlyHardeningE
 			progPath := shell
 			if len(args) > 0 {
 				if p, err := exec.LookPath(args[0]); err != nil {
-					log.Fatal(errors.Unwrap(err))
+					log.Fatal(optionalErrorUnwrap(err))
 					return err
 				} else if progPath, err = check.NewAbs(p); err != nil {
 					log.Fatal(err.Error())
@@ -144,11 +154,6 @@ func buildCommand(ctx context.Context, msg container.Msg, early *earlyHardeningE
 				Enablements: hst.NewEnablements(et),
 
 				Container: &hst.ContainerConfig{
-					Userns:       true,
-					HostNet:      true,
-					Tty:          true,
-					HostAbstract: true,
-
 					Filesystem: []hst.FilesystemConfigJSON{
 						// autoroot, includes the home directory
 						{FilesystemConfig: &hst.FSBind{
@@ -164,6 +169,8 @@ func buildCommand(ctx context.Context, msg container.Msg, early *earlyHardeningE
 
 					Path: progPath,
 					Args: args,
+
+					Flags: hst.FUserns | hst.FHostNet | hst.FHostAbstract | hst.FTty,
 				},
 			}
 
@@ -211,6 +218,13 @@ func buildCommand(ctx context.Context, msg container.Msg, early *earlyHardeningE
 				}
 			}
 
+			if !flagPrivateRuntime {
+				config.Container.Flags |= hst.FShareRuntime
+			}
+			if !flagPrivateTmpdir {
+				config.Container.Flags |= hst.FShareTmpdir
+			}
+
 			// parse D-Bus config file from flags if applicable
 			if flagDBus {
 				if flagDBusConfigSession == "builtin" {
@@ -218,8 +232,11 @@ func buildCommand(ctx context.Context, msg container.Msg, early *earlyHardeningE
 				} else {
 					if f, err := os.Open(flagDBusConfigSession); err != nil {
 						log.Fatal(err.Error())
-					} else if err = json.NewDecoder(f).Decode(&config.SessionBus); err != nil {
+					} else {
-						log.Fatalf("cannot load session bus proxy config from %q: %s", flagDBusConfigSession, err)
+						decodeJSON(log.Fatal, "load session bus proxy config", f, &config.SessionBus)
+						if err = f.Close(); err != nil {
+							log.Fatal(err.Error())
+						}
 					}
 				}
 
@@ -227,8 +244,11 @@ func buildCommand(ctx context.Context, msg container.Msg, early *earlyHardeningE
 				if flagDBusConfigSystem != "nil" {
 					if f, err := os.Open(flagDBusConfigSystem); err != nil {
 						log.Fatal(err.Error())
-					} else if err = json.NewDecoder(f).Decode(&config.SystemBus); err != nil {
+					} else {
-						log.Fatalf("cannot load system bus proxy config from %q: %s", flagDBusConfigSystem, err)
+						decodeJSON(log.Fatal, "load system bus proxy config", f, &config.SystemBus)
+						if err = f.Close(); err != nil {
+							log.Fatal(err.Error())
+						}
 					}
 				}
 
@@ -243,7 +263,7 @@ func buildCommand(ctx context.Context, msg container.Msg, early *earlyHardeningE
 				}
 			}
 
-			app.Main(ctx, msg, config)
+			outcome.Main(ctx, msg, config, -1)
 			panic("unreachable")
 		}).
 			Flag(&flagDBusConfigSession, "dbus-config", command.StringFlag("builtin"),
@@ -264,6 +284,10 @@ func buildCommand(ctx context.Context, msg container.Msg, early *earlyHardeningE
 				"Container home directory").
 			Flag(&flagUserName, "u", command.StringFlag("chronos"),
 				"Passwd user name within sandbox").
+			Flag(&flagPrivateRuntime, "private-runtime", command.BoolFlag(false),
+				"Do not share XDG_RUNTIME_DIR between containers under the same identity").
+			Flag(&flagPrivateTmpdir, "private-tmpdir", command.BoolFlag(false),
+				"Do not share TMPDIR between containers under the same identity").
 			Flag(&flagWayland, "wayland", command.BoolFlag(false),
 				"Enable connection to Wayland via security-context-v1").
 			Flag(&flagX11, "X", command.BoolFlag(false),
@@ -275,7 +299,10 @@ func buildCommand(ctx context.Context, msg container.Msg, early *earlyHardeningE
 	}
 
 	{
-		var flagShort bool
+		var (
+			flagShort   bool
+			flagNoStore bool
+		)
 		c.NewCommand("show", "Show live or local app configuration", func(args []string) error {
 			switch len(args) {
 			case 0: // system
@@ -283,10 +310,23 @@ func buildCommand(ctx context.Context, msg container.Msg, early *earlyHardeningE
 
 			case 1: // instance
 				name := args[0]
-				config, entry := tryShort(msg, name)
+
-				if config == nil {
+				var (
-					config = tryPath(msg, name)
+					config *hst.Config
+					entry  *hst.State
+				)
+				if !flagNoStore {
+					var sc hst.Paths
+					env.CopyPaths().Copy(&sc, new(outcome.Hsu).MustID(nil))
+					entry = tryIdentifier(msg, name, outcome.NewStore(&sc))
 				}
+
+				if entry == nil {
+					config = tryPath(msg, name)
+				} else {
+					config = entry.Config
+				}
+
 				if !printShowInstance(os.Stdout, time.Now().UTC(), entry, config, flagShort, flagJSON) {
 					os.Exit(1)
 				}
@@ -295,22 +335,24 @@ func buildCommand(ctx context.Context, msg container.Msg, early *earlyHardeningE
 				log.Fatal("show requires 1 argument")
 			}
 			return errSuccess
-		}).Flag(&flagShort, "short", command.BoolFlag(false), "Omit filesystem information")
+		}).
+			Flag(&flagShort, "short", command.BoolFlag(false), "Omit filesystem information").
+			Flag(&flagNoStore, "no-store", command.BoolFlag(false), "Do not attempt to match from active instances")
 	}
 
 	{
 		var flagShort bool
 		c.NewCommand("ps", "List active instances", func(args []string) error {
 			var sc hst.Paths
-			app.CopyPaths().Copy(&sc, new(app.Hsu).MustID())
+			env.CopyPaths().Copy(&sc, new(outcome.Hsu).MustID(nil))
-			printPs(os.Stdout, time.Now().UTC(), state.NewMulti(msg, sc.RunDirPath.String()), flagShort, flagJSON)
+			printPs(msg, os.Stdout, time.Now().UTC(), outcome.NewStore(&sc), flagShort, flagJSON)
 			return errSuccess
 		}).Flag(&flagShort, "short", command.BoolFlag(false), "Print instance id")
 	}
 
 	c.Command("version", "Display version information", func(args []string) error { fmt.Println(internal.Version()); return errSuccess })
 	c.Command("license", "Show full license text", func(args []string) error { fmt.Println(license); return errSuccess })
-	c.Command("template", "Produce a config template", func(args []string) error { printJSON(os.Stdout, false, hst.Template()); return errSuccess })
+	c.Command("template", "Produce a config template", func(args []string) error { encodeJSON(log.Fatal, os.Stdout, false, hst.Template()); return errSuccess })
 	c.Command("help", "Show this help message", func([]string) error { c.PrintHelp(); return errSuccess })
 
 	return c

cmd/hakurei/command_test.go

@@ -7,10 +7,12 @@ import (
 	"testing"
 
 	"hakurei.app/command"
-	"hakurei.app/container"
+	"hakurei.app/message"
 )
 
 func TestHelp(t *testing.T) {
+	t.Parallel()
+
 	testCases := []struct {
 		name string
 		args []string
@@ -34,7 +36,7 @@ Commands:
 		},
 		{
 			"run", []string{"run", "-h"}, `
-Usage:	hakurei run [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--wayland] [-X] [--dbus] [--pulse] COMMAND [OPTIONS]
+Usage:	hakurei run [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--private-runtime] [--private-tmpdir] [--wayland] [-X] [--dbus] [--pulse] COMMAND [OPTIONS]
 
 Flags:
   -X	Enable direct connection to X11
@@ -56,6 +58,10 @@ Flags:
     	Reverse-DNS style Application identifier, leave empty to inherit instance identifier
   -mpris
     	Allow owning MPRIS D-Bus path, has no effect if custom config is available
+  -private-runtime
+    	Do not share XDG_RUNTIME_DIR between containers under the same identity
+  -private-tmpdir
+    	Do not share TMPDIR between containers under the same identity
   -pulse
     	Enable direct connection to PulseAudio
   -u string
@@ -68,8 +74,10 @@ Flags:
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
 			out := new(bytes.Buffer)
-			c := buildCommand(t.Context(), container.NewMsg(nil), new(earlyHardeningErrs), out)
+			c := buildCommand(t.Context(), message.New(nil), new(earlyHardeningErrs), out)
 			if err := c.Parse(tc.args); !errors.Is(err, command.ErrHelp) && !errors.Is(err, flag.ErrHelp) {
 				t.Errorf("Parse: error = %v; want %v",
 					err, command.ErrHelp)

cmd/hakurei/json.go

@@ -0,0 +1,60 @@
+package main
+
+import (
+	"encoding/json"
+	"errors"
+	"io"
+	"strconv"
+)
+
+// decodeJSON decodes json from r and stores it in v. A non-nil error results in a call to fatal.
+func decodeJSON(fatal func(v ...any), op string, r io.Reader, v any) {
+	err := json.NewDecoder(r).Decode(v)
+	if err == nil {
+		return
+	}
+
+	var (
+		syntaxError        *json.SyntaxError
+		unmarshalTypeError *json.UnmarshalTypeError
+
+		msg string
+	)
+
+	switch {
+	case errors.As(err, &syntaxError) && syntaxError != nil:
+		msg = syntaxError.Error() +
+			" at byte " + strconv.FormatInt(syntaxError.Offset, 10)
+
+	case errors.As(err, &unmarshalTypeError) && unmarshalTypeError != nil:
+		msg = "inappropriate " + unmarshalTypeError.Value +
+			" at byte " + strconv.FormatInt(unmarshalTypeError.Offset, 10)
+
+	default:
+		// InvalidUnmarshalError: incorrect usage, does not need to be handled
+		// io.ErrUnexpectedEOF: no additional error information available
+		msg = err.Error()
+	}
+
+	fatal("cannot " + op + ": " + msg)
+}
+
+// encodeJSON encodes v to output. A non-nil error results in a call to fatal.
+func encodeJSON(fatal func(v ...any), output io.Writer, short bool, v any) {
+	encoder := json.NewEncoder(output)
+	if !short {
+		encoder.SetIndent("", "  ")
+	}
+
+	if err := encoder.Encode(v); err != nil {
+		var marshalerError *json.MarshalerError
+		if errors.As(err, &marshalerError) && marshalerError != nil {
+			// this likely indicates an implementation error in hst
+			fatal("cannot encode json for " + marshalerError.Type.String() + ": " + marshalerError.Err.Error())
+			return
+		}
+
+		// UnsupportedTypeError, UnsupportedValueError: incorrect usage, does not need to be handled
+		fatal("cannot write json: " + err.Error())
+	}
+}

cmd/hakurei/json_test.go

@@ -0,0 +1,107 @@
+package main_test
+
+import (
+	"io"
+	"reflect"
+	"strings"
+	"testing"
+	_ "unsafe"
+
+	"hakurei.app/container/stub"
+)
+
+//go:linkname decodeJSON hakurei.app/cmd/hakurei.decodeJSON
+func decodeJSON(fatal func(v ...any), op string, r io.Reader, v any)
+
+func TestDecodeJSON(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		t    reflect.Type
+		data string
+		want any
+		msg  string
+	}{
+		{"success", reflect.TypeFor[uintptr](), "3735928559\n", uintptr(0xdeadbeef), ""},
+
+		{"syntax", reflect.TypeFor[*int](), "\x00", nil,
+			`cannot load sample: invalid character '\x00' looking for beginning of value at byte 1`},
+		{"type", reflect.TypeFor[uintptr](), "-1", nil,
+			`cannot load sample: inappropriate number -1 at byte 2`},
+		{"default", reflect.TypeFor[*int](), "{", nil,
+			"cannot load sample: unexpected EOF"},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			var (
+				gotP   = reflect.New(tc.t)
+				gotMsg *string
+			)
+			decodeJSON(func(v ...any) {
+				if gotMsg != nil {
+					t.Fatal("fatal called twice")
+				}
+				msg := v[0].(string)
+				gotMsg = &msg
+			}, "load sample", strings.NewReader(tc.data), gotP.Interface())
+			if tc.msg != "" {
+				if gotMsg == nil {
+					t.Errorf("decodeJSON: success, want fatal %q", tc.msg)
+				} else if *gotMsg != tc.msg {
+					t.Errorf("decodeJSON: fatal = %q, want %q", *gotMsg, tc.msg)
+				}
+			} else if gotMsg != nil {
+				t.Errorf("decodeJSON: fatal = %q", *gotMsg)
+			} else if !reflect.DeepEqual(gotP.Elem().Interface(), tc.want) {
+				t.Errorf("decodeJSON: %#v, want %#v", gotP.Elem().Interface(), tc.want)
+			}
+		})
+	}
+}
+
+//go:linkname encodeJSON hakurei.app/cmd/hakurei.encodeJSON
+func encodeJSON(fatal func(v ...any), output io.Writer, short bool, v any)
+
+func TestEncodeJSON(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		v    any
+		want string
+	}{
+		{"marshaler", errorJSONMarshaler{},
+			`cannot encode json for main_test.errorJSONMarshaler: unique error 3735928559 injected by the test suite`},
+		{"default", func() {},
+			`cannot write json: json: unsupported type: func()`},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			var called bool
+			encodeJSON(func(v ...any) {
+				if called {
+					t.Fatal("fatal called twice")
+				}
+				called = true
+
+				if v[0].(string) != tc.want {
+					t.Errorf("encodeJSON: fatal = %q, want %q", v[0].(string), tc.want)
+				}
+			}, nil, false, tc.v)
+
+			if !called {
+				t.Errorf("encodeJSON: success, want fatal %q", tc.want)
+			}
+		})
+	}
+}
+
+// errorJSONMarshaler implements json.Marshaler.
+type errorJSONMarshaler struct{}
+
+func (errorJSONMarshaler) MarshalJSON() ([]byte, error) { return nil, stub.UniqueError(0xdeadbeef) }

cmd/hakurei/main.go

@@ -13,6 +13,7 @@ import (
 	"syscall"
 
 	"hakurei.app/container"
+	"hakurei.app/message"
 )
 
 var (
@@ -31,7 +32,7 @@ func main() {
 
 	log.SetPrefix("hakurei: ")
 	log.SetFlags(0)
-	msg := container.NewMsg(log.Default())
+	msg := message.New(log.Default())
 
 	early := earlyHardeningErrs{
 		yamaLSM:  container.SetPtracer(0),

cmd/hakurei/parse.go

@@ -1,7 +1,7 @@
 package main
 
 import (
-	"encoding/json"
+	"encoding/hex"
 	"errors"
 	"io"
 	"log"
@@ -10,14 +10,17 @@ import (
 	"strings"
 	"syscall"
 
-	"hakurei.app/container"
 	"hakurei.app/hst"
-	"hakurei.app/internal/app"
+	"hakurei.app/internal/outcome"
-	"hakurei.app/internal/app/state"
+	"hakurei.app/internal/store"
+	"hakurei.app/message"
 )
 
-func tryPath(msg container.Msg, name string) (config *hst.Config) {
+// tryPath attempts to read [hst.Config] from multiple sources.
-	var r io.Reader
+// tryPath reads from [os.Stdin] if name has value "-".
+// Otherwise, name is passed to tryFd, and if that returns nil, name is passed to [os.Open].
+func tryPath(msg message.Msg, name string) (config *hst.Config) {
+	var r io.ReadCloser
 	config = new(hst.Config)
 
 	if name != "-" {
@@ -26,52 +29,75 @@ func tryPath(msg container.Msg, name string) (config *hst.Config) {
 			msg.Verbose("load configuration from file")
 
 			if f, err := os.Open(name); err != nil {
-				log.Fatalf("cannot access configuration file %q: %s", name, err)
+				log.Fatal(err.Error())
+				return
 			} else {
-				// finalizer closes f
 				r = f
 			}
-		} else {
-			defer func() {
-				if err := r.(io.ReadCloser).Close(); err != nil {
-					log.Printf("cannot close config fd: %v", err)
-				}
-			}()
 		}
 	} else {
 		r = os.Stdin
 	}
 
-	if err := json.NewDecoder(r).Decode(&config); err != nil {
+	decodeJSON(log.Fatal, "load configuration", r, &config)
-		log.Fatalf("cannot load configuration: %v", err)
+	if err := r.Close(); err != nil {
+		log.Fatal(err.Error())
 	}
-
 	return
 }
 
-func tryFd(msg container.Msg, name string) io.ReadCloser {
+// tryFd returns a [io.ReadCloser] if name represents an integer corresponding to a valid file descriptor.
+func tryFd(msg message.Msg, name string) io.ReadCloser {
 	if v, err := strconv.Atoi(name); err != nil {
 		if !errors.Is(err, strconv.ErrSyntax) {
 			msg.Verbosef("name cannot be interpreted as int64: %v", err)
 		}
 		return nil
 	} else {
+		if v < 3 { // reject standard streams
+			return nil
+		}
+
 		msg.Verbosef("trying config stream from %d", v)
 		fd := uintptr(v)
 		if _, _, errno := syscall.Syscall(syscall.SYS_FCNTL, fd, syscall.F_GETFD, 0); errno != 0 {
-			if errors.Is(errno, syscall.EBADF) {
+			if errors.Is(errno, syscall.EBADF) { // reject bad fd
 				return nil
 			}
 			log.Fatalf("cannot get fd %d: %v", fd, errno)
 		}
+
+		if outcome.IsPollDescriptor(fd) { // reject runtime internals
+			log.Fatalf("invalid config stream %d", fd)
+		}
+
 		return os.NewFile(fd, strconv.Itoa(v))
 	}
 }
 
-func tryShort(msg container.Msg, name string) (config *hst.Config, entry *state.State) {
+// shortLengthMin is the minimum length a short form identifier can have and still be interpreted as an identifier.
-	likePrefix := false
+const shortLengthMin = 1 << 3
-	if len(name) <= 32 {
+
-		likePrefix = true
+// shortIdentifier returns an eight character short representation of [hst.ID] from its random bytes.
+func shortIdentifier(id *hst.ID) string {
+	return shortIdentifierString(id.String())
+}
+
+// shortIdentifierString implements shortIdentifier on an arbitrary string.
+func shortIdentifierString(s string) string {
+	return s[len(hst.ID{}) : len(hst.ID{})+shortLengthMin]
+}
+
+// tryIdentifier attempts to match [hst.State] from a [hex] representation of [hst.ID] or a prefix of its lower half.
+func tryIdentifier(msg message.Msg, name string, s *store.Store) *hst.State {
+	const (
+		likeShort = 1 << iota
+		likeFull
+	)
+
+	var likely uintptr
+	if len(name) >= shortLengthMin && len(name) <= len(hst.ID{}) { // half the hex representation
+		// cannot safely decode here due to unknown alignment
 		for _, c := range name {
 			if c >= '0' && c <= '9' {
 				continue
@@ -79,35 +105,68 @@ func tryShort(msg container.Msg, name string) (config *hst.Config, entry *state.
 			if c >= 'a' && c <= 'f' {
 				continue
 			}
-			likePrefix = false
+			return nil
-			break
 		}
+		likely |= likeShort
+	} else if len(name) == hex.EncodedLen(len(hst.ID{})) {
+		likely |= likeFull
 	}
 
-	// try to match from state store
+	if likely == 0 {
-	if likePrefix && len(name) >= 8 {
+		return nil
-		msg.Verbose("argument looks like prefix")
+	}
 
-		var sc hst.Paths
+	entries, copyError := s.All()
-		app.CopyPaths().Copy(&sc, new(app.Hsu).MustID())
+	defer func() {
-		s := state.NewMulti(msg, sc.RunDirPath.String())
+		if err := copyError(); err != nil {
-		if entries, err := state.Join(s); err != nil {
+			msg.GetLogger().Println(getMessage("cannot iterate over store:", err))
-			log.Printf("cannot join store: %v", err)
+		}
-			// drop to fetch from file
+	}()
-		} else {
+
-			for id := range entries {
+	switch {
-				v := id.String()
+	case likely&likeShort != 0:
-				if strings.HasPrefix(v, name) {
+		msg.Verbose("argument looks like short identifier")
-					// match, use config from this state entry
+		for eh := range entries {
-					entry = entries[id]
+			if eh.DecodeErr != nil {
-					config = entry.Config
+				msg.Verbose(getMessage("skipping instance:", eh.DecodeErr))
-					break
+				continue
+			}
+
+			if strings.HasPrefix(eh.ID.String()[len(hst.ID{}):], name) {
+				var entry hst.State
+				if _, err := eh.Load(&entry); err != nil {
+					msg.GetLogger().Println(getMessage("cannot load state entry:", err))
+					continue
 				}
-
+				return &entry
-				msg.Verbosef("instance %s skipped", v)
 			}
 		}
-	}
+		return nil
 
-	return
+	case likely&likeFull != 0:
+		var likelyID hst.ID
+		if likelyID.UnmarshalText([]byte(name)) != nil {
+			return nil
+		}
+		msg.Verbose("argument looks like identifier")
+		for eh := range entries {
+			if eh.DecodeErr != nil {
+				msg.Verbose(getMessage("skipping instance:", eh.DecodeErr))
+				continue
+			}
+
+			if eh.ID == likelyID {
+				var entry hst.State
+				if _, err := eh.Load(&entry); err != nil {
+					msg.GetLogger().Println(getMessage("cannot load state entry:", err))
+					continue
+				}
+				return &entry
+			}
+		}
+		return nil
+
+	default:
+		panic("unreachable")
+	}
 }

cmd/hakurei/parse_test.go

@@ -0,0 +1,117 @@
+package main
+
+import (
+	"bytes"
+	"reflect"
+	"testing"
+	"time"
+
+	"hakurei.app/container/check"
+	"hakurei.app/hst"
+	"hakurei.app/internal/store"
+	"hakurei.app/message"
+)
+
+func TestShortIdentifier(t *testing.T) {
+	t.Parallel()
+	id := hst.ID{
+		0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+		0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
+	}
+
+	const want = "fedcba98"
+	if got := shortIdentifier(&id); got != want {
+		t.Errorf("shortIdentifier: %q, want %q", got, want)
+	}
+}
+
+func TestTryIdentifier(t *testing.T) {
+	t.Parallel()
+
+	msg := message.New(nil)
+	id := hst.ID{
+		0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+		0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
+	}
+	withBase := func(extra ...hst.State) []hst.State {
+		return append([]hst.State{
+			{ID: (hst.ID)(bytes.Repeat([]byte{0xaa}, len(hst.ID{}))), PID: 0xbeef, ShimPID: 0xcafe, Config: hst.Template(), Time: time.Unix(0, 0xdeadbeef0)},
+			{ID: (hst.ID)(bytes.Repeat([]byte{0xab}, len(hst.ID{}))), PID: 0x1beef, ShimPID: 0x1cafe, Config: hst.Template(), Time: time.Unix(0, 0xdeadbeef1)},
+			{ID: (hst.ID)(bytes.Repeat([]byte{0xf0}, len(hst.ID{}))), PID: 0x2beef, ShimPID: 0x2cafe, Config: hst.Template(), Time: time.Unix(0, 0xdeadbeef2)},
+
+			{ID: (hst.ID)(bytes.Repeat([]byte{0xfe}, len(hst.ID{}))), PID: 0xbed, ShimPID: 0xfff, Config: func() *hst.Config {
+				template := hst.Template()
+				template.Identity = hst.IdentityEnd
+				return template
+			}(), Time: time.Unix(0, 0xcafebabe0)},
+			{ID: (hst.ID)(bytes.Repeat([]byte{0xfc}, len(hst.ID{}))), PID: 0x1bed, ShimPID: 0x1fff, Config: func() *hst.Config {
+				template := hst.Template()
+				template.Identity = 0xfc
+				return template
+			}(), Time: time.Unix(0, 0xcafebabe1)},
+			{ID: (hst.ID)(bytes.Repeat([]byte{0xce}, len(hst.ID{}))), PID: 0x2bed, ShimPID: 0x2fff, Config: func() *hst.Config {
+				template := hst.Template()
+				template.Identity = 0xce
+				return template
+			}(), Time: time.Unix(0, 0xcafebabe2)},
+		}, extra...)
+	}
+	sampleEntry := hst.State{
+		ID:      id,
+		PID:     0xcafe,
+		ShimPID: 0xdead,
+		Config:  hst.Template(),
+	}
+
+	testCases := []struct {
+		name string
+		s    string
+		data []hst.State
+		want *hst.State
+	}{
+		{"likely entries fault", "ffffffff", nil, nil},
+
+		{"likely short too short", "ff", nil, nil},
+		{"likely short too long", "fffffffffffffffff", nil, nil},
+		{"likely short invalid lower", "fffffff\x00", nil, nil},
+		{"likely short invalid higher", "0000000\xff", nil, nil},
+		{"short no match", "fedcba98", withBase(), nil},
+		{"short match", "fedcba98", withBase(sampleEntry), &sampleEntry},
+		{"short match single", "fedcba98", []hst.State{sampleEntry}, &sampleEntry},
+		{"short match longer", "fedcba98765", withBase(sampleEntry), &sampleEntry},
+
+		{"likely long invalid", "0123456789abcdeffedcba987654321\x00", nil, nil},
+		{"long no match", "0123456789abcdeffedcba9876543210", withBase(), nil},
+		{"long match", "0123456789abcdeffedcba9876543210", withBase(sampleEntry), &sampleEntry},
+		{"long match single", "0123456789abcdeffedcba9876543210", []hst.State{sampleEntry}, &sampleEntry},
+	}
+	for _, tc := range testCases {
+		base := check.MustAbs(t.TempDir()).Append("store")
+		s := store.New(base)
+		for i := range tc.data {
+			if h, err := s.Handle(tc.data[i].Identity); err != nil {
+				t.Fatalf("Handle: error = %v", err)
+			} else {
+				var unlock func()
+				if unlock, err = h.Lock(); err != nil {
+					t.Fatalf("Lock: error = %v", err)
+				}
+				_, err = h.Save(&tc.data[i])
+				unlock()
+				if err != nil {
+					t.Fatalf("Save: error = %v", err)
+				}
+			}
+		}
+
+		// store must not be written to beyond this point
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			got := tryIdentifier(msg, tc.s, store.New(base))
+			if !reflect.DeepEqual(got, tc.want) {
+				t.Errorf("tryIdentifier: %#v, want %#v", got, tc.want)
+			}
+		})
+	}
+}

cmd/hakurei/print.go

@@ -1,7 +1,7 @@
 package main
 
 import (
-	"encoding/json"
+	"bytes"
 	"fmt"
 	"io"
 	"log"
@@ -11,24 +11,28 @@ import (
 	"text/tabwriter"
 	"time"
 
-	"hakurei.app/container"
 	"hakurei.app/hst"
-	"hakurei.app/internal/app"
+	"hakurei.app/internal"
-	"hakurei.app/internal/app/state"
+	"hakurei.app/internal/env"
+	"hakurei.app/internal/outcome"
+	"hakurei.app/internal/store"
+	"hakurei.app/message"
 )
 
+// printShowSystem populates and writes a representation of [hst.Info] to output.
 func printShowSystem(output io.Writer, short, flagJSON bool) {
 	t := newPrinter(output)
 	defer t.MustFlush()
 
-	info := &hst.Info{User: new(app.Hsu).MustID()}
+	info := &hst.Info{Version: internal.Version(), User: new(outcome.Hsu).MustID(nil)}
-	app.CopyPaths().Copy(&info.Paths, info.User)
+	env.CopyPaths().Copy(&info.Paths, info.User)
 
 	if flagJSON {
-		printJSON(output, short, info)
+		encodeJSON(log.Fatal, output, short, info)
 		return
 	}
 
+	t.Printf("Version:\t%s\n", info.Version)
 	t.Printf("User:\t%d\n", info.User)
 	t.Printf("TempDir:\t%s\n", info.TempDir)
 	t.Printf("SharePath:\t%s\n", info.SharePath)
@@ -36,17 +40,19 @@ func printShowSystem(output io.Writer, short, flagJSON bool) {
 	t.Printf("RunDirPath:\t%s\n", info.RunDirPath)
 }
 
+// printShowInstance writes a representation of [hst.State] or [hst.Config] to output.
 func printShowInstance(
 	output io.Writer, now time.Time,
-	instance *state.State, config *hst.Config,
+	instance *hst.State, config *hst.Config,
-	short, flagJSON bool) (valid bool) {
+	short, flagJSON bool,
+) (valid bool) {
 	valid = true
 
 	if flagJSON {
 		if instance != nil {
-			printJSON(output, short, instance)
+			encodeJSON(log.Fatal, output, short, instance)
 		} else {
-			printJSON(output, short, config)
+			encodeJSON(log.Fatal, output, short, config)
 		}
 		return
 	}
@@ -56,14 +62,19 @@ func printShowInstance(
 
 	if err := config.Validate(); err != nil {
 		valid = false
-		if m, ok := container.GetErrorMessage(err); ok {
+		if m, ok := message.GetMessage(err); ok {
 			mustPrint(output, "Error: "+m+"!\n\n")
 		}
 	}
 
+	if config == nil {
+		// nothing to print
+		return
+	}
+
 	if instance != nil {
 		t.Printf("State\n")
-		t.Printf(" Instance:\t%s (%d)\n", instance.ID.String(), instance.PID)
+		t.Printf(" Instance:\t%s (%d -> %d)\n", instance.ID.String(), instance.PID, instance.ShimPID)
 		t.Printf(" Uptime:\t%s\n", now.Sub(instance.Time).Round(time.Second).String())
 		t.Printf("\n")
 	}
@@ -79,37 +90,31 @@ func printShowInstance(
 		t.Printf(" Groups:\t%s\n", strings.Join(config.Groups, ", "))
 	}
 	if config.Container != nil {
-		params := config.Container
+		if config.Container.Home != nil {
-		if params.Home != nil {
+			t.Printf(" Home:\t%s\n", config.Container.Home)
-			t.Printf(" Home:\t%s\n", params.Home)
 		}
-		if params.Hostname != "" {
+		if config.Container.Hostname != "" {
-			t.Printf(" Hostname:\t%s\n", params.Hostname)
+			t.Printf(" Hostname:\t%s\n", config.Container.Hostname)
 		}
-		flags := make([]string, 0, 7)
+		flags := config.Container.Flags.String()
-		writeFlag := func(name string, value bool) {
+
-			if value {
+		// this is included in the upper hst.Config struct but is relevant here
-				flags = append(flags, name)
+		const flagDirectWayland = "directwl"
+		if config.DirectWayland {
+			// hardcoded value when every flag is unset
+			if flags == "none" {
+				flags = flagDirectWayland
+			} else {
+				flags += ", " + flagDirectWayland
 			}
 		}
-		writeFlag("userns", params.Userns)
+		t.Printf(" Flags:\t%s\n", flags)
-		writeFlag("devel", params.Devel)
-		writeFlag("net", params.HostNet)
-		writeFlag("abstract", params.HostAbstract)
-		writeFlag("device", params.Device)
-		writeFlag("tty", params.Tty)
-		writeFlag("mapuid", params.MapRealUID)
-		writeFlag("directwl", config.DirectWayland)
-		if len(flags) == 0 {
-			flags = append(flags, "none")
-		}
-		t.Printf(" Flags:\t%s\n", strings.Join(flags, " "))
 
-		if params.Path != nil {
+		if config.Container.Path != nil {
-			t.Printf(" Path:\t%s\n", params.Path)
+			t.Printf(" Path:\t%s\n", config.Container.Path)
 		}
-		if len(params.Args) > 0 {
+		if len(config.Container.Args) > 0 {
-			t.Printf(" Arguments:\t%s\n", strings.Join(params.Args, " "))
+			t.Printf(" Arguments:\t%s\n", strings.Join(config.Container.Args, " "))
 		}
 	}
 	t.Printf("\n")
@@ -129,11 +134,8 @@ func printShowInstance(
 		}
 		if len(config.ExtraPerms) > 0 {
 			t.Printf("Extra ACL\n")
-			for _, p := range config.ExtraPerms {
+			for i := range config.ExtraPerms {
-				if p == nil {
+				t.Printf(" %s\n", config.ExtraPerms[i].String())
-					continue
-				}
-				t.Printf(" %s\n", p.String())
 			}
 			t.Printf("\n")
 		}
@@ -171,57 +173,53 @@ func printShowInstance(
 	return
 }
 
-func printPs(output io.Writer, now time.Time, s state.Store, short, flagJSON bool) {
+// printPs writes a representation of active instances to output.
-	var entries state.Entries
+func printPs(msg message.Msg, output io.Writer, now time.Time, s *store.Store, short, flagJSON bool) {
-	if e, err := state.Join(s); err != nil {
+	f := func(a func(eh *store.EntryHandle)) {
-		log.Fatalf("cannot join store: %v", err)
+		entries, copyError := s.All()
-	} else {
+		for eh := range entries {
-		entries = e
+			a(eh)
-	}
+		}
-	if err := s.Close(); err != nil {
+		if err := copyError(); err != nil {
-		log.Printf("cannot close store: %v", err)
+			msg.GetLogger().Println(getMessage("cannot iterate over store:", err))
+		}
 	}
 
-	if !short && flagJSON {
+	if short { // short output requires identifier only
-		es := make(map[string]*state.State, len(entries))
+		var identifiers []*hst.ID
-		for id, instance := range entries {
+		f(func(eh *store.EntryHandle) {
-			es[id.String()] = instance
+			if _, err := eh.Load(nil); err != nil { // passes through decode error
+				msg.GetLogger().Println(getMessage("cannot validate state entry header:", err))
+				return
+			}
+			identifiers = append(identifiers, &eh.ID)
+		})
+		slices.SortFunc(identifiers, func(a, b *hst.ID) int { return bytes.Compare(a[:], b[:]) })
+
+		if flagJSON {
+			encodeJSON(log.Fatal, output, short, identifiers)
+		} else {
+			for _, id := range identifiers {
+				mustPrintln(output, shortIdentifier(id))
+			}
 		}
-		printJSON(output, short, es)
 		return
 	}
 
-	// sort state entries by id string to ensure consistency between runs
+	// long output requires full instance state
-	exp := make([]*expandedStateEntry, 0, len(entries))
+	var instances []*hst.State
-	for id, instance := range entries {
+	f(func(eh *store.EntryHandle) {
-		// gracefully skip nil states
+		var state hst.State
-		if instance == nil {
+		if _, err := eh.Load(&state); err != nil { // passes through decode error
-			log.Printf("got invalid state entry %s", id.String())
+			msg.GetLogger().Println(getMessage("cannot load state entry:", err))
-			continue
+			return
 		}
+		instances = append(instances, &state)
+	})
+	slices.SortFunc(instances, func(a, b *hst.State) int { return bytes.Compare(a.ID[:], b.ID[:]) })
 
-		// gracefully skip inconsistent states
+	if flagJSON {
-		if id != instance.ID {
+		encodeJSON(log.Fatal, output, short, instances)
-			log.Printf("possible store corruption: entry %s has id %s",
-				id.String(), instance.ID.String())
-			continue
-		}
-		exp = append(exp, &expandedStateEntry{s: id.String(), State: instance})
-	}
-	slices.SortFunc(exp, func(a, b *expandedStateEntry) int { return a.Time.Compare(b.Time) })
-
-	if short {
-		if flagJSON {
-			v := make([]string, len(exp))
-			for i, e := range exp {
-				v[i] = e.s
-			}
-			printJSON(output, short, v)
-		} else {
-			for _, e := range exp {
-				mustPrintln(output, e.s[:8])
-			}
-		}
 		return
 	}
 
@@ -229,61 +227,48 @@ func printPs(output io.Writer, now time.Time, s state.Store, short, flagJSON boo
 	defer t.MustFlush()
 
 	t.Println("\tInstance\tPID\tApplication\tUptime")
-	for _, e := range exp {
+	for _, instance := range instances {
-		if len(e.s) != 1<<5 {
-			// unreachable
-			log.Printf("possible store corruption: invalid instance string %s", e.s)
-			continue
-		}
-
 		as := "(No configuration information)"
-		if e.Config != nil {
+		if instance.Config != nil {
-			as = strconv.Itoa(e.Config.Identity)
+			as = strconv.Itoa(instance.Config.Identity)
-			id := e.Config.ID
+			id := instance.Config.ID
 			if id == "" {
-				id = "app.hakurei." + e.s[:8]
+				id = "app.hakurei." + shortIdentifier(&instance.ID)
 			}
 			as += " (" + id + ")"
 		}
 		t.Printf("\t%s\t%d\t%s\t%s\n",
-			e.s[:8], e.PID, as, now.Sub(e.Time).Round(time.Second).String())
+			shortIdentifier(&instance.ID), instance.PID, as, now.Sub(instance.Time).Round(time.Second).String())
-	}
-}
-
-type expandedStateEntry struct {
-	s string
-	*state.State
-}
-
-func printJSON(output io.Writer, short bool, v any) {
-	encoder := json.NewEncoder(output)
-	if !short {
-		encoder.SetIndent("", "  ")
-	}
-	if err := encoder.Encode(v); err != nil {
-		log.Fatalf("cannot serialise: %v", err)
 	}
 }
 
+// newPrinter returns a configured, wrapped [tabwriter.Writer].
 func newPrinter(output io.Writer) *tp { return &tp{tabwriter.NewWriter(output, 0, 1, 4, ' ', 0)} }
 
+// tp wraps [tabwriter.Writer] to provide additional formatting methods.
 type tp struct{ *tabwriter.Writer }
 
+// Printf calls [fmt.Fprintf] on the underlying [tabwriter.Writer].
 func (p *tp) Printf(format string, a ...any) {
 	if _, err := fmt.Fprintf(p, format, a...); err != nil {
 		log.Fatalf("cannot write to tabwriter: %v", err)
 	}
 }
+
+// Println calls [fmt.Fprintln] on the underlying [tabwriter.Writer].
 func (p *tp) Println(a ...any) {
 	if _, err := fmt.Fprintln(p, a...); err != nil {
 		log.Fatalf("cannot write to tabwriter: %v", err)
 	}
 }
+
+// MustFlush calls the Flush method of [tabwriter.Writer] and calls [log.Fatalf] on a non-nil error.
 func (p *tp) MustFlush() {
 	if err := p.Writer.Flush(); err != nil {
 		log.Fatalf("cannot flush tabwriter: %v", err)
 	}
 }
+
 func mustPrint(output io.Writer, a ...any) {
 	if _, err := fmt.Fprint(output, a...); err != nil {
 		log.Fatalf("cannot print: %v", err)
@@ -294,3 +279,11 @@ func mustPrintln(output io.Writer, a ...any) {
 		log.Fatalf("cannot print: %v", err)
 	}
 }
+
+// getMessage returns a [message.Error] message if available, or err prefixed with fallback otherwise.
+func getMessage(fallback string, err error) string {
+	if m, ok := message.GetMessage(err); ok {
+		return m
+	}
+	return fmt.Sprintln(fallback, err)
+}

cmd/hakurei/print_test.go

@@ -1,47 +1,72 @@
 package main
 
 import (
+	"bytes"
+	"log"
 	"strings"
 	"testing"
 	"time"
 
+	"hakurei.app/container/check"
 	"hakurei.app/hst"
-	"hakurei.app/internal/app/state"
+	"hakurei.app/internal/store"
+	"hakurei.app/message"
 )
 
 var (
-	testID = state.ID{
+	testID = hst.ID{
 		0x8e, 0x2c, 0x76, 0xb0,
 		0x66, 0xda, 0xbe, 0x57,
 		0x4c, 0xf0, 0x73, 0xbd,
 		0xb4, 0x6e, 0xb5, 0xc1,
 	}
-	testState = &state.State{
+	testState = hst.State{
-		ID:     testID,
+		ID:      testID,
-		PID:    0xDEADBEEF,
+		PID:     0xcafe,
-		Config: hst.Template(),
+		ShimPID: 0xdead,
-		Time:   testAppTime,
+		Config:  hst.Template(),
+		Time:    testAppTime,
+	}
+	testStateSmall = hst.State{
+		ID:      (hst.ID)(bytes.Repeat([]byte{0xaa}, len(hst.ID{}))),
+		PID:     0xbeef,
+		ShimPID: 0xcafe,
+		Config: &hst.Config{
+			Enablements: hst.NewEnablements(hst.EWayland | hst.EPulse),
+			Identity:    1,
+			Container: &hst.ContainerConfig{
+				Shell: check.MustAbs("/bin/sh"),
+				Home:  check.MustAbs("/data/data/uk.gensokyo.cat"),
+				Path:  check.MustAbs("/usr/bin/cat"),
+				Args:  []string{"cat"},
+				Flags: hst.FUserns,
+			},
+		},
+		Time: time.Unix(0, 0xdeadbeef).UTC(),
 	}
 	testTime    = time.Unix(3752, 1).UTC()
 	testAppTime = time.Unix(0, 9).UTC()
 )
 
 func TestPrintShowInstance(t *testing.T) {
+	t.Parallel()
+
 	testCases := []struct {
 		name        string
-		instance    *state.State
+		instance    *hst.State
 		config      *hst.Config
 		short, json bool
 		want        string
 		valid       bool
 	}{
+		{"nil", nil, nil, false, false, "Error: invalid configuration!\n\n", false},
 		{"config", nil, hst.Template(), false, false, `App
  Identity:       9 (org.chromium.Chromium)
  Enablements:    wayland, dbus, pulseaudio
  Groups:         video, dialout, plugdev
  Home:           /data/data/org.chromium.Chromium
  Hostname:       localhost
- Flags:          userns devel net abstract device tty mapuid
+ Flags:          multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, runtime, tmpdir
  Path:           /run/current-system/sw/bin/chromium
  Arguments:      chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland
 
@@ -49,8 +74,7 @@ Filesystem
  autoroot:w:/var/lib/hakurei/base/org.debian
  autoetc:/etc/
  w+ephemeral(-rwxr-xr-x):/tmp/
- w*/nix/store:/mnt-root/nix/.rw-store/upper:/mnt-root/nix/.rw-store/work:/mnt-root/nix/.ro-store
+ w*/nix/store:/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/upper:/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/work:/var/lib/hakurei/base/org.nixos/ro-store
- */nix/store
  /run/current-system@
  /run/opengl-driver@
  w-/var/lib/hakurei/u0/org.chromium.Chromium:/data/data/org.chromium.Chromium
@@ -87,7 +111,23 @@ App
  Flags:          none
 
 `, false},
-		{"config nil entries", nil, &hst.Config{Container: &hst.ContainerConfig{Filesystem: make([]hst.FilesystemConfigJSON, 1)}, ExtraPerms: make([]*hst.ExtraPermConfig, 1)}, false, false, `Error: container configuration missing path to home directory!
+		{"config flag none directwl", nil, &hst.Config{DirectWayland: true, Container: new(hst.ContainerConfig)}, false, false, `Error: container configuration missing path to home directory!
+
+App
+ Identity:       0
+ Enablements:    (no enablements)
+ Flags:          directwl
+
+`, false},
+		{"config flag directwl", nil, &hst.Config{DirectWayland: true, Container: &hst.ContainerConfig{Flags: hst.FMultiarch}}, false, false, `Error: container configuration missing path to home directory!
+
+App
+ Identity:       0
+ Enablements:    (no enablements)
+ Flags:          multiarch, directwl
+
+`, false},
+		{"config nil entries", nil, &hst.Config{Container: &hst.ContainerConfig{Filesystem: make([]hst.FilesystemConfigJSON, 1)}, ExtraPerms: make([]hst.ExtraPermConfig, 1)}, false, false, `Error: container configuration missing path to home directory!
 
 App
  Identity:       0
@@ -98,6 +138,7 @@ Filesystem
  <invalid>
 
 Extra ACL
+ <invalid>
 
 `, false},
 		{"config pd dbus see", nil, &hst.Config{SessionBus: &hst.BusConfig{See: []string{"org.example.test"}}}, false, false, `Error: configuration missing container state!
@@ -112,8 +153,8 @@ Session bus
 
 `, false},
 
-		{"instance", testState, hst.Template(), false, false, `State
+		{"instance", &testState, hst.Template(), false, false, `State
- Instance:    8e2c76b066dabe574cf073bdb46eb5c1 (3735928559)
+ Instance:    8e2c76b066dabe574cf073bdb46eb5c1 (51966 -> 57005)
  Uptime:      1h2m32s
 
 App
@@ -122,7 +163,7 @@ App
  Groups:         video, dialout, plugdev
  Home:           /data/data/org.chromium.Chromium
  Hostname:       localhost
- Flags:          userns devel net abstract device tty mapuid
+ Flags:          multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, runtime, tmpdir
  Path:           /run/current-system/sw/bin/chromium
  Arguments:      chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland
 
@@ -130,8 +171,7 @@ Filesystem
  autoroot:w:/var/lib/hakurei/base/org.debian
  autoetc:/etc/
  w+ephemeral(-rwxr-xr-x):/tmp/
- w*/nix/store:/mnt-root/nix/.rw-store/upper:/mnt-root/nix/.rw-store/work:/mnt-root/nix/.ro-store
+ w*/nix/store:/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/upper:/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/work:/var/lib/hakurei/base/org.nixos/ro-store
- */nix/store
  /run/current-system@
  /run/opengl-driver@
  w-/var/lib/hakurei/u0/org.chromium.Chromium:/data/data/org.chromium.Chromium
@@ -153,10 +193,10 @@ System bus
  Talk:      ["org.bluez" "org.freedesktop.Avahi" "org.freedesktop.UPower"]
 
 `, true},
-		{"instance pd", testState, new(hst.Config), false, false, `Error: configuration missing container state!
+		{"instance pd", &testState, new(hst.Config), false, false, `Error: configuration missing container state!
 
 State
- Instance:    8e2c76b066dabe574cf073bdb46eb5c1 (3735928559)
+ Instance:    8e2c76b066dabe574cf073bdb46eb5c1 (51966 -> 57005)
  Uptime:      1h2m32s
 
 App
@@ -167,176 +207,156 @@ App
 
 		{"json nil", nil, nil, false, true, `null
 `, true},
-		{"json instance", testState, nil, false, true, `{
+		{"json instance", &testState, nil, false, true, `{
-  "instance": [
+  "instance": "8e2c76b066dabe574cf073bdb46eb5c1",
-    142,
+  "pid": 51966,
-    44,
+  "shim_pid": 57005,
-    118,
+  "id": "org.chromium.Chromium",
-    176,
+  "enablements": {
-    102,
+    "wayland": true,
-    218,
+    "dbus": true,
-    190,
+    "pulse": true
-    87,
+  },
-    76,
+  "session_bus": {
-    240,
+    "see": null,
-    115,
+    "talk": [
-    189,
+      "org.freedesktop.Notifications",
-    180,
+      "org.freedesktop.FileManager1",
-    110,
+      "org.freedesktop.ScreenSaver",
-    181,
+      "org.freedesktop.secrets",
-    193
+      "org.kde.kwalletd5",
+      "org.kde.kwalletd6",
+      "org.gnome.SessionManager"
+    ],
+    "own": [
+      "org.chromium.Chromium.*",
+      "org.mpris.MediaPlayer2.org.chromium.Chromium.*",
+      "org.mpris.MediaPlayer2.chromium.*"
+    ],
+    "call": {
+      "org.freedesktop.portal.*": "*"
+    },
+    "broadcast": {
+      "org.freedesktop.portal.*": "@/org/freedesktop/portal/*"
+    },
+    "filter": true
+  },
+  "system_bus": {
+    "see": null,
+    "talk": [
+      "org.bluez",
+      "org.freedesktop.Avahi",
+      "org.freedesktop.UPower"
+    ],
+    "own": null,
+    "call": null,
+    "broadcast": null,
+    "filter": true
+  },
+  "extra_perms": [
+    {
+      "ensure": true,
+      "path": "/var/lib/hakurei/u0",
+      "x": true
+    },
+    {
+      "path": "/var/lib/hakurei/u0/org.chromium.Chromium",
+      "r": true,
+      "w": true,
+      "x": true
+    }
   ],
-  "pid": 3735928559,
+  "identity": 9,
-  "config": {
+  "groups": [
-    "id": "org.chromium.Chromium",
+    "video",
-    "enablements": {
+    "dialout",
-      "wayland": true,
+    "plugdev"
-      "dbus": true,
+  ],
-      "pulse": true
+  "container": {
+    "hostname": "localhost",
+    "wait_delay": -1,
+    "env": {
+      "GOOGLE_API_KEY": "AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY",
+      "GOOGLE_DEFAULT_CLIENT_ID": "77185425430.apps.googleusercontent.com",
+      "GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT"
     },
-    "session_bus": {
+    "filesystem": [
-      "see": null,
-      "talk": [
-        "org.freedesktop.Notifications",
-        "org.freedesktop.FileManager1",
-        "org.freedesktop.ScreenSaver",
-        "org.freedesktop.secrets",
-        "org.kde.kwalletd5",
-        "org.kde.kwalletd6",
-        "org.gnome.SessionManager"
-      ],
-      "own": [
-        "org.chromium.Chromium.*",
-        "org.mpris.MediaPlayer2.org.chromium.Chromium.*",
-        "org.mpris.MediaPlayer2.chromium.*"
-      ],
-      "call": {
-        "org.freedesktop.portal.*": "*"
-      },
-      "broadcast": {
-        "org.freedesktop.portal.*": "@/org/freedesktop/portal/*"
-      },
-      "filter": true
-    },
-    "system_bus": {
-      "see": null,
-      "talk": [
-        "org.bluez",
-        "org.freedesktop.Avahi",
-        "org.freedesktop.UPower"
-      ],
-      "own": null,
-      "call": null,
-      "broadcast": null,
-      "filter": true
-    },
-    "extra_perms": [
       {
-        "ensure": true,
+        "type": "bind",
-        "path": "/var/lib/hakurei/u0",
+        "dst": "/",
-        "x": true
+        "src": "/var/lib/hakurei/base/org.debian",
+        "write": true,
+        "special": true
       },
       {
-        "path": "/var/lib/hakurei/u0/org.chromium.Chromium",
+        "type": "bind",
-        "r": true,
+        "dst": "/etc/",
-        "w": true,
+        "src": "/etc/",
-        "x": true
+        "special": true
+      },
+      {
+        "type": "ephemeral",
+        "dst": "/tmp/",
+        "write": true,
+        "perm": 493
+      },
+      {
+        "type": "overlay",
+        "dst": "/nix/store",
+        "lower": [
+          "/var/lib/hakurei/base/org.nixos/ro-store"
+        ],
+        "upper": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/upper",
+        "work": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/work"
+      },
+      {
+        "type": "link",
+        "dst": "/run/current-system",
+        "linkname": "/run/current-system",
+        "dereference": true
+      },
+      {
+        "type": "link",
+        "dst": "/run/opengl-driver",
+        "linkname": "/run/opengl-driver",
+        "dereference": true
+      },
+      {
+        "type": "bind",
+        "dst": "/data/data/org.chromium.Chromium",
+        "src": "/var/lib/hakurei/u0/org.chromium.Chromium",
+        "write": true,
+        "ensure": true
+      },
+      {
+        "type": "bind",
+        "src": "/dev/dri",
+        "dev": true,
+        "optional": true
       }
     ],
-    "identity": 9,
+    "username": "chronos",
-    "groups": [
+    "shell": "/run/current-system/sw/bin/zsh",
-      "video",
+    "home": "/data/data/org.chromium.Chromium",
-      "dialout",
+    "path": "/run/current-system/sw/bin/chromium",
-      "plugdev"
+    "args": [
+      "chromium",
+      "--ignore-gpu-blocklist",
+      "--disable-smooth-scrolling",
+      "--enable-features=UseOzonePlatform",
+      "--ozone-platform=wayland"
     ],
-    "container": {
+    "seccomp_compat": true,
-      "hostname": "localhost",
+    "devel": true,
-      "wait_delay": -1,
+    "userns": true,
-      "seccomp_compat": true,
+    "host_net": true,
-      "devel": true,
+    "host_abstract": true,
-      "userns": true,
+    "tty": true,
-      "host_net": true,
+    "multiarch": true,
-      "host_abstract": true,
+    "map_real_uid": true,
-      "tty": true,
+    "device": true,
-      "multiarch": true,
+    "share_runtime": true,
-      "env": {
+    "share_tmpdir": true
-        "GOOGLE_API_KEY": "AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY",
-        "GOOGLE_DEFAULT_CLIENT_ID": "77185425430.apps.googleusercontent.com",
-        "GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT"
-      },
-      "map_real_uid": true,
-      "device": true,
-      "filesystem": [
-        {
-          "type": "bind",
-          "dst": "/",
-          "src": "/var/lib/hakurei/base/org.debian",
-          "write": true,
-          "special": true
-        },
-        {
-          "type": "bind",
-          "dst": "/etc/",
-          "src": "/etc/",
-          "special": true
-        },
-        {
-          "type": "ephemeral",
-          "dst": "/tmp/",
-          "write": true,
-          "perm": 493
-        },
-        {
-          "type": "overlay",
-          "dst": "/nix/store",
-          "lower": [
-            "/mnt-root/nix/.ro-store"
-          ],
-          "upper": "/mnt-root/nix/.rw-store/upper",
-          "work": "/mnt-root/nix/.rw-store/work"
-        },
-        {
-          "type": "bind",
-          "src": "/nix/store"
-        },
-        {
-          "type": "link",
-          "dst": "/run/current-system",
-          "linkname": "/run/current-system",
-          "dereference": true
-        },
-        {
-          "type": "link",
-          "dst": "/run/opengl-driver",
-          "linkname": "/run/opengl-driver",
-          "dereference": true
-        },
-        {
-          "type": "bind",
-          "dst": "/data/data/org.chromium.Chromium",
-          "src": "/var/lib/hakurei/u0/org.chromium.Chromium",
-          "write": true,
-          "ensure": true
-        },
-        {
-          "type": "bind",
-          "src": "/dev/dri",
-          "dev": true,
-          "optional": true
-        }
-      ],
-      "username": "chronos",
-      "shell": "/run/current-system/sw/bin/zsh",
-      "home": "/data/data/org.chromium.Chromium",
-      "path": "/run/current-system/sw/bin/chromium",
-      "args": [
-        "chromium",
-        "--ignore-gpu-blocklist",
-        "--disable-smooth-scrolling",
-        "--enable-features=UseOzonePlatform",
-        "--ozone-platform=wayland"
-      ]
-    }
   },
   "time": "1970-01-01T00:00:00.000000009Z"
 }
@@ -406,20 +426,11 @@ App
   "container": {
     "hostname": "localhost",
     "wait_delay": -1,
-    "seccomp_compat": true,
-    "devel": true,
-    "userns": true,
-    "host_net": true,
-    "host_abstract": true,
-    "tty": true,
-    "multiarch": true,
     "env": {
       "GOOGLE_API_KEY": "AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY",
       "GOOGLE_DEFAULT_CLIENT_ID": "77185425430.apps.googleusercontent.com",
       "GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT"
     },
-    "map_real_uid": true,
-    "device": true,
     "filesystem": [
       {
         "type": "bind",
@@ -444,14 +455,10 @@ App
         "type": "overlay",
         "dst": "/nix/store",
         "lower": [
-          "/mnt-root/nix/.ro-store"
+          "/var/lib/hakurei/base/org.nixos/ro-store"
         ],
-        "upper": "/mnt-root/nix/.rw-store/upper",
+        "upper": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/upper",
-        "work": "/mnt-root/nix/.rw-store/work"
+        "work": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/work"
-      },
-      {
-        "type": "bind",
-        "src": "/nix/store"
       },
       {
         "type": "link",
@@ -489,7 +496,18 @@ App
       "--disable-smooth-scrolling",
       "--enable-features=UseOzonePlatform",
       "--ozone-platform=wayland"
-    ]
+    ],
+    "seccomp_compat": true,
+    "devel": true,
+    "userns": true,
+    "host_net": true,
+    "host_abstract": true,
+    "tty": true,
+    "multiarch": true,
+    "map_real_uid": true,
+    "device": true,
+    "share_runtime": true,
+    "share_tmpdir": true
   }
 }
 `, true},
@@ -497,6 +515,8 @@ App
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
 			output := new(strings.Builder)
 			gotValid := printShowInstance(output, testTime, tc.instance, tc.config, tc.short, tc.json)
 			if got := output.String(); got != tc.want {
@@ -511,222 +531,247 @@ App
 }
 
 func TestPrintPs(t *testing.T) {
+	t.Parallel()
+
 	testCases := []struct {
 		name        string
-		entries     state.Entries
+		data        []hst.State
 		short, json bool
-		want        string
+		want, log   string
 	}{
-		{"no entries", make(state.Entries), false, false, "    Instance    PID    Application    Uptime\n"},
+		{"no entries", []hst.State{}, false, false, "    Instance    PID    Application    Uptime\n", ""},
-		{"no entries short", make(state.Entries), true, false, ""},
+		{"no entries short", []hst.State{}, true, false, "", ""},
-		{"nil instance", state.Entries{testID: nil}, false, false, "    Instance    PID    Application    Uptime\n"},
-		{"state corruption", state.Entries{state.ID{}: testState}, false, false, "    Instance    PID    Application    Uptime\n"},
 
-		{"valid pd", state.Entries{testID: &state.State{ID: testID, PID: 1 << 8, Config: new(hst.Config), Time: testAppTime}}, false, false, `    Instance    PID    Application                 Uptime
+		{"invalid config", []hst.State{{ID: testID, PID: 1 << 8, Config: new(hst.Config), Time: testAppTime}}, false, false, "    Instance    PID    Application    Uptime\n", "check: configuration missing container state\n"},
-    8e2c76b0    256    0 (app.hakurei.8e2c76b0)    1h2m32s
-`},
 
-		{"valid", state.Entries{testID: testState}, false, false, `    Instance    PID           Application                  Uptime
+		{"valid", []hst.State{testStateSmall, testState}, false, false, `    Instance    PID      Application                  Uptime
-    8e2c76b0    3735928559    9 (org.chromium.Chromium)    1h2m32s
+    4cf073bd    51966    9 (org.chromium.Chromium)    1h2m32s
-`},
+    aaaaaaaa    48879    1 (app.hakurei.aaaaaaaa)     1h2m28s
-		{"valid short", state.Entries{testID: testState}, true, false, "8e2c76b0\n"},
+`, ""},
-		{"valid json", state.Entries{testID: testState}, false, true, `{
+		{"valid single", []hst.State{testState}, false, false, `    Instance    PID      Application                  Uptime
-  "8e2c76b066dabe574cf073bdb46eb5c1": {
+    4cf073bd    51966    9 (org.chromium.Chromium)    1h2m32s
-    "instance": [
+`, ""},
-      142,
+
-      44,
+		{"valid short", []hst.State{testStateSmall, testState}, true, false, "4cf073bd\naaaaaaaa\n", ""},
-      118,
+		{"valid short single", []hst.State{testState}, true, false, "4cf073bd\n", ""},
-      176,
+
-      102,
+		{"valid json", []hst.State{testState, testStateSmall}, false, true, `[
-      218,
+  {
-      190,
+    "instance": "8e2c76b066dabe574cf073bdb46eb5c1",
-      87,
+    "pid": 51966,
-      76,
+    "shim_pid": 57005,
-      240,
+    "id": "org.chromium.Chromium",
-      115,
+    "enablements": {
-      189,
+      "wayland": true,
-      180,
+      "dbus": true,
-      110,
+      "pulse": true
-      181,
+    },
-      193
+    "session_bus": {
+      "see": null,
+      "talk": [
+        "org.freedesktop.Notifications",
+        "org.freedesktop.FileManager1",
+        "org.freedesktop.ScreenSaver",
+        "org.freedesktop.secrets",
+        "org.kde.kwalletd5",
+        "org.kde.kwalletd6",
+        "org.gnome.SessionManager"
+      ],
+      "own": [
+        "org.chromium.Chromium.*",
+        "org.mpris.MediaPlayer2.org.chromium.Chromium.*",
+        "org.mpris.MediaPlayer2.chromium.*"
+      ],
+      "call": {
+        "org.freedesktop.portal.*": "*"
+      },
+      "broadcast": {
+        "org.freedesktop.portal.*": "@/org/freedesktop/portal/*"
+      },
+      "filter": true
+    },
+    "system_bus": {
+      "see": null,
+      "talk": [
+        "org.bluez",
+        "org.freedesktop.Avahi",
+        "org.freedesktop.UPower"
+      ],
+      "own": null,
+      "call": null,
+      "broadcast": null,
+      "filter": true
+    },
+    "extra_perms": [
+      {
+        "ensure": true,
+        "path": "/var/lib/hakurei/u0",
+        "x": true
+      },
+      {
+        "path": "/var/lib/hakurei/u0/org.chromium.Chromium",
+        "r": true,
+        "w": true,
+        "x": true
+      }
     ],
-    "pid": 3735928559,
+    "identity": 9,
-    "config": {
+    "groups": [
-      "id": "org.chromium.Chromium",
+      "video",
-      "enablements": {
+      "dialout",
-        "wayland": true,
+      "plugdev"
-        "dbus": true,
+    ],
-        "pulse": true
+    "container": {
+      "hostname": "localhost",
+      "wait_delay": -1,
+      "env": {
+        "GOOGLE_API_KEY": "AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY",
+        "GOOGLE_DEFAULT_CLIENT_ID": "77185425430.apps.googleusercontent.com",
+        "GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT"
       },
-      "session_bus": {
+      "filesystem": [
-        "see": null,
-        "talk": [
-          "org.freedesktop.Notifications",
-          "org.freedesktop.FileManager1",
-          "org.freedesktop.ScreenSaver",
-          "org.freedesktop.secrets",
-          "org.kde.kwalletd5",
-          "org.kde.kwalletd6",
-          "org.gnome.SessionManager"
-        ],
-        "own": [
-          "org.chromium.Chromium.*",
-          "org.mpris.MediaPlayer2.org.chromium.Chromium.*",
-          "org.mpris.MediaPlayer2.chromium.*"
-        ],
-        "call": {
-          "org.freedesktop.portal.*": "*"
-        },
-        "broadcast": {
-          "org.freedesktop.portal.*": "@/org/freedesktop/portal/*"
-        },
-        "filter": true
-      },
-      "system_bus": {
-        "see": null,
-        "talk": [
-          "org.bluez",
-          "org.freedesktop.Avahi",
-          "org.freedesktop.UPower"
-        ],
-        "own": null,
-        "call": null,
-        "broadcast": null,
-        "filter": true
-      },
-      "extra_perms": [
         {
-          "ensure": true,
+          "type": "bind",
-          "path": "/var/lib/hakurei/u0",
+          "dst": "/",
-          "x": true
+          "src": "/var/lib/hakurei/base/org.debian",
+          "write": true,
+          "special": true
         },
         {
-          "path": "/var/lib/hakurei/u0/org.chromium.Chromium",
+          "type": "bind",
-          "r": true,
+          "dst": "/etc/",
-          "w": true,
+          "src": "/etc/",
-          "x": true
+          "special": true
+        },
+        {
+          "type": "ephemeral",
+          "dst": "/tmp/",
+          "write": true,
+          "perm": 493
+        },
+        {
+          "type": "overlay",
+          "dst": "/nix/store",
+          "lower": [
+            "/var/lib/hakurei/base/org.nixos/ro-store"
+          ],
+          "upper": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/upper",
+          "work": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/work"
+        },
+        {
+          "type": "link",
+          "dst": "/run/current-system",
+          "linkname": "/run/current-system",
+          "dereference": true
+        },
+        {
+          "type": "link",
+          "dst": "/run/opengl-driver",
+          "linkname": "/run/opengl-driver",
+          "dereference": true
+        },
+        {
+          "type": "bind",
+          "dst": "/data/data/org.chromium.Chromium",
+          "src": "/var/lib/hakurei/u0/org.chromium.Chromium",
+          "write": true,
+          "ensure": true
+        },
+        {
+          "type": "bind",
+          "src": "/dev/dri",
+          "dev": true,
+          "optional": true
         }
       ],
-      "identity": 9,
+      "username": "chronos",
-      "groups": [
+      "shell": "/run/current-system/sw/bin/zsh",
-        "video",
+      "home": "/data/data/org.chromium.Chromium",
-        "dialout",
+      "path": "/run/current-system/sw/bin/chromium",
-        "plugdev"
+      "args": [
+        "chromium",
+        "--ignore-gpu-blocklist",
+        "--disable-smooth-scrolling",
+        "--enable-features=UseOzonePlatform",
+        "--ozone-platform=wayland"
       ],
-      "container": {
+      "seccomp_compat": true,
-        "hostname": "localhost",
+      "devel": true,
-        "wait_delay": -1,
+      "userns": true,
-        "seccomp_compat": true,
+      "host_net": true,
-        "devel": true,
+      "host_abstract": true,
-        "userns": true,
+      "tty": true,
-        "host_net": true,
+      "multiarch": true,
-        "host_abstract": true,
+      "map_real_uid": true,
-        "tty": true,
+      "device": true,
-        "multiarch": true,
+      "share_runtime": true,
-        "env": {
+      "share_tmpdir": true
-          "GOOGLE_API_KEY": "AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY",
-          "GOOGLE_DEFAULT_CLIENT_ID": "77185425430.apps.googleusercontent.com",
-          "GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT"
-        },
-        "map_real_uid": true,
-        "device": true,
-        "filesystem": [
-          {
-            "type": "bind",
-            "dst": "/",
-            "src": "/var/lib/hakurei/base/org.debian",
-            "write": true,
-            "special": true
-          },
-          {
-            "type": "bind",
-            "dst": "/etc/",
-            "src": "/etc/",
-            "special": true
-          },
-          {
-            "type": "ephemeral",
-            "dst": "/tmp/",
-            "write": true,
-            "perm": 493
-          },
-          {
-            "type": "overlay",
-            "dst": "/nix/store",
-            "lower": [
-              "/mnt-root/nix/.ro-store"
-            ],
-            "upper": "/mnt-root/nix/.rw-store/upper",
-            "work": "/mnt-root/nix/.rw-store/work"
-          },
-          {
-            "type": "bind",
-            "src": "/nix/store"
-          },
-          {
-            "type": "link",
-            "dst": "/run/current-system",
-            "linkname": "/run/current-system",
-            "dereference": true
-          },
-          {
-            "type": "link",
-            "dst": "/run/opengl-driver",
-            "linkname": "/run/opengl-driver",
-            "dereference": true
-          },
-          {
-            "type": "bind",
-            "dst": "/data/data/org.chromium.Chromium",
-            "src": "/var/lib/hakurei/u0/org.chromium.Chromium",
-            "write": true,
-            "ensure": true
-          },
-          {
-            "type": "bind",
-            "src": "/dev/dri",
-            "dev": true,
-            "optional": true
-          }
-        ],
-        "username": "chronos",
-        "shell": "/run/current-system/sw/bin/zsh",
-        "home": "/data/data/org.chromium.Chromium",
-        "path": "/run/current-system/sw/bin/chromium",
-        "args": [
-          "chromium",
-          "--ignore-gpu-blocklist",
-          "--disable-smooth-scrolling",
-          "--enable-features=UseOzonePlatform",
-          "--ozone-platform=wayland"
-        ]
-      }
     },
     "time": "1970-01-01T00:00:00.000000009Z"
+  },
+  {
+    "instance": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+    "pid": 48879,
+    "shim_pid": 51966,
+    "enablements": {
+      "wayland": true,
+      "pulse": true
+    },
+    "identity": 1,
+    "groups": null,
+    "container": {
+      "env": null,
+      "filesystem": null,
+      "shell": "/bin/sh",
+      "home": "/data/data/uk.gensokyo.cat",
+      "path": "/usr/bin/cat",
+      "args": [
+        "cat"
+      ],
+      "userns": true,
+      "map_real_uid": false
+    },
+    "time": "1970-01-01T00:00:03.735928559Z"
   }
-}
+]
-`},
+`, ""},
-		{"valid short json", state.Entries{testID: testState}, true, true, `["8e2c76b066dabe574cf073bdb46eb5c1"]
+		{"valid short json", []hst.State{testStateSmall, testState}, true, true, `["8e2c76b066dabe574cf073bdb46eb5c1","aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]
-`},
+`, ""},
 	}
 
 	for _, tc := range testCases {
+		s := store.New(check.MustAbs(t.TempDir()).Append("store"))
+		for i := range tc.data {
+			if h, err := s.Handle(tc.data[i].Identity); err != nil {
+				t.Fatalf("Handle: error = %v", err)
+			} else {
+				var unlock func()
+				if unlock, err = h.Lock(); err != nil {
+					t.Fatalf("Lock: error = %v", err)
+				}
+				_, err = h.Save(&tc.data[i])
+				unlock()
+				if err != nil {
+					t.Fatalf("Save: error = %v", err)
+				}
+			}
+		}
+
+		// store must not be written to beyond this point
 		t.Run(tc.name, func(t *testing.T) {
-			output := new(strings.Builder)
+			t.Parallel()
-			printPs(output, testTime, stubStore(tc.entries), tc.short, tc.json)
+
-			if got := output.String(); got != tc.want {
+			var printBuf, logBuf bytes.Buffer
-				t.Errorf("printPs: got\n%s\nwant\n%s",
+			msg := message.New(log.New(&logBuf, "check: ", 0))
-					got, tc.want)
+			msg.SwapVerbose(true)
+			printPs(msg, &printBuf, testTime, s, tc.short, tc.json)
+			if got := printBuf.String(); got != tc.want {
+				t.Errorf("printPs:\n%s\nwant\n%s", got, tc.want)
 				return
 			}
+			if got := logBuf.String(); got != tc.log {
+				t.Errorf("msg:\n%s\nwant\n%s", got, tc.log)
+			}
 		})
 	}
 }
-
-// stubStore implements [state.Store] and returns test samples via [state.Joiner].
-type stubStore state.Entries
-
-func (s stubStore) Join() (state.Entries, error)               { return state.Entries(s), nil }
-func (s stubStore) Do(int, func(c state.Cursor)) (bool, error) { panic("unreachable") }
-func (s stubStore) List() ([]int, error)                       { panic("unreachable") }
-func (s stubStore) Close() error                               { return nil }

cmd/hpkg/app.go

@@ -76,22 +76,14 @@ func (app *appInfo) toHst(pathSet *appPathSet, pathname *check.Absolute, argv []
 		Groups:   app.Groups,
 
 		Container: &hst.ContainerConfig{
-			Hostname:     formatHostname(app.Name),
+			Hostname: formatHostname(app.Name),
-			Devel:        app.Devel,
-			Userns:       app.Userns,
-			HostNet:      app.HostNet,
-			HostAbstract: app.HostAbstract,
-			Device:       app.Device,
-			Tty:          app.Tty || flagDropShell,
-			MapRealUID:   app.MapRealUID,
-			Multiarch:    app.Multiarch,
 			Filesystem: []hst.FilesystemConfigJSON{
 				{FilesystemConfig: &hst.FSBind{Target: fhs.AbsEtc, Source: pathSet.cacheDir.Append("etc"), Special: true}},
 				{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath.Append("store"), Target: pathNixStore}},
 				{FilesystemConfig: &hst.FSLink{Target: pathCurrentSystem, Linkname: app.CurrentSystem.String()}},
 				{FilesystemConfig: &hst.FSLink{Target: pathBin, Linkname: pathSwBin.String()}},
 				{FilesystemConfig: &hst.FSLink{Target: fhs.AbsUsrBin, Linkname: pathSwBin.String()}},
-				{FilesystemConfig: &hst.FSBind{Source: pathSet.metaPath, Target: hst.AbsTmp.Append("app")}},
+				{FilesystemConfig: &hst.FSBind{Source: pathSet.metaPath, Target: hst.AbsPrivateTmp.Append("app")}},
 				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsEtc.Append("resolv.conf"), Optional: true}},
 				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("block"), Optional: true}},
 				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("bus"), Optional: true}},
@@ -108,11 +100,37 @@ func (app *appInfo) toHst(pathSet *appPathSet, pathname *check.Absolute, argv []
 			Path: pathname,
 			Args: argv,
 		},
-		ExtraPerms: []*hst.ExtraPermConfig{
+		ExtraPerms: []hst.ExtraPermConfig{
 			{Path: dataHome, Execute: true},
 			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
 		},
 	}
+
+	if app.Devel {
+		config.Container.Flags |= hst.FDevel
+	}
+	if app.Userns {
+		config.Container.Flags |= hst.FUserns
+	}
+	if app.HostNet {
+		config.Container.Flags |= hst.FHostNet
+	}
+	if app.HostAbstract {
+		config.Container.Flags |= hst.FHostAbstract
+	}
+	if app.Device {
+		config.Container.Flags |= hst.FDevice
+	}
+	if app.Tty || flagDropShell {
+		config.Container.Flags |= hst.FTty
+	}
+	if app.MapRealUID {
+		config.Container.Flags |= hst.FMapRealUID
+	}
+	if app.Multiarch {
+		config.Container.Flags |= hst.FMultiarch
+	}
+	config.Container.Flags |= hst.FShareRuntime | hst.FShareTmpdir
 	return config
 }
 

cmd/hpkg/main.go

@@ -11,10 +11,10 @@ import (
 	"syscall"
 
 	"hakurei.app/command"
-	"hakurei.app/container"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
+	"hakurei.app/message"
 )
 
 var (
@@ -24,7 +24,7 @@ var (
 func main() {
 	log.SetPrefix("hpkg: ")
 	log.SetFlags(0)
-	msg := container.NewMsg(log.Default())
+	msg := message.New(log.Default())
 
 	if err := os.Setenv("SHELL", pathShell.String()); err != nil {
 		log.Fatalf("cannot set $SHELL: %v", err)
@@ -162,7 +162,7 @@ func main() {
 
 			withCacheDir(ctx, msg, "install", []string{
 				// export inner bundle path in the environment
-				"export BUNDLE=" + hst.Tmp + "/bundle",
+				"export BUNDLE=" + hst.PrivateTmp + "/bundle",
 				// replace inner /etc
 				"mkdir -p etc",
 				"chmod -R +w etc",
@@ -309,7 +309,7 @@ func main() {
 
 			if a.GPU {
 				config.Container.Filesystem = append(config.Container.Filesystem,
-					hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath.Append(".nixGL"), Target: hst.AbsTmp.Append("nixGL")}})
+					hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath.Append(".nixGL"), Target: hst.AbsPrivateTmp.Append("nixGL")}})
 				appendGPUFilesystem(config)
 			}
 

cmd/hpkg/paths.go

@@ -7,10 +7,10 @@ import (
 	"strconv"
 	"sync/atomic"
 
-	"hakurei.app/container"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
+	"hakurei.app/message"
 )
 
 const bash = "bash"
@@ -52,7 +52,7 @@ func lookPath(file string) string {
 
 var beforeRunFail = new(atomic.Pointer[func()])
 
-func mustRun(msg container.Msg, name string, arg ...string) {
+func mustRun(msg message.Msg, name string, arg ...string) {
 	msg.Verbosef("spawning process: %q %q", name, arg)
 	cmd := exec.Command(name, arg...)
 	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr

cmd/hpkg/proc.go

@@ -9,14 +9,14 @@ import (
 	"os"
 	"os/exec"
 
-	"hakurei.app/container"
 	"hakurei.app/hst"
 	"hakurei.app/internal"
+	"hakurei.app/message"
 )
 
-var hakureiPath = internal.MustHakureiPath()
+var hakureiPathVal = internal.MustHakureiPath().String()
 
-func mustRunApp(ctx context.Context, msg container.Msg, config *hst.Config, beforeFail func()) {
+func mustRunApp(ctx context.Context, msg message.Msg, config *hst.Config, beforeFail func()) {
 	var (
 		cmd *exec.Cmd
 		st  io.WriteCloser
@@ -27,9 +27,9 @@ func mustRunApp(ctx context.Context, msg container.Msg, config *hst.Config, befo
 		log.Fatalf("cannot pipe: %v", err)
 	} else {
 		if msg.IsVerbose() {
-			cmd = exec.CommandContext(ctx, hakureiPath.String(), "-v", "app", "3")
+			cmd = exec.CommandContext(ctx, hakureiPathVal, "-v", "app", "3")
 		} else {
-			cmd = exec.CommandContext(ctx, hakureiPath.String(), "app", "3")
+			cmd = exec.CommandContext(ctx, hakureiPathVal, "app", "3")
 		}
 		cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
 		cmd.ExtraFiles = []*os.File{r}

cmd/hpkg/test/test.py

@@ -58,15 +58,13 @@ def check_state(name, enablements):
     instances = json.loads(machine.succeed("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 hakurei --json ps"))
     if len(instances) != 1:
         raise Exception(f"unexpected state length {len(instances)}")
-    instance = next(iter(instances.values()))
+    instance = instances[0]
 
-    config = instance['config']
+    if len(instance['container']['args']) != 1 or not (instance['container']['args'][0].startswith("/nix/store/")) or f"hakurei-{name}-" not in (instance['container']['args'][0]):
+        raise Exception(f"unexpected args {instance['container']['args']}")
 
-    if len(config['container']['args']) != 1 or not (config['container']['args'][0].startswith("/nix/store/")) or f"hakurei-{name}-" not in (config['container']['args'][0]):
+    if instance['enablements'] != enablements:
-        raise Exception(f"unexpected args {config['container']['args']}")
+        raise Exception(f"unexpected enablements {instance['enablements']}")
-
-    if config['enablements'] != enablements:
-        raise Exception(f"unexpected enablements {config['enablements']}")
 
 
 start_all()
@@ -94,15 +92,19 @@ machine.wait_for_file("/tmp/hakurei.0/tmpdir/2/success-client")
 collect_state_ui("app_wayland")
 check_state("foot", {"wayland": True, "dbus": True, "pulse": True})
 # Verify acl on XDG_RUNTIME_DIR:
-print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000002"))
+print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 10002"))
 machine.send_chars("exit\n")
 machine.wait_until_fails("pgrep foot")
 # Verify acl cleanup on XDG_RUNTIME_DIR:
-machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000002")
+machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 10002")
 
 # Exit Sway and verify process exit status 0:
 swaymsg("exit", succeed=False)
 machine.wait_for_file("/tmp/sway-exit-ok")
 
-# Print hakurei runDir contents:
+# Print hakurei share and rundir contents:
-print(machine.succeed("find /run/user/1000/hakurei"))
+print(machine.succeed("find /tmp/hakurei.0 "
+    + "-path '/tmp/hakurei.0/runtime/*/*' -prune -o "
+    + "-path '/tmp/hakurei.0/tmpdir/*/*' -prune -o "
+    + "-print"))
+print(machine.succeed("find /run/user/1000/hakurei"))

cmd/hpkg/with.go

@@ -5,22 +5,30 @@ import (
 	"os"
 	"strings"
 
-	"hakurei.app/container"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
+	"hakurei.app/message"
 )
 
 func withNixDaemon(
 	ctx context.Context,
-	msg container.Msg,
+	msg message.Msg,
 	action string, command []string, net bool, updateConfig func(config *hst.Config) *hst.Config,
 	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func(),
 ) {
+	flags := hst.FMultiarch | hst.FUserns // nix sandbox requires userns
+	if net {
+		flags |= hst.FHostNet
+	}
+	if dropShell {
+		flags |= hst.FTty
+	}
+
 	mustRunAppDropShell(ctx, msg, updateConfig(&hst.Config{
 		ID: app.ID,
 
-		ExtraPerms: []*hst.ExtraPermConfig{
+		ExtraPerms: []hst.ExtraPermConfig{
 			{Path: dataHome, Execute: true},
 			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
 		},
@@ -28,11 +36,8 @@ func withNixDaemon(
 		Identity: app.Identity,
 
 		Container: &hst.ContainerConfig{
-			Hostname:  formatHostname(app.Name) + "-" + action,
+			Hostname: formatHostname(app.Name) + "-" + action,
-			Userns:    true, // nix sandbox requires userns
+
-			HostNet:   net,
-			Multiarch: true,
-			Tty:       dropShell,
 			Filesystem: []hst.FilesystemConfigJSON{
 				{FilesystemConfig: &hst.FSBind{Target: fhs.AbsEtc, Source: pathSet.cacheDir.Append("etc"), Special: true}},
 				{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath, Target: pathNix, Write: true}},
@@ -58,19 +63,27 @@ func withNixDaemon(
 				// terminate nix-daemon
 				" && pkill nix-daemon",
 			},
+
+			Flags: flags,
 		},
 	}), dropShell, beforeFail)
 }
 
 func withCacheDir(
 	ctx context.Context,
-	msg container.Msg,
+	msg message.Msg,
 	action string, command []string, workDir *check.Absolute,
-	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func()) {
+	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func(),
+) {
+	flags := hst.FMultiarch
+	if dropShell {
+		flags |= hst.FTty
+	}
+
 	mustRunAppDropShell(ctx, msg, &hst.Config{
 		ID: app.ID,
 
-		ExtraPerms: []*hst.ExtraPermConfig{
+		ExtraPerms: []hst.ExtraPermConfig{
 			{Path: dataHome, Execute: true},
 			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
 			{Path: workDir, Execute: true},
@@ -79,16 +92,15 @@ func withCacheDir(
 		Identity: app.Identity,
 
 		Container: &hst.ContainerConfig{
-			Hostname:  formatHostname(app.Name) + "-" + action,
+			Hostname: formatHostname(app.Name) + "-" + action,
-			Multiarch: true,
+
-			Tty:       dropShell,
 			Filesystem: []hst.FilesystemConfigJSON{
 				{FilesystemConfig: &hst.FSBind{Target: fhs.AbsEtc, Source: workDir.Append(fhs.Etc), Special: true}},
 				{FilesystemConfig: &hst.FSBind{Source: workDir.Append("nix"), Target: pathNix}},
 				{FilesystemConfig: &hst.FSLink{Target: pathCurrentSystem, Linkname: app.CurrentSystem.String()}},
 				{FilesystemConfig: &hst.FSLink{Target: pathBin, Linkname: pathSwBin.String()}},
 				{FilesystemConfig: &hst.FSLink{Target: fhs.AbsUsrBin, Linkname: pathSwBin.String()}},
-				{FilesystemConfig: &hst.FSBind{Source: workDir, Target: hst.AbsTmp.Append("bundle")}},
+				{FilesystemConfig: &hst.FSBind{Source: workDir, Target: hst.AbsPrivateTmp.Append("bundle")}},
 				{FilesystemConfig: &hst.FSBind{Target: pathDataData.Append(app.ID, "cache"), Source: pathSet.cacheDir, Write: true, Ensure: true}},
 			},
 
@@ -98,11 +110,13 @@ func withCacheDir(
 
 			Path: pathShell,
 			Args: []string{bash, "-lc", strings.Join(command, " && ")},
+
+			Flags: flags,
 		},
 	}, dropShell, beforeFail)
 }
 
-func mustRunAppDropShell(ctx context.Context, msg container.Msg, config *hst.Config, dropShell bool, beforeFail func()) {
+func mustRunAppDropShell(ctx context.Context, msg message.Msg, config *hst.Config, dropShell bool, beforeFail func()) {
 	if dropShell {
 		if config.Container != nil {
 			config.Container.Args = []string{bash, "-l"}

cmd/hsu/hst.go

@@ -0,0 +1,16 @@
+package main
+
+/* copied from hst and must never be changed */
+
+const (
+	userOffset = 100000
+	rangeSize  = userOffset / 10
+
+	identityStart = 0
+	identityEnd   = appEnd - appStart
+
+	appStart = rangeSize * 1
+	appEnd   = appStart + rangeSize - 1
+)
+
+func toUser(userid, appid uint32) uint32 { return userid*userOffset + appStart + appid }

cmd/hsu/main.go

@@ -8,6 +8,7 @@ import (
 	"log"
 	"os"
 	"path"
+	"runtime"
 	"slices"
 	"strconv"
 	"strings"
@@ -15,18 +16,23 @@ import (
 )
 
 const (
-	hsuConfFile = "/etc/hsurc"
+	// envIdentity is the name of the environment variable holding a
-	envShim     = "HAKUREI_SHIM"
+	// single byte representing the shim setup pipe file descriptor.
-	envIdentity = "HAKUREI_IDENTITY"
+	envShim = "HAKUREI_SHIM"
-	envGroups   = "HAKUREI_GROUPS"
+	// envGroups holds a ' ' separated list of string representations of
-
+	// supplementary group gid. Membership requirements are enforced.
-	PR_SET_NO_NEW_PRIVS = 0x26
+	envGroups = "HAKUREI_GROUPS"
-
-	identityMin = 0
-	identityMax = 9999
 )
 
+// hakureiPath is the absolute path to Hakurei.
+//
+// This is set by the linker.
+var hakureiPath string
+
 func main() {
+	const PR_SET_NO_NEW_PRIVS = 0x26
+	runtime.LockOSThread()
+
 	log.SetFlags(0)
 	log.SetPrefix("hsu: ")
 	log.SetOutput(os.Stderr)
@@ -43,25 +49,25 @@ func main() {
 		log.Fatal("this program must not be started by root")
 	}
 
+	if !path.IsAbs(hakureiPath) {
+		log.Fatal("this program is compiled incorrectly")
+		return
+	}
+
 	var toolPath string
 	pexe := path.Join("/proc", strconv.Itoa(os.Getppid()), "exe")
 	if p, err := os.Readlink(pexe); err != nil {
 		log.Fatalf("cannot read parent executable path: %v", err)
 	} else if strings.HasSuffix(p, " (deleted)") {
 		log.Fatal("hakurei executable has been deleted")
-	} else if p != mustCheckPath(hmain) {
+	} else if p != hakureiPath {
 		log.Fatal("this program must be started by hakurei")
 	} else {
 		toolPath = p
 	}
 
-	// uid = 1000000 +
-	//    id * 10000 +
-	//      identity
-	uid := 1000000
-
 	// refuse to run if hsurc is not protected correctly
-	if s, err := os.Stat(hsuConfFile); err != nil {
+	if s, err := os.Stat(hsuConfPath); err != nil {
 		log.Fatal(err)
 	} else if s.Mode().Perm() != 0400 {
 		log.Fatal("bad hsurc perm")
@@ -70,25 +76,13 @@ func main() {
 	}
 
 	// authenticate before accepting user input
-	var id int
+	userid := mustParseConfig(puid)
-	if f, err := os.Open(hsuConfFile); err != nil {
-		log.Fatal(err)
-	} else if v, ok := mustParseConfig(f, puid); !ok {
-		log.Fatalf("uid %d is not in the hsurc file", puid)
-	} else {
-		id = v
-		if err = f.Close(); err != nil {
-			log.Fatal(err)
-		}
-
-		uid += id * 10000
-	}
 
 	// pass through setup fd to shim
 	var shimSetupFd string
 	if s, ok := os.LookupEnv(envShim); !ok {
 		// hakurei requests hsurc user id
-		fmt.Print(id)
+		fmt.Print(userid)
 		os.Exit(0)
 	} else if len(s) != 1 || s[0] > '9' || s[0] < '3' {
 		log.Fatal("HAKUREI_SHIM holds an invalid value")
@@ -96,13 +90,22 @@ func main() {
 		shimSetupFd = s
 	}
 
-	// allowed identity range 0 to 9999
+	// start is going ahead at this point
-	if as, ok := os.LookupEnv(envIdentity); !ok {
+	identity := mustReadIdentity()
-		log.Fatal("HAKUREI_IDENTITY not set")
+
-	} else if identity, err := parseUint32Fast(as); err != nil || identity < identityMin || identity > identityMax {
+	const (
-		log.Fatal("invalid identity")
+		// first possible uid outcome
-	} else {
+		uidStart = 10000
-		uid += identity
+		// last possible uid outcome
+		uidEnd = 999919999
+	)
+
+	// cast to int for use with library functions
+	uid := int(toUser(userid, identity))
+
+	// final bounds check to catch any bugs
+	if uid < uidStart || uid >= uidEnd {
+		panic("uid out of bounds")
 	}
 
 	// supplementary groups
@@ -132,11 +135,6 @@ func main() {
 		suppGroups = []int{uid}
 	}
 
-	// final bounds check to catch any bugs
-	if uid < 1000000 || uid >= 2000000 {
-		panic("uid out of bounds")
-	}
-
 	// careful! users in the allowlist is effectively allowed to drop groups via hsu
 
 	if err := syscall.Setresgid(uid, uid, uid); err != nil {

cmd/hsu/package.nix

@@ -19,5 +19,5 @@ buildGoModule {
   ldflags = lib.attrsets.foldlAttrs (
     ldflags: name: value:
     ldflags ++ [ "-X main.${name}=${value}" ]
-  ) [ "-s -w" ] { hmain = "${hakurei}/libexec/hakurei"; };
+  ) [ "-s -w" ] { hakureiPath = "${hakurei}/libexec/hakurei"; };
 }

cmd/hsu/parse.go

@@ -6,62 +6,128 @@ import (
 	"fmt"
 	"io"
 	"log"
+	"math"
+	"os"
 	"strings"
 )
 
-func parseUint32Fast(s string) (int, error) {
+const (
+	// useridStart is the first userid.
+	useridStart = 0
+	// useridEnd is the last userid.
+	useridEnd = useridStart + rangeSize - 1
+)
+
+// parseUint32Fast parses a string representation of an unsigned 32-bit integer value
+// using the fast path only. This limits the range of values it is defined in.
+func parseUint32Fast(s string) (uint32, error) {
 	sLen := len(s)
 	if sLen < 1 {
-		return -1, errors.New("zero length string")
+		return 0, errors.New("zero length string")
 	}
 	if sLen > 10 {
-		return -1, errors.New("string too long")
+		return 0, errors.New("string too long")
 	}
 
-	n := 0
+	var n uint32
 	for i, ch := range []byte(s) {
 		ch -= '0'
 		if ch > 9 {
-			return -1, fmt.Errorf("invalid character '%s' at index %d", string(ch+'0'), i)
+			return 0, fmt.Errorf("invalid character '%s' at index %d", string(ch+'0'), i)
 		}
-		n = n*10 + int(ch)
+		n = n*10 + uint32(ch)
 	}
 	return n, nil
 }
 
-func parseConfig(r io.Reader, puid int) (fid int, ok bool, err error) {
+// parseConfig reads a list of allowed users from r until it encounters puid or [io.EOF].
+//
+// Each line of the file specifies a hakurei userid to kernel uid mapping. A line consists
+// of the string representation of the uid of the user wishing to start hakurei containers,
+// followed by a space, followed by the string representation of its userid. Duplicate uid
+// entries are ignored, with the first occurrence taking effect.
+//
+// All string representations are parsed by calling parseUint32Fast.
+func parseConfig(r io.Reader, puid uint32) (userid uint32, ok bool, err error) {
 	s := bufio.NewScanner(r)
-	var line, puid0 int
+	var (
+		line  uintptr
+		puid0 uint32
+	)
 	for s.Scan() {
 		line++
 
-		// <puid> <fid>
+		// <puid> <userid>
 		lf := strings.SplitN(s.Text(), " ", 2)
 		if len(lf) != 2 {
-			return -1, false, fmt.Errorf("invalid entry on line %d", line)
+			return useridEnd + 1, false, fmt.Errorf("invalid entry on line %d", line)
 		}
 
 		puid0, err = parseUint32Fast(lf[0])
 		if err != nil || puid0 < 1 {
-			return -1, false, fmt.Errorf("invalid parent uid on line %d", line)
+			return useridEnd + 1, false, fmt.Errorf("invalid parent uid on line %d", line)
 		}
 
 		ok = puid0 == puid
 		if ok {
-			// allowed fid range 0 to 99
+			// userid bound to a range, uint32 size allows this to be increased if needed
-			if fid, err = parseUint32Fast(lf[1]); err != nil || fid < 0 || fid > 99 {
+			if userid, err = parseUint32Fast(lf[1]); err != nil ||
-				return -1, false, fmt.Errorf("invalid identity on line %d", line)
+				userid < useridStart || userid > useridEnd {
+				return useridEnd + 1, false, fmt.Errorf("invalid userid on line %d", line)
 			}
 			return
 		}
 	}
-	return -1, false, s.Err()
+	return useridEnd + 1, false, s.Err()
 }
 
-func mustParseConfig(r io.Reader, puid int) (int, bool) {
+// hsuConfPath is an absolute pathname to the hsu configuration file.
-	fid, ok, err := parseConfig(r, puid)
+// Its contents are interpreted by parseConfig.
-	if err != nil {
+const hsuConfPath = "/etc/hsurc"
+
+// mustParseConfig calls parseConfig to interpret the contents of hsuConfPath,
+// terminating the program if an error is encountered, the syntax is incorrect,
+// or the current user is not authorised to use hsu because its uid is missing.
+//
+// Therefore, code after this function call can assume an authenticated state.
+//
+// mustParseConfig returns the userid value of the current user.
+func mustParseConfig(puid int) (userid uint32) {
+	if puid > math.MaxUint32 {
+		log.Fatalf("got impossible uid %d", puid)
+	}
+
+	var ok bool
+	if f, err := os.Open(hsuConfPath); err != nil {
+		log.Fatal(err)
+	} else if userid, ok, err = parseConfig(f, uint32(puid)); err != nil {
+		log.Fatal(err)
+	} else if err = f.Close(); err != nil {
 		log.Fatal(err)
 	}
-	return fid, ok
+	if !ok {
+		log.Fatalf("uid %d is not in the hsurc file", puid)
+	}
+
+	return
+}
+
+// envIdentity is the name of the environment variable holding a
+// string representation of the current application identity.
+var envIdentity = "HAKUREI_IDENTITY"
+
+// mustReadIdentity calls parseUint32Fast to interpret the value stored in envIdentity,
+// terminating the program if the value is not set, malformed, or out of bounds.
+func mustReadIdentity() uint32 {
+	// ranges defined in hst and copied to this package to avoid importing hst
+	if as, ok := os.LookupEnv(envIdentity); !ok {
+		log.Fatal("HAKUREI_IDENTITY not set")
+		panic("unreachable")
+	} else if identity, err := parseUint32Fast(as); err != nil ||
+		identity < identityStart || identity > identityEnd {
+		log.Fatal("invalid identity")
+		panic("unreachable")
+	} else {
+		return identity
+	}
 }

cmd/hsu/parse_test.go

@@ -2,94 +2,105 @@ package main
 
 import (
 	"bytes"
+	"math"
 	"strconv"
 	"testing"
 )
 
-func Test_parseUint32Fast(t *testing.T) {
+func TestParseUint32Fast(t *testing.T) {
+	t.Parallel()
+
 	t.Run("zero-length", func(t *testing.T) {
+		t.Parallel()
+
 		if _, err := parseUint32Fast(""); err == nil || err.Error() != "zero length string" {
 			t.Errorf(`parseUint32Fast(""): error = %v`, err)
 			return
 		}
 	})
+
 	t.Run("overflow", func(t *testing.T) {
+		t.Parallel()
+
 		if _, err := parseUint32Fast("10000000000"); err == nil || err.Error() != "string too long" {
 			t.Errorf("parseUint32Fast: error = %v", err)
 			return
 		}
 	})
+
 	t.Run("invalid byte", func(t *testing.T) {
+		t.Parallel()
+
 		if _, err := parseUint32Fast("meow"); err == nil || err.Error() != "invalid character 'm' at index 0" {
 			t.Errorf(`parseUint32Fast("meow"): error = %v`, err)
 			return
 		}
 	})
-	t.Run("full range", func(t *testing.T) {
+
-		testRange := func(i, end int) {
+	t.Run("range", func(t *testing.T) {
+		t.Parallel()
+
+		testRange := func(i, end uint32) {
 			for ; i < end; i++ {
-				s := strconv.Itoa(i)
+				s := strconv.Itoa(int(i))
 				w := i
 				t.Run("parse "+s, func(t *testing.T) {
 					t.Parallel()
+
 					v, err := parseUint32Fast(s)
 					if err != nil {
-						t.Errorf("parseUint32Fast(%q): error = %v",
+						t.Errorf("parseUint32Fast(%q): error = %v", s, err)
-							s, err)
 						return
 					}
 					if v != w {
-						t.Errorf("parseUint32Fast(%q): got %v",
+						t.Errorf("parseUint32Fast(%q): got %v", s, v)
-							s, v)
 						return
 					}
 				})
 			}
 		}
 
-		testRange(0, 5000)
+		testRange(0, 2500)
-		testRange(105000, 110000)
+		testRange(23002500, 23005000)
-		testRange(23005000, 23010000)
+		testRange(math.MaxUint32-2500, math.MaxUint32)
-		testRange(456005000, 456010000)
-		testRange(7890005000, 7890010000)
 	})
 }
 
-func Test_parseConfig(t *testing.T) {
+func TestParseConfig(t *testing.T) {
+	t.Parallel()
+
 	testCases := []struct {
 		name       string
-		puid, want int
+		puid, want uint32
 		wantErr    string
 		rc         string
 	}{
-		{"empty", 0, -1, "", ``},
+		{"empty", 0, useridEnd + 1, "", ``},
-		{"invalid field", 0, -1, "invalid entry on line 1", `9`},
+		{"invalid field", 0, useridEnd + 1, "invalid entry on line 1", `9`},
-		{"invalid puid", 0, -1, "invalid parent uid on line 1", `f 9`},
+		{"invalid puid", 0, useridEnd + 1, "invalid parent uid on line 1", `f 9`},
-		{"invalid fid", 1000, -1, "invalid identity on line 1", `1000 f`},
+		{"invalid userid", 1000, useridEnd + 1, "invalid userid on line 1", `1000 f`},
 		{"match", 1000, 0, "", `1000 0`},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			fid, ok, err := parseConfig(bytes.NewBufferString(tc.rc), tc.puid)
+			t.Parallel()
+
+			userid, ok, err := parseConfig(bytes.NewBufferString(tc.rc), tc.puid)
 			if err == nil && tc.wantErr != "" {
-				t.Errorf("parseConfig: error = %v; wantErr %q",
+				t.Errorf("parseConfig: error = %v; want %q", err, tc.wantErr)
-					err, tc.wantErr)
 				return
 			}
 			if err != nil && err.Error() != tc.wantErr {
-				t.Errorf("parseConfig: error = %q; wantErr %q",
+				t.Errorf("parseConfig: error = %q; want %q", err, tc.wantErr)
-					err, tc.wantErr)
 				return
 			}
-			if ok == (tc.want == -1) {
+			if ok == (tc.want == useridEnd+1) {
-				t.Errorf("parseConfig: ok = %v; want %v",
+				t.Errorf("parseConfig: ok = %v; want %v", ok, tc.want)
-					ok, tc.want)
 				return
 			}
-			if fid != tc.want {
+			if userid != tc.want {
-				t.Errorf("parseConfig: fid = %v; want %v",
+				t.Errorf("parseConfig: %v; want %v", userid, tc.want)
-					fid, tc.want)
 			}
 		})
 	}

cmd/hsu/path.go

@@ -1,20 +0,0 @@
-package main
-
-import (
-	"log"
-	"path"
-)
-
-const compPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"
-
-var (
-	hmain = compPoison
-)
-
-func mustCheckPath(p string) string {
-	if p != compPoison && p != "" && path.IsAbs(p) {
-		return p
-	}
-	log.Fatal("this program is compiled incorrectly")
-	return compPoison
-}

command/builder_test.go

@@ -7,6 +7,7 @@ import (
 )
 
 func TestBuild(t *testing.T) {
+	t.Parallel()
 	c := command.New(nil, nil, "test", nil)
 	stubHandler := func([]string) error { panic("unreachable") }
 

command/parse_test.go

@@ -14,6 +14,8 @@ import (
 )
 
 func TestParse(t *testing.T) {
+	t.Parallel()
+
 	testCases := []struct {
 		name      string
 		buildTree func(wout, wlog io.Writer) command.Command
@@ -251,6 +253,7 @@ Commands:
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
 			wout, wlog := new(bytes.Buffer), new(bytes.Buffer)
 			c := tc.buildTree(wout, wlog)
 

command/unreachable_test.go

@@ -6,15 +6,19 @@ import (
 )
 
 func TestParseUnreachable(t *testing.T) {
+	t.Parallel()
+
 	// top level bypasses name matching and recursive calls to Parse
 	// returns when encountering zero-length args
 	t.Run("zero-length args", func(t *testing.T) {
+		t.Parallel()
 		defer checkRecover(t, "Parse", "attempted to parse with zero length args")
 		_ = newNode(panicWriter{}, nil, " ", " ").Parse(nil)
 	})
 
 	// top level must not have siblings
 	t.Run("toplevel siblings", func(t *testing.T) {
+		t.Parallel()
 		defer checkRecover(t, "Parse", "invalid toplevel state")
 		n := newNode(panicWriter{}, nil, " ", "")
 		n.append(newNode(panicWriter{}, nil, "  ", " "))
@@ -23,6 +27,7 @@ func TestParseUnreachable(t *testing.T) {
 
 	// a node with descendents must not have a direct handler
 	t.Run("sub handle conflict", func(t *testing.T) {
+		t.Parallel()
 		defer checkRecover(t, "Parse", "invalid subcommand tree state")
 		n := newNode(panicWriter{}, nil, " ", " ")
 		n.adopt(newNode(panicWriter{}, nil, " ", " "))
@@ -32,6 +37,7 @@ func TestParseUnreachable(t *testing.T) {
 
 	// this would only happen if a node was matched twice
 	t.Run("parsed flag set", func(t *testing.T) {
+		t.Parallel()
 		defer checkRecover(t, "Parse", "invalid set state")
 		n := newNode(panicWriter{}, nil, " ", "")
 		set := flag.NewFlagSet("parsed", flag.ContinueOnError)

container/autoetc_test.go

@@ -10,7 +10,10 @@ import (
 )
 
 func TestAutoEtcOp(t *testing.T) {
+	t.Parallel()
+
 	t.Run("nonrepeatable", func(t *testing.T) {
+		t.Parallel()
 		wantErr := OpRepeatError("autoetc")
 		if err := (&AutoEtcOp{Prefix: "81ceabb30d37bbdb3868004629cb84e9"}).apply(&setupState{nonrepeatable: nrAutoEtc}, nil); !errors.Is(err, wantErr) {
 			t.Errorf("apply: error = %v, want %v", err, wantErr)
@@ -280,6 +283,7 @@ func TestAutoEtcOp(t *testing.T) {
 	})
 
 	t.Run("host path rel", func(t *testing.T) {
+		t.Parallel()
 		op := &AutoEtcOp{Prefix: "048090b6ed8f9ebb10e275ff5d8c0659"}
 		wantHostPath := "/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"
 		wantHostRel := ".host/048090b6ed8f9ebb10e275ff5d8c0659"

container/autoroot.go

@@ -6,6 +6,7 @@ import (
 
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
+	"hakurei.app/message"
 )
 
 func init() { gob.Register(new(AutoRootOp)) }
@@ -81,7 +82,7 @@ func (r *AutoRootOp) String() string {
 }
 
 // IsAutoRootBindable returns whether a dir entry name is selected for AutoRoot.
-func IsAutoRootBindable(msg Msg, name string) bool {
+func IsAutoRootBindable(msg message.Msg, name string) bool {
 	switch name {
 	case "proc", "dev", "tmp", "mnt", "etc":
 

container/autoroot_test.go

@@ -5,13 +5,15 @@ import (
 	"os"
 	"testing"
 
-	"hakurei.app/container/bits"
 	"hakurei.app/container/check"
+	"hakurei.app/container/std"
 	"hakurei.app/container/stub"
+	"hakurei.app/message"
 )
 
 func TestAutoRootOp(t *testing.T) {
 	t.Run("nonrepeatable", func(t *testing.T) {
+		t.Parallel()
 		wantErr := OpRepeatError("autoroot")
 		if err := new(AutoRootOp).apply(&setupState{nonrepeatable: nrAutoRoot}, nil); !errors.Is(err, wantErr) {
 			t.Errorf("apply: error = %v, want %v", err, wantErr)
@@ -21,14 +23,14 @@ func TestAutoRootOp(t *testing.T) {
 	checkOpBehaviour(t, []opBehaviourTestCase{
 		{"readdir", &Params{ParentPerm: 0750}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: bits.BindWritable,
+			Flags: std.BindWritable,
 		}, []stub.Call{
 			call("readdir", stub.ExpectArgs{"/"}, stubDir(), stub.UniqueError(2)),
 		}, stub.UniqueError(2), nil, nil},
 
 		{"early", &Params{ParentPerm: 0750}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: bits.BindWritable,
+			Flags: std.BindWritable,
 		}, []stub.Call{
 			call("readdir", stub.ExpectArgs{"/"}, stubDir("bin", "dev", "etc", "home", "lib64",
 				"lost+found", "mnt", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var"), nil),
@@ -37,7 +39,7 @@ func TestAutoRootOp(t *testing.T) {
 
 		{"apply", &Params{ParentPerm: 0750}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: bits.BindWritable,
+			Flags: std.BindWritable,
 		}, []stub.Call{
 			call("readdir", stub.ExpectArgs{"/"}, stubDir("bin", "dev", "etc", "home", "lib64",
 				"lost+found", "mnt", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var"), nil),
@@ -58,7 +60,7 @@ func TestAutoRootOp(t *testing.T) {
 
 		{"success pd", &Params{ParentPerm: 0750}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: bits.BindWritable,
+			Flags: std.BindWritable,
 		}, []stub.Call{
 			call("readdir", stub.ExpectArgs{"/"}, stubDir("bin", "dev", "etc", "home", "lib64",
 				"lost+found", "mnt", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var"), nil),
@@ -125,10 +127,10 @@ func TestAutoRootOp(t *testing.T) {
 	})
 
 	checkOpsBuilder(t, []opsBuilderTestCase{
-		{"pd", new(Ops).Root(check.MustAbs("/"), bits.BindWritable), Ops{
+		{"pd", new(Ops).Root(check.MustAbs("/"), std.BindWritable), Ops{
 			&AutoRootOp{
 				Host:  check.MustAbs("/"),
-				Flags: bits.BindWritable,
+				Flags: std.BindWritable,
 			},
 		}},
 	})
@@ -138,47 +140,49 @@ func TestAutoRootOp(t *testing.T) {
 
 		{"internal ne", &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: bits.BindWritable,
+			Flags: std.BindWritable,
 		}, &AutoRootOp{
 			Host:     check.MustAbs("/"),
-			Flags:    bits.BindWritable,
+			Flags:    std.BindWritable,
 			resolved: []*BindMountOp{new(BindMountOp)},
 		}, true},
 
 		{"flags differs", &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: bits.BindWritable | bits.BindDevice,
+			Flags: std.BindWritable | std.BindDevice,
 		}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: bits.BindWritable,
+			Flags: std.BindWritable,
 		}, false},
 
 		{"host differs", &AutoRootOp{
 			Host:  check.MustAbs("/tmp/"),
-			Flags: bits.BindWritable,
+			Flags: std.BindWritable,
 		}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: bits.BindWritable,
+			Flags: std.BindWritable,
 		}, false},
 
 		{"equals", &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: bits.BindWritable,
+			Flags: std.BindWritable,
 		}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: bits.BindWritable,
+			Flags: std.BindWritable,
 		}, true},
 	})
 
 	checkOpMeta(t, []opMetaTestCase{
 		{"root", &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: bits.BindWritable,
+			Flags: std.BindWritable,
 		}, "setting up", `auto root "/" flags 0x2`},
 	})
 }
 
 func TestIsAutoRootBindable(t *testing.T) {
+	t.Parallel()
+
 	testCases := []struct {
 		name string
 		want bool
@@ -195,7 +199,8 @@ func TestIsAutoRootBindable(t *testing.T) {
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			var msg Msg
+			t.Parallel()
+			var msg message.Msg
 			if tc.log {
 				msg = &kstub{nil, stub.New(t, func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { panic("unreachable") }, stub.Expect{Calls: []stub.Call{
 					call("verbose", stub.ExpectArgs{[]any{"got unexpected root entry"}}, nil, nil),

container/bits/bits.go

@@ -1,13 +0,0 @@
-// Package bits contains constants for configuring the container.
-package bits
-
-const (
-	// BindOptional skips nonexistent host paths.
-	BindOptional = 1 << iota
-	// BindWritable mounts filesystem read-write.
-	BindWritable
-	// BindDevice allows access to devices (special files) on this filesystem.
-	BindDevice
-	// BindEnsure attempts to create the host path if it does not exist.
-	BindEnsure
-)

container/capability.go

@@ -49,41 +49,10 @@ func capset(hdrp *capHeader, datap *[2]capData) error {
 }
 
 // capBoundingSetDrop drops a capability from the calling thread's capability bounding set.
-func capBoundingSetDrop(cap uintptr) error {
+func capBoundingSetDrop(cap uintptr) error { return Prctl(syscall.PR_CAPBSET_DROP, cap, 0) }
-	r, _, errno := syscall.Syscall(
-		syscall.SYS_PRCTL,
-		syscall.PR_CAPBSET_DROP,
-		cap, 0,
-	)
-	if r != 0 {
-		return errno
-	}
-	return nil
-}
 
 // capAmbientClearAll clears the ambient capability set of the calling thread.
-func capAmbientClearAll() error {
+func capAmbientClearAll() error { return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0) }
-	r, _, errno := syscall.Syscall(
-		syscall.SYS_PRCTL,
-		PR_CAP_AMBIENT,
-		PR_CAP_AMBIENT_CLEAR_ALL, 0,
-	)
-	if r != 0 {
-		return errno
-	}
-	return nil
-}
 
 // capAmbientRaise adds to the ambient capability set of the calling thread.
-func capAmbientRaise(cap uintptr) error {
+func capAmbientRaise(cap uintptr) error { return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap) }
-	r, _, errno := syscall.Syscall(
-		syscall.SYS_PRCTL,
-		PR_CAP_AMBIENT,
-		PR_CAP_AMBIENT_RAISE,
-		cap,
-	)
-	if r != 0 {
-		return errno
-	}
-	return nil
-}

container/capability_test.go

@@ -3,6 +3,8 @@ package container
 import "testing"
 
 func TestCapToIndex(t *testing.T) {
+	t.Parallel()
+
 	testCases := []struct {
 		name string
 		cap  uintptr
@@ -14,6 +16,7 @@ func TestCapToIndex(t *testing.T) {
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
 			if got := capToIndex(tc.cap); got != tc.want {
 				t.Errorf("capToIndex: %#x, want %#x", got, tc.want)
 			}
@@ -22,6 +25,8 @@ func TestCapToIndex(t *testing.T) {
 }
 
 func TestCapToMask(t *testing.T) {
+	t.Parallel()
+
 	testCases := []struct {
 		name string
 		cap  uintptr
@@ -33,6 +38,7 @@ func TestCapToMask(t *testing.T) {
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
 			if got := capToMask(tc.cap); got != tc.want {
 				t.Errorf("capToMask: %#x, want %#x", got, tc.want)
 			}

container/check/absolute_test.go

@@ -9,7 +9,7 @@ import (
 	"strings"
 	"syscall"
 	"testing"
-	_ "unsafe"
+	_ "unsafe" // for go:linkname
 
 	. "hakurei.app/container/check"
 )
@@ -18,6 +18,8 @@ import (
 func unsafeAbs(_ string) *Absolute
 
 func TestAbsoluteError(t *testing.T) {
+	t.Parallel()
+
 	testCases := []struct {
 		name string
 
@@ -27,8 +29,8 @@ func TestAbsoluteError(t *testing.T) {
 	}{
 		{"EINVAL", new(AbsoluteError), syscall.EINVAL, true},
 		{"not EINVAL", new(AbsoluteError), syscall.EBADE, false},
-		{"ne val", new(AbsoluteError), &AbsoluteError{"etc"}, false},
+		{"ne val", new(AbsoluteError), &AbsoluteError{Pathname: "etc"}, false},
-		{"equals", &AbsoluteError{"etc"}, &AbsoluteError{"etc"}, true},
+		{"equals", &AbsoluteError{Pathname: "etc"}, &AbsoluteError{Pathname: "etc"}, true},
 	}
 
 	for _, tc := range testCases {
@@ -38,14 +40,18 @@ func TestAbsoluteError(t *testing.T) {
 	}
 
 	t.Run("string", func(t *testing.T) {
+		t.Parallel()
+
 		want := `path "etc" is not absolute`
-		if got := (&AbsoluteError{"etc"}).Error(); got != want {
+		if got := (&AbsoluteError{Pathname: "etc"}).Error(); got != want {
 			t.Errorf("Error: %q, want %q", got, want)
 		}
 	})
 }
 
 func TestNewAbs(t *testing.T) {
+	t.Parallel()
+
 	testCases := []struct {
 		name string
 
@@ -54,12 +60,14 @@ func TestNewAbs(t *testing.T) {
 		wantErr  error
 	}{
 		{"good", "/etc", MustAbs("/etc"), nil},
-		{"not absolute", "etc", nil, &AbsoluteError{"etc"}},
+		{"not absolute", "etc", nil, &AbsoluteError{Pathname: "etc"}},
-		{"zero", "", nil, &AbsoluteError{""}},
+		{"zero", "", nil, &AbsoluteError{Pathname: ""}},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
 			got, err := NewAbs(tc.pathname)
 			if !reflect.DeepEqual(got, tc.want) {
 				t.Errorf("NewAbs: %#v, want %#v", got, tc.want)
@@ -71,6 +79,8 @@ func TestNewAbs(t *testing.T) {
 	}
 
 	t.Run("must", func(t *testing.T) {
+		t.Parallel()
+
 		defer func() {
 			wantPanic := `path "etc" is not absolute`
 
@@ -85,6 +95,8 @@ func TestNewAbs(t *testing.T) {
 
 func TestAbsoluteString(t *testing.T) {
 	t.Run("passthrough", func(t *testing.T) {
+		t.Parallel()
+
 		pathname := "/etc"
 		if got := unsafeAbs(pathname).String(); got != pathname {
 			t.Errorf("String: %q, want %q", got, pathname)
@@ -92,6 +104,8 @@ func TestAbsoluteString(t *testing.T) {
 	})
 
 	t.Run("zero", func(t *testing.T) {
+		t.Parallel()
+
 		defer func() {
 			wantPanic := "attempted use of zero Absolute"
 
@@ -105,6 +119,8 @@ func TestAbsoluteString(t *testing.T) {
 }
 
 func TestAbsoluteIs(t *testing.T) {
+	t.Parallel()
+
 	testCases := []struct {
 		name string
 		a, v *Absolute
@@ -120,6 +136,8 @@ func TestAbsoluteIs(t *testing.T) {
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
 			if got := tc.a.Is(tc.v); got != tc.want {
 				t.Errorf("Is: %v, want %v", got, tc.want)
 			}
@@ -129,10 +147,12 @@ func TestAbsoluteIs(t *testing.T) {
 
 type sCheck struct {
 	Pathname *Absolute `json:"val"`
-	Magic    int       `json:"magic"`
+	Magic    uint64    `json:"magic"`
 }
 
 func TestCodecAbsolute(t *testing.T) {
+	t.Parallel()
+
 	testCases := []struct {
 		name string
 		a    *Absolute
@@ -149,31 +169,36 @@ func TestCodecAbsolute(t *testing.T) {
 		{"good", MustAbs("/etc"),
 			nil,
 			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\b\xff\x80\x00\x04/etc",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x04\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x10\xff\x84\x01\x04/etc\x01\xfb\x01\x81\xda\x00\x00\x00",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x04/etc\x01\xfc\xc0\xed\x00\x00\x00",
 
 			`"/etc"`, `{"val":"/etc","magic":3236757504}`},
 		{"not absolute", nil,
-			&AbsoluteError{"etc"},
+			&AbsoluteError{Pathname: "etc"},
 			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\a\xff\x80\x00\x03etc",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x04\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",
 
 			`"etc"`, `{"val":"etc","magic":3236757504}`},
 		{"zero", nil,
 			new(AbsoluteError),
 			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x04\xff\x80\x00\x00",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x04\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\f\xff\x84\x01\x00\x01\xfb\x01\x81\xda\x00\x00\x00",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\f\xff\x84\x01\x00\x01\xfb\x01\x81\xda\x00\x00\x00",
 			`""`, `{"val":"","magic":3236757504}`},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
 			t.Run("gob", func(t *testing.T) {
 				if tc.gob == "\x00" && tc.sGob == "\x00" {
 					// these values mark the current test to skip gob
 					return
 				}
+				t.Parallel()
 
 				t.Run("encode", func(t *testing.T) {
+					t.Parallel()
+
 					// encode is unchecked
 					if errors.Is(tc.wantErr, syscall.EINVAL) {
 						return
@@ -210,6 +235,8 @@ func TestCodecAbsolute(t *testing.T) {
 				})
 
 				t.Run("decode", func(t *testing.T) {
+					t.Parallel()
+
 					{
 						var gotA *Absolute
 						err := gob.NewDecoder(strings.NewReader(tc.gob)).Decode(&gotA)
@@ -244,7 +271,11 @@ func TestCodecAbsolute(t *testing.T) {
 			})
 
 			t.Run("json", func(t *testing.T) {
+				t.Parallel()
+
 				t.Run("marshal", func(t *testing.T) {
+					t.Parallel()
+
 					// marshal is unchecked
 					if errors.Is(tc.wantErr, syscall.EINVAL) {
 						return
@@ -279,6 +310,8 @@ func TestCodecAbsolute(t *testing.T) {
 				})
 
 				t.Run("unmarshal", func(t *testing.T) {
+					t.Parallel()
+
 					{
 						var gotA *Absolute
 						err := json.Unmarshal([]byte(tc.json), &gotA)
@@ -314,6 +347,8 @@ func TestCodecAbsolute(t *testing.T) {
 	}
 
 	t.Run("json passthrough", func(t *testing.T) {
+		t.Parallel()
+
 		wantErr := "invalid character ':' looking for beginning of value"
 		if err := new(Absolute).UnmarshalJSON([]byte(":3")); err == nil || err.Error() != wantErr {
 			t.Errorf("UnmarshalJSON: error = %v, want %s", err, wantErr)
@@ -322,7 +357,11 @@ func TestCodecAbsolute(t *testing.T) {
 }
 
 func TestAbsoluteWrap(t *testing.T) {
+	t.Parallel()
+
 	t.Run("join", func(t *testing.T) {
+		t.Parallel()
+
 		want := "/etc/nix/nix.conf"
 		if got := MustAbs("/etc").Append("nix", "nix.conf"); got.String() != want {
 			t.Errorf("Append: %q, want %q", got, want)
@@ -330,6 +369,8 @@ func TestAbsoluteWrap(t *testing.T) {
 	})
 
 	t.Run("dir", func(t *testing.T) {
+		t.Parallel()
+
 		want := "/"
 		if got := MustAbs("/etc").Dir(); got.String() != want {
 			t.Errorf("Dir: %q, want %q", got, want)
@@ -337,6 +378,8 @@ func TestAbsoluteWrap(t *testing.T) {
 	})
 
 	t.Run("sort", func(t *testing.T) {
+		t.Parallel()
+
 		want := []*Absolute{MustAbs("/etc"), MustAbs("/proc"), MustAbs("/sys")}
 		got := []*Absolute{MustAbs("/proc"), MustAbs("/sys"), MustAbs("/etc")}
 		SortAbs(got)
@@ -346,6 +389,8 @@ func TestAbsoluteWrap(t *testing.T) {
 	})
 
 	t.Run("compact", func(t *testing.T) {
+		t.Parallel()
+
 		want := []*Absolute{MustAbs("/etc"), MustAbs("/proc"), MustAbs("/sys")}
 		if got := CompactAbs([]*Absolute{MustAbs("/etc"), MustAbs("/proc"), MustAbs("/proc"), MustAbs("/sys")}); !reflect.DeepEqual(got, want) {
 			t.Errorf("CompactAbs: %#v, want %#v", got, want)

container/check/overlay_test.go

@@ -7,6 +7,8 @@ import (
 )
 
 func TestEscapeOverlayDataSegment(t *testing.T) {
+	t.Parallel()
+
 	testCases := []struct {
 		name string
 		s    string
@@ -19,6 +21,8 @@ func TestEscapeOverlayDataSegment(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
 			if got := check.EscapeOverlayDataSegment(tc.s); got != tc.want {
 				t.Errorf("escapeOverlayDataSegment: %s, want %s", got, tc.want)
 			}

container/container.go

@@ -11,19 +11,24 @@ import (
 	"os/exec"
 	"runtime"
 	"strconv"
+	"sync"
 	. "syscall"
 	"time"
 
-	"hakurei.app/container/bits"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/container/seccomp"
+	"hakurei.app/container/std"
+	"hakurei.app/message"
 )
 
 const (
 	// CancelSignal is the signal expected by container init on context cancel.
 	// A custom [Container.Cancel] function must eventually deliver this signal.
-	CancelSignal = SIGTERM
+	CancelSignal = SIGUSR2
+
+	// Timeout for writing initParams to Container.setup.
+	initSetupTimeout = 5 * time.Second
 )
 
 type (
@@ -36,8 +41,8 @@ type (
 		// with behaviour identical to its [exec.Cmd] counterpart.
 		ExtraFiles []*os.File
 
-		// param encoder for shim and init
+		// param pipe for shim and init
-		setup *gob.Encoder
+		setup *os.File
 		// cancels cmd
 		cancel context.CancelFunc
 		// closed after Wait returns
@@ -52,7 +57,7 @@ type (
 
 		cmd *exec.Cmd
 		ctx context.Context
-		msg Msg
+		msg message.Msg
 		Params
 	}
 
@@ -81,11 +86,11 @@ type (
 		*Ops
 
 		// Seccomp system call filter rules.
-		SeccompRules []seccomp.NativeRule
+		SeccompRules []std.NativeRule
 		// Extra seccomp flags.
 		SeccompFlags seccomp.ExportFlag
 		// Seccomp presets. Has no effect unless SeccompRules is zero-length.
-		SeccompPresets bits.FilterPreset
+		SeccompPresets std.FilterPreset
 		// Do not load seccomp program.
 		SeccompDisable bool
 
@@ -139,11 +144,18 @@ func (e *StartError) Error() string {
 // Message returns a user-facing error message.
 func (e *StartError) Message() string {
 	if e.Passthrough {
+		var (
+			numError *strconv.NumError
+		)
+
 		switch {
 		case errors.As(e.Err, new(*os.PathError)),
 			errors.As(e.Err, new(*os.SyscallError)):
 			return "cannot " + e.Err.Error()
 
+		case errors.As(e.Err, &numError) && numError != nil:
+			return "cannot parse " + strconv.Quote(numError.Num) + ": " + numError.Err.Error()
+
 		default:
 			return e.Err.Error()
 		}
@@ -154,6 +166,39 @@ func (e *StartError) Message() string {
 	return "cannot " + e.Error()
 }
 
+// for ensureCloseOnExec
+var (
+	closeOnExecOnce sync.Once
+	closeOnExecErr  error
+)
+
+// ensureCloseOnExec ensures all currently open file descriptors have the syscall.FD_CLOEXEC flag set.
+// This is only ran once as it is intended to handle files left open by the parent, and any file opened
+// on this side should already have syscall.FD_CLOEXEC set.
+func ensureCloseOnExec() error {
+	closeOnExecOnce.Do(func() {
+		const fdPrefixPath = "/proc/self/fd/"
+
+		var entries []os.DirEntry
+		if entries, closeOnExecErr = os.ReadDir(fdPrefixPath); closeOnExecErr != nil {
+			return
+		}
+
+		var fd int
+		for _, ent := range entries {
+			if fd, closeOnExecErr = strconv.Atoi(ent.Name()); closeOnExecErr != nil {
+				break // not reached
+			}
+			CloseOnExec(fd)
+		}
+	})
+
+	if closeOnExecErr == nil {
+		return nil
+	}
+	return &StartError{Fatal: true, Step: "set FD_CLOEXEC on all open files", Err: closeOnExecErr, Passthrough: true}
+}
+
 // Start starts the container init. The init process blocks until Serve is called.
 func (p *Container) Start() error {
 	if p == nil || p.cmd == nil ||
@@ -164,6 +209,10 @@ func (p *Container) Start() error {
 		return errors.New("container: already started")
 	}
 
+	if err := ensureCloseOnExec(); err != nil {
+		return err
+	}
+
 	// map to overflow id to work around ownership checks
 	if p.Uid < 1 {
 		p.Uid = OverflowUid(p.msg)
@@ -173,7 +222,7 @@ func (p *Container) Start() error {
 	}
 
 	if !p.RetainSession {
-		p.SeccompPresets |= bits.PresetDenyTTY
+		p.SeccompPresets |= std.PresetDenyTTY
 	}
 
 	if p.AdoptWaitDelay == 0 {
@@ -227,10 +276,10 @@ func (p *Container) Start() error {
 	}
 
 	// place setup pipe before user supplied extra files, this is later restored by init
-	if fd, e, err := Setup(&p.cmd.ExtraFiles); err != nil {
+	if fd, f, err := Setup(&p.cmd.ExtraFiles); err != nil {
 		return &StartError{true, "set up params stream", err, false, false}
 	} else {
-		p.setup = e
+		p.setup = f
 		p.cmd.Env = []string{setupEnv + "=" + strconv.Itoa(fd)}
 	}
 	p.cmd.ExtraFiles = append(p.cmd.ExtraFiles, p.ExtraFiles...)
@@ -309,6 +358,9 @@ func (p *Container) Serve() error {
 
 	setup := p.setup
 	p.setup = nil
+	if err := setup.SetDeadline(time.Now().Add(initSetupTimeout)); err != nil {
+		return &StartError{true, "set init pipe deadline", err, false, true}
+	}
 
 	if p.Path == nil {
 		p.cancel()
@@ -320,18 +372,17 @@ func (p *Container) Serve() error {
 		p.Dir = fhs.AbsRoot
 	}
 	if p.SeccompRules == nil {
-		p.SeccompRules = make([]seccomp.NativeRule, 0)
+		p.SeccompRules = make([]std.NativeRule, 0)
 	}
 
-	err := setup.Encode(
+	err := gob.NewEncoder(setup).Encode(&initParams{
-		&initParams{
+		p.Params,
-			p.Params,
+		Getuid(),
-			Getuid(),
+		Getgid(),
-			Getgid(),
+		len(p.ExtraFiles),
-			len(p.ExtraFiles),
+		p.msg.IsVerbose(),
-			p.msg.IsVerbose(),
+	})
-		},
+	_ = setup.Close()
-	)
 	if err != nil {
 		p.cancel()
 	}
@@ -396,9 +447,9 @@ func (p *Container) ProcessState() *os.ProcessState {
 }
 
 // New returns the address to a new instance of [Container] that requires further initialisation before use.
-func New(ctx context.Context, msg Msg) *Container {
+func New(ctx context.Context, msg message.Msg) *Container {
 	if msg == nil {
-		msg = NewMsg(nil)
+		msg = message.New(nil)
 	}
 
 	p := &Container{ctx: ctx, msg: msg, Params: Params{Ops: new(Ops)}}
@@ -409,7 +460,7 @@ func New(ctx context.Context, msg Msg) *Container {
 }
 
 // NewCommand calls [New] and initialises the [Params.Path] and [Params.Args] fields.
-func NewCommand(ctx context.Context, msg Msg, pathname *check.Absolute, name string, args ...string) *Container {
+func NewCommand(ctx context.Context, msg message.Msg, pathname *check.Absolute, name string, args ...string) *Container {
 	z := New(ctx, msg)
 	z.Path = pathname
 	z.Args = append([]string{name}, args...)

container/container_test.go

@@ -20,15 +20,18 @@ import (
 
 	"hakurei.app/command"
 	"hakurei.app/container"
-	"hakurei.app/container/bits"
 	"hakurei.app/container/check"
 	"hakurei.app/container/seccomp"
+	"hakurei.app/container/std"
 	"hakurei.app/container/vfs"
 	"hakurei.app/hst"
 	"hakurei.app/ldd"
+	"hakurei.app/message"
 )
 
 func TestStartError(t *testing.T) {
+	t.Parallel()
+
 	testCases := []struct {
 		name string
 		err  error
@@ -41,8 +44,7 @@ func TestStartError(t *testing.T) {
 			Fatal: true,
 			Step:  "set up params stream",
 			Err:   container.ErrReceiveEnv,
-		},
+		}, "set up params stream: environment variable not set",
-			"set up params stream: environment variable not set",
 			container.ErrReceiveEnv, syscall.EBADF,
 			"cannot set up params stream: environment variable not set"},
 
@@ -50,8 +52,7 @@ func TestStartError(t *testing.T) {
 			Fatal: true,
 			Step:  "set up params stream",
 			Err:   &os.SyscallError{Syscall: "pipe2", Err: syscall.EBADF},
-		},
+		}, "set up params stream pipe2: bad file descriptor",
-			"set up params stream pipe2: bad file descriptor",
 			syscall.EBADF, os.ErrInvalid,
 			"cannot set up params stream pipe2: bad file descriptor"},
 
@@ -59,16 +60,14 @@ func TestStartError(t *testing.T) {
 			Fatal: true,
 			Step:  "prctl(PR_SET_NO_NEW_PRIVS)",
 			Err:   syscall.EPERM,
-		},
+		}, "prctl(PR_SET_NO_NEW_PRIVS): operation not permitted",
-			"prctl(PR_SET_NO_NEW_PRIVS): operation not permitted",
 			syscall.EPERM, syscall.EACCES,
 			"cannot prctl(PR_SET_NO_NEW_PRIVS): operation not permitted"},
 
 		{"landlock abi", &container.StartError{
 			Step: "get landlock ABI",
 			Err:  syscall.ENOSYS,
-		},
+		}, "get landlock ABI: function not implemented",
-			"get landlock ABI: function not implemented",
 			syscall.ENOSYS, syscall.ENOEXEC,
 			"cannot get landlock ABI: function not implemented"},
 
@@ -76,8 +75,7 @@ func TestStartError(t *testing.T) {
 			Step:   "kernel version too old for LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET",
 			Err:    syscall.ENOSYS,
 			Origin: true,
-		},
+		}, "kernel version too old for LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET",
-			"kernel version too old for LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET",
 			syscall.ENOSYS, syscall.ENOSPC,
 			"kernel version too old for LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET"},
 
@@ -85,8 +83,7 @@ func TestStartError(t *testing.T) {
 			Fatal: true,
 			Step:  "create landlock ruleset",
 			Err:   syscall.EBADFD,
-		},
+		}, "create landlock ruleset: file descriptor in bad state",
-			"create landlock ruleset: file descriptor in bad state",
 			syscall.EBADFD, syscall.EBADF,
 			"cannot create landlock ruleset: file descriptor in bad state"},
 
@@ -94,8 +91,7 @@ func TestStartError(t *testing.T) {
 			Fatal: true,
 			Step:  "enforce landlock ruleset",
 			Err:   syscall.ENOTRECOVERABLE,
-		},
+		}, "enforce landlock ruleset: state not recoverable",
-			"enforce landlock ruleset: state not recoverable",
 			syscall.ENOTRECOVERABLE, syscall.ETIMEDOUT,
 			"cannot enforce landlock ruleset: state not recoverable"},
 
@@ -106,8 +102,7 @@ func TestStartError(t *testing.T) {
 				Path: "/proc/nonexistent",
 				Err:  syscall.ENOENT,
 			}, Passthrough: true,
-		},
+		}, "fork/exec /proc/nonexistent: no such file or directory",
-			"fork/exec /proc/nonexistent: no such file or directory",
 			syscall.ENOENT, syscall.ENOSYS,
 			"cannot fork/exec /proc/nonexistent: no such file or directory"},
 
@@ -117,11 +112,19 @@ func TestStartError(t *testing.T) {
 				Syscall: "open",
 				Err:     syscall.ENOSYS,
 			}, Passthrough: true,
-		},
+		}, "open: function not implemented",
-			"open: function not implemented",
 			syscall.ENOSYS, syscall.ENOENT,
 			"cannot open: function not implemented"},
 
+		{"start FD_CLOEXEC", &container.StartError{
+			Fatal:       true,
+			Step:        "set FD_CLOEXEC on all open files",
+			Err:         func() error { _, err := strconv.Atoi("invalid"); return err }(),
+			Passthrough: true,
+		}, `strconv.Atoi: parsing "invalid": invalid syntax`,
+			strconv.ErrSyntax, os.ErrInvalid,
+			`cannot parse "invalid": invalid syntax`},
+
 		{"start other", &container.StartError{
 			Step: "start container init",
 			Err: &net.OpError{
@@ -129,13 +132,14 @@ func TestStartError(t *testing.T) {
 				Net: "unix",
 				Err: syscall.ECONNREFUSED,
 			}, Passthrough: true,
-		},
+		}, "dial unix: connection refused",
-			"dial unix: connection refused",
 			syscall.ECONNREFUSED, syscall.ECONNABORTED,
 			"dial unix: connection refused"},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
 			t.Run("error", func(t *testing.T) {
 				if got := tc.err.Error(); got != tc.s {
 					t.Errorf("Error: %q, want %q", got, tc.s)
@@ -152,13 +156,13 @@ func TestStartError(t *testing.T) {
 			})
 
 			t.Run("msg", func(t *testing.T) {
-				if got, ok := container.GetErrorMessage(tc.err); !ok {
+				if got, ok := message.GetMessage(tc.err); !ok {
 					if tc.msg != "" {
-						t.Errorf("GetErrorMessage: err does not implement MessageError")
+						t.Errorf("GetMessage: err does not implement MessageError")
 					}
 					return
 				} else if got != tc.msg {
-					t.Errorf("GetErrorMessage: %q, want %q", got, tc.msg)
+					t.Errorf("GetMessage: %q, want %q", got, tc.msg)
 				}
 			})
 		})
@@ -199,31 +203,31 @@ var containerTestCases = []struct {
 	uid int
 	gid int
 
-	rules   []seccomp.NativeRule
+	rules   []std.NativeRule
 	flags   seccomp.ExportFlag
-	presets bits.FilterPreset
+	presets std.FilterPreset
 }{
 	{"minimal", true, false, false, true,
 		emptyOps, emptyMnt,
-		1000, 100, nil, 0, bits.PresetStrict},
+		1000, 100, nil, 0, std.PresetStrict},
 	{"allow", true, true, true, false,
 		emptyOps, emptyMnt,
-		1000, 100, nil, 0, bits.PresetExt | bits.PresetDenyDevel},
+		1000, 100, nil, 0, std.PresetExt | std.PresetDenyDevel},
 	{"no filter", false, true, true, true,
 		emptyOps, emptyMnt,
-		1000, 100, nil, 0, bits.PresetExt},
+		1000, 100, nil, 0, std.PresetExt},
 	{"custom rules", true, true, true, false,
 		emptyOps, emptyMnt,
-		1, 31, []seccomp.NativeRule{{Syscall: seccomp.ScmpSyscall(syscall.SYS_SETUID), Errno: seccomp.ScmpErrno(syscall.EPERM)}}, 0, bits.PresetExt},
+		1, 31, []std.NativeRule{{Syscall: std.ScmpSyscall(syscall.SYS_SETUID), Errno: std.ScmpErrno(syscall.EPERM)}}, 0, std.PresetExt},
 
 	{"tmpfs", true, false, false, true,
 		earlyOps(new(container.Ops).
-			Tmpfs(hst.AbsTmp, 0, 0755),
+			Tmpfs(hst.AbsPrivateTmp, 0, 0755),
 		),
 		earlyMnt(
-			ent("/", hst.Tmp, "rw,nosuid,nodev,relatime", "tmpfs", "ephemeral", ignore),
+			ent("/", hst.PrivateTmp, "rw,nosuid,nodev,relatime", "tmpfs", "ephemeral", ignore),
 		),
-		9, 9, nil, 0, bits.PresetStrict},
+		9, 9, nil, 0, std.PresetStrict},
 
 	{"dev", true, true /* go test output is not a tty */, false, false,
 		earlyOps(new(container.Ops).
@@ -241,7 +245,7 @@ var containerTestCases = []struct {
 			ent("/", "/dev/mqueue", "rw,nosuid,nodev,noexec,relatime", "mqueue", "mqueue", "rw"),
 			ent("/", "/dev/shm", "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
 		),
-		1971, 100, nil, 0, bits.PresetStrict},
+		1971, 100, nil, 0, std.PresetStrict},
 
 	{"dev no mqueue", true, true /* go test output is not a tty */, false, false,
 		earlyOps(new(container.Ops).
@@ -258,7 +262,7 @@ var containerTestCases = []struct {
 			ent("/", "/dev/pts", "rw,nosuid,noexec,relatime", "devpts", "devpts", "rw,mode=620,ptmxmode=666"),
 			ent("/", "/dev/shm", "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
 		),
-		1971, 100, nil, 0, bits.PresetStrict},
+		1971, 100, nil, 0, std.PresetStrict},
 
 	{"overlay", true, false, false, true,
 		func(t *testing.T) (*container.Ops, context.Context) {
@@ -275,7 +279,7 @@ var containerTestCases = []struct {
 			}
 
 			return new(container.Ops).
-					Overlay(hst.AbsTmp, upper, work, lower0, lower1),
+					Overlay(hst.AbsPrivateTmp, upper, work, lower0, lower1),
 				context.WithValue(context.WithValue(context.WithValue(context.WithValue(t.Context(),
 					testVal("lower1"), lower1),
 					testVal("lower0"), lower0),
@@ -284,7 +288,7 @@ var containerTestCases = []struct {
 		},
 		func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry {
 			return []*vfs.MountInfoEntry{
-				ent("/", hst.Tmp, "rw", "overlay", "overlay",
+				ent("/", hst.PrivateTmp, "rw", "overlay", "overlay",
 					"rw,lowerdir="+
 						container.InternalToHostOvlEscape(ctx.Value(testVal("lower0")).(*check.Absolute).String())+":"+
 						container.InternalToHostOvlEscape(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
@@ -295,7 +299,7 @@ var containerTestCases = []struct {
 						",redirect_dir=nofollow,uuid=on,userxattr"),
 			}
 		},
-		1 << 3, 1 << 14, nil, 0, bits.PresetStrict},
+		1 << 3, 1 << 14, nil, 0, std.PresetStrict},
 
 	{"overlay ephemeral", true, false, false, true,
 		func(t *testing.T) (*container.Ops, context.Context) {
@@ -310,16 +314,16 @@ var containerTestCases = []struct {
 			}
 
 			return new(container.Ops).
-					OverlayEphemeral(hst.AbsTmp, lower0, lower1),
+					OverlayEphemeral(hst.AbsPrivateTmp, lower0, lower1),
 				t.Context()
 		},
 		func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry {
 			return []*vfs.MountInfoEntry{
 				// contains random suffix
-				ent("/", hst.Tmp, "rw", "overlay", "overlay", ignore),
+				ent("/", hst.PrivateTmp, "rw", "overlay", "overlay", ignore),
 			}
 		},
-		1 << 3, 1 << 14, nil, 0, bits.PresetStrict},
+		1 << 3, 1 << 14, nil, 0, std.PresetStrict},
 
 	{"overlay readonly", true, false, false, true,
 		func(t *testing.T) (*container.Ops, context.Context) {
@@ -333,24 +337,26 @@ var containerTestCases = []struct {
 				}
 			}
 			return new(container.Ops).
-					OverlayReadonly(hst.AbsTmp, lower0, lower1),
+					OverlayReadonly(hst.AbsPrivateTmp, lower0, lower1),
 				context.WithValue(context.WithValue(t.Context(),
 					testVal("lower1"), lower1),
 					testVal("lower0"), lower0)
 		},
 		func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry {
 			return []*vfs.MountInfoEntry{
-				ent("/", hst.Tmp, "rw", "overlay", "overlay",
+				ent("/", hst.PrivateTmp, "rw", "overlay", "overlay",
 					"ro,lowerdir="+
 						container.InternalToHostOvlEscape(ctx.Value(testVal("lower0")).(*check.Absolute).String())+":"+
 						container.InternalToHostOvlEscape(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
 						",redirect_dir=nofollow,userxattr"),
 			}
 		},
-		1 << 3, 1 << 14, nil, 0, bits.PresetStrict},
+		1 << 3, 1 << 14, nil, 0, std.PresetStrict},
 }
 
 func TestContainer(t *testing.T) {
+	t.Parallel()
+
 	t.Run("cancel", testContainerCancel(nil, func(t *testing.T, c *container.Container) {
 		wantErr := context.Canceled
 		wantExitCode := 0
@@ -384,6 +390,8 @@ func TestContainer(t *testing.T) {
 
 	for i, tc := range containerTestCases {
 		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
 			wantOps, wantOpsCtx := tc.ops(t)
 			wantMnt := tc.mnt(t, wantOpsCtx)
 
@@ -503,6 +511,7 @@ func testContainerCancel(
 	waitCheck func(t *testing.T, c *container.Container),
 ) func(t *testing.T) {
 	return func(t *testing.T) {
+		t.Parallel()
 		ctx, cancel := context.WithTimeout(t.Context(), helperDefaultTimeout)
 
 		c := helperNewContainer(ctx, "block")
@@ -545,13 +554,14 @@ func testContainerCancel(
 }
 
 func TestContainerString(t *testing.T) {
-	msg := container.NewMsg(nil)
+	t.Parallel()
+	msg := message.New(nil)
 	c := container.NewCommand(t.Context(), msg, check.MustAbs("/run/current-system/sw/bin/ldd"), "ldd", "/usr/bin/env")
 	c.SeccompFlags |= seccomp.AllowMultiarch
 	c.SeccompRules = seccomp.Preset(
-		bits.PresetExt|bits.PresetDenyNS|bits.PresetDenyTTY,
+		std.PresetExt|std.PresetDenyNS|std.PresetDenyTTY,
 		c.SeccompFlags)
-	c.SeccompPresets = bits.PresetStrict
+	c.SeccompPresets = std.PresetStrict
 	want := `argv: ["ldd" "/usr/bin/env"], filter: true, rules: 65, flags: 0x1, presets: 0xf`
 	if got := c.String(); got != want {
 		t.Errorf("String: %s, want %s", got, want)
@@ -565,14 +575,13 @@ const (
 func init() {
 	helperCommands = append(helperCommands, func(c command.Command) {
 		c.Command("block", command.UsageInternal, func(args []string) error {
+			sig := make(chan os.Signal, 1)
+			signal.Notify(sig, os.Interrupt)
+			go func() { <-sig; os.Exit(blockExitCodeInterrupt) }()
+
 			if _, err := os.NewFile(3, "sync").Write([]byte{0}); err != nil {
 				return fmt.Errorf("write to sync pipe: %v", err)
 			}
-			{
-				sig := make(chan os.Signal, 1)
-				signal.Notify(sig, os.Interrupt)
-				go func() { <-sig; os.Exit(blockExitCodeInterrupt) }()
-			}
 			select {}
 		})
 
@@ -711,7 +720,8 @@ func TestMain(m *testing.M) {
 }
 
 func helperNewContainerLibPaths(ctx context.Context, libPaths *[]*check.Absolute, args ...string) (c *container.Container) {
-	msg := container.NewMsg(nil)
+	msg := message.New(nil)
+	msg.SwapVerbose(testing.Verbose())
 	c = container.NewCommand(ctx, msg, absHelperInnerPath, "helper", args...)
 	c.Env = append(c.Env, envDoCheck+"=1")
 	c.Bind(check.MustAbs(os.Args[0]), absHelperInnerPath, 0)

container/dispatcher.go

@@ -11,6 +11,8 @@ import (
 	"syscall"
 
 	"hakurei.app/container/seccomp"
+	"hakurei.app/container/std"
+	"hakurei.app/message"
 )
 
 type osFile interface {
@@ -37,7 +39,7 @@ type syscallDispatcher interface {
 	setNoNewPrivs() error
 
 	// lastcap provides [LastCap].
-	lastcap(msg Msg) uintptr
+	lastcap(msg message.Msg) uintptr
 	// capset provides capset.
 	capset(hdrp *capHeader, datap *[2]capData) error
 	// capBoundingSetDrop provides capBoundingSetDrop.
@@ -52,16 +54,16 @@ type syscallDispatcher interface {
 	receive(key string, e any, fdp *uintptr) (closeFunc func() error, err error)
 
 	// bindMount provides procPaths.bindMount.
-	bindMount(msg Msg, source, target string, flags uintptr) error
+	bindMount(msg message.Msg, source, target string, flags uintptr) error
 	// remount provides procPaths.remount.
-	remount(msg Msg, target string, flags uintptr) error
+	remount(msg message.Msg, target string, flags uintptr) error
 	// mountTmpfs provides mountTmpfs.
 	mountTmpfs(fsname, target string, flags uintptr, size int, perm os.FileMode) error
 	// ensureFile provides ensureFile.
 	ensureFile(name string, perm, pperm os.FileMode) error
 
 	// seccompLoad provides [seccomp.Load].
-	seccompLoad(rules []seccomp.NativeRule, flags seccomp.ExportFlag) error
+	seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error
 	// notify provides [signal.Notify].
 	notify(c chan<- os.Signal, sig ...os.Signal)
 	// start starts [os/exec.Cmd].
@@ -122,11 +124,11 @@ type syscallDispatcher interface {
 	wait4(pid int, wstatus *syscall.WaitStatus, options int, rusage *syscall.Rusage) (wpid int, err error)
 
 	// printf provides the Printf method of [log.Logger].
-	printf(msg Msg, format string, v ...any)
+	printf(msg message.Msg, format string, v ...any)
 	// fatal provides the Fatal method of [log.Logger]
-	fatal(msg Msg, v ...any)
+	fatal(msg message.Msg, v ...any)
 	// fatalf provides the Fatalf method of [log.Logger]
-	fatalf(msg Msg, format string, v ...any)
+	fatalf(msg message.Msg, format string, v ...any)
 }
 
 // direct implements syscallDispatcher on the current kernel.
@@ -140,7 +142,7 @@ func (direct) setPtracer(pid uintptr) error       { return SetPtracer(pid) }
 func (direct) setDumpable(dumpable uintptr) error { return SetDumpable(dumpable) }
 func (direct) setNoNewPrivs() error               { return SetNoNewPrivs() }
 
-func (direct) lastcap(msg Msg) uintptr                         { return LastCap(msg) }
+func (direct) lastcap(msg message.Msg) uintptr                 { return LastCap(msg) }
 func (direct) capset(hdrp *capHeader, datap *[2]capData) error { return capset(hdrp, datap) }
 func (direct) capBoundingSetDrop(cap uintptr) error            { return capBoundingSetDrop(cap) }
 func (direct) capAmbientClearAll() error                       { return capAmbientClearAll() }
@@ -150,10 +152,10 @@ func (direct) receive(key string, e any, fdp *uintptr) (func() error, error) {
 	return Receive(key, e, fdp)
 }
 
-func (direct) bindMount(msg Msg, source, target string, flags uintptr) error {
+func (direct) bindMount(msg message.Msg, source, target string, flags uintptr) error {
 	return hostProc.bindMount(msg, source, target, flags)
 }
-func (direct) remount(msg Msg, target string, flags uintptr) error {
+func (direct) remount(msg message.Msg, target string, flags uintptr) error {
 	return hostProc.remount(msg, target, flags)
 }
 func (k direct) mountTmpfs(fsname, target string, flags uintptr, size int, perm os.FileMode) error {
@@ -163,7 +165,7 @@ func (direct) ensureFile(name string, perm, pperm os.FileMode) error {
 	return ensureFile(name, perm, pperm)
 }
 
-func (direct) seccompLoad(rules []seccomp.NativeRule, flags seccomp.ExportFlag) error {
+func (direct) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
 	return seccomp.Load(rules, flags)
 }
 func (direct) notify(c chan<- os.Signal, sig ...os.Signal) { signal.Notify(c, sig...) }
@@ -221,6 +223,6 @@ func (direct) wait4(pid int, wstatus *syscall.WaitStatus, options int, rusage *s
 	return syscall.Wait4(pid, wstatus, options, rusage)
 }
 
-func (direct) printf(msg Msg, format string, v ...any) { msg.GetLogger().Printf(format, v...) }
+func (direct) printf(msg message.Msg, format string, v ...any) { msg.GetLogger().Printf(format, v...) }
-func (direct) fatal(msg Msg, v ...any)                 { msg.GetLogger().Fatal(v...) }
+func (direct) fatal(msg message.Msg, v ...any)                 { msg.GetLogger().Fatal(v...) }
-func (direct) fatalf(msg Msg, format string, v ...any) { msg.GetLogger().Fatalf(format, v...) }
+func (direct) fatalf(msg message.Msg, format string, v ...any) { msg.GetLogger().Fatalf(format, v...) }

container/dispatcher_test.go

@@ -17,7 +17,9 @@ import (
 	"time"
 
 	"hakurei.app/container/seccomp"
+	"hakurei.app/container/std"
 	"hakurei.app/container/stub"
+	"hakurei.app/message"
 )
 
 type opValidTestCase struct {
@@ -31,10 +33,12 @@ func checkOpsValid(t *testing.T, testCases []opValidTestCase) {
 
 	t.Run("valid", func(t *testing.T) {
 		t.Helper()
+		t.Parallel()
 
 		for _, tc := range testCases {
 			t.Run(tc.name, func(t *testing.T) {
 				t.Helper()
+				t.Parallel()
 
 				if got := tc.op.Valid(); got != tc.want {
 					t.Errorf("Valid: %v, want %v", got, tc.want)
@@ -55,10 +59,12 @@ func checkOpsBuilder(t *testing.T, testCases []opsBuilderTestCase) {
 
 	t.Run("build", func(t *testing.T) {
 		t.Helper()
+		t.Parallel()
 
 		for _, tc := range testCases {
 			t.Run(tc.name, func(t *testing.T) {
 				t.Helper()
+				t.Parallel()
 
 				if !slices.EqualFunc(*tc.ops, tc.want, func(op Op, v Op) bool { return op.Is(v) }) {
 					t.Errorf("Ops: %#v, want %#v", tc.ops, tc.want)
@@ -79,10 +85,12 @@ func checkOpIs(t *testing.T, testCases []opIsTestCase) {
 
 	t.Run("is", func(t *testing.T) {
 		t.Helper()
+		t.Parallel()
 
 		for _, tc := range testCases {
 			t.Run(tc.name, func(t *testing.T) {
 				t.Helper()
+				t.Parallel()
 
 				if got := tc.op.Is(tc.v); got != tc.want {
 					t.Errorf("Is: %v, want %v", got, tc.want)
@@ -105,10 +113,12 @@ func checkOpMeta(t *testing.T, testCases []opMetaTestCase) {
 
 	t.Run("meta", func(t *testing.T) {
 		t.Helper()
+		t.Parallel()
 
 		for _, tc := range testCases {
 			t.Run(tc.name, func(t *testing.T) {
 				t.Helper()
+				t.Parallel()
 
 				t.Run("prefix", func(t *testing.T) {
 					t.Helper()
@@ -149,6 +159,7 @@ func checkSimple(t *testing.T, fname string, testCases []simpleTestCase) {
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Helper()
+			t.Parallel()
 
 			wait4signal := make(chan struct{})
 			k := &kstub{wait4signal, stub.New(t, func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { return &kstub{wait4signal, s} }, tc.want)}
@@ -182,10 +193,12 @@ func checkOpBehaviour(t *testing.T, testCases []opBehaviourTestCase) {
 
 	t.Run("behaviour", func(t *testing.T) {
 		t.Helper()
+		t.Parallel()
 
 		for _, tc := range testCases {
 			t.Run(tc.name, func(t *testing.T) {
 				t.Helper()
+				t.Parallel()
 
 				k := &kstub{nil, stub.New(t,
 					func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { return &kstub{nil, s} },
@@ -329,7 +342,7 @@ func (k *kstub) setDumpable(dumpable uintptr) error {
 }
 
 func (k *kstub) setNoNewPrivs() error { k.Helper(); return k.Expects("setNoNewPrivs").Err }
-func (k *kstub) lastcap(msg Msg) uintptr {
+func (k *kstub) lastcap(msg message.Msg) uintptr {
 	k.Helper()
 	k.checkMsg(msg)
 	return k.Expects("lastcap").Ret.(uintptr)
@@ -409,7 +422,7 @@ func (k *kstub) receive(key string, e any, fdp *uintptr) (closeFunc func() error
 	return
 }
 
-func (k *kstub) bindMount(msg Msg, source, target string, flags uintptr) error {
+func (k *kstub) bindMount(msg message.Msg, source, target string, flags uintptr) error {
 	k.Helper()
 	k.checkMsg(msg)
 	return k.Expects("bindMount").Error(
@@ -418,7 +431,7 @@ func (k *kstub) bindMount(msg Msg, source, target string, flags uintptr) error {
 		stub.CheckArg(k.Stub, "flags", flags, 2))
 }
 
-func (k *kstub) remount(msg Msg, target string, flags uintptr) error {
+func (k *kstub) remount(msg message.Msg, target string, flags uintptr) error {
 	k.Helper()
 	k.checkMsg(msg)
 	return k.Expects("remount").Error(
@@ -444,7 +457,7 @@ func (k *kstub) ensureFile(name string, perm, pperm os.FileMode) error {
 		stub.CheckArg(k.Stub, "pperm", pperm, 2))
 }
 
-func (k *kstub) seccompLoad(rules []seccomp.NativeRule, flags seccomp.ExportFlag) error {
+func (k *kstub) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
 	k.Helper()
 	return k.Expects("seccompLoad").Error(
 		stub.CheckArgReflect(k.Stub, "rules", rules, 0),
@@ -702,7 +715,7 @@ func (k *kstub) wait4(pid int, wstatus *syscall.WaitStatus, options int, rusage
 	return
 }
 
-func (k *kstub) printf(_ Msg, format string, v ...any) {
+func (k *kstub) printf(_ message.Msg, format string, v ...any) {
 	k.Helper()
 	if k.Expects("printf").Error(
 		stub.CheckArg(k.Stub, "format", format, 0),
@@ -711,7 +724,7 @@ func (k *kstub) printf(_ Msg, format string, v ...any) {
 	}
 }
 
-func (k *kstub) fatal(_ Msg, v ...any) {
+func (k *kstub) fatal(_ message.Msg, v ...any) {
 	k.Helper()
 	if k.Expects("fatal").Error(
 		stub.CheckArgReflect(k.Stub, "v", v, 0)) != nil {
@@ -720,7 +733,7 @@ func (k *kstub) fatal(_ Msg, v ...any) {
 	panic(stub.PanicExit)
 }
 
-func (k *kstub) fatalf(_ Msg, format string, v ...any) {
+func (k *kstub) fatalf(_ message.Msg, format string, v ...any) {
 	k.Helper()
 	if k.Expects("fatalf").Error(
 		stub.CheckArg(k.Stub, "format", format, 0),
@@ -730,7 +743,7 @@ func (k *kstub) fatalf(_ Msg, format string, v ...any) {
 	panic(stub.PanicExit)
 }
 
-func (k *kstub) checkMsg(msg Msg) {
+func (k *kstub) checkMsg(msg message.Msg) {
 	k.Helper()
 	var target *kstub
 

container/errors.go

@@ -59,6 +59,7 @@ func messagePrefixP[V any, T interface {
 	return zeroString, false
 }
 
+// MountError wraps errors returned by syscall.Mount.
 type MountError struct {
 	Source, Target, Fstype string
 
@@ -74,6 +75,7 @@ func (e *MountError) Unwrap() error {
 	return e.Errno
 }
 
+func (e *MountError) Message() string { return "cannot " + e.Error() }
 func (e *MountError) Error() string {
 	if e.Flags&syscall.MS_BIND != 0 {
 		if e.Flags&syscall.MS_REMOUNT != 0 {
@@ -90,6 +92,15 @@ func (e *MountError) Error() string {
 	return "mount " + e.Target + ": " + e.Errno.Error()
 }
 
+// optionalErrorUnwrap calls [errors.Unwrap] and returns the resulting value
+// if it is not nil, or the original value if it is.
+func optionalErrorUnwrap(err error) error {
+	if underlyingErr := errors.Unwrap(err); underlyingErr != nil {
+		return underlyingErr
+	}
+	return err
+}
+
 // errnoFallback returns the concrete errno from an error, or a [os.PathError] fallback.
 func errnoFallback(op, path string, err error) (syscall.Errno, *os.PathError) {
 	var errno syscall.Errno

container/errors_test.go

@@ -14,6 +14,8 @@ import (
 )
 
 func TestMessageFromError(t *testing.T) {
+	t.Parallel()
+
 	testCases := []struct {
 		name   string
 		err    error
@@ -44,8 +46,8 @@ func TestMessageFromError(t *testing.T) {
 		{"state", OpStateError("overlay"),
 			"impossible overlay state reached", true},
 
-		{"vfs parse", &vfs.DecoderError{Op: "parse", Line: 0xdeadbeef, Err: &strconv.NumError{Func: "Atoi", Num: "meow", Err: strconv.ErrSyntax}},
+		{"vfs parse", &vfs.DecoderError{Op: "parse", Line: 0xdead, Err: &strconv.NumError{Func: "Atoi", Num: "meow", Err: strconv.ErrSyntax}},
-			`cannot parse mountinfo at line 3735928559: numeric field "meow" invalid syntax`, true},
+			`cannot parse mountinfo at line 57005: numeric field "meow" invalid syntax`, true},
 
 		{"tmpfs", TmpfsSizeError(-1),
 			"tmpfs size -1 out of bounds", true},
@@ -54,6 +56,7 @@ func TestMessageFromError(t *testing.T) {
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
 			got, ok := messageFromError(tc.err)
 			if got != tc.want {
 				t.Errorf("messageFromError: %q, want %q", got, tc.want)
@@ -66,6 +69,8 @@ func TestMessageFromError(t *testing.T) {
 }
 
 func TestMountError(t *testing.T) {
+	t.Parallel()
+
 	testCases := []struct {
 		name  string
 		err   error
@@ -111,6 +116,7 @@ func TestMountError(t *testing.T) {
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
 			t.Run("is", func(t *testing.T) {
 				if !errors.Is(tc.err, tc.errno) {
 					t.Errorf("Is: %#v is not %v", tc.err, tc.errno)
@@ -125,6 +131,7 @@ func TestMountError(t *testing.T) {
 	}
 
 	t.Run("zero", func(t *testing.T) {
+		t.Parallel()
 		if errors.Is(new(MountError), syscall.Errno(0)) {
 			t.Errorf("Is: zero MountError unexpected true")
 		}
@@ -132,6 +139,8 @@ func TestMountError(t *testing.T) {
 }
 
 func TestErrnoFallback(t *testing.T) {
+	t.Parallel()
+
 	testCases := []struct {
 		name      string
 		err       error
@@ -154,6 +163,7 @@ func TestErrnoFallback(t *testing.T) {
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
 			errno, err := errnoFallback(tc.name, Nonexistent, tc.err)
 			if errno != tc.wantErrno {
 				t.Errorf("errnoFallback: errno = %v, want %v", errno, tc.wantErrno)

container/executable.go

@@ -1,8 +1,12 @@
 package container
 
 import (
+	"fmt"
+	"log"
 	"os"
 	"sync"
+
+	"hakurei.app/message"
 )
 
 var (
@@ -10,16 +14,21 @@ var (
 	executableOnce sync.Once
 )
 
-func copyExecutable(msg Msg) {
+func copyExecutable(msg message.Msg) {
 	if name, err := os.Executable(); err != nil {
-		msg.BeforeExit()
+		m := fmt.Sprintf("cannot read executable path: %v", err)
-		msg.GetLogger().Fatalf("cannot read executable path: %v", err)
+		if msg != nil {
+			msg.BeforeExit()
+			msg.GetLogger().Fatal(m)
+		} else {
+			log.Fatal(m)
+		}
 	} else {
 		executable = name
 	}
 }
 
-func MustExecutable(msg Msg) string {
+func MustExecutable(msg message.Msg) string {
 	executableOnce.Do(func() { copyExecutable(msg) })
 	return executable
 }

container/executable_test.go

@@ -5,13 +5,14 @@ import (
 	"testing"
 
 	"hakurei.app/container"
+	"hakurei.app/message"
 )
 
 func TestExecutable(t *testing.T) {
+	t.Parallel()
 	for i := 0; i < 16; i++ {
-		if got := container.MustExecutable(container.NewMsg(nil)); got != os.Args[0] {
+		if got := container.MustExecutable(message.New(nil)); got != os.Args[0] {
-			t.Errorf("MustExecutable: %q, want %q",
+			t.Errorf("MustExecutable: %q, want %q", got, os.Args[0])
-				got, os.Args[0])
 		}
 	}
 }

container/fhs/abs.go

@@ -1,7 +1,7 @@
 package fhs
 
 import (
-	_ "unsafe"
+	_ "unsafe" // for go:linkname
 
 	"hakurei.app/container/check"
 )

container/init.go

@@ -14,6 +14,7 @@ import (
 
 	"hakurei.app/container/fhs"
 	"hakurei.app/container/seccomp"
+	"hakurei.app/message"
 )
 
 const (
@@ -61,7 +62,7 @@ type (
 	setupState struct {
 		nonrepeatable uintptr
 		*Params
-		Msg
+		message.Msg
 	}
 )
 
@@ -95,15 +96,14 @@ type initParams struct {
 }
 
 // Init is called by [TryArgv0] if the current process is the container init.
-func Init(msg Msg) {
+func Init(msg message.Msg) { initEntrypoint(direct{}, msg) }
+
+func initEntrypoint(k syscallDispatcher, msg message.Msg) {
+	k.lockOSThread()
+
 	if msg == nil {
 		panic("attempting to call initEntrypoint with nil msg")
 	}
-	initEntrypoint(direct{}, msg)
-}
-
-func initEntrypoint(k syscallDispatcher, msg Msg) {
-	k.lockOSThread()
 
 	if k.getpid() != 1 {
 		k.fatal(msg, "this process must run as pid 1")
@@ -125,7 +125,7 @@ func initEntrypoint(k syscallDispatcher, msg Msg) {
 			k.fatal(msg, "invalid setup descriptor")
 		}
 		if errors.Is(err, ErrReceiveEnv) {
-			k.fatal(msg, "HAKUREI_SETUP not set")
+			k.fatal(msg, setupEnv+" not set")
 		}
 
 		k.fatalf(msg, "cannot decode init setup payload: %v", err)
@@ -177,7 +177,7 @@ func initEntrypoint(k syscallDispatcher, msg Msg) {
 	lastcap := k.lastcap(msg)
 
 	if err := k.mount(zeroString, fhs.Root, zeroString, MS_SILENT|MS_SLAVE|MS_REC, zeroString); err != nil {
-		k.fatalf(msg, "cannot make / rslave: %v", err)
+		k.fatalf(msg, "cannot make / rslave: %v", optionalErrorUnwrap(err))
 	}
 
 	state := &setupState{Params: &params.Params, Msg: msg}
@@ -201,7 +201,7 @@ func initEntrypoint(k syscallDispatcher, msg Msg) {
 	}
 
 	if err := k.mount(SourceTmpfsRootfs, intermediateHostPath, FstypeTmpfs, MS_NODEV|MS_NOSUID, zeroString); err != nil {
-		k.fatalf(msg, "cannot mount intermediate root: %v", err)
+		k.fatalf(msg, "cannot mount intermediate root: %v", optionalErrorUnwrap(err))
 	}
 	if err := k.chdir(intermediateHostPath); err != nil {
 		k.fatalf(msg, "cannot enter intermediate host path: %v", err)
@@ -211,7 +211,7 @@ func initEntrypoint(k syscallDispatcher, msg Msg) {
 		k.fatalf(msg, "%v", err)
 	}
 	if err := k.mount(sysrootDir, sysrootDir, zeroString, MS_SILENT|MS_BIND|MS_REC, zeroString); err != nil {
-		k.fatalf(msg, "cannot bind sysroot: %v", err)
+		k.fatalf(msg, "cannot bind sysroot: %v", optionalErrorUnwrap(err))
 	}
 
 	if err := k.mkdir(hostDir, 0755); err != nil {
@@ -245,7 +245,7 @@ func initEntrypoint(k syscallDispatcher, msg Msg) {
 
 	// setup requiring host root complete at this point
 	if err := k.mount(hostDir, hostDir, zeroString, MS_SILENT|MS_REC|MS_PRIVATE, zeroString); err != nil {
-		k.fatalf(msg, "cannot make host root rprivate: %v", err)
+		k.fatalf(msg, "cannot make host root rprivate: %v", optionalErrorUnwrap(err))
 	}
 	if err := k.unmount(hostDir, MNT_DETACH); err != nil {
 		k.fatalf(msg, "cannot unmount host root: %v", err)
@@ -330,6 +330,10 @@ func initEntrypoint(k syscallDispatcher, msg Msg) {
 	}
 	k.umask(oldmask)
 
+	if err := closeSetup(); err != nil {
+		k.fatalf(msg, "cannot close setup pipe: %v", err)
+	}
+
 	cmd := exec.Command(params.Path.String())
 	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
 	cmd.Args = params.Args
@@ -341,21 +345,19 @@ func initEntrypoint(k syscallDispatcher, msg Msg) {
 	if err := k.start(cmd); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
-	msg.Suspend()
-
-	if err := closeSetup(); err != nil {
-		k.printf(msg, "cannot close setup pipe: %v", err)
-		// not fatal
-	}
 
 	type winfo struct {
 		wpid    int
 		wstatus WaitStatus
 	}
+
+	// info is closed as the wait4 thread terminates
+	// when there are no longer any processes left to reap
 	info := make(chan winfo, 1)
-	done := make(chan struct{})
 
 	k.new(func(k syscallDispatcher) {
+		k.lockOSThread()
+
 		var (
 			err     error
 			wpid    = -2
@@ -381,12 +383,13 @@ func initEntrypoint(k syscallDispatcher, msg Msg) {
 			k.printf(msg, "unexpected wait4 response: %v", err)
 		}
 
-		close(done)
+		close(info)
 	})
 
 	// handle signals to dump withheld messages
 	sig := make(chan os.Signal, 2)
-	k.notify(sig, os.Interrupt, CancelSignal)
+	k.notify(sig, CancelSignal,
+		os.Interrupt, SIGTERM, SIGQUIT)
 
 	// closed after residualProcessTimeout has elapsed after initial process death
 	timeout := make(chan struct{})
@@ -395,11 +398,6 @@ func initEntrypoint(k syscallDispatcher, msg Msg) {
 	for {
 		select {
 		case s := <-sig:
-			if msg.Resume() {
-				msg.Verbosef("%s after process start", s.String())
-			} else {
-				msg.Verbosef("got %s", s.String())
-			}
 			if s == CancelSignal && params.ForwardCancel && cmd.Process != nil {
 				msg.Verbose("forwarding context cancellation")
 				if err := k.signal(cmd, os.Interrupt); err != nil {
@@ -407,13 +405,36 @@ func initEntrypoint(k syscallDispatcher, msg Msg) {
 				}
 				continue
 			}
+
+			if s == SIGTERM || s == SIGQUIT {
+				msg.Verbosef("got %s, forwarding to initial process", s.String())
+				if err := k.signal(cmd, s); err != nil {
+					k.printf(msg, "cannot forward signal: %v", err)
+				}
+				continue
+			}
+
+			msg.Verbosef("got %s", s.String())
 			msg.BeforeExit()
 			k.exit(0)
 
-		case w := <-info:
+		case w, ok := <-info:
+			if !ok {
+				msg.BeforeExit()
+				k.exit(r)
+				continue // unreachable
+			}
+
 			if w.wpid == cmd.Process.Pid {
-				// initial process exited, output is most likely available again
+				// start timeout early
-				msg.Resume()
+				go func() { time.Sleep(params.AdoptWaitDelay); close(timeout) }()
+
+				// close initial process files; this also keeps them alive
+				for _, f := range extraFiles {
+					if err := f.Close(); err != nil {
+						msg.Verbose(err.Error())
+					}
+				}
 
 				switch {
 				case w.wstatus.Exited():
@@ -428,14 +449,8 @@ func initEntrypoint(k syscallDispatcher, msg Msg) {
 					r = 255
 					msg.Verbosef("initial process exited with status %#x", w.wstatus)
 				}
-
-				go func() { time.Sleep(params.AdoptWaitDelay); close(timeout) }()
 			}
 
-		case <-done:
-			msg.BeforeExit()
-			k.exit(r)
-
 		case <-timeout:
 			k.printf(msg, "timeout exceeded waiting for lingering processes")
 			msg.BeforeExit()
@@ -444,15 +459,16 @@ func initEntrypoint(k syscallDispatcher, msg Msg) {
 	}
 }
 
+// initName is the prefix used by log.std in the init process.
 const initName = "init"
 
 // TryArgv0 calls [Init] if the last element of argv0 is "init".
 // If a nil msg is passed, the system logger is used instead.
-func TryArgv0(msg Msg) {
+func TryArgv0(msg message.Msg) {
 	if msg == nil {
 		log.SetPrefix(initName + ": ")
 		log.SetFlags(0)
-		msg = NewMsg(log.Default())
+		msg = message.New(log.Default())
 	}
 
 	if len(os.Args) > 0 && path.Base(os.Args[0]) == initName {

container/initbind.go

@@ -6,8 +6,8 @@ import (
 	"os"
 	"syscall"
 
-	"hakurei.app/container/bits"
 	"hakurei.app/container/check"
+	"hakurei.app/container/std"
 )
 
 func init() { gob.Register(new(BindMountOp)) }
@@ -29,18 +29,18 @@ type BindMountOp struct {
 func (b *BindMountOp) Valid() bool {
 	return b != nil &&
 		b.Source != nil && b.Target != nil &&
-		b.Flags&(bits.BindOptional|bits.BindEnsure) != (bits.BindOptional|bits.BindEnsure)
+		b.Flags&(std.BindOptional|std.BindEnsure) != (std.BindOptional|std.BindEnsure)
 }
 
 func (b *BindMountOp) early(_ *setupState, k syscallDispatcher) error {
-	if b.Flags&bits.BindEnsure != 0 {
+	if b.Flags&std.BindEnsure != 0 {
 		if err := k.mkdirAll(b.Source.String(), 0700); err != nil {
 			return err
 		}
 	}
 
 	if pathname, err := k.evalSymlinks(b.Source.String()); err != nil {
-		if os.IsNotExist(err) && b.Flags&bits.BindOptional != 0 {
+		if os.IsNotExist(err) && b.Flags&std.BindOptional != 0 {
 			// leave sourceFinal as nil
 			return nil
 		}
@@ -53,7 +53,7 @@ func (b *BindMountOp) early(_ *setupState, k syscallDispatcher) error {
 
 func (b *BindMountOp) apply(state *setupState, k syscallDispatcher) error {
 	if b.sourceFinal == nil {
-		if b.Flags&bits.BindOptional == 0 {
+		if b.Flags&std.BindOptional == 0 {
 			// unreachable
 			return OpStateError("bind")
 		}
@@ -76,10 +76,10 @@ func (b *BindMountOp) apply(state *setupState, k syscallDispatcher) error {
 	}
 
 	var flags uintptr = syscall.MS_REC
-	if b.Flags&bits.BindWritable == 0 {
+	if b.Flags&std.BindWritable == 0 {
 		flags |= syscall.MS_RDONLY
 	}
-	if b.Flags&bits.BindDevice == 0 {
+	if b.Flags&std.BindDevice == 0 {
 		flags |= syscall.MS_NODEV
 	}
 

container/initbind_test.go

@@ -6,12 +6,14 @@ import (
 	"syscall"
 	"testing"
 
-	"hakurei.app/container/bits"
 	"hakurei.app/container/check"
+	"hakurei.app/container/std"
 	"hakurei.app/container/stub"
 )
 
 func TestBindMountOp(t *testing.T) {
+	t.Parallel()
+
 	checkOpBehaviour(t, []opBehaviourTestCase{
 		{"ENOENT not optional", new(Params), &BindMountOp{
 			Source: check.MustAbs("/bin/"),
@@ -23,7 +25,7 @@ func TestBindMountOp(t *testing.T) {
 		{"skip optional", new(Params), &BindMountOp{
 			Source: check.MustAbs("/bin/"),
 			Target: check.MustAbs("/bin/"),
-			Flags:  bits.BindOptional,
+			Flags:  std.BindOptional,
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "", syscall.ENOENT),
 		}, nil, nil, nil},
@@ -31,7 +33,7 @@ func TestBindMountOp(t *testing.T) {
 		{"success optional", new(Params), &BindMountOp{
 			Source: check.MustAbs("/bin/"),
 			Target: check.MustAbs("/bin/"),
-			Flags:  bits.BindOptional,
+			Flags:  std.BindOptional,
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/usr/bin", nil),
 		}, nil, []stub.Call{
@@ -44,7 +46,7 @@ func TestBindMountOp(t *testing.T) {
 		{"ensureFile device", new(Params), &BindMountOp{
 			Source: check.MustAbs("/dev/null"),
 			Target: check.MustAbs("/dev/null"),
-			Flags:  bits.BindWritable | bits.BindDevice,
+			Flags:  std.BindWritable | std.BindDevice,
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/dev/null"}, "/dev/null", nil),
 		}, nil, []stub.Call{
@@ -55,7 +57,7 @@ func TestBindMountOp(t *testing.T) {
 		{"mkdirAll ensure", new(Params), &BindMountOp{
 			Source: check.MustAbs("/bin/"),
 			Target: check.MustAbs("/bin/"),
-			Flags:  bits.BindEnsure,
+			Flags:  std.BindEnsure,
 		}, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/bin/", os.FileMode(0700)}, nil, stub.UniqueError(4)),
 		}, stub.UniqueError(4), nil, nil},
@@ -63,7 +65,7 @@ func TestBindMountOp(t *testing.T) {
 		{"success ensure", new(Params), &BindMountOp{
 			Source: check.MustAbs("/bin/"),
 			Target: check.MustAbs("/usr/bin/"),
-			Flags:  bits.BindEnsure,
+			Flags:  std.BindEnsure,
 		}, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/bin/", os.FileMode(0700)}, nil, nil),
 			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/usr/bin", nil),
@@ -77,7 +79,7 @@ func TestBindMountOp(t *testing.T) {
 		{"success device ro", new(Params), &BindMountOp{
 			Source: check.MustAbs("/dev/null"),
 			Target: check.MustAbs("/dev/null"),
-			Flags:  bits.BindDevice,
+			Flags:  std.BindDevice,
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/dev/null"}, "/dev/null", nil),
 		}, nil, []stub.Call{
@@ -90,7 +92,7 @@ func TestBindMountOp(t *testing.T) {
 		{"success device", new(Params), &BindMountOp{
 			Source: check.MustAbs("/dev/null"),
 			Target: check.MustAbs("/dev/null"),
-			Flags:  bits.BindWritable | bits.BindDevice,
+			Flags:  std.BindWritable | std.BindDevice,
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/dev/null"}, "/dev/null", nil),
 		}, nil, []stub.Call{
@@ -164,7 +166,10 @@ func TestBindMountOp(t *testing.T) {
 	})
 
 	t.Run("unreachable", func(t *testing.T) {
+		t.Parallel()
+
 		t.Run("nil sourceFinal not optional", func(t *testing.T) {
+			t.Parallel()
 			wantErr := OpStateError("bind")
 			if err := new(BindMountOp).apply(nil, nil); !errors.Is(err, wantErr) {
 				t.Errorf("apply: error = %v, want %v", err, wantErr)
@@ -177,7 +182,7 @@ func TestBindMountOp(t *testing.T) {
 		{"zero", new(BindMountOp), false},
 		{"nil source", &BindMountOp{Target: check.MustAbs("/")}, false},
 		{"nil target", &BindMountOp{Source: check.MustAbs("/")}, false},
-		{"flag optional ensure", &BindMountOp{Source: check.MustAbs("/"), Target: check.MustAbs("/"), Flags: bits.BindOptional | bits.BindEnsure}, false},
+		{"flag optional ensure", &BindMountOp{Source: check.MustAbs("/"), Target: check.MustAbs("/"), Flags: std.BindOptional | std.BindEnsure}, false},
 		{"valid", &BindMountOp{Source: check.MustAbs("/"), Target: check.MustAbs("/")}, true},
 	})
 
@@ -212,7 +217,7 @@ func TestBindMountOp(t *testing.T) {
 		}, &BindMountOp{
 			Source: check.MustAbs("/etc/"),
 			Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
-			Flags:  bits.BindOptional,
+			Flags:  std.BindOptional,
 		}, false},
 
 		{"source differs", &BindMountOp{
@@ -251,7 +256,7 @@ func TestBindMountOp(t *testing.T) {
 		{"hostdev", &BindMountOp{
 			Source: check.MustAbs("/dev/"),
 			Target: check.MustAbs("/dev/"),
-			Flags:  bits.BindWritable | bits.BindDevice,
+			Flags:  std.BindWritable | std.BindDevice,
 		}, "mounting", `"/dev/" flags 0x6`},
 	})
 }

container/initdev_test.go

@@ -9,6 +9,8 @@ import (
 )
 
 func TestMountDevOp(t *testing.T) {
+	t.Parallel()
+
 	checkOpBehaviour(t, []opBehaviourTestCase{
 		{"mountTmpfs", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),

container/initmkdir_test.go

@@ -9,6 +9,8 @@ import (
 )
 
 func TestMkdirOp(t *testing.T) {
+	t.Parallel()
+
 	checkOpBehaviour(t, []opBehaviourTestCase{
 		{"success", new(Params), &MkdirOp{
 			Path: check.MustAbs("/.hakurei"),

container/initoverlay_test.go

@@ -10,7 +10,11 @@ import (
 )
 
 func TestMountOverlayOp(t *testing.T) {
+	t.Parallel()
+
 	t.Run("argument error", func(t *testing.T) {
+		t.Parallel()
+
 		testCases := []struct {
 			name string
 			err  *OverlayArgumentError
@@ -30,6 +34,7 @@ func TestMountOverlayOp(t *testing.T) {
 		}
 		for _, tc := range testCases {
 			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
 				if got := tc.err.Error(); got != tc.want {
 					t.Errorf("Error: %q, want %q", got, tc.want)
 				}
@@ -270,7 +275,10 @@ func TestMountOverlayOp(t *testing.T) {
 	})
 
 	t.Run("unreachable", func(t *testing.T) {
+		t.Parallel()
+
 		t.Run("nil Upper non-nil Work not ephemeral", func(t *testing.T) {
+			t.Parallel()
 			wantErr := OpStateError("overlay")
 			if err := (&MountOverlayOp{
 				Work: check.MustAbs("/"),

container/initplace.go

@@ -22,15 +22,6 @@ func (f *Ops) Place(name *check.Absolute, data []byte) *Ops {
 	return f
 }
 
-// PlaceP is like Place but writes the address of [TmpfileOp.Data] to the pointer dataP points to.
-func (f *Ops) PlaceP(name *check.Absolute, dataP **[]byte) *Ops {
-	t := &TmpfileOp{Path: name}
-	*dataP = &t.Data
-
-	*f = append(*f, t)
-	return f
-}
-
 // TmpfileOp places a file on container Path containing Data.
 type TmpfileOp struct {
 	Path *check.Absolute

container/initplace_test.go

@@ -14,6 +14,7 @@ func TestTmpfileOp(t *testing.T) {
 		samplePath = check.MustAbs("/etc/passwd")
 		sampleData = []byte(sampleDataString)
 	)
+	t.Parallel()
 
 	checkOpBehaviour(t, []opBehaviourTestCase{
 		{"createTemp", &Params{ParentPerm: 0700}, &TmpfileOp{
@@ -82,18 +83,8 @@ func TestTmpfileOp(t *testing.T) {
 	})
 
 	checkOpsBuilder(t, []opsBuilderTestCase{
-		{"noref", new(Ops).Place(samplePath, sampleData), Ops{
+		{"full", new(Ops).Place(samplePath, sampleData), Ops{
-			&TmpfileOp{
+			&TmpfileOp{Path: samplePath, Data: sampleData},
-				Path: samplePath,
-				Data: sampleData,
-			},
-		}},
-
-		{"ref", new(Ops).PlaceP(samplePath, new(*[]byte)), Ops{
-			&TmpfileOp{
-				Path: samplePath,
-				Data: []byte{},
-			},
 		}},
 	})
 

container/initproc_test.go

@@ -9,6 +9,8 @@ import (
 )
 
 func TestMountProcOp(t *testing.T) {
+	t.Parallel()
+
 	checkOpBehaviour(t, []opBehaviourTestCase{
 		{"mkdir", &Params{ParentPerm: 0755},
 			&MountProcOp{

container/initremount_test.go

@@ -9,6 +9,8 @@ import (
 )
 
 func TestRemountOp(t *testing.T) {
+	t.Parallel()
+
 	checkOpBehaviour(t, []opBehaviourTestCase{
 		{"success", new(Params), &RemountOp{
 			Target: check.MustAbs("/"),

container/initsymlink_test.go

@@ -9,6 +9,8 @@ import (
 )
 
 func TestSymlinkOp(t *testing.T) {
+	t.Parallel()
+
 	checkOpBehaviour(t, []opBehaviourTestCase{
 		{"mkdir", &Params{ParentPerm: 0700}, &SymlinkOp{
 			Target:   check.MustAbs("/etc/nixos"),

container/inittmpfs_test.go

@@ -10,7 +10,10 @@ import (
 )
 
 func TestMountTmpfsOp(t *testing.T) {
+	t.Parallel()
+
 	t.Run("size error", func(t *testing.T) {
+		t.Parallel()
 		tmpfsSizeError := TmpfsSizeError(-1)
 		want := "tmpfs size -1 out of bounds"
 		if got := tmpfsSizeError.Error(); got != want {

container/landlock.go

@@ -5,7 +5,7 @@ import (
 	"syscall"
 	"unsafe"
 
-	"hakurei.app/container/seccomp"
+	"hakurei.app/container/std"
 )
 
 // include/uapi/linux/landlock.h
@@ -14,7 +14,8 @@ const (
 	LANDLOCK_CREATE_RULESET_VERSION = 1 << iota
 )
 
-type LandlockAccessFS uintptr
+// LandlockAccessFS is bitmask of handled filesystem actions.
+type LandlockAccessFS uint64
 
 const (
 	LANDLOCK_ACCESS_FS_EXECUTE LandlockAccessFS = 1 << iota
@@ -105,7 +106,8 @@ func (f LandlockAccessFS) String() string {
 	}
 }
 
-type LandlockAccessNet uintptr
+// LandlockAccessNet is bitmask of handled network actions.
+type LandlockAccessNet uint64
 
 const (
 	LANDLOCK_ACCESS_NET_BIND_TCP LandlockAccessNet = 1 << iota
@@ -140,7 +142,8 @@ func (f LandlockAccessNet) String() string {
 	}
 }
 
-type LandlockScope uintptr
+// LandlockScope is bitmask of scopes restricting a Landlock domain from accessing outside resources.
+type LandlockScope uint64
 
 const (
 	LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET LandlockScope = 1 << iota
@@ -175,6 +178,7 @@ func (f LandlockScope) String() string {
 	}
 }
 
+// RulesetAttr is equivalent to struct landlock_ruleset_attr.
 type RulesetAttr struct {
 	// Bitmask of handled filesystem actions.
 	HandledAccessFS LandlockAccessFS
@@ -212,7 +216,7 @@ func (rulesetAttr *RulesetAttr) Create(flags uintptr) (fd int, err error) {
 		size = unsafe.Sizeof(*rulesetAttr)
 	}
 
-	rulesetFd, _, errno := syscall.Syscall(seccomp.SYS_LANDLOCK_CREATE_RULESET, pointer, size, flags)
+	rulesetFd, _, errno := syscall.Syscall(std.SYS_LANDLOCK_CREATE_RULESET, pointer, size, flags)
 	fd = int(rulesetFd)
 	err = errno
 
@@ -231,7 +235,7 @@ func LandlockGetABI() (int, error) {
 }
 
 func LandlockRestrictSelf(rulesetFd int, flags uintptr) error {
-	r, _, errno := syscall.Syscall(seccomp.SYS_LANDLOCK_RESTRICT_SELF, uintptr(rulesetFd), flags, 0)
+	r, _, errno := syscall.Syscall(std.SYS_LANDLOCK_RESTRICT_SELF, uintptr(rulesetFd), flags, 0)
 	if r != 0 {
 		return errno
 	}

container/landlock_test.go

@@ -8,6 +8,8 @@ import (
 )
 
 func TestLandlockString(t *testing.T) {
+	t.Parallel()
+
 	testCases := []struct {
 		name        string
 		rulesetAttr *container.RulesetAttr
@@ -46,6 +48,7 @@ func TestLandlockString(t *testing.T) {
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
 			if got := tc.rulesetAttr.String(); got != tc.want {
 				t.Errorf("String: %s, want %s", got, tc.want)
 			}
@@ -54,6 +57,7 @@ func TestLandlockString(t *testing.T) {
 }
 
 func TestLandlockAttrSize(t *testing.T) {
+	t.Parallel()
 	want := 24
 	if got := unsafe.Sizeof(container.RulesetAttr{}); got != uintptr(want) {
 		t.Errorf("Sizeof: %d, want %d", got, want)

container/mount.go

@@ -7,6 +7,7 @@ import (
 	. "syscall"
 
 	"hakurei.app/container/vfs"
+	"hakurei.app/message"
 )
 
 /*
@@ -87,7 +88,7 @@ const (
 )
 
 // bindMount mounts source on target and recursively applies flags if MS_REC is set.
-func (p *procPaths) bindMount(msg Msg, source, target string, flags uintptr) error {
+func (p *procPaths) bindMount(msg message.Msg, source, target string, flags uintptr) error {
 	// syscallDispatcher.bindMount and procPaths.remount must not be called from this function
 
 	if err := p.k.mount(source, target, FstypeNULL, MS_SILENT|MS_BIND|flags&MS_REC, zeroString); err != nil {
@@ -97,7 +98,7 @@ func (p *procPaths) bindMount(msg Msg, source, target string, flags uintptr) err
 }
 
 // remount applies flags on target, recursively if MS_REC is set.
-func (p *procPaths) remount(msg Msg, target string, flags uintptr) error {
+func (p *procPaths) remount(msg message.Msg, target string, flags uintptr) error {
 	// syscallDispatcher methods bindMount, remount must not be called from this function
 
 	var targetFinal string
@@ -159,7 +160,7 @@ func (p *procPaths) remount(msg Msg, target string, flags uintptr) error {
 }
 
 // remountWithFlags remounts mount point described by [vfs.MountInfoNode].
-func remountWithFlags(k syscallDispatcher, msg Msg, n *vfs.MountInfoNode, mf uintptr) error {
+func remountWithFlags(k syscallDispatcher, msg message.Msg, n *vfs.MountInfoNode, mf uintptr) error {
 	// syscallDispatcher methods bindMount, remount must not be called from this function
 
 	kf, unmatched := n.Flags()

container/mount_test.go

@@ -10,6 +10,8 @@ import (
 )
 
 func TestBindMount(t *testing.T) {
+	t.Parallel()
+
 	checkSimple(t, "bindMount", []simpleTestCase{
 		{"mount", func(k *kstub) error {
 			return newProcPaths(k, hostPath).bindMount(nil, "/host/nix", "/sysroot/nix", syscall.MS_RDONLY)
@@ -34,6 +36,8 @@ func TestBindMount(t *testing.T) {
 }
 
 func TestRemount(t *testing.T) {
+	t.Parallel()
+
 	const sampleMountinfoNix = `254 407 253:0 / /host rw,relatime master:1 - ext4 /dev/disk/by-label/nixos rw
 255 254 0:28 / /host/mnt/.ro-cwd ro,noatime master:2 - 9p cwd ro,access=client,msize=16384,trans=virtio
 256 254 0:29 / /host/nix/.ro-store rw,relatime master:3 - 9p nix-store rw,cache=f,access=client,msize=16384,trans=virtio
@@ -65,8 +69,8 @@ func TestRemount(t *testing.T) {
 403 397 0:63 / /host/run/user/1000 rw,nosuid,nodev,relatime master:295 - tmpfs tmpfs rw,size=401060k,nr_inodes=100265,mode=700,uid=1000,gid=100
 404 254 0:46 / /host/mnt/cwd rw,relatime master:96 - overlay overlay rw,lowerdir=/mnt/.ro-cwd,upperdir=/tmp/.cwd/upper,workdir=/tmp/.cwd/work
 405 254 0:47 / /host/mnt/src rw,relatime master:99 - overlay overlay rw,lowerdir=/nix/store/ihcrl3zwvp2002xyylri2wz0drwajx4z-ns0pa7q2b1jpx9pbf1l9352x6rniwxjn-source,upperdir=/tmp/.src/upper,workdir=/tmp/.src/work
-407 253 0:65 / / rw,nosuid,nodev,relatime - tmpfs rootfs rw,uid=1000000,gid=1000000
+407 253 0:65 / / rw,nosuid,nodev,relatime - tmpfs rootfs rw,uid=10000,gid=10000
-408 407 0:65 /sysroot /sysroot rw,nosuid,nodev,relatime - tmpfs rootfs rw,uid=1000000,gid=1000000
+408 407 0:65 /sysroot /sysroot rw,nosuid,nodev,relatime - tmpfs rootfs rw,uid=10000,gid=10000
 409 408 253:0 /bin /sysroot/bin rw,nosuid,nodev,relatime master:1 - ext4 /dev/disk/by-label/nixos rw
 410 408 253:0 /home /sysroot/home rw,nosuid,nodev,relatime master:1 - ext4 /dev/disk/by-label/nixos rw
 411 408 253:0 /lib64 /sysroot/lib64 rw,nosuid,nodev,relatime master:1 - ext4 /dev/disk/by-label/nixos rw
@@ -87,24 +91,24 @@ func TestRemount(t *testing.T) {
 			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
 		}, stub.Expect{Calls: []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", nil),
-			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdeadbeef, stub.UniqueError(5)),
+			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdead, stub.UniqueError(5)),
 		}}, &os.PathError{Op: "open", Path: "/sysroot/nix", Err: stub.UniqueError(5)}},
 
 		{"readlink", func(k *kstub) error {
 			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
 		}, stub.Expect{Calls: []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", nil),
-			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdeadbeef, nil),
+			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdead, nil),
-			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/3735928559"}, "/sysroot/nix", stub.UniqueError(4)),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/nix", stub.UniqueError(4)),
 		}}, stub.UniqueError(4)},
 
 		{"close", func(k *kstub) error {
 			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
 		}, stub.Expect{Calls: []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", nil),
-			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdeadbeef, nil),
+			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdead, nil),
-			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/3735928559"}, "/sysroot/nix", nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/nix", nil),
-			call("close", stub.ExpectArgs{0xdeadbeef}, nil, stub.UniqueError(3)),
+			call("close", stub.ExpectArgs{0xdead}, nil, stub.UniqueError(3)),
 		}}, &os.PathError{Op: "close", Path: "/sysroot/nix", Err: stub.UniqueError(3)}},
 
 		{"mountinfo no match", func(k *kstub) error {
@@ -112,9 +116,9 @@ func TestRemount(t *testing.T) {
 		}, stub.Expect{Calls: []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/.hakurei", nil),
 			call("verbosef", stub.ExpectArgs{"target resolves to %q", []any{"/sysroot/.hakurei"}}, nil, nil),
-			call("open", stub.ExpectArgs{"/sysroot/.hakurei", 0x280000, uint32(0)}, 0xdeadbeef, nil),
+			call("open", stub.ExpectArgs{"/sysroot/.hakurei", 0x280000, uint32(0)}, 0xdead, nil),
-			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/3735928559"}, "/sysroot/.hakurei", nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/.hakurei", nil),
-			call("close", stub.ExpectArgs{0xdeadbeef}, nil, nil),
+			call("close", stub.ExpectArgs{0xdead}, nil, nil),
 			call("openNew", stub.ExpectArgs{"/host/proc/self/mountinfo"}, newConstFile(sampleMountinfoNix), nil),
 		}}, &vfs.DecoderError{Op: "unfold", Line: -1, Err: vfs.UnfoldTargetError("/sysroot/.hakurei")}},
 
@@ -122,9 +126,9 @@ func TestRemount(t *testing.T) {
 			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
 		}, stub.Expect{Calls: []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", nil),
-			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdeadbeef, nil),
+			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdead, nil),
-			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/3735928559"}, "/sysroot/nix", nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/nix", nil),
-			call("close", stub.ExpectArgs{0xdeadbeef}, nil, nil),
+			call("close", stub.ExpectArgs{0xdead}, nil, nil),
 			call("openNew", stub.ExpectArgs{"/host/proc/self/mountinfo"}, newConstFile("\x00"), nil),
 		}}, &vfs.DecoderError{Op: "parse", Line: 0, Err: vfs.ErrMountInfoFields}},
 
@@ -132,9 +136,9 @@ func TestRemount(t *testing.T) {
 			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
 		}, stub.Expect{Calls: []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", nil),
-			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdeadbeef, nil),
+			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdead, nil),
-			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/3735928559"}, "/sysroot/nix", nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/nix", nil),
-			call("close", stub.ExpectArgs{0xdeadbeef}, nil, nil),
+			call("close", stub.ExpectArgs{0xdead}, nil, nil),
 			call("openNew", stub.ExpectArgs{"/host/proc/self/mountinfo"}, newConstFile(sampleMountinfoNix), nil),
 			call("mount", stub.ExpectArgs{"none", "/sysroot/nix", "", uintptr(0x209027), ""}, nil, stub.UniqueError(2)),
 		}}, stub.UniqueError(2)},
@@ -143,9 +147,9 @@ func TestRemount(t *testing.T) {
 			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
 		}, stub.Expect{Calls: []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", nil),
-			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdeadbeef, nil),
+			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdead, nil),
-			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/3735928559"}, "/sysroot/nix", nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/nix", nil),
-			call("close", stub.ExpectArgs{0xdeadbeef}, nil, nil),
+			call("close", stub.ExpectArgs{0xdead}, nil, nil),
 			call("openNew", stub.ExpectArgs{"/host/proc/self/mountinfo"}, newConstFile(sampleMountinfoNix), nil),
 			call("mount", stub.ExpectArgs{"none", "/sysroot/nix", "", uintptr(0x209027), ""}, nil, nil),
 			call("mount", stub.ExpectArgs{"none", "/sysroot/nix/.ro-store", "", uintptr(0x209027), ""}, nil, stub.UniqueError(1)),
@@ -166,9 +170,9 @@ func TestRemount(t *testing.T) {
 			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
 		}, stub.Expect{Calls: []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", nil),
-			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdeadbeef, nil),
+			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdead, nil),
-			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/3735928559"}, "/sysroot/nix", nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/nix", nil),
-			call("close", stub.ExpectArgs{0xdeadbeef}, nil, nil),
+			call("close", stub.ExpectArgs{0xdead}, nil, nil),
 			call("openNew", stub.ExpectArgs{"/host/proc/self/mountinfo"}, newConstFile(sampleMountinfoNix), nil),
 			call("mount", stub.ExpectArgs{"none", "/sysroot/nix", "", uintptr(0x209027), ""}, nil, nil),
 			call("mount", stub.ExpectArgs{"none", "/sysroot/nix/.ro-store", "", uintptr(0x209027), ""}, nil, syscall.EACCES),
@@ -179,9 +183,9 @@ func TestRemount(t *testing.T) {
 			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_RDONLY|syscall.MS_NODEV)
 		}, stub.Expect{Calls: []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", nil),
-			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdeadbeef, nil),
+			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdead, nil),
-			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/3735928559"}, "/sysroot/nix", nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/nix", nil),
-			call("close", stub.ExpectArgs{0xdeadbeef}, nil, nil),
+			call("close", stub.ExpectArgs{0xdead}, nil, nil),
 			call("openNew", stub.ExpectArgs{"/host/proc/self/mountinfo"}, newConstFile(sampleMountinfoNix), nil),
 			call("mount", stub.ExpectArgs{"none", "/sysroot/nix", "", uintptr(0x209027), ""}, nil, nil),
 		}}, nil},
@@ -190,9 +194,9 @@ func TestRemount(t *testing.T) {
 			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
 		}, stub.Expect{Calls: []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", nil),
-			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdeadbeef, nil),
+			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdead, nil),
-			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/3735928559"}, "/sysroot/nix", nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/nix", nil),
-			call("close", stub.ExpectArgs{0xdeadbeef}, nil, nil),
+			call("close", stub.ExpectArgs{0xdead}, nil, nil),
 			call("openNew", stub.ExpectArgs{"/host/proc/self/mountinfo"}, newConstFile(sampleMountinfoNix), nil),
 			call("mount", stub.ExpectArgs{"none", "/sysroot/nix", "", uintptr(0x209027), ""}, nil, nil),
 			call("mount", stub.ExpectArgs{"none", "/sysroot/nix/.ro-store", "", uintptr(0x209027), ""}, nil, nil),
@@ -204,9 +208,9 @@ func TestRemount(t *testing.T) {
 		}, stub.Expect{Calls: []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/sysroot/.nix"}, "/sysroot/NIX", nil),
 			call("verbosef", stub.ExpectArgs{"target resolves to %q", []any{"/sysroot/NIX"}}, nil, nil),
-			call("open", stub.ExpectArgs{"/sysroot/NIX", 0x280000, uint32(0)}, 0xdeadbeef, nil),
+			call("open", stub.ExpectArgs{"/sysroot/NIX", 0x280000, uint32(0)}, 0xdead, nil),
-			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/3735928559"}, "/sysroot/nix", nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/nix", nil),
-			call("close", stub.ExpectArgs{0xdeadbeef}, nil, nil),
+			call("close", stub.ExpectArgs{0xdead}, nil, nil),
 			call("openNew", stub.ExpectArgs{"/host/proc/self/mountinfo"}, newConstFile(sampleMountinfoNix), nil),
 			call("mount", stub.ExpectArgs{"none", "/sysroot/nix", "", uintptr(0x209027), ""}, nil, nil),
 			call("mount", stub.ExpectArgs{"none", "/sysroot/nix/.ro-store", "", uintptr(0x209027), ""}, nil, nil),
@@ -216,6 +220,8 @@ func TestRemount(t *testing.T) {
 }
 
 func TestRemountWithFlags(t *testing.T) {
+	t.Parallel()
+
 	checkSimple(t, "remountWithFlags", []simpleTestCase{
 		{"noop unmatched", func(k *kstub) error {
 			return remountWithFlags(k, k, &vfs.MountInfoNode{MountInfoEntry: &vfs.MountInfoEntry{VfsOptstr: "rw,relatime,cat"}}, 0)
@@ -236,6 +242,8 @@ func TestRemountWithFlags(t *testing.T) {
 }
 
 func TestMountTmpfs(t *testing.T) {
+	t.Parallel()
+
 	checkSimple(t, "mountTmpfs", []simpleTestCase{
 		{"mkdirAll", func(k *kstub) error {
 			return mountTmpfs(k, "ephemeral", "/sysroot/run/user/1000", 0, 1<<10, 0700)
@@ -260,6 +268,8 @@ func TestMountTmpfs(t *testing.T) {
 }
 
 func TestParentPerm(t *testing.T) {
+	t.Parallel()
+
 	testCases := []struct {
 		perm os.FileMode
 		want os.FileMode
@@ -275,6 +285,7 @@ func TestParentPerm(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.perm.String(), func(t *testing.T) {
+			t.Parallel()
 			if got := parentPerm(tc.perm); got != tc.want {
 				t.Errorf("parentPerm: %#o, want %#o", got, tc.want)
 			}

container/params.go

@@ -9,13 +9,13 @@ import (
 )
 
 // Setup appends the read end of a pipe for setup params transmission and returns its fd.
-func Setup(extraFiles *[]*os.File) (int, *gob.Encoder, error) {
+func Setup(extraFiles *[]*os.File) (int, *os.File, error) {
 	if r, w, err := os.Pipe(); err != nil {
 		return -1, nil, err
 	} else {
 		fd := 3 + len(*extraFiles)
 		*extraFiles = append(*extraFiles, r)
-		return fd, gob.NewEncoder(w), nil
+		return fd, w, nil
 	}
 }
 
@@ -31,7 +31,7 @@ func Receive(key string, e any, fdp *uintptr) (func() error, error) {
 		return nil, ErrReceiveEnv
 	} else {
 		if fd, err := strconv.Atoi(s); err != nil {
-			return nil, errors.Unwrap(err)
+			return nil, optionalErrorUnwrap(err)
 		} else {
 			setup = os.NewFile(uintptr(fd), "setup")
 			if setup == nil {

container/params_test.go

@@ -1,6 +1,7 @@
 package container_test
 
 import (
+	"encoding/gob"
 	"errors"
 	"os"
 	"slices"
@@ -55,16 +56,20 @@ func TestSetupReceive(t *testing.T) {
 	t.Run("setup receive", func(t *testing.T) {
 		check := func(t *testing.T, useNilFdp bool) {
 			const key = "TEST_SETUP_RECEIVE"
-			payload := []int{syscall.MS_MGC_VAL, syscall.MS_MGC_MSK, syscall.MS_ASYNC, syscall.MS_ACTIVE}
+			payload := []uint64{syscall.MS_MGC_VAL, syscall.MS_MGC_MSK, syscall.MS_ASYNC, syscall.MS_ACTIVE}
 
 			encoderDone := make(chan error, 1)
 			extraFiles := make([]*os.File, 0, 1)
-			if fd, encoder, err := container.Setup(&extraFiles); err != nil {
+			deadline, _ := t.Deadline()
+			if fd, f, err := container.Setup(&extraFiles); err != nil {
 				t.Fatalf("Setup: error = %v", err)
 			} else if fd != 3 {
 				t.Fatalf("Setup: fd = %d, want 3", fd)
 			} else {
-				go func() { encoderDone <- encoder.Encode(payload) }()
+				if err = f.SetDeadline(deadline); err != nil {
+					t.Fatal(err.Error())
+				}
+				go func() { encoderDone <- gob.NewEncoder(f).Encode(payload) }()
 			}
 
 			if len(extraFiles) != 1 {
@@ -81,7 +86,7 @@ func TestSetupReceive(t *testing.T) {
 			}
 
 			var (
-				gotPayload []int
+				gotPayload []uint64
 				fdp        *uintptr
 			)
 			if !useNilFdp {

container/path_test.go

@@ -173,8 +173,8 @@ func TestProcPaths(t *testing.T) {
 			}
 		})
 		t.Run("fd", func(t *testing.T) {
-			want := "/host/proc/self/fd/9223372036854775807"
+			want := "/host/proc/self/fd/2147483647"
-			if got := hostProc.fd(math.MaxInt64); got != want {
+			if got := hostProc.fd(math.MaxInt32); got != want {
 				t.Errorf("stdout: %q, want %q", got, want)
 			}
 		})

container/seccomp/libseccomp-helper.c

@@ -9,14 +9,16 @@
 
 #define LEN(arr) (sizeof(arr) / sizeof((arr)[0]))
 
-int32_t hakurei_export_filter(int *ret_p, int fd, uint32_t arch,
+int32_t hakurei_scmp_make_filter(int *ret_p, uintptr_t allocate_p,
-                              uint32_t multiarch,
+                                 uint32_t arch, uint32_t multiarch,
-                              struct hakurei_syscall_rule *rules,
+                                 struct hakurei_syscall_rule *rules,
-                              size_t rules_sz, hakurei_export_flag flags) {
+                                 size_t rules_sz, hakurei_export_flag flags) {
   int i;
   int last_allowed_family;
   int disallowed;
   struct hakurei_syscall_rule *rule;
+  void *buf;
+  size_t len = 0;
 
   int32_t res = 0; /* refer to resPrefix for message */
 
@@ -108,14 +110,26 @@ int32_t hakurei_export_filter(int *ret_p, int fd, uint32_t arch,
   seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
                          SCMP_A0(SCMP_CMP_GE, last_allowed_family + 1));
 
-  if (fd < 0) {
+  if (allocate_p == 0) {
     *ret_p = seccomp_load(ctx);
     if (*ret_p != 0) {
       res = 7;
       goto out;
     }
   } else {
-    *ret_p = seccomp_export_bpf(ctx, fd);
+    *ret_p = seccomp_export_bpf_mem(ctx, NULL, &len);
+    if (*ret_p != 0) {
+      res = 6;
+      goto out;
+    }
+
+    buf = hakurei_scmp_allocate(allocate_p, len);
+    if (buf == NULL) {
+      res = 4;
+      goto out;
+    }
+
+    *ret_p = seccomp_export_bpf_mem(ctx, buf, &len);
     if (*ret_p != 0) {
       res = 6;
       goto out;

container/seccomp/libseccomp-helper.h

@@ -18,7 +18,8 @@ struct hakurei_syscall_rule {
   struct scmp_arg_cmp *arg;
 };
 
-int32_t hakurei_export_filter(int *ret_p, int fd, uint32_t arch,
+extern void *hakurei_scmp_allocate(uintptr_t f, size_t len);
-                              uint32_t multiarch,
+int32_t hakurei_scmp_make_filter(int *ret_p, uintptr_t allocate_p,
-                              struct hakurei_syscall_rule *rules,
+                                 uint32_t arch, uint32_t multiarch,
-                              size_t rules_sz, hakurei_export_flag flags);
+                                 struct hakurei_syscall_rule *rules,
+                                 size_t rules_sz, hakurei_export_flag flags);

container/seccomp/libseccomp.go

@@ -3,7 +3,7 @@ package seccomp
 /*
 #cgo linux pkg-config: --static libseccomp
 
-#include <libseccomp-helper.h>
+#include "libseccomp-helper.h"
 #include <sys/personality.h>
 */
 import "C"
@@ -11,24 +11,24 @@ import (
 	"errors"
 	"fmt"
 	"runtime"
+	"runtime/cgo"
 	"syscall"
 	"unsafe"
+
+	"hakurei.app/container/std"
 )
 
-const (
+// ErrInvalidRules is returned for a zero-length rules slice.
-	PER_LINUX   = C.PER_LINUX
+var ErrInvalidRules = errors.New("invalid native rules slice")
-	PER_LINUX32 = C.PER_LINUX32
-)
-
-var (
-	ErrInvalidRules = errors.New("invalid native rules slice")
-)
 
 // LibraryError represents a libseccomp error.
 type LibraryError struct {
-	Prefix  string
+	// User facing description of the libseccomp function returning the error.
+	Prefix string
+	// Negated errno value returned by libseccomp.
 	Seccomp syscall.Errno
-	Errno   error
+	// Global errno value on return.
+	Errno error
 }
 
 func (e *LibraryError) Error() string {
@@ -56,20 +56,16 @@ func (e *LibraryError) Is(err error) bool {
 }
 
 type (
-	ScmpSyscall = C.int
+	// scmpUint is equivalent to [std.ScmpUint].
-	ScmpErrno   = C.int
+	scmpUint = C.uint
+	// scmpInt is equivalent to [std.ScmpInt].
+	scmpInt = C.int
+
+	// syscallRule is equivalent to [std.NativeRule].
+	syscallRule = C.struct_hakurei_syscall_rule
 )
 
-// A NativeRule specifies an arch-specific action taken by seccomp under certain conditions.
+// ExportFlag configures filter behaviour that are not implemented as rules.
-type NativeRule struct {
-	// Syscall is the arch-dependent syscall number to act against.
-	Syscall ScmpSyscall
-	// Errno is the errno value to return when the condition is satisfied.
-	Errno ScmpErrno
-	// Arg is the optional struct scmp_arg_cmp passed to libseccomp.
-	Arg *ScmpArgCmp
-}
-
 type ExportFlag = C.hakurei_export_flag
 
 const (
@@ -88,12 +84,23 @@ var resPrefix = [...]string{
 	3: "seccomp_arch_add failed (multiarch)",
 	4: "internal libseccomp failure",
 	5: "seccomp_rule_add failed",
-	6: "seccomp_export_bpf failed",
+	6: "seccomp_export_bpf_mem failed",
 	7: "seccomp_load failed",
 }
 
-// Export streams filter contents to fd, or installs it to the current process if fd < 0.
+// cbAllocateBuffer is the function signature for the function handle passed to hakurei_export_filter
-func Export(fd int, rules []NativeRule, flags ExportFlag) error {
+// which allocates the buffer that the resulting bpf program is copied into, and writes its slice header
+// to a value held by the caller.
+type cbAllocateBuffer = func(len C.size_t) (buf unsafe.Pointer)
+
+//export hakurei_scmp_allocate
+func hakurei_scmp_allocate(f C.uintptr_t, len C.size_t) (buf unsafe.Pointer) {
+	return cgo.Handle(f).Value().(cbAllocateBuffer)(len)
+}
+
+// makeFilter generates a bpf program from a slice of [std.NativeRule] and writes the resulting byte slice to p.
+// The filter is installed to the current process if p is nil.
+func makeFilter(rules []std.NativeRule, flags ExportFlag, p *[]byte) error {
 	if len(rules) == 0 {
 		return ErrInvalidRules
 	}
@@ -117,36 +124,66 @@ func Export(fd int, rules []NativeRule, flags ExportFlag) error {
 
 	var ret C.int
 
-	rulesPinner := new(runtime.Pinner)
+	var scmpPinner runtime.Pinner
 	for i := range rules {
 		rule := &rules[i]
-		rulesPinner.Pin(rule)
+		scmpPinner.Pin(rule)
 		if rule.Arg != nil {
-			rulesPinner.Pin(rule.Arg)
+			scmpPinner.Pin(rule.Arg)
 		}
 	}
-	res, err := C.hakurei_export_filter(
+
-		&ret, C.int(fd),
+	var allocateP cgo.Handle
+	if p != nil {
+		allocateP = cgo.NewHandle(func(len C.size_t) (buf unsafe.Pointer) {
+			// this is so the slice header gets a Go pointer
+			*p = make([]byte, len)
+
+			buf = unsafe.Pointer(unsafe.SliceData(*p))
+			scmpPinner.Pin(buf)
+			return
+		})
+	}
+
+	res, err := C.hakurei_scmp_make_filter(
+		&ret, C.uintptr_t(allocateP),
 		arch, multiarch,
-		(*C.struct_hakurei_syscall_rule)(unsafe.Pointer(&rules[0])),
+		(*syscallRule)(unsafe.Pointer(&rules[0])),
 		C.size_t(len(rules)),
 		flags,
 	)
-	rulesPinner.Unpin()
+	scmpPinner.Unpin()
+	if p != nil {
+		allocateP.Delete()
+	}
 
 	if prefix := resPrefix[res]; prefix != "" {
-		return &LibraryError{
+		return &LibraryError{prefix, syscall.Errno(-ret), err}
-			prefix,
-			-syscall.Errno(ret),
-			err,
-		}
 	}
 	return err
 }
 
-// ScmpCompare is the equivalent of scmp_compare;
+// Export generates a bpf program from a slice of [std.NativeRule].
-// Comparison operators
+// Errors returned by libseccomp is wrapped in [LibraryError].
-type ScmpCompare = C.enum_scmp_compare
+func Export(rules []std.NativeRule, flags ExportFlag) (data []byte, err error) {
+	err = makeFilter(rules, flags, &data)
+	return
+}
+
+// Load generates a bpf program from a slice of [std.NativeRule] and enforces it on the current process.
+// Errors returned by libseccomp is wrapped in [LibraryError].
+func Load(rules []std.NativeRule, flags ExportFlag) error { return makeFilter(rules, flags, nil) }
+
+type (
+	// Comparison operators.
+	scmpCompare = C.enum_scmp_compare
+
+	// Argument datum.
+	scmpDatum = C.scmp_datum_t
+
+	// Argument / Value comparison definition.
+	scmpArgCmp = C.struct_scmp_arg_cmp
+)
 
 const (
 	_SCMP_CMP_MIN = C._SCMP_CMP_MIN
@@ -169,26 +206,19 @@ const (
 	_SCMP_CMP_MAX = C._SCMP_CMP_MAX
 )
 
-// ScmpDatum is the equivalent of scmp_datum_t;
+const (
-// Argument datum
+	// PersonaLinux is passed in a [std.ScmpDatum] for filtering calls to syscall.SYS_PERSONALITY.
-type ScmpDatum uint64
+	PersonaLinux = C.PER_LINUX
+	// PersonaLinux32 is passed in a [std.ScmpDatum] for filtering calls to syscall.SYS_PERSONALITY.
+	PersonaLinux32 = C.PER_LINUX32
+)
 
-// ScmpArgCmp is the equivalent of struct scmp_arg_cmp;
+// syscallResolveName resolves a syscall number by name via seccomp_syscall_resolve_name.
-// Argument / Value comparison definition
+// This function is only for testing the lookup tables and included here for convenience.
-type ScmpArgCmp struct {
+func syscallResolveName(s string) (num std.ScmpSyscall, ok bool) {
-	// argument number, starting at 0
-	Arg C.uint
-	// the comparison op, e.g. SCMP_CMP_*
-	Op ScmpCompare
-
-	DatumA, DatumB ScmpDatum
-}
-
-// only used for testing
-func syscallResolveName(s string) (trap int) {
 	v := C.CString(s)
-	trap = int(C.seccomp_syscall_resolve_name(v))
+	num = std.ScmpSyscall(C.seccomp_syscall_resolve_name(v))
 	C.free(unsafe.Pointer(v))
-
+	ok = num != C.__NR_SCMP_ERROR
 	return
 }

container/seccomp/libseccomp_test.go

@@ -3,16 +3,77 @@ package seccomp_test
 import (
 	"crypto/sha512"
 	"errors"
-	"io"
-	"slices"
 	"syscall"
 	"testing"
 
-	. "hakurei.app/container/bits"
 	. "hakurei.app/container/seccomp"
+	. "hakurei.app/container/std"
 )
 
+func TestLibraryError(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name    string
+		sample  *LibraryError
+		want    string
+		wantIs  bool
+		compare error
+	}{
+		{
+			"full",
+			&LibraryError{Prefix: "seccomp_export_bpf failed", Seccomp: syscall.ECANCELED, Errno: syscall.EBADF},
+			"seccomp_export_bpf failed: operation canceled (bad file descriptor)",
+			true,
+			&LibraryError{Prefix: "seccomp_export_bpf failed", Seccomp: syscall.ECANCELED, Errno: syscall.EBADF},
+		},
+		{
+			"errno only",
+			&LibraryError{Prefix: "seccomp_init failed", Errno: syscall.ENOMEM},
+			"seccomp_init failed: cannot allocate memory",
+			false,
+			nil,
+		},
+		{
+			"seccomp only",
+			&LibraryError{Prefix: "internal libseccomp failure", Seccomp: syscall.EFAULT},
+			"internal libseccomp failure: bad address",
+			true,
+			syscall.EFAULT,
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			if errors.Is(tc.sample, tc.compare) != tc.wantIs {
+				t.Errorf("errors.Is(%#v, %#v) did not return %v",
+					tc.sample, tc.compare, tc.wantIs)
+			}
+
+			if got := tc.sample.Error(); got != tc.want {
+				t.Errorf("Error: %q, want %q",
+					got, tc.want)
+			}
+		})
+	}
+
+	t.Run("invalid", func(t *testing.T) {
+		t.Parallel()
+
+		wantPanic := "invalid libseccomp error"
+		defer func() {
+			if r := recover(); r != wantPanic {
+				t.Errorf("panic: %q, want %q", r, wantPanic)
+			}
+		}()
+		_ = new(LibraryError).Error()
+	})
+}
+
 func TestExport(t *testing.T) {
+	t.Parallel()
+
 	testCases := []struct {
 		name    string
 		flags   ExportFlag
@@ -32,64 +93,38 @@ func TestExport(t *testing.T) {
 		{"hakurei tty", 0, PresetExt | PresetDenyNS | PresetDenyDevel, false},
 	}
 
-	buf := make([]byte, 8)
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			e := New(Preset(tc.presets, tc.flags), tc.flags)
+			t.Parallel()
-			want := bpfExpected[bpfPreset{tc.flags, tc.presets}]
-			digest := sha512.New()
 
-			if _, err := io.CopyBuffer(digest, e, buf); (err != nil) != tc.wantErr {
+			want := bpfExpected[bpfPreset{tc.flags, tc.presets}]
-				t.Errorf("Exporter: error = %v, wantErr %v", err, tc.wantErr)
+			if data, err := Export(Preset(tc.presets, tc.flags), tc.flags); (err != nil) != tc.wantErr {
+				t.Errorf("Export: error = %v, wantErr %v", err, tc.wantErr)
 				return
-			}
+			} else if got := sha512.Sum512(data); got != want {
-			if err := e.Close(); err != nil {
+				t.Fatalf("Export: hash = %x, want %x", got, want)
-				t.Errorf("Close: error = %v", err)
-			}
-			if got := digest.Sum(nil); !slices.Equal(got, want) {
-				t.Fatalf("Export() hash = %x, want %x",
-					got, want)
 				return
 			}
 		})
 	}
-
-	t.Run("close without use", func(t *testing.T) {
-		e := New(Preset(0, 0), 0)
-		if err := e.Close(); !errors.Is(err, syscall.EINVAL) {
-			t.Errorf("Close: error = %v", err)
-			return
-		}
-	})
-
-	t.Run("close partial read", func(t *testing.T) {
-		e := New(Preset(0, 0), 0)
-		if _, err := e.Read(nil); err != nil {
-			t.Errorf("Read: error = %v", err)
-			return
-		}
-		// the underlying implementation uses buffered io, so the outcome of this is nondeterministic;
-		// that is not harmful however, so both outcomes are checked for here
-		if err := e.Close(); err != nil &&
-			(!errors.Is(err, syscall.ECANCELED) || !errors.Is(err, syscall.EBADF)) {
-			t.Errorf("Close: error = %v", err)
-			return
-		}
-	})
 }
 
 func BenchmarkExport(b *testing.B) {
-	buf := make([]byte, 8)
+	const exportFlags = AllowMultiarch | AllowCAN | AllowBluetooth
+	const presetFlags = PresetExt | PresetDenyNS | PresetDenyTTY | PresetDenyDevel | PresetLinux32
+	var want = bpfExpected[bpfPreset{exportFlags, presetFlags}]
+
 	for b.Loop() {
-		e := New(
+		data, err := Export(Preset(presetFlags, exportFlags), exportFlags)
-			Preset(PresetExt|PresetDenyNS|PresetDenyTTY|PresetDenyDevel|PresetLinux32,
+
-				AllowMultiarch|AllowCAN|AllowBluetooth),
+		b.StopTimer()
-			AllowMultiarch|AllowCAN|AllowBluetooth)
+		if err != nil {
-		if _, err := io.CopyBuffer(io.Discard, e, buf); err != nil {
+			b.Fatalf("Export: error = %v", err)
-			b.Fatalf("cannot export: %v", err)
 		}
-		if err := e.Close(); err != nil {
+		if got := sha512.Sum512(data); got != want {
-			b.Fatalf("cannot close exporter: %v", err)
+			b.Fatalf("Export: hash = %x, want %x", got, want)
+			return
 		}
+		b.StartTimer()
 	}
 }

container/seccomp/presets.go

@@ -5,32 +5,32 @@ package seccomp
 import (
 	. "syscall"
 
-	"hakurei.app/container/bits"
+	. "hakurei.app/container/std"
 )
 
-func Preset(presets bits.FilterPreset, flags ExportFlag) (rules []NativeRule) {
+func Preset(presets FilterPreset, flags ExportFlag) (rules []NativeRule) {
-	allowedPersonality := PER_LINUX
+	allowedPersonality := PersonaLinux
-	if presets&bits.PresetLinux32 != 0 {
+	if presets&PresetLinux32 != 0 {
-		allowedPersonality = PER_LINUX32
+		allowedPersonality = PersonaLinux32
 	}
 	presetDevelFinal := presetDevel(ScmpDatum(allowedPersonality))
 
 	l := len(presetCommon)
-	if presets&bits.PresetDenyNS != 0 {
+	if presets&PresetDenyNS != 0 {
 		l += len(presetNamespace)
 	}
-	if presets&bits.PresetDenyTTY != 0 {
+	if presets&PresetDenyTTY != 0 {
 		l += len(presetTTY)
 	}
-	if presets&bits.PresetDenyDevel != 0 {
+	if presets&PresetDenyDevel != 0 {
 		l += len(presetDevelFinal)
 	}
 	if flags&AllowMultiarch == 0 {
 		l += len(presetEmu)
 	}
-	if presets&bits.PresetExt != 0 {
+	if presets&PresetExt != 0 {
 		l += len(presetCommonExt)
-		if presets&bits.PresetDenyNS != 0 {
+		if presets&PresetDenyNS != 0 {
 			l += len(presetNamespaceExt)
 		}
 		if flags&AllowMultiarch == 0 {
@@ -40,21 +40,21 @@ func Preset(presets bits.FilterPreset, flags ExportFlag) (rules []NativeRule) {
 
 	rules = make([]NativeRule, 0, l)
 	rules = append(rules, presetCommon...)
-	if presets&bits.PresetDenyNS != 0 {
+	if presets&PresetDenyNS != 0 {
 		rules = append(rules, presetNamespace...)
 	}
-	if presets&bits.PresetDenyTTY != 0 {
+	if presets&PresetDenyTTY != 0 {
 		rules = append(rules, presetTTY...)
 	}
-	if presets&bits.PresetDenyDevel != 0 {
+	if presets&PresetDenyDevel != 0 {
 		rules = append(rules, presetDevelFinal...)
 	}
 	if flags&AllowMultiarch == 0 {
 		rules = append(rules, presetEmu...)
 	}
-	if presets&bits.PresetExt != 0 {
+	if presets&PresetExt != 0 {
 		rules = append(rules, presetCommonExt...)
-		if presets&bits.PresetDenyNS != 0 {
+		if presets&PresetDenyNS != 0 {
 			rules = append(rules, presetNamespaceExt...)
 		}
 		if flags&AllowMultiarch == 0 {
@@ -68,121 +68,121 @@ func Preset(presets bits.FilterPreset, flags ExportFlag) (rules []NativeRule) {
 var (
 	presetCommon = []NativeRule{
 		/* Block dmesg */
-		{ScmpSyscall(SYS_SYSLOG), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_SYSLOG, Errno: ScmpErrno(EPERM), Arg: nil},
 		/* Useless old syscall */
-		{ScmpSyscall(SYS_USELIB), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_USELIB, Errno: ScmpErrno(EPERM), Arg: nil},
 		/* Don't allow disabling accounting */
-		{ScmpSyscall(SYS_ACCT), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_ACCT, Errno: ScmpErrno(EPERM), Arg: nil},
 		/* Don't allow reading current quota use */
-		{ScmpSyscall(SYS_QUOTACTL), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_QUOTACTL, Errno: ScmpErrno(EPERM), Arg: nil},
 
 		/* Don't allow access to the kernel keyring */
-		{ScmpSyscall(SYS_ADD_KEY), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_ADD_KEY, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_KEYCTL), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_KEYCTL, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_REQUEST_KEY), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_REQUEST_KEY, Errno: ScmpErrno(EPERM), Arg: nil},
 
 		/* Scary VM/NUMA ops */
-		{ScmpSyscall(SYS_MOVE_PAGES), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_MOVE_PAGES, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_MBIND), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_MBIND, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_GET_MEMPOLICY), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_GET_MEMPOLICY, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_SET_MEMPOLICY), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_SET_MEMPOLICY, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_MIGRATE_PAGES), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_MIGRATE_PAGES, Errno: ScmpErrno(EPERM), Arg: nil},
 	}
 
 	/* hakurei: project-specific extensions */
 	presetCommonExt = []NativeRule{
 		/* system calls for changing the system clock */
-		{ScmpSyscall(SYS_ADJTIMEX), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_ADJTIMEX, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_CLOCK_ADJTIME), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_CLOCK_ADJTIME, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_CLOCK_ADJTIME64), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_CLOCK_ADJTIME64, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_CLOCK_SETTIME), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_CLOCK_SETTIME, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_CLOCK_SETTIME64), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_CLOCK_SETTIME64, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_SETTIMEOFDAY), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_SETTIMEOFDAY, Errno: ScmpErrno(EPERM), Arg: nil},
 
 		/* loading and unloading of kernel modules */
-		{ScmpSyscall(SYS_DELETE_MODULE), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_DELETE_MODULE, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_FINIT_MODULE), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_FINIT_MODULE, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_INIT_MODULE), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_INIT_MODULE, Errno: ScmpErrno(EPERM), Arg: nil},
 
 		/* system calls for rebooting and reboot preparation */
-		{ScmpSyscall(SYS_KEXEC_FILE_LOAD), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_KEXEC_FILE_LOAD, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_KEXEC_LOAD), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_KEXEC_LOAD, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_REBOOT), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_REBOOT, Errno: ScmpErrno(EPERM), Arg: nil},
 
 		/* system calls for enabling/disabling swap devices */
-		{ScmpSyscall(SYS_SWAPOFF), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_SWAPOFF, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_SWAPON), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_SWAPON, Errno: ScmpErrno(EPERM), Arg: nil},
 	}
 
 	presetNamespace = []NativeRule{
 		/* Don't allow subnamespace setups: */
-		{ScmpSyscall(SYS_UNSHARE), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_UNSHARE, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_SETNS), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_SETNS, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_MOUNT), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_MOUNT, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_UMOUNT), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_UMOUNT, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_UMOUNT2), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_UMOUNT2, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_PIVOT_ROOT), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_PIVOT_ROOT, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_CHROOT), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_CHROOT, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_CLONE), ScmpErrno(EPERM),
+		{Syscall: SNR_CLONE, Errno: ScmpErrno(EPERM),
-			&ScmpArgCmp{cloneArg, SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER}},
+			Arg: &ScmpArgCmp{Arg: cloneArg, Op: SCMP_CMP_MASKED_EQ, DatumA: CLONE_NEWUSER, DatumB: CLONE_NEWUSER}},
 
 		/* seccomp can't look into clone3()'s struct clone_args to check whether
 		 * the flags are OK, so we have no choice but to block clone3().
 		 * Return ENOSYS so user-space will fall back to clone().
 		 * (CVE-2021-41133; see also https://github.com/moby/moby/commit/9f6b562d)
 		 */
-		{ScmpSyscall(SYS_CLONE3), ScmpErrno(ENOSYS), nil},
+		{Syscall: SNR_CLONE3, Errno: ScmpErrno(ENOSYS), Arg: nil},
 
 		/* New mount manipulation APIs can also change our VFS. There's no
 		 * legitimate reason to do these in the sandbox, so block all of them
 		 * rather than thinking about which ones might be dangerous.
 		 * (CVE-2021-41133) */
-		{ScmpSyscall(SYS_OPEN_TREE), ScmpErrno(ENOSYS), nil},
+		{Syscall: SNR_OPEN_TREE, Errno: ScmpErrno(ENOSYS), Arg: nil},
-		{ScmpSyscall(SYS_MOVE_MOUNT), ScmpErrno(ENOSYS), nil},
+		{Syscall: SNR_MOVE_MOUNT, Errno: ScmpErrno(ENOSYS), Arg: nil},
-		{ScmpSyscall(SYS_FSOPEN), ScmpErrno(ENOSYS), nil},
+		{Syscall: SNR_FSOPEN, Errno: ScmpErrno(ENOSYS), Arg: nil},
-		{ScmpSyscall(SYS_FSCONFIG), ScmpErrno(ENOSYS), nil},
+		{Syscall: SNR_FSCONFIG, Errno: ScmpErrno(ENOSYS), Arg: nil},
-		{ScmpSyscall(SYS_FSMOUNT), ScmpErrno(ENOSYS), nil},
+		{Syscall: SNR_FSMOUNT, Errno: ScmpErrno(ENOSYS), Arg: nil},
-		{ScmpSyscall(SYS_FSPICK), ScmpErrno(ENOSYS), nil},
+		{Syscall: SNR_FSPICK, Errno: ScmpErrno(ENOSYS), Arg: nil},
-		{ScmpSyscall(SYS_MOUNT_SETATTR), ScmpErrno(ENOSYS), nil},
+		{Syscall: SNR_MOUNT_SETATTR, Errno: ScmpErrno(ENOSYS), Arg: nil},
 	}
 
 	/* hakurei: project-specific extensions */
 	presetNamespaceExt = []NativeRule{
 		/* changing file ownership */
-		{ScmpSyscall(SYS_CHOWN), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_CHOWN, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_CHOWN32), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_CHOWN32, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_FCHOWN), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_FCHOWN, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_FCHOWN32), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_FCHOWN32, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_FCHOWNAT), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_FCHOWNAT, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_LCHOWN), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_LCHOWN, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_LCHOWN32), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_LCHOWN32, Errno: ScmpErrno(EPERM), Arg: nil},
 
 		/* system calls for changing user ID and group ID credentials */
-		{ScmpSyscall(SYS_SETGID), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_SETGID, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_SETGID32), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_SETGID32, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_SETGROUPS), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_SETGROUPS, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_SETGROUPS32), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_SETGROUPS32, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_SETREGID), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_SETREGID, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_SETREGID32), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_SETREGID32, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_SETRESGID), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_SETRESGID, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_SETRESGID32), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_SETRESGID32, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_SETRESUID), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_SETRESUID, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_SETRESUID32), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_SETRESUID32, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_SETREUID), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_SETREUID, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_SETREUID32), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_SETREUID32, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_SETUID), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_SETUID, Errno: ScmpErrno(EPERM), Arg: nil},
-		{ScmpSyscall(SYS_SETUID32), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_SETUID32, Errno: ScmpErrno(EPERM), Arg: nil},
 	}
 
 	presetTTY = []NativeRule{
 		/* Don't allow faking input to the controlling tty (CVE-2017-5226) */
-		{ScmpSyscall(SYS_IOCTL), ScmpErrno(EPERM),
+		{Syscall: SNR_IOCTL, Errno: ScmpErrno(EPERM),
-			&ScmpArgCmp{1, SCMP_CMP_MASKED_EQ, 0xFFFFFFFF, TIOCSTI}},
+			Arg: &ScmpArgCmp{Arg: 1, Op: SCMP_CMP_MASKED_EQ, DatumA: 0xFFFFFFFF, DatumB: TIOCSTI}},
 		/* In the unlikely event that the controlling tty is a Linux virtual
 		 * console (/dev/tty2 or similar), copy/paste operations have an effect
 		 * similar to TIOCSTI (CVE-2023-28100) */
-		{ScmpSyscall(SYS_IOCTL), ScmpErrno(EPERM),
+		{Syscall: SNR_IOCTL, Errno: ScmpErrno(EPERM),
-			&ScmpArgCmp{1, SCMP_CMP_MASKED_EQ, 0xFFFFFFFF, TIOCLINUX}},
+			Arg: &ScmpArgCmp{Arg: 1, Op: SCMP_CMP_MASKED_EQ, DatumA: 0xFFFFFFFF, DatumB: TIOCLINUX}},
 	}
 
 	presetEmu = []NativeRule{
@@ -190,15 +190,15 @@ var (
 		 * so it's disabled as a hardening measure.
 		 * However, it is required to run old 16-bit applications
 		 * as well as some Wine patches, so it's allowed in multiarch. */
-		{ScmpSyscall(SYS_MODIFY_LDT), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_MODIFY_LDT, Errno: ScmpErrno(EPERM), Arg: nil},
 	}
 
 	/* hakurei: project-specific extensions */
 	presetEmuExt = []NativeRule{
-		{ScmpSyscall(SYS_SUBPAGE_PROT), ScmpErrno(ENOSYS), nil},
+		{Syscall: SNR_SUBPAGE_PROT, Errno: ScmpErrno(ENOSYS), Arg: nil},
-		{ScmpSyscall(SYS_SWITCH_ENDIAN), ScmpErrno(ENOSYS), nil},
+		{Syscall: SNR_SWITCH_ENDIAN, Errno: ScmpErrno(ENOSYS), Arg: nil},
-		{ScmpSyscall(SYS_VM86), ScmpErrno(ENOSYS), nil},
+		{Syscall: SNR_VM86, Errno: ScmpErrno(ENOSYS), Arg: nil},
-		{ScmpSyscall(SYS_VM86OLD), ScmpErrno(ENOSYS), nil},
+		{Syscall: SNR_VM86OLD, Errno: ScmpErrno(ENOSYS), Arg: nil},
 	}
 )
 
@@ -206,11 +206,11 @@ func presetDevel(allowedPersonality ScmpDatum) []NativeRule {
 	return []NativeRule{
 		/* Profiling operations; we expect these to be done by tools from outside
 		 * the sandbox.  In particular perf has been the source of many CVEs. */
-		{ScmpSyscall(SYS_PERF_EVENT_OPEN), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_PERF_EVENT_OPEN, Errno: ScmpErrno(EPERM), Arg: nil},
 		/* Don't allow you to switch to bsd emulation or whatnot */
-		{ScmpSyscall(SYS_PERSONALITY), ScmpErrno(EPERM),
+		{Syscall: SNR_PERSONALITY, Errno: ScmpErrno(EPERM),
-			&ScmpArgCmp{0, SCMP_CMP_NE, allowedPersonality, 0}},
+			Arg: &ScmpArgCmp{Arg: 0, Op: SCMP_CMP_NE, DatumA: allowedPersonality}},
 
-		{ScmpSyscall(SYS_PTRACE), ScmpErrno(EPERM), nil},
+		{Syscall: SNR_PTRACE, Errno: ScmpErrno(EPERM), Arg: nil},
 	}
 }

container/seccomp/presets_386_test.go

@@ -0,0 +1,27 @@
+package seccomp_test
+
+import (
+	. "hakurei.app/container/seccomp"
+	. "hakurei.app/container/std"
+)
+
+var bpfExpected = bpfLookup{
+	{AllowMultiarch | AllowCAN |
+		AllowBluetooth, PresetExt |
+		PresetDenyNS | PresetDenyTTY | PresetDenyDevel |
+		PresetLinux32}: toHash(
+		"e67735d24caba42b6801e829ea4393727a36c5e37b8a51e5648e7886047e8454484ff06872aaef810799c29cbd0c1b361f423ad0ef518e33f68436372cc90eb1"),
+
+	{0, 0}: toHash(
+		"5dbcc08a4a1ccd8c12dd0cf6d9817ea6d4f40246e1db7a60e71a50111c4897d69f6fb6d710382d70c18910c2e4fa2d2aeb2daed835dd2fabe3f71def628ade59"),
+	{0, PresetExt}: toHash(
+		"d6c0f130dbb5c793d1c10f730455701875778138bd2d03ca009d674842fd97a10815a8c539b76b7801a73de19463938701216b756c053ec91cfe304cba04a0ed"),
+	{0, PresetStrict}: toHash(
+		"af7d7b66f2e83f9a850472170c1b83d1371426faa9d0dee4e85b179d3ec75ca92828cb8529eb3012b559497494b2eab4d4b140605e3a26c70dfdbe5efe33c105"),
+	{0, PresetDenyNS | PresetDenyTTY | PresetDenyDevel}: toHash(
+		"adfb4397e6eeae8c477d315d58204aae854d60071687b8df4c758e297780e02deee1af48328cef80e16e4d6ab1a66ef13e42247c3475cf447923f15cbc17a6a6"),
+	{0, PresetExt | PresetDenyDevel}: toHash(
+		"5d641321460cf54a7036a40a08e845082e1f6d65b9dee75db85ef179f2732f321b16aee2258b74273b04e0d24562e8b1e727930a7e787f41eb5c8aaa0bc22793"),
+	{0, PresetExt | PresetDenyNS | PresetDenyDevel}: toHash(
+		"b1f802d39de5897b1e4cb0e82a199f53df0a803ea88e2fd19491fb8c90387c9e2eaa7e323f565fecaa0202a579eb050531f22e6748e04cfd935b8faac35983ec"),
+}

container/seccomp/presets_amd64_test.go

@@ -1,8 +1,8 @@
 package seccomp_test
 
 import (
-	. "hakurei.app/container/bits"
 	. "hakurei.app/container/seccomp"
+	. "hakurei.app/container/std"
 )
 
 var bpfExpected = bpfLookup{

container/seccomp/presets_arm64_test.go

@@ -1,8 +1,8 @@
 package seccomp_test
 
 import (
-	. "hakurei.app/container/bits"
 	. "hakurei.app/container/seccomp"
+	. "hakurei.app/container/std"
 )
 
 var bpfExpected = bpfLookup{

container/seccomp/presets_test.go

@@ -1,29 +1,30 @@
 package seccomp_test
 
 import (
+	"crypto/sha512"
 	"encoding/hex"
 
-	"hakurei.app/container/bits"
 	"hakurei.app/container/seccomp"
+	"hakurei.app/container/std"
 )
 
 type (
 	bpfPreset = struct {
 		seccomp.ExportFlag
-		bits.FilterPreset
+		std.FilterPreset
 	}
-	bpfLookup map[bpfPreset][]byte
+	bpfLookup map[bpfPreset][sha512.Size]byte
 )
 
-func toHash(s string) []byte {
+func toHash(s string) [sha512.Size]byte {
-	if len(s) != 128 {
+	if len(s) != sha512.Size*2 {
 		panic("bad sha512 string length")
 	}
 	if v, err := hex.DecodeString(s); err != nil {
 		panic(err.Error())
-	} else if len(v) != 64 {
+	} else if len(v) != sha512.Size {
 		panic("unreachable")
 	} else {
-		return v
+		return ([sha512.Size]byte)(v)
 	}
 }

container/seccomp/proc.go

@@ -1,74 +0,0 @@
-package seccomp
-
-import (
-	"context"
-	"errors"
-	"syscall"
-
-	"hakurei.app/helper/proc"
-)
-
-// New returns an inactive Encoder instance.
-func New(rules []NativeRule, flags ExportFlag) *Encoder { return &Encoder{newExporter(rules, flags)} }
-
-// Load loads a filter into the kernel.
-func Load(rules []NativeRule, flags ExportFlag) error { return Export(-1, rules, flags) }
-
-/*
-An Encoder writes a BPF program to an output stream.
-
-Methods of Encoder are not safe for concurrent use.
-
-An Encoder must not be copied after first use.
-*/
-type Encoder struct {
-	*exporter
-}
-
-func (e *Encoder) Read(p []byte) (n int, err error) {
-	if err = e.prepare(); err != nil {
-		return
-	}
-	return e.r.Read(p)
-}
-
-func (e *Encoder) Close() error {
-	if e.r == nil {
-		return syscall.EINVAL
-	}
-
-	// this hangs if the cgo thread fails to exit
-	return errors.Join(e.closeWrite(), <-e.exportErr)
-}
-
-// NewFile returns an instance of exporter implementing [proc.File].
-func NewFile(rules []NativeRule, flags ExportFlag) proc.File {
-	return &File{rules: rules, flags: flags}
-}
-
-// File implements [proc.File] and provides access to the read end of exporter pipe.
-type File struct {
-	rules []NativeRule
-	flags ExportFlag
-	proc.BaseFile
-}
-
-func (f *File) ErrCount() int { return 2 }
-func (f *File) Fulfill(ctx context.Context, dispatchErr func(error)) error {
-	e := newExporter(f.rules, f.flags)
-	if err := e.prepare(); err != nil {
-		return err
-	}
-	f.Set(e.r)
-	go func() {
-		select {
-		case err := <-e.exportErr:
-			dispatchErr(nil)
-			dispatchErr(err)
-		case <-ctx.Done():
-			dispatchErr(e.closeWrite())
-			dispatchErr(<-e.exportErr)
-		}
-	}()
-	return nil
-}

container/seccomp/seccomp.go

@@ -1,60 +0,0 @@
-// Package seccomp provides high level wrappers around libseccomp.
-package seccomp
-
-import (
-	"os"
-	"runtime"
-	"sync"
-)
-
-type exporter struct {
-	rules []NativeRule
-	flags ExportFlag
-	r, w  *os.File
-
-	prepareOnce sync.Once
-	prepareErr  error
-	closeOnce   sync.Once
-	closeErr    error
-	exportErr   <-chan error
-}
-
-func (e *exporter) prepare() error {
-	e.prepareOnce.Do(func() {
-		if r, w, err := os.Pipe(); err != nil {
-			e.prepareErr = err
-			return
-		} else {
-			e.r, e.w = r, w
-		}
-
-		ec := make(chan error, 1)
-		go func(fd uintptr) {
-			ec <- Export(int(fd), e.rules, e.flags)
-			close(ec)
-			_ = e.closeWrite()
-			runtime.KeepAlive(e.w)
-		}(e.w.Fd())
-		e.exportErr = ec
-		runtime.SetFinalizer(e, (*exporter).closeWrite)
-	})
-	return e.prepareErr
-}
-
-func (e *exporter) closeWrite() error {
-	e.closeOnce.Do(func() {
-		if e.w == nil {
-			panic("closeWrite called on invalid exporter")
-		}
-		e.closeErr = e.w.Close()
-
-		// no need for a finalizer anymore
-		runtime.SetFinalizer(e, nil)
-	})
-
-	return e.closeErr
-}
-
-func newExporter(rules []NativeRule, flags ExportFlag) *exporter {
-	return &exporter{rules: rules, flags: flags}
-}

container/seccomp/seccomp_test.go

@@ -1,65 +0,0 @@
-package seccomp_test
-
-import (
-	"errors"
-	"runtime"
-	"syscall"
-	"testing"
-
-	"hakurei.app/container/seccomp"
-)
-
-func TestLibraryError(t *testing.T) {
-	testCases := []struct {
-		name    string
-		sample  *seccomp.LibraryError
-		want    string
-		wantIs  bool
-		compare error
-	}{
-		{
-			"full",
-			&seccomp.LibraryError{Prefix: "seccomp_export_bpf failed", Seccomp: syscall.ECANCELED, Errno: syscall.EBADF},
-			"seccomp_export_bpf failed: operation canceled (bad file descriptor)",
-			true,
-			&seccomp.LibraryError{Prefix: "seccomp_export_bpf failed", Seccomp: syscall.ECANCELED, Errno: syscall.EBADF},
-		},
-		{
-			"errno only",
-			&seccomp.LibraryError{Prefix: "seccomp_init failed", Errno: syscall.ENOMEM},
-			"seccomp_init failed: cannot allocate memory",
-			false,
-			nil,
-		},
-		{
-			"seccomp only",
-			&seccomp.LibraryError{Prefix: "internal libseccomp failure", Seccomp: syscall.EFAULT},
-			"internal libseccomp failure: bad address",
-			true,
-			syscall.EFAULT,
-		},
-	}
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			if errors.Is(tc.sample, tc.compare) != tc.wantIs {
-				t.Errorf("errors.Is(%#v, %#v) did not return %v",
-					tc.sample, tc.compare, tc.wantIs)
-			}
-
-			if got := tc.sample.Error(); got != tc.want {
-				t.Errorf("Error: %q, want %q",
-					got, tc.want)
-			}
-		})
-	}
-
-	t.Run("invalid", func(t *testing.T) {
-		wantPanic := "invalid libseccomp error"
-		defer func() {
-			if r := recover(); r != wantPanic {
-				t.Errorf("panic: %q, want %q", r, wantPanic)
-			}
-		}()
-		runtime.KeepAlive(new(seccomp.LibraryError).Error())
-	})
-}

container/seccomp/std_test.go

@@ -0,0 +1,63 @@
+package seccomp
+
+import (
+	"reflect"
+	"testing"
+	"unsafe"
+
+	"hakurei.app/container/std"
+)
+
+func TestSyscallResolveName(t *testing.T) {
+	t.Parallel()
+
+	for name, want := range std.Syscalls() {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			// this checks the std implementation against libseccomp.
+			if got, ok := syscallResolveName(name); !ok || got != want {
+				t.Errorf("syscallResolveName(%q) = %d, want %d", name, got, want)
+			}
+		})
+	}
+}
+
+func TestRuleType(t *testing.T) {
+	assertKind[std.ScmpUint, scmpUint](t)
+	assertKind[std.ScmpInt, scmpInt](t)
+
+	assertSize[std.NativeRule, syscallRule](t)
+	assertKind[std.ScmpDatum, scmpDatum](t)
+	assertKind[std.ScmpCompare, scmpCompare](t)
+	assertSize[std.ScmpArgCmp, scmpArgCmp](t)
+}
+
+// assertSize asserts that native and equivalent are of the same size.
+func assertSize[native, equivalent any](t *testing.T) {
+	t.Helper()
+
+	got, want := unsafe.Sizeof(*new(native)), unsafe.Sizeof(*new(equivalent))
+	if got != want {
+		t.Fatalf("%s: %d, want %d", reflect.TypeFor[native]().Name(), got, want)
+	}
+}
+
+// assertKind asserts that native and equivalent are of the same kind.
+func assertKind[native, equivalent any](t *testing.T) {
+	t.Helper()
+
+	assertSize[native, equivalent](t)
+	nativeType, equivalentType := reflect.TypeFor[native](), reflect.TypeFor[equivalent]()
+	got, want := nativeType.Kind(), equivalentType.Kind()
+
+	if got == reflect.Invalid || want == reflect.Invalid {
+		t.Fatalf("%s: invalid call to assertKind", nativeType.Name())
+	}
+	if got == reflect.Struct {
+		t.Fatalf("%s: struct is unsupported by assertKind", nativeType.Name())
+	}
+	if got != want {
+		t.Fatalf("%s: %s, want %s", nativeType.Name(), nativeType.Kind(), equivalentType.Kind())
+	}
+}

container/seccomp/syscall_extra_linux_amd64.go

@@ -1,48 +0,0 @@
-package seccomp
-
-/*
-#cgo linux pkg-config: --static libseccomp
-
-#include <seccomp.h>
-*/
-import "C"
-
-var syscallNumExtra = map[string]int{
-	"umount":          SYS_UMOUNT,
-	"subpage_prot":    SYS_SUBPAGE_PROT,
-	"switch_endian":   SYS_SWITCH_ENDIAN,
-	"vm86":            SYS_VM86,
-	"vm86old":         SYS_VM86OLD,
-	"clock_adjtime64": SYS_CLOCK_ADJTIME64,
-	"clock_settime64": SYS_CLOCK_SETTIME64,
-	"chown32":         SYS_CHOWN32,
-	"fchown32":        SYS_FCHOWN32,
-	"lchown32":        SYS_LCHOWN32,
-	"setgid32":        SYS_SETGID32,
-	"setgroups32":     SYS_SETGROUPS32,
-	"setregid32":      SYS_SETREGID32,
-	"setresgid32":     SYS_SETRESGID32,
-	"setresuid32":     SYS_SETRESUID32,
-	"setreuid32":      SYS_SETREUID32,
-	"setuid32":        SYS_SETUID32,
-}
-
-const (
-	SYS_UMOUNT          = C.__SNR_umount
-	SYS_SUBPAGE_PROT    = C.__SNR_subpage_prot
-	SYS_SWITCH_ENDIAN   = C.__SNR_switch_endian
-	SYS_VM86            = C.__SNR_vm86
-	SYS_VM86OLD         = C.__SNR_vm86old
-	SYS_CLOCK_ADJTIME64 = C.__SNR_clock_adjtime64
-	SYS_CLOCK_SETTIME64 = C.__SNR_clock_settime64
-	SYS_CHOWN32         = C.__SNR_chown32
-	SYS_FCHOWN32        = C.__SNR_fchown32
-	SYS_LCHOWN32        = C.__SNR_lchown32
-	SYS_SETGID32        = C.__SNR_setgid32
-	SYS_SETGROUPS32     = C.__SNR_setgroups32
-	SYS_SETREGID32      = C.__SNR_setregid32
-	SYS_SETRESGID32     = C.__SNR_setresgid32
-	SYS_SETRESUID32     = C.__SNR_setresuid32
-	SYS_SETREUID32      = C.__SNR_setreuid32
-	SYS_SETUID32        = C.__SNR_setuid32
-)

container/seccomp/syscall_extra_linux_arm64.go

@@ -1,61 +0,0 @@
-package seccomp
-
-/*
-#cgo linux pkg-config: --static libseccomp
-
-#include <seccomp.h>
-*/
-import "C"
-import "syscall"
-
-const (
-	SYS_NEWFSTATAT = syscall.SYS_FSTATAT
-)
-
-var syscallNumExtra = map[string]int{
-	"uselib":          SYS_USELIB,
-	"clock_adjtime64": SYS_CLOCK_ADJTIME64,
-	"clock_settime64": SYS_CLOCK_SETTIME64,
-	"umount":          SYS_UMOUNT,
-	"chown":           SYS_CHOWN,
-	"chown32":         SYS_CHOWN32,
-	"fchown32":        SYS_FCHOWN32,
-	"lchown":          SYS_LCHOWN,
-	"lchown32":        SYS_LCHOWN32,
-	"setgid32":        SYS_SETGID32,
-	"setgroups32":     SYS_SETGROUPS32,
-	"setregid32":      SYS_SETREGID32,
-	"setresgid32":     SYS_SETRESGID32,
-	"setresuid32":     SYS_SETRESUID32,
-	"setreuid32":      SYS_SETREUID32,
-	"setuid32":        SYS_SETUID32,
-	"modify_ldt":      SYS_MODIFY_LDT,
-	"subpage_prot":    SYS_SUBPAGE_PROT,
-	"switch_endian":   SYS_SWITCH_ENDIAN,
-	"vm86":            SYS_VM86,
-	"vm86old":         SYS_VM86OLD,
-}
-
-const (
-	SYS_USELIB          = C.__SNR_uselib
-	SYS_CLOCK_ADJTIME64 = C.__SNR_clock_adjtime64
-	SYS_CLOCK_SETTIME64 = C.__SNR_clock_settime64
-	SYS_UMOUNT          = C.__SNR_umount
-	SYS_CHOWN           = C.__SNR_chown
-	SYS_CHOWN32         = C.__SNR_chown32
-	SYS_FCHOWN32        = C.__SNR_fchown32
-	SYS_LCHOWN          = C.__SNR_lchown
-	SYS_LCHOWN32        = C.__SNR_lchown32
-	SYS_SETGID32        = C.__SNR_setgid32
-	SYS_SETGROUPS32     = C.__SNR_setgroups32
-	SYS_SETREGID32      = C.__SNR_setregid32
-	SYS_SETRESGID32     = C.__SNR_setresgid32
-	SYS_SETRESUID32     = C.__SNR_setresuid32
-	SYS_SETREUID32      = C.__SNR_setreuid32
-	SYS_SETUID32        = C.__SNR_setuid32
-	SYS_MODIFY_LDT      = C.__SNR_modify_ldt
-	SYS_SUBPAGE_PROT    = C.__SNR_subpage_prot
-	SYS_SWITCH_ENDIAN   = C.__SNR_switch_endian
-	SYS_VM86            = C.__SNR_vm86
-	SYS_VM86OLD         = C.__SNR_vm86old
-)

container/seccomp/syscall_linux_amd64.go

@@ -1,459 +0,0 @@
-// mksysnum_linux.pl /usr/include/asm/unistd_64.h
-// Code generated by the command above; DO NOT EDIT.
-
-package seccomp
-
-import . "syscall"
-
-var syscallNum = map[string]int{
-	"read":                    SYS_READ,
-	"write":                   SYS_WRITE,
-	"open":                    SYS_OPEN,
-	"close":                   SYS_CLOSE,
-	"stat":                    SYS_STAT,
-	"fstat":                   SYS_FSTAT,
-	"lstat":                   SYS_LSTAT,
-	"poll":                    SYS_POLL,
-	"lseek":                   SYS_LSEEK,
-	"mmap":                    SYS_MMAP,
-	"mprotect":                SYS_MPROTECT,
-	"munmap":                  SYS_MUNMAP,
-	"brk":                     SYS_BRK,
-	"rt_sigaction":            SYS_RT_SIGACTION,
-	"rt_sigprocmask":          SYS_RT_SIGPROCMASK,
-	"rt_sigreturn":            SYS_RT_SIGRETURN,
-	"ioctl":                   SYS_IOCTL,
-	"pread64":                 SYS_PREAD64,
-	"pwrite64":                SYS_PWRITE64,
-	"readv":                   SYS_READV,
-	"writev":                  SYS_WRITEV,
-	"access":                  SYS_ACCESS,
-	"pipe":                    SYS_PIPE,
-	"select":                  SYS_SELECT,
-	"sched_yield":             SYS_SCHED_YIELD,
-	"mremap":                  SYS_MREMAP,
-	"msync":                   SYS_MSYNC,
-	"mincore":                 SYS_MINCORE,
-	"madvise":                 SYS_MADVISE,
-	"shmget":                  SYS_SHMGET,
-	"shmat":                   SYS_SHMAT,
-	"shmctl":                  SYS_SHMCTL,
-	"dup":                     SYS_DUP,
-	"dup2":                    SYS_DUP2,
-	"pause":                   SYS_PAUSE,
-	"nanosleep":               SYS_NANOSLEEP,
-	"getitimer":               SYS_GETITIMER,
-	"alarm":                   SYS_ALARM,
-	"setitimer":               SYS_SETITIMER,
-	"getpid":                  SYS_GETPID,
-	"sendfile":                SYS_SENDFILE,
-	"socket":                  SYS_SOCKET,
-	"connect":                 SYS_CONNECT,
-	"accept":                  SYS_ACCEPT,
-	"sendto":                  SYS_SENDTO,
-	"recvfrom":                SYS_RECVFROM,
-	"sendmsg":                 SYS_SENDMSG,
-	"recvmsg":                 SYS_RECVMSG,
-	"shutdown":                SYS_SHUTDOWN,
-	"bind":                    SYS_BIND,
-	"listen":                  SYS_LISTEN,
-	"getsockname":             SYS_GETSOCKNAME,
-	"getpeername":             SYS_GETPEERNAME,
-	"socketpair":              SYS_SOCKETPAIR,
-	"setsockopt":              SYS_SETSOCKOPT,
-	"getsockopt":              SYS_GETSOCKOPT,
-	"clone":                   SYS_CLONE,
-	"fork":                    SYS_FORK,
-	"vfork":                   SYS_VFORK,
-	"execve":                  SYS_EXECVE,
-	"exit":                    SYS_EXIT,
-	"wait4":                   SYS_WAIT4,
-	"kill":                    SYS_KILL,
-	"uname":                   SYS_UNAME,
-	"semget":                  SYS_SEMGET,
-	"semop":                   SYS_SEMOP,
-	"semctl":                  SYS_SEMCTL,
-	"shmdt":                   SYS_SHMDT,
-	"msgget":                  SYS_MSGGET,
-	"msgsnd":                  SYS_MSGSND,
-	"msgrcv":                  SYS_MSGRCV,
-	"msgctl":                  SYS_MSGCTL,
-	"fcntl":                   SYS_FCNTL,
-	"flock":                   SYS_FLOCK,
-	"fsync":                   SYS_FSYNC,
-	"fdatasync":               SYS_FDATASYNC,
-	"truncate":                SYS_TRUNCATE,
-	"ftruncate":               SYS_FTRUNCATE,
-	"getdents":                SYS_GETDENTS,
-	"getcwd":                  SYS_GETCWD,
-	"chdir":                   SYS_CHDIR,
-	"fchdir":                  SYS_FCHDIR,
-	"rename":                  SYS_RENAME,
-	"mkdir":                   SYS_MKDIR,
-	"rmdir":                   SYS_RMDIR,
-	"creat":                   SYS_CREAT,
-	"link":                    SYS_LINK,
-	"unlink":                  SYS_UNLINK,
-	"symlink":                 SYS_SYMLINK,
-	"readlink":                SYS_READLINK,
-	"chmod":                   SYS_CHMOD,
-	"fchmod":                  SYS_FCHMOD,
-	"chown":                   SYS_CHOWN,
-	"fchown":                  SYS_FCHOWN,
-	"lchown":                  SYS_LCHOWN,
-	"umask":                   SYS_UMASK,
-	"gettimeofday":            SYS_GETTIMEOFDAY,
-	"getrlimit":               SYS_GETRLIMIT,
-	"getrusage":               SYS_GETRUSAGE,
-	"sysinfo":                 SYS_SYSINFO,
-	"times":                   SYS_TIMES,
-	"ptrace":                  SYS_PTRACE,
-	"getuid":                  SYS_GETUID,
-	"syslog":                  SYS_SYSLOG,
-	"getgid":                  SYS_GETGID,
-	"setuid":                  SYS_SETUID,
-	"setgid":                  SYS_SETGID,
-	"geteuid":                 SYS_GETEUID,
-	"getegid":                 SYS_GETEGID,
-	"setpgid":                 SYS_SETPGID,
-	"getppid":                 SYS_GETPPID,
-	"getpgrp":                 SYS_GETPGRP,
-	"setsid":                  SYS_SETSID,
-	"setreuid":                SYS_SETREUID,
-	"setregid":                SYS_SETREGID,
-	"getgroups":               SYS_GETGROUPS,
-	"setgroups":               SYS_SETGROUPS,
-	"setresuid":               SYS_SETRESUID,
-	"getresuid":               SYS_GETRESUID,
-	"setresgid":               SYS_SETRESGID,
-	"getresgid":               SYS_GETRESGID,
-	"getpgid":                 SYS_GETPGID,
-	"setfsuid":                SYS_SETFSUID,
-	"setfsgid":                SYS_SETFSGID,
-	"getsid":                  SYS_GETSID,
-	"capget":                  SYS_CAPGET,
-	"capset":                  SYS_CAPSET,
-	"rt_sigpending":           SYS_RT_SIGPENDING,
-	"rt_sigtimedwait":         SYS_RT_SIGTIMEDWAIT,
-	"rt_sigqueueinfo":         SYS_RT_SIGQUEUEINFO,
-	"rt_sigsuspend":           SYS_RT_SIGSUSPEND,
-	"sigaltstack":             SYS_SIGALTSTACK,
-	"utime":                   SYS_UTIME,
-	"mknod":                   SYS_MKNOD,
-	"uselib":                  SYS_USELIB,
-	"personality":             SYS_PERSONALITY,
-	"ustat":                   SYS_USTAT,
-	"statfs":                  SYS_STATFS,
-	"fstatfs":                 SYS_FSTATFS,
-	"sysfs":                   SYS_SYSFS,
-	"getpriority":             SYS_GETPRIORITY,
-	"setpriority":             SYS_SETPRIORITY,
-	"sched_setparam":          SYS_SCHED_SETPARAM,
-	"sched_getparam":          SYS_SCHED_GETPARAM,
-	"sched_setscheduler":      SYS_SCHED_SETSCHEDULER,
-	"sched_getscheduler":      SYS_SCHED_GETSCHEDULER,
-	"sched_get_priority_max":  SYS_SCHED_GET_PRIORITY_MAX,
-	"sched_get_priority_min":  SYS_SCHED_GET_PRIORITY_MIN,
-	"sched_rr_get_interval":   SYS_SCHED_RR_GET_INTERVAL,
-	"mlock":                   SYS_MLOCK,
-	"munlock":                 SYS_MUNLOCK,
-	"mlockall":                SYS_MLOCKALL,
-	"munlockall":              SYS_MUNLOCKALL,
-	"vhangup":                 SYS_VHANGUP,
-	"modify_ldt":              SYS_MODIFY_LDT,
-	"pivot_root":              SYS_PIVOT_ROOT,
-	"_sysctl":                 SYS__SYSCTL,
-	"prctl":                   SYS_PRCTL,
-	"arch_prctl":              SYS_ARCH_PRCTL,
-	"adjtimex":                SYS_ADJTIMEX,
-	"setrlimit":               SYS_SETRLIMIT,
-	"chroot":                  SYS_CHROOT,
-	"sync":                    SYS_SYNC,
-	"acct":                    SYS_ACCT,
-	"settimeofday":            SYS_SETTIMEOFDAY,
-	"mount":                   SYS_MOUNT,
-	"umount2":                 SYS_UMOUNT2,
-	"swapon":                  SYS_SWAPON,
-	"swapoff":                 SYS_SWAPOFF,
-	"reboot":                  SYS_REBOOT,
-	"sethostname":             SYS_SETHOSTNAME,
-	"setdomainname":           SYS_SETDOMAINNAME,
-	"iopl":                    SYS_IOPL,
-	"ioperm":                  SYS_IOPERM,
-	"create_module":           SYS_CREATE_MODULE,
-	"init_module":             SYS_INIT_MODULE,
-	"delete_module":           SYS_DELETE_MODULE,
-	"get_kernel_syms":         SYS_GET_KERNEL_SYMS,
-	"query_module":            SYS_QUERY_MODULE,
-	"quotactl":                SYS_QUOTACTL,
-	"nfsservctl":              SYS_NFSSERVCTL,
-	"getpmsg":                 SYS_GETPMSG,
-	"putpmsg":                 SYS_PUTPMSG,
-	"afs_syscall":             SYS_AFS_SYSCALL,
-	"tuxcall":                 SYS_TUXCALL,
-	"security":                SYS_SECURITY,
-	"gettid":                  SYS_GETTID,
-	"readahead":               SYS_READAHEAD,
-	"setxattr":                SYS_SETXATTR,
-	"lsetxattr":               SYS_LSETXATTR,
-	"fsetxattr":               SYS_FSETXATTR,
-	"getxattr":                SYS_GETXATTR,
-	"lgetxattr":               SYS_LGETXATTR,
-	"fgetxattr":               SYS_FGETXATTR,
-	"listxattr":               SYS_LISTXATTR,
-	"llistxattr":              SYS_LLISTXATTR,
-	"flistxattr":              SYS_FLISTXATTR,
-	"removexattr":             SYS_REMOVEXATTR,
-	"lremovexattr":            SYS_LREMOVEXATTR,
-	"fremovexattr":            SYS_FREMOVEXATTR,
-	"tkill":                   SYS_TKILL,
-	"time":                    SYS_TIME,
-	"futex":                   SYS_FUTEX,
-	"sched_setaffinity":       SYS_SCHED_SETAFFINITY,
-	"sched_getaffinity":       SYS_SCHED_GETAFFINITY,
-	"set_thread_area":         SYS_SET_THREAD_AREA,
-	"io_setup":                SYS_IO_SETUP,
-	"io_destroy":              SYS_IO_DESTROY,
-	"io_getevents":            SYS_IO_GETEVENTS,
-	"io_submit":               SYS_IO_SUBMIT,
-	"io_cancel":               SYS_IO_CANCEL,
-	"get_thread_area":         SYS_GET_THREAD_AREA,
-	"lookup_dcookie":          SYS_LOOKUP_DCOOKIE,
-	"epoll_create":            SYS_EPOLL_CREATE,
-	"epoll_ctl_old":           SYS_EPOLL_CTL_OLD,
-	"epoll_wait_old":          SYS_EPOLL_WAIT_OLD,
-	"remap_file_pages":        SYS_REMAP_FILE_PAGES,
-	"getdents64":              SYS_GETDENTS64,
-	"set_tid_address":         SYS_SET_TID_ADDRESS,
-	"restart_syscall":         SYS_RESTART_SYSCALL,
-	"semtimedop":              SYS_SEMTIMEDOP,
-	"fadvise64":               SYS_FADVISE64,
-	"timer_create":            SYS_TIMER_CREATE,
-	"timer_settime":           SYS_TIMER_SETTIME,
-	"timer_gettime":           SYS_TIMER_GETTIME,
-	"timer_getoverrun":        SYS_TIMER_GETOVERRUN,
-	"timer_delete":            SYS_TIMER_DELETE,
-	"clock_settime":           SYS_CLOCK_SETTIME,
-	"clock_gettime":           SYS_CLOCK_GETTIME,
-	"clock_getres":            SYS_CLOCK_GETRES,
-	"clock_nanosleep":         SYS_CLOCK_NANOSLEEP,
-	"exit_group":              SYS_EXIT_GROUP,
-	"epoll_wait":              SYS_EPOLL_WAIT,
-	"epoll_ctl":               SYS_EPOLL_CTL,
-	"tgkill":                  SYS_TGKILL,
-	"utimes":                  SYS_UTIMES,
-	"vserver":                 SYS_VSERVER,
-	"mbind":                   SYS_MBIND,
-	"set_mempolicy":           SYS_SET_MEMPOLICY,
-	"get_mempolicy":           SYS_GET_MEMPOLICY,
-	"mq_open":                 SYS_MQ_OPEN,
-	"mq_unlink":               SYS_MQ_UNLINK,
-	"mq_timedsend":            SYS_MQ_TIMEDSEND,
-	"mq_timedreceive":         SYS_MQ_TIMEDRECEIVE,
-	"mq_notify":               SYS_MQ_NOTIFY,
-	"mq_getsetattr":           SYS_MQ_GETSETATTR,
-	"kexec_load":              SYS_KEXEC_LOAD,
-	"waitid":                  SYS_WAITID,
-	"add_key":                 SYS_ADD_KEY,
-	"request_key":             SYS_REQUEST_KEY,
-	"keyctl":                  SYS_KEYCTL,
-	"ioprio_set":              SYS_IOPRIO_SET,
-	"ioprio_get":              SYS_IOPRIO_GET,
-	"inotify_init":            SYS_INOTIFY_INIT,
-	"inotify_add_watch":       SYS_INOTIFY_ADD_WATCH,
-	"inotify_rm_watch":        SYS_INOTIFY_RM_WATCH,
-	"migrate_pages":           SYS_MIGRATE_PAGES,
-	"openat":                  SYS_OPENAT,
-	"mkdirat":                 SYS_MKDIRAT,
-	"mknodat":                 SYS_MKNODAT,
-	"fchownat":                SYS_FCHOWNAT,
-	"futimesat":               SYS_FUTIMESAT,
-	"newfstatat":              SYS_NEWFSTATAT,
-	"unlinkat":                SYS_UNLINKAT,
-	"renameat":                SYS_RENAMEAT,
-	"linkat":                  SYS_LINKAT,
-	"symlinkat":               SYS_SYMLINKAT,
-	"readlinkat":              SYS_READLINKAT,
-	"fchmodat":                SYS_FCHMODAT,
-	"faccessat":               SYS_FACCESSAT,
-	"pselect6":                SYS_PSELECT6,
-	"ppoll":                   SYS_PPOLL,
-	"unshare":                 SYS_UNSHARE,
-	"set_robust_list":         SYS_SET_ROBUST_LIST,
-	"get_robust_list":         SYS_GET_ROBUST_LIST,
-	"splice":                  SYS_SPLICE,
-	"tee":                     SYS_TEE,
-	"sync_file_range":         SYS_SYNC_FILE_RANGE,
-	"vmsplice":                SYS_VMSPLICE,
-	"move_pages":              SYS_MOVE_PAGES,
-	"utimensat":               SYS_UTIMENSAT,
-	"epoll_pwait":             SYS_EPOLL_PWAIT,
-	"signalfd":                SYS_SIGNALFD,
-	"timerfd_create":          SYS_TIMERFD_CREATE,
-	"eventfd":                 SYS_EVENTFD,
-	"fallocate":               SYS_FALLOCATE,
-	"timerfd_settime":         SYS_TIMERFD_SETTIME,
-	"timerfd_gettime":         SYS_TIMERFD_GETTIME,
-	"accept4":                 SYS_ACCEPT4,
-	"signalfd4":               SYS_SIGNALFD4,
-	"eventfd2":                SYS_EVENTFD2,
-	"epoll_create1":           SYS_EPOLL_CREATE1,
-	"dup3":                    SYS_DUP3,
-	"pipe2":                   SYS_PIPE2,
-	"inotify_init1":           SYS_INOTIFY_INIT1,
-	"preadv":                  SYS_PREADV,
-	"pwritev":                 SYS_PWRITEV,
-	"rt_tgsigqueueinfo":       SYS_RT_TGSIGQUEUEINFO,
-	"perf_event_open":         SYS_PERF_EVENT_OPEN,
-	"recvmmsg":                SYS_RECVMMSG,
-	"fanotify_init":           SYS_FANOTIFY_INIT,
-	"fanotify_mark":           SYS_FANOTIFY_MARK,
-	"prlimit64":               SYS_PRLIMIT64,
-	"name_to_handle_at":       SYS_NAME_TO_HANDLE_AT,
-	"open_by_handle_at":       SYS_OPEN_BY_HANDLE_AT,
-	"clock_adjtime":           SYS_CLOCK_ADJTIME,
-	"syncfs":                  SYS_SYNCFS,
-	"sendmmsg":                SYS_SENDMMSG,
-	"setns":                   SYS_SETNS,
-	"getcpu":                  SYS_GETCPU,
-	"process_vm_readv":        SYS_PROCESS_VM_READV,
-	"process_vm_writev":       SYS_PROCESS_VM_WRITEV,
-	"kcmp":                    SYS_KCMP,
-	"finit_module":            SYS_FINIT_MODULE,
-	"sched_setattr":           SYS_SCHED_SETATTR,
-	"sched_getattr":           SYS_SCHED_GETATTR,
-	"renameat2":               SYS_RENAMEAT2,
-	"seccomp":                 SYS_SECCOMP,
-	"getrandom":               SYS_GETRANDOM,
-	"memfd_create":            SYS_MEMFD_CREATE,
-	"kexec_file_load":         SYS_KEXEC_FILE_LOAD,
-	"bpf":                     SYS_BPF,
-	"execveat":                SYS_EXECVEAT,
-	"userfaultfd":             SYS_USERFAULTFD,
-	"membarrier":              SYS_MEMBARRIER,
-	"mlock2":                  SYS_MLOCK2,
-	"copy_file_range":         SYS_COPY_FILE_RANGE,
-	"preadv2":                 SYS_PREADV2,
-	"pwritev2":                SYS_PWRITEV2,
-	"pkey_mprotect":           SYS_PKEY_MPROTECT,
-	"pkey_alloc":              SYS_PKEY_ALLOC,
-	"pkey_free":               SYS_PKEY_FREE,
-	"statx":                   SYS_STATX,
-	"io_pgetevents":           SYS_IO_PGETEVENTS,
-	"rseq":                    SYS_RSEQ,
-	"uretprobe":               SYS_URETPROBE,
-	"pidfd_send_signal":       SYS_PIDFD_SEND_SIGNAL,
-	"io_uring_setup":          SYS_IO_URING_SETUP,
-	"io_uring_enter":          SYS_IO_URING_ENTER,
-	"io_uring_register":       SYS_IO_URING_REGISTER,
-	"open_tree":               SYS_OPEN_TREE,
-	"move_mount":              SYS_MOVE_MOUNT,
-	"fsopen":                  SYS_FSOPEN,
-	"fsconfig":                SYS_FSCONFIG,
-	"fsmount":                 SYS_FSMOUNT,
-	"fspick":                  SYS_FSPICK,
-	"pidfd_open":              SYS_PIDFD_OPEN,
-	"clone3":                  SYS_CLONE3,
-	"close_range":             SYS_CLOSE_RANGE,
-	"openat2":                 SYS_OPENAT2,
-	"pidfd_getfd":             SYS_PIDFD_GETFD,
-	"faccessat2":              SYS_FACCESSAT2,
-	"process_madvise":         SYS_PROCESS_MADVISE,
-	"epoll_pwait2":            SYS_EPOLL_PWAIT2,
-	"mount_setattr":           SYS_MOUNT_SETATTR,
-	"quotactl_fd":             SYS_QUOTACTL_FD,
-	"landlock_create_ruleset": SYS_LANDLOCK_CREATE_RULESET,
-	"landlock_add_rule":       SYS_LANDLOCK_ADD_RULE,
-	"landlock_restrict_self":  SYS_LANDLOCK_RESTRICT_SELF,
-	"memfd_secret":            SYS_MEMFD_SECRET,
-	"process_mrelease":        SYS_PROCESS_MRELEASE,
-	"futex_waitv":             SYS_FUTEX_WAITV,
-	"set_mempolicy_home_node": SYS_SET_MEMPOLICY_HOME_NODE,
-	"cachestat":               SYS_CACHESTAT,
-	"fchmodat2":               SYS_FCHMODAT2,
-	"map_shadow_stack":        SYS_MAP_SHADOW_STACK,
-	"futex_wake":              SYS_FUTEX_WAKE,
-	"futex_wait":              SYS_FUTEX_WAIT,
-	"futex_requeue":           SYS_FUTEX_REQUEUE,
-	"statmount":               SYS_STATMOUNT,
-	"listmount":               SYS_LISTMOUNT,
-	"lsm_get_self_attr":       SYS_LSM_GET_SELF_ATTR,
-	"lsm_set_self_attr":       SYS_LSM_SET_SELF_ATTR,
-	"lsm_list_modules":        SYS_LSM_LIST_MODULES,
-	"mseal":                   SYS_MSEAL,
-}
-
-const (
-	SYS_NAME_TO_HANDLE_AT       = 303
-	SYS_OPEN_BY_HANDLE_AT       = 304
-	SYS_CLOCK_ADJTIME           = 305
-	SYS_SYNCFS                  = 306
-	SYS_SENDMMSG                = 307
-	SYS_SETNS                   = 308
-	SYS_GETCPU                  = 309
-	SYS_PROCESS_VM_READV        = 310
-	SYS_PROCESS_VM_WRITEV       = 311
-	SYS_KCMP                    = 312
-	SYS_FINIT_MODULE            = 313
-	SYS_SCHED_SETATTR           = 314
-	SYS_SCHED_GETATTR           = 315
-	SYS_RENAMEAT2               = 316
-	SYS_SECCOMP                 = 317
-	SYS_GETRANDOM               = 318
-	SYS_MEMFD_CREATE            = 319
-	SYS_KEXEC_FILE_LOAD         = 320
-	SYS_BPF                     = 321
-	SYS_EXECVEAT                = 322
-	SYS_USERFAULTFD             = 323
-	SYS_MEMBARRIER              = 324
-	SYS_MLOCK2                  = 325
-	SYS_COPY_FILE_RANGE         = 326
-	SYS_PREADV2                 = 327
-	SYS_PWRITEV2                = 328
-	SYS_PKEY_MPROTECT           = 329
-	SYS_PKEY_ALLOC              = 330
-	SYS_PKEY_FREE               = 331
-	SYS_STATX                   = 332
-	SYS_IO_PGETEVENTS           = 333
-	SYS_RSEQ                    = 334
-	SYS_URETPROBE               = 335
-	SYS_PIDFD_SEND_SIGNAL       = 424
-	SYS_IO_URING_SETUP          = 425
-	SYS_IO_URING_ENTER          = 426
-	SYS_IO_URING_REGISTER       = 427
-	SYS_OPEN_TREE               = 428
-	SYS_MOVE_MOUNT              = 429
-	SYS_FSOPEN                  = 430
-	SYS_FSCONFIG                = 431
-	SYS_FSMOUNT                 = 432
-	SYS_FSPICK                  = 433
-	SYS_PIDFD_OPEN              = 434
-	SYS_CLONE3                  = 435
-	SYS_CLOSE_RANGE             = 436
-	SYS_OPENAT2                 = 437
-	SYS_PIDFD_GETFD             = 438
-	SYS_FACCESSAT2              = 439
-	SYS_PROCESS_MADVISE         = 440
-	SYS_EPOLL_PWAIT2            = 441
-	SYS_MOUNT_SETATTR           = 442
-	SYS_QUOTACTL_FD             = 443
-	SYS_LANDLOCK_CREATE_RULESET = 444
-	SYS_LANDLOCK_ADD_RULE       = 445
-	SYS_LANDLOCK_RESTRICT_SELF  = 446
-	SYS_MEMFD_SECRET            = 447
-	SYS_PROCESS_MRELEASE        = 448
-	SYS_FUTEX_WAITV             = 449
-	SYS_SET_MEMPOLICY_HOME_NODE = 450
-	SYS_CACHESTAT               = 451
-	SYS_FCHMODAT2               = 452
-	SYS_MAP_SHADOW_STACK        = 453
-	SYS_FUTEX_WAKE              = 454
-	SYS_FUTEX_WAIT              = 455
-	SYS_FUTEX_REQUEUE           = 456
-	SYS_STATMOUNT               = 457
-	SYS_LISTMOUNT               = 458
-	SYS_LSM_GET_SELF_ATTR       = 459
-	SYS_LSM_SET_SELF_ATTR       = 460
-	SYS_LSM_LIST_MODULES        = 461
-	SYS_MSEAL                   = 462
-)

container/seccomp/syscall_linux_arm64.go

@@ -1,382 +0,0 @@
-// mksysnum_linux.pl /usr/include/asm/unistd_64.h
-// Code generated by the command above; DO NOT EDIT.
-
-package seccomp
-
-import . "syscall"
-
-var syscallNum = map[string]int{
-	"io_setup":                SYS_IO_SETUP,
-	"io_destroy":              SYS_IO_DESTROY,
-	"io_submit":               SYS_IO_SUBMIT,
-	"io_cancel":               SYS_IO_CANCEL,
-	"io_getevents":            SYS_IO_GETEVENTS,
-	"setxattr":                SYS_SETXATTR,
-	"lsetxattr":               SYS_LSETXATTR,
-	"fsetxattr":               SYS_FSETXATTR,
-	"getxattr":                SYS_GETXATTR,
-	"lgetxattr":               SYS_LGETXATTR,
-	"fgetxattr":               SYS_FGETXATTR,
-	"listxattr":               SYS_LISTXATTR,
-	"llistxattr":              SYS_LLISTXATTR,
-	"flistxattr":              SYS_FLISTXATTR,
-	"removexattr":             SYS_REMOVEXATTR,
-	"lremovexattr":            SYS_LREMOVEXATTR,
-	"fremovexattr":            SYS_FREMOVEXATTR,
-	"getcwd":                  SYS_GETCWD,
-	"lookup_dcookie":          SYS_LOOKUP_DCOOKIE,
-	"eventfd2":                SYS_EVENTFD2,
-	"epoll_create1":           SYS_EPOLL_CREATE1,
-	"epoll_ctl":               SYS_EPOLL_CTL,
-	"epoll_pwait":             SYS_EPOLL_PWAIT,
-	"dup":                     SYS_DUP,
-	"dup3":                    SYS_DUP3,
-	"fcntl":                   SYS_FCNTL,
-	"inotify_init1":           SYS_INOTIFY_INIT1,
-	"inotify_add_watch":       SYS_INOTIFY_ADD_WATCH,
-	"inotify_rm_watch":        SYS_INOTIFY_RM_WATCH,
-	"ioctl":                   SYS_IOCTL,
-	"ioprio_set":              SYS_IOPRIO_SET,
-	"ioprio_get":              SYS_IOPRIO_GET,
-	"flock":                   SYS_FLOCK,
-	"mknodat":                 SYS_MKNODAT,
-	"mkdirat":                 SYS_MKDIRAT,
-	"unlinkat":                SYS_UNLINKAT,
-	"symlinkat":               SYS_SYMLINKAT,
-	"linkat":                  SYS_LINKAT,
-	"renameat":                SYS_RENAMEAT,
-	"umount2":                 SYS_UMOUNT2,
-	"mount":                   SYS_MOUNT,
-	"pivot_root":              SYS_PIVOT_ROOT,
-	"nfsservctl":              SYS_NFSSERVCTL,
-	"statfs":                  SYS_STATFS,
-	"fstatfs":                 SYS_FSTATFS,
-	"truncate":                SYS_TRUNCATE,
-	"ftruncate":               SYS_FTRUNCATE,
-	"fallocate":               SYS_FALLOCATE,
-	"faccessat":               SYS_FACCESSAT,
-	"chdir":                   SYS_CHDIR,
-	"fchdir":                  SYS_FCHDIR,
-	"chroot":                  SYS_CHROOT,
-	"fchmod":                  SYS_FCHMOD,
-	"fchmodat":                SYS_FCHMODAT,
-	"fchownat":                SYS_FCHOWNAT,
-	"fchown":                  SYS_FCHOWN,
-	"openat":                  SYS_OPENAT,
-	"close":                   SYS_CLOSE,
-	"vhangup":                 SYS_VHANGUP,
-	"pipe2":                   SYS_PIPE2,
-	"quotactl":                SYS_QUOTACTL,
-	"getdents64":              SYS_GETDENTS64,
-	"lseek":                   SYS_LSEEK,
-	"read":                    SYS_READ,
-	"write":                   SYS_WRITE,
-	"readv":                   SYS_READV,
-	"writev":                  SYS_WRITEV,
-	"pread64":                 SYS_PREAD64,
-	"pwrite64":                SYS_PWRITE64,
-	"preadv":                  SYS_PREADV,
-	"pwritev":                 SYS_PWRITEV,
-	"sendfile":                SYS_SENDFILE,
-	"pselect6":                SYS_PSELECT6,
-	"ppoll":                   SYS_PPOLL,
-	"signalfd4":               SYS_SIGNALFD4,
-	"vmsplice":                SYS_VMSPLICE,
-	"splice":                  SYS_SPLICE,
-	"tee":                     SYS_TEE,
-	"readlinkat":              SYS_READLINKAT,
-	"newfstatat":              SYS_NEWFSTATAT,
-	"fstat":                   SYS_FSTAT,
-	"sync":                    SYS_SYNC,
-	"fsync":                   SYS_FSYNC,
-	"fdatasync":               SYS_FDATASYNC,
-	"sync_file_range":         SYS_SYNC_FILE_RANGE,
-	"timerfd_create":          SYS_TIMERFD_CREATE,
-	"timerfd_settime":         SYS_TIMERFD_SETTIME,
-	"timerfd_gettime":         SYS_TIMERFD_GETTIME,
-	"utimensat":               SYS_UTIMENSAT,
-	"acct":                    SYS_ACCT,
-	"capget":                  SYS_CAPGET,
-	"capset":                  SYS_CAPSET,
-	"personality":             SYS_PERSONALITY,
-	"exit":                    SYS_EXIT,
-	"exit_group":              SYS_EXIT_GROUP,
-	"waitid":                  SYS_WAITID,
-	"set_tid_address":         SYS_SET_TID_ADDRESS,
-	"unshare":                 SYS_UNSHARE,
-	"futex":                   SYS_FUTEX,
-	"set_robust_list":         SYS_SET_ROBUST_LIST,
-	"get_robust_list":         SYS_GET_ROBUST_LIST,
-	"nanosleep":               SYS_NANOSLEEP,
-	"getitimer":               SYS_GETITIMER,
-	"setitimer":               SYS_SETITIMER,
-	"kexec_load":              SYS_KEXEC_LOAD,
-	"init_module":             SYS_INIT_MODULE,
-	"delete_module":           SYS_DELETE_MODULE,
-	"timer_create":            SYS_TIMER_CREATE,
-	"timer_gettime":           SYS_TIMER_GETTIME,
-	"timer_getoverrun":        SYS_TIMER_GETOVERRUN,
-	"timer_settime":           SYS_TIMER_SETTIME,
-	"timer_delete":            SYS_TIMER_DELETE,
-	"clock_settime":           SYS_CLOCK_SETTIME,
-	"clock_gettime":           SYS_CLOCK_GETTIME,
-	"clock_getres":            SYS_CLOCK_GETRES,
-	"clock_nanosleep":         SYS_CLOCK_NANOSLEEP,
-	"syslog":                  SYS_SYSLOG,
-	"ptrace":                  SYS_PTRACE,
-	"sched_setparam":          SYS_SCHED_SETPARAM,
-	"sched_setscheduler":      SYS_SCHED_SETSCHEDULER,
-	"sched_getscheduler":      SYS_SCHED_GETSCHEDULER,
-	"sched_getparam":          SYS_SCHED_GETPARAM,
-	"sched_setaffinity":       SYS_SCHED_SETAFFINITY,
-	"sched_getaffinity":       SYS_SCHED_GETAFFINITY,
-	"sched_yield":             SYS_SCHED_YIELD,
-	"sched_get_priority_max":  SYS_SCHED_GET_PRIORITY_MAX,
-	"sched_get_priority_min":  SYS_SCHED_GET_PRIORITY_MIN,
-	"sched_rr_get_interval":   SYS_SCHED_RR_GET_INTERVAL,
-	"restart_syscall":         SYS_RESTART_SYSCALL,
-	"kill":                    SYS_KILL,
-	"tkill":                   SYS_TKILL,
-	"tgkill":                  SYS_TGKILL,
-	"sigaltstack":             SYS_SIGALTSTACK,
-	"rt_sigsuspend":           SYS_RT_SIGSUSPEND,
-	"rt_sigaction":            SYS_RT_SIGACTION,
-	"rt_sigprocmask":          SYS_RT_SIGPROCMASK,
-	"rt_sigpending":           SYS_RT_SIGPENDING,
-	"rt_sigtimedwait":         SYS_RT_SIGTIMEDWAIT,
-	"rt_sigqueueinfo":         SYS_RT_SIGQUEUEINFO,
-	"rt_sigreturn":            SYS_RT_SIGRETURN,
-	"setpriority":             SYS_SETPRIORITY,
-	"getpriority":             SYS_GETPRIORITY,
-	"reboot":                  SYS_REBOOT,
-	"setregid":                SYS_SETREGID,
-	"setgid":                  SYS_SETGID,
-	"setreuid":                SYS_SETREUID,
-	"setuid":                  SYS_SETUID,
-	"setresuid":               SYS_SETRESUID,
-	"getresuid":               SYS_GETRESUID,
-	"setresgid":               SYS_SETRESGID,
-	"getresgid":               SYS_GETRESGID,
-	"setfsuid":                SYS_SETFSUID,
-	"setfsgid":                SYS_SETFSGID,
-	"times":                   SYS_TIMES,
-	"setpgid":                 SYS_SETPGID,
-	"getpgid":                 SYS_GETPGID,
-	"getsid":                  SYS_GETSID,
-	"setsid":                  SYS_SETSID,
-	"getgroups":               SYS_GETGROUPS,
-	"setgroups":               SYS_SETGROUPS,
-	"uname":                   SYS_UNAME,
-	"sethostname":             SYS_SETHOSTNAME,
-	"setdomainname":           SYS_SETDOMAINNAME,
-	"getrlimit":               SYS_GETRLIMIT,
-	"setrlimit":               SYS_SETRLIMIT,
-	"getrusage":               SYS_GETRUSAGE,
-	"umask":                   SYS_UMASK,
-	"prctl":                   SYS_PRCTL,
-	"getcpu":                  SYS_GETCPU,
-	"gettimeofday":            SYS_GETTIMEOFDAY,
-	"settimeofday":            SYS_SETTIMEOFDAY,
-	"adjtimex":                SYS_ADJTIMEX,
-	"getpid":                  SYS_GETPID,
-	"getppid":                 SYS_GETPPID,
-	"getuid":                  SYS_GETUID,
-	"geteuid":                 SYS_GETEUID,
-	"getgid":                  SYS_GETGID,
-	"getegid":                 SYS_GETEGID,
-	"gettid":                  SYS_GETTID,
-	"sysinfo":                 SYS_SYSINFO,
-	"mq_open":                 SYS_MQ_OPEN,
-	"mq_unlink":               SYS_MQ_UNLINK,
-	"mq_timedsend":            SYS_MQ_TIMEDSEND,
-	"mq_timedreceive":         SYS_MQ_TIMEDRECEIVE,
-	"mq_notify":               SYS_MQ_NOTIFY,
-	"mq_getsetattr":           SYS_MQ_GETSETATTR,
-	"msgget":                  SYS_MSGGET,
-	"msgctl":                  SYS_MSGCTL,
-	"msgrcv":                  SYS_MSGRCV,
-	"msgsnd":                  SYS_MSGSND,
-	"semget":                  SYS_SEMGET,
-	"semctl":                  SYS_SEMCTL,
-	"semtimedop":              SYS_SEMTIMEDOP,
-	"semop":                   SYS_SEMOP,
-	"shmget":                  SYS_SHMGET,
-	"shmctl":                  SYS_SHMCTL,
-	"shmat":                   SYS_SHMAT,
-	"shmdt":                   SYS_SHMDT,
-	"socket":                  SYS_SOCKET,
-	"socketpair":              SYS_SOCKETPAIR,
-	"bind":                    SYS_BIND,
-	"listen":                  SYS_LISTEN,
-	"accept":                  SYS_ACCEPT,
-	"connect":                 SYS_CONNECT,
-	"getsockname":             SYS_GETSOCKNAME,
-	"getpeername":             SYS_GETPEERNAME,
-	"sendto":                  SYS_SENDTO,
-	"recvfrom":                SYS_RECVFROM,
-	"setsockopt":              SYS_SETSOCKOPT,
-	"getsockopt":              SYS_GETSOCKOPT,
-	"shutdown":                SYS_SHUTDOWN,
-	"sendmsg":                 SYS_SENDMSG,
-	"recvmsg":                 SYS_RECVMSG,
-	"readahead":               SYS_READAHEAD,
-	"brk":                     SYS_BRK,
-	"munmap":                  SYS_MUNMAP,
-	"mremap":                  SYS_MREMAP,
-	"add_key":                 SYS_ADD_KEY,
-	"request_key":             SYS_REQUEST_KEY,
-	"keyctl":                  SYS_KEYCTL,
-	"clone":                   SYS_CLONE,
-	"execve":                  SYS_EXECVE,
-	"mmap":                    SYS_MMAP,
-	"fadvise64":               SYS_FADVISE64,
-	"swapon":                  SYS_SWAPON,
-	"swapoff":                 SYS_SWAPOFF,
-	"mprotect":                SYS_MPROTECT,
-	"msync":                   SYS_MSYNC,
-	"mlock":                   SYS_MLOCK,
-	"munlock":                 SYS_MUNLOCK,
-	"mlockall":                SYS_MLOCKALL,
-	"munlockall":              SYS_MUNLOCKALL,
-	"mincore":                 SYS_MINCORE,
-	"madvise":                 SYS_MADVISE,
-	"remap_file_pages":        SYS_REMAP_FILE_PAGES,
-	"mbind":                   SYS_MBIND,
-	"get_mempolicy":           SYS_GET_MEMPOLICY,
-	"set_mempolicy":           SYS_SET_MEMPOLICY,
-	"migrate_pages":           SYS_MIGRATE_PAGES,
-	"move_pages":              SYS_MOVE_PAGES,
-	"rt_tgsigqueueinfo":       SYS_RT_TGSIGQUEUEINFO,
-	"perf_event_open":         SYS_PERF_EVENT_OPEN,
-	"accept4":                 SYS_ACCEPT4,
-	"recvmmsg":                SYS_RECVMMSG,
-	"wait4":                   SYS_WAIT4,
-	"prlimit64":               SYS_PRLIMIT64,
-	"fanotify_init":           SYS_FANOTIFY_INIT,
-	"fanotify_mark":           SYS_FANOTIFY_MARK,
-	"name_to_handle_at":       SYS_NAME_TO_HANDLE_AT,
-	"open_by_handle_at":       SYS_OPEN_BY_HANDLE_AT,
-	"clock_adjtime":           SYS_CLOCK_ADJTIME,
-	"syncfs":                  SYS_SYNCFS,
-	"setns":                   SYS_SETNS,
-	"sendmmsg":                SYS_SENDMMSG,
-	"process_vm_readv":        SYS_PROCESS_VM_READV,
-	"process_vm_writev":       SYS_PROCESS_VM_WRITEV,
-	"kcmp":                    SYS_KCMP,
-	"finit_module":            SYS_FINIT_MODULE,
-	"sched_setattr":           SYS_SCHED_SETATTR,
-	"sched_getattr":           SYS_SCHED_GETATTR,
-	"renameat2":               SYS_RENAMEAT2,
-	"seccomp":                 SYS_SECCOMP,
-	"getrandom":               SYS_GETRANDOM,
-	"memfd_create":            SYS_MEMFD_CREATE,
-	"bpf":                     SYS_BPF,
-	"execveat":                SYS_EXECVEAT,
-	"userfaultfd":             SYS_USERFAULTFD,
-	"membarrier":              SYS_MEMBARRIER,
-	"mlock2":                  SYS_MLOCK2,
-	"copy_file_range":         SYS_COPY_FILE_RANGE,
-	"preadv2":                 SYS_PREADV2,
-	"pwritev2":                SYS_PWRITEV2,
-	"pkey_mprotect":           SYS_PKEY_MPROTECT,
-	"pkey_alloc":              SYS_PKEY_ALLOC,
-	"pkey_free":               SYS_PKEY_FREE,
-	"statx":                   SYS_STATX,
-	"io_pgetevents":           SYS_IO_PGETEVENTS,
-	"rseq":                    SYS_RSEQ,
-	"kexec_file_load":         SYS_KEXEC_FILE_LOAD,
-	"pidfd_send_signal":       SYS_PIDFD_SEND_SIGNAL,
-	"io_uring_setup":          SYS_IO_URING_SETUP,
-	"io_uring_enter":          SYS_IO_URING_ENTER,
-	"io_uring_register":       SYS_IO_URING_REGISTER,
-	"open_tree":               SYS_OPEN_TREE,
-	"move_mount":              SYS_MOVE_MOUNT,
-	"fsopen":                  SYS_FSOPEN,
-	"fsconfig":                SYS_FSCONFIG,
-	"fsmount":                 SYS_FSMOUNT,
-	"fspick":                  SYS_FSPICK,
-	"pidfd_open":              SYS_PIDFD_OPEN,
-	"clone3":                  SYS_CLONE3,
-	"close_range":             SYS_CLOSE_RANGE,
-	"openat2":                 SYS_OPENAT2,
-	"pidfd_getfd":             SYS_PIDFD_GETFD,
-	"faccessat2":              SYS_FACCESSAT2,
-	"process_madvise":         SYS_PROCESS_MADVISE,
-	"epoll_pwait2":            SYS_EPOLL_PWAIT2,
-	"mount_setattr":           SYS_MOUNT_SETATTR,
-	"quotactl_fd":             SYS_QUOTACTL_FD,
-	"landlock_create_ruleset": SYS_LANDLOCK_CREATE_RULESET,
-	"landlock_add_rule":       SYS_LANDLOCK_ADD_RULE,
-	"landlock_restrict_self":  SYS_LANDLOCK_RESTRICT_SELF,
-	"memfd_secret":            SYS_MEMFD_SECRET,
-	"process_mrelease":        SYS_PROCESS_MRELEASE,
-	"futex_waitv":             SYS_FUTEX_WAITV,
-	"set_mempolicy_home_node": SYS_SET_MEMPOLICY_HOME_NODE,
-	"cachestat":               SYS_CACHESTAT,
-	"fchmodat2":               SYS_FCHMODAT2,
-	"map_shadow_stack":        SYS_MAP_SHADOW_STACK,
-	"futex_wake":              SYS_FUTEX_WAKE,
-	"futex_wait":              SYS_FUTEX_WAIT,
-	"futex_requeue":           SYS_FUTEX_REQUEUE,
-	"statmount":               SYS_STATMOUNT,
-	"listmount":               SYS_LISTMOUNT,
-	"lsm_get_self_attr":       SYS_LSM_GET_SELF_ATTR,
-	"lsm_set_self_attr":       SYS_LSM_SET_SELF_ATTR,
-	"lsm_list_modules":        SYS_LSM_LIST_MODULES,
-	"mseal":                   SYS_MSEAL,
-}
-
-const (
-	SYS_USERFAULTFD             = 282
-	SYS_MEMBARRIER              = 283
-	SYS_MLOCK2                  = 284
-	SYS_COPY_FILE_RANGE         = 285
-	SYS_PREADV2                 = 286
-	SYS_PWRITEV2                = 287
-	SYS_PKEY_MPROTECT           = 288
-	SYS_PKEY_ALLOC              = 289
-	SYS_PKEY_FREE               = 290
-	SYS_STATX                   = 291
-	SYS_IO_PGETEVENTS           = 292
-	SYS_RSEQ                    = 293
-	SYS_KEXEC_FILE_LOAD         = 294
-	SYS_PIDFD_SEND_SIGNAL       = 424
-	SYS_IO_URING_SETUP          = 425
-	SYS_IO_URING_ENTER          = 426
-	SYS_IO_URING_REGISTER       = 427
-	SYS_OPEN_TREE               = 428
-	SYS_MOVE_MOUNT              = 429
-	SYS_FSOPEN                  = 430
-	SYS_FSCONFIG                = 431
-	SYS_FSMOUNT                 = 432
-	SYS_FSPICK                  = 433
-	SYS_PIDFD_OPEN              = 434
-	SYS_CLONE3                  = 435
-	SYS_CLOSE_RANGE             = 436
-	SYS_OPENAT2                 = 437
-	SYS_PIDFD_GETFD             = 438
-	SYS_FACCESSAT2              = 439
-	SYS_PROCESS_MADVISE         = 440
-	SYS_EPOLL_PWAIT2            = 441
-	SYS_MOUNT_SETATTR           = 442
-	SYS_QUOTACTL_FD             = 443
-	SYS_LANDLOCK_CREATE_RULESET = 444
-	SYS_LANDLOCK_ADD_RULE       = 445
-	SYS_LANDLOCK_RESTRICT_SELF  = 446
-	SYS_MEMFD_SECRET            = 447
-	SYS_PROCESS_MRELEASE        = 448
-	SYS_FUTEX_WAITV             = 449
-	SYS_SET_MEMPOLICY_HOME_NODE = 450
-	SYS_CACHESTAT               = 451
-	SYS_FCHMODAT2               = 452
-	SYS_MAP_SHADOW_STACK        = 453
-	SYS_FUTEX_WAKE              = 454
-	SYS_FUTEX_WAIT              = 455
-	SYS_FUTEX_REQUEUE           = 456
-	SYS_STATMOUNT               = 457
-	SYS_LISTMOUNT               = 458
-	SYS_LSM_GET_SELF_ATTR       = 459
-	SYS_LSM_SET_SELF_ATTR       = 460
-	SYS_LSM_LIST_MODULES        = 461
-	SYS_MSEAL                   = 462
-)

container/seccomp/syscall_test.go

@@ -1,20 +0,0 @@
-package seccomp
-
-import (
-	"testing"
-)
-
-func TestSyscallResolveName(t *testing.T) {
-	for name, want := range Syscalls() {
-		t.Run(name, func(t *testing.T) {
-			if got := syscallResolveName(name); got != want {
-				t.Errorf("syscallResolveName(%q) = %d, want %d",
-					name, got, want)
-			}
-			if got, ok := SyscallResolveName(name); !ok || got != want {
-				t.Errorf("SyscallResolveName(%q) = %d, want %d",
-					name, got, want)
-			}
-		})
-	}
-}

container/std/bits.go

@@ -1,4 +1,16 @@
-package bits
+// Package std contains constants from container packages without depending on cgo.
+package std
+
+const (
+	// BindOptional skips nonexistent host paths.
+	BindOptional = 1 << iota
+	// BindWritable mounts filesystem read-write.
+	BindWritable
+	// BindDevice allows access to devices (special files) on this filesystem.
+	BindDevice
+	// BindEnsure attempts to create the host path if it does not exist.
+	BindEnsure
+)
 
 // FilterPreset specifies parts of the syscall filter preset to enable.
 type FilterPreset int

container/std/mksysnum_linux.pl

@@ -9,6 +9,7 @@ use POSIX ();
 my $command = "mksysnum_linux.pl ". join(' ', @ARGV);
 my $uname_arch = (POSIX::uname)[4];
 my %syscall_cutoff_arch = (
+	"x86" => 340,
 	"x86_64" => 302,
 	"aarch64" => 281,
 );
@@ -17,11 +18,11 @@ print <<EOF;
 // $command
 // Code generated by the command above; DO NOT EDIT.
 
-package seccomp
+package std
 
 import . "syscall"
 
-var syscallNum = map[string]int{
+var syscallNum = map[string]ScmpSyscall{
 EOF
 
 my $offset = 0;
@@ -36,16 +37,14 @@ sub fmt {
 	}
 	(my $name_upper = $name) =~ y/a-z/A-Z/;
 	$num = $num + $offset;
-	if($num > $syscall_cutoff_arch{$uname_arch}){ # not wired in Go standard library
+	if($num > $syscall_cutoff_arch{$uname_arch} && $state == 0){ # not wired in Go standard library
-		if($state < 0){
+		print " SYS_$name_upper = $num\n";
-			print "	\"$name\": SYS_$name_upper,\n";
-		}
-		else{
-			print " SYS_$name_upper = $num;\n";
-		}
 	}
-	elsif($state < 0){
+	elsif($state == -1){
-		print "	\"$name\": SYS_$name_upper,\n";
+		print "	\"$name\": SNR_$name_upper,\n";
+	}
+	elsif($state == 1){
+		print " SNR_$name_upper ScmpSyscall = SYS_$name_upper\n";
 	}
 	else{
 		return;
@@ -80,10 +79,16 @@ while(<GCC>){
 	}
 }
 
-if($state < 0){
+if($state == -1){
-	$state = $state + 1;
 	print "}\n\nconst (\n";
-	goto GENERATE;
 }
+elsif($state == 0){
+	print ")\n\nconst (\n";
+}
+elsif($state == 1){
+	print ")";
+	exit;
+}
+++$state;
+goto GENERATE;
 
-print ")";

container/std/pnr.go

@@ -0,0 +1,267 @@
+// Code generated from include/seccomp-syscalls.h; DO NOT EDIT.
+
+package std
+
+/*
+ * pseudo syscall definitions
+ */
+
+const (
+
+	/* socket syscalls */
+
+	__PNR_socket      = -101
+	__PNR_bind        = -102
+	__PNR_connect     = -103
+	__PNR_listen      = -104
+	__PNR_accept      = -105
+	__PNR_getsockname = -106
+	__PNR_getpeername = -107
+	__PNR_socketpair  = -108
+	__PNR_send        = -109
+	__PNR_recv        = -110
+	__PNR_sendto      = -111
+	__PNR_recvfrom    = -112
+	__PNR_shutdown    = -113
+	__PNR_setsockopt  = -114
+	__PNR_getsockopt  = -115
+	__PNR_sendmsg     = -116
+	__PNR_recvmsg     = -117
+	__PNR_accept4     = -118
+	__PNR_recvmmsg    = -119
+	__PNR_sendmmsg    = -120
+
+	/* ipc syscalls */
+
+	__PNR_semop      = -201
+	__PNR_semget     = -202
+	__PNR_semctl     = -203
+	__PNR_semtimedop = -204
+	__PNR_msgsnd     = -211
+	__PNR_msgrcv     = -212
+	__PNR_msgget     = -213
+	__PNR_msgctl     = -214
+	__PNR_shmat      = -221
+	__PNR_shmdt      = -222
+	__PNR_shmget     = -223
+	__PNR_shmctl     = -224
+
+	/* single syscalls */
+
+	__PNR_arch_prctl                   = -10001
+	__PNR_bdflush                      = -10002
+	__PNR_break                        = -10003
+	__PNR_chown32                      = -10004
+	__PNR_epoll_ctl_old                = -10005
+	__PNR_epoll_wait_old               = -10006
+	__PNR_fadvise64_64                 = -10007
+	__PNR_fchown32                     = -10008
+	__PNR_fcntl64                      = -10009
+	__PNR_fstat64                      = -10010
+	__PNR_fstatat64                    = -10011
+	__PNR_fstatfs64                    = -10012
+	__PNR_ftime                        = -10013
+	__PNR_ftruncate64                  = -10014
+	__PNR_getegid32                    = -10015
+	__PNR_geteuid32                    = -10016
+	__PNR_getgid32                     = -10017
+	__PNR_getgroups32                  = -10018
+	__PNR_getresgid32                  = -10019
+	__PNR_getresuid32                  = -10020
+	__PNR_getuid32                     = -10021
+	__PNR_gtty                         = -10022
+	__PNR_idle                         = -10023
+	__PNR_ipc                          = -10024
+	__PNR_lchown32                     = -10025
+	__PNR__llseek                      = -10026
+	__PNR_lock                         = -10027
+	__PNR_lstat64                      = -10028
+	__PNR_mmap2                        = -10029
+	__PNR_mpx                          = -10030
+	__PNR_newfstatat                   = -10031
+	__PNR__newselect                   = -10032
+	__PNR_nice                         = -10033
+	__PNR_oldfstat                     = -10034
+	__PNR_oldlstat                     = -10035
+	__PNR_oldolduname                  = -10036
+	__PNR_oldstat                      = -10037
+	__PNR_olduname                     = -10038
+	__PNR_prof                         = -10039
+	__PNR_profil                       = -10040
+	__PNR_readdir                      = -10041
+	__PNR_security                     = -10042
+	__PNR_sendfile64                   = -10043
+	__PNR_setfsgid32                   = -10044
+	__PNR_setfsuid32                   = -10045
+	__PNR_setgid32                     = -10046
+	__PNR_setgroups32                  = -10047
+	__PNR_setregid32                   = -10048
+	__PNR_setresgid32                  = -10049
+	__PNR_setresuid32                  = -10050
+	__PNR_setreuid32                   = -10051
+	__PNR_setuid32                     = -10052
+	__PNR_sgetmask                     = -10053
+	__PNR_sigaction                    = -10054
+	__PNR_signal                       = -10055
+	__PNR_sigpending                   = -10056
+	__PNR_sigprocmask                  = -10057
+	__PNR_sigreturn                    = -10058
+	__PNR_sigsuspend                   = -10059
+	__PNR_socketcall                   = -10060
+	__PNR_ssetmask                     = -10061
+	__PNR_stat64                       = -10062
+	__PNR_statfs64                     = -10063
+	__PNR_stime                        = -10064
+	__PNR_stty                         = -10065
+	__PNR_truncate64                   = -10066
+	__PNR_tuxcall                      = -10067
+	__PNR_ugetrlimit                   = -10068
+	__PNR_ulimit                       = -10069
+	__PNR_umount                       = -10070
+	__PNR_vm86                         = -10071
+	__PNR_vm86old                      = -10072
+	__PNR_waitpid                      = -10073
+	__PNR_create_module                = -10074
+	__PNR_get_kernel_syms              = -10075
+	__PNR_get_thread_area              = -10076
+	__PNR_nfsservctl                   = -10077
+	__PNR_query_module                 = -10078
+	__PNR_set_thread_area              = -10079
+	__PNR__sysctl                      = -10080
+	__PNR_uselib                       = -10081
+	__PNR_vserver                      = -10082
+	__PNR_arm_fadvise64_64             = -10083
+	__PNR_arm_sync_file_range          = -10084
+	__PNR_pciconfig_iobase             = -10086
+	__PNR_pciconfig_read               = -10087
+	__PNR_pciconfig_write              = -10088
+	__PNR_sync_file_range2             = -10089
+	__PNR_syscall                      = -10090
+	__PNR_afs_syscall                  = -10091
+	__PNR_fadvise64                    = -10092
+	__PNR_getpmsg                      = -10093
+	__PNR_ioperm                       = -10094
+	__PNR_iopl                         = -10095
+	__PNR_migrate_pages                = -10097
+	__PNR_modify_ldt                   = -10098
+	__PNR_putpmsg                      = -10099
+	__PNR_sync_file_range              = -10100
+	__PNR_select                       = -10101
+	__PNR_vfork                        = -10102
+	__PNR_cachectl                     = -10103
+	__PNR_cacheflush                   = -10104
+	__PNR_sysmips                      = -10106
+	__PNR_timerfd                      = -10107
+	__PNR_time                         = -10108
+	__PNR_getrandom                    = -10109
+	__PNR_memfd_create                 = -10110
+	__PNR_kexec_file_load              = -10111
+	__PNR_sysfs                        = -10145
+	__PNR_oldwait4                     = -10146
+	__PNR_access                       = -10147
+	__PNR_alarm                        = -10148
+	__PNR_chmod                        = -10149
+	__PNR_chown                        = -10150
+	__PNR_creat                        = -10151
+	__PNR_dup2                         = -10152
+	__PNR_epoll_create                 = -10153
+	__PNR_epoll_wait                   = -10154
+	__PNR_eventfd                      = -10155
+	__PNR_fork                         = -10156
+	__PNR_futimesat                    = -10157
+	__PNR_getdents                     = -10158
+	__PNR_getpgrp                      = -10159
+	__PNR_inotify_init                 = -10160
+	__PNR_lchown                       = -10161
+	__PNR_link                         = -10162
+	__PNR_lstat                        = -10163
+	__PNR_mkdir                        = -10164
+	__PNR_mknod                        = -10165
+	__PNR_open                         = -10166
+	__PNR_pause                        = -10167
+	__PNR_pipe                         = -10168
+	__PNR_poll                         = -10169
+	__PNR_readlink                     = -10170
+	__PNR_rename                       = -10171
+	__PNR_rmdir                        = -10172
+	__PNR_signalfd                     = -10173
+	__PNR_stat                         = -10174
+	__PNR_symlink                      = -10175
+	__PNR_unlink                       = -10176
+	__PNR_ustat                        = -10177
+	__PNR_utime                        = -10178
+	__PNR_utimes                       = -10179
+	__PNR_getrlimit                    = -10180
+	__PNR_mmap                         = -10181
+	__PNR_breakpoint                   = -10182
+	__PNR_set_tls                      = -10183
+	__PNR_usr26                        = -10184
+	__PNR_usr32                        = -10185
+	__PNR_multiplexer                  = -10186
+	__PNR_rtas                         = -10187
+	__PNR_spu_create                   = -10188
+	__PNR_spu_run                      = -10189
+	__PNR_swapcontext                  = -10190
+	__PNR_sys_debug_setcontext         = -10191
+	__PNR_switch_endian                = -10191
+	__PNR_get_mempolicy                = -10192
+	__PNR_move_pages                   = -10193
+	__PNR_mbind                        = -10194
+	__PNR_set_mempolicy                = -10195
+	__PNR_s390_runtime_instr           = -10196
+	__PNR_s390_pci_mmio_read           = -10197
+	__PNR_s390_pci_mmio_write          = -10198
+	__PNR_membarrier                   = -10199
+	__PNR_userfaultfd                  = -10200
+	__PNR_pkey_mprotect                = -10201
+	__PNR_pkey_alloc                   = -10202
+	__PNR_pkey_free                    = -10203
+	__PNR_get_tls                      = -10204
+	__PNR_s390_guarded_storage         = -10205
+	__PNR_s390_sthyi                   = -10206
+	__PNR_subpage_prot                 = -10207
+	__PNR_statx                        = -10208
+	__PNR_io_pgetevents                = -10209
+	__PNR_rseq                         = -10210
+	__PNR_setrlimit                    = -10211
+	__PNR_clock_adjtime64              = -10212
+	__PNR_clock_getres_time64          = -10213
+	__PNR_clock_gettime64              = -10214
+	__PNR_clock_nanosleep_time64       = -10215
+	__PNR_clock_settime64              = -10216
+	__PNR_clone3                       = -10217
+	__PNR_fsconfig                     = -10218
+	__PNR_fsmount                      = -10219
+	__PNR_fsopen                       = -10220
+	__PNR_fspick                       = -10221
+	__PNR_futex_time64                 = -10222
+	__PNR_io_pgetevents_time64         = -10223
+	__PNR_move_mount                   = -10224
+	__PNR_mq_timedreceive_time64       = -10225
+	__PNR_mq_timedsend_time64          = -10226
+	__PNR_open_tree                    = -10227
+	__PNR_pidfd_open                   = -10228
+	__PNR_pidfd_send_signal            = -10229
+	__PNR_ppoll_time64                 = -10230
+	__PNR_pselect6_time64              = -10231
+	__PNR_recvmmsg_time64              = -10232
+	__PNR_rt_sigtimedwait_time64       = -10233
+	__PNR_sched_rr_get_interval_time64 = -10234
+	__PNR_semtimedop_time64            = -10235
+	__PNR_timer_gettime64              = -10236
+	__PNR_timer_settime64              = -10237
+	__PNR_timerfd_gettime64            = -10238
+	__PNR_timerfd_settime64            = -10239
+	__PNR_utimensat_time64             = -10240
+	__PNR_ppoll                        = -10241
+	__PNR_renameat                     = -10242
+	__PNR_riscv_flush_icache           = -10243
+	__PNR_memfd_secret                 = -10244
+	__PNR_map_shadow_stack             = -10245
+	__PNR_fstat                        = -10246
+	__PNR_atomic_barrier               = -10247
+	__PNR_atomic_cmpxchg_32            = -10248
+	__PNR_getpagesize                  = -10249
+	__PNR_riscv_hwprobe                = -10250
+	__PNR_uretprobe                    = -10251
+)

container/std/seccomp.go

@@ -0,0 +1,76 @@
+package std
+
+import (
+	"encoding/json"
+	"strconv"
+)
+
+type (
+	// ScmpUint is equivalent to C.uint.
+	ScmpUint uint32
+	// ScmpInt is equivalent to C.int.
+	ScmpInt int32
+
+	// ScmpSyscall represents a syscall number passed to libseccomp via [NativeRule.Syscall].
+	ScmpSyscall ScmpInt
+	// ScmpErrno represents an errno value passed to libseccomp via [NativeRule.Errno].
+	ScmpErrno ScmpInt
+
+	// ScmpCompare is equivalent to enum scmp_compare;
+	ScmpCompare ScmpUint
+	// ScmpDatum is equivalent to scmp_datum_t.
+	ScmpDatum uint64
+
+	// ScmpArgCmp is equivalent to struct scmp_arg_cmp.
+	ScmpArgCmp struct {
+		// argument number, starting at 0
+		Arg ScmpUint `json:"arg"`
+		// the comparison op, e.g. SCMP_CMP_*
+		Op ScmpCompare `json:"op"`
+
+		DatumA ScmpDatum `json:"a,omitempty"`
+		DatumB ScmpDatum `json:"b,omitempty"`
+	}
+
+	// A NativeRule specifies an arch-specific action taken by seccomp under certain conditions.
+	NativeRule struct {
+		// Syscall is the arch-dependent syscall number to act against.
+		Syscall ScmpSyscall `json:"syscall"`
+		// Errno is the errno value to return when the condition is satisfied.
+		Errno ScmpErrno `json:"errno"`
+		// Arg is the optional struct scmp_arg_cmp passed to libseccomp.
+		Arg *ScmpArgCmp `json:"arg,omitempty"`
+	}
+)
+
+// MarshalJSON resolves the name of [ScmpSyscall] and encodes it as a [json] string.
+// If such a name does not exist, the syscall number is encoded instead.
+func (num *ScmpSyscall) MarshalJSON() ([]byte, error) {
+	n := *num
+	for name, cur := range Syscalls() {
+		if cur == n {
+			return json.Marshal(name)
+		}
+	}
+	return json.Marshal(n)
+}
+
+// SyscallNameError is returned when trying to unmarshal an invalid syscall name into [ScmpSyscall].
+type SyscallNameError string
+
+func (e SyscallNameError) Error() string { return "invalid syscall name " + strconv.Quote(string(e)) }
+
+// UnmarshalJSON looks up the syscall number corresponding to name encoded in data
+// by calling [SyscallResolveName].
+func (num *ScmpSyscall) UnmarshalJSON(data []byte) error {
+	var name string
+	if err := json.Unmarshal(data, &name); err != nil {
+		return err
+	}
+	if n, ok := SyscallResolveName(name); !ok {
+		return SyscallNameError(name)
+	} else {
+		*num = n
+		return nil
+	}
+}

container/std/seccomp_test.go

@@ -0,0 +1,62 @@
+package std_test
+
+import (
+	"encoding/json"
+	"errors"
+	"math"
+	"reflect"
+	"testing"
+
+	"hakurei.app/container/std"
+)
+
+func TestScmpSyscall(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		data string
+		want std.ScmpSyscall
+		err  error
+	}{
+		{"epoll_create1", `"epoll_create1"`, std.SNR_EPOLL_CREATE1, nil},
+		{"clone3", `"clone3"`, std.SNR_CLONE3, nil},
+
+		{"oob", `-2147483647`, -math.MaxInt32,
+			&json.UnmarshalTypeError{Value: "number", Type: reflect.TypeFor[string](), Offset: 11}},
+		{"name", `"nonexistent_syscall"`, -math.MaxInt32,
+			std.SyscallNameError("nonexistent_syscall")},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			t.Run("decode", func(t *testing.T) {
+				var got std.ScmpSyscall
+				if err := json.Unmarshal([]byte(tc.data), &got); !reflect.DeepEqual(err, tc.err) {
+					t.Fatalf("Unmarshal: error = %#v, want %#v", err, tc.err)
+				} else if err == nil && got != tc.want {
+					t.Errorf("Unmarshal: %v, want %v", got, tc.want)
+				}
+			})
+			if errors.As(tc.err, new(std.SyscallNameError)) {
+				return
+			}
+
+			t.Run("encode", func(t *testing.T) {
+				if got, err := json.Marshal(&tc.want); err != nil {
+					t.Fatalf("Marshal: error = %v", err)
+				} else if string(got) != tc.data {
+					t.Errorf("Marshal: %s, want %s", string(got), tc.data)
+				}
+			})
+		})
+	}
+
+	t.Run("error", func(t *testing.T) {
+		const want = `invalid syscall name "\x00"`
+		if got := std.SyscallNameError("\x00").Error(); got != want {
+			t.Fatalf("Error: %q, want %q", got, want)
+		}
+	})
+}

container/std/syscall.go

@@ -1,10 +1,10 @@
-package seccomp
+package std
 
 import "iter"
 
 // Syscalls returns an iterator over all wired syscalls.
-func Syscalls() iter.Seq2[string, int] {
+func Syscalls() iter.Seq2[string, ScmpSyscall] {
-	return func(yield func(string, int) bool) {
+	return func(yield func(string, ScmpSyscall) bool) {
 		for name, num := range syscallNum {
 			if !yield(name, num) {
 				return
@@ -19,7 +19,7 @@ func Syscalls() iter.Seq2[string, int] {
 }
 
 // SyscallResolveName resolves a syscall number from its string representation.
-func SyscallResolveName(name string) (num int, ok bool) {
+func SyscallResolveName(name string) (num ScmpSyscall, ok bool) {
 	if num, ok = syscallNum[name]; ok {
 		return
 	}

container/std/syscall_extra_linux_386.go

@@ -0,0 +1,13 @@
+package std
+
+var syscallNumExtra = map[string]ScmpSyscall{
+	"kexec_file_load": SNR_KEXEC_FILE_LOAD,
+	"subpage_prot":    SNR_SUBPAGE_PROT,
+	"switch_endian":   SNR_SWITCH_ENDIAN,
+}
+
+const (
+	SNR_KEXEC_FILE_LOAD ScmpSyscall = __PNR_kexec_file_load
+	SNR_SUBPAGE_PROT    ScmpSyscall = __PNR_subpage_prot
+	SNR_SWITCH_ENDIAN   ScmpSyscall = __PNR_switch_endian
+)

container/std/syscall_extra_linux_amd64.go

@@ -0,0 +1,41 @@
+package std
+
+var syscallNumExtra = map[string]ScmpSyscall{
+	"umount":          SNR_UMOUNT,
+	"subpage_prot":    SNR_SUBPAGE_PROT,
+	"switch_endian":   SNR_SWITCH_ENDIAN,
+	"vm86":            SNR_VM86,
+	"vm86old":         SNR_VM86OLD,
+	"clock_adjtime64": SNR_CLOCK_ADJTIME64,
+	"clock_settime64": SNR_CLOCK_SETTIME64,
+	"chown32":         SNR_CHOWN32,
+	"fchown32":        SNR_FCHOWN32,
+	"lchown32":        SNR_LCHOWN32,
+	"setgid32":        SNR_SETGID32,
+	"setgroups32":     SNR_SETGROUPS32,
+	"setregid32":      SNR_SETREGID32,
+	"setresgid32":     SNR_SETRESGID32,
+	"setresuid32":     SNR_SETRESUID32,
+	"setreuid32":      SNR_SETREUID32,
+	"setuid32":        SNR_SETUID32,
+}
+
+const (
+	SNR_UMOUNT          ScmpSyscall = __PNR_umount
+	SNR_SUBPAGE_PROT    ScmpSyscall = __PNR_subpage_prot
+	SNR_SWITCH_ENDIAN   ScmpSyscall = __PNR_switch_endian
+	SNR_VM86            ScmpSyscall = __PNR_vm86
+	SNR_VM86OLD         ScmpSyscall = __PNR_vm86old
+	SNR_CLOCK_ADJTIME64 ScmpSyscall = __PNR_clock_adjtime64
+	SNR_CLOCK_SETTIME64 ScmpSyscall = __PNR_clock_settime64
+	SNR_CHOWN32         ScmpSyscall = __PNR_chown32
+	SNR_FCHOWN32        ScmpSyscall = __PNR_fchown32
+	SNR_LCHOWN32        ScmpSyscall = __PNR_lchown32
+	SNR_SETGID32        ScmpSyscall = __PNR_setgid32
+	SNR_SETGROUPS32     ScmpSyscall = __PNR_setgroups32
+	SNR_SETREGID32      ScmpSyscall = __PNR_setregid32
+	SNR_SETRESGID32     ScmpSyscall = __PNR_setresgid32
+	SNR_SETRESUID32     ScmpSyscall = __PNR_setresuid32
+	SNR_SETREUID32      ScmpSyscall = __PNR_setreuid32
+	SNR_SETUID32        ScmpSyscall = __PNR_setuid32
+)

container/std/syscall_extra_linux_arm64.go

@@ -0,0 +1,55 @@
+package std
+
+import "syscall"
+
+const (
+	SYS_NEWFSTATAT = syscall.SYS_FSTATAT
+)
+
+var syscallNumExtra = map[string]ScmpSyscall{
+	"uselib":          SNR_USELIB,
+	"clock_adjtime64": SNR_CLOCK_ADJTIME64,
+	"clock_settime64": SNR_CLOCK_SETTIME64,
+	"umount":          SNR_UMOUNT,
+	"chown":           SNR_CHOWN,
+	"chown32":         SNR_CHOWN32,
+	"fchown32":        SNR_FCHOWN32,
+	"lchown":          SNR_LCHOWN,
+	"lchown32":        SNR_LCHOWN32,
+	"setgid32":        SNR_SETGID32,
+	"setgroups32":     SNR_SETGROUPS32,
+	"setregid32":      SNR_SETREGID32,
+	"setresgid32":     SNR_SETRESGID32,
+	"setresuid32":     SNR_SETRESUID32,
+	"setreuid32":      SNR_SETREUID32,
+	"setuid32":        SNR_SETUID32,
+	"modify_ldt":      SNR_MODIFY_LDT,
+	"subpage_prot":    SNR_SUBPAGE_PROT,
+	"switch_endian":   SNR_SWITCH_ENDIAN,
+	"vm86":            SNR_VM86,
+	"vm86old":         SNR_VM86OLD,
+}
+
+const (
+	SNR_USELIB          ScmpSyscall = __PNR_uselib
+	SNR_CLOCK_ADJTIME64 ScmpSyscall = __PNR_clock_adjtime64
+	SNR_CLOCK_SETTIME64 ScmpSyscall = __PNR_clock_settime64
+	SNR_UMOUNT          ScmpSyscall = __PNR_umount
+	SNR_CHOWN           ScmpSyscall = __PNR_chown
+	SNR_CHOWN32         ScmpSyscall = __PNR_chown32
+	SNR_FCHOWN32        ScmpSyscall = __PNR_fchown32
+	SNR_LCHOWN          ScmpSyscall = __PNR_lchown
+	SNR_LCHOWN32        ScmpSyscall = __PNR_lchown32
+	SNR_SETGID32        ScmpSyscall = __PNR_setgid32
+	SNR_SETGROUPS32     ScmpSyscall = __PNR_setgroups32
+	SNR_SETREGID32      ScmpSyscall = __PNR_setregid32
+	SNR_SETRESGID32     ScmpSyscall = __PNR_setresgid32
+	SNR_SETRESUID32     ScmpSyscall = __PNR_setresuid32
+	SNR_SETREUID32      ScmpSyscall = __PNR_setreuid32
+	SNR_SETUID32        ScmpSyscall = __PNR_setuid32
+	SNR_MODIFY_LDT      ScmpSyscall = __PNR_modify_ldt
+	SNR_SUBPAGE_PROT    ScmpSyscall = __PNR_subpage_prot
+	SNR_SWITCH_ENDIAN   ScmpSyscall = __PNR_switch_endian
+	SNR_VM86            ScmpSyscall = __PNR_vm86
+	SNR_VM86OLD         ScmpSyscall = __PNR_vm86old
+)

container/std/syscall_linux_amd64.go

@@ -0,0 +1,837 @@
+// mksysnum_linux.pl /usr/include/asm/unistd_64.h
+// Code generated by the command above; DO NOT EDIT.
+
+package std
+
+import . "syscall"
+
+var syscallNum = map[string]ScmpSyscall{
+	"read":                    SNR_READ,
+	"write":                   SNR_WRITE,
+	"open":                    SNR_OPEN,
+	"close":                   SNR_CLOSE,
+	"stat":                    SNR_STAT,
+	"fstat":                   SNR_FSTAT,
+	"lstat":                   SNR_LSTAT,
+	"poll":                    SNR_POLL,
+	"lseek":                   SNR_LSEEK,
+	"mmap":                    SNR_MMAP,
+	"mprotect":                SNR_MPROTECT,
+	"munmap":                  SNR_MUNMAP,
+	"brk":                     SNR_BRK,
+	"rt_sigaction":            SNR_RT_SIGACTION,
+	"rt_sigprocmask":          SNR_RT_SIGPROCMASK,
+	"rt_sigreturn":            SNR_RT_SIGRETURN,
+	"ioctl":                   SNR_IOCTL,
+	"pread64":                 SNR_PREAD64,
+	"pwrite64":                SNR_PWRITE64,
+	"readv":                   SNR_READV,
+	"writev":                  SNR_WRITEV,
+	"access":                  SNR_ACCESS,
+	"pipe":                    SNR_PIPE,
+	"select":                  SNR_SELECT,
+	"sched_yield":             SNR_SCHED_YIELD,
+	"mremap":                  SNR_MREMAP,
+	"msync":                   SNR_MSYNC,
+	"mincore":                 SNR_MINCORE,
+	"madvise":                 SNR_MADVISE,
+	"shmget":                  SNR_SHMGET,
+	"shmat":                   SNR_SHMAT,
+	"shmctl":                  SNR_SHMCTL,
+	"dup":                     SNR_DUP,
+	"dup2":                    SNR_DUP2,
+	"pause":                   SNR_PAUSE,
+	"nanosleep":               SNR_NANOSLEEP,
+	"getitimer":               SNR_GETITIMER,
+	"alarm":                   SNR_ALARM,
+	"setitimer":               SNR_SETITIMER,
+	"getpid":                  SNR_GETPID,
+	"sendfile":                SNR_SENDFILE,
+	"socket":                  SNR_SOCKET,
+	"connect":                 SNR_CONNECT,
+	"accept":                  SNR_ACCEPT,
+	"sendto":                  SNR_SENDTO,
+	"recvfrom":                SNR_RECVFROM,
+	"sendmsg":                 SNR_SENDMSG,
+	"recvmsg":                 SNR_RECVMSG,
+	"shutdown":                SNR_SHUTDOWN,
+	"bind":                    SNR_BIND,
+	"listen":                  SNR_LISTEN,
+	"getsockname":             SNR_GETSOCKNAME,
+	"getpeername":             SNR_GETPEERNAME,
+	"socketpair":              SNR_SOCKETPAIR,
+	"setsockopt":              SNR_SETSOCKOPT,
+	"getsockopt":              SNR_GETSOCKOPT,
+	"clone":                   SNR_CLONE,
+	"fork":                    SNR_FORK,
+	"vfork":                   SNR_VFORK,
+	"execve":                  SNR_EXECVE,
+	"exit":                    SNR_EXIT,
+	"wait4":                   SNR_WAIT4,
+	"kill":                    SNR_KILL,
+	"uname":                   SNR_UNAME,
+	"semget":                  SNR_SEMGET,
+	"semop":                   SNR_SEMOP,
+	"semctl":                  SNR_SEMCTL,
+	"shmdt":                   SNR_SHMDT,
+	"msgget":                  SNR_MSGGET,
+	"msgsnd":                  SNR_MSGSND,
+	"msgrcv":                  SNR_MSGRCV,
+	"msgctl":                  SNR_MSGCTL,
+	"fcntl":                   SNR_FCNTL,
+	"flock":                   SNR_FLOCK,
+	"fsync":                   SNR_FSYNC,
+	"fdatasync":               SNR_FDATASYNC,
+	"truncate":                SNR_TRUNCATE,
+	"ftruncate":               SNR_FTRUNCATE,
+	"getdents":                SNR_GETDENTS,
+	"getcwd":                  SNR_GETCWD,
+	"chdir":                   SNR_CHDIR,
+	"fchdir":                  SNR_FCHDIR,
+	"rename":                  SNR_RENAME,
+	"mkdir":                   SNR_MKDIR,
+	"rmdir":                   SNR_RMDIR,
+	"creat":                   SNR_CREAT,
+	"link":                    SNR_LINK,
+	"unlink":                  SNR_UNLINK,
+	"symlink":                 SNR_SYMLINK,
+	"readlink":                SNR_READLINK,
+	"chmod":                   SNR_CHMOD,
+	"fchmod":                  SNR_FCHMOD,
+	"chown":                   SNR_CHOWN,
+	"fchown":                  SNR_FCHOWN,
+	"lchown":                  SNR_LCHOWN,
+	"umask":                   SNR_UMASK,
+	"gettimeofday":            SNR_GETTIMEOFDAY,
+	"getrlimit":               SNR_GETRLIMIT,
+	"getrusage":               SNR_GETRUSAGE,
+	"sysinfo":                 SNR_SYSINFO,
+	"times":                   SNR_TIMES,
+	"ptrace":                  SNR_PTRACE,
+	"getuid":                  SNR_GETUID,
+	"syslog":                  SNR_SYSLOG,
+	"getgid":                  SNR_GETGID,
+	"setuid":                  SNR_SETUID,
+	"setgid":                  SNR_SETGID,
+	"geteuid":                 SNR_GETEUID,
+	"getegid":                 SNR_GETEGID,
+	"setpgid":                 SNR_SETPGID,
+	"getppid":                 SNR_GETPPID,
+	"getpgrp":                 SNR_GETPGRP,
+	"setsid":                  SNR_SETSID,
+	"setreuid":                SNR_SETREUID,
+	"setregid":                SNR_SETREGID,
+	"getgroups":               SNR_GETGROUPS,
+	"setgroups":               SNR_SETGROUPS,
+	"setresuid":               SNR_SETRESUID,
+	"getresuid":               SNR_GETRESUID,
+	"setresgid":               SNR_SETRESGID,
+	"getresgid":               SNR_GETRESGID,
+	"getpgid":                 SNR_GETPGID,
+	"setfsuid":                SNR_SETFSUID,
+	"setfsgid":                SNR_SETFSGID,
+	"getsid":                  SNR_GETSID,
+	"capget":                  SNR_CAPGET,
+	"capset":                  SNR_CAPSET,
+	"rt_sigpending":           SNR_RT_SIGPENDING,
+	"rt_sigtimedwait":         SNR_RT_SIGTIMEDWAIT,
+	"rt_sigqueueinfo":         SNR_RT_SIGQUEUEINFO,
+	"rt_sigsuspend":           SNR_RT_SIGSUSPEND,
+	"sigaltstack":             SNR_SIGALTSTACK,
+	"utime":                   SNR_UTIME,
+	"mknod":                   SNR_MKNOD,
+	"uselib":                  SNR_USELIB,
+	"personality":             SNR_PERSONALITY,
+	"ustat":                   SNR_USTAT,
+	"statfs":                  SNR_STATFS,
+	"fstatfs":                 SNR_FSTATFS,
+	"sysfs":                   SNR_SYSFS,
+	"getpriority":             SNR_GETPRIORITY,
+	"setpriority":             SNR_SETPRIORITY,
+	"sched_setparam":          SNR_SCHED_SETPARAM,
+	"sched_getparam":          SNR_SCHED_GETPARAM,
+	"sched_setscheduler":      SNR_SCHED_SETSCHEDULER,
+	"sched_getscheduler":      SNR_SCHED_GETSCHEDULER,
+	"sched_get_priority_max":  SNR_SCHED_GET_PRIORITY_MAX,
+	"sched_get_priority_min":  SNR_SCHED_GET_PRIORITY_MIN,
+	"sched_rr_get_interval":   SNR_SCHED_RR_GET_INTERVAL,
+	"mlock":                   SNR_MLOCK,
+	"munlock":                 SNR_MUNLOCK,
+	"mlockall":                SNR_MLOCKALL,
+	"munlockall":              SNR_MUNLOCKALL,
+	"vhangup":                 SNR_VHANGUP,
+	"modify_ldt":              SNR_MODIFY_LDT,
+	"pivot_root":              SNR_PIVOT_ROOT,
+	"_sysctl":                 SNR__SYSCTL,
+	"prctl":                   SNR_PRCTL,
+	"arch_prctl":              SNR_ARCH_PRCTL,
+	"adjtimex":                SNR_ADJTIMEX,
+	"setrlimit":               SNR_SETRLIMIT,
+	"chroot":                  SNR_CHROOT,
+	"sync":                    SNR_SYNC,
+	"acct":                    SNR_ACCT,
+	"settimeofday":            SNR_SETTIMEOFDAY,
+	"mount":                   SNR_MOUNT,
+	"umount2":                 SNR_UMOUNT2,
+	"swapon":                  SNR_SWAPON,
+	"swapoff":                 SNR_SWAPOFF,
+	"reboot":                  SNR_REBOOT,
+	"sethostname":             SNR_SETHOSTNAME,
+	"setdomainname":           SNR_SETDOMAINNAME,
+	"iopl":                    SNR_IOPL,
+	"ioperm":                  SNR_IOPERM,
+	"create_module":           SNR_CREATE_MODULE,
+	"init_module":             SNR_INIT_MODULE,
+	"delete_module":           SNR_DELETE_MODULE,
+	"get_kernel_syms":         SNR_GET_KERNEL_SYMS,
+	"query_module":            SNR_QUERY_MODULE,
+	"quotactl":                SNR_QUOTACTL,
+	"nfsservctl":              SNR_NFSSERVCTL,
+	"getpmsg":                 SNR_GETPMSG,
+	"putpmsg":                 SNR_PUTPMSG,
+	"afs_syscall":             SNR_AFS_SYSCALL,
+	"tuxcall":                 SNR_TUXCALL,
+	"security":                SNR_SECURITY,
+	"gettid":                  SNR_GETTID,
+	"readahead":               SNR_READAHEAD,
+	"setxattr":                SNR_SETXATTR,
+	"lsetxattr":               SNR_LSETXATTR,
+	"fsetxattr":               SNR_FSETXATTR,
+	"getxattr":                SNR_GETXATTR,
+	"lgetxattr":               SNR_LGETXATTR,
+	"fgetxattr":               SNR_FGETXATTR,
+	"listxattr":               SNR_LISTXATTR,
+	"llistxattr":              SNR_LLISTXATTR,
+	"flistxattr":              SNR_FLISTXATTR,
+	"removexattr":             SNR_REMOVEXATTR,
+	"lremovexattr":            SNR_LREMOVEXATTR,
+	"fremovexattr":            SNR_FREMOVEXATTR,
+	"tkill":                   SNR_TKILL,
+	"time":                    SNR_TIME,
+	"futex":                   SNR_FUTEX,
+	"sched_setaffinity":       SNR_SCHED_SETAFFINITY,
+	"sched_getaffinity":       SNR_SCHED_GETAFFINITY,
+	"set_thread_area":         SNR_SET_THREAD_AREA,
+	"io_setup":                SNR_IO_SETUP,
+	"io_destroy":              SNR_IO_DESTROY,
+	"io_getevents":            SNR_IO_GETEVENTS,
+	"io_submit":               SNR_IO_SUBMIT,
+	"io_cancel":               SNR_IO_CANCEL,
+	"get_thread_area":         SNR_GET_THREAD_AREA,
+	"lookup_dcookie":          SNR_LOOKUP_DCOOKIE,
+	"epoll_create":            SNR_EPOLL_CREATE,
+	"epoll_ctl_old":           SNR_EPOLL_CTL_OLD,
+	"epoll_wait_old":          SNR_EPOLL_WAIT_OLD,
+	"remap_file_pages":        SNR_REMAP_FILE_PAGES,
+	"getdents64":              SNR_GETDENTS64,
+	"set_tid_address":         SNR_SET_TID_ADDRESS,
+	"restart_syscall":         SNR_RESTART_SYSCALL,
+	"semtimedop":              SNR_SEMTIMEDOP,
+	"fadvise64":               SNR_FADVISE64,
+	"timer_create":            SNR_TIMER_CREATE,
+	"timer_settime":           SNR_TIMER_SETTIME,
+	"timer_gettime":           SNR_TIMER_GETTIME,
+	"timer_getoverrun":        SNR_TIMER_GETOVERRUN,
+	"timer_delete":            SNR_TIMER_DELETE,
+	"clock_settime":           SNR_CLOCK_SETTIME,
+	"clock_gettime":           SNR_CLOCK_GETTIME,
+	"clock_getres":            SNR_CLOCK_GETRES,
+	"clock_nanosleep":         SNR_CLOCK_NANOSLEEP,
+	"exit_group":              SNR_EXIT_GROUP,
+	"epoll_wait":              SNR_EPOLL_WAIT,
+	"epoll_ctl":               SNR_EPOLL_CTL,
+	"tgkill":                  SNR_TGKILL,
+	"utimes":                  SNR_UTIMES,
+	"vserver":                 SNR_VSERVER,
+	"mbind":                   SNR_MBIND,
+	"set_mempolicy":           SNR_SET_MEMPOLICY,
+	"get_mempolicy":           SNR_GET_MEMPOLICY,
+	"mq_open":                 SNR_MQ_OPEN,
+	"mq_unlink":               SNR_MQ_UNLINK,
+	"mq_timedsend":            SNR_MQ_TIMEDSEND,
+	"mq_timedreceive":         SNR_MQ_TIMEDRECEIVE,
+	"mq_notify":               SNR_MQ_NOTIFY,
+	"mq_getsetattr":           SNR_MQ_GETSETATTR,
+	"kexec_load":              SNR_KEXEC_LOAD,
+	"waitid":                  SNR_WAITID,
+	"add_key":                 SNR_ADD_KEY,
+	"request_key":             SNR_REQUEST_KEY,
+	"keyctl":                  SNR_KEYCTL,
+	"ioprio_set":              SNR_IOPRIO_SET,
+	"ioprio_get":              SNR_IOPRIO_GET,
+	"inotify_init":            SNR_INOTIFY_INIT,
+	"inotify_add_watch":       SNR_INOTIFY_ADD_WATCH,
+	"inotify_rm_watch":        SNR_INOTIFY_RM_WATCH,
+	"migrate_pages":           SNR_MIGRATE_PAGES,
+	"openat":                  SNR_OPENAT,
+	"mkdirat":                 SNR_MKDIRAT,
+	"mknodat":                 SNR_MKNODAT,
+	"fchownat":                SNR_FCHOWNAT,
+	"futimesat":               SNR_FUTIMESAT,
+	"newfstatat":              SNR_NEWFSTATAT,
+	"unlinkat":                SNR_UNLINKAT,
+	"renameat":                SNR_RENAMEAT,
+	"linkat":                  SNR_LINKAT,
+	"symlinkat":               SNR_SYMLINKAT,
+	"readlinkat":              SNR_READLINKAT,
+	"fchmodat":                SNR_FCHMODAT,
+	"faccessat":               SNR_FACCESSAT,
+	"pselect6":                SNR_PSELECT6,
+	"ppoll":                   SNR_PPOLL,
+	"unshare":                 SNR_UNSHARE,
+	"set_robust_list":         SNR_SET_ROBUST_LIST,
+	"get_robust_list":         SNR_GET_ROBUST_LIST,
+	"splice":                  SNR_SPLICE,
+	"tee":                     SNR_TEE,
+	"sync_file_range":         SNR_SYNC_FILE_RANGE,
+	"vmsplice":                SNR_VMSPLICE,
+	"move_pages":              SNR_MOVE_PAGES,
+	"utimensat":               SNR_UTIMENSAT,
+	"epoll_pwait":             SNR_EPOLL_PWAIT,
+	"signalfd":                SNR_SIGNALFD,
+	"timerfd_create":          SNR_TIMERFD_CREATE,
+	"eventfd":                 SNR_EVENTFD,
+	"fallocate":               SNR_FALLOCATE,
+	"timerfd_settime":         SNR_TIMERFD_SETTIME,
+	"timerfd_gettime":         SNR_TIMERFD_GETTIME,
+	"accept4":                 SNR_ACCEPT4,
+	"signalfd4":               SNR_SIGNALFD4,
+	"eventfd2":                SNR_EVENTFD2,
+	"epoll_create1":           SNR_EPOLL_CREATE1,
+	"dup3":                    SNR_DUP3,
+	"pipe2":                   SNR_PIPE2,
+	"inotify_init1":           SNR_INOTIFY_INIT1,
+	"preadv":                  SNR_PREADV,
+	"pwritev":                 SNR_PWRITEV,
+	"rt_tgsigqueueinfo":       SNR_RT_TGSIGQUEUEINFO,
+	"perf_event_open":         SNR_PERF_EVENT_OPEN,
+	"recvmmsg":                SNR_RECVMMSG,
+	"fanotify_init":           SNR_FANOTIFY_INIT,
+	"fanotify_mark":           SNR_FANOTIFY_MARK,
+	"prlimit64":               SNR_PRLIMIT64,
+	"name_to_handle_at":       SNR_NAME_TO_HANDLE_AT,
+	"open_by_handle_at":       SNR_OPEN_BY_HANDLE_AT,
+	"clock_adjtime":           SNR_CLOCK_ADJTIME,
+	"syncfs":                  SNR_SYNCFS,
+	"sendmmsg":                SNR_SENDMMSG,
+	"setns":                   SNR_SETNS,
+	"getcpu":                  SNR_GETCPU,
+	"process_vm_readv":        SNR_PROCESS_VM_READV,
+	"process_vm_writev":       SNR_PROCESS_VM_WRITEV,
+	"kcmp":                    SNR_KCMP,
+	"finit_module":            SNR_FINIT_MODULE,
+	"sched_setattr":           SNR_SCHED_SETATTR,
+	"sched_getattr":           SNR_SCHED_GETATTR,
+	"renameat2":               SNR_RENAMEAT2,
+	"seccomp":                 SNR_SECCOMP,
+	"getrandom":               SNR_GETRANDOM,
+	"memfd_create":            SNR_MEMFD_CREATE,
+	"kexec_file_load":         SNR_KEXEC_FILE_LOAD,
+	"bpf":                     SNR_BPF,
+	"execveat":                SNR_EXECVEAT,
+	"userfaultfd":             SNR_USERFAULTFD,
+	"membarrier":              SNR_MEMBARRIER,
+	"mlock2":                  SNR_MLOCK2,
+	"copy_file_range":         SNR_COPY_FILE_RANGE,
+	"preadv2":                 SNR_PREADV2,
+	"pwritev2":                SNR_PWRITEV2,
+	"pkey_mprotect":           SNR_PKEY_MPROTECT,
+	"pkey_alloc":              SNR_PKEY_ALLOC,
+	"pkey_free":               SNR_PKEY_FREE,
+	"statx":                   SNR_STATX,
+	"io_pgetevents":           SNR_IO_PGETEVENTS,
+	"rseq":                    SNR_RSEQ,
+	"uretprobe":               SNR_URETPROBE,
+	"pidfd_send_signal":       SNR_PIDFD_SEND_SIGNAL,
+	"io_uring_setup":          SNR_IO_URING_SETUP,
+	"io_uring_enter":          SNR_IO_URING_ENTER,
+	"io_uring_register":       SNR_IO_URING_REGISTER,
+	"open_tree":               SNR_OPEN_TREE,
+	"move_mount":              SNR_MOVE_MOUNT,
+	"fsopen":                  SNR_FSOPEN,
+	"fsconfig":                SNR_FSCONFIG,
+	"fsmount":                 SNR_FSMOUNT,
+	"fspick":                  SNR_FSPICK,
+	"pidfd_open":              SNR_PIDFD_OPEN,
+	"clone3":                  SNR_CLONE3,
+	"close_range":             SNR_CLOSE_RANGE,
+	"openat2":                 SNR_OPENAT2,
+	"pidfd_getfd":             SNR_PIDFD_GETFD,
+	"faccessat2":              SNR_FACCESSAT2,
+	"process_madvise":         SNR_PROCESS_MADVISE,
+	"epoll_pwait2":            SNR_EPOLL_PWAIT2,
+	"mount_setattr":           SNR_MOUNT_SETATTR,
+	"quotactl_fd":             SNR_QUOTACTL_FD,
+	"landlock_create_ruleset": SNR_LANDLOCK_CREATE_RULESET,
+	"landlock_add_rule":       SNR_LANDLOCK_ADD_RULE,
+	"landlock_restrict_self":  SNR_LANDLOCK_RESTRICT_SELF,
+	"memfd_secret":            SNR_MEMFD_SECRET,
+	"process_mrelease":        SNR_PROCESS_MRELEASE,
+	"futex_waitv":             SNR_FUTEX_WAITV,
+	"set_mempolicy_home_node": SNR_SET_MEMPOLICY_HOME_NODE,
+	"cachestat":               SNR_CACHESTAT,
+	"fchmodat2":               SNR_FCHMODAT2,
+	"map_shadow_stack":        SNR_MAP_SHADOW_STACK,
+	"futex_wake":              SNR_FUTEX_WAKE,
+	"futex_wait":              SNR_FUTEX_WAIT,
+	"futex_requeue":           SNR_FUTEX_REQUEUE,
+	"statmount":               SNR_STATMOUNT,
+	"listmount":               SNR_LISTMOUNT,
+	"lsm_get_self_attr":       SNR_LSM_GET_SELF_ATTR,
+	"lsm_set_self_attr":       SNR_LSM_SET_SELF_ATTR,
+	"lsm_list_modules":        SNR_LSM_LIST_MODULES,
+	"mseal":                   SNR_MSEAL,
+}
+
+const (
+	SYS_NAME_TO_HANDLE_AT       = 303
+	SYS_OPEN_BY_HANDLE_AT       = 304
+	SYS_CLOCK_ADJTIME           = 305
+	SYS_SYNCFS                  = 306
+	SYS_SENDMMSG                = 307
+	SYS_SETNS                   = 308
+	SYS_GETCPU                  = 309
+	SYS_PROCESS_VM_READV        = 310
+	SYS_PROCESS_VM_WRITEV       = 311
+	SYS_KCMP                    = 312
+	SYS_FINIT_MODULE            = 313
+	SYS_SCHED_SETATTR           = 314
+	SYS_SCHED_GETATTR           = 315
+	SYS_RENAMEAT2               = 316
+	SYS_SECCOMP                 = 317
+	SYS_GETRANDOM               = 318
+	SYS_MEMFD_CREATE            = 319
+	SYS_KEXEC_FILE_LOAD         = 320
+	SYS_BPF                     = 321
+	SYS_EXECVEAT                = 322
+	SYS_USERFAULTFD             = 323
+	SYS_MEMBARRIER              = 324
+	SYS_MLOCK2                  = 325
+	SYS_COPY_FILE_RANGE         = 326
+	SYS_PREADV2                 = 327
+	SYS_PWRITEV2                = 328
+	SYS_PKEY_MPROTECT           = 329
+	SYS_PKEY_ALLOC              = 330
+	SYS_PKEY_FREE               = 331
+	SYS_STATX                   = 332
+	SYS_IO_PGETEVENTS           = 333
+	SYS_RSEQ                    = 334
+	SYS_URETPROBE               = 335
+	SYS_PIDFD_SEND_SIGNAL       = 424
+	SYS_IO_URING_SETUP          = 425
+	SYS_IO_URING_ENTER          = 426
+	SYS_IO_URING_REGISTER       = 427
+	SYS_OPEN_TREE               = 428
+	SYS_MOVE_MOUNT              = 429
+	SYS_FSOPEN                  = 430
+	SYS_FSCONFIG                = 431
+	SYS_FSMOUNT                 = 432
+	SYS_FSPICK                  = 433
+	SYS_PIDFD_OPEN              = 434
+	SYS_CLONE3                  = 435
+	SYS_CLOSE_RANGE             = 436
+	SYS_OPENAT2                 = 437
+	SYS_PIDFD_GETFD             = 438
+	SYS_FACCESSAT2              = 439
+	SYS_PROCESS_MADVISE         = 440
+	SYS_EPOLL_PWAIT2            = 441
+	SYS_MOUNT_SETATTR           = 442
+	SYS_QUOTACTL_FD             = 443
+	SYS_LANDLOCK_CREATE_RULESET = 444
+	SYS_LANDLOCK_ADD_RULE       = 445
+	SYS_LANDLOCK_RESTRICT_SELF  = 446
+	SYS_MEMFD_SECRET            = 447
+	SYS_PROCESS_MRELEASE        = 448
+	SYS_FUTEX_WAITV             = 449
+	SYS_SET_MEMPOLICY_HOME_NODE = 450
+	SYS_CACHESTAT               = 451
+	SYS_FCHMODAT2               = 452
+	SYS_MAP_SHADOW_STACK        = 453
+	SYS_FUTEX_WAKE              = 454
+	SYS_FUTEX_WAIT              = 455
+	SYS_FUTEX_REQUEUE           = 456
+	SYS_STATMOUNT               = 457
+	SYS_LISTMOUNT               = 458
+	SYS_LSM_GET_SELF_ATTR       = 459
+	SYS_LSM_SET_SELF_ATTR       = 460
+	SYS_LSM_LIST_MODULES        = 461
+	SYS_MSEAL                   = 462
+)
+
+const (
+	SNR_READ                    ScmpSyscall = SYS_READ
+	SNR_WRITE                   ScmpSyscall = SYS_WRITE
+	SNR_OPEN                    ScmpSyscall = SYS_OPEN
+	SNR_CLOSE                   ScmpSyscall = SYS_CLOSE
+	SNR_STAT                    ScmpSyscall = SYS_STAT
+	SNR_FSTAT                   ScmpSyscall = SYS_FSTAT
+	SNR_LSTAT                   ScmpSyscall = SYS_LSTAT
+	SNR_POLL                    ScmpSyscall = SYS_POLL
+	SNR_LSEEK                   ScmpSyscall = SYS_LSEEK
+	SNR_MMAP                    ScmpSyscall = SYS_MMAP
+	SNR_MPROTECT                ScmpSyscall = SYS_MPROTECT
+	SNR_MUNMAP                  ScmpSyscall = SYS_MUNMAP
+	SNR_BRK                     ScmpSyscall = SYS_BRK
+	SNR_RT_SIGACTION            ScmpSyscall = SYS_RT_SIGACTION
+	SNR_RT_SIGPROCMASK          ScmpSyscall = SYS_RT_SIGPROCMASK
+	SNR_RT_SIGRETURN            ScmpSyscall = SYS_RT_SIGRETURN
+	SNR_IOCTL                   ScmpSyscall = SYS_IOCTL
+	SNR_PREAD64                 ScmpSyscall = SYS_PREAD64
+	SNR_PWRITE64                ScmpSyscall = SYS_PWRITE64
+	SNR_READV                   ScmpSyscall = SYS_READV
+	SNR_WRITEV                  ScmpSyscall = SYS_WRITEV
+	SNR_ACCESS                  ScmpSyscall = SYS_ACCESS
+	SNR_PIPE                    ScmpSyscall = SYS_PIPE
+	SNR_SELECT                  ScmpSyscall = SYS_SELECT
+	SNR_SCHED_YIELD             ScmpSyscall = SYS_SCHED_YIELD
+	SNR_MREMAP                  ScmpSyscall = SYS_MREMAP
+	SNR_MSYNC                   ScmpSyscall = SYS_MSYNC
+	SNR_MINCORE                 ScmpSyscall = SYS_MINCORE
+	SNR_MADVISE                 ScmpSyscall = SYS_MADVISE
+	SNR_SHMGET                  ScmpSyscall = SYS_SHMGET
+	SNR_SHMAT                   ScmpSyscall = SYS_SHMAT
+	SNR_SHMCTL                  ScmpSyscall = SYS_SHMCTL
+	SNR_DUP                     ScmpSyscall = SYS_DUP
+	SNR_DUP2                    ScmpSyscall = SYS_DUP2
+	SNR_PAUSE                   ScmpSyscall = SYS_PAUSE
+	SNR_NANOSLEEP               ScmpSyscall = SYS_NANOSLEEP
+	SNR_GETITIMER               ScmpSyscall = SYS_GETITIMER
+	SNR_ALARM                   ScmpSyscall = SYS_ALARM
+	SNR_SETITIMER               ScmpSyscall = SYS_SETITIMER
+	SNR_GETPID                  ScmpSyscall = SYS_GETPID
+	SNR_SENDFILE                ScmpSyscall = SYS_SENDFILE
+	SNR_SOCKET                  ScmpSyscall = SYS_SOCKET
+	SNR_CONNECT                 ScmpSyscall = SYS_CONNECT
+	SNR_ACCEPT                  ScmpSyscall = SYS_ACCEPT
+	SNR_SENDTO                  ScmpSyscall = SYS_SENDTO
+	SNR_RECVFROM                ScmpSyscall = SYS_RECVFROM
+	SNR_SENDMSG                 ScmpSyscall = SYS_SENDMSG
+	SNR_RECVMSG                 ScmpSyscall = SYS_RECVMSG
+	SNR_SHUTDOWN                ScmpSyscall = SYS_SHUTDOWN
+	SNR_BIND                    ScmpSyscall = SYS_BIND
+	SNR_LISTEN                  ScmpSyscall = SYS_LISTEN
+	SNR_GETSOCKNAME             ScmpSyscall = SYS_GETSOCKNAME
+	SNR_GETPEERNAME             ScmpSyscall = SYS_GETPEERNAME
+	SNR_SOCKETPAIR              ScmpSyscall = SYS_SOCKETPAIR
+	SNR_SETSOCKOPT              ScmpSyscall = SYS_SETSOCKOPT
+	SNR_GETSOCKOPT              ScmpSyscall = SYS_GETSOCKOPT
+	SNR_CLONE                   ScmpSyscall = SYS_CLONE
+	SNR_FORK                    ScmpSyscall = SYS_FORK
+	SNR_VFORK                   ScmpSyscall = SYS_VFORK
+	SNR_EXECVE                  ScmpSyscall = SYS_EXECVE
+	SNR_EXIT                    ScmpSyscall = SYS_EXIT
+	SNR_WAIT4                   ScmpSyscall = SYS_WAIT4
+	SNR_KILL                    ScmpSyscall = SYS_KILL
+	SNR_UNAME                   ScmpSyscall = SYS_UNAME
+	SNR_SEMGET                  ScmpSyscall = SYS_SEMGET
+	SNR_SEMOP                   ScmpSyscall = SYS_SEMOP
+	SNR_SEMCTL                  ScmpSyscall = SYS_SEMCTL
+	SNR_SHMDT                   ScmpSyscall = SYS_SHMDT
+	SNR_MSGGET                  ScmpSyscall = SYS_MSGGET
+	SNR_MSGSND                  ScmpSyscall = SYS_MSGSND
+	SNR_MSGRCV                  ScmpSyscall = SYS_MSGRCV
+	SNR_MSGCTL                  ScmpSyscall = SYS_MSGCTL
+	SNR_FCNTL                   ScmpSyscall = SYS_FCNTL
+	SNR_FLOCK                   ScmpSyscall = SYS_FLOCK
+	SNR_FSYNC                   ScmpSyscall = SYS_FSYNC
+	SNR_FDATASYNC               ScmpSyscall = SYS_FDATASYNC
+	SNR_TRUNCATE                ScmpSyscall = SYS_TRUNCATE
+	SNR_FTRUNCATE               ScmpSyscall = SYS_FTRUNCATE
+	SNR_GETDENTS                ScmpSyscall = SYS_GETDENTS
+	SNR_GETCWD                  ScmpSyscall = SYS_GETCWD
+	SNR_CHDIR                   ScmpSyscall = SYS_CHDIR
+	SNR_FCHDIR                  ScmpSyscall = SYS_FCHDIR
+	SNR_RENAME                  ScmpSyscall = SYS_RENAME
+	SNR_MKDIR                   ScmpSyscall = SYS_MKDIR
+	SNR_RMDIR                   ScmpSyscall = SYS_RMDIR
+	SNR_CREAT                   ScmpSyscall = SYS_CREAT
+	SNR_LINK                    ScmpSyscall = SYS_LINK
+	SNR_UNLINK                  ScmpSyscall = SYS_UNLINK
+	SNR_SYMLINK                 ScmpSyscall = SYS_SYMLINK
+	SNR_READLINK                ScmpSyscall = SYS_READLINK
+	SNR_CHMOD                   ScmpSyscall = SYS_CHMOD
+	SNR_FCHMOD                  ScmpSyscall = SYS_FCHMOD
+	SNR_CHOWN                   ScmpSyscall = SYS_CHOWN
+	SNR_FCHOWN                  ScmpSyscall = SYS_FCHOWN
+	SNR_LCHOWN                  ScmpSyscall = SYS_LCHOWN
+	SNR_UMASK                   ScmpSyscall = SYS_UMASK
+	SNR_GETTIMEOFDAY            ScmpSyscall = SYS_GETTIMEOFDAY
+	SNR_GETRLIMIT               ScmpSyscall = SYS_GETRLIMIT
+	SNR_GETRUSAGE               ScmpSyscall = SYS_GETRUSAGE
+	SNR_SYSINFO                 ScmpSyscall = SYS_SYSINFO
+	SNR_TIMES                   ScmpSyscall = SYS_TIMES
+	SNR_PTRACE                  ScmpSyscall = SYS_PTRACE
+	SNR_GETUID                  ScmpSyscall = SYS_GETUID
+	SNR_SYSLOG                  ScmpSyscall = SYS_SYSLOG
+	SNR_GETGID                  ScmpSyscall = SYS_GETGID
+	SNR_SETUID                  ScmpSyscall = SYS_SETUID
+	SNR_SETGID                  ScmpSyscall = SYS_SETGID
+	SNR_GETEUID                 ScmpSyscall = SYS_GETEUID
+	SNR_GETEGID                 ScmpSyscall = SYS_GETEGID
+	SNR_SETPGID                 ScmpSyscall = SYS_SETPGID
+	SNR_GETPPID                 ScmpSyscall = SYS_GETPPID
+	SNR_GETPGRP                 ScmpSyscall = SYS_GETPGRP
+	SNR_SETSID                  ScmpSyscall = SYS_SETSID
+	SNR_SETREUID                ScmpSyscall = SYS_SETREUID
+	SNR_SETREGID                ScmpSyscall = SYS_SETREGID
+	SNR_GETGROUPS               ScmpSyscall = SYS_GETGROUPS
+	SNR_SETGROUPS               ScmpSyscall = SYS_SETGROUPS
+	SNR_SETRESUID               ScmpSyscall = SYS_SETRESUID
+	SNR_GETRESUID               ScmpSyscall = SYS_GETRESUID
+	SNR_SETRESGID               ScmpSyscall = SYS_SETRESGID
+	SNR_GETRESGID               ScmpSyscall = SYS_GETRESGID
+	SNR_GETPGID                 ScmpSyscall = SYS_GETPGID
+	SNR_SETFSUID                ScmpSyscall = SYS_SETFSUID
+	SNR_SETFSGID                ScmpSyscall = SYS_SETFSGID
+	SNR_GETSID                  ScmpSyscall = SYS_GETSID
+	SNR_CAPGET                  ScmpSyscall = SYS_CAPGET
+	SNR_CAPSET                  ScmpSyscall = SYS_CAPSET
+	SNR_RT_SIGPENDING           ScmpSyscall = SYS_RT_SIGPENDING
+	SNR_RT_SIGTIMEDWAIT         ScmpSyscall = SYS_RT_SIGTIMEDWAIT
+	SNR_RT_SIGQUEUEINFO         ScmpSyscall = SYS_RT_SIGQUEUEINFO
+	SNR_RT_SIGSUSPEND           ScmpSyscall = SYS_RT_SIGSUSPEND
+	SNR_SIGALTSTACK             ScmpSyscall = SYS_SIGALTSTACK
+	SNR_UTIME                   ScmpSyscall = SYS_UTIME
+	SNR_MKNOD                   ScmpSyscall = SYS_MKNOD
+	SNR_USELIB                  ScmpSyscall = SYS_USELIB
+	SNR_PERSONALITY             ScmpSyscall = SYS_PERSONALITY
+	SNR_USTAT                   ScmpSyscall = SYS_USTAT
+	SNR_STATFS                  ScmpSyscall = SYS_STATFS
+	SNR_FSTATFS                 ScmpSyscall = SYS_FSTATFS
+	SNR_SYSFS                   ScmpSyscall = SYS_SYSFS
+	SNR_GETPRIORITY             ScmpSyscall = SYS_GETPRIORITY
+	SNR_SETPRIORITY             ScmpSyscall = SYS_SETPRIORITY
+	SNR_SCHED_SETPARAM          ScmpSyscall = SYS_SCHED_SETPARAM
+	SNR_SCHED_GETPARAM          ScmpSyscall = SYS_SCHED_GETPARAM
+	SNR_SCHED_SETSCHEDULER      ScmpSyscall = SYS_SCHED_SETSCHEDULER
+	SNR_SCHED_GETSCHEDULER      ScmpSyscall = SYS_SCHED_GETSCHEDULER
+	SNR_SCHED_GET_PRIORITY_MAX  ScmpSyscall = SYS_SCHED_GET_PRIORITY_MAX
+	SNR_SCHED_GET_PRIORITY_MIN  ScmpSyscall = SYS_SCHED_GET_PRIORITY_MIN
+	SNR_SCHED_RR_GET_INTERVAL   ScmpSyscall = SYS_SCHED_RR_GET_INTERVAL
+	SNR_MLOCK                   ScmpSyscall = SYS_MLOCK
+	SNR_MUNLOCK                 ScmpSyscall = SYS_MUNLOCK
+	SNR_MLOCKALL                ScmpSyscall = SYS_MLOCKALL
+	SNR_MUNLOCKALL              ScmpSyscall = SYS_MUNLOCKALL
+	SNR_VHANGUP                 ScmpSyscall = SYS_VHANGUP
+	SNR_MODIFY_LDT              ScmpSyscall = SYS_MODIFY_LDT
+	SNR_PIVOT_ROOT              ScmpSyscall = SYS_PIVOT_ROOT
+	SNR__SYSCTL                 ScmpSyscall = SYS__SYSCTL
+	SNR_PRCTL                   ScmpSyscall = SYS_PRCTL
+	SNR_ARCH_PRCTL              ScmpSyscall = SYS_ARCH_PRCTL
+	SNR_ADJTIMEX                ScmpSyscall = SYS_ADJTIMEX
+	SNR_SETRLIMIT               ScmpSyscall = SYS_SETRLIMIT
+	SNR_CHROOT                  ScmpSyscall = SYS_CHROOT
+	SNR_SYNC                    ScmpSyscall = SYS_SYNC
+	SNR_ACCT                    ScmpSyscall = SYS_ACCT
+	SNR_SETTIMEOFDAY            ScmpSyscall = SYS_SETTIMEOFDAY
+	SNR_MOUNT                   ScmpSyscall = SYS_MOUNT
+	SNR_UMOUNT2                 ScmpSyscall = SYS_UMOUNT2
+	SNR_SWAPON                  ScmpSyscall = SYS_SWAPON
+	SNR_SWAPOFF                 ScmpSyscall = SYS_SWAPOFF
+	SNR_REBOOT                  ScmpSyscall = SYS_REBOOT
+	SNR_SETHOSTNAME             ScmpSyscall = SYS_SETHOSTNAME
+	SNR_SETDOMAINNAME           ScmpSyscall = SYS_SETDOMAINNAME
+	SNR_IOPL                    ScmpSyscall = SYS_IOPL
+	SNR_IOPERM                  ScmpSyscall = SYS_IOPERM
+	SNR_CREATE_MODULE           ScmpSyscall = SYS_CREATE_MODULE
+	SNR_INIT_MODULE             ScmpSyscall = SYS_INIT_MODULE
+	SNR_DELETE_MODULE           ScmpSyscall = SYS_DELETE_MODULE
+	SNR_GET_KERNEL_SYMS         ScmpSyscall = SYS_GET_KERNEL_SYMS
+	SNR_QUERY_MODULE            ScmpSyscall = SYS_QUERY_MODULE
+	SNR_QUOTACTL                ScmpSyscall = SYS_QUOTACTL
+	SNR_NFSSERVCTL              ScmpSyscall = SYS_NFSSERVCTL
+	SNR_GETPMSG                 ScmpSyscall = SYS_GETPMSG
+	SNR_PUTPMSG                 ScmpSyscall = SYS_PUTPMSG
+	SNR_AFS_SYSCALL             ScmpSyscall = SYS_AFS_SYSCALL
+	SNR_TUXCALL                 ScmpSyscall = SYS_TUXCALL
+	SNR_SECURITY                ScmpSyscall = SYS_SECURITY
+	SNR_GETTID                  ScmpSyscall = SYS_GETTID
+	SNR_READAHEAD               ScmpSyscall = SYS_READAHEAD
+	SNR_SETXATTR                ScmpSyscall = SYS_SETXATTR
+	SNR_LSETXATTR               ScmpSyscall = SYS_LSETXATTR
+	SNR_FSETXATTR               ScmpSyscall = SYS_FSETXATTR
+	SNR_GETXATTR                ScmpSyscall = SYS_GETXATTR
+	SNR_LGETXATTR               ScmpSyscall = SYS_LGETXATTR
+	SNR_FGETXATTR               ScmpSyscall = SYS_FGETXATTR
+	SNR_LISTXATTR               ScmpSyscall = SYS_LISTXATTR
+	SNR_LLISTXATTR              ScmpSyscall = SYS_LLISTXATTR
+	SNR_FLISTXATTR              ScmpSyscall = SYS_FLISTXATTR
+	SNR_REMOVEXATTR             ScmpSyscall = SYS_REMOVEXATTR
+	SNR_LREMOVEXATTR            ScmpSyscall = SYS_LREMOVEXATTR
+	SNR_FREMOVEXATTR            ScmpSyscall = SYS_FREMOVEXATTR
+	SNR_TKILL                   ScmpSyscall = SYS_TKILL
+	SNR_TIME                    ScmpSyscall = SYS_TIME
+	SNR_FUTEX                   ScmpSyscall = SYS_FUTEX
+	SNR_SCHED_SETAFFINITY       ScmpSyscall = SYS_SCHED_SETAFFINITY
+	SNR_SCHED_GETAFFINITY       ScmpSyscall = SYS_SCHED_GETAFFINITY
+	SNR_SET_THREAD_AREA         ScmpSyscall = SYS_SET_THREAD_AREA
+	SNR_IO_SETUP                ScmpSyscall = SYS_IO_SETUP
+	SNR_IO_DESTROY              ScmpSyscall = SYS_IO_DESTROY
+	SNR_IO_GETEVENTS            ScmpSyscall = SYS_IO_GETEVENTS
+	SNR_IO_SUBMIT               ScmpSyscall = SYS_IO_SUBMIT
+	SNR_IO_CANCEL               ScmpSyscall = SYS_IO_CANCEL
+	SNR_GET_THREAD_AREA         ScmpSyscall = SYS_GET_THREAD_AREA
+	SNR_LOOKUP_DCOOKIE          ScmpSyscall = SYS_LOOKUP_DCOOKIE
+	SNR_EPOLL_CREATE            ScmpSyscall = SYS_EPOLL_CREATE
+	SNR_EPOLL_CTL_OLD           ScmpSyscall = SYS_EPOLL_CTL_OLD
+	SNR_EPOLL_WAIT_OLD          ScmpSyscall = SYS_EPOLL_WAIT_OLD
+	SNR_REMAP_FILE_PAGES        ScmpSyscall = SYS_REMAP_FILE_PAGES
+	SNR_GETDENTS64              ScmpSyscall = SYS_GETDENTS64
+	SNR_SET_TID_ADDRESS         ScmpSyscall = SYS_SET_TID_ADDRESS
+	SNR_RESTART_SYSCALL         ScmpSyscall = SYS_RESTART_SYSCALL
+	SNR_SEMTIMEDOP              ScmpSyscall = SYS_SEMTIMEDOP
+	SNR_FADVISE64               ScmpSyscall = SYS_FADVISE64
+	SNR_TIMER_CREATE            ScmpSyscall = SYS_TIMER_CREATE
+	SNR_TIMER_SETTIME           ScmpSyscall = SYS_TIMER_SETTIME
+	SNR_TIMER_GETTIME           ScmpSyscall = SYS_TIMER_GETTIME
+	SNR_TIMER_GETOVERRUN        ScmpSyscall = SYS_TIMER_GETOVERRUN
+	SNR_TIMER_DELETE            ScmpSyscall = SYS_TIMER_DELETE
+	SNR_CLOCK_SETTIME           ScmpSyscall = SYS_CLOCK_SETTIME
+	SNR_CLOCK_GETTIME           ScmpSyscall = SYS_CLOCK_GETTIME
+	SNR_CLOCK_GETRES            ScmpSyscall = SYS_CLOCK_GETRES
+	SNR_CLOCK_NANOSLEEP         ScmpSyscall = SYS_CLOCK_NANOSLEEP
+	SNR_EXIT_GROUP              ScmpSyscall = SYS_EXIT_GROUP
+	SNR_EPOLL_WAIT              ScmpSyscall = SYS_EPOLL_WAIT
+	SNR_EPOLL_CTL               ScmpSyscall = SYS_EPOLL_CTL
+	SNR_TGKILL                  ScmpSyscall = SYS_TGKILL
+	SNR_UTIMES                  ScmpSyscall = SYS_UTIMES
+	SNR_VSERVER                 ScmpSyscall = SYS_VSERVER
+	SNR_MBIND                   ScmpSyscall = SYS_MBIND
+	SNR_SET_MEMPOLICY           ScmpSyscall = SYS_SET_MEMPOLICY
+	SNR_GET_MEMPOLICY           ScmpSyscall = SYS_GET_MEMPOLICY
+	SNR_MQ_OPEN                 ScmpSyscall = SYS_MQ_OPEN
+	SNR_MQ_UNLINK               ScmpSyscall = SYS_MQ_UNLINK
+	SNR_MQ_TIMEDSEND            ScmpSyscall = SYS_MQ_TIMEDSEND
+	SNR_MQ_TIMEDRECEIVE         ScmpSyscall = SYS_MQ_TIMEDRECEIVE
+	SNR_MQ_NOTIFY               ScmpSyscall = SYS_MQ_NOTIFY
+	SNR_MQ_GETSETATTR           ScmpSyscall = SYS_MQ_GETSETATTR
+	SNR_KEXEC_LOAD              ScmpSyscall = SYS_KEXEC_LOAD
+	SNR_WAITID                  ScmpSyscall = SYS_WAITID
+	SNR_ADD_KEY                 ScmpSyscall = SYS_ADD_KEY
+	SNR_REQUEST_KEY             ScmpSyscall = SYS_REQUEST_KEY
+	SNR_KEYCTL                  ScmpSyscall = SYS_KEYCTL
+	SNR_IOPRIO_SET              ScmpSyscall = SYS_IOPRIO_SET
+	SNR_IOPRIO_GET              ScmpSyscall = SYS_IOPRIO_GET
+	SNR_INOTIFY_INIT            ScmpSyscall = SYS_INOTIFY_INIT
+	SNR_INOTIFY_ADD_WATCH       ScmpSyscall = SYS_INOTIFY_ADD_WATCH
+	SNR_INOTIFY_RM_WATCH        ScmpSyscall = SYS_INOTIFY_RM_WATCH
+	SNR_MIGRATE_PAGES           ScmpSyscall = SYS_MIGRATE_PAGES
+	SNR_OPENAT                  ScmpSyscall = SYS_OPENAT
+	SNR_MKDIRAT                 ScmpSyscall = SYS_MKDIRAT
+	SNR_MKNODAT                 ScmpSyscall = SYS_MKNODAT
+	SNR_FCHOWNAT                ScmpSyscall = SYS_FCHOWNAT
+	SNR_FUTIMESAT               ScmpSyscall = SYS_FUTIMESAT
+	SNR_NEWFSTATAT              ScmpSyscall = SYS_NEWFSTATAT
+	SNR_UNLINKAT                ScmpSyscall = SYS_UNLINKAT
+	SNR_RENAMEAT                ScmpSyscall = SYS_RENAMEAT
+	SNR_LINKAT                  ScmpSyscall = SYS_LINKAT
+	SNR_SYMLINKAT               ScmpSyscall = SYS_SYMLINKAT
+	SNR_READLINKAT              ScmpSyscall = SYS_READLINKAT
+	SNR_FCHMODAT                ScmpSyscall = SYS_FCHMODAT
+	SNR_FACCESSAT               ScmpSyscall = SYS_FACCESSAT
+	SNR_PSELECT6                ScmpSyscall = SYS_PSELECT6
+	SNR_PPOLL                   ScmpSyscall = SYS_PPOLL
+	SNR_UNSHARE                 ScmpSyscall = SYS_UNSHARE
+	SNR_SET_ROBUST_LIST         ScmpSyscall = SYS_SET_ROBUST_LIST
+	SNR_GET_ROBUST_LIST         ScmpSyscall = SYS_GET_ROBUST_LIST
+	SNR_SPLICE                  ScmpSyscall = SYS_SPLICE
+	SNR_TEE                     ScmpSyscall = SYS_TEE
+	SNR_SYNC_FILE_RANGE         ScmpSyscall = SYS_SYNC_FILE_RANGE
+	SNR_VMSPLICE                ScmpSyscall = SYS_VMSPLICE
+	SNR_MOVE_PAGES              ScmpSyscall = SYS_MOVE_PAGES
+	SNR_UTIMENSAT               ScmpSyscall = SYS_UTIMENSAT
+	SNR_EPOLL_PWAIT             ScmpSyscall = SYS_EPOLL_PWAIT
+	SNR_SIGNALFD                ScmpSyscall = SYS_SIGNALFD
+	SNR_TIMERFD_CREATE          ScmpSyscall = SYS_TIMERFD_CREATE
+	SNR_EVENTFD                 ScmpSyscall = SYS_EVENTFD
+	SNR_FALLOCATE               ScmpSyscall = SYS_FALLOCATE
+	SNR_TIMERFD_SETTIME         ScmpSyscall = SYS_TIMERFD_SETTIME
+	SNR_TIMERFD_GETTIME         ScmpSyscall = SYS_TIMERFD_GETTIME
+	SNR_ACCEPT4                 ScmpSyscall = SYS_ACCEPT4
+	SNR_SIGNALFD4               ScmpSyscall = SYS_SIGNALFD4
+	SNR_EVENTFD2                ScmpSyscall = SYS_EVENTFD2
+	SNR_EPOLL_CREATE1           ScmpSyscall = SYS_EPOLL_CREATE1
+	SNR_DUP3                    ScmpSyscall = SYS_DUP3
+	SNR_PIPE2                   ScmpSyscall = SYS_PIPE2
+	SNR_INOTIFY_INIT1           ScmpSyscall = SYS_INOTIFY_INIT1
+	SNR_PREADV                  ScmpSyscall = SYS_PREADV
+	SNR_PWRITEV                 ScmpSyscall = SYS_PWRITEV
+	SNR_RT_TGSIGQUEUEINFO       ScmpSyscall = SYS_RT_TGSIGQUEUEINFO
+	SNR_PERF_EVENT_OPEN         ScmpSyscall = SYS_PERF_EVENT_OPEN
+	SNR_RECVMMSG                ScmpSyscall = SYS_RECVMMSG
+	SNR_FANOTIFY_INIT           ScmpSyscall = SYS_FANOTIFY_INIT
+	SNR_FANOTIFY_MARK           ScmpSyscall = SYS_FANOTIFY_MARK
+	SNR_PRLIMIT64               ScmpSyscall = SYS_PRLIMIT64
+	SNR_NAME_TO_HANDLE_AT       ScmpSyscall = SYS_NAME_TO_HANDLE_AT
+	SNR_OPEN_BY_HANDLE_AT       ScmpSyscall = SYS_OPEN_BY_HANDLE_AT
+	SNR_CLOCK_ADJTIME           ScmpSyscall = SYS_CLOCK_ADJTIME
+	SNR_SYNCFS                  ScmpSyscall = SYS_SYNCFS
+	SNR_SENDMMSG                ScmpSyscall = SYS_SENDMMSG
+	SNR_SETNS                   ScmpSyscall = SYS_SETNS
+	SNR_GETCPU                  ScmpSyscall = SYS_GETCPU
+	SNR_PROCESS_VM_READV        ScmpSyscall = SYS_PROCESS_VM_READV
+	SNR_PROCESS_VM_WRITEV       ScmpSyscall = SYS_PROCESS_VM_WRITEV
+	SNR_KCMP                    ScmpSyscall = SYS_KCMP
+	SNR_FINIT_MODULE            ScmpSyscall = SYS_FINIT_MODULE
+	SNR_SCHED_SETATTR           ScmpSyscall = SYS_SCHED_SETATTR
+	SNR_SCHED_GETATTR           ScmpSyscall = SYS_SCHED_GETATTR
+	SNR_RENAMEAT2               ScmpSyscall = SYS_RENAMEAT2
+	SNR_SECCOMP                 ScmpSyscall = SYS_SECCOMP
+	SNR_GETRANDOM               ScmpSyscall = SYS_GETRANDOM
+	SNR_MEMFD_CREATE            ScmpSyscall = SYS_MEMFD_CREATE
+	SNR_KEXEC_FILE_LOAD         ScmpSyscall = SYS_KEXEC_FILE_LOAD
+	SNR_BPF                     ScmpSyscall = SYS_BPF
+	SNR_EXECVEAT                ScmpSyscall = SYS_EXECVEAT
+	SNR_USERFAULTFD             ScmpSyscall = SYS_USERFAULTFD
+	SNR_MEMBARRIER              ScmpSyscall = SYS_MEMBARRIER
+	SNR_MLOCK2                  ScmpSyscall = SYS_MLOCK2
+	SNR_COPY_FILE_RANGE         ScmpSyscall = SYS_COPY_FILE_RANGE
+	SNR_PREADV2                 ScmpSyscall = SYS_PREADV2
+	SNR_PWRITEV2                ScmpSyscall = SYS_PWRITEV2
+	SNR_PKEY_MPROTECT           ScmpSyscall = SYS_PKEY_MPROTECT
+	SNR_PKEY_ALLOC              ScmpSyscall = SYS_PKEY_ALLOC
+	SNR_PKEY_FREE               ScmpSyscall = SYS_PKEY_FREE
+	SNR_STATX                   ScmpSyscall = SYS_STATX
+	SNR_IO_PGETEVENTS           ScmpSyscall = SYS_IO_PGETEVENTS
+	SNR_RSEQ                    ScmpSyscall = SYS_RSEQ
+	SNR_URETPROBE               ScmpSyscall = SYS_URETPROBE
+	SNR_PIDFD_SEND_SIGNAL       ScmpSyscall = SYS_PIDFD_SEND_SIGNAL
+	SNR_IO_URING_SETUP          ScmpSyscall = SYS_IO_URING_SETUP
+	SNR_IO_URING_ENTER          ScmpSyscall = SYS_IO_URING_ENTER
+	SNR_IO_URING_REGISTER       ScmpSyscall = SYS_IO_URING_REGISTER
+	SNR_OPEN_TREE               ScmpSyscall = SYS_OPEN_TREE
+	SNR_MOVE_MOUNT              ScmpSyscall = SYS_MOVE_MOUNT
+	SNR_FSOPEN                  ScmpSyscall = SYS_FSOPEN
+	SNR_FSCONFIG                ScmpSyscall = SYS_FSCONFIG
+	SNR_FSMOUNT                 ScmpSyscall = SYS_FSMOUNT
+	SNR_FSPICK                  ScmpSyscall = SYS_FSPICK
+	SNR_PIDFD_OPEN              ScmpSyscall = SYS_PIDFD_OPEN
+	SNR_CLONE3                  ScmpSyscall = SYS_CLONE3
+	SNR_CLOSE_RANGE             ScmpSyscall = SYS_CLOSE_RANGE
+	SNR_OPENAT2                 ScmpSyscall = SYS_OPENAT2
+	SNR_PIDFD_GETFD             ScmpSyscall = SYS_PIDFD_GETFD
+	SNR_FACCESSAT2              ScmpSyscall = SYS_FACCESSAT2
+	SNR_PROCESS_MADVISE         ScmpSyscall = SYS_PROCESS_MADVISE
+	SNR_EPOLL_PWAIT2            ScmpSyscall = SYS_EPOLL_PWAIT2
+	SNR_MOUNT_SETATTR           ScmpSyscall = SYS_MOUNT_SETATTR
+	SNR_QUOTACTL_FD             ScmpSyscall = SYS_QUOTACTL_FD
+	SNR_LANDLOCK_CREATE_RULESET ScmpSyscall = SYS_LANDLOCK_CREATE_RULESET
+	SNR_LANDLOCK_ADD_RULE       ScmpSyscall = SYS_LANDLOCK_ADD_RULE
+	SNR_LANDLOCK_RESTRICT_SELF  ScmpSyscall = SYS_LANDLOCK_RESTRICT_SELF
+	SNR_MEMFD_SECRET            ScmpSyscall = SYS_MEMFD_SECRET
+	SNR_PROCESS_MRELEASE        ScmpSyscall = SYS_PROCESS_MRELEASE
+	SNR_FUTEX_WAITV             ScmpSyscall = SYS_FUTEX_WAITV
+	SNR_SET_MEMPOLICY_HOME_NODE ScmpSyscall = SYS_SET_MEMPOLICY_HOME_NODE
+	SNR_CACHESTAT               ScmpSyscall = SYS_CACHESTAT
+	SNR_FCHMODAT2               ScmpSyscall = SYS_FCHMODAT2
+	SNR_MAP_SHADOW_STACK        ScmpSyscall = SYS_MAP_SHADOW_STACK
+	SNR_FUTEX_WAKE              ScmpSyscall = SYS_FUTEX_WAKE
+	SNR_FUTEX_WAIT              ScmpSyscall = SYS_FUTEX_WAIT
+	SNR_FUTEX_REQUEUE           ScmpSyscall = SYS_FUTEX_REQUEUE
+	SNR_STATMOUNT               ScmpSyscall = SYS_STATMOUNT
+	SNR_LISTMOUNT               ScmpSyscall = SYS_LISTMOUNT
+	SNR_LSM_GET_SELF_ATTR       ScmpSyscall = SYS_LSM_GET_SELF_ATTR
+	SNR_LSM_SET_SELF_ATTR       ScmpSyscall = SYS_LSM_SET_SELF_ATTR
+	SNR_LSM_LIST_MODULES        ScmpSyscall = SYS_LSM_LIST_MODULES
+	SNR_MSEAL                   ScmpSyscall = SYS_MSEAL
+)

container/std/syscall_linux_arm64.go

@@ -0,0 +1,703 @@
+// mksysnum_linux.pl /usr/include/asm/unistd_64.h
+// Code generated by the command above; DO NOT EDIT.
+
+package std
+
+import . "syscall"
+
+var syscallNum = map[string]ScmpSyscall{
+	"io_setup":                SNR_IO_SETUP,
+	"io_destroy":              SNR_IO_DESTROY,
+	"io_submit":               SNR_IO_SUBMIT,
+	"io_cancel":               SNR_IO_CANCEL,
+	"io_getevents":            SNR_IO_GETEVENTS,
+	"setxattr":                SNR_SETXATTR,
+	"lsetxattr":               SNR_LSETXATTR,
+	"fsetxattr":               SNR_FSETXATTR,
+	"getxattr":                SNR_GETXATTR,
+	"lgetxattr":               SNR_LGETXATTR,
+	"fgetxattr":               SNR_FGETXATTR,
+	"listxattr":               SNR_LISTXATTR,
+	"llistxattr":              SNR_LLISTXATTR,
+	"flistxattr":              SNR_FLISTXATTR,
+	"removexattr":             SNR_REMOVEXATTR,
+	"lremovexattr":            SNR_LREMOVEXATTR,
+	"fremovexattr":            SNR_FREMOVEXATTR,
+	"getcwd":                  SNR_GETCWD,
+	"lookup_dcookie":          SNR_LOOKUP_DCOOKIE,
+	"eventfd2":                SNR_EVENTFD2,
+	"epoll_create1":           SNR_EPOLL_CREATE1,
+	"epoll_ctl":               SNR_EPOLL_CTL,
+	"epoll_pwait":             SNR_EPOLL_PWAIT,
+	"dup":                     SNR_DUP,
+	"dup3":                    SNR_DUP3,
+	"fcntl":                   SNR_FCNTL,
+	"inotify_init1":           SNR_INOTIFY_INIT1,
+	"inotify_add_watch":       SNR_INOTIFY_ADD_WATCH,
+	"inotify_rm_watch":        SNR_INOTIFY_RM_WATCH,
+	"ioctl":                   SNR_IOCTL,
+	"ioprio_set":              SNR_IOPRIO_SET,
+	"ioprio_get":              SNR_IOPRIO_GET,
+	"flock":                   SNR_FLOCK,
+	"mknodat":                 SNR_MKNODAT,
+	"mkdirat":                 SNR_MKDIRAT,
+	"unlinkat":                SNR_UNLINKAT,
+	"symlinkat":               SNR_SYMLINKAT,
+	"linkat":                  SNR_LINKAT,
+	"renameat":                SNR_RENAMEAT,
+	"umount2":                 SNR_UMOUNT2,
+	"mount":                   SNR_MOUNT,
+	"pivot_root":              SNR_PIVOT_ROOT,
+	"nfsservctl":              SNR_NFSSERVCTL,
+	"statfs":                  SNR_STATFS,
+	"fstatfs":                 SNR_FSTATFS,
+	"truncate":                SNR_TRUNCATE,
+	"ftruncate":               SNR_FTRUNCATE,
+	"fallocate":               SNR_FALLOCATE,
+	"faccessat":               SNR_FACCESSAT,
+	"chdir":                   SNR_CHDIR,
+	"fchdir":                  SNR_FCHDIR,
+	"chroot":                  SNR_CHROOT,
+	"fchmod":                  SNR_FCHMOD,
+	"fchmodat":                SNR_FCHMODAT,
+	"fchownat":                SNR_FCHOWNAT,
+	"fchown":                  SNR_FCHOWN,
+	"openat":                  SNR_OPENAT,
+	"close":                   SNR_CLOSE,
+	"vhangup":                 SNR_VHANGUP,
+	"pipe2":                   SNR_PIPE2,
+	"quotactl":                SNR_QUOTACTL,
+	"getdents64":              SNR_GETDENTS64,
+	"lseek":                   SNR_LSEEK,
+	"read":                    SNR_READ,
+	"write":                   SNR_WRITE,
+	"readv":                   SNR_READV,
+	"writev":                  SNR_WRITEV,
+	"pread64":                 SNR_PREAD64,
+	"pwrite64":                SNR_PWRITE64,
+	"preadv":                  SNR_PREADV,
+	"pwritev":                 SNR_PWRITEV,
+	"sendfile":                SNR_SENDFILE,
+	"pselect6":                SNR_PSELECT6,
+	"ppoll":                   SNR_PPOLL,
+	"signalfd4":               SNR_SIGNALFD4,
+	"vmsplice":                SNR_VMSPLICE,
+	"splice":                  SNR_SPLICE,
+	"tee":                     SNR_TEE,
+	"readlinkat":              SNR_READLINKAT,
+	"newfstatat":              SNR_NEWFSTATAT,
+	"fstat":                   SNR_FSTAT,
+	"sync":                    SNR_SYNC,
+	"fsync":                   SNR_FSYNC,
+	"fdatasync":               SNR_FDATASYNC,
+	"sync_file_range":         SNR_SYNC_FILE_RANGE,
+	"timerfd_create":          SNR_TIMERFD_CREATE,
+	"timerfd_settime":         SNR_TIMERFD_SETTIME,
+	"timerfd_gettime":         SNR_TIMERFD_GETTIME,
+	"utimensat":               SNR_UTIMENSAT,
+	"acct":                    SNR_ACCT,
+	"capget":                  SNR_CAPGET,
+	"capset":                  SNR_CAPSET,
+	"personality":             SNR_PERSONALITY,
+	"exit":                    SNR_EXIT,
+	"exit_group":              SNR_EXIT_GROUP,
+	"waitid":                  SNR_WAITID,
+	"set_tid_address":         SNR_SET_TID_ADDRESS,
+	"unshare":                 SNR_UNSHARE,
+	"futex":                   SNR_FUTEX,
+	"set_robust_list":         SNR_SET_ROBUST_LIST,
+	"get_robust_list":         SNR_GET_ROBUST_LIST,
+	"nanosleep":               SNR_NANOSLEEP,
+	"getitimer":               SNR_GETITIMER,
+	"setitimer":               SNR_SETITIMER,
+	"kexec_load":              SNR_KEXEC_LOAD,
+	"init_module":             SNR_INIT_MODULE,
+	"delete_module":           SNR_DELETE_MODULE,
+	"timer_create":            SNR_TIMER_CREATE,
+	"timer_gettime":           SNR_TIMER_GETTIME,
+	"timer_getoverrun":        SNR_TIMER_GETOVERRUN,
+	"timer_settime":           SNR_TIMER_SETTIME,
+	"timer_delete":            SNR_TIMER_DELETE,
+	"clock_settime":           SNR_CLOCK_SETTIME,
+	"clock_gettime":           SNR_CLOCK_GETTIME,
+	"clock_getres":            SNR_CLOCK_GETRES,
+	"clock_nanosleep":         SNR_CLOCK_NANOSLEEP,
+	"syslog":                  SNR_SYSLOG,
+	"ptrace":                  SNR_PTRACE,
+	"sched_setparam":          SNR_SCHED_SETPARAM,
+	"sched_setscheduler":      SNR_SCHED_SETSCHEDULER,
+	"sched_getscheduler":      SNR_SCHED_GETSCHEDULER,
+	"sched_getparam":          SNR_SCHED_GETPARAM,
+	"sched_setaffinity":       SNR_SCHED_SETAFFINITY,
+	"sched_getaffinity":       SNR_SCHED_GETAFFINITY,
+	"sched_yield":             SNR_SCHED_YIELD,
+	"sched_get_priority_max":  SNR_SCHED_GET_PRIORITY_MAX,
+	"sched_get_priority_min":  SNR_SCHED_GET_PRIORITY_MIN,
+	"sched_rr_get_interval":   SNR_SCHED_RR_GET_INTERVAL,
+	"restart_syscall":         SNR_RESTART_SYSCALL,
+	"kill":                    SNR_KILL,
+	"tkill":                   SNR_TKILL,
+	"tgkill":                  SNR_TGKILL,
+	"sigaltstack":             SNR_SIGALTSTACK,
+	"rt_sigsuspend":           SNR_RT_SIGSUSPEND,
+	"rt_sigaction":            SNR_RT_SIGACTION,
+	"rt_sigprocmask":          SNR_RT_SIGPROCMASK,
+	"rt_sigpending":           SNR_RT_SIGPENDING,
+	"rt_sigtimedwait":         SNR_RT_SIGTIMEDWAIT,
+	"rt_sigqueueinfo":         SNR_RT_SIGQUEUEINFO,
+	"rt_sigreturn":            SNR_RT_SIGRETURN,
+	"setpriority":             SNR_SETPRIORITY,
+	"getpriority":             SNR_GETPRIORITY,
+	"reboot":                  SNR_REBOOT,
+	"setregid":                SNR_SETREGID,
+	"setgid":                  SNR_SETGID,
+	"setreuid":                SNR_SETREUID,
+	"setuid":                  SNR_SETUID,
+	"setresuid":               SNR_SETRESUID,
+	"getresuid":               SNR_GETRESUID,
+	"setresgid":               SNR_SETRESGID,
+	"getresgid":               SNR_GETRESGID,
+	"setfsuid":                SNR_SETFSUID,
+	"setfsgid":                SNR_SETFSGID,
+	"times":                   SNR_TIMES,
+	"setpgid":                 SNR_SETPGID,
+	"getpgid":                 SNR_GETPGID,
+	"getsid":                  SNR_GETSID,
+	"setsid":                  SNR_SETSID,
+	"getgroups":               SNR_GETGROUPS,
+	"setgroups":               SNR_SETGROUPS,
+	"uname":                   SNR_UNAME,
+	"sethostname":             SNR_SETHOSTNAME,
+	"setdomainname":           SNR_SETDOMAINNAME,
+	"getrlimit":               SNR_GETRLIMIT,
+	"setrlimit":               SNR_SETRLIMIT,
+	"getrusage":               SNR_GETRUSAGE,
+	"umask":                   SNR_UMASK,
+	"prctl":                   SNR_PRCTL,
+	"getcpu":                  SNR_GETCPU,
+	"gettimeofday":            SNR_GETTIMEOFDAY,
+	"settimeofday":            SNR_SETTIMEOFDAY,
+	"adjtimex":                SNR_ADJTIMEX,
+	"getpid":                  SNR_GETPID,
+	"getppid":                 SNR_GETPPID,
+	"getuid":                  SNR_GETUID,
+	"geteuid":                 SNR_GETEUID,
+	"getgid":                  SNR_GETGID,
+	"getegid":                 SNR_GETEGID,
+	"gettid":                  SNR_GETTID,
+	"sysinfo":                 SNR_SYSINFO,
+	"mq_open":                 SNR_MQ_OPEN,
+	"mq_unlink":               SNR_MQ_UNLINK,
+	"mq_timedsend":            SNR_MQ_TIMEDSEND,
+	"mq_timedreceive":         SNR_MQ_TIMEDRECEIVE,
+	"mq_notify":               SNR_MQ_NOTIFY,
+	"mq_getsetattr":           SNR_MQ_GETSETATTR,
+	"msgget":                  SNR_MSGGET,
+	"msgctl":                  SNR_MSGCTL,
+	"msgrcv":                  SNR_MSGRCV,
+	"msgsnd":                  SNR_MSGSND,
+	"semget":                  SNR_SEMGET,
+	"semctl":                  SNR_SEMCTL,
+	"semtimedop":              SNR_SEMTIMEDOP,
+	"semop":                   SNR_SEMOP,
+	"shmget":                  SNR_SHMGET,
+	"shmctl":                  SNR_SHMCTL,
+	"shmat":                   SNR_SHMAT,
+	"shmdt":                   SNR_SHMDT,
+	"socket":                  SNR_SOCKET,
+	"socketpair":              SNR_SOCKETPAIR,
+	"bind":                    SNR_BIND,
+	"listen":                  SNR_LISTEN,
+	"accept":                  SNR_ACCEPT,
+	"connect":                 SNR_CONNECT,
+	"getsockname":             SNR_GETSOCKNAME,
+	"getpeername":             SNR_GETPEERNAME,
+	"sendto":                  SNR_SENDTO,
+	"recvfrom":                SNR_RECVFROM,
+	"setsockopt":              SNR_SETSOCKOPT,
+	"getsockopt":              SNR_GETSOCKOPT,
+	"shutdown":                SNR_SHUTDOWN,
+	"sendmsg":                 SNR_SENDMSG,
+	"recvmsg":                 SNR_RECVMSG,
+	"readahead":               SNR_READAHEAD,
+	"brk":                     SNR_BRK,
+	"munmap":                  SNR_MUNMAP,
+	"mremap":                  SNR_MREMAP,
+	"add_key":                 SNR_ADD_KEY,
+	"request_key":             SNR_REQUEST_KEY,
+	"keyctl":                  SNR_KEYCTL,
+	"clone":                   SNR_CLONE,
+	"execve":                  SNR_EXECVE,
+	"mmap":                    SNR_MMAP,
+	"fadvise64":               SNR_FADVISE64,
+	"swapon":                  SNR_SWAPON,
+	"swapoff":                 SNR_SWAPOFF,
+	"mprotect":                SNR_MPROTECT,
+	"msync":                   SNR_MSYNC,
+	"mlock":                   SNR_MLOCK,
+	"munlock":                 SNR_MUNLOCK,
+	"mlockall":                SNR_MLOCKALL,
+	"munlockall":              SNR_MUNLOCKALL,
+	"mincore":                 SNR_MINCORE,
+	"madvise":                 SNR_MADVISE,
+	"remap_file_pages":        SNR_REMAP_FILE_PAGES,
+	"mbind":                   SNR_MBIND,
+	"get_mempolicy":           SNR_GET_MEMPOLICY,
+	"set_mempolicy":           SNR_SET_MEMPOLICY,
+	"migrate_pages":           SNR_MIGRATE_PAGES,
+	"move_pages":              SNR_MOVE_PAGES,
+	"rt_tgsigqueueinfo":       SNR_RT_TGSIGQUEUEINFO,
+	"perf_event_open":         SNR_PERF_EVENT_OPEN,
+	"accept4":                 SNR_ACCEPT4,
+	"recvmmsg":                SNR_RECVMMSG,
+	"wait4":                   SNR_WAIT4,
+	"prlimit64":               SNR_PRLIMIT64,
+	"fanotify_init":           SNR_FANOTIFY_INIT,
+	"fanotify_mark":           SNR_FANOTIFY_MARK,
+	"name_to_handle_at":       SNR_NAME_TO_HANDLE_AT,
+	"open_by_handle_at":       SNR_OPEN_BY_HANDLE_AT,
+	"clock_adjtime":           SNR_CLOCK_ADJTIME,
+	"syncfs":                  SNR_SYNCFS,
+	"setns":                   SNR_SETNS,
+	"sendmmsg":                SNR_SENDMMSG,
+	"process_vm_readv":        SNR_PROCESS_VM_READV,
+	"process_vm_writev":       SNR_PROCESS_VM_WRITEV,
+	"kcmp":                    SNR_KCMP,
+	"finit_module":            SNR_FINIT_MODULE,
+	"sched_setattr":           SNR_SCHED_SETATTR,
+	"sched_getattr":           SNR_SCHED_GETATTR,
+	"renameat2":               SNR_RENAMEAT2,
+	"seccomp":                 SNR_SECCOMP,
+	"getrandom":               SNR_GETRANDOM,
+	"memfd_create":            SNR_MEMFD_CREATE,
+	"bpf":                     SNR_BPF,
+	"execveat":                SNR_EXECVEAT,
+	"userfaultfd":             SNR_USERFAULTFD,
+	"membarrier":              SNR_MEMBARRIER,
+	"mlock2":                  SNR_MLOCK2,
+	"copy_file_range":         SNR_COPY_FILE_RANGE,
+	"preadv2":                 SNR_PREADV2,
+	"pwritev2":                SNR_PWRITEV2,
+	"pkey_mprotect":           SNR_PKEY_MPROTECT,
+	"pkey_alloc":              SNR_PKEY_ALLOC,
+	"pkey_free":               SNR_PKEY_FREE,
+	"statx":                   SNR_STATX,
+	"io_pgetevents":           SNR_IO_PGETEVENTS,
+	"rseq":                    SNR_RSEQ,
+	"kexec_file_load":         SNR_KEXEC_FILE_LOAD,
+	"pidfd_send_signal":       SNR_PIDFD_SEND_SIGNAL,
+	"io_uring_setup":          SNR_IO_URING_SETUP,
+	"io_uring_enter":          SNR_IO_URING_ENTER,
+	"io_uring_register":       SNR_IO_URING_REGISTER,
+	"open_tree":               SNR_OPEN_TREE,
+	"move_mount":              SNR_MOVE_MOUNT,
+	"fsopen":                  SNR_FSOPEN,
+	"fsconfig":                SNR_FSCONFIG,
+	"fsmount":                 SNR_FSMOUNT,
+	"fspick":                  SNR_FSPICK,
+	"pidfd_open":              SNR_PIDFD_OPEN,
+	"clone3":                  SNR_CLONE3,
+	"close_range":             SNR_CLOSE_RANGE,
+	"openat2":                 SNR_OPENAT2,
+	"pidfd_getfd":             SNR_PIDFD_GETFD,
+	"faccessat2":              SNR_FACCESSAT2,
+	"process_madvise":         SNR_PROCESS_MADVISE,
+	"epoll_pwait2":            SNR_EPOLL_PWAIT2,
+	"mount_setattr":           SNR_MOUNT_SETATTR,
+	"quotactl_fd":             SNR_QUOTACTL_FD,
+	"landlock_create_ruleset": SNR_LANDLOCK_CREATE_RULESET,
+	"landlock_add_rule":       SNR_LANDLOCK_ADD_RULE,
+	"landlock_restrict_self":  SNR_LANDLOCK_RESTRICT_SELF,
+	"memfd_secret":            SNR_MEMFD_SECRET,
+	"process_mrelease":        SNR_PROCESS_MRELEASE,
+	"futex_waitv":             SNR_FUTEX_WAITV,
+	"set_mempolicy_home_node": SNR_SET_MEMPOLICY_HOME_NODE,
+	"cachestat":               SNR_CACHESTAT,
+	"fchmodat2":               SNR_FCHMODAT2,
+	"map_shadow_stack":        SNR_MAP_SHADOW_STACK,
+	"futex_wake":              SNR_FUTEX_WAKE,
+	"futex_wait":              SNR_FUTEX_WAIT,
+	"futex_requeue":           SNR_FUTEX_REQUEUE,
+	"statmount":               SNR_STATMOUNT,
+	"listmount":               SNR_LISTMOUNT,
+	"lsm_get_self_attr":       SNR_LSM_GET_SELF_ATTR,
+	"lsm_set_self_attr":       SNR_LSM_SET_SELF_ATTR,
+	"lsm_list_modules":        SNR_LSM_LIST_MODULES,
+	"mseal":                   SNR_MSEAL,
+}
+
+const (
+	SYS_USERFAULTFD             = 282
+	SYS_MEMBARRIER              = 283
+	SYS_MLOCK2                  = 284
+	SYS_COPY_FILE_RANGE         = 285
+	SYS_PREADV2                 = 286
+	SYS_PWRITEV2                = 287
+	SYS_PKEY_MPROTECT           = 288
+	SYS_PKEY_ALLOC              = 289
+	SYS_PKEY_FREE               = 290
+	SYS_STATX                   = 291
+	SYS_IO_PGETEVENTS           = 292
+	SYS_RSEQ                    = 293
+	SYS_KEXEC_FILE_LOAD         = 294
+	SYS_PIDFD_SEND_SIGNAL       = 424
+	SYS_IO_URING_SETUP          = 425
+	SYS_IO_URING_ENTER          = 426
+	SYS_IO_URING_REGISTER       = 427
+	SYS_OPEN_TREE               = 428
+	SYS_MOVE_MOUNT              = 429
+	SYS_FSOPEN                  = 430
+	SYS_FSCONFIG                = 431
+	SYS_FSMOUNT                 = 432
+	SYS_FSPICK                  = 433
+	SYS_PIDFD_OPEN              = 434
+	SYS_CLONE3                  = 435
+	SYS_CLOSE_RANGE             = 436
+	SYS_OPENAT2                 = 437
+	SYS_PIDFD_GETFD             = 438
+	SYS_FACCESSAT2              = 439
+	SYS_PROCESS_MADVISE         = 440
+	SYS_EPOLL_PWAIT2            = 441
+	SYS_MOUNT_SETATTR           = 442
+	SYS_QUOTACTL_FD             = 443
+	SYS_LANDLOCK_CREATE_RULESET = 444
+	SYS_LANDLOCK_ADD_RULE       = 445
+	SYS_LANDLOCK_RESTRICT_SELF  = 446
+	SYS_MEMFD_SECRET            = 447
+	SYS_PROCESS_MRELEASE        = 448
+	SYS_FUTEX_WAITV             = 449
+	SYS_SET_MEMPOLICY_HOME_NODE = 450
+	SYS_CACHESTAT               = 451
+	SYS_FCHMODAT2               = 452
+	SYS_MAP_SHADOW_STACK        = 453
+	SYS_FUTEX_WAKE              = 454
+	SYS_FUTEX_WAIT              = 455
+	SYS_FUTEX_REQUEUE           = 456
+	SYS_STATMOUNT               = 457
+	SYS_LISTMOUNT               = 458
+	SYS_LSM_GET_SELF_ATTR       = 459
+	SYS_LSM_SET_SELF_ATTR       = 460
+	SYS_LSM_LIST_MODULES        = 461
+	SYS_MSEAL                   = 462
+)
+
+const (
+	SNR_IO_SETUP                ScmpSyscall = SYS_IO_SETUP
+	SNR_IO_DESTROY              ScmpSyscall = SYS_IO_DESTROY
+	SNR_IO_SUBMIT               ScmpSyscall = SYS_IO_SUBMIT
+	SNR_IO_CANCEL               ScmpSyscall = SYS_IO_CANCEL
+	SNR_IO_GETEVENTS            ScmpSyscall = SYS_IO_GETEVENTS
+	SNR_SETXATTR                ScmpSyscall = SYS_SETXATTR
+	SNR_LSETXATTR               ScmpSyscall = SYS_LSETXATTR
+	SNR_FSETXATTR               ScmpSyscall = SYS_FSETXATTR
+	SNR_GETXATTR                ScmpSyscall = SYS_GETXATTR
+	SNR_LGETXATTR               ScmpSyscall = SYS_LGETXATTR
+	SNR_FGETXATTR               ScmpSyscall = SYS_FGETXATTR
+	SNR_LISTXATTR               ScmpSyscall = SYS_LISTXATTR
+	SNR_LLISTXATTR              ScmpSyscall = SYS_LLISTXATTR
+	SNR_FLISTXATTR              ScmpSyscall = SYS_FLISTXATTR
+	SNR_REMOVEXATTR             ScmpSyscall = SYS_REMOVEXATTR
+	SNR_LREMOVEXATTR            ScmpSyscall = SYS_LREMOVEXATTR
+	SNR_FREMOVEXATTR            ScmpSyscall = SYS_FREMOVEXATTR
+	SNR_GETCWD                  ScmpSyscall = SYS_GETCWD
+	SNR_LOOKUP_DCOOKIE          ScmpSyscall = SYS_LOOKUP_DCOOKIE
+	SNR_EVENTFD2                ScmpSyscall = SYS_EVENTFD2
+	SNR_EPOLL_CREATE1           ScmpSyscall = SYS_EPOLL_CREATE1
+	SNR_EPOLL_CTL               ScmpSyscall = SYS_EPOLL_CTL
+	SNR_EPOLL_PWAIT             ScmpSyscall = SYS_EPOLL_PWAIT
+	SNR_DUP                     ScmpSyscall = SYS_DUP
+	SNR_DUP3                    ScmpSyscall = SYS_DUP3
+	SNR_FCNTL                   ScmpSyscall = SYS_FCNTL
+	SNR_INOTIFY_INIT1           ScmpSyscall = SYS_INOTIFY_INIT1
+	SNR_INOTIFY_ADD_WATCH       ScmpSyscall = SYS_INOTIFY_ADD_WATCH
+	SNR_INOTIFY_RM_WATCH        ScmpSyscall = SYS_INOTIFY_RM_WATCH
+	SNR_IOCTL                   ScmpSyscall = SYS_IOCTL
+	SNR_IOPRIO_SET              ScmpSyscall = SYS_IOPRIO_SET
+	SNR_IOPRIO_GET              ScmpSyscall = SYS_IOPRIO_GET
+	SNR_FLOCK                   ScmpSyscall = SYS_FLOCK
+	SNR_MKNODAT                 ScmpSyscall = SYS_MKNODAT
+	SNR_MKDIRAT                 ScmpSyscall = SYS_MKDIRAT
+	SNR_UNLINKAT                ScmpSyscall = SYS_UNLINKAT
+	SNR_SYMLINKAT               ScmpSyscall = SYS_SYMLINKAT
+	SNR_LINKAT                  ScmpSyscall = SYS_LINKAT
+	SNR_RENAMEAT                ScmpSyscall = SYS_RENAMEAT
+	SNR_UMOUNT2                 ScmpSyscall = SYS_UMOUNT2
+	SNR_MOUNT                   ScmpSyscall = SYS_MOUNT
+	SNR_PIVOT_ROOT              ScmpSyscall = SYS_PIVOT_ROOT
+	SNR_NFSSERVCTL              ScmpSyscall = SYS_NFSSERVCTL
+	SNR_STATFS                  ScmpSyscall = SYS_STATFS
+	SNR_FSTATFS                 ScmpSyscall = SYS_FSTATFS
+	SNR_TRUNCATE                ScmpSyscall = SYS_TRUNCATE
+	SNR_FTRUNCATE               ScmpSyscall = SYS_FTRUNCATE
+	SNR_FALLOCATE               ScmpSyscall = SYS_FALLOCATE
+	SNR_FACCESSAT               ScmpSyscall = SYS_FACCESSAT
+	SNR_CHDIR                   ScmpSyscall = SYS_CHDIR
+	SNR_FCHDIR                  ScmpSyscall = SYS_FCHDIR
+	SNR_CHROOT                  ScmpSyscall = SYS_CHROOT
+	SNR_FCHMOD                  ScmpSyscall = SYS_FCHMOD
+	SNR_FCHMODAT                ScmpSyscall = SYS_FCHMODAT
+	SNR_FCHOWNAT                ScmpSyscall = SYS_FCHOWNAT
+	SNR_FCHOWN                  ScmpSyscall = SYS_FCHOWN
+	SNR_OPENAT                  ScmpSyscall = SYS_OPENAT
+	SNR_CLOSE                   ScmpSyscall = SYS_CLOSE
+	SNR_VHANGUP                 ScmpSyscall = SYS_VHANGUP
+	SNR_PIPE2                   ScmpSyscall = SYS_PIPE2
+	SNR_QUOTACTL                ScmpSyscall = SYS_QUOTACTL
+	SNR_GETDENTS64              ScmpSyscall = SYS_GETDENTS64
+	SNR_LSEEK                   ScmpSyscall = SYS_LSEEK
+	SNR_READ                    ScmpSyscall = SYS_READ
+	SNR_WRITE                   ScmpSyscall = SYS_WRITE
+	SNR_READV                   ScmpSyscall = SYS_READV
+	SNR_WRITEV                  ScmpSyscall = SYS_WRITEV
+	SNR_PREAD64                 ScmpSyscall = SYS_PREAD64
+	SNR_PWRITE64                ScmpSyscall = SYS_PWRITE64
+	SNR_PREADV                  ScmpSyscall = SYS_PREADV
+	SNR_PWRITEV                 ScmpSyscall = SYS_PWRITEV
+	SNR_SENDFILE                ScmpSyscall = SYS_SENDFILE
+	SNR_PSELECT6                ScmpSyscall = SYS_PSELECT6
+	SNR_PPOLL                   ScmpSyscall = SYS_PPOLL
+	SNR_SIGNALFD4               ScmpSyscall = SYS_SIGNALFD4
+	SNR_VMSPLICE                ScmpSyscall = SYS_VMSPLICE
+	SNR_SPLICE                  ScmpSyscall = SYS_SPLICE
+	SNR_TEE                     ScmpSyscall = SYS_TEE
+	SNR_READLINKAT              ScmpSyscall = SYS_READLINKAT
+	SNR_NEWFSTATAT              ScmpSyscall = SYS_NEWFSTATAT
+	SNR_FSTAT                   ScmpSyscall = SYS_FSTAT
+	SNR_SYNC                    ScmpSyscall = SYS_SYNC
+	SNR_FSYNC                   ScmpSyscall = SYS_FSYNC
+	SNR_FDATASYNC               ScmpSyscall = SYS_FDATASYNC
+	SNR_SYNC_FILE_RANGE         ScmpSyscall = SYS_SYNC_FILE_RANGE
+	SNR_TIMERFD_CREATE          ScmpSyscall = SYS_TIMERFD_CREATE
+	SNR_TIMERFD_SETTIME         ScmpSyscall = SYS_TIMERFD_SETTIME
+	SNR_TIMERFD_GETTIME         ScmpSyscall = SYS_TIMERFD_GETTIME
+	SNR_UTIMENSAT               ScmpSyscall = SYS_UTIMENSAT
+	SNR_ACCT                    ScmpSyscall = SYS_ACCT
+	SNR_CAPGET                  ScmpSyscall = SYS_CAPGET
+	SNR_CAPSET                  ScmpSyscall = SYS_CAPSET
+	SNR_PERSONALITY             ScmpSyscall = SYS_PERSONALITY
+	SNR_EXIT                    ScmpSyscall = SYS_EXIT
+	SNR_EXIT_GROUP              ScmpSyscall = SYS_EXIT_GROUP
+	SNR_WAITID                  ScmpSyscall = SYS_WAITID
+	SNR_SET_TID_ADDRESS         ScmpSyscall = SYS_SET_TID_ADDRESS
+	SNR_UNSHARE                 ScmpSyscall = SYS_UNSHARE
+	SNR_FUTEX                   ScmpSyscall = SYS_FUTEX
+	SNR_SET_ROBUST_LIST         ScmpSyscall = SYS_SET_ROBUST_LIST
+	SNR_GET_ROBUST_LIST         ScmpSyscall = SYS_GET_ROBUST_LIST
+	SNR_NANOSLEEP               ScmpSyscall = SYS_NANOSLEEP
+	SNR_GETITIMER               ScmpSyscall = SYS_GETITIMER
+	SNR_SETITIMER               ScmpSyscall = SYS_SETITIMER
+	SNR_KEXEC_LOAD              ScmpSyscall = SYS_KEXEC_LOAD
+	SNR_INIT_MODULE             ScmpSyscall = SYS_INIT_MODULE
+	SNR_DELETE_MODULE           ScmpSyscall = SYS_DELETE_MODULE
+	SNR_TIMER_CREATE            ScmpSyscall = SYS_TIMER_CREATE
+	SNR_TIMER_GETTIME           ScmpSyscall = SYS_TIMER_GETTIME
+	SNR_TIMER_GETOVERRUN        ScmpSyscall = SYS_TIMER_GETOVERRUN
+	SNR_TIMER_SETTIME           ScmpSyscall = SYS_TIMER_SETTIME
+	SNR_TIMER_DELETE            ScmpSyscall = SYS_TIMER_DELETE
+	SNR_CLOCK_SETTIME           ScmpSyscall = SYS_CLOCK_SETTIME
+	SNR_CLOCK_GETTIME           ScmpSyscall = SYS_CLOCK_GETTIME
+	SNR_CLOCK_GETRES            ScmpSyscall = SYS_CLOCK_GETRES
+	SNR_CLOCK_NANOSLEEP         ScmpSyscall = SYS_CLOCK_NANOSLEEP
+	SNR_SYSLOG                  ScmpSyscall = SYS_SYSLOG
+	SNR_PTRACE                  ScmpSyscall = SYS_PTRACE
+	SNR_SCHED_SETPARAM          ScmpSyscall = SYS_SCHED_SETPARAM
+	SNR_SCHED_SETSCHEDULER      ScmpSyscall = SYS_SCHED_SETSCHEDULER
+	SNR_SCHED_GETSCHEDULER      ScmpSyscall = SYS_SCHED_GETSCHEDULER
+	SNR_SCHED_GETPARAM          ScmpSyscall = SYS_SCHED_GETPARAM
+	SNR_SCHED_SETAFFINITY       ScmpSyscall = SYS_SCHED_SETAFFINITY
+	SNR_SCHED_GETAFFINITY       ScmpSyscall = SYS_SCHED_GETAFFINITY
+	SNR_SCHED_YIELD             ScmpSyscall = SYS_SCHED_YIELD
+	SNR_SCHED_GET_PRIORITY_MAX  ScmpSyscall = SYS_SCHED_GET_PRIORITY_MAX
+	SNR_SCHED_GET_PRIORITY_MIN  ScmpSyscall = SYS_SCHED_GET_PRIORITY_MIN
+	SNR_SCHED_RR_GET_INTERVAL   ScmpSyscall = SYS_SCHED_RR_GET_INTERVAL
+	SNR_RESTART_SYSCALL         ScmpSyscall = SYS_RESTART_SYSCALL
+	SNR_KILL                    ScmpSyscall = SYS_KILL
+	SNR_TKILL                   ScmpSyscall = SYS_TKILL
+	SNR_TGKILL                  ScmpSyscall = SYS_TGKILL
+	SNR_SIGALTSTACK             ScmpSyscall = SYS_SIGALTSTACK
+	SNR_RT_SIGSUSPEND           ScmpSyscall = SYS_RT_SIGSUSPEND
+	SNR_RT_SIGACTION            ScmpSyscall = SYS_RT_SIGACTION
+	SNR_RT_SIGPROCMASK          ScmpSyscall = SYS_RT_SIGPROCMASK
+	SNR_RT_SIGPENDING           ScmpSyscall = SYS_RT_SIGPENDING
+	SNR_RT_SIGTIMEDWAIT         ScmpSyscall = SYS_RT_SIGTIMEDWAIT
+	SNR_RT_SIGQUEUEINFO         ScmpSyscall = SYS_RT_SIGQUEUEINFO
+	SNR_RT_SIGRETURN            ScmpSyscall = SYS_RT_SIGRETURN
+	SNR_SETPRIORITY             ScmpSyscall = SYS_SETPRIORITY
+	SNR_GETPRIORITY             ScmpSyscall = SYS_GETPRIORITY
+	SNR_REBOOT                  ScmpSyscall = SYS_REBOOT
+	SNR_SETREGID                ScmpSyscall = SYS_SETREGID
+	SNR_SETGID                  ScmpSyscall = SYS_SETGID
+	SNR_SETREUID                ScmpSyscall = SYS_SETREUID
+	SNR_SETUID                  ScmpSyscall = SYS_SETUID
+	SNR_SETRESUID               ScmpSyscall = SYS_SETRESUID
+	SNR_GETRESUID               ScmpSyscall = SYS_GETRESUID
+	SNR_SETRESGID               ScmpSyscall = SYS_SETRESGID
+	SNR_GETRESGID               ScmpSyscall = SYS_GETRESGID
+	SNR_SETFSUID                ScmpSyscall = SYS_SETFSUID
+	SNR_SETFSGID                ScmpSyscall = SYS_SETFSGID
+	SNR_TIMES                   ScmpSyscall = SYS_TIMES
+	SNR_SETPGID                 ScmpSyscall = SYS_SETPGID
+	SNR_GETPGID                 ScmpSyscall = SYS_GETPGID
+	SNR_GETSID                  ScmpSyscall = SYS_GETSID
+	SNR_SETSID                  ScmpSyscall = SYS_SETSID
+	SNR_GETGROUPS               ScmpSyscall = SYS_GETGROUPS
+	SNR_SETGROUPS               ScmpSyscall = SYS_SETGROUPS
+	SNR_UNAME                   ScmpSyscall = SYS_UNAME
+	SNR_SETHOSTNAME             ScmpSyscall = SYS_SETHOSTNAME
+	SNR_SETDOMAINNAME           ScmpSyscall = SYS_SETDOMAINNAME
+	SNR_GETRLIMIT               ScmpSyscall = SYS_GETRLIMIT
+	SNR_SETRLIMIT               ScmpSyscall = SYS_SETRLIMIT
+	SNR_GETRUSAGE               ScmpSyscall = SYS_GETRUSAGE
+	SNR_UMASK                   ScmpSyscall = SYS_UMASK
+	SNR_PRCTL                   ScmpSyscall = SYS_PRCTL
+	SNR_GETCPU                  ScmpSyscall = SYS_GETCPU
+	SNR_GETTIMEOFDAY            ScmpSyscall = SYS_GETTIMEOFDAY
+	SNR_SETTIMEOFDAY            ScmpSyscall = SYS_SETTIMEOFDAY
+	SNR_ADJTIMEX                ScmpSyscall = SYS_ADJTIMEX
+	SNR_GETPID                  ScmpSyscall = SYS_GETPID
+	SNR_GETPPID                 ScmpSyscall = SYS_GETPPID
+	SNR_GETUID                  ScmpSyscall = SYS_GETUID
+	SNR_GETEUID                 ScmpSyscall = SYS_GETEUID
+	SNR_GETGID                  ScmpSyscall = SYS_GETGID
+	SNR_GETEGID                 ScmpSyscall = SYS_GETEGID
+	SNR_GETTID                  ScmpSyscall = SYS_GETTID
+	SNR_SYSINFO                 ScmpSyscall = SYS_SYSINFO
+	SNR_MQ_OPEN                 ScmpSyscall = SYS_MQ_OPEN
+	SNR_MQ_UNLINK               ScmpSyscall = SYS_MQ_UNLINK
+	SNR_MQ_TIMEDSEND            ScmpSyscall = SYS_MQ_TIMEDSEND
+	SNR_MQ_TIMEDRECEIVE         ScmpSyscall = SYS_MQ_TIMEDRECEIVE
+	SNR_MQ_NOTIFY               ScmpSyscall = SYS_MQ_NOTIFY
+	SNR_MQ_GETSETATTR           ScmpSyscall = SYS_MQ_GETSETATTR
+	SNR_MSGGET                  ScmpSyscall = SYS_MSGGET
+	SNR_MSGCTL                  ScmpSyscall = SYS_MSGCTL
+	SNR_MSGRCV                  ScmpSyscall = SYS_MSGRCV
+	SNR_MSGSND                  ScmpSyscall = SYS_MSGSND
+	SNR_SEMGET                  ScmpSyscall = SYS_SEMGET
+	SNR_SEMCTL                  ScmpSyscall = SYS_SEMCTL
+	SNR_SEMTIMEDOP              ScmpSyscall = SYS_SEMTIMEDOP
+	SNR_SEMOP                   ScmpSyscall = SYS_SEMOP
+	SNR_SHMGET                  ScmpSyscall = SYS_SHMGET
+	SNR_SHMCTL                  ScmpSyscall = SYS_SHMCTL
+	SNR_SHMAT                   ScmpSyscall = SYS_SHMAT
+	SNR_SHMDT                   ScmpSyscall = SYS_SHMDT
+	SNR_SOCKET                  ScmpSyscall = SYS_SOCKET
+	SNR_SOCKETPAIR              ScmpSyscall = SYS_SOCKETPAIR
+	SNR_BIND                    ScmpSyscall = SYS_BIND
+	SNR_LISTEN                  ScmpSyscall = SYS_LISTEN
+	SNR_ACCEPT                  ScmpSyscall = SYS_ACCEPT
+	SNR_CONNECT                 ScmpSyscall = SYS_CONNECT
+	SNR_GETSOCKNAME             ScmpSyscall = SYS_GETSOCKNAME
+	SNR_GETPEERNAME             ScmpSyscall = SYS_GETPEERNAME
+	SNR_SENDTO                  ScmpSyscall = SYS_SENDTO
+	SNR_RECVFROM                ScmpSyscall = SYS_RECVFROM
+	SNR_SETSOCKOPT              ScmpSyscall = SYS_SETSOCKOPT
+	SNR_GETSOCKOPT              ScmpSyscall = SYS_GETSOCKOPT
+	SNR_SHUTDOWN                ScmpSyscall = SYS_SHUTDOWN
+	SNR_SENDMSG                 ScmpSyscall = SYS_SENDMSG
+	SNR_RECVMSG                 ScmpSyscall = SYS_RECVMSG
+	SNR_READAHEAD               ScmpSyscall = SYS_READAHEAD
+	SNR_BRK                     ScmpSyscall = SYS_BRK
+	SNR_MUNMAP                  ScmpSyscall = SYS_MUNMAP
+	SNR_MREMAP                  ScmpSyscall = SYS_MREMAP
+	SNR_ADD_KEY                 ScmpSyscall = SYS_ADD_KEY
+	SNR_REQUEST_KEY             ScmpSyscall = SYS_REQUEST_KEY
+	SNR_KEYCTL                  ScmpSyscall = SYS_KEYCTL
+	SNR_CLONE                   ScmpSyscall = SYS_CLONE
+	SNR_EXECVE                  ScmpSyscall = SYS_EXECVE
+	SNR_MMAP                    ScmpSyscall = SYS_MMAP
+	SNR_FADVISE64               ScmpSyscall = SYS_FADVISE64
+	SNR_SWAPON                  ScmpSyscall = SYS_SWAPON
+	SNR_SWAPOFF                 ScmpSyscall = SYS_SWAPOFF
+	SNR_MPROTECT                ScmpSyscall = SYS_MPROTECT
+	SNR_MSYNC                   ScmpSyscall = SYS_MSYNC
+	SNR_MLOCK                   ScmpSyscall = SYS_MLOCK
+	SNR_MUNLOCK                 ScmpSyscall = SYS_MUNLOCK
+	SNR_MLOCKALL                ScmpSyscall = SYS_MLOCKALL
+	SNR_MUNLOCKALL              ScmpSyscall = SYS_MUNLOCKALL
+	SNR_MINCORE                 ScmpSyscall = SYS_MINCORE
+	SNR_MADVISE                 ScmpSyscall = SYS_MADVISE
+	SNR_REMAP_FILE_PAGES        ScmpSyscall = SYS_REMAP_FILE_PAGES
+	SNR_MBIND                   ScmpSyscall = SYS_MBIND
+	SNR_GET_MEMPOLICY           ScmpSyscall = SYS_GET_MEMPOLICY
+	SNR_SET_MEMPOLICY           ScmpSyscall = SYS_SET_MEMPOLICY
+	SNR_MIGRATE_PAGES           ScmpSyscall = SYS_MIGRATE_PAGES
+	SNR_MOVE_PAGES              ScmpSyscall = SYS_MOVE_PAGES
+	SNR_RT_TGSIGQUEUEINFO       ScmpSyscall = SYS_RT_TGSIGQUEUEINFO
+	SNR_PERF_EVENT_OPEN         ScmpSyscall = SYS_PERF_EVENT_OPEN
+	SNR_ACCEPT4                 ScmpSyscall = SYS_ACCEPT4
+	SNR_RECVMMSG                ScmpSyscall = SYS_RECVMMSG
+	SNR_WAIT4                   ScmpSyscall = SYS_WAIT4
+	SNR_PRLIMIT64               ScmpSyscall = SYS_PRLIMIT64
+	SNR_FANOTIFY_INIT           ScmpSyscall = SYS_FANOTIFY_INIT
+	SNR_FANOTIFY_MARK           ScmpSyscall = SYS_FANOTIFY_MARK
+	SNR_NAME_TO_HANDLE_AT       ScmpSyscall = SYS_NAME_TO_HANDLE_AT
+	SNR_OPEN_BY_HANDLE_AT       ScmpSyscall = SYS_OPEN_BY_HANDLE_AT
+	SNR_CLOCK_ADJTIME           ScmpSyscall = SYS_CLOCK_ADJTIME
+	SNR_SYNCFS                  ScmpSyscall = SYS_SYNCFS
+	SNR_SETNS                   ScmpSyscall = SYS_SETNS
+	SNR_SENDMMSG                ScmpSyscall = SYS_SENDMMSG
+	SNR_PROCESS_VM_READV        ScmpSyscall = SYS_PROCESS_VM_READV
+	SNR_PROCESS_VM_WRITEV       ScmpSyscall = SYS_PROCESS_VM_WRITEV
+	SNR_KCMP                    ScmpSyscall = SYS_KCMP
+	SNR_FINIT_MODULE            ScmpSyscall = SYS_FINIT_MODULE
+	SNR_SCHED_SETATTR           ScmpSyscall = SYS_SCHED_SETATTR
+	SNR_SCHED_GETATTR           ScmpSyscall = SYS_SCHED_GETATTR
+	SNR_RENAMEAT2               ScmpSyscall = SYS_RENAMEAT2
+	SNR_SECCOMP                 ScmpSyscall = SYS_SECCOMP
+	SNR_GETRANDOM               ScmpSyscall = SYS_GETRANDOM
+	SNR_MEMFD_CREATE            ScmpSyscall = SYS_MEMFD_CREATE
+	SNR_BPF                     ScmpSyscall = SYS_BPF
+	SNR_EXECVEAT                ScmpSyscall = SYS_EXECVEAT
+	SNR_USERFAULTFD             ScmpSyscall = SYS_USERFAULTFD
+	SNR_MEMBARRIER              ScmpSyscall = SYS_MEMBARRIER
+	SNR_MLOCK2                  ScmpSyscall = SYS_MLOCK2
+	SNR_COPY_FILE_RANGE         ScmpSyscall = SYS_COPY_FILE_RANGE
+	SNR_PREADV2                 ScmpSyscall = SYS_PREADV2
+	SNR_PWRITEV2                ScmpSyscall = SYS_PWRITEV2
+	SNR_PKEY_MPROTECT           ScmpSyscall = SYS_PKEY_MPROTECT
+	SNR_PKEY_ALLOC              ScmpSyscall = SYS_PKEY_ALLOC
+	SNR_PKEY_FREE               ScmpSyscall = SYS_PKEY_FREE
+	SNR_STATX                   ScmpSyscall = SYS_STATX
+	SNR_IO_PGETEVENTS           ScmpSyscall = SYS_IO_PGETEVENTS
+	SNR_RSEQ                    ScmpSyscall = SYS_RSEQ
+	SNR_KEXEC_FILE_LOAD         ScmpSyscall = SYS_KEXEC_FILE_LOAD
+	SNR_PIDFD_SEND_SIGNAL       ScmpSyscall = SYS_PIDFD_SEND_SIGNAL
+	SNR_IO_URING_SETUP          ScmpSyscall = SYS_IO_URING_SETUP
+	SNR_IO_URING_ENTER          ScmpSyscall = SYS_IO_URING_ENTER
+	SNR_IO_URING_REGISTER       ScmpSyscall = SYS_IO_URING_REGISTER
+	SNR_OPEN_TREE               ScmpSyscall = SYS_OPEN_TREE
+	SNR_MOVE_MOUNT              ScmpSyscall = SYS_MOVE_MOUNT
+	SNR_FSOPEN                  ScmpSyscall = SYS_FSOPEN
+	SNR_FSCONFIG                ScmpSyscall = SYS_FSCONFIG
+	SNR_FSMOUNT                 ScmpSyscall = SYS_FSMOUNT
+	SNR_FSPICK                  ScmpSyscall = SYS_FSPICK
+	SNR_PIDFD_OPEN              ScmpSyscall = SYS_PIDFD_OPEN
+	SNR_CLONE3                  ScmpSyscall = SYS_CLONE3
+	SNR_CLOSE_RANGE             ScmpSyscall = SYS_CLOSE_RANGE
+	SNR_OPENAT2                 ScmpSyscall = SYS_OPENAT2
+	SNR_PIDFD_GETFD             ScmpSyscall = SYS_PIDFD_GETFD
+	SNR_FACCESSAT2              ScmpSyscall = SYS_FACCESSAT2
+	SNR_PROCESS_MADVISE         ScmpSyscall = SYS_PROCESS_MADVISE
+	SNR_EPOLL_PWAIT2            ScmpSyscall = SYS_EPOLL_PWAIT2
+	SNR_MOUNT_SETATTR           ScmpSyscall = SYS_MOUNT_SETATTR
+	SNR_QUOTACTL_FD             ScmpSyscall = SYS_QUOTACTL_FD
+	SNR_LANDLOCK_CREATE_RULESET ScmpSyscall = SYS_LANDLOCK_CREATE_RULESET
+	SNR_LANDLOCK_ADD_RULE       ScmpSyscall = SYS_LANDLOCK_ADD_RULE
+	SNR_LANDLOCK_RESTRICT_SELF  ScmpSyscall = SYS_LANDLOCK_RESTRICT_SELF
+	SNR_MEMFD_SECRET            ScmpSyscall = SYS_MEMFD_SECRET
+	SNR_PROCESS_MRELEASE        ScmpSyscall = SYS_PROCESS_MRELEASE
+	SNR_FUTEX_WAITV             ScmpSyscall = SYS_FUTEX_WAITV
+	SNR_SET_MEMPOLICY_HOME_NODE ScmpSyscall = SYS_SET_MEMPOLICY_HOME_NODE
+	SNR_CACHESTAT               ScmpSyscall = SYS_CACHESTAT
+	SNR_FCHMODAT2               ScmpSyscall = SYS_FCHMODAT2
+	SNR_MAP_SHADOW_STACK        ScmpSyscall = SYS_MAP_SHADOW_STACK
+	SNR_FUTEX_WAKE              ScmpSyscall = SYS_FUTEX_WAKE
+	SNR_FUTEX_WAIT              ScmpSyscall = SYS_FUTEX_WAIT
+	SNR_FUTEX_REQUEUE           ScmpSyscall = SYS_FUTEX_REQUEUE
+	SNR_STATMOUNT               ScmpSyscall = SYS_STATMOUNT
+	SNR_LISTMOUNT               ScmpSyscall = SYS_LISTMOUNT
+	SNR_LSM_GET_SELF_ATTR       ScmpSyscall = SYS_LSM_GET_SELF_ATTR
+	SNR_LSM_SET_SELF_ATTR       ScmpSyscall = SYS_LSM_SET_SELF_ATTR
+	SNR_LSM_LIST_MODULES        ScmpSyscall = SYS_LSM_LIST_MODULES
+	SNR_MSEAL                   ScmpSyscall = SYS_MSEAL
+)

container/std/syscall_test.go

@@ -0,0 +1,21 @@
+package std_test
+
+import (
+	"testing"
+
+	"hakurei.app/container/std"
+)
+
+func TestSyscallResolveName(t *testing.T) {
+	t.Parallel()
+
+	for name, want := range std.Syscalls() {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			if got, ok := std.SyscallResolveName(name); !ok || got != want {
+				t.Errorf("SyscallResolveName(%q) = %d, want %d", name, got, want)
+			}
+		})
+	}
+}

container/stub/call_test.go

@@ -8,13 +8,17 @@ import (
 )
 
 func TestCallError(t *testing.T) {
+	t.Parallel()
+
 	t.Run("contains false", func(t *testing.T) {
+		t.Parallel()
 		if err := new(stub.Call).Error(true, false, true); !reflect.DeepEqual(err, stub.ErrCheck) {
 			t.Errorf("Error: %#v, want %#v", err, stub.ErrCheck)
 		}
 	})
 
 	t.Run("passthrough", func(t *testing.T) {
+		t.Parallel()
 		wantErr := stub.UniqueError(0xbabe)
 		if err := (&stub.Call{Err: wantErr}).Error(true); !reflect.DeepEqual(err, wantErr) {
 			t.Errorf("Error: %#v, want %#v", err, wantErr)

container/stub/errors.go

@@ -13,7 +13,7 @@ var (
 type UniqueError uintptr
 
 func (e UniqueError) Error() string {
-	return "unique error " + strconv.Itoa(int(e)) + " injected by the test suite"
+	return "unique error " + strconv.FormatUint(uint64(e), 10) + " injected by the test suite"
 }
 
 func (e UniqueError) Is(target error) bool {

container/stub/errors_test.go

@@ -9,7 +9,10 @@ import (
 )
 
 func TestUniqueError(t *testing.T) {
+	t.Parallel()
+
 	t.Run("format", func(t *testing.T) {
+		t.Parallel()
 		want := "unique error 2989 injected by the test suite"
 		if got := stub.UniqueError(0xbad).Error(); got != want {
 			t.Errorf("Error: %q, want %q", got, want)
@@ -17,13 +20,17 @@ func TestUniqueError(t *testing.T) {
 	})
 
 	t.Run("is", func(t *testing.T) {
+		t.Parallel()
+
 		t.Run("type", func(t *testing.T) {
+			t.Parallel()
 			if errors.Is(stub.UniqueError(0), syscall.ENOTRECOVERABLE) {
 				t.Error("Is: unexpected true")
 			}
 		})
 
 		t.Run("val", func(t *testing.T) {
+			t.Parallel()
 			if errors.Is(stub.UniqueError(0), stub.UniqueError(1)) {
 				t.Error("Is: unexpected true")
 			}

container/stub/exit.go

@@ -3,10 +3,10 @@ package stub
 import "testing"
 
 // PanicExit is a magic panic value treated as a simulated exit.
-const PanicExit = 0xdeadbeef
+const PanicExit = 0xdead
 
 const (
-	panicFailNow = 0xcafe0000 + iota
+	panicFailNow = 0xcafe0 + iota
 	panicFatal
 	panicFatalf
 )

container/stub/exit_test.go

@@ -2,7 +2,7 @@ package stub_test
 
 import (
 	"testing"
-	_ "unsafe"
+	_ "unsafe" // for go:linkname
 
 	"hakurei.app/container/stub"
 )
@@ -32,13 +32,20 @@ func (o *overrideTFailNow) Fail() {
 }
 
 func TestHandleExit(t *testing.T) {
+	t.Parallel()
+
 	t.Run("exit", func(t *testing.T) {
+		t.Parallel()
 		defer stub.HandleExit(t)
 		panic(stub.PanicExit)
 	})
 
 	t.Run("goexit", func(t *testing.T) {
+		t.Parallel()
+
 		t.Run("FailNow", func(t *testing.T) {
+			t.Parallel()
+
 			ot := &overrideTFailNow{T: t}
 			defer func() {
 				if !ot.failNow {
@@ -46,10 +53,12 @@ func TestHandleExit(t *testing.T) {
 				}
 			}()
 			defer stub.HandleExit(ot)
-			panic(0xcafe0000)
+			panic(0xcafe0)
 		})
 
 		t.Run("Fail", func(t *testing.T) {
+			t.Parallel()
+
 			ot := &overrideTFailNow{T: t}
 			defer func() {
 				if !ot.fail {
@@ -57,28 +66,35 @@ func TestHandleExit(t *testing.T) {
 				}
 			}()
 			defer handleExitNew(ot)
-			panic(0xcafe0000)
+			panic(0xcafe0)
 		})
 	})
 
 	t.Run("nil", func(t *testing.T) {
+		t.Parallel()
 		defer stub.HandleExit(t)
 	})
 
 	t.Run("passthrough", func(t *testing.T) {
+		t.Parallel()
+
 		t.Run("toplevel", func(t *testing.T) {
+			t.Parallel()
+
 			defer func() {
-				want := 0xcafebabe
+				want := 0xcafe
 				if r := recover(); r != want {
 					t.Errorf("recover: %v, want %v", r, want)
 				}
 
 			}()
 			defer stub.HandleExit(t)
-			panic(0xcafebabe)
+			panic(0xcafe)
 		})
 
 		t.Run("new", func(t *testing.T) {
+			t.Parallel()
+
 			defer func() {
 				want := 0xcafe
 				if r := recover(); r != want {

container/stub/stub.go

@@ -45,12 +45,17 @@ func New[K any](tb testing.TB, makeK func(s *Stub[K]) K, want Expect) *Stub[K] {
 	return &Stub[K]{TB: tb, makeK: makeK, want: want, wg: new(sync.WaitGroup)}
 }
 
-func (s *Stub[K]) FailNow()                          { panic(panicFailNow) }
+func (s *Stub[K]) FailNow()          { s.Helper(); panic(panicFailNow) }
-func (s *Stub[K]) Fatal(args ...any)                 { s.Error(args...); panic(panicFatal) }
+func (s *Stub[K]) Fatal(args ...any) { s.Helper(); s.Error(args...); panic(panicFatal) }
-func (s *Stub[K]) Fatalf(format string, args ...any) { s.Errorf(format, args...); panic(panicFatalf) }
+func (s *Stub[K]) Fatalf(format string, args ...any) {
-func (s *Stub[K]) SkipNow()                          { panic("invalid call to SkipNow") }
+	s.Helper()
-func (s *Stub[K]) Skip(...any)                       { panic("invalid call to Skip") }
+	s.Errorf(format, args...)
-func (s *Stub[K]) Skipf(string, ...any)              { panic("invalid call to Skipf") }
+	panic(panicFatalf)
+}
+
+func (s *Stub[K]) SkipNow()             { s.Helper(); panic("invalid call to SkipNow") }
+func (s *Stub[K]) Skip(...any)          { s.Helper(); panic("invalid call to Skip") }
+func (s *Stub[K]) Skipf(string, ...any) { s.Helper(); panic("invalid call to Skipf") }
 
 // New calls f in a new goroutine
 func (s *Stub[K]) New(f func(k K)) {

container/stub/stub_test.go

@@ -36,49 +36,65 @@ func (t *overrideT) Errorf(format string, args ...any) {
 }
 
 func TestStub(t *testing.T) {
+	t.Parallel()
+
 	t.Run("goexit", func(t *testing.T) {
+		t.Parallel()
+
 		t.Run("FailNow", func(t *testing.T) {
+			t.Parallel()
+
 			defer func() {
 				if r := recover(); r != panicFailNow {
 					t.Errorf("recover: %v", r)
 				}
 			}()
-			new(stubHolder).FailNow()
+			stubHolder{&Stub[stubHolder]{TB: t}}.FailNow()
 		})
 
 		t.Run("SkipNow", func(t *testing.T) {
+			t.Parallel()
+
 			defer func() {
 				want := "invalid call to SkipNow"
 				if r := recover(); r != want {
 					t.Errorf("recover: %v, want %v", r, want)
 				}
 			}()
-			new(stubHolder).SkipNow()
+			stubHolder{&Stub[stubHolder]{TB: t}}.SkipNow()
 		})
 
 		t.Run("Skip", func(t *testing.T) {
+			t.Parallel()
+
 			defer func() {
 				want := "invalid call to Skip"
 				if r := recover(); r != want {
 					t.Errorf("recover: %v, want %v", r, want)
 				}
 			}()
-			new(stubHolder).Skip()
+			stubHolder{&Stub[stubHolder]{TB: t}}.Skip()
 		})
 
 		t.Run("Skipf", func(t *testing.T) {
+			t.Parallel()
+
 			defer func() {
 				want := "invalid call to Skipf"
 				if r := recover(); r != want {
 					t.Errorf("recover: %v, want %v", r, want)
 				}
 			}()
-			new(stubHolder).Skipf("")
+			stubHolder{&Stub[stubHolder]{TB: t}}.Skipf("")
 		})
 	})
 
 	t.Run("new", func(t *testing.T) {
+		t.Parallel()
+
 		t.Run("success", func(t *testing.T) {
+			t.Parallel()
+
 			s := New(t, func(s *Stub[stubHolder]) stubHolder { return stubHolder{s} }, Expect{Calls: []Call{
 				{"New", ExpectArgs{}, nil, nil},
 			}, Tracks: []Expect{{Calls: []Call{
@@ -112,6 +128,8 @@ func TestStub(t *testing.T) {
 		})
 
 		t.Run("overrun", func(t *testing.T) {
+			t.Parallel()
+
 			ot := &overrideT{T: t}
 			ot.error.Store(checkError(t, "New: track overrun"))
 			s := New(ot, func(s *Stub[stubHolder]) stubHolder { return stubHolder{s} }, Expect{Calls: []Call{
@@ -135,7 +153,11 @@ func TestStub(t *testing.T) {
 		})
 
 		t.Run("expects", func(t *testing.T) {
+			t.Parallel()
+
 			t.Run("overrun", func(t *testing.T) {
+				t.Parallel()
+
 				ot := &overrideT{T: t}
 				ot.error.Store(checkError(t, "Expects: advancing beyond expected calls"))
 				s := New(ot, func(s *Stub[stubHolder]) stubHolder { return stubHolder{s} }, Expect{})
@@ -143,7 +165,11 @@ func TestStub(t *testing.T) {
 			})
 
 			t.Run("separator", func(t *testing.T) {
+				t.Parallel()
+
 				t.Run("overrun", func(t *testing.T) {
+					t.Parallel()
+
 					ot := &overrideT{T: t}
 					ot.errorf.Store(checkErrorf(t, "Expects: func = %s, separator overrun", "meow"))
 					s := New(ot, func(s *Stub[stubHolder]) stubHolder { return stubHolder{s} }, Expect{Calls: []Call{
@@ -153,6 +179,8 @@ func TestStub(t *testing.T) {
 				})
 
 				t.Run("mismatch", func(t *testing.T) {
+					t.Parallel()
+
 					ot := &overrideT{T: t}
 					ot.errorf.Store(checkErrorf(t, "Expects: separator, want %s", "panic"))
 					s := New(ot, func(s *Stub[stubHolder]) stubHolder { return stubHolder{s} }, Expect{Calls: []Call{
@@ -163,6 +191,8 @@ func TestStub(t *testing.T) {
 			})
 
 			t.Run("mismatch", func(t *testing.T) {
+				t.Parallel()
+
 				ot := &overrideT{T: t}
 				ot.errorf.Store(checkErrorf(t, "Expects: func = %s, want %s", "meow", "nya"))
 				s := New(ot, func(s *Stub[stubHolder]) stubHolder { return stubHolder{s} }, Expect{Calls: []Call{
@@ -176,6 +206,8 @@ func TestStub(t *testing.T) {
 
 func TestCheckArg(t *testing.T) {
 	t.Run("oob negative", func(t *testing.T) {
+		t.Parallel()
+
 		defer func() {
 			want := "invalid call to CheckArg"
 			if r := recover(); r != want {
@@ -191,12 +223,14 @@ func TestCheckArg(t *testing.T) {
 		{"panic", ExpectArgs{PanicExit}, nil, nil},
 		{"meow", ExpectArgs{-1}, nil, nil},
 	}})
+
 	t.Run("match", func(t *testing.T) {
 		s.Expects("panic")
 		if !CheckArg(s, "v", PanicExit, 0) {
 			t.Errorf("CheckArg: unexpected false")
 		}
 	})
+
 	t.Run("mismatch", func(t *testing.T) {
 		defer HandleExit(t)
 		s.Expects("meow")
@@ -205,6 +239,7 @@ func TestCheckArg(t *testing.T) {
 			t.Errorf("CheckArg: unexpected true")
 		}
 	})
+
 	t.Run("oob", func(t *testing.T) {
 		s.pos++
 		defer func() {
@@ -218,7 +253,11 @@ func TestCheckArg(t *testing.T) {
 }
 
 func TestCheckArgReflect(t *testing.T) {
+	t.Parallel()
+
 	t.Run("oob lower", func(t *testing.T) {
+		t.Parallel()
+
 		defer func() {
 			want := "invalid call to CheckArgReflect"
 			if r := recover(); r != want {

container/syscall.go

@@ -1,50 +1,41 @@
 package container
 
 import (
-	"syscall"
+	. "syscall"
 	"unsafe"
 )
 
-// SetPtracer allows processes to ptrace(2) the calling process.
+// Prctl manipulates various aspects of the behavior of the calling thread or process.
-func SetPtracer(pid uintptr) error {
+func Prctl(op, arg2, arg3 uintptr) error {
-	_, _, errno := syscall.Syscall(syscall.SYS_PRCTL, syscall.PR_SET_PTRACER, pid, 0)
+	r, _, errno := Syscall(SYS_PRCTL, op, arg2, arg3)
-	if errno == 0 {
+	if r < 0 {
-		return nil
+		return errno
 	}
-	return errno
+	return nil
 }
 
+// SetPtracer allows processes to ptrace(2) the calling process.
+func SetPtracer(pid uintptr) error { return Prctl(PR_SET_PTRACER, pid, 0) }
+
+// linux/sched/coredump.h
 const (
 	SUID_DUMP_DISABLE = iota
 	SUID_DUMP_USER
 )
 
 // SetDumpable sets the "dumpable" attribute of the calling process.
-func SetDumpable(dumpable uintptr) error {
+func SetDumpable(dumpable uintptr) error { return Prctl(PR_SET_DUMPABLE, dumpable, 0) }
-	// linux/sched/coredump.h
-	if _, _, errno := syscall.Syscall(syscall.SYS_PRCTL, syscall.PR_SET_DUMPABLE, dumpable, 0); errno != 0 {
-		return errno
-	}
-
-	return nil
-}
 
 // SetNoNewPrivs sets the calling thread's no_new_privs attribute.
-func SetNoNewPrivs() error {
+func SetNoNewPrivs() error { return Prctl(PR_SET_NO_NEW_PRIVS, 1, 0) }
-	_, _, errno := syscall.Syscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0)
-	if errno == 0 {
-		return nil
-	}
-	return errno
-}
 
 // Isatty tests whether a file descriptor refers to a terminal.
 func Isatty(fd int) bool {
 	var buf [8]byte
-	r, _, _ := syscall.Syscall(
+	r, _, _ := Syscall(
-		syscall.SYS_IOCTL,
+		SYS_IOCTL,
 		uintptr(fd),
-		syscall.TIOCGWINSZ,
+		TIOCGWINSZ,
 		uintptr(unsafe.Pointer(&buf[0])),
 	)
 	return r == 0
@@ -60,7 +51,7 @@ func Isatty(fd int) bool {
 func IgnoringEINTR(fn func() error) error {
 	for {
 		err := fn()
-		if err != syscall.EINTR {
+		if err != EINTR {
 			return err
 		}
 	}