cmd/pkgserver: add status endpoint

README.md

@@ -1,5 +1,5 @@
 <p align="center">
-  <a href="https://git.gensokyo.uk/rosa/hakurei">
+  <a href="https://git.gensokyo.uk/security/hakurei">
     <picture>
       <img src="https://basement.gensokyo.uk/images/yukari1.png" width="200px" alt="Yukari">
     </picture>
@@ -8,16 +8,16 @@
 
 <p align="center">
   <a href="https://pkg.go.dev/hakurei.app"><img src="https://pkg.go.dev/badge/hakurei.app.svg" alt="Go Reference" /></a>
-  <a href="https://git.gensokyo.uk/rosa/hakurei/actions"><img src="https://git.gensokyo.uk/rosa/hakurei/actions/workflows/test.yml/badge.svg?branch=staging&style=flat-square" alt="Gitea Workflow Status" /></a>
+  <a href="https://git.gensokyo.uk/security/hakurei/actions"><img src="https://git.gensokyo.uk/security/hakurei/actions/workflows/test.yml/badge.svg?branch=staging&style=flat-square" alt="Gitea Workflow Status" /></a>
   <br/>
-  <a href="https://git.gensokyo.uk/rosa/hakurei/releases"><img src="https://img.shields.io/gitea/v/release/rosa/hakurei?gitea_url=https%3A%2F%2Fgit.gensokyo.uk&color=purple" alt="Release" /></a>
+  <a href="https://git.gensokyo.uk/security/hakurei/releases"><img src="https://img.shields.io/gitea/v/release/security/hakurei?gitea_url=https%3A%2F%2Fgit.gensokyo.uk&color=purple" alt="Release" /></a>
   <a href="https://goreportcard.com/report/hakurei.app"><img src="https://goreportcard.com/badge/hakurei.app" alt="Go Report Card" /></a>
   <a href="https://hakurei.app"><img src="https://img.shields.io/website?url=https%3A%2F%2Fhakurei.app" alt="Website" /></a>
 </p>
 
 Hakurei is a tool for running sandboxed desktop applications as dedicated
 subordinate users on the Linux kernel. It implements the application container
-of [planterette (WIP)](https://git.gensokyo.uk/rosa/planterette), a
+of [planterette (WIP)](https://git.gensokyo.uk/security/planterette), a
 self-contained Android-like package manager with modern security features.
 
 Interaction with hakurei happens entirely through structures described by

cmd/earlyinit/main.go

@@ -4,7 +4,6 @@ import (
 	"log"
 	"os"
 	"runtime"
-	"strings"
 	. "syscall"
 )
 
@@ -13,22 +12,6 @@ func main() {
 	log.SetFlags(0)
 	log.SetPrefix("earlyinit: ")
 
-	var (
-		option map[string]string
-		flags  []string
-	)
-	if len(os.Args) > 1 {
-		option = make(map[string]string)
-		for _, s := range os.Args[1:] {
-			key, value, ok := strings.Cut(s, "=")
-			if !ok {
-				flags = append(flags, s)
-				continue
-			}
-			option[key] = value
-		}
-	}
-
 	if err := Mount(
 		"devtmpfs",
 		"/dev/",
@@ -72,56 +55,4 @@ func main() {
 		}
 	}
 
-	// staying in rootfs, these are no longer used
-	must(os.Remove("/root"))
-	must(os.Remove("/init"))
-
-	must(os.Mkdir("/proc", 0))
-	mustSyscall("mount proc", Mount(
-		"proc",
-		"/proc",
-		"proc",
-		MS_NOSUID|MS_NOEXEC|MS_NODEV,
-		"hidepid=1",
-	))
-
-	must(os.Mkdir("/sys", 0))
-	mustSyscall("mount sysfs", Mount(
-		"sysfs",
-		"/sys",
-		"sysfs",
-		0,
-		"",
-	))
-
-	// after top level has been set up
-	mustSyscall("remount root", Mount(
-		"",
-		"/",
-		"",
-		MS_REMOUNT|MS_BIND|
-			MS_RDONLY|MS_NODEV|MS_NOSUID|MS_NOEXEC,
-		"",
-	))
-
-	must(os.WriteFile(
-		"/sys/module/firmware_class/parameters/path",
-		[]byte("/system/lib/firmware"),
-		0,
-	))
-
-}
-
-// mustSyscall calls [log.Fatalln] if err is non-nil.
-func mustSyscall(action string, err error) {
-	if err != nil {
-		log.Fatalln("cannot "+action+":", err)
-	}
-}
-
-// must calls [log.Fatal] with err if it is non-nil.
-func must(err error) {
-	if err != nil {
-		log.Fatal(err)
-	}
 }

cmd/hakurei/command.go

@@ -13,10 +13,9 @@ import (
 	"time"
 	_ "unsafe" // for go:linkname
 
-	"hakurei.app/check"
 	"hakurei.app/command"
-	"hakurei.app/ext"
+	"hakurei.app/container/check"
-	"hakurei.app/fhs"
+	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
 	"hakurei.app/internal/dbus"
 	"hakurei.app/internal/env"
@@ -90,9 +89,6 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 			flagHomeDir  string
 			flagUserName string
 
-			flagSchedPolicy   string
-			flagSchedPriority int
-
 			flagPrivateRuntime, flagPrivateTmpdir bool
 
 			flagWayland, flagX11, flagDBus, flagPipeWire, flagPulse bool
@@ -135,7 +131,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 					log.Fatal(optionalErrorUnwrap(err))
 					return err
 				} else if progPath, err = check.NewAbs(p); err != nil {
-					log.Fatal(err)
+					log.Fatal(err.Error())
 					return err
 				}
 			}
@@ -154,7 +150,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				et |= hst.EPipeWire
 			}
 
-			config := hst.Config{
+			config := &hst.Config{
 				ID:          flagID,
 				Identity:    flagIdentity,
 				Groups:      flagGroups,
@@ -181,13 +177,6 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				},
 			}
 
-			if err := config.SchedPolicy.UnmarshalText(
-				[]byte(flagSchedPolicy),
-			); err != nil {
-				log.Fatal(err)
-			}
-			config.SchedPriority = ext.Int(flagSchedPriority)
-
 			// bind GPU stuff
 			if et&(hst.EX11|hst.EWayland) != 0 {
 				config.Container.Filesystem = append(config.Container.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{
@@ -225,7 +214,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 					homeDir = passwd.HomeDir
 				}
 				if a, err := check.NewAbs(homeDir); err != nil {
-					log.Fatal(err)
+					log.Fatal(err.Error())
 					return err
 				} else {
 					config.Container.Home = a
@@ -245,11 +234,11 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 					config.SessionBus = dbus.NewConfig(flagID, true, flagDBusMpris)
 				} else {
 					if f, err := os.Open(flagDBusConfigSession); err != nil {
-						log.Fatal(err)
+						log.Fatal(err.Error())
 					} else {
 						decodeJSON(log.Fatal, "load session bus proxy config", f, &config.SessionBus)
 						if err = f.Close(); err != nil {
-							log.Fatal(err)
+							log.Fatal(err.Error())
 						}
 					}
 				}
@@ -257,11 +246,11 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				// system bus proxy is optional
 				if flagDBusConfigSystem != "nil" {
 					if f, err := os.Open(flagDBusConfigSystem); err != nil {
-						log.Fatal(err)
+						log.Fatal(err.Error())
 					} else {
 						decodeJSON(log.Fatal, "load system bus proxy config", f, &config.SystemBus)
 						if err = f.Close(); err != nil {
-							log.Fatal(err)
+							log.Fatal(err.Error())
 						}
 					}
 				}
@@ -277,7 +266,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				}
 			}
 
-			outcome.Main(ctx, msg, &config, -1)
+			outcome.Main(ctx, msg, config, -1)
 			panic("unreachable")
 		}).
 			Flag(&flagDBusConfigSession, "dbus-config", command.StringFlag("builtin"),
@@ -298,10 +287,6 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				"Container home directory").
 			Flag(&flagUserName, "u", command.StringFlag("chronos"),
 				"Passwd user name within sandbox").
-			Flag(&flagSchedPolicy, "policy", command.StringFlag(""),
-				"Scheduling policy to set for the container").
-			Flag(&flagSchedPriority, "priority", command.IntFlag(0),
-				"Scheduling priority to set for the container").
 			Flag(&flagPrivateRuntime, "private-runtime", command.BoolFlag(false),
 				"Do not share XDG_RUNTIME_DIR between containers under the same identity").
 			Flag(&flagPrivateTmpdir, "private-tmpdir", command.BoolFlag(false),

cmd/hakurei/command_test.go

@@ -36,7 +36,7 @@ Commands:
 		},
 		{
 			"run", []string{"run", "-h"}, `
-Usage:	hakurei run [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--policy <value>] [--priority <int>] [--private-runtime] [--private-tmpdir] [--wayland] [-X] [--dbus] [--pipewire] [--pulse] COMMAND [OPTIONS]
+Usage:	hakurei run [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--private-runtime] [--private-tmpdir] [--wayland] [-X] [--dbus] [--pipewire] [--pulse] COMMAND [OPTIONS]
 
 Flags:
   -X	Enable direct connection to X11
@@ -60,10 +60,6 @@ Flags:
     	Allow owning MPRIS D-Bus path, has no effect if custom config is available
   -pipewire
     	Enable connection to PipeWire via SecurityContext
-  -policy string
-    	Scheduling policy to set for the container
-  -priority int
-    	Scheduling priority to set for the container
   -private-runtime
     	Do not share XDG_RUNTIME_DIR between containers under the same identity
   -private-tmpdir

cmd/hakurei/json_test.go

@@ -5,7 +5,7 @@ import (
 	"strings"
 	"testing"
 
-	"hakurei.app/internal/stub"
+	"hakurei.app/container/stub"
 )
 
 func TestDecodeJSON(t *testing.T) {

cmd/hakurei/main.go

@@ -13,7 +13,6 @@ import (
 	"syscall"
 
 	"hakurei.app/container"
-	"hakurei.app/ext"
 	"hakurei.app/message"
 )
 
@@ -36,8 +35,8 @@ func main() {
 	msg := message.New(log.Default())
 
 	early := earlyHardeningErrs{
-		yamaLSM:  ext.SetPtracer(0),
+		yamaLSM:  container.SetPtracer(0),
-		dumpable: ext.SetDumpable(ext.SUID_DUMP_DISABLE),
+		dumpable: container.SetDumpable(container.SUID_DUMP_DISABLE),
 	}
 
 	if os.Geteuid() == 0 {

cmd/hakurei/parse_test.go

@@ -6,7 +6,7 @@ import (
 	"testing"
 	"time"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
 	"hakurei.app/hst"
 	"hakurei.app/internal/store"
 	"hakurei.app/message"

cmd/hakurei/print_test.go

@@ -7,7 +7,7 @@ import (
 	"testing"
 	"time"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
 	"hakurei.app/hst"
 	"hakurei.app/internal/store"
 	"hakurei.app/message"

cmd/mbf/main.go

@@ -18,13 +18,12 @@ import (
 	"time"
 	"unique"
 
-	"hakurei.app/check"
 	"hakurei.app/command"
 	"hakurei.app/container"
+	"hakurei.app/container/check"
+	"hakurei.app/container/fhs"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
-	"hakurei.app/ext"
-	"hakurei.app/fhs"
 	"hakurei.app/internal/pkg"
 	"hakurei.app/internal/rosa"
 	"hakurei.app/message"
@@ -88,7 +87,7 @@ func main() {
 		}
 
 		if flagIdle {
-			pkg.SetSchedIdle = true
+			pkg.SchedPolicy = container.SCHED_IDLE
 		}
 
 		return
@@ -176,17 +175,6 @@ func main() {
 							fmt.Println("website     : " +
 								strings.TrimSuffix(meta.Website, "/"))
 						}
-						if len(meta.Dependencies) > 0 {
-							fmt.Print("depends on  :")
-							for _, d := range meta.Dependencies {
-								s := rosa.GetMetadata(d).Name
-								if version := rosa.Std.Version(d); version != rosa.Unversioned {
-									s += "-" + version
-								}
-								fmt.Print(" " + s)
-							}
-							fmt.Println()
-						}
 
 						const statusPrefix = "status      : "
 						if flagStatus {
@@ -272,7 +260,7 @@ func main() {
 				return errors.New("report requires 1 argument")
 			}
 
-			if ext.Isatty(int(w.Fd())) {
+			if container.Isatty(int(w.Fd())) {
 				return errors.New("output appears to be a terminal")
 			}
 			return rosa.WriteReport(msg, w, cache)
@@ -436,7 +424,6 @@ func main() {
 	{
 		var (
 			flagDump string
-			flagExport string
 		)
 		c.NewCommand(
 			"cure",
@@ -449,34 +436,10 @@ func main() {
 					return fmt.Errorf("unknown artifact %q", args[0])
 				} else if flagDump == "" {
 					pathname, _, err := cache.Cure(rosa.Std.Load(p))
-					if err != nil {
+					if err == nil {
-						return err
-					}
 						log.Println(pathname)
-
-					if flagExport != "" {
-						msg.Verbosef("exporting %s to %s...", args[0], flagExport)
-
-						var f *os.File
-						if f, err = os.OpenFile(
-							flagExport,
-							os.O_WRONLY|os.O_CREATE|os.O_EXCL,
-							0400,
-						); err != nil {
-							return err
-						} else if _, err = pkg.Flatten(
-							os.DirFS(pathname.String()),
-							".",
-							f,
-						); err != nil {
-							_ = f.Close()
-							return err
-						} else if err = f.Close(); err != nil {
-							return err
 					}
-					}
+					return err
-
-					return nil
 				} else {
 					f, err := os.OpenFile(
 						flagDump,
@@ -500,11 +463,6 @@ func main() {
 				&flagDump,
 				"dump", command.StringFlag(""),
 				"Write IR to specified pathname and terminate",
-			).
-			Flag(
-				&flagExport,
-				"export", command.StringFlag(""),
-				"Export cured artifact to specified pathname",
 			)
 	}
 
@@ -519,19 +477,17 @@ func main() {
 			"shell",
 			"Interactive shell in the specified Rosa OS environment",
 			func(args []string) error {
-				presets := make([]rosa.PArtifact, len(args))
+				root := make([]pkg.Artifact, 0, 6+len(args))
-				for i, arg := range args {
+				for _, arg := range args {
 					p, ok := rosa.ResolveName(arg)
 					if !ok {
 						return fmt.Errorf("unknown artifact %q", arg)
 					}
-					presets[i] = p
+					root = append(root, rosa.Std.Load(p))
 				}
-				root := make(rosa.Collect, 0, 6+len(args))
-				root = rosa.Std.AppendPresets(root, presets...)
 
 				if flagWithToolchain {
-					musl, compilerRT, runtimes, clang := (rosa.Std - 1).NewLLVM()
+					musl, compilerRT, runtimes, clang := rosa.Std.NewLLVM()
 					root = append(root, musl, compilerRT, runtimes, clang)
 				} else {
 					root = append(root, rosa.Std.Load(rosa.Musl))
@@ -541,12 +497,6 @@ func main() {
 					rosa.Std.Load(rosa.Toybox),
 				)
 
-				if _, _, err := cache.Cure(&root); err == nil {
-					return errors.New("unreachable")
-				} else if !errors.Is(err, rosa.Collected{}) {
-					return err
-				}
-
 				type cureRes struct {
 					pathname *check.Absolute
 					checksum unique.Handle[pkg.Checksum]

cmd/pkgserver/main.go

@@ -0,0 +1,229 @@
+package main
+
+import (
+	"bytes"
+	"cmp"
+	"context"
+	"embed"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"os"
+	"os/signal"
+	"path"
+	"slices"
+	"strings"
+	"syscall"
+
+	"hakurei.app/command"
+	"hakurei.app/container/check"
+	"hakurei.app/internal/pkg"
+	"hakurei.app/internal/rosa"
+	"hakurei.app/message"
+)
+
+//go:generate sh -c "sass ui/static/dark.scss ui/static/dark.css && sass ui/static/light.scss ui/static/light.css && tsc ui/static/index.ts"
+//go:embed ui/*
+var content embed.FS
+
+func serveWebUI(w http.ResponseWriter, r *http.Request) {
+	fmt.Printf("serveWebUI: %s\n", r.URL.Path)
+	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+	w.Header().Set("Pragma", "no-cache")
+	w.Header().Set("Expires", "0")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
+	w.Header().Set("X-XSS-Protection", "1")
+	w.Header().Set("X-Frame-Options", "DENY")
+
+	http.ServeFileFS(w, r, content, "ui/index.html")
+}
+func serveStaticContent(w http.ResponseWriter, r *http.Request) {
+	fmt.Printf("serveStaticContent: %s\n", r.URL.Path)
+	switch r.URL.Path {
+	case "/static/style.css":
+		darkTheme := r.CookiesNamed("dark_theme")
+		if len(darkTheme) > 0 && darkTheme[0].Value == "true" {
+			http.ServeFileFS(w, r, content, "ui/static/dark.css")
+		} else {
+			http.ServeFileFS(w, r, content, "ui/static/light.css")
+		}
+		break
+	case "/favicon.ico":
+		http.ServeFileFS(w, r, content, "ui/static/favicon.ico")
+		break
+	case "/static/index.js":
+		http.ServeFileFS(w, r, content, "ui/static/index.js")
+		break
+	default:
+		http.NotFound(w, r)
+
+	}
+}
+func serveAPI(index *PackageIndex) func(w http.ResponseWriter, r *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {}
+}
+
+func serveStatus(index *PackageIndex) func(w http.ResponseWriter, r *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		if index == nil {
+			http.Error(w, "index is nil", http.StatusInternalServerError)
+			return
+		}
+		base := path.Base(r.URL.Path)
+		name := strings.TrimSuffix(base, ".log")
+		p, ok := rosa.ResolveName(name)
+		if !ok {
+			http.NotFound(w, r)
+			return
+		}
+		m := rosa.GetMetadata(p)
+		pk, ok := index.names[m.Name]
+		if !ok {
+			http.NotFound(w, r)
+			return
+		}
+		if len(pk.status) > 0 {
+			w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+			w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+			w.WriteHeader(http.StatusOK)
+			_, err := io.Copy(w, bytes.NewReader(pk.status))
+			if err != nil {
+				http.Error(w, err.Error(), http.StatusInternalServerError)
+			}
+		} else {
+			http.NotFound(w, r)
+		}
+	}
+}
+
+type SortOrders int
+
+const (
+	DeclarationAscending SortOrders = iota
+	DeclarationDescending
+	NameAscending
+	NameDescending
+	limitSortOrders
+)
+
+type PackageIndex struct {
+	sorts [limitSortOrders][rosa.PresetUnexportedStart]*PackageIndexEntry
+	names map[string]*PackageIndexEntry
+}
+
+type PackageIndexEntry struct {
+	Name        string `json:"name"`
+	Description string `json:"description"`
+	Website     string `json:"website"`
+	Version     string `json:"version"`
+	status      []byte
+}
+
+func createPackageIndex(cache *pkg.Cache, report *rosa.Report) (_ *PackageIndex, err error) {
+	index := new(PackageIndex)
+	index.names = make(map[string]*PackageIndexEntry, rosa.PresetUnexportedStart)
+	work := make([]PackageIndexEntry, rosa.PresetUnexportedStart)
+	defer report.HandleAccess(&err)()
+	for p := range rosa.PresetUnexportedStart {
+		m := rosa.GetMetadata(p)
+		v := rosa.Std.Version(p)
+		a := rosa.Std.Load(p)
+		id := cache.Ident(a)
+		st, n := report.ArtifactOf(id)
+		var status []byte
+		if n < 1 {
+			status = nil
+		} else {
+			status = st
+		}
+		log.Printf("Processing package %s...\n", m.Name)
+		entry := PackageIndexEntry{
+			Name:        m.Name,
+			Description: m.Description,
+			Website:     m.Website,
+			Version:     v,
+			status:      status,
+		}
+		work[p] = entry
+		index.names[m.Name] = &entry
+	}
+	for i, p := range work {
+		index.sorts[DeclarationAscending][i] = &p
+	}
+	slices.Reverse(work)
+	for i, p := range work {
+		index.sorts[DeclarationDescending][i] = &p
+	}
+	slices.SortFunc(work, func(a PackageIndexEntry, b PackageIndexEntry) int {
+		return cmp.Compare(a.Name, b.Name)
+	})
+	for i, p := range work {
+		index.sorts[NameAscending][i] = &p
+	}
+	slices.Reverse(work)
+	for i, p := range work {
+		index.sorts[NameDescending][i] = &p
+	}
+	return index, err
+}
+func main() {
+	log.SetFlags(0)
+	log.SetPrefix("pkgserver: ")
+
+	var (
+		flagBaseDir string
+		flagPort    int
+	)
+
+	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGHUP)
+	defer stop()
+	msg := message.New(log.Default())
+
+	c := command.New(os.Stderr, log.Printf, "pkgserver", func(args []string) error {
+		reportPath := args[0]
+		baseDir, err := check.NewAbs(flagBaseDir)
+		if err != nil {
+			return err
+		}
+		log.Println("baseDir:", baseDir)
+		cache, err := pkg.Open(ctx, msg, 0, baseDir)
+		if err != nil {
+			return err
+		}
+		report, err := rosa.OpenReport(reportPath)
+		if err != nil {
+			return err
+		}
+		log.Println("reportPath:", reportPath)
+		log.Println("indexing packages...")
+		index, err := createPackageIndex(cache, report)
+		if err != nil {
+			return err
+		}
+		log.Println("created package index")
+		http.HandleFunc("GET /{$}", serveWebUI)
+		http.HandleFunc("GET /favicon.ico", serveStaticContent)
+		http.HandleFunc("GET /static/", serveStaticContent)
+		http.HandleFunc("GET /api/", serveAPI(index))
+		http.HandleFunc("GET /api/status/", serveStatus(index))
+		log.Println("listening on", flagPort)
+		err = http.ListenAndServe(fmt.Sprintf(":%d", flagPort), nil)
+		if err != nil {
+			return err
+		}
+		return nil
+	}).Flag(
+		&flagBaseDir,
+		"b", command.StringFlag(""),
+		"base directory for cache",
+	).Flag(
+		&flagPort,
+		"p", command.IntFlag(8067),
+		"http listen port",
+	)
+	c.MustParse(os.Args[1:], func(e error) {
+		log.Fatal(e)
+	})
+
+}

cmd/pkgserver/ui/index.html

@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <link rel="stylesheet" href="static/style.css">
+    <title>Hakurei PkgServer</title>
+    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
+    <script src="static/index.js"></script>
+</head>
+<body>
+<h1>Hakurei PkgServer</h1>
+
+<table id="pkg-list">
+    <tr><th>Status</th><th>Name</th><th>Version</th></tr>
+</table>
+<p>Showing entries <span id="entry-counter"></span>.</p>
+<span class="bottom-nav"><a href="javascript:prevPage()">&laquo; Previous</a> <span id="page-number">1</span> <a href="javascript:nextPage()">Next &raquo;</a></span>
+<span><label for="count">Entries per page:</label><select name="count" id="count">
+    <option value="10">10</option>
+    <option value="25">25</option>
+    <option value="50">50</option>
+    <option value="100">100</option>
+</select></span>
+</body>
+<footer>&copy; <a href="https://hakurei.app/">Hakurei</a>. Licensed under the MIT license.</footer>
+</html>

cmd/pkgserver/ui/static/dark.css

@@ -0,0 +1,6 @@
+@use 'common';
+html {
+  background-color: #2c2c2c;
+  color: ghostwhite; }
+
+/*# sourceMappingURL=dark.css.map */

cmd/pkgserver/ui/static/dark.css.map

@@ -0,0 +1,7 @@
+{
+"version": 3,
+"mappings": "AAAA,aAAa;AAEb,IAAK;EACH,gBAAgB,EAAE,OAAO;EACzB,KAAK,EAAE,UAAU",
+"sources": ["dark.scss"],
+"names": [],
+"file": "dark.css"
+}

cmd/pkgserver/ui/static/dark.scss

@@ -0,0 +1,6 @@
+@use 'common';
+
+html {
+  background-color: #2c2c2c;
+  color: ghostwhite;
+}

cmd/pkgserver/ui/static/index.js

@@ -0,0 +1,67 @@
+"use strict";
+var PackageEntry = /** @class */ (function () {
+    function PackageEntry() {
+    }
+    return PackageEntry;
+}());
+var State = /** @class */ (function () {
+    function State() {
+        this.entriesPerPage = 10;
+        this.currentPage = 1;
+        this.entryIndex = 0;
+        this.loadedEntries = [];
+    }
+    State.prototype.getEntriesPerPage = function () {
+        return this.entriesPerPage;
+    };
+    State.prototype.setEntriesPerPage = function (entriesPerPage) {
+        this.entriesPerPage = entriesPerPage;
+        this.updateRange();
+    };
+    State.prototype.getCurrentPage = function () {
+        return this.currentPage;
+    };
+    State.prototype.setCurrentPage = function (page) {
+        this.currentPage = page;
+        document.getElementById("page-number").innerText = String(this.currentPage);
+        this.updateRange();
+    };
+    State.prototype.getEntryIndex = function () {
+        return this.entryIndex;
+    };
+    State.prototype.setEntryIndex = function (entryIndex) {
+        this.entryIndex = entryIndex;
+        this.updateRange();
+    };
+    State.prototype.getLoadedEntries = function () {
+        return this.loadedEntries;
+    };
+    State.prototype.getMaxPage = function () {
+        return this.loadedEntries.length / this.entriesPerPage;
+    };
+    State.prototype.updateRange = function () {
+        var max = Math.min(this.entryIndex + this.entriesPerPage, this.loadedEntries.length);
+        document.getElementById("entry-counter").innerText = "".concat(this.entryIndex, "-").concat(max, " of ").concat(this.loadedEntries.length);
+    };
+    return State;
+}());
+var STATE;
+function prevPage() {
+    var current = STATE.getCurrentPage();
+    if (current > 1) {
+        STATE.setCurrentPage(STATE.getCurrentPage() - 1);
+    }
+}
+function nextPage() {
+    var current = STATE.getCurrentPage();
+    if (current < STATE.getMaxPage()) {
+        STATE.setCurrentPage(STATE.getCurrentPage() + 1);
+    }
+}
+document.addEventListener("DOMContentLoaded", function () {
+    STATE = new State();
+    STATE.updateRange();
+    document.getElementById("count").addEventListener("change", function (event) {
+        STATE.setEntriesPerPage(parseInt(event.target.value));
+    });
+});

cmd/pkgserver/ui/static/index.ts

@@ -0,0 +1,66 @@
+"use strict"
+
+class PackageEntry {
+
+}
+class State {
+    entriesPerPage: number = 10
+    currentPage: number = 1
+    entryIndex: number = 0
+    loadedEntries: PackageEntry[] = []
+    getEntriesPerPage(): number {
+        return this.entriesPerPage
+    }
+    setEntriesPerPage(entriesPerPage: number) {
+        this.entriesPerPage = entriesPerPage
+        this.updateRange()
+    }
+    getCurrentPage(): number {
+        return this.currentPage
+    }
+    setCurrentPage(page: number) {
+        this.currentPage = page
+        document.getElementById("page-number").innerText = String(this.currentPage)
+        this.updateRange()
+    }
+    getEntryIndex(): number {
+        return this.entryIndex
+    }
+    setEntryIndex(entryIndex: number) {
+        this.entryIndex = entryIndex
+        this.updateRange()
+    }
+    getLoadedEntries(): PackageEntry[] {
+        return this.loadedEntries
+    }
+    getMaxPage(): number {
+        return this.loadedEntries.length / this.entriesPerPage
+    }
+    updateRange() {
+        let max = Math.min(this.entryIndex + this.entriesPerPage, this.loadedEntries.length)
+        document.getElementById("entry-counter").innerText = `${this.entryIndex}-${max} of ${this.loadedEntries.length}`
+    }
+}
+
+let STATE: State
+
+function prevPage() {
+    let current = STATE.getCurrentPage()
+    if (current > 1) {
+        STATE.setCurrentPage(STATE.getCurrentPage() - 1)
+    }
+}
+function nextPage() {
+    let current = STATE.getCurrentPage()
+    if (current < STATE.getMaxPage()) {
+        STATE.setCurrentPage(STATE.getCurrentPage() + 1)
+    }
+}
+
+document.addEventListener("DOMContentLoaded", () => {
+    STATE = new State()
+    STATE.updateRange()
+    document.getElementById("count").addEventListener("change", (event) => {
+        STATE.setEntriesPerPage(parseInt((event.target as HTMLSelectElement).value))
+    })
+})

cmd/pkgserver/ui/static/light.css

@@ -0,0 +1,6 @@
+@use 'common';
+html {
+  background-color: #d3d3d3;
+  color: black; }
+
+/*# sourceMappingURL=light.css.map */

cmd/pkgserver/ui/static/light.css.map

@@ -0,0 +1,7 @@
+{
+"version": 3,
+"mappings": "AAAA,aAAa;AAEb,IAAK;EACH,gBAAgB,EAAE,OAAO;EACzB,KAAK,EAAE,KAAK",
+"sources": ["light.scss"],
+"names": [],
+"file": "light.css"
+}

cmd/pkgserver/ui/static/light.scss

@@ -0,0 +1,6 @@
+@use 'common';
+
+html {
+  background-color: #d3d3d3;
+  color: black;
+}

cmd/sharefs/fuse.go

@@ -31,10 +31,10 @@ import (
 	"syscall"
 	"unsafe"
 
-	"hakurei.app/check"
 	"hakurei.app/container"
+	"hakurei.app/container/check"
+	"hakurei.app/container/fhs"
 	"hakurei.app/container/std"
-	"hakurei.app/fhs"
 	"hakurei.app/hst"
 	"hakurei.app/internal/helper/proc"
 	"hakurei.app/internal/info"

cmd/sharefs/fuse_test.go

@@ -6,7 +6,7 @@ import (
 	"reflect"
 	"testing"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
 )
 
 func TestParseOpts(t *testing.T) {

container/autoetc.go

@@ -4,8 +4,8 @@ import (
 	"encoding/gob"
 	"fmt"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
-	"hakurei.app/fhs"
+	"hakurei.app/container/fhs"
 )
 
 func init() { gob.Register(new(AutoEtcOp)) }

container/autoetc_test.go

@@ -5,8 +5,8 @@ import (
 	"os"
 	"testing"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
-	"hakurei.app/internal/stub"
+	"hakurei.app/container/stub"
 )
 
 func TestAutoEtcOp(t *testing.T) {

container/autoroot.go

@@ -4,8 +4,8 @@ import (
 	"encoding/gob"
 	"fmt"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
-	"hakurei.app/fhs"
+	"hakurei.app/container/fhs"
 	"hakurei.app/message"
 )
 

container/autoroot_test.go

@@ -5,9 +5,9 @@ import (
 	"os"
 	"testing"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
 	"hakurei.app/container/std"
-	"hakurei.app/internal/stub"
+	"hakurei.app/container/stub"
 	"hakurei.app/message"
 )
 

container/capability.go

@@ -3,8 +3,6 @@ package container
 import (
 	"syscall"
 	"unsafe"
-
-	"hakurei.app/ext"
 )
 
 const (
@@ -53,15 +51,15 @@ func capset(hdrp *capHeader, datap *[2]capData) error {
 
 // capBoundingSetDrop drops a capability from the calling thread's capability bounding set.
 func capBoundingSetDrop(cap uintptr) error {
-	return ext.Prctl(syscall.PR_CAPBSET_DROP, cap, 0)
+	return Prctl(syscall.PR_CAPBSET_DROP, cap, 0)
 }
 
 // capAmbientClearAll clears the ambient capability set of the calling thread.
 func capAmbientClearAll() error {
-	return ext.Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0)
+	return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0)
 }
 
 // capAmbientRaise adds to the ambient capability set of the calling thread.
 func capAmbientRaise(cap uintptr) error {
-	return ext.Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap)
+	return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap)
 }

container/check/absolute_test.go

@@ -11,12 +11,12 @@ import (
 	"testing"
 	_ "unsafe" // for go:linkname
 
-	. "hakurei.app/check"
+	. "hakurei.app/container/check"
 )
 
 // unsafeAbs returns check.Absolute on any string value.
 //
-//go:linkname unsafeAbs hakurei.app/check.unsafeAbs
+//go:linkname unsafeAbs hakurei.app/container/check.unsafeAbs
 func unsafeAbs(pathname string) *Absolute
 
 func TestAbsoluteError(t *testing.T) {

container/check/overlay_test.go

@@ -3,7 +3,7 @@ package check_test
 import (
 	"testing"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
 )
 
 func TestEscapeOverlayDataSegment(t *testing.T) {

container/container.go

@@ -16,11 +16,10 @@ import (
 	. "syscall"
 	"time"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
+	"hakurei.app/container/fhs"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
-	"hakurei.app/ext"
-	"hakurei.app/fhs"
 	"hakurei.app/message"
 )
 
@@ -39,13 +38,9 @@ type (
 	Container struct {
 		// Whether the container init should stay alive after its parent terminates.
 		AllowOrphan bool
-		// Whether to set SchedPolicy and SchedPriority via sched_setscheduler(2).
+		// Scheduling policy to set via sched_setscheduler(2). The zero value
-		SetScheduler bool
+		// skips this call. Supported policies are [SCHED_BATCH], [SCHED_IDLE].
-		// Scheduling policy to set via sched_setscheduler(2).
+		SchedPolicy int
-		SchedPolicy ext.SchedPolicy
-		// Scheduling priority to set via sched_setscheduler(2). The zero value
-		// implies the minimum value supported by the current SchedPolicy.
-		SchedPriority ext.Int
 		// Cgroup fd, nil to disable.
 		Cgroup *int
 		// ExtraFiles passed through to initial process in the container, with
@@ -186,24 +181,31 @@ var (
 	closeOnExecErr  error
 )
 
-// ensureCloseOnExec ensures all currently open file descriptors have the
+// ensureCloseOnExec ensures all currently open file descriptors have the syscall.FD_CLOEXEC flag set.
-// syscall.FD_CLOEXEC flag set.
+// This is only ran once as it is intended to handle files left open by the parent, and any file opened
-//
+// on this side should already have syscall.FD_CLOEXEC set.
-// This is only ran once as it is intended to handle files left open by the
-// parent, and any file opened on this side should already have
-// syscall.FD_CLOEXEC set.
 func ensureCloseOnExec() error {
-	closeOnExecOnce.Do(func() { closeOnExecErr = doCloseOnExec() })
+	closeOnExecOnce.Do(func() {
+		const fdPrefixPath = "/proc/self/fd/"
+
+		var entries []os.DirEntry
+		if entries, closeOnExecErr = os.ReadDir(fdPrefixPath); closeOnExecErr != nil {
+			return
+		}
+
+		var fd int
+		for _, ent := range entries {
+			if fd, closeOnExecErr = strconv.Atoi(ent.Name()); closeOnExecErr != nil {
+				break // not reached
+			}
+			CloseOnExec(fd)
+		}
+	})
 
 	if closeOnExecErr == nil {
 		return nil
 	}
-	return &StartError{
+	return &StartError{Fatal: true, Step: "set FD_CLOEXEC on all open files", Err: closeOnExecErr, Passthrough: true}
-		Fatal:       true,
-		Step:        "set FD_CLOEXEC on all open files",
-		Err:         closeOnExecErr,
-		Passthrough: true,
-	}
 }
 
 // Start starts the container init. The init process blocks until Serve is called.
@@ -371,38 +373,16 @@ func (p *Container) Start() error {
 
 			// sched_setscheduler: thread-directed but acts on all processes
 			// created from the calling thread
-			if p.SetScheduler {
+			if p.SchedPolicy > 0 {
-				if p.SchedPolicy < 0 || p.SchedPolicy > ext.SCHED_LAST {
+				p.msg.Verbosef("setting scheduling policy %d", p.SchedPolicy)
-					return &StartError{
-						Fatal: false,
-						Step:  "set scheduling policy",
-						Err:   EINVAL,
-					}
-				}
-
-				var param schedParam
-				if priority, err := p.SchedPolicy.GetPriorityMin(); err != nil {
-					return &StartError{
-						Fatal: true,
-						Step:  "get minimum priority",
-						Err:   err,
-					}
-				} else {
-					param.priority = max(priority, p.SchedPriority)
-				}
-
-				p.msg.Verbosef(
-					"setting scheduling policy %s priority %d",
-					p.SchedPolicy, param.priority,
-				)
 				if err := schedSetscheduler(
 					0, // calling thread
 					p.SchedPolicy,
-					&param,
+					&schedParam{0},
 				); err != nil {
 					return &StartError{
 						Fatal: true,
-						Step:  "set scheduling policy",
+						Step:  "enforce landlock ruleset",
 						Err:   err,
 					}
 				}

container/container_test.go

@@ -18,17 +18,16 @@ import (
 	"testing"
 	"time"
 
-	"hakurei.app/check"
 	"hakurei.app/command"
 	"hakurei.app/container"
+	"hakurei.app/container/check"
+	"hakurei.app/container/fhs"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
-	"hakurei.app/ext"
+	"hakurei.app/container/vfs"
-	"hakurei.app/fhs"
 	"hakurei.app/hst"
 	"hakurei.app/ldd"
 	"hakurei.app/message"
-	"hakurei.app/vfs"
 )
 
 // Note: this package requires cgo, which is unavailable in the Go playground.
@@ -259,7 +258,7 @@ var containerTestCases = []struct {
 		1000, 100, nil, 0, std.PresetExt},
 	{"custom rules", true, true, true, false,
 		emptyOps, emptyMnt,
-		1, 31, []std.NativeRule{{Syscall: ext.SyscallNum(syscall.SYS_SETUID), Errno: std.ScmpErrno(syscall.EPERM)}}, 0, std.PresetExt},
+		1, 31, []std.NativeRule{{Syscall: std.ScmpSyscall(syscall.SYS_SETUID), Errno: std.ScmpErrno(syscall.EPERM)}}, 0, std.PresetExt},
 
 	{"tmpfs", true, false, false, true,
 		earlyOps(new(container.Ops).

container/dispatcher.go

@@ -3,7 +3,6 @@ package container
 import (
 	"io"
 	"io/fs"
-	"net"
 	"os"
 	"os/exec"
 	"os/signal"
@@ -13,8 +12,6 @@ import (
 
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
-	"hakurei.app/ext"
-	"hakurei.app/internal/netlink"
 	"hakurei.app/message"
 )
 
@@ -144,8 +141,8 @@ func (k direct) new(f func(k syscallDispatcher)) { go f(k) }
 
 func (direct) lockOSThread() { runtime.LockOSThread() }
 
-func (direct) setPtracer(pid uintptr) error       { return ext.SetPtracer(pid) }
+func (direct) setPtracer(pid uintptr) error       { return SetPtracer(pid) }
-func (direct) setDumpable(dumpable uintptr) error { return ext.SetDumpable(dumpable) }
+func (direct) setDumpable(dumpable uintptr) error { return SetDumpable(dumpable) }
 func (direct) setNoNewPrivs() error               { return SetNoNewPrivs() }
 
 func (direct) lastcap(msg message.Msg) uintptr                 { return LastCap(msg) }
@@ -153,7 +150,7 @@ func (direct) capset(hdrp *capHeader, datap *[2]capData) error { return capset(h
 func (direct) capBoundingSetDrop(cap uintptr) error            { return capBoundingSetDrop(cap) }
 func (direct) capAmbientClearAll() error                       { return capAmbientClearAll() }
 func (direct) capAmbientRaise(cap uintptr) error               { return capAmbientRaise(cap) }
-func (direct) isatty(fd int) bool                              { return ext.Isatty(fd) }
+func (direct) isatty(fd int) bool                              { return Isatty(fd) }
 func (direct) receive(key string, e any, fdp *uintptr) (func() error, error) {
 	return Receive(key, e, fdp)
 }
@@ -170,47 +167,7 @@ func (k direct) mountTmpfs(fsname, target string, flags uintptr, size int, perm
 func (direct) ensureFile(name string, perm, pperm os.FileMode) error {
 	return ensureFile(name, perm, pperm)
 }
-func (direct) mustLoopback(msg message.Msg) {
+func (direct) mustLoopback(msg message.Msg) { mustLoopback(msg) }
-	var lo int
-	if ifi, err := net.InterfaceByName("lo"); err != nil {
-		msg.GetLogger().Fatalln(err)
-	} else {
-		lo = ifi.Index
-	}
-
-	c, err := netlink.DialRoute()
-	if err != nil {
-		msg.GetLogger().Fatalln(err)
-	}
-
-	must := func(err error) {
-		if err == nil {
-			return
-		}
-		if closeErr := c.Close(); closeErr != nil {
-			msg.Verbosef("cannot close RTNETLINK: %v", closeErr)
-		}
-
-		switch err.(type) {
-		case *os.SyscallError:
-			msg.GetLogger().Fatalf("cannot %v", err)
-
-		case syscall.Errno:
-			msg.GetLogger().Fatalf("RTNETLINK answers: %v", err)
-
-		default:
-			msg.GetLogger().Fatalf("RTNETLINK answers with malformed message")
-		}
-	}
-	must(c.SendNewaddrLo(uint32(lo)))
-	must(c.SendIfInfomsg(syscall.RTM_NEWLINK, 0, &syscall.IfInfomsg{
-		Family: syscall.AF_UNSPEC,
-		Index:  int32(lo),
-		Flags:  syscall.IFF_UP,
-		Change: syscall.IFF_UP,
-	}))
-	must(c.Close())
-}
 
 func (direct) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
 	return seccomp.Load(rules, flags)

container/dispatcher_test.go

@@ -18,7 +18,7 @@ import (
 
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
-	"hakurei.app/internal/stub"
+	"hakurei.app/container/stub"
 	"hakurei.app/message"
 )
 

container/errors.go

@@ -5,9 +5,9 @@ import (
 	"os"
 	"syscall"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
+	"hakurei.app/container/vfs"
 	"hakurei.app/message"
-	"hakurei.app/vfs"
 )
 
 // messageFromError returns a printable error message for a supported concrete type.

container/errors_test.go

@@ -8,9 +8,9 @@ import (
 	"syscall"
 	"testing"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
-	"hakurei.app/internal/stub"
+	"hakurei.app/container/stub"
-	"hakurei.app/vfs"
+	"hakurei.app/container/vfs"
 )
 
 func TestMessageFromError(t *testing.T) {

container/executable.go

@@ -0,0 +1,37 @@
+package container
+
+import (
+	"fmt"
+	"log"
+	"os"
+	"sync"
+
+	"hakurei.app/message"
+)
+
+var (
+	executable     string
+	executableOnce sync.Once
+)
+
+func copyExecutable(msg message.Msg) {
+	if name, err := os.Executable(); err != nil {
+		m := fmt.Sprintf("cannot read executable path: %v", err)
+		if msg != nil {
+			msg.BeforeExit()
+			msg.GetLogger().Fatal(m)
+		} else {
+			log.Fatal(m)
+		}
+	} else {
+		executable = name
+	}
+}
+
+// MustExecutable calls [os.Executable] and terminates the process on error.
+//
+// Deprecated: This is no longer used and will be removed in 0.4.
+func MustExecutable(msg message.Msg) string {
+	executableOnce.Do(func() { copyExecutable(msg) })
+	return executable
+}

container/executable_test.go

@@ -0,0 +1,18 @@
+package container_test
+
+import (
+	"os"
+	"testing"
+
+	"hakurei.app/container"
+	"hakurei.app/message"
+)
+
+func TestExecutable(t *testing.T) {
+	t.Parallel()
+	for i := 0; i < 16; i++ {
+		if got := container.MustExecutable(message.New(nil)); got != os.Args[0] {
+			t.Errorf("MustExecutable: %q, want %q", got, os.Args[0])
+		}
+	}
+}

container/fhs/abs.go

@@ -3,14 +3,14 @@ package fhs
 import (
 	_ "unsafe" // for go:linkname
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
 )
 
 /* constants in this file bypass abs check, be extremely careful when changing them! */
 
 // unsafeAbs returns check.Absolute on any string value.
 //
-//go:linkname unsafeAbs hakurei.app/check.unsafeAbs
+//go:linkname unsafeAbs hakurei.app/container/check.unsafeAbs
 func unsafeAbs(pathname string) *check.Absolute
 
 var (

container/init.go

@@ -15,9 +15,8 @@ import (
 	. "syscall"
 	"time"
 
+	"hakurei.app/container/fhs"
 	"hakurei.app/container/seccomp"
-	"hakurei.app/ext"
-	"hakurei.app/fhs"
 	"hakurei.app/message"
 )
 
@@ -179,7 +178,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	}
 
 	// write uid/gid map here so parent does not need to set dumpable
-	if err := k.setDumpable(ext.SUID_DUMP_USER); err != nil {
+	if err := k.setDumpable(SUID_DUMP_USER); err != nil {
 		k.fatalf(msg, "cannot set SUID_DUMP_USER: %v", err)
 	}
 	if err := k.writeFile(fhs.Proc+"self/uid_map",
@@ -197,7 +196,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		0); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
-	if err := k.setDumpable(ext.SUID_DUMP_DISABLE); err != nil {
+	if err := k.setDumpable(SUID_DUMP_DISABLE); err != nil {
 		k.fatalf(msg, "cannot set SUID_DUMP_DISABLE: %v", err)
 	}
 
@@ -291,7 +290,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 
 	{
 		var fd int
-		if err := ext.IgnoringEINTR(func() (err error) {
+		if err := IgnoringEINTR(func() (err error) {
 			fd, err = k.open(fhs.Root, O_DIRECTORY|O_RDONLY, 0)
 			return
 		}); err != nil {

container/init_test.go

@@ -7,10 +7,10 @@ import (
 	"testing"
 	"time"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
-	"hakurei.app/internal/stub"
+	"hakurei.app/container/stub"
 )
 
 func TestInitEntrypoint(t *testing.T) {

container/initbind.go

@@ -6,7 +6,7 @@ import (
 	"os"
 	"syscall"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
 	"hakurei.app/container/std"
 )
 

container/initbind_test.go

@@ -6,9 +6,9 @@ import (
 	"syscall"
 	"testing"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
 	"hakurei.app/container/std"
-	"hakurei.app/internal/stub"
+	"hakurei.app/container/stub"
 )
 
 func TestBindMountOp(t *testing.T) {

container/initdaemon.go

@@ -12,8 +12,8 @@ import (
 	"syscall"
 	"time"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
-	"hakurei.app/fhs"
+	"hakurei.app/container/fhs"
 )
 
 func init() { gob.Register(new(DaemonOp)) }

container/initdaemon_test.go

@@ -4,8 +4,8 @@ import (
 	"os"
 	"testing"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
-	"hakurei.app/internal/stub"
+	"hakurei.app/container/stub"
 	"hakurei.app/message"
 )
 

container/initdev.go

@@ -6,8 +6,8 @@ import (
 	"path"
 	. "syscall"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
-	"hakurei.app/fhs"
+	"hakurei.app/container/fhs"
 )
 
 func init() { gob.Register(new(MountDevOp)) }

container/initdev_test.go

@@ -4,8 +4,8 @@ import (
 	"os"
 	"testing"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
-	"hakurei.app/internal/stub"
+	"hakurei.app/container/stub"
 )
 
 func TestMountDevOp(t *testing.T) {

container/initmkdir.go

@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"os"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
 )
 
 func init() { gob.Register(new(MkdirOp)) }

container/initmkdir_test.go

@@ -4,8 +4,8 @@ import (
 	"os"
 	"testing"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
-	"hakurei.app/internal/stub"
+	"hakurei.app/container/stub"
 )
 
 func TestMkdirOp(t *testing.T) {

container/initoverlay.go

@@ -6,8 +6,8 @@ import (
 	"slices"
 	"strings"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
-	"hakurei.app/fhs"
+	"hakurei.app/container/fhs"
 )
 
 const (

container/initoverlay_test.go

@@ -5,8 +5,8 @@ import (
 	"os"
 	"testing"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
-	"hakurei.app/internal/stub"
+	"hakurei.app/container/stub"
 )
 
 func TestMountOverlayOp(t *testing.T) {

container/initplace.go

@@ -5,8 +5,8 @@ import (
 	"fmt"
 	"syscall"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
-	"hakurei.app/fhs"
+	"hakurei.app/container/fhs"
 )
 
 const (

container/initplace_test.go

@@ -4,8 +4,8 @@ import (
 	"os"
 	"testing"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
-	"hakurei.app/internal/stub"
+	"hakurei.app/container/stub"
 )
 
 func TestTmpfileOp(t *testing.T) {

container/initproc.go

@@ -5,7 +5,7 @@ import (
 	"fmt"
 	. "syscall"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
 )
 
 func init() { gob.Register(new(MountProcOp)) }

container/initproc_test.go

@@ -4,8 +4,8 @@ import (
 	"os"
 	"testing"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
-	"hakurei.app/internal/stub"
+	"hakurei.app/container/stub"
 )
 
 func TestMountProcOp(t *testing.T) {

container/initremount.go

@@ -4,7 +4,7 @@ import (
 	"encoding/gob"
 	"fmt"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
 )
 
 func init() { gob.Register(new(RemountOp)) }

container/initremount_test.go

@@ -4,8 +4,8 @@ import (
 	"syscall"
 	"testing"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
-	"hakurei.app/internal/stub"
+	"hakurei.app/container/stub"
 )
 
 func TestRemountOp(t *testing.T) {

container/initsymlink.go

@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"path"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
 )
 
 func init() { gob.Register(new(SymlinkOp)) }

container/initsymlink_test.go

@@ -4,8 +4,8 @@ import (
 	"os"
 	"testing"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
-	"hakurei.app/internal/stub"
+	"hakurei.app/container/stub"
 )
 
 func TestSymlinkOp(t *testing.T) {

container/inittmpfs.go

@@ -8,7 +8,7 @@ import (
 	"strconv"
 	. "syscall"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
 )
 
 func init() { gob.Register(new(MountTmpfsOp)) }

container/inittmpfs_test.go

@@ -5,8 +5,8 @@ import (
 	"syscall"
 	"testing"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
-	"hakurei.app/internal/stub"
+	"hakurei.app/container/stub"
 )
 
 func TestMountTmpfsOp(t *testing.T) {

container/landlock.go

@@ -5,7 +5,7 @@ import (
 	"syscall"
 	"unsafe"
 
-	"hakurei.app/ext"
+	"hakurei.app/container/std"
 )
 
 // include/uapi/linux/landlock.h
@@ -223,7 +223,7 @@ func (rulesetAttr *RulesetAttr) Create(flags uintptr) (fd int, err error) {
 	}
 
 	rulesetFd, _, errno := syscall.Syscall(
-		ext.SYS_LANDLOCK_CREATE_RULESET,
+		std.SYS_LANDLOCK_CREATE_RULESET,
 		pointer, size,
 		flags,
 	)
@@ -247,7 +247,7 @@ func LandlockGetABI() (int, error) {
 // LandlockRestrictSelf applies a loaded ruleset to the calling thread.
 func LandlockRestrictSelf(rulesetFd int, flags uintptr) error {
 	r, _, errno := syscall.Syscall(
-		ext.SYS_LANDLOCK_RESTRICT_SELF,
+		std.SYS_LANDLOCK_RESTRICT_SELF,
 		uintptr(rulesetFd),
 		flags,
 		0,

container/mount.go

@@ -6,9 +6,8 @@ import (
 	"os"
 	. "syscall"
 
-	"hakurei.app/ext"
+	"hakurei.app/container/vfs"
 	"hakurei.app/message"
-	"hakurei.app/vfs"
 )
 
 /*
@@ -116,7 +115,7 @@ func (p *procPaths) remount(msg message.Msg, target string, flags uintptr) error
 	var targetKFinal string
 	{
 		var destFd int
-		if err := ext.IgnoringEINTR(func() (err error) {
+		if err := IgnoringEINTR(func() (err error) {
 			destFd, err = p.k.open(targetFinal, O_PATH|O_CLOEXEC, 0)
 			return
 		}); err != nil {

container/mount_test.go

@@ -5,8 +5,8 @@ import (
 	"syscall"
 	"testing"
 
-	"hakurei.app/internal/stub"
+	"hakurei.app/container/stub"
-	"hakurei.app/vfs"
+	"hakurei.app/container/vfs"
 )
 
 func TestBindMount(t *testing.T) {

container/netlink.go

@@ -0,0 +1,269 @@
+package container
+
+import (
+	"encoding/binary"
+	"errors"
+	"net"
+	"os"
+	. "syscall"
+	"unsafe"
+
+	"hakurei.app/container/std"
+	"hakurei.app/message"
+)
+
+// rtnetlink represents a NETLINK_ROUTE socket.
+type rtnetlink struct {
+	// Sent as part of rtnetlink messages.
+	pid uint32
+	// AF_NETLINK socket.
+	fd int
+	// Whether the socket is open.
+	ok bool
+	// Message sequence number.
+	seq uint32
+}
+
+// open creates the underlying NETLINK_ROUTE socket.
+func (s *rtnetlink) open() (err error) {
+	if s.ok || s.fd < 0 {
+		return os.ErrInvalid
+	}
+
+	s.pid = uint32(Getpid())
+	if s.fd, err = Socket(
+		AF_NETLINK,
+		SOCK_RAW|SOCK_CLOEXEC,
+		NETLINK_ROUTE,
+	); err != nil {
+		return os.NewSyscallError("socket", err)
+	} else if err = Bind(s.fd, &SockaddrNetlink{
+		Family: AF_NETLINK,
+		Pid:    s.pid,
+	}); err != nil {
+		_ = s.close()
+		return os.NewSyscallError("bind", err)
+	} else {
+		s.ok = true
+		return nil
+	}
+}
+
+// close closes the underlying NETLINK_ROUTE socket.
+func (s *rtnetlink) close() error {
+	if !s.ok {
+		return os.ErrInvalid
+	}
+
+	s.ok = false
+	err := Close(s.fd)
+	s.fd = -1
+	return err
+}
+
+// roundtrip sends a netlink message and handles the reply.
+func (s *rtnetlink) roundtrip(data []byte) error {
+	if !s.ok {
+		return os.ErrInvalid
+	}
+
+	defer func() { s.seq++ }()
+
+	if err := Sendto(s.fd, data, 0, &SockaddrNetlink{
+		Family: AF_NETLINK,
+	}); err != nil {
+		return os.NewSyscallError("sendto", err)
+	}
+	buf := make([]byte, Getpagesize())
+
+done:
+	for {
+		p := buf
+		if n, _, err := Recvfrom(s.fd, p, 0); err != nil {
+			return os.NewSyscallError("recvfrom", err)
+		} else if n < NLMSG_HDRLEN {
+			return errors.ErrUnsupported
+		} else {
+			p = p[:n]
+		}
+
+		if msgs, err := ParseNetlinkMessage(p); err != nil {
+			return err
+		} else {
+			for _, m := range msgs {
+				if m.Header.Seq != s.seq || m.Header.Pid != s.pid {
+					return errors.ErrUnsupported
+				}
+				if m.Header.Type == NLMSG_DONE {
+					break done
+				}
+				if m.Header.Type == NLMSG_ERROR {
+					if len(m.Data) >= 4 {
+						errno := Errno(-std.Int(binary.NativeEndian.Uint32(m.Data)))
+						if errno == 0 {
+							return nil
+						}
+						return errno
+					}
+					return errors.ErrUnsupported
+				}
+			}
+		}
+	}
+
+	return nil
+}
+
+// mustRoundtrip calls roundtrip and terminates via msg for a non-nil error.
+func (s *rtnetlink) mustRoundtrip(msg message.Msg, data []byte) {
+	err := s.roundtrip(data)
+	if err == nil {
+		return
+	}
+	if closeErr := Close(s.fd); closeErr != nil {
+		msg.Verbosef("cannot close: %v", err)
+	}
+
+	switch err.(type) {
+	case *os.SyscallError:
+		msg.GetLogger().Fatalf("cannot %v", err)
+
+	case Errno:
+		msg.GetLogger().Fatalf("RTNETLINK answers: %v", err)
+
+	default:
+		msg.GetLogger().Fatalln("RTNETLINK answers with unexpected message")
+	}
+}
+
+// newaddrLo represents a RTM_NEWADDR message with two addresses.
+type newaddrLo struct {
+	header NlMsghdr
+	data   IfAddrmsg
+
+	r0 RtAttr
+	a0 [4]byte // in_addr
+	r1 RtAttr
+	a1 [4]byte // in_addr
+}
+
+// sizeofNewaddrLo is the expected size of newaddrLo.
+const sizeofNewaddrLo = NLMSG_HDRLEN + SizeofIfAddrmsg + (SizeofRtAttr+4)*2
+
+// newaddrLo returns the address of a populated newaddrLo.
+func (s *rtnetlink) newaddrLo(lo int) *newaddrLo {
+	return &newaddrLo{NlMsghdr{
+		Len:   sizeofNewaddrLo,
+		Type:  RTM_NEWADDR,
+		Flags: NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE | NLM_F_EXCL,
+		Seq:   s.seq,
+		Pid:   s.pid,
+	}, IfAddrmsg{
+		Family:    AF_INET,
+		Prefixlen: 8,
+		Flags:     IFA_F_PERMANENT,
+		Scope:     RT_SCOPE_HOST,
+		Index:     uint32(lo),
+	}, RtAttr{
+		Len:  uint16(SizeofRtAttr + len(newaddrLo{}.a0)),
+		Type: IFA_LOCAL,
+	}, [4]byte{127, 0, 0, 1}, RtAttr{
+		Len:  uint16(SizeofRtAttr + len(newaddrLo{}.a1)),
+		Type: IFA_ADDRESS,
+	}, [4]byte{127, 0, 0, 1}}
+}
+
+func (msg *newaddrLo) toWireFormat() []byte {
+	var buf [sizeofNewaddrLo]byte
+
+	*(*uint32)(unsafe.Pointer(&buf[0:4][0])) = msg.header.Len
+	*(*uint16)(unsafe.Pointer(&buf[4:6][0])) = msg.header.Type
+	*(*uint16)(unsafe.Pointer(&buf[6:8][0])) = msg.header.Flags
+	*(*uint32)(unsafe.Pointer(&buf[8:12][0])) = msg.header.Seq
+	*(*uint32)(unsafe.Pointer(&buf[12:16][0])) = msg.header.Pid
+
+	buf[16] = msg.data.Family
+	buf[17] = msg.data.Prefixlen
+	buf[18] = msg.data.Flags
+	buf[19] = msg.data.Scope
+	*(*uint32)(unsafe.Pointer(&buf[20:24][0])) = msg.data.Index
+
+	*(*uint16)(unsafe.Pointer(&buf[24:26][0])) = msg.r0.Len
+	*(*uint16)(unsafe.Pointer(&buf[26:28][0])) = msg.r0.Type
+	copy(buf[28:32], msg.a0[:])
+	*(*uint16)(unsafe.Pointer(&buf[32:34][0])) = msg.r1.Len
+	*(*uint16)(unsafe.Pointer(&buf[34:36][0])) = msg.r1.Type
+	copy(buf[36:40], msg.a1[:])
+
+	return buf[:]
+}
+
+// newlinkLo represents a RTM_NEWLINK message.
+type newlinkLo struct {
+	header NlMsghdr
+	data   IfInfomsg
+}
+
+// sizeofNewlinkLo is the expected size of newlinkLo.
+const sizeofNewlinkLo = NLMSG_HDRLEN + SizeofIfInfomsg
+
+// newlinkLo returns the address of a populated newlinkLo.
+func (s *rtnetlink) newlinkLo(lo int) *newlinkLo {
+	return &newlinkLo{NlMsghdr{
+		Len:   sizeofNewlinkLo,
+		Type:  RTM_NEWLINK,
+		Flags: NLM_F_REQUEST | NLM_F_ACK,
+		Seq:   s.seq,
+		Pid:   s.pid,
+	}, IfInfomsg{
+		Family: AF_UNSPEC,
+		Index:  int32(lo),
+		Flags:  IFF_UP,
+		Change: IFF_UP,
+	}}
+}
+
+func (msg *newlinkLo) toWireFormat() []byte {
+	var buf [sizeofNewlinkLo]byte
+
+	*(*uint32)(unsafe.Pointer(&buf[0:4][0])) = msg.header.Len
+	*(*uint16)(unsafe.Pointer(&buf[4:6][0])) = msg.header.Type
+	*(*uint16)(unsafe.Pointer(&buf[6:8][0])) = msg.header.Flags
+	*(*uint32)(unsafe.Pointer(&buf[8:12][0])) = msg.header.Seq
+	*(*uint32)(unsafe.Pointer(&buf[12:16][0])) = msg.header.Pid
+
+	buf[16] = msg.data.Family
+	*(*uint16)(unsafe.Pointer(&buf[18:20][0])) = msg.data.Type
+	*(*int32)(unsafe.Pointer(&buf[20:24][0])) = msg.data.Index
+	*(*uint32)(unsafe.Pointer(&buf[24:28][0])) = msg.data.Flags
+	*(*uint32)(unsafe.Pointer(&buf[28:32][0])) = msg.data.Change
+
+	return buf[:]
+}
+
+// mustLoopback creates the loopback address and brings the lo interface up.
+// mustLoopback calls a fatal method of the underlying [log.Logger] of m with a
+// user-facing error message if RTNETLINK behaves unexpectedly.
+func mustLoopback(msg message.Msg) {
+	log := msg.GetLogger()
+
+	var lo int
+	if ifi, err := net.InterfaceByName("lo"); err != nil {
+		log.Fatalln(err)
+	} else {
+		lo = ifi.Index
+	}
+
+	var s rtnetlink
+	if err := s.open(); err != nil {
+		log.Fatalln(err)
+	}
+	defer func() {
+		if err := s.close(); err != nil {
+			msg.Verbosef("cannot close netlink: %v", err)
+		}
+	}()
+
+	s.mustRoundtrip(msg, s.newaddrLo(lo).toWireFormat())
+	s.mustRoundtrip(msg, s.newlinkLo(lo).toWireFormat())
+}

container/netlink_test.go

@@ -0,0 +1,72 @@
+package container
+
+import (
+	"testing"
+	"unsafe"
+)
+
+func TestSizeof(t *testing.T) {
+	if got := unsafe.Sizeof(newaddrLo{}); got != sizeofNewaddrLo {
+		t.Fatalf("newaddrLo: sizeof = %#x, want %#x", got, sizeofNewaddrLo)
+	}
+
+	if got := unsafe.Sizeof(newlinkLo{}); got != sizeofNewlinkLo {
+		t.Fatalf("newlinkLo: sizeof = %#x, want %#x", got, sizeofNewlinkLo)
+	}
+}
+
+func TestRtnetlinkMessage(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		msg  interface{ toWireFormat() []byte }
+		want []byte
+	}{
+		{"newaddrLo", (&rtnetlink{pid: 1, seq: 0}).newaddrLo(1), []byte{
+			/* Len   */ 0x28, 0, 0, 0,
+			/* Type  */ 0x14, 0,
+			/* Flags */ 5, 6,
+			/* Seq   */ 0, 0, 0, 0,
+			/* Pid   */ 1, 0, 0, 0,
+
+			/* Family    */ 2,
+			/* Prefixlen */ 8,
+			/* Flags     */ 0x80,
+			/* Scope     */ 0xfe,
+			/* Index     */ 1, 0, 0, 0,
+
+			/* Len     */ 8, 0,
+			/* Type    */ 2, 0,
+			/* in_addr */ 127, 0, 0, 1,
+
+			/* Len     */ 8, 0,
+			/* Type    */ 1, 0,
+			/* in_addr */ 127, 0, 0, 1,
+		}},
+
+		{"newlinkLo", (&rtnetlink{pid: 1, seq: 1}).newlinkLo(1), []byte{
+			/* Len   */ 0x20, 0, 0, 0,
+			/* Type  */ 0x10, 0,
+			/* Flags */ 5, 0,
+			/* Seq   */ 1, 0, 0, 0,
+			/* Pid   */ 1, 0, 0, 0,
+
+			/* Family */ 0,
+			/* pad    */ 0,
+			/* Type   */ 0, 0,
+			/* Index  */ 1, 0, 0, 0,
+			/* Flags  */ 1, 0, 0, 0,
+			/* Change */ 1, 0, 0, 0,
+		}},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			if got := tc.msg.toWireFormat(); string(got) != string(tc.want) {
+				t.Fatalf("toWireFormat: %#v, want %#v", got, tc.want)
+			}
+		})
+	}
+}

container/path.go

@@ -9,8 +9,8 @@ import (
 	"strings"
 	"syscall"
 
-	"hakurei.app/fhs"
+	"hakurei.app/container/fhs"
-	"hakurei.app/vfs"
+	"hakurei.app/container/vfs"
 )
 
 const (

container/path_test.go

@@ -10,8 +10,8 @@ import (
 	"testing"
 	"unsafe"
 
-	"hakurei.app/check"
+	"hakurei.app/container/check"
-	"hakurei.app/vfs"
+	"hakurei.app/container/vfs"
 )
 
 func TestToSysroot(t *testing.T) {

container/seccomp/libseccomp.go

@@ -16,7 +16,6 @@ import (
 	"unsafe"
 
 	"hakurei.app/container/std"
-	"hakurei.app/ext"
 )
 
 // ErrInvalidRules is returned for a zero-length rules slice.
@@ -220,9 +219,9 @@ const (
 
 // syscallResolveName resolves a syscall number by name via seccomp_syscall_resolve_name.
 // This function is only for testing the lookup tables and included here for convenience.
-func syscallResolveName(s string) (num ext.SyscallNum, ok bool) {
+func syscallResolveName(s string) (num std.ScmpSyscall, ok bool) {
 	v := C.CString(s)
-	num = ext.SyscallNum(C.seccomp_syscall_resolve_name(v))
+	num = std.ScmpSyscall(C.seccomp_syscall_resolve_name(v))
 	C.free(unsafe.Pointer(v))
 	ok = num != C.__NR_SCMP_ERROR
 	return

container/seccomp/presets.go

@@ -6,7 +6,6 @@ import (
 	. "syscall"
 
 	. "hakurei.app/container/std"
-	. "hakurei.app/ext"
 )
 
 func Preset(presets FilterPreset, flags ExportFlag) (rules []NativeRule) {

container/seccomp/std_test.go

@@ -6,13 +6,12 @@ import (
 	"unsafe"
 
 	"hakurei.app/container/std"
-	"hakurei.app/ext"
 )
 
 func TestSyscallResolveName(t *testing.T) {
 	t.Parallel()
 
-	for name, want := range ext.Syscalls() {
+	for name, want := range std.Syscalls() {
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
 
@@ -25,10 +24,8 @@ func TestSyscallResolveName(t *testing.T) {
 }
 
 func TestRuleType(t *testing.T) {
-	assertKind[ext.Uint, scmpUint](t)
+	assertKind[std.Uint, scmpUint](t)
-	assertOverflow(t, ext.Uint(ext.MaxUint))
+	assertKind[std.Int, scmpInt](t)
-	assertKind[ext.Int, scmpInt](t)
-	assertOverflow(t, ext.Int(ext.MaxInt))
 
 	assertSize[std.NativeRule, syscallRule](t)
 	assertKind[std.ScmpDatum, scmpDatum](t)
@@ -64,14 +61,3 @@ func assertKind[native, equivalent any](t *testing.T) {
 		t.Fatalf("%s: %s, want %s", nativeType.Name(), nativeType.Kind(), equivalentType.Kind())
 	}
 }
-
-// assertOverflow asserts that incrementing m overflows.
-func assertOverflow[T ~int32 | ~uint32](t *testing.T, m T) {
-	t.Helper()
-
-	old := m
-	m++
-	if m > old {
-		t.Fatalf("unexpected value %#x", m)
-	}
-}

container/std/mksysnum_linux.pl

@@ -19,11 +19,11 @@ print <<EOF;
 // $command
 // Code generated by the command above; DO NOT EDIT.
 
-package ext
+package std
 
 import . "syscall"
 
-var syscallNum = map[string]SyscallNum{
+var syscallNum = map[string]ScmpSyscall{
 EOF
 
 my $offset = 0;
@@ -45,7 +45,7 @@ sub fmt {
 		print "	\"$name\": SNR_$name_upper,\n";
 	}
 	elsif($state == 1){
-		print " SNR_$name_upper SyscallNum = SYS_$name_upper\n";
+		print " SNR_$name_upper ScmpSyscall = SYS_$name_upper\n";
 	}
 	else{
 		return;

container/std/pnr.go

@@ -1,6 +1,6 @@
 // Code generated from include/seccomp-syscalls.h; DO NOT EDIT.
 
-package ext
+package std
 
 /*
  * pseudo syscall definitions

container/std/seccomp.go

@@ -1,20 +1,34 @@
 package std
 
-import "hakurei.app/ext"
+import (
+	"encoding/json"
+	"strconv"
+)
 
 type (
+	// ScmpUint is equivalent to C.uint.
+	//
+	// Deprecated: This type has been renamed to Uint and will be removed in 0.4.
+	ScmpUint = Uint
+	// ScmpInt is equivalent to C.int.
+	//
+	// Deprecated: This type has been renamed to Int and will be removed in 0.4.
+	ScmpInt = Int
+
+	// ScmpSyscall represents a syscall number passed to libseccomp via [NativeRule.Syscall].
+	ScmpSyscall Int
 	// ScmpErrno represents an errno value passed to libseccomp via [NativeRule.Errno].
-	ScmpErrno = ext.Int
+	ScmpErrno Int
 
 	// ScmpCompare is equivalent to enum scmp_compare;
-	ScmpCompare = ext.Uint
+	ScmpCompare Uint
 	// ScmpDatum is equivalent to scmp_datum_t.
-	ScmpDatum = uint64
+	ScmpDatum uint64
 
 	// ScmpArgCmp is equivalent to struct scmp_arg_cmp.
 	ScmpArgCmp struct {
 		// argument number, starting at 0
-		Arg ext.Uint `json:"arg"`
+		Arg Uint `json:"arg"`
 		// the comparison op, e.g. SCMP_CMP_*
 		Op ScmpCompare `json:"op"`
 
@@ -25,10 +39,42 @@ type (
 	// A NativeRule specifies an arch-specific action taken by seccomp under certain conditions.
 	NativeRule struct {
 		// Syscall is the arch-dependent syscall number to act against.
-		Syscall ext.SyscallNum `json:"syscall"`
+		Syscall ScmpSyscall `json:"syscall"`
 		// Errno is the errno value to return when the condition is satisfied.
 		Errno ScmpErrno `json:"errno"`
 		// Arg is the optional struct scmp_arg_cmp passed to libseccomp.
 		Arg *ScmpArgCmp `json:"arg,omitempty"`
 	}
 )
+
+// MarshalJSON resolves the name of [ScmpSyscall] and encodes it as a [json] string.
+// If such a name does not exist, the syscall number is encoded instead.
+func (num *ScmpSyscall) MarshalJSON() ([]byte, error) {
+	n := *num
+	for name, cur := range Syscalls() {
+		if cur == n {
+			return json.Marshal(name)
+		}
+	}
+	return json.Marshal(n)
+}
+
+// SyscallNameError is returned when trying to unmarshal an invalid syscall name into [ScmpSyscall].
+type SyscallNameError string
+
+func (e SyscallNameError) Error() string { return "invalid syscall name " + strconv.Quote(string(e)) }
+
+// UnmarshalJSON looks up the syscall number corresponding to name encoded in data
+// by calling [SyscallResolveName].
+func (num *ScmpSyscall) UnmarshalJSON(data []byte) error {
+	var name string
+	if err := json.Unmarshal(data, &name); err != nil {
+		return err
+	}
+	if n, ok := SyscallResolveName(name); !ok {
+		return SyscallNameError(name)
+	} else {
+		*num = n
+		return nil
+	}
+}

container/std/seccomp_test.go

@@ -1,4 +1,4 @@
-package ext_test
+package std_test
 
 import (
 	"encoding/json"
@@ -7,39 +7,39 @@ import (
 	"reflect"
 	"testing"
 
-	"hakurei.app/ext"
+	"hakurei.app/container/std"
 )
 
-func TestSyscall(t *testing.T) {
+func TestScmpSyscall(t *testing.T) {
 	t.Parallel()
 
 	testCases := []struct {
 		name string
 		data string
-		want ext.SyscallNum
+		want std.ScmpSyscall
 		err  error
 	}{
-		{"epoll_create1", `"epoll_create1"`, ext.SNR_EPOLL_CREATE1, nil},
+		{"epoll_create1", `"epoll_create1"`, std.SNR_EPOLL_CREATE1, nil},
-		{"clone3", `"clone3"`, ext.SNR_CLONE3, nil},
+		{"clone3", `"clone3"`, std.SNR_CLONE3, nil},
 
 		{"oob", `-2147483647`, -math.MaxInt32,
 			&json.UnmarshalTypeError{Value: "number", Type: reflect.TypeFor[string](), Offset: 11}},
 		{"name", `"nonexistent_syscall"`, -math.MaxInt32,
-			ext.SyscallNameError("nonexistent_syscall")},
+			std.SyscallNameError("nonexistent_syscall")},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 
 			t.Run("decode", func(t *testing.T) {
-				var got ext.SyscallNum
+				var got std.ScmpSyscall
 				if err := json.Unmarshal([]byte(tc.data), &got); !reflect.DeepEqual(err, tc.err) {
 					t.Fatalf("Unmarshal: error = %#v, want %#v", err, tc.err)
 				} else if err == nil && got != tc.want {
 					t.Errorf("Unmarshal: %v, want %v", got, tc.want)
 				}
 			})
-			if errors.As(tc.err, new(ext.SyscallNameError)) {
+			if errors.As(tc.err, new(std.SyscallNameError)) {
 				return
 			}
 
@@ -55,22 +55,8 @@ func TestSyscall(t *testing.T) {
 
 	t.Run("error", func(t *testing.T) {
 		const want = `invalid syscall name "\x00"`
-		if got := ext.SyscallNameError("\x00").Error(); got != want {
+		if got := std.SyscallNameError("\x00").Error(); got != want {
 			t.Fatalf("Error: %q, want %q", got, want)
 		}
 	})
 }
-
-func TestSyscallResolveName(t *testing.T) {
-	t.Parallel()
-
-	for name, want := range ext.Syscalls() {
-		t.Run(name, func(t *testing.T) {
-			t.Parallel()
-
-			if got, ok := ext.SyscallResolveName(name); !ok || got != want {
-				t.Errorf("SyscallResolveName(%q) = %d, want %d", name, got, want)
-			}
-		})
-	}
-}

container/std/syscall.go

@@ -0,0 +1,28 @@
+package std
+
+import "iter"
+
+// Syscalls returns an iterator over all wired syscalls.
+func Syscalls() iter.Seq2[string, ScmpSyscall] {
+	return func(yield func(string, ScmpSyscall) bool) {
+		for name, num := range syscallNum {
+			if !yield(name, num) {
+				return
+			}
+		}
+		for name, num := range syscallNumExtra {
+			if !yield(name, num) {
+				return
+			}
+		}
+	}
+}
+
+// SyscallResolveName resolves a syscall number from its string representation.
+func SyscallResolveName(name string) (num ScmpSyscall, ok bool) {
+	if num, ok = syscallNum[name]; ok {
+		return
+	}
+	num, ok = syscallNumExtra[name]
+	return
+}

container/std/syscall_extra_linux_386.go

@@ -0,0 +1,13 @@
+package std
+
+var syscallNumExtra = map[string]ScmpSyscall{
+	"kexec_file_load": SNR_KEXEC_FILE_LOAD,
+	"subpage_prot":    SNR_SUBPAGE_PROT,
+	"switch_endian":   SNR_SWITCH_ENDIAN,
+}
+
+const (
+	SNR_KEXEC_FILE_LOAD ScmpSyscall = __PNR_kexec_file_load
+	SNR_SUBPAGE_PROT    ScmpSyscall = __PNR_subpage_prot
+	SNR_SWITCH_ENDIAN   ScmpSyscall = __PNR_switch_endian
+)

container/std/syscall_extra_linux_amd64.go

@@ -0,0 +1,41 @@
+package std
+
+var syscallNumExtra = map[string]ScmpSyscall{
+	"umount":          SNR_UMOUNT,
+	"subpage_prot":    SNR_SUBPAGE_PROT,
+	"switch_endian":   SNR_SWITCH_ENDIAN,
+	"vm86":            SNR_VM86,
+	"vm86old":         SNR_VM86OLD,
+	"clock_adjtime64": SNR_CLOCK_ADJTIME64,
+	"clock_settime64": SNR_CLOCK_SETTIME64,
+	"chown32":         SNR_CHOWN32,
+	"fchown32":        SNR_FCHOWN32,
+	"lchown32":        SNR_LCHOWN32,
+	"setgid32":        SNR_SETGID32,
+	"setgroups32":     SNR_SETGROUPS32,
+	"setregid32":      SNR_SETREGID32,
+	"setresgid32":     SNR_SETRESGID32,
+	"setresuid32":     SNR_SETRESUID32,
+	"setreuid32":      SNR_SETREUID32,
+	"setuid32":        SNR_SETUID32,
+}
+
+const (
+	SNR_UMOUNT          ScmpSyscall = __PNR_umount
+	SNR_SUBPAGE_PROT    ScmpSyscall = __PNR_subpage_prot
+	SNR_SWITCH_ENDIAN   ScmpSyscall = __PNR_switch_endian
+	SNR_VM86            ScmpSyscall = __PNR_vm86
+	SNR_VM86OLD         ScmpSyscall = __PNR_vm86old
+	SNR_CLOCK_ADJTIME64 ScmpSyscall = __PNR_clock_adjtime64
+	SNR_CLOCK_SETTIME64 ScmpSyscall = __PNR_clock_settime64
+	SNR_CHOWN32         ScmpSyscall = __PNR_chown32
+	SNR_FCHOWN32        ScmpSyscall = __PNR_fchown32
+	SNR_LCHOWN32        ScmpSyscall = __PNR_lchown32
+	SNR_SETGID32        ScmpSyscall = __PNR_setgid32
+	SNR_SETGROUPS32     ScmpSyscall = __PNR_setgroups32
+	SNR_SETREGID32      ScmpSyscall = __PNR_setregid32
+	SNR_SETRESGID32     ScmpSyscall = __PNR_setresgid32
+	SNR_SETRESUID32     ScmpSyscall = __PNR_setresuid32
+	SNR_SETREUID32      ScmpSyscall = __PNR_setreuid32
+	SNR_SETUID32        ScmpSyscall = __PNR_setuid32
+)

container/std/syscall_extra_linux_arm64.go

@@ -0,0 +1,55 @@
+package std
+
+import "syscall"
+
+const (
+	SYS_NEWFSTATAT = syscall.SYS_FSTATAT
+)
+
+var syscallNumExtra = map[string]ScmpSyscall{
+	"uselib":          SNR_USELIB,
+	"clock_adjtime64": SNR_CLOCK_ADJTIME64,
+	"clock_settime64": SNR_CLOCK_SETTIME64,
+	"umount":          SNR_UMOUNT,
+	"chown":           SNR_CHOWN,
+	"chown32":         SNR_CHOWN32,
+	"fchown32":        SNR_FCHOWN32,
+	"lchown":          SNR_LCHOWN,
+	"lchown32":        SNR_LCHOWN32,
+	"setgid32":        SNR_SETGID32,
+	"setgroups32":     SNR_SETGROUPS32,
+	"setregid32":      SNR_SETREGID32,
+	"setresgid32":     SNR_SETRESGID32,
+	"setresuid32":     SNR_SETRESUID32,
+	"setreuid32":      SNR_SETREUID32,
+	"setuid32":        SNR_SETUID32,
+	"modify_ldt":      SNR_MODIFY_LDT,
+	"subpage_prot":    SNR_SUBPAGE_PROT,
+	"switch_endian":   SNR_SWITCH_ENDIAN,
+	"vm86":            SNR_VM86,
+	"vm86old":         SNR_VM86OLD,
+}
+
+const (
+	SNR_USELIB          ScmpSyscall = __PNR_uselib
+	SNR_CLOCK_ADJTIME64 ScmpSyscall = __PNR_clock_adjtime64
+	SNR_CLOCK_SETTIME64 ScmpSyscall = __PNR_clock_settime64
+	SNR_UMOUNT          ScmpSyscall = __PNR_umount
+	SNR_CHOWN           ScmpSyscall = __PNR_chown
+	SNR_CHOWN32         ScmpSyscall = __PNR_chown32
+	SNR_FCHOWN32        ScmpSyscall = __PNR_fchown32
+	SNR_LCHOWN          ScmpSyscall = __PNR_lchown
+	SNR_LCHOWN32        ScmpSyscall = __PNR_lchown32
+	SNR_SETGID32        ScmpSyscall = __PNR_setgid32
+	SNR_SETGROUPS32     ScmpSyscall = __PNR_setgroups32
+	SNR_SETREGID32      ScmpSyscall = __PNR_setregid32
+	SNR_SETRESGID32     ScmpSyscall = __PNR_setresgid32
+	SNR_SETRESUID32     ScmpSyscall = __PNR_setresuid32
+	SNR_SETREUID32      ScmpSyscall = __PNR_setreuid32
+	SNR_SETUID32        ScmpSyscall = __PNR_setuid32
+	SNR_MODIFY_LDT      ScmpSyscall = __PNR_modify_ldt
+	SNR_SUBPAGE_PROT    ScmpSyscall = __PNR_subpage_prot
+	SNR_SWITCH_ENDIAN   ScmpSyscall = __PNR_switch_endian
+	SNR_VM86            ScmpSyscall = __PNR_vm86
+	SNR_VM86OLD         ScmpSyscall = __PNR_vm86old
+)

container/std/syscall_extra_linux_riscv64.go

@@ -0,0 +1,55 @@
+package std
+
+import "syscall"
+
+const (
+	SYS_NEWFSTATAT = syscall.SYS_FSTATAT
+)
+
+var syscallNumExtra = map[string]ScmpSyscall{
+	"uselib":          SNR_USELIB,
+	"clock_adjtime64": SNR_CLOCK_ADJTIME64,
+	"clock_settime64": SNR_CLOCK_SETTIME64,
+	"umount":          SNR_UMOUNT,
+	"chown":           SNR_CHOWN,
+	"chown32":         SNR_CHOWN32,
+	"fchown32":        SNR_FCHOWN32,
+	"lchown":          SNR_LCHOWN,
+	"lchown32":        SNR_LCHOWN32,
+	"setgid32":        SNR_SETGID32,
+	"setgroups32":     SNR_SETGROUPS32,
+	"setregid32":      SNR_SETREGID32,
+	"setresgid32":     SNR_SETRESGID32,
+	"setresuid32":     SNR_SETRESUID32,
+	"setreuid32":      SNR_SETREUID32,
+	"setuid32":        SNR_SETUID32,
+	"modify_ldt":      SNR_MODIFY_LDT,
+	"subpage_prot":    SNR_SUBPAGE_PROT,
+	"switch_endian":   SNR_SWITCH_ENDIAN,
+	"vm86":            SNR_VM86,
+	"vm86old":         SNR_VM86OLD,
+}
+
+const (
+	SNR_USELIB          ScmpSyscall = __PNR_uselib
+	SNR_CLOCK_ADJTIME64 ScmpSyscall = __PNR_clock_adjtime64
+	SNR_CLOCK_SETTIME64 ScmpSyscall = __PNR_clock_settime64
+	SNR_UMOUNT          ScmpSyscall = __PNR_umount
+	SNR_CHOWN           ScmpSyscall = __PNR_chown
+	SNR_CHOWN32         ScmpSyscall = __PNR_chown32
+	SNR_FCHOWN32        ScmpSyscall = __PNR_fchown32
+	SNR_LCHOWN          ScmpSyscall = __PNR_lchown
+	SNR_LCHOWN32        ScmpSyscall = __PNR_lchown32
+	SNR_SETGID32        ScmpSyscall = __PNR_setgid32
+	SNR_SETGROUPS32     ScmpSyscall = __PNR_setgroups32
+	SNR_SETREGID32      ScmpSyscall = __PNR_setregid32
+	SNR_SETRESGID32     ScmpSyscall = __PNR_setresgid32
+	SNR_SETRESUID32     ScmpSyscall = __PNR_setresuid32
+	SNR_SETREUID32      ScmpSyscall = __PNR_setreuid32
+	SNR_SETUID32        ScmpSyscall = __PNR_setuid32
+	SNR_MODIFY_LDT      ScmpSyscall = __PNR_modify_ldt
+	SNR_SUBPAGE_PROT    ScmpSyscall = __PNR_subpage_prot
+	SNR_SWITCH_ENDIAN   ScmpSyscall = __PNR_switch_endian
+	SNR_VM86            ScmpSyscall = __PNR_vm86
+	SNR_VM86OLD         ScmpSyscall = __PNR_vm86old
+)

container/std/syscall_linux_amd64.go

@@ -0,0 +1,837 @@
+// mksysnum_linux.pl /usr/include/asm/unistd_64.h
+// Code generated by the command above; DO NOT EDIT.
+
+package std
+
+import . "syscall"
+
+var syscallNum = map[string]ScmpSyscall{
+	"read":                    SNR_READ,
+	"write":                   SNR_WRITE,
+	"open":                    SNR_OPEN,
+	"close":                   SNR_CLOSE,
+	"stat":                    SNR_STAT,
+	"fstat":                   SNR_FSTAT,
+	"lstat":                   SNR_LSTAT,
+	"poll":                    SNR_POLL,
+	"lseek":                   SNR_LSEEK,
+	"mmap":                    SNR_MMAP,
+	"mprotect":                SNR_MPROTECT,
+	"munmap":                  SNR_MUNMAP,
+	"brk":                     SNR_BRK,
+	"rt_sigaction":            SNR_RT_SIGACTION,
+	"rt_sigprocmask":          SNR_RT_SIGPROCMASK,
+	"rt_sigreturn":            SNR_RT_SIGRETURN,
+	"ioctl":                   SNR_IOCTL,
+	"pread64":                 SNR_PREAD64,
+	"pwrite64":                SNR_PWRITE64,
+	"readv":                   SNR_READV,
+	"writev":                  SNR_WRITEV,
+	"access":                  SNR_ACCESS,
+	"pipe":                    SNR_PIPE,
+	"select":                  SNR_SELECT,
+	"sched_yield":             SNR_SCHED_YIELD,
+	"mremap":                  SNR_MREMAP,
+	"msync":                   SNR_MSYNC,
+	"mincore":                 SNR_MINCORE,
+	"madvise":                 SNR_MADVISE,
+	"shmget":                  SNR_SHMGET,
+	"shmat":                   SNR_SHMAT,
+	"shmctl":                  SNR_SHMCTL,
+	"dup":                     SNR_DUP,
+	"dup2":                    SNR_DUP2,
+	"pause":                   SNR_PAUSE,
+	"nanosleep":               SNR_NANOSLEEP,
+	"getitimer":               SNR_GETITIMER,
+	"alarm":                   SNR_ALARM,
+	"setitimer":               SNR_SETITIMER,
+	"getpid":                  SNR_GETPID,
+	"sendfile":                SNR_SENDFILE,
+	"socket":                  SNR_SOCKET,
+	"connect":                 SNR_CONNECT,
+	"accept":                  SNR_ACCEPT,
+	"sendto":                  SNR_SENDTO,
+	"recvfrom":                SNR_RECVFROM,
+	"sendmsg":                 SNR_SENDMSG,
+	"recvmsg":                 SNR_RECVMSG,
+	"shutdown":                SNR_SHUTDOWN,
+	"bind":                    SNR_BIND,
+	"listen":                  SNR_LISTEN,
+	"getsockname":             SNR_GETSOCKNAME,
+	"getpeername":             SNR_GETPEERNAME,
+	"socketpair":              SNR_SOCKETPAIR,
+	"setsockopt":              SNR_SETSOCKOPT,
+	"getsockopt":              SNR_GETSOCKOPT,
+	"clone":                   SNR_CLONE,
+	"fork":                    SNR_FORK,
+	"vfork":                   SNR_VFORK,
+	"execve":                  SNR_EXECVE,
+	"exit":                    SNR_EXIT,
+	"wait4":                   SNR_WAIT4,
+	"kill":                    SNR_KILL,
+	"uname":                   SNR_UNAME,
+	"semget":                  SNR_SEMGET,
+	"semop":                   SNR_SEMOP,
+	"semctl":                  SNR_SEMCTL,
+	"shmdt":                   SNR_SHMDT,
+	"msgget":                  SNR_MSGGET,
+	"msgsnd":                  SNR_MSGSND,
+	"msgrcv":                  SNR_MSGRCV,
+	"msgctl":                  SNR_MSGCTL,
+	"fcntl":                   SNR_FCNTL,
+	"flock":                   SNR_FLOCK,
+	"fsync":                   SNR_FSYNC,
+	"fdatasync":               SNR_FDATASYNC,
+	"truncate":                SNR_TRUNCATE,
+	"ftruncate":               SNR_FTRUNCATE,
+	"getdents":                SNR_GETDENTS,
+	"getcwd":                  SNR_GETCWD,
+	"chdir":                   SNR_CHDIR,
+	"fchdir":                  SNR_FCHDIR,
+	"rename":                  SNR_RENAME,
+	"mkdir":                   SNR_MKDIR,
+	"rmdir":                   SNR_RMDIR,
+	"creat":                   SNR_CREAT,
+	"link":                    SNR_LINK,
+	"unlink":                  SNR_UNLINK,
+	"symlink":                 SNR_SYMLINK,
+	"readlink":                SNR_READLINK,
+	"chmod":                   SNR_CHMOD,
+	"fchmod":                  SNR_FCHMOD,
+	"chown":                   SNR_CHOWN,
+	"fchown":                  SNR_FCHOWN,
+	"lchown":                  SNR_LCHOWN,
+	"umask":                   SNR_UMASK,
+	"gettimeofday":            SNR_GETTIMEOFDAY,
+	"getrlimit":               SNR_GETRLIMIT,
+	"getrusage":               SNR_GETRUSAGE,
+	"sysinfo":                 SNR_SYSINFO,
+	"times":                   SNR_TIMES,
+	"ptrace":                  SNR_PTRACE,
+	"getuid":                  SNR_GETUID,
+	"syslog":                  SNR_SYSLOG,
+	"getgid":                  SNR_GETGID,
+	"setuid":                  SNR_SETUID,
+	"setgid":                  SNR_SETGID,
+	"geteuid":                 SNR_GETEUID,
+	"getegid":                 SNR_GETEGID,
+	"setpgid":                 SNR_SETPGID,
+	"getppid":                 SNR_GETPPID,
+	"getpgrp":                 SNR_GETPGRP,
+	"setsid":                  SNR_SETSID,
+	"setreuid":                SNR_SETREUID,
+	"setregid":                SNR_SETREGID,
+	"getgroups":               SNR_GETGROUPS,
+	"setgroups":               SNR_SETGROUPS,
+	"setresuid":               SNR_SETRESUID,
+	"getresuid":               SNR_GETRESUID,
+	"setresgid":               SNR_SETRESGID,
+	"getresgid":               SNR_GETRESGID,
+	"getpgid":                 SNR_GETPGID,
+	"setfsuid":                SNR_SETFSUID,
+	"setfsgid":                SNR_SETFSGID,
+	"getsid":                  SNR_GETSID,
+	"capget":                  SNR_CAPGET,
+	"capset":                  SNR_CAPSET,
+	"rt_sigpending":           SNR_RT_SIGPENDING,
+	"rt_sigtimedwait":         SNR_RT_SIGTIMEDWAIT,
+	"rt_sigqueueinfo":         SNR_RT_SIGQUEUEINFO,
+	"rt_sigsuspend":           SNR_RT_SIGSUSPEND,
+	"sigaltstack":             SNR_SIGALTSTACK,
+	"utime":                   SNR_UTIME,
+	"mknod":                   SNR_MKNOD,
+	"uselib":                  SNR_USELIB,
+	"personality":             SNR_PERSONALITY,
+	"ustat":                   SNR_USTAT,
+	"statfs":                  SNR_STATFS,
+	"fstatfs":                 SNR_FSTATFS,
+	"sysfs":                   SNR_SYSFS,
+	"getpriority":             SNR_GETPRIORITY,
+	"setpriority":             SNR_SETPRIORITY,
+	"sched_setparam":          SNR_SCHED_SETPARAM,
+	"sched_getparam":          SNR_SCHED_GETPARAM,
+	"sched_setscheduler":      SNR_SCHED_SETSCHEDULER,
+	"sched_getscheduler":      SNR_SCHED_GETSCHEDULER,
+	"sched_get_priority_max":  SNR_SCHED_GET_PRIORITY_MAX,
+	"sched_get_priority_min":  SNR_SCHED_GET_PRIORITY_MIN,
+	"sched_rr_get_interval":   SNR_SCHED_RR_GET_INTERVAL,
+	"mlock":                   SNR_MLOCK,
+	"munlock":                 SNR_MUNLOCK,
+	"mlockall":                SNR_MLOCKALL,
+	"munlockall":              SNR_MUNLOCKALL,
+	"vhangup":                 SNR_VHANGUP,
+	"modify_ldt":              SNR_MODIFY_LDT,
+	"pivot_root":              SNR_PIVOT_ROOT,
+	"_sysctl":                 SNR__SYSCTL,
+	"prctl":                   SNR_PRCTL,
+	"arch_prctl":              SNR_ARCH_PRCTL,
+	"adjtimex":                SNR_ADJTIMEX,
+	"setrlimit":               SNR_SETRLIMIT,
+	"chroot":                  SNR_CHROOT,
+	"sync":                    SNR_SYNC,
+	"acct":                    SNR_ACCT,
+	"settimeofday":            SNR_SETTIMEOFDAY,
+	"mount":                   SNR_MOUNT,
+	"umount2":                 SNR_UMOUNT2,
+	"swapon":                  SNR_SWAPON,
+	"swapoff":                 SNR_SWAPOFF,
+	"reboot":                  SNR_REBOOT,
+	"sethostname":             SNR_SETHOSTNAME,
+	"setdomainname":           SNR_SETDOMAINNAME,
+	"iopl":                    SNR_IOPL,
+	"ioperm":                  SNR_IOPERM,
+	"create_module":           SNR_CREATE_MODULE,
+	"init_module":             SNR_INIT_MODULE,
+	"delete_module":           SNR_DELETE_MODULE,
+	"get_kernel_syms":         SNR_GET_KERNEL_SYMS,
+	"query_module":            SNR_QUERY_MODULE,
+	"quotactl":                SNR_QUOTACTL,
+	"nfsservctl":              SNR_NFSSERVCTL,
+	"getpmsg":                 SNR_GETPMSG,
+	"putpmsg":                 SNR_PUTPMSG,
+	"afs_syscall":             SNR_AFS_SYSCALL,
+	"tuxcall":                 SNR_TUXCALL,
+	"security":                SNR_SECURITY,
+	"gettid":                  SNR_GETTID,
+	"readahead":               SNR_READAHEAD,
+	"setxattr":                SNR_SETXATTR,
+	"lsetxattr":               SNR_LSETXATTR,
+	"fsetxattr":               SNR_FSETXATTR,
+	"getxattr":                SNR_GETXATTR,
+	"lgetxattr":               SNR_LGETXATTR,
+	"fgetxattr":               SNR_FGETXATTR,
+	"listxattr":               SNR_LISTXATTR,
+	"llistxattr":              SNR_LLISTXATTR,
+	"flistxattr":              SNR_FLISTXATTR,
+	"removexattr":             SNR_REMOVEXATTR,
+	"lremovexattr":            SNR_LREMOVEXATTR,
+	"fremovexattr":            SNR_FREMOVEXATTR,
+	"tkill":                   SNR_TKILL,
+	"time":                    SNR_TIME,
+	"futex":                   SNR_FUTEX,
+	"sched_setaffinity":       SNR_SCHED_SETAFFINITY,
+	"sched_getaffinity":       SNR_SCHED_GETAFFINITY,
+	"set_thread_area":         SNR_SET_THREAD_AREA,
+	"io_setup":                SNR_IO_SETUP,
+	"io_destroy":              SNR_IO_DESTROY,
+	"io_getevents":            SNR_IO_GETEVENTS,
+	"io_submit":               SNR_IO_SUBMIT,
+	"io_cancel":               SNR_IO_CANCEL,
+	"get_thread_area":         SNR_GET_THREAD_AREA,
+	"lookup_dcookie":          SNR_LOOKUP_DCOOKIE,
+	"epoll_create":            SNR_EPOLL_CREATE,
+	"epoll_ctl_old":           SNR_EPOLL_CTL_OLD,
+	"epoll_wait_old":          SNR_EPOLL_WAIT_OLD,
+	"remap_file_pages":        SNR_REMAP_FILE_PAGES,
+	"getdents64":              SNR_GETDENTS64,
+	"set_tid_address":         SNR_SET_TID_ADDRESS,
+	"restart_syscall":         SNR_RESTART_SYSCALL,
+	"semtimedop":              SNR_SEMTIMEDOP,
+	"fadvise64":               SNR_FADVISE64,
+	"timer_create":            SNR_TIMER_CREATE,
+	"timer_settime":           SNR_TIMER_SETTIME,
+	"timer_gettime":           SNR_TIMER_GETTIME,
+	"timer_getoverrun":        SNR_TIMER_GETOVERRUN,
+	"timer_delete":            SNR_TIMER_DELETE,
+	"clock_settime":           SNR_CLOCK_SETTIME,
+	"clock_gettime":           SNR_CLOCK_GETTIME,
+	"clock_getres":            SNR_CLOCK_GETRES,
+	"clock_nanosleep":         SNR_CLOCK_NANOSLEEP,
+	"exit_group":              SNR_EXIT_GROUP,
+	"epoll_wait":              SNR_EPOLL_WAIT,
+	"epoll_ctl":               SNR_EPOLL_CTL,
+	"tgkill":                  SNR_TGKILL,
+	"utimes":                  SNR_UTIMES,
+	"vserver":                 SNR_VSERVER,
+	"mbind":                   SNR_MBIND,
+	"set_mempolicy":           SNR_SET_MEMPOLICY,
+	"get_mempolicy":           SNR_GET_MEMPOLICY,
+	"mq_open":                 SNR_MQ_OPEN,
+	"mq_unlink":               SNR_MQ_UNLINK,
+	"mq_timedsend":            SNR_MQ_TIMEDSEND,
+	"mq_timedreceive":         SNR_MQ_TIMEDRECEIVE,
+	"mq_notify":               SNR_MQ_NOTIFY,
+	"mq_getsetattr":           SNR_MQ_GETSETATTR,
+	"kexec_load":              SNR_KEXEC_LOAD,
+	"waitid":                  SNR_WAITID,
+	"add_key":                 SNR_ADD_KEY,
+	"request_key":             SNR_REQUEST_KEY,
+	"keyctl":                  SNR_KEYCTL,
+	"ioprio_set":              SNR_IOPRIO_SET,
+	"ioprio_get":              SNR_IOPRIO_GET,
+	"inotify_init":            SNR_INOTIFY_INIT,
+	"inotify_add_watch":       SNR_INOTIFY_ADD_WATCH,
+	"inotify_rm_watch":        SNR_INOTIFY_RM_WATCH,
+	"migrate_pages":           SNR_MIGRATE_PAGES,
+	"openat":                  SNR_OPENAT,
+	"mkdirat":                 SNR_MKDIRAT,
+	"mknodat":                 SNR_MKNODAT,
+	"fchownat":                SNR_FCHOWNAT,
+	"futimesat":               SNR_FUTIMESAT,
+	"newfstatat":              SNR_NEWFSTATAT,
+	"unlinkat":                SNR_UNLINKAT,
+	"renameat":                SNR_RENAMEAT,
+	"linkat":                  SNR_LINKAT,
+	"symlinkat":               SNR_SYMLINKAT,
+	"readlinkat":              SNR_READLINKAT,
+	"fchmodat":                SNR_FCHMODAT,
+	"faccessat":               SNR_FACCESSAT,
+	"pselect6":                SNR_PSELECT6,
+	"ppoll":                   SNR_PPOLL,
+	"unshare":                 SNR_UNSHARE,
+	"set_robust_list":         SNR_SET_ROBUST_LIST,
+	"get_robust_list":         SNR_GET_ROBUST_LIST,
+	"splice":                  SNR_SPLICE,
+	"tee":                     SNR_TEE,
+	"sync_file_range":         SNR_SYNC_FILE_RANGE,
+	"vmsplice":                SNR_VMSPLICE,
+	"move_pages":              SNR_MOVE_PAGES,
+	"utimensat":               SNR_UTIMENSAT,
+	"epoll_pwait":             SNR_EPOLL_PWAIT,
+	"signalfd":                SNR_SIGNALFD,
+	"timerfd_create":          SNR_TIMERFD_CREATE,
+	"eventfd":                 SNR_EVENTFD,
+	"fallocate":               SNR_FALLOCATE,
+	"timerfd_settime":         SNR_TIMERFD_SETTIME,
+	"timerfd_gettime":         SNR_TIMERFD_GETTIME,
+	"accept4":                 SNR_ACCEPT4,
+	"signalfd4":               SNR_SIGNALFD4,
+	"eventfd2":                SNR_EVENTFD2,
+	"epoll_create1":           SNR_EPOLL_CREATE1,
+	"dup3":                    SNR_DUP3,
+	"pipe2":                   SNR_PIPE2,
+	"inotify_init1":           SNR_INOTIFY_INIT1,
+	"preadv":                  SNR_PREADV,
+	"pwritev":                 SNR_PWRITEV,
+	"rt_tgsigqueueinfo":       SNR_RT_TGSIGQUEUEINFO,
+	"perf_event_open":         SNR_PERF_EVENT_OPEN,
+	"recvmmsg":                SNR_RECVMMSG,
+	"fanotify_init":           SNR_FANOTIFY_INIT,
+	"fanotify_mark":           SNR_FANOTIFY_MARK,
+	"prlimit64":               SNR_PRLIMIT64,
+	"name_to_handle_at":       SNR_NAME_TO_HANDLE_AT,
+	"open_by_handle_at":       SNR_OPEN_BY_HANDLE_AT,
+	"clock_adjtime":           SNR_CLOCK_ADJTIME,
+	"syncfs":                  SNR_SYNCFS,
+	"sendmmsg":                SNR_SENDMMSG,
+	"setns":                   SNR_SETNS,
+	"getcpu":                  SNR_GETCPU,
+	"process_vm_readv":        SNR_PROCESS_VM_READV,
+	"process_vm_writev":       SNR_PROCESS_VM_WRITEV,
+	"kcmp":                    SNR_KCMP,
+	"finit_module":            SNR_FINIT_MODULE,
+	"sched_setattr":           SNR_SCHED_SETATTR,
+	"sched_getattr":           SNR_SCHED_GETATTR,
+	"renameat2":               SNR_RENAMEAT2,
+	"seccomp":                 SNR_SECCOMP,
+	"getrandom":               SNR_GETRANDOM,
+	"memfd_create":            SNR_MEMFD_CREATE,
+	"kexec_file_load":         SNR_KEXEC_FILE_LOAD,
+	"bpf":                     SNR_BPF,
+	"execveat":                SNR_EXECVEAT,
+	"userfaultfd":             SNR_USERFAULTFD,
+	"membarrier":              SNR_MEMBARRIER,
+	"mlock2":                  SNR_MLOCK2,
+	"copy_file_range":         SNR_COPY_FILE_RANGE,
+	"preadv2":                 SNR_PREADV2,
+	"pwritev2":                SNR_PWRITEV2,
+	"pkey_mprotect":           SNR_PKEY_MPROTECT,
+	"pkey_alloc":              SNR_PKEY_ALLOC,
+	"pkey_free":               SNR_PKEY_FREE,
+	"statx":                   SNR_STATX,
+	"io_pgetevents":           SNR_IO_PGETEVENTS,
+	"rseq":                    SNR_RSEQ,
+	"uretprobe":               SNR_URETPROBE,
+	"pidfd_send_signal":       SNR_PIDFD_SEND_SIGNAL,
+	"io_uring_setup":          SNR_IO_URING_SETUP,
+	"io_uring_enter":          SNR_IO_URING_ENTER,
+	"io_uring_register":       SNR_IO_URING_REGISTER,
+	"open_tree":               SNR_OPEN_TREE,
+	"move_mount":              SNR_MOVE_MOUNT,
+	"fsopen":                  SNR_FSOPEN,
+	"fsconfig":                SNR_FSCONFIG,
+	"fsmount":                 SNR_FSMOUNT,
+	"fspick":                  SNR_FSPICK,
+	"pidfd_open":              SNR_PIDFD_OPEN,
+	"clone3":                  SNR_CLONE3,
+	"close_range":             SNR_CLOSE_RANGE,
+	"openat2":                 SNR_OPENAT2,
+	"pidfd_getfd":             SNR_PIDFD_GETFD,
+	"faccessat2":              SNR_FACCESSAT2,
+	"process_madvise":         SNR_PROCESS_MADVISE,
+	"epoll_pwait2":            SNR_EPOLL_PWAIT2,
+	"mount_setattr":           SNR_MOUNT_SETATTR,
+	"quotactl_fd":             SNR_QUOTACTL_FD,
+	"landlock_create_ruleset": SNR_LANDLOCK_CREATE_RULESET,
+	"landlock_add_rule":       SNR_LANDLOCK_ADD_RULE,
+	"landlock_restrict_self":  SNR_LANDLOCK_RESTRICT_SELF,
+	"memfd_secret":            SNR_MEMFD_SECRET,
+	"process_mrelease":        SNR_PROCESS_MRELEASE,
+	"futex_waitv":             SNR_FUTEX_WAITV,
+	"set_mempolicy_home_node": SNR_SET_MEMPOLICY_HOME_NODE,
+	"cachestat":               SNR_CACHESTAT,
+	"fchmodat2":               SNR_FCHMODAT2,
+	"map_shadow_stack":        SNR_MAP_SHADOW_STACK,
+	"futex_wake":              SNR_FUTEX_WAKE,
+	"futex_wait":              SNR_FUTEX_WAIT,
+	"futex_requeue":           SNR_FUTEX_REQUEUE,
+	"statmount":               SNR_STATMOUNT,
+	"listmount":               SNR_LISTMOUNT,
+	"lsm_get_self_attr":       SNR_LSM_GET_SELF_ATTR,
+	"lsm_set_self_attr":       SNR_LSM_SET_SELF_ATTR,
+	"lsm_list_modules":        SNR_LSM_LIST_MODULES,
+	"mseal":                   SNR_MSEAL,
+}
+
+const (
+	SYS_NAME_TO_HANDLE_AT       = 303
+	SYS_OPEN_BY_HANDLE_AT       = 304
+	SYS_CLOCK_ADJTIME           = 305
+	SYS_SYNCFS                  = 306
+	SYS_SENDMMSG                = 307
+	SYS_SETNS                   = 308
+	SYS_GETCPU                  = 309
+	SYS_PROCESS_VM_READV        = 310
+	SYS_PROCESS_VM_WRITEV       = 311
+	SYS_KCMP                    = 312
+	SYS_FINIT_MODULE            = 313
+	SYS_SCHED_SETATTR           = 314
+	SYS_SCHED_GETATTR           = 315
+	SYS_RENAMEAT2               = 316
+	SYS_SECCOMP                 = 317
+	SYS_GETRANDOM               = 318
+	SYS_MEMFD_CREATE            = 319
+	SYS_KEXEC_FILE_LOAD         = 320
+	SYS_BPF                     = 321
+	SYS_EXECVEAT                = 322
+	SYS_USERFAULTFD             = 323
+	SYS_MEMBARRIER              = 324
+	SYS_MLOCK2                  = 325
+	SYS_COPY_FILE_RANGE         = 326
+	SYS_PREADV2                 = 327
+	SYS_PWRITEV2                = 328
+	SYS_PKEY_MPROTECT           = 329
+	SYS_PKEY_ALLOC              = 330
+	SYS_PKEY_FREE               = 331
+	SYS_STATX                   = 332
+	SYS_IO_PGETEVENTS           = 333
+	SYS_RSEQ                    = 334
+	SYS_URETPROBE               = 335
+	SYS_PIDFD_SEND_SIGNAL       = 424
+	SYS_IO_URING_SETUP          = 425
+	SYS_IO_URING_ENTER          = 426
+	SYS_IO_URING_REGISTER       = 427
+	SYS_OPEN_TREE               = 428
+	SYS_MOVE_MOUNT              = 429
+	SYS_FSOPEN                  = 430
+	SYS_FSCONFIG                = 431
+	SYS_FSMOUNT                 = 432
+	SYS_FSPICK                  = 433
+	SYS_PIDFD_OPEN              = 434
+	SYS_CLONE3                  = 435
+	SYS_CLOSE_RANGE             = 436
+	SYS_OPENAT2                 = 437
+	SYS_PIDFD_GETFD             = 438
+	SYS_FACCESSAT2              = 439
+	SYS_PROCESS_MADVISE         = 440
+	SYS_EPOLL_PWAIT2            = 441
+	SYS_MOUNT_SETATTR           = 442
+	SYS_QUOTACTL_FD             = 443
+	SYS_LANDLOCK_CREATE_RULESET = 444
+	SYS_LANDLOCK_ADD_RULE       = 445
+	SYS_LANDLOCK_RESTRICT_SELF  = 446
+	SYS_MEMFD_SECRET            = 447
+	SYS_PROCESS_MRELEASE        = 448
+	SYS_FUTEX_WAITV             = 449
+	SYS_SET_MEMPOLICY_HOME_NODE = 450
+	SYS_CACHESTAT               = 451
+	SYS_FCHMODAT2               = 452
+	SYS_MAP_SHADOW_STACK        = 453
+	SYS_FUTEX_WAKE              = 454
+	SYS_FUTEX_WAIT              = 455
+	SYS_FUTEX_REQUEUE           = 456
+	SYS_STATMOUNT               = 457
+	SYS_LISTMOUNT               = 458
+	SYS_LSM_GET_SELF_ATTR       = 459
+	SYS_LSM_SET_SELF_ATTR       = 460
+	SYS_LSM_LIST_MODULES        = 461
+	SYS_MSEAL                   = 462
+)
+
+const (
+	SNR_READ                    ScmpSyscall = SYS_READ
+	SNR_WRITE                   ScmpSyscall = SYS_WRITE
+	SNR_OPEN                    ScmpSyscall = SYS_OPEN
+	SNR_CLOSE                   ScmpSyscall = SYS_CLOSE
+	SNR_STAT                    ScmpSyscall = SYS_STAT
+	SNR_FSTAT                   ScmpSyscall = SYS_FSTAT
+	SNR_LSTAT                   ScmpSyscall = SYS_LSTAT
+	SNR_POLL                    ScmpSyscall = SYS_POLL
+	SNR_LSEEK                   ScmpSyscall = SYS_LSEEK
+	SNR_MMAP                    ScmpSyscall = SYS_MMAP
+	SNR_MPROTECT                ScmpSyscall = SYS_MPROTECT
+	SNR_MUNMAP                  ScmpSyscall = SYS_MUNMAP
+	SNR_BRK                     ScmpSyscall = SYS_BRK
+	SNR_RT_SIGACTION            ScmpSyscall = SYS_RT_SIGACTION
+	SNR_RT_SIGPROCMASK          ScmpSyscall = SYS_RT_SIGPROCMASK
+	SNR_RT_SIGRETURN            ScmpSyscall = SYS_RT_SIGRETURN
+	SNR_IOCTL                   ScmpSyscall = SYS_IOCTL
+	SNR_PREAD64                 ScmpSyscall = SYS_PREAD64
+	SNR_PWRITE64                ScmpSyscall = SYS_PWRITE64
+	SNR_READV                   ScmpSyscall = SYS_READV
+	SNR_WRITEV                  ScmpSyscall = SYS_WRITEV
+	SNR_ACCESS                  ScmpSyscall = SYS_ACCESS
+	SNR_PIPE                    ScmpSyscall = SYS_PIPE
+	SNR_SELECT                  ScmpSyscall = SYS_SELECT
+	SNR_SCHED_YIELD             ScmpSyscall = SYS_SCHED_YIELD
+	SNR_MREMAP                  ScmpSyscall = SYS_MREMAP
+	SNR_MSYNC                   ScmpSyscall = SYS_MSYNC
+	SNR_MINCORE                 ScmpSyscall = SYS_MINCORE
+	SNR_MADVISE                 ScmpSyscall = SYS_MADVISE
+	SNR_SHMGET                  ScmpSyscall = SYS_SHMGET
+	SNR_SHMAT                   ScmpSyscall = SYS_SHMAT
+	SNR_SHMCTL                  ScmpSyscall = SYS_SHMCTL
+	SNR_DUP                     ScmpSyscall = SYS_DUP
+	SNR_DUP2                    ScmpSyscall = SYS_DUP2
+	SNR_PAUSE                   ScmpSyscall = SYS_PAUSE
+	SNR_NANOSLEEP               ScmpSyscall = SYS_NANOSLEEP
+	SNR_GETITIMER               ScmpSyscall = SYS_GETITIMER
+	SNR_ALARM                   ScmpSyscall = SYS_ALARM
+	SNR_SETITIMER               ScmpSyscall = SYS_SETITIMER
+	SNR_GETPID                  ScmpSyscall = SYS_GETPID
+	SNR_SENDFILE                ScmpSyscall = SYS_SENDFILE
+	SNR_SOCKET                  ScmpSyscall = SYS_SOCKET
+	SNR_CONNECT                 ScmpSyscall = SYS_CONNECT
+	SNR_ACCEPT                  ScmpSyscall = SYS_ACCEPT
+	SNR_SENDTO                  ScmpSyscall = SYS_SENDTO
+	SNR_RECVFROM                ScmpSyscall = SYS_RECVFROM
+	SNR_SENDMSG                 ScmpSyscall = SYS_SENDMSG
+	SNR_RECVMSG                 ScmpSyscall = SYS_RECVMSG
+	SNR_SHUTDOWN                ScmpSyscall = SYS_SHUTDOWN
+	SNR_BIND                    ScmpSyscall = SYS_BIND
+	SNR_LISTEN                  ScmpSyscall = SYS_LISTEN
+	SNR_GETSOCKNAME             ScmpSyscall = SYS_GETSOCKNAME
+	SNR_GETPEERNAME             ScmpSyscall = SYS_GETPEERNAME
+	SNR_SOCKETPAIR              ScmpSyscall = SYS_SOCKETPAIR
+	SNR_SETSOCKOPT              ScmpSyscall = SYS_SETSOCKOPT
+	SNR_GETSOCKOPT              ScmpSyscall = SYS_GETSOCKOPT
+	SNR_CLONE                   ScmpSyscall = SYS_CLONE
+	SNR_FORK                    ScmpSyscall = SYS_FORK
+	SNR_VFORK                   ScmpSyscall = SYS_VFORK
+	SNR_EXECVE                  ScmpSyscall = SYS_EXECVE
+	SNR_EXIT                    ScmpSyscall = SYS_EXIT
+	SNR_WAIT4                   ScmpSyscall = SYS_WAIT4
+	SNR_KILL                    ScmpSyscall = SYS_KILL
+	SNR_UNAME                   ScmpSyscall = SYS_UNAME
+	SNR_SEMGET                  ScmpSyscall = SYS_SEMGET
+	SNR_SEMOP                   ScmpSyscall = SYS_SEMOP
+	SNR_SEMCTL                  ScmpSyscall = SYS_SEMCTL
+	SNR_SHMDT                   ScmpSyscall = SYS_SHMDT
+	SNR_MSGGET                  ScmpSyscall = SYS_MSGGET
+	SNR_MSGSND                  ScmpSyscall = SYS_MSGSND
+	SNR_MSGRCV                  ScmpSyscall = SYS_MSGRCV
+	SNR_MSGCTL                  ScmpSyscall = SYS_MSGCTL
+	SNR_FCNTL                   ScmpSyscall = SYS_FCNTL
+	SNR_FLOCK                   ScmpSyscall = SYS_FLOCK
+	SNR_FSYNC                   ScmpSyscall = SYS_FSYNC
+	SNR_FDATASYNC               ScmpSyscall = SYS_FDATASYNC
+	SNR_TRUNCATE                ScmpSyscall = SYS_TRUNCATE
+	SNR_FTRUNCATE               ScmpSyscall = SYS_FTRUNCATE
+	SNR_GETDENTS                ScmpSyscall = SYS_GETDENTS
+	SNR_GETCWD                  ScmpSyscall = SYS_GETCWD
+	SNR_CHDIR                   ScmpSyscall = SYS_CHDIR
+	SNR_FCHDIR                  ScmpSyscall = SYS_FCHDIR
+	SNR_RENAME                  ScmpSyscall = SYS_RENAME
+	SNR_MKDIR                   ScmpSyscall = SYS_MKDIR
+	SNR_RMDIR                   ScmpSyscall = SYS_RMDIR
+	SNR_CREAT                   ScmpSyscall = SYS_CREAT
+	SNR_LINK                    ScmpSyscall = SYS_LINK
+	SNR_UNLINK                  ScmpSyscall = SYS_UNLINK
+	SNR_SYMLINK                 ScmpSyscall = SYS_SYMLINK
+	SNR_READLINK                ScmpSyscall = SYS_READLINK
+	SNR_CHMOD                   ScmpSyscall = SYS_CHMOD
+	SNR_FCHMOD                  ScmpSyscall = SYS_FCHMOD
+	SNR_CHOWN                   ScmpSyscall = SYS_CHOWN
+	SNR_FCHOWN                  ScmpSyscall = SYS_FCHOWN
+	SNR_LCHOWN                  ScmpSyscall = SYS_LCHOWN
+	SNR_UMASK                   ScmpSyscall = SYS_UMASK
+	SNR_GETTIMEOFDAY            ScmpSyscall = SYS_GETTIMEOFDAY
+	SNR_GETRLIMIT               ScmpSyscall = SYS_GETRLIMIT
+	SNR_GETRUSAGE               ScmpSyscall = SYS_GETRUSAGE
+	SNR_SYSINFO                 ScmpSyscall = SYS_SYSINFO
+	SNR_TIMES                   ScmpSyscall = SYS_TIMES
+	SNR_PTRACE                  ScmpSyscall = SYS_PTRACE
+	SNR_GETUID                  ScmpSyscall = SYS_GETUID
+	SNR_SYSLOG                  ScmpSyscall = SYS_SYSLOG
+	SNR_GETGID                  ScmpSyscall = SYS_GETGID
+	SNR_SETUID                  ScmpSyscall = SYS_SETUID
+	SNR_SETGID                  ScmpSyscall = SYS_SETGID
+	SNR_GETEUID                 ScmpSyscall = SYS_GETEUID
+	SNR_GETEGID                 ScmpSyscall = SYS_GETEGID
+	SNR_SETPGID                 ScmpSyscall = SYS_SETPGID
+	SNR_GETPPID                 ScmpSyscall = SYS_GETPPID
+	SNR_GETPGRP                 ScmpSyscall = SYS_GETPGRP
+	SNR_SETSID                  ScmpSyscall = SYS_SETSID
+	SNR_SETREUID                ScmpSyscall = SYS_SETREUID
+	SNR_SETREGID                ScmpSyscall = SYS_SETREGID
+	SNR_GETGROUPS               ScmpSyscall = SYS_GETGROUPS
+	SNR_SETGROUPS               ScmpSyscall = SYS_SETGROUPS
+	SNR_SETRESUID               ScmpSyscall = SYS_SETRESUID
+	SNR_GETRESUID               ScmpSyscall = SYS_GETRESUID
+	SNR_SETRESGID               ScmpSyscall = SYS_SETRESGID
+	SNR_GETRESGID               ScmpSyscall = SYS_GETRESGID
+	SNR_GETPGID                 ScmpSyscall = SYS_GETPGID
+	SNR_SETFSUID                ScmpSyscall = SYS_SETFSUID
+	SNR_SETFSGID                ScmpSyscall = SYS_SETFSGID
+	SNR_GETSID                  ScmpSyscall = SYS_GETSID
+	SNR_CAPGET                  ScmpSyscall = SYS_CAPGET
+	SNR_CAPSET                  ScmpSyscall = SYS_CAPSET
+	SNR_RT_SIGPENDING           ScmpSyscall = SYS_RT_SIGPENDING
+	SNR_RT_SIGTIMEDWAIT         ScmpSyscall = SYS_RT_SIGTIMEDWAIT
+	SNR_RT_SIGQUEUEINFO         ScmpSyscall = SYS_RT_SIGQUEUEINFO
+	SNR_RT_SIGSUSPEND           ScmpSyscall = SYS_RT_SIGSUSPEND
+	SNR_SIGALTSTACK             ScmpSyscall = SYS_SIGALTSTACK
+	SNR_UTIME                   ScmpSyscall = SYS_UTIME
+	SNR_MKNOD                   ScmpSyscall = SYS_MKNOD
+	SNR_USELIB                  ScmpSyscall = SYS_USELIB
+	SNR_PERSONALITY             ScmpSyscall = SYS_PERSONALITY
+	SNR_USTAT                   ScmpSyscall = SYS_USTAT
+	SNR_STATFS                  ScmpSyscall = SYS_STATFS
+	SNR_FSTATFS                 ScmpSyscall = SYS_FSTATFS
+	SNR_SYSFS                   ScmpSyscall = SYS_SYSFS
+	SNR_GETPRIORITY             ScmpSyscall = SYS_GETPRIORITY
+	SNR_SETPRIORITY             ScmpSyscall = SYS_SETPRIORITY
+	SNR_SCHED_SETPARAM          ScmpSyscall = SYS_SCHED_SETPARAM
+	SNR_SCHED_GETPARAM          ScmpSyscall = SYS_SCHED_GETPARAM
+	SNR_SCHED_SETSCHEDULER      ScmpSyscall = SYS_SCHED_SETSCHEDULER
+	SNR_SCHED_GETSCHEDULER      ScmpSyscall = SYS_SCHED_GETSCHEDULER
+	SNR_SCHED_GET_PRIORITY_MAX  ScmpSyscall = SYS_SCHED_GET_PRIORITY_MAX
+	SNR_SCHED_GET_PRIORITY_MIN  ScmpSyscall = SYS_SCHED_GET_PRIORITY_MIN
+	SNR_SCHED_RR_GET_INTERVAL   ScmpSyscall = SYS_SCHED_RR_GET_INTERVAL
+	SNR_MLOCK                   ScmpSyscall = SYS_MLOCK
+	SNR_MUNLOCK                 ScmpSyscall = SYS_MUNLOCK
+	SNR_MLOCKALL                ScmpSyscall = SYS_MLOCKALL
+	SNR_MUNLOCKALL              ScmpSyscall = SYS_MUNLOCKALL
+	SNR_VHANGUP                 ScmpSyscall = SYS_VHANGUP
+	SNR_MODIFY_LDT              ScmpSyscall = SYS_MODIFY_LDT
+	SNR_PIVOT_ROOT              ScmpSyscall = SYS_PIVOT_ROOT
+	SNR__SYSCTL                 ScmpSyscall = SYS__SYSCTL
+	SNR_PRCTL                   ScmpSyscall = SYS_PRCTL
+	SNR_ARCH_PRCTL              ScmpSyscall = SYS_ARCH_PRCTL
+	SNR_ADJTIMEX                ScmpSyscall = SYS_ADJTIMEX
+	SNR_SETRLIMIT               ScmpSyscall = SYS_SETRLIMIT
+	SNR_CHROOT                  ScmpSyscall = SYS_CHROOT
+	SNR_SYNC                    ScmpSyscall = SYS_SYNC
+	SNR_ACCT                    ScmpSyscall = SYS_ACCT
+	SNR_SETTIMEOFDAY            ScmpSyscall = SYS_SETTIMEOFDAY
+	SNR_MOUNT                   ScmpSyscall = SYS_MOUNT
+	SNR_UMOUNT2                 ScmpSyscall = SYS_UMOUNT2
+	SNR_SWAPON                  ScmpSyscall = SYS_SWAPON
+	SNR_SWAPOFF                 ScmpSyscall = SYS_SWAPOFF
+	SNR_REBOOT                  ScmpSyscall = SYS_REBOOT
+	SNR_SETHOSTNAME             ScmpSyscall = SYS_SETHOSTNAME
+	SNR_SETDOMAINNAME           ScmpSyscall = SYS_SETDOMAINNAME
+	SNR_IOPL                    ScmpSyscall = SYS_IOPL
+	SNR_IOPERM                  ScmpSyscall = SYS_IOPERM
+	SNR_CREATE_MODULE           ScmpSyscall = SYS_CREATE_MODULE
+	SNR_INIT_MODULE             ScmpSyscall = SYS_INIT_MODULE
+	SNR_DELETE_MODULE           ScmpSyscall = SYS_DELETE_MODULE
+	SNR_GET_KERNEL_SYMS         ScmpSyscall = SYS_GET_KERNEL_SYMS
+	SNR_QUERY_MODULE            ScmpSyscall = SYS_QUERY_MODULE
+	SNR_QUOTACTL                ScmpSyscall = SYS_QUOTACTL
+	SNR_NFSSERVCTL              ScmpSyscall = SYS_NFSSERVCTL
+	SNR_GETPMSG                 ScmpSyscall = SYS_GETPMSG
+	SNR_PUTPMSG                 ScmpSyscall = SYS_PUTPMSG
+	SNR_AFS_SYSCALL             ScmpSyscall = SYS_AFS_SYSCALL
+	SNR_TUXCALL                 ScmpSyscall = SYS_TUXCALL
+	SNR_SECURITY                ScmpSyscall = SYS_SECURITY
+	SNR_GETTID                  ScmpSyscall = SYS_GETTID
+	SNR_READAHEAD               ScmpSyscall = SYS_READAHEAD
+	SNR_SETXATTR                ScmpSyscall = SYS_SETXATTR
+	SNR_LSETXATTR               ScmpSyscall = SYS_LSETXATTR
+	SNR_FSETXATTR               ScmpSyscall = SYS_FSETXATTR
+	SNR_GETXATTR                ScmpSyscall = SYS_GETXATTR
+	SNR_LGETXATTR               ScmpSyscall = SYS_LGETXATTR
+	SNR_FGETXATTR               ScmpSyscall = SYS_FGETXATTR
+	SNR_LISTXATTR               ScmpSyscall = SYS_LISTXATTR
+	SNR_LLISTXATTR              ScmpSyscall = SYS_LLISTXATTR
+	SNR_FLISTXATTR              ScmpSyscall = SYS_FLISTXATTR
+	SNR_REMOVEXATTR             ScmpSyscall = SYS_REMOVEXATTR
+	SNR_LREMOVEXATTR            ScmpSyscall = SYS_LREMOVEXATTR
+	SNR_FREMOVEXATTR            ScmpSyscall = SYS_FREMOVEXATTR
+	SNR_TKILL                   ScmpSyscall = SYS_TKILL
+	SNR_TIME                    ScmpSyscall = SYS_TIME
+	SNR_FUTEX                   ScmpSyscall = SYS_FUTEX
+	SNR_SCHED_SETAFFINITY       ScmpSyscall = SYS_SCHED_SETAFFINITY
+	SNR_SCHED_GETAFFINITY       ScmpSyscall = SYS_SCHED_GETAFFINITY
+	SNR_SET_THREAD_AREA         ScmpSyscall = SYS_SET_THREAD_AREA
+	SNR_IO_SETUP                ScmpSyscall = SYS_IO_SETUP
+	SNR_IO_DESTROY              ScmpSyscall = SYS_IO_DESTROY
+	SNR_IO_GETEVENTS            ScmpSyscall = SYS_IO_GETEVENTS
+	SNR_IO_SUBMIT               ScmpSyscall = SYS_IO_SUBMIT
+	SNR_IO_CANCEL               ScmpSyscall = SYS_IO_CANCEL
+	SNR_GET_THREAD_AREA         ScmpSyscall = SYS_GET_THREAD_AREA
+	SNR_LOOKUP_DCOOKIE          ScmpSyscall = SYS_LOOKUP_DCOOKIE
+	SNR_EPOLL_CREATE            ScmpSyscall = SYS_EPOLL_CREATE
+	SNR_EPOLL_CTL_OLD           ScmpSyscall = SYS_EPOLL_CTL_OLD
+	SNR_EPOLL_WAIT_OLD          ScmpSyscall = SYS_EPOLL_WAIT_OLD
+	SNR_REMAP_FILE_PAGES        ScmpSyscall = SYS_REMAP_FILE_PAGES
+	SNR_GETDENTS64              ScmpSyscall = SYS_GETDENTS64
+	SNR_SET_TID_ADDRESS         ScmpSyscall = SYS_SET_TID_ADDRESS
+	SNR_RESTART_SYSCALL         ScmpSyscall = SYS_RESTART_SYSCALL
+	SNR_SEMTIMEDOP              ScmpSyscall = SYS_SEMTIMEDOP
+	SNR_FADVISE64               ScmpSyscall = SYS_FADVISE64
+	SNR_TIMER_CREATE            ScmpSyscall = SYS_TIMER_CREATE
+	SNR_TIMER_SETTIME           ScmpSyscall = SYS_TIMER_SETTIME
+	SNR_TIMER_GETTIME           ScmpSyscall = SYS_TIMER_GETTIME
+	SNR_TIMER_GETOVERRUN        ScmpSyscall = SYS_TIMER_GETOVERRUN
+	SNR_TIMER_DELETE            ScmpSyscall = SYS_TIMER_DELETE
+	SNR_CLOCK_SETTIME           ScmpSyscall = SYS_CLOCK_SETTIME
+	SNR_CLOCK_GETTIME           ScmpSyscall = SYS_CLOCK_GETTIME
+	SNR_CLOCK_GETRES            ScmpSyscall = SYS_CLOCK_GETRES
+	SNR_CLOCK_NANOSLEEP         ScmpSyscall = SYS_CLOCK_NANOSLEEP
+	SNR_EXIT_GROUP              ScmpSyscall = SYS_EXIT_GROUP
+	SNR_EPOLL_WAIT              ScmpSyscall = SYS_EPOLL_WAIT
+	SNR_EPOLL_CTL               ScmpSyscall = SYS_EPOLL_CTL
+	SNR_TGKILL                  ScmpSyscall = SYS_TGKILL
+	SNR_UTIMES                  ScmpSyscall = SYS_UTIMES
+	SNR_VSERVER                 ScmpSyscall = SYS_VSERVER
+	SNR_MBIND                   ScmpSyscall = SYS_MBIND
+	SNR_SET_MEMPOLICY           ScmpSyscall = SYS_SET_MEMPOLICY
+	SNR_GET_MEMPOLICY           ScmpSyscall = SYS_GET_MEMPOLICY
+	SNR_MQ_OPEN                 ScmpSyscall = SYS_MQ_OPEN
+	SNR_MQ_UNLINK               ScmpSyscall = SYS_MQ_UNLINK
+	SNR_MQ_TIMEDSEND            ScmpSyscall = SYS_MQ_TIMEDSEND
+	SNR_MQ_TIMEDRECEIVE         ScmpSyscall = SYS_MQ_TIMEDRECEIVE
+	SNR_MQ_NOTIFY               ScmpSyscall = SYS_MQ_NOTIFY
+	SNR_MQ_GETSETATTR           ScmpSyscall = SYS_MQ_GETSETATTR
+	SNR_KEXEC_LOAD              ScmpSyscall = SYS_KEXEC_LOAD
+	SNR_WAITID                  ScmpSyscall = SYS_WAITID
+	SNR_ADD_KEY                 ScmpSyscall = SYS_ADD_KEY
+	SNR_REQUEST_KEY             ScmpSyscall = SYS_REQUEST_KEY
+	SNR_KEYCTL                  ScmpSyscall = SYS_KEYCTL
+	SNR_IOPRIO_SET              ScmpSyscall = SYS_IOPRIO_SET
+	SNR_IOPRIO_GET              ScmpSyscall = SYS_IOPRIO_GET
+	SNR_INOTIFY_INIT            ScmpSyscall = SYS_INOTIFY_INIT
+	SNR_INOTIFY_ADD_WATCH       ScmpSyscall = SYS_INOTIFY_ADD_WATCH
+	SNR_INOTIFY_RM_WATCH        ScmpSyscall = SYS_INOTIFY_RM_WATCH
+	SNR_MIGRATE_PAGES           ScmpSyscall = SYS_MIGRATE_PAGES
+	SNR_OPENAT                  ScmpSyscall = SYS_OPENAT
+	SNR_MKDIRAT                 ScmpSyscall = SYS_MKDIRAT
+	SNR_MKNODAT                 ScmpSyscall = SYS_MKNODAT
+	SNR_FCHOWNAT                ScmpSyscall = SYS_FCHOWNAT
+	SNR_FUTIMESAT               ScmpSyscall = SYS_FUTIMESAT
+	SNR_NEWFSTATAT              ScmpSyscall = SYS_NEWFSTATAT
+	SNR_UNLINKAT                ScmpSyscall = SYS_UNLINKAT
+	SNR_RENAMEAT                ScmpSyscall = SYS_RENAMEAT
+	SNR_LINKAT                  ScmpSyscall = SYS_LINKAT
+	SNR_SYMLINKAT               ScmpSyscall = SYS_SYMLINKAT
+	SNR_READLINKAT              ScmpSyscall = SYS_READLINKAT
+	SNR_FCHMODAT                ScmpSyscall = SYS_FCHMODAT
+	SNR_FACCESSAT               ScmpSyscall = SYS_FACCESSAT
+	SNR_PSELECT6                ScmpSyscall = SYS_PSELECT6
+	SNR_PPOLL                   ScmpSyscall = SYS_PPOLL
+	SNR_UNSHARE                 ScmpSyscall = SYS_UNSHARE
+	SNR_SET_ROBUST_LIST         ScmpSyscall = SYS_SET_ROBUST_LIST
+	SNR_GET_ROBUST_LIST         ScmpSyscall = SYS_GET_ROBUST_LIST
+	SNR_SPLICE                  ScmpSyscall = SYS_SPLICE
+	SNR_TEE                     ScmpSyscall = SYS_TEE
+	SNR_SYNC_FILE_RANGE         ScmpSyscall = SYS_SYNC_FILE_RANGE
+	SNR_VMSPLICE                ScmpSyscall = SYS_VMSPLICE
+	SNR_MOVE_PAGES              ScmpSyscall = SYS_MOVE_PAGES
+	SNR_UTIMENSAT               ScmpSyscall = SYS_UTIMENSAT
+	SNR_EPOLL_PWAIT             ScmpSyscall = SYS_EPOLL_PWAIT
+	SNR_SIGNALFD                ScmpSyscall = SYS_SIGNALFD
+	SNR_TIMERFD_CREATE          ScmpSyscall = SYS_TIMERFD_CREATE
+	SNR_EVENTFD                 ScmpSyscall = SYS_EVENTFD
+	SNR_FALLOCATE               ScmpSyscall = SYS_FALLOCATE
+	SNR_TIMERFD_SETTIME         ScmpSyscall = SYS_TIMERFD_SETTIME
+	SNR_TIMERFD_GETTIME         ScmpSyscall = SYS_TIMERFD_GETTIME
+	SNR_ACCEPT4                 ScmpSyscall = SYS_ACCEPT4
+	SNR_SIGNALFD4               ScmpSyscall = SYS_SIGNALFD4
+	SNR_EVENTFD2                ScmpSyscall = SYS_EVENTFD2
+	SNR_EPOLL_CREATE1           ScmpSyscall = SYS_EPOLL_CREATE1
+	SNR_DUP3                    ScmpSyscall = SYS_DUP3
+	SNR_PIPE2                   ScmpSyscall = SYS_PIPE2
+	SNR_INOTIFY_INIT1           ScmpSyscall = SYS_INOTIFY_INIT1
+	SNR_PREADV                  ScmpSyscall = SYS_PREADV
+	SNR_PWRITEV                 ScmpSyscall = SYS_PWRITEV
+	SNR_RT_TGSIGQUEUEINFO       ScmpSyscall = SYS_RT_TGSIGQUEUEINFO
+	SNR_PERF_EVENT_OPEN         ScmpSyscall = SYS_PERF_EVENT_OPEN
+	SNR_RECVMMSG                ScmpSyscall = SYS_RECVMMSG
+	SNR_FANOTIFY_INIT           ScmpSyscall = SYS_FANOTIFY_INIT
+	SNR_FANOTIFY_MARK           ScmpSyscall = SYS_FANOTIFY_MARK
+	SNR_PRLIMIT64               ScmpSyscall = SYS_PRLIMIT64
+	SNR_NAME_TO_HANDLE_AT       ScmpSyscall = SYS_NAME_TO_HANDLE_AT
+	SNR_OPEN_BY_HANDLE_AT       ScmpSyscall = SYS_OPEN_BY_HANDLE_AT
+	SNR_CLOCK_ADJTIME           ScmpSyscall = SYS_CLOCK_ADJTIME
+	SNR_SYNCFS                  ScmpSyscall = SYS_SYNCFS
+	SNR_SENDMMSG                ScmpSyscall = SYS_SENDMMSG
+	SNR_SETNS                   ScmpSyscall = SYS_SETNS
+	SNR_GETCPU                  ScmpSyscall = SYS_GETCPU
+	SNR_PROCESS_VM_READV        ScmpSyscall = SYS_PROCESS_VM_READV
+	SNR_PROCESS_VM_WRITEV       ScmpSyscall = SYS_PROCESS_VM_WRITEV
+	SNR_KCMP                    ScmpSyscall = SYS_KCMP
+	SNR_FINIT_MODULE            ScmpSyscall = SYS_FINIT_MODULE
+	SNR_SCHED_SETATTR           ScmpSyscall = SYS_SCHED_SETATTR
+	SNR_SCHED_GETATTR           ScmpSyscall = SYS_SCHED_GETATTR
+	SNR_RENAMEAT2               ScmpSyscall = SYS_RENAMEAT2
+	SNR_SECCOMP                 ScmpSyscall = SYS_SECCOMP
+	SNR_GETRANDOM               ScmpSyscall = SYS_GETRANDOM
+	SNR_MEMFD_CREATE            ScmpSyscall = SYS_MEMFD_CREATE
+	SNR_KEXEC_FILE_LOAD         ScmpSyscall = SYS_KEXEC_FILE_LOAD
+	SNR_BPF                     ScmpSyscall = SYS_BPF
+	SNR_EXECVEAT                ScmpSyscall = SYS_EXECVEAT
+	SNR_USERFAULTFD             ScmpSyscall = SYS_USERFAULTFD
+	SNR_MEMBARRIER              ScmpSyscall = SYS_MEMBARRIER
+	SNR_MLOCK2                  ScmpSyscall = SYS_MLOCK2
+	SNR_COPY_FILE_RANGE         ScmpSyscall = SYS_COPY_FILE_RANGE
+	SNR_PREADV2                 ScmpSyscall = SYS_PREADV2
+	SNR_PWRITEV2                ScmpSyscall = SYS_PWRITEV2
+	SNR_PKEY_MPROTECT           ScmpSyscall = SYS_PKEY_MPROTECT
+	SNR_PKEY_ALLOC              ScmpSyscall = SYS_PKEY_ALLOC
+	SNR_PKEY_FREE               ScmpSyscall = SYS_PKEY_FREE
+	SNR_STATX                   ScmpSyscall = SYS_STATX
+	SNR_IO_PGETEVENTS           ScmpSyscall = SYS_IO_PGETEVENTS
+	SNR_RSEQ                    ScmpSyscall = SYS_RSEQ
+	SNR_URETPROBE               ScmpSyscall = SYS_URETPROBE
+	SNR_PIDFD_SEND_SIGNAL       ScmpSyscall = SYS_PIDFD_SEND_SIGNAL
+	SNR_IO_URING_SETUP          ScmpSyscall = SYS_IO_URING_SETUP
+	SNR_IO_URING_ENTER          ScmpSyscall = SYS_IO_URING_ENTER
+	SNR_IO_URING_REGISTER       ScmpSyscall = SYS_IO_URING_REGISTER
+	SNR_OPEN_TREE               ScmpSyscall = SYS_OPEN_TREE
+	SNR_MOVE_MOUNT              ScmpSyscall = SYS_MOVE_MOUNT
+	SNR_FSOPEN                  ScmpSyscall = SYS_FSOPEN
+	SNR_FSCONFIG                ScmpSyscall = SYS_FSCONFIG
+	SNR_FSMOUNT                 ScmpSyscall = SYS_FSMOUNT
+	SNR_FSPICK                  ScmpSyscall = SYS_FSPICK
+	SNR_PIDFD_OPEN              ScmpSyscall = SYS_PIDFD_OPEN
+	SNR_CLONE3                  ScmpSyscall = SYS_CLONE3
+	SNR_CLOSE_RANGE             ScmpSyscall = SYS_CLOSE_RANGE
+	SNR_OPENAT2                 ScmpSyscall = SYS_OPENAT2
+	SNR_PIDFD_GETFD             ScmpSyscall = SYS_PIDFD_GETFD
+	SNR_FACCESSAT2              ScmpSyscall = SYS_FACCESSAT2
+	SNR_PROCESS_MADVISE         ScmpSyscall = SYS_PROCESS_MADVISE
+	SNR_EPOLL_PWAIT2            ScmpSyscall = SYS_EPOLL_PWAIT2
+	SNR_MOUNT_SETATTR           ScmpSyscall = SYS_MOUNT_SETATTR
+	SNR_QUOTACTL_FD             ScmpSyscall = SYS_QUOTACTL_FD
+	SNR_LANDLOCK_CREATE_RULESET ScmpSyscall = SYS_LANDLOCK_CREATE_RULESET
+	SNR_LANDLOCK_ADD_RULE       ScmpSyscall = SYS_LANDLOCK_ADD_RULE
+	SNR_LANDLOCK_RESTRICT_SELF  ScmpSyscall = SYS_LANDLOCK_RESTRICT_SELF
+	SNR_MEMFD_SECRET            ScmpSyscall = SYS_MEMFD_SECRET
+	SNR_PROCESS_MRELEASE        ScmpSyscall = SYS_PROCESS_MRELEASE
+	SNR_FUTEX_WAITV             ScmpSyscall = SYS_FUTEX_WAITV
+	SNR_SET_MEMPOLICY_HOME_NODE ScmpSyscall = SYS_SET_MEMPOLICY_HOME_NODE
+	SNR_CACHESTAT               ScmpSyscall = SYS_CACHESTAT
+	SNR_FCHMODAT2               ScmpSyscall = SYS_FCHMODAT2
+	SNR_MAP_SHADOW_STACK        ScmpSyscall = SYS_MAP_SHADOW_STACK
+	SNR_FUTEX_WAKE              ScmpSyscall = SYS_FUTEX_WAKE
+	SNR_FUTEX_WAIT              ScmpSyscall = SYS_FUTEX_WAIT
+	SNR_FUTEX_REQUEUE           ScmpSyscall = SYS_FUTEX_REQUEUE
+	SNR_STATMOUNT               ScmpSyscall = SYS_STATMOUNT
+	SNR_LISTMOUNT               ScmpSyscall = SYS_LISTMOUNT
+	SNR_LSM_GET_SELF_ATTR       ScmpSyscall = SYS_LSM_GET_SELF_ATTR
+	SNR_LSM_SET_SELF_ATTR       ScmpSyscall = SYS_LSM_SET_SELF_ATTR
+	SNR_LSM_LIST_MODULES        ScmpSyscall = SYS_LSM_LIST_MODULES
+	SNR_MSEAL                   ScmpSyscall = SYS_MSEAL
+)

container/std/syscall_linux_arm64.go

@@ -0,0 +1,703 @@
+// mksysnum_linux.pl /usr/include/asm/unistd_64.h
+// Code generated by the command above; DO NOT EDIT.
+
+package std
+
+import . "syscall"
+
+var syscallNum = map[string]ScmpSyscall{
+	"io_setup":                SNR_IO_SETUP,
+	"io_destroy":              SNR_IO_DESTROY,
+	"io_submit":               SNR_IO_SUBMIT,
+	"io_cancel":               SNR_IO_CANCEL,
+	"io_getevents":            SNR_IO_GETEVENTS,
+	"setxattr":                SNR_SETXATTR,
+	"lsetxattr":               SNR_LSETXATTR,
+	"fsetxattr":               SNR_FSETXATTR,
+	"getxattr":                SNR_GETXATTR,
+	"lgetxattr":               SNR_LGETXATTR,
+	"fgetxattr":               SNR_FGETXATTR,
+	"listxattr":               SNR_LISTXATTR,
+	"llistxattr":              SNR_LLISTXATTR,
+	"flistxattr":              SNR_FLISTXATTR,
+	"removexattr":             SNR_REMOVEXATTR,
+	"lremovexattr":            SNR_LREMOVEXATTR,
+	"fremovexattr":            SNR_FREMOVEXATTR,
+	"getcwd":                  SNR_GETCWD,
+	"lookup_dcookie":          SNR_LOOKUP_DCOOKIE,
+	"eventfd2":                SNR_EVENTFD2,
+	"epoll_create1":           SNR_EPOLL_CREATE1,
+	"epoll_ctl":               SNR_EPOLL_CTL,
+	"epoll_pwait":             SNR_EPOLL_PWAIT,
+	"dup":                     SNR_DUP,
+	"dup3":                    SNR_DUP3,
+	"fcntl":                   SNR_FCNTL,
+	"inotify_init1":           SNR_INOTIFY_INIT1,
+	"inotify_add_watch":       SNR_INOTIFY_ADD_WATCH,
+	"inotify_rm_watch":        SNR_INOTIFY_RM_WATCH,
+	"ioctl":                   SNR_IOCTL,
+	"ioprio_set":              SNR_IOPRIO_SET,
+	"ioprio_get":              SNR_IOPRIO_GET,
+	"flock":                   SNR_FLOCK,
+	"mknodat":                 SNR_MKNODAT,
+	"mkdirat":                 SNR_MKDIRAT,
+	"unlinkat":                SNR_UNLINKAT,
+	"symlinkat":               SNR_SYMLINKAT,
+	"linkat":                  SNR_LINKAT,
+	"renameat":                SNR_RENAMEAT,
+	"umount2":                 SNR_UMOUNT2,
+	"mount":                   SNR_MOUNT,
+	"pivot_root":              SNR_PIVOT_ROOT,
+	"nfsservctl":              SNR_NFSSERVCTL,
+	"statfs":                  SNR_STATFS,
+	"fstatfs":                 SNR_FSTATFS,
+	"truncate":                SNR_TRUNCATE,
+	"ftruncate":               SNR_FTRUNCATE,
+	"fallocate":               SNR_FALLOCATE,
+	"faccessat":               SNR_FACCESSAT,
+	"chdir":                   SNR_CHDIR,
+	"fchdir":                  SNR_FCHDIR,
+	"chroot":                  SNR_CHROOT,
+	"fchmod":                  SNR_FCHMOD,
+	"fchmodat":                SNR_FCHMODAT,
+	"fchownat":                SNR_FCHOWNAT,
+	"fchown":                  SNR_FCHOWN,
+	"openat":                  SNR_OPENAT,
+	"close":                   SNR_CLOSE,
+	"vhangup":                 SNR_VHANGUP,
+	"pipe2":                   SNR_PIPE2,
+	"quotactl":                SNR_QUOTACTL,
+	"getdents64":              SNR_GETDENTS64,
+	"lseek":                   SNR_LSEEK,
+	"read":                    SNR_READ,
+	"write":                   SNR_WRITE,
+	"readv":                   SNR_READV,
+	"writev":                  SNR_WRITEV,
+	"pread64":                 SNR_PREAD64,
+	"pwrite64":                SNR_PWRITE64,
+	"preadv":                  SNR_PREADV,
+	"pwritev":                 SNR_PWRITEV,
+	"sendfile":                SNR_SENDFILE,
+	"pselect6":                SNR_PSELECT6,
+	"ppoll":                   SNR_PPOLL,
+	"signalfd4":               SNR_SIGNALFD4,
+	"vmsplice":                SNR_VMSPLICE,
+	"splice":                  SNR_SPLICE,
+	"tee":                     SNR_TEE,
+	"readlinkat":              SNR_READLINKAT,
+	"newfstatat":              SNR_NEWFSTATAT,
+	"fstat":                   SNR_FSTAT,
+	"sync":                    SNR_SYNC,
+	"fsync":                   SNR_FSYNC,
+	"fdatasync":               SNR_FDATASYNC,
+	"sync_file_range":         SNR_SYNC_FILE_RANGE,
+	"timerfd_create":          SNR_TIMERFD_CREATE,
+	"timerfd_settime":         SNR_TIMERFD_SETTIME,
+	"timerfd_gettime":         SNR_TIMERFD_GETTIME,
+	"utimensat":               SNR_UTIMENSAT,
+	"acct":                    SNR_ACCT,
+	"capget":                  SNR_CAPGET,
+	"capset":                  SNR_CAPSET,
+	"personality":             SNR_PERSONALITY,
+	"exit":                    SNR_EXIT,
+	"exit_group":              SNR_EXIT_GROUP,
+	"waitid":                  SNR_WAITID,
+	"set_tid_address":         SNR_SET_TID_ADDRESS,
+	"unshare":                 SNR_UNSHARE,
+	"futex":                   SNR_FUTEX,
+	"set_robust_list":         SNR_SET_ROBUST_LIST,
+	"get_robust_list":         SNR_GET_ROBUST_LIST,
+	"nanosleep":               SNR_NANOSLEEP,
+	"getitimer":               SNR_GETITIMER,
+	"setitimer":               SNR_SETITIMER,
+	"kexec_load":              SNR_KEXEC_LOAD,
+	"init_module":             SNR_INIT_MODULE,
+	"delete_module":           SNR_DELETE_MODULE,
+	"timer_create":            SNR_TIMER_CREATE,
+	"timer_gettime":           SNR_TIMER_GETTIME,
+	"timer_getoverrun":        SNR_TIMER_GETOVERRUN,
+	"timer_settime":           SNR_TIMER_SETTIME,
+	"timer_delete":            SNR_TIMER_DELETE,
+	"clock_settime":           SNR_CLOCK_SETTIME,
+	"clock_gettime":           SNR_CLOCK_GETTIME,
+	"clock_getres":            SNR_CLOCK_GETRES,
+	"clock_nanosleep":         SNR_CLOCK_NANOSLEEP,
+	"syslog":                  SNR_SYSLOG,
+	"ptrace":                  SNR_PTRACE,
+	"sched_setparam":          SNR_SCHED_SETPARAM,
+	"sched_setscheduler":      SNR_SCHED_SETSCHEDULER,
+	"sched_getscheduler":      SNR_SCHED_GETSCHEDULER,
+	"sched_getparam":          SNR_SCHED_GETPARAM,
+	"sched_setaffinity":       SNR_SCHED_SETAFFINITY,
+	"sched_getaffinity":       SNR_SCHED_GETAFFINITY,
+	"sched_yield":             SNR_SCHED_YIELD,
+	"sched_get_priority_max":  SNR_SCHED_GET_PRIORITY_MAX,
+	"sched_get_priority_min":  SNR_SCHED_GET_PRIORITY_MIN,
+	"sched_rr_get_interval":   SNR_SCHED_RR_GET_INTERVAL,
+	"restart_syscall":         SNR_RESTART_SYSCALL,
+	"kill":                    SNR_KILL,
+	"tkill":                   SNR_TKILL,
+	"tgkill":                  SNR_TGKILL,
+	"sigaltstack":             SNR_SIGALTSTACK,
+	"rt_sigsuspend":           SNR_RT_SIGSUSPEND,
+	"rt_sigaction":            SNR_RT_SIGACTION,
+	"rt_sigprocmask":          SNR_RT_SIGPROCMASK,
+	"rt_sigpending":           SNR_RT_SIGPENDING,
+	"rt_sigtimedwait":         SNR_RT_SIGTIMEDWAIT,
+	"rt_sigqueueinfo":         SNR_RT_SIGQUEUEINFO,
+	"rt_sigreturn":            SNR_RT_SIGRETURN,
+	"setpriority":             SNR_SETPRIORITY,
+	"getpriority":             SNR_GETPRIORITY,
+	"reboot":                  SNR_REBOOT,
+	"setregid":                SNR_SETREGID,
+	"setgid":                  SNR_SETGID,
+	"setreuid":                SNR_SETREUID,
+	"setuid":                  SNR_SETUID,
+	"setresuid":               SNR_SETRESUID,
+	"getresuid":               SNR_GETRESUID,
+	"setresgid":               SNR_SETRESGID,
+	"getresgid":               SNR_GETRESGID,
+	"setfsuid":                SNR_SETFSUID,
+	"setfsgid":                SNR_SETFSGID,
+	"times":                   SNR_TIMES,
+	"setpgid":                 SNR_SETPGID,
+	"getpgid":                 SNR_GETPGID,
+	"getsid":                  SNR_GETSID,
+	"setsid":                  SNR_SETSID,
+	"getgroups":               SNR_GETGROUPS,
+	"setgroups":               SNR_SETGROUPS,
+	"uname":                   SNR_UNAME,
+	"sethostname":             SNR_SETHOSTNAME,
+	"setdomainname":           SNR_SETDOMAINNAME,
+	"getrlimit":               SNR_GETRLIMIT,
+	"setrlimit":               SNR_SETRLIMIT,
+	"getrusage":               SNR_GETRUSAGE,
+	"umask":                   SNR_UMASK,
+	"prctl":                   SNR_PRCTL,
+	"getcpu":                  SNR_GETCPU,
+	"gettimeofday":            SNR_GETTIMEOFDAY,
+	"settimeofday":            SNR_SETTIMEOFDAY,
+	"adjtimex":                SNR_ADJTIMEX,
+	"getpid":                  SNR_GETPID,
+	"getppid":                 SNR_GETPPID,
+	"getuid":                  SNR_GETUID,
+	"geteuid":                 SNR_GETEUID,
+	"getgid":                  SNR_GETGID,
+	"getegid":                 SNR_GETEGID,
+	"gettid":                  SNR_GETTID,
+	"sysinfo":                 SNR_SYSINFO,
+	"mq_open":                 SNR_MQ_OPEN,
+	"mq_unlink":               SNR_MQ_UNLINK,
+	"mq_timedsend":            SNR_MQ_TIMEDSEND,
+	"mq_timedreceive":         SNR_MQ_TIMEDRECEIVE,
+	"mq_notify":               SNR_MQ_NOTIFY,
+	"mq_getsetattr":           SNR_MQ_GETSETATTR,
+	"msgget":                  SNR_MSGGET,
+	"msgctl":                  SNR_MSGCTL,
+	"msgrcv":                  SNR_MSGRCV,
+	"msgsnd":                  SNR_MSGSND,
+	"semget":                  SNR_SEMGET,
+	"semctl":                  SNR_SEMCTL,
+	"semtimedop":              SNR_SEMTIMEDOP,
+	"semop":                   SNR_SEMOP,
+	"shmget":                  SNR_SHMGET,
+	"shmctl":                  SNR_SHMCTL,
+	"shmat":                   SNR_SHMAT,
+	"shmdt":                   SNR_SHMDT,
+	"socket":                  SNR_SOCKET,
+	"socketpair":              SNR_SOCKETPAIR,
+	"bind":                    SNR_BIND,
+	"listen":                  SNR_LISTEN,
+	"accept":                  SNR_ACCEPT,
+	"connect":                 SNR_CONNECT,
+	"getsockname":             SNR_GETSOCKNAME,
+	"getpeername":             SNR_GETPEERNAME,
+	"sendto":                  SNR_SENDTO,
+	"recvfrom":                SNR_RECVFROM,
+	"setsockopt":              SNR_SETSOCKOPT,
+	"getsockopt":              SNR_GETSOCKOPT,
+	"shutdown":                SNR_SHUTDOWN,
+	"sendmsg":                 SNR_SENDMSG,
+	"recvmsg":                 SNR_RECVMSG,
+	"readahead":               SNR_READAHEAD,
+	"brk":                     SNR_BRK,
+	"munmap":                  SNR_MUNMAP,
+	"mremap":                  SNR_MREMAP,
+	"add_key":                 SNR_ADD_KEY,
+	"request_key":             SNR_REQUEST_KEY,
+	"keyctl":                  SNR_KEYCTL,
+	"clone":                   SNR_CLONE,
+	"execve":                  SNR_EXECVE,
+	"mmap":                    SNR_MMAP,
+	"fadvise64":               SNR_FADVISE64,
+	"swapon":                  SNR_SWAPON,
+	"swapoff":                 SNR_SWAPOFF,
+	"mprotect":                SNR_MPROTECT,
+	"msync":                   SNR_MSYNC,
+	"mlock":                   SNR_MLOCK,
+	"munlock":                 SNR_MUNLOCK,
+	"mlockall":                SNR_MLOCKALL,
+	"munlockall":              SNR_MUNLOCKALL,
+	"mincore":                 SNR_MINCORE,
+	"madvise":                 SNR_MADVISE,
+	"remap_file_pages":        SNR_REMAP_FILE_PAGES,
+	"mbind":                   SNR_MBIND,
+	"get_mempolicy":           SNR_GET_MEMPOLICY,
+	"set_mempolicy":           SNR_SET_MEMPOLICY,
+	"migrate_pages":           SNR_MIGRATE_PAGES,
+	"move_pages":              SNR_MOVE_PAGES,
+	"rt_tgsigqueueinfo":       SNR_RT_TGSIGQUEUEINFO,
+	"perf_event_open":         SNR_PERF_EVENT_OPEN,
+	"accept4":                 SNR_ACCEPT4,
+	"recvmmsg":                SNR_RECVMMSG,
+	"wait4":                   SNR_WAIT4,
+	"prlimit64":               SNR_PRLIMIT64,
+	"fanotify_init":           SNR_FANOTIFY_INIT,
+	"fanotify_mark":           SNR_FANOTIFY_MARK,
+	"name_to_handle_at":       SNR_NAME_TO_HANDLE_AT,
+	"open_by_handle_at":       SNR_OPEN_BY_HANDLE_AT,
+	"clock_adjtime":           SNR_CLOCK_ADJTIME,
+	"syncfs":                  SNR_SYNCFS,
+	"setns":                   SNR_SETNS,
+	"sendmmsg":                SNR_SENDMMSG,
+	"process_vm_readv":        SNR_PROCESS_VM_READV,
+	"process_vm_writev":       SNR_PROCESS_VM_WRITEV,
+	"kcmp":                    SNR_KCMP,
+	"finit_module":            SNR_FINIT_MODULE,
+	"sched_setattr":           SNR_SCHED_SETATTR,
+	"sched_getattr":           SNR_SCHED_GETATTR,
+	"renameat2":               SNR_RENAMEAT2,
+	"seccomp":                 SNR_SECCOMP,
+	"getrandom":               SNR_GETRANDOM,
+	"memfd_create":            SNR_MEMFD_CREATE,
+	"bpf":                     SNR_BPF,
+	"execveat":                SNR_EXECVEAT,
+	"userfaultfd":             SNR_USERFAULTFD,
+	"membarrier":              SNR_MEMBARRIER,
+	"mlock2":                  SNR_MLOCK2,
+	"copy_file_range":         SNR_COPY_FILE_RANGE,
+	"preadv2":                 SNR_PREADV2,
+	"pwritev2":                SNR_PWRITEV2,
+	"pkey_mprotect":           SNR_PKEY_MPROTECT,
+	"pkey_alloc":              SNR_PKEY_ALLOC,
+	"pkey_free":               SNR_PKEY_FREE,
+	"statx":                   SNR_STATX,
+	"io_pgetevents":           SNR_IO_PGETEVENTS,
+	"rseq":                    SNR_RSEQ,
+	"kexec_file_load":         SNR_KEXEC_FILE_LOAD,
+	"pidfd_send_signal":       SNR_PIDFD_SEND_SIGNAL,
+	"io_uring_setup":          SNR_IO_URING_SETUP,
+	"io_uring_enter":          SNR_IO_URING_ENTER,
+	"io_uring_register":       SNR_IO_URING_REGISTER,
+	"open_tree":               SNR_OPEN_TREE,
+	"move_mount":              SNR_MOVE_MOUNT,
+	"fsopen":                  SNR_FSOPEN,
+	"fsconfig":                SNR_FSCONFIG,
+	"fsmount":                 SNR_FSMOUNT,
+	"fspick":                  SNR_FSPICK,
+	"pidfd_open":              SNR_PIDFD_OPEN,
+	"clone3":                  SNR_CLONE3,
+	"close_range":             SNR_CLOSE_RANGE,
+	"openat2":                 SNR_OPENAT2,
+	"pidfd_getfd":             SNR_PIDFD_GETFD,
+	"faccessat2":              SNR_FACCESSAT2,
+	"process_madvise":         SNR_PROCESS_MADVISE,
+	"epoll_pwait2":            SNR_EPOLL_PWAIT2,
+	"mount_setattr":           SNR_MOUNT_SETATTR,
+	"quotactl_fd":             SNR_QUOTACTL_FD,
+	"landlock_create_ruleset": SNR_LANDLOCK_CREATE_RULESET,
+	"landlock_add_rule":       SNR_LANDLOCK_ADD_RULE,
+	"landlock_restrict_self":  SNR_LANDLOCK_RESTRICT_SELF,
+	"memfd_secret":            SNR_MEMFD_SECRET,
+	"process_mrelease":        SNR_PROCESS_MRELEASE,
+	"futex_waitv":             SNR_FUTEX_WAITV,
+	"set_mempolicy_home_node": SNR_SET_MEMPOLICY_HOME_NODE,
+	"cachestat":               SNR_CACHESTAT,
+	"fchmodat2":               SNR_FCHMODAT2,
+	"map_shadow_stack":        SNR_MAP_SHADOW_STACK,
+	"futex_wake":              SNR_FUTEX_WAKE,
+	"futex_wait":              SNR_FUTEX_WAIT,
+	"futex_requeue":           SNR_FUTEX_REQUEUE,
+	"statmount":               SNR_STATMOUNT,
+	"listmount":               SNR_LISTMOUNT,
+	"lsm_get_self_attr":       SNR_LSM_GET_SELF_ATTR,
+	"lsm_set_self_attr":       SNR_LSM_SET_SELF_ATTR,
+	"lsm_list_modules":        SNR_LSM_LIST_MODULES,
+	"mseal":                   SNR_MSEAL,
+}
+
+const (
+	SYS_USERFAULTFD             = 282
+	SYS_MEMBARRIER              = 283
+	SYS_MLOCK2                  = 284
+	SYS_COPY_FILE_RANGE         = 285
+	SYS_PREADV2                 = 286
+	SYS_PWRITEV2                = 287
+	SYS_PKEY_MPROTECT           = 288
+	SYS_PKEY_ALLOC              = 289
+	SYS_PKEY_FREE               = 290
+	SYS_STATX                   = 291
+	SYS_IO_PGETEVENTS           = 292
+	SYS_RSEQ                    = 293
+	SYS_KEXEC_FILE_LOAD         = 294
+	SYS_PIDFD_SEND_SIGNAL       = 424
+	SYS_IO_URING_SETUP          = 425
+	SYS_IO_URING_ENTER          = 426
+	SYS_IO_URING_REGISTER       = 427
+	SYS_OPEN_TREE               = 428
+	SYS_MOVE_MOUNT              = 429
+	SYS_FSOPEN                  = 430
+	SYS_FSCONFIG                = 431
+	SYS_FSMOUNT                 = 432
+	SYS_FSPICK                  = 433
+	SYS_PIDFD_OPEN              = 434
+	SYS_CLONE3                  = 435
+	SYS_CLOSE_RANGE             = 436
+	SYS_OPENAT2                 = 437
+	SYS_PIDFD_GETFD             = 438
+	SYS_FACCESSAT2              = 439
+	SYS_PROCESS_MADVISE         = 440
+	SYS_EPOLL_PWAIT2            = 441
+	SYS_MOUNT_SETATTR           = 442
+	SYS_QUOTACTL_FD             = 443
+	SYS_LANDLOCK_CREATE_RULESET = 444
+	SYS_LANDLOCK_ADD_RULE       = 445
+	SYS_LANDLOCK_RESTRICT_SELF  = 446
+	SYS_MEMFD_SECRET            = 447
+	SYS_PROCESS_MRELEASE        = 448
+	SYS_FUTEX_WAITV             = 449
+	SYS_SET_MEMPOLICY_HOME_NODE = 450
+	SYS_CACHESTAT               = 451
+	SYS_FCHMODAT2               = 452
+	SYS_MAP_SHADOW_STACK        = 453
+	SYS_FUTEX_WAKE              = 454
+	SYS_FUTEX_WAIT              = 455
+	SYS_FUTEX_REQUEUE           = 456
+	SYS_STATMOUNT               = 457
+	SYS_LISTMOUNT               = 458
+	SYS_LSM_GET_SELF_ATTR       = 459
+	SYS_LSM_SET_SELF_ATTR       = 460
+	SYS_LSM_LIST_MODULES        = 461
+	SYS_MSEAL                   = 462
+)
+
+const (
+	SNR_IO_SETUP                ScmpSyscall = SYS_IO_SETUP
+	SNR_IO_DESTROY              ScmpSyscall = SYS_IO_DESTROY
+	SNR_IO_SUBMIT               ScmpSyscall = SYS_IO_SUBMIT
+	SNR_IO_CANCEL               ScmpSyscall = SYS_IO_CANCEL
+	SNR_IO_GETEVENTS            ScmpSyscall = SYS_IO_GETEVENTS
+	SNR_SETXATTR                ScmpSyscall = SYS_SETXATTR
+	SNR_LSETXATTR               ScmpSyscall = SYS_LSETXATTR
+	SNR_FSETXATTR               ScmpSyscall = SYS_FSETXATTR
+	SNR_GETXATTR                ScmpSyscall = SYS_GETXATTR
+	SNR_LGETXATTR               ScmpSyscall = SYS_LGETXATTR
+	SNR_FGETXATTR               ScmpSyscall = SYS_FGETXATTR
+	SNR_LISTXATTR               ScmpSyscall = SYS_LISTXATTR
+	SNR_LLISTXATTR              ScmpSyscall = SYS_LLISTXATTR
+	SNR_FLISTXATTR              ScmpSyscall = SYS_FLISTXATTR
+	SNR_REMOVEXATTR             ScmpSyscall = SYS_REMOVEXATTR
+	SNR_LREMOVEXATTR            ScmpSyscall = SYS_LREMOVEXATTR
+	SNR_FREMOVEXATTR            ScmpSyscall = SYS_FREMOVEXATTR
+	SNR_GETCWD                  ScmpSyscall = SYS_GETCWD
+	SNR_LOOKUP_DCOOKIE          ScmpSyscall = SYS_LOOKUP_DCOOKIE
+	SNR_EVENTFD2                ScmpSyscall = SYS_EVENTFD2
+	SNR_EPOLL_CREATE1           ScmpSyscall = SYS_EPOLL_CREATE1
+	SNR_EPOLL_CTL               ScmpSyscall = SYS_EPOLL_CTL
+	SNR_EPOLL_PWAIT             ScmpSyscall = SYS_EPOLL_PWAIT
+	SNR_DUP                     ScmpSyscall = SYS_DUP
+	SNR_DUP3                    ScmpSyscall = SYS_DUP3
+	SNR_FCNTL                   ScmpSyscall = SYS_FCNTL
+	SNR_INOTIFY_INIT1           ScmpSyscall = SYS_INOTIFY_INIT1
+	SNR_INOTIFY_ADD_WATCH       ScmpSyscall = SYS_INOTIFY_ADD_WATCH
+	SNR_INOTIFY_RM_WATCH        ScmpSyscall = SYS_INOTIFY_RM_WATCH
+	SNR_IOCTL                   ScmpSyscall = SYS_IOCTL
+	SNR_IOPRIO_SET              ScmpSyscall = SYS_IOPRIO_SET
+	SNR_IOPRIO_GET              ScmpSyscall = SYS_IOPRIO_GET
+	SNR_FLOCK                   ScmpSyscall = SYS_FLOCK
+	SNR_MKNODAT                 ScmpSyscall = SYS_MKNODAT
+	SNR_MKDIRAT                 ScmpSyscall = SYS_MKDIRAT
+	SNR_UNLINKAT                ScmpSyscall = SYS_UNLINKAT
+	SNR_SYMLINKAT               ScmpSyscall = SYS_SYMLINKAT
+	SNR_LINKAT                  ScmpSyscall = SYS_LINKAT
+	SNR_RENAMEAT                ScmpSyscall = SYS_RENAMEAT
+	SNR_UMOUNT2                 ScmpSyscall = SYS_UMOUNT2
+	SNR_MOUNT                   ScmpSyscall = SYS_MOUNT
+	SNR_PIVOT_ROOT              ScmpSyscall = SYS_PIVOT_ROOT
+	SNR_NFSSERVCTL              ScmpSyscall = SYS_NFSSERVCTL
+	SNR_STATFS                  ScmpSyscall = SYS_STATFS
+	SNR_FSTATFS                 ScmpSyscall = SYS_FSTATFS
+	SNR_TRUNCATE                ScmpSyscall = SYS_TRUNCATE
+	SNR_FTRUNCATE               ScmpSyscall = SYS_FTRUNCATE
+	SNR_FALLOCATE               ScmpSyscall = SYS_FALLOCATE
+	SNR_FACCESSAT               ScmpSyscall = SYS_FACCESSAT
+	SNR_CHDIR                   ScmpSyscall = SYS_CHDIR
+	SNR_FCHDIR                  ScmpSyscall = SYS_FCHDIR
+	SNR_CHROOT                  ScmpSyscall = SYS_CHROOT
+	SNR_FCHMOD                  ScmpSyscall = SYS_FCHMOD
+	SNR_FCHMODAT                ScmpSyscall = SYS_FCHMODAT
+	SNR_FCHOWNAT                ScmpSyscall = SYS_FCHOWNAT
+	SNR_FCHOWN                  ScmpSyscall = SYS_FCHOWN
+	SNR_OPENAT                  ScmpSyscall = SYS_OPENAT
+	SNR_CLOSE                   ScmpSyscall = SYS_CLOSE
+	SNR_VHANGUP                 ScmpSyscall = SYS_VHANGUP
+	SNR_PIPE2                   ScmpSyscall = SYS_PIPE2
+	SNR_QUOTACTL                ScmpSyscall = SYS_QUOTACTL
+	SNR_GETDENTS64              ScmpSyscall = SYS_GETDENTS64
+	SNR_LSEEK                   ScmpSyscall = SYS_LSEEK
+	SNR_READ                    ScmpSyscall = SYS_READ
+	SNR_WRITE                   ScmpSyscall = SYS_WRITE
+	SNR_READV                   ScmpSyscall = SYS_READV
+	SNR_WRITEV                  ScmpSyscall = SYS_WRITEV
+	SNR_PREAD64                 ScmpSyscall = SYS_PREAD64
+	SNR_PWRITE64                ScmpSyscall = SYS_PWRITE64
+	SNR_PREADV                  ScmpSyscall = SYS_PREADV
+	SNR_PWRITEV                 ScmpSyscall = SYS_PWRITEV
+	SNR_SENDFILE                ScmpSyscall = SYS_SENDFILE
+	SNR_PSELECT6                ScmpSyscall = SYS_PSELECT6
+	SNR_PPOLL                   ScmpSyscall = SYS_PPOLL
+	SNR_SIGNALFD4               ScmpSyscall = SYS_SIGNALFD4
+	SNR_VMSPLICE                ScmpSyscall = SYS_VMSPLICE
+	SNR_SPLICE                  ScmpSyscall = SYS_SPLICE
+	SNR_TEE                     ScmpSyscall = SYS_TEE
+	SNR_READLINKAT              ScmpSyscall = SYS_READLINKAT
+	SNR_NEWFSTATAT              ScmpSyscall = SYS_NEWFSTATAT
+	SNR_FSTAT                   ScmpSyscall = SYS_FSTAT
+	SNR_SYNC                    ScmpSyscall = SYS_SYNC
+	SNR_FSYNC                   ScmpSyscall = SYS_FSYNC
+	SNR_FDATASYNC               ScmpSyscall = SYS_FDATASYNC
+	SNR_SYNC_FILE_RANGE         ScmpSyscall = SYS_SYNC_FILE_RANGE
+	SNR_TIMERFD_CREATE          ScmpSyscall = SYS_TIMERFD_CREATE
+	SNR_TIMERFD_SETTIME         ScmpSyscall = SYS_TIMERFD_SETTIME
+	SNR_TIMERFD_GETTIME         ScmpSyscall = SYS_TIMERFD_GETTIME
+	SNR_UTIMENSAT               ScmpSyscall = SYS_UTIMENSAT
+	SNR_ACCT                    ScmpSyscall = SYS_ACCT
+	SNR_CAPGET                  ScmpSyscall = SYS_CAPGET
+	SNR_CAPSET                  ScmpSyscall = SYS_CAPSET
+	SNR_PERSONALITY             ScmpSyscall = SYS_PERSONALITY
+	SNR_EXIT                    ScmpSyscall = SYS_EXIT
+	SNR_EXIT_GROUP              ScmpSyscall = SYS_EXIT_GROUP
+	SNR_WAITID                  ScmpSyscall = SYS_WAITID
+	SNR_SET_TID_ADDRESS         ScmpSyscall = SYS_SET_TID_ADDRESS
+	SNR_UNSHARE                 ScmpSyscall = SYS_UNSHARE
+	SNR_FUTEX                   ScmpSyscall = SYS_FUTEX
+	SNR_SET_ROBUST_LIST         ScmpSyscall = SYS_SET_ROBUST_LIST
+	SNR_GET_ROBUST_LIST         ScmpSyscall = SYS_GET_ROBUST_LIST
+	SNR_NANOSLEEP               ScmpSyscall = SYS_NANOSLEEP
+	SNR_GETITIMER               ScmpSyscall = SYS_GETITIMER
+	SNR_SETITIMER               ScmpSyscall = SYS_SETITIMER
+	SNR_KEXEC_LOAD              ScmpSyscall = SYS_KEXEC_LOAD
+	SNR_INIT_MODULE             ScmpSyscall = SYS_INIT_MODULE
+	SNR_DELETE_MODULE           ScmpSyscall = SYS_DELETE_MODULE
+	SNR_TIMER_CREATE            ScmpSyscall = SYS_TIMER_CREATE
+	SNR_TIMER_GETTIME           ScmpSyscall = SYS_TIMER_GETTIME
+	SNR_TIMER_GETOVERRUN        ScmpSyscall = SYS_TIMER_GETOVERRUN
+	SNR_TIMER_SETTIME           ScmpSyscall = SYS_TIMER_SETTIME
+	SNR_TIMER_DELETE            ScmpSyscall = SYS_TIMER_DELETE
+	SNR_CLOCK_SETTIME           ScmpSyscall = SYS_CLOCK_SETTIME
+	SNR_CLOCK_GETTIME           ScmpSyscall = SYS_CLOCK_GETTIME
+	SNR_CLOCK_GETRES            ScmpSyscall = SYS_CLOCK_GETRES
+	SNR_CLOCK_NANOSLEEP         ScmpSyscall = SYS_CLOCK_NANOSLEEP
+	SNR_SYSLOG                  ScmpSyscall = SYS_SYSLOG
+	SNR_PTRACE                  ScmpSyscall = SYS_PTRACE
+	SNR_SCHED_SETPARAM          ScmpSyscall = SYS_SCHED_SETPARAM
+	SNR_SCHED_SETSCHEDULER      ScmpSyscall = SYS_SCHED_SETSCHEDULER
+	SNR_SCHED_GETSCHEDULER      ScmpSyscall = SYS_SCHED_GETSCHEDULER
+	SNR_SCHED_GETPARAM          ScmpSyscall = SYS_SCHED_GETPARAM
+	SNR_SCHED_SETAFFINITY       ScmpSyscall = SYS_SCHED_SETAFFINITY
+	SNR_SCHED_GETAFFINITY       ScmpSyscall = SYS_SCHED_GETAFFINITY
+	SNR_SCHED_YIELD             ScmpSyscall = SYS_SCHED_YIELD
+	SNR_SCHED_GET_PRIORITY_MAX  ScmpSyscall = SYS_SCHED_GET_PRIORITY_MAX
+	SNR_SCHED_GET_PRIORITY_MIN  ScmpSyscall = SYS_SCHED_GET_PRIORITY_MIN
+	SNR_SCHED_RR_GET_INTERVAL   ScmpSyscall = SYS_SCHED_RR_GET_INTERVAL
+	SNR_RESTART_SYSCALL         ScmpSyscall = SYS_RESTART_SYSCALL
+	SNR_KILL                    ScmpSyscall = SYS_KILL
+	SNR_TKILL                   ScmpSyscall = SYS_TKILL
+	SNR_TGKILL                  ScmpSyscall = SYS_TGKILL
+	SNR_SIGALTSTACK             ScmpSyscall = SYS_SIGALTSTACK
+	SNR_RT_SIGSUSPEND           ScmpSyscall = SYS_RT_SIGSUSPEND
+	SNR_RT_SIGACTION            ScmpSyscall = SYS_RT_SIGACTION
+	SNR_RT_SIGPROCMASK          ScmpSyscall = SYS_RT_SIGPROCMASK
+	SNR_RT_SIGPENDING           ScmpSyscall = SYS_RT_SIGPENDING
+	SNR_RT_SIGTIMEDWAIT         ScmpSyscall = SYS_RT_SIGTIMEDWAIT
+	SNR_RT_SIGQUEUEINFO         ScmpSyscall = SYS_RT_SIGQUEUEINFO
+	SNR_RT_SIGRETURN            ScmpSyscall = SYS_RT_SIGRETURN
+	SNR_SETPRIORITY             ScmpSyscall = SYS_SETPRIORITY
+	SNR_GETPRIORITY             ScmpSyscall = SYS_GETPRIORITY
+	SNR_REBOOT                  ScmpSyscall = SYS_REBOOT
+	SNR_SETREGID                ScmpSyscall = SYS_SETREGID
+	SNR_SETGID                  ScmpSyscall = SYS_SETGID
+	SNR_SETREUID                ScmpSyscall = SYS_SETREUID
+	SNR_SETUID                  ScmpSyscall = SYS_SETUID
+	SNR_SETRESUID               ScmpSyscall = SYS_SETRESUID
+	SNR_GETRESUID               ScmpSyscall = SYS_GETRESUID
+	SNR_SETRESGID               ScmpSyscall = SYS_SETRESGID
+	SNR_GETRESGID               ScmpSyscall = SYS_GETRESGID
+	SNR_SETFSUID                ScmpSyscall = SYS_SETFSUID
+	SNR_SETFSGID                ScmpSyscall = SYS_SETFSGID
+	SNR_TIMES                   ScmpSyscall = SYS_TIMES
+	SNR_SETPGID                 ScmpSyscall = SYS_SETPGID
+	SNR_GETPGID                 ScmpSyscall = SYS_GETPGID
+	SNR_GETSID                  ScmpSyscall = SYS_GETSID
+	SNR_SETSID                  ScmpSyscall = SYS_SETSID
+	SNR_GETGROUPS               ScmpSyscall = SYS_GETGROUPS
+	SNR_SETGROUPS               ScmpSyscall = SYS_SETGROUPS
+	SNR_UNAME                   ScmpSyscall = SYS_UNAME
+	SNR_SETHOSTNAME             ScmpSyscall = SYS_SETHOSTNAME
+	SNR_SETDOMAINNAME           ScmpSyscall = SYS_SETDOMAINNAME
+	SNR_GETRLIMIT               ScmpSyscall = SYS_GETRLIMIT
+	SNR_SETRLIMIT               ScmpSyscall = SYS_SETRLIMIT
+	SNR_GETRUSAGE               ScmpSyscall = SYS_GETRUSAGE
+	SNR_UMASK                   ScmpSyscall = SYS_UMASK
+	SNR_PRCTL                   ScmpSyscall = SYS_PRCTL
+	SNR_GETCPU                  ScmpSyscall = SYS_GETCPU
+	SNR_GETTIMEOFDAY            ScmpSyscall = SYS_GETTIMEOFDAY
+	SNR_SETTIMEOFDAY            ScmpSyscall = SYS_SETTIMEOFDAY
+	SNR_ADJTIMEX                ScmpSyscall = SYS_ADJTIMEX
+	SNR_GETPID                  ScmpSyscall = SYS_GETPID
+	SNR_GETPPID                 ScmpSyscall = SYS_GETPPID
+	SNR_GETUID                  ScmpSyscall = SYS_GETUID
+	SNR_GETEUID                 ScmpSyscall = SYS_GETEUID
+	SNR_GETGID                  ScmpSyscall = SYS_GETGID
+	SNR_GETEGID                 ScmpSyscall = SYS_GETEGID
+	SNR_GETTID                  ScmpSyscall = SYS_GETTID
+	SNR_SYSINFO                 ScmpSyscall = SYS_SYSINFO
+	SNR_MQ_OPEN                 ScmpSyscall = SYS_MQ_OPEN
+	SNR_MQ_UNLINK               ScmpSyscall = SYS_MQ_UNLINK
+	SNR_MQ_TIMEDSEND            ScmpSyscall = SYS_MQ_TIMEDSEND
+	SNR_MQ_TIMEDRECEIVE         ScmpSyscall = SYS_MQ_TIMEDRECEIVE
+	SNR_MQ_NOTIFY               ScmpSyscall = SYS_MQ_NOTIFY
+	SNR_MQ_GETSETATTR           ScmpSyscall = SYS_MQ_GETSETATTR
+	SNR_MSGGET                  ScmpSyscall = SYS_MSGGET
+	SNR_MSGCTL                  ScmpSyscall = SYS_MSGCTL
+	SNR_MSGRCV                  ScmpSyscall = SYS_MSGRCV
+	SNR_MSGSND                  ScmpSyscall = SYS_MSGSND
+	SNR_SEMGET                  ScmpSyscall = SYS_SEMGET
+	SNR_SEMCTL                  ScmpSyscall = SYS_SEMCTL
+	SNR_SEMTIMEDOP              ScmpSyscall = SYS_SEMTIMEDOP
+	SNR_SEMOP                   ScmpSyscall = SYS_SEMOP
+	SNR_SHMGET                  ScmpSyscall = SYS_SHMGET
+	SNR_SHMCTL                  ScmpSyscall = SYS_SHMCTL
+	SNR_SHMAT                   ScmpSyscall = SYS_SHMAT
+	SNR_SHMDT                   ScmpSyscall = SYS_SHMDT
+	SNR_SOCKET                  ScmpSyscall = SYS_SOCKET
+	SNR_SOCKETPAIR              ScmpSyscall = SYS_SOCKETPAIR
+	SNR_BIND                    ScmpSyscall = SYS_BIND
+	SNR_LISTEN                  ScmpSyscall = SYS_LISTEN
+	SNR_ACCEPT                  ScmpSyscall = SYS_ACCEPT
+	SNR_CONNECT                 ScmpSyscall = SYS_CONNECT
+	SNR_GETSOCKNAME             ScmpSyscall = SYS_GETSOCKNAME
+	SNR_GETPEERNAME             ScmpSyscall = SYS_GETPEERNAME
+	SNR_SENDTO                  ScmpSyscall = SYS_SENDTO
+	SNR_RECVFROM                ScmpSyscall = SYS_RECVFROM
+	SNR_SETSOCKOPT              ScmpSyscall = SYS_SETSOCKOPT
+	SNR_GETSOCKOPT              ScmpSyscall = SYS_GETSOCKOPT
+	SNR_SHUTDOWN                ScmpSyscall = SYS_SHUTDOWN
+	SNR_SENDMSG                 ScmpSyscall = SYS_SENDMSG
+	SNR_RECVMSG                 ScmpSyscall = SYS_RECVMSG
+	SNR_READAHEAD               ScmpSyscall = SYS_READAHEAD
+	SNR_BRK                     ScmpSyscall = SYS_BRK
+	SNR_MUNMAP                  ScmpSyscall = SYS_MUNMAP
+	SNR_MREMAP                  ScmpSyscall = SYS_MREMAP
+	SNR_ADD_KEY                 ScmpSyscall = SYS_ADD_KEY
+	SNR_REQUEST_KEY             ScmpSyscall = SYS_REQUEST_KEY
+	SNR_KEYCTL                  ScmpSyscall = SYS_KEYCTL
+	SNR_CLONE                   ScmpSyscall = SYS_CLONE
+	SNR_EXECVE                  ScmpSyscall = SYS_EXECVE
+	SNR_MMAP                    ScmpSyscall = SYS_MMAP
+	SNR_FADVISE64               ScmpSyscall = SYS_FADVISE64
+	SNR_SWAPON                  ScmpSyscall = SYS_SWAPON
+	SNR_SWAPOFF                 ScmpSyscall = SYS_SWAPOFF
+	SNR_MPROTECT                ScmpSyscall = SYS_MPROTECT
+	SNR_MSYNC                   ScmpSyscall = SYS_MSYNC
+	SNR_MLOCK                   ScmpSyscall = SYS_MLOCK
+	SNR_MUNLOCK                 ScmpSyscall = SYS_MUNLOCK
+	SNR_MLOCKALL                ScmpSyscall = SYS_MLOCKALL
+	SNR_MUNLOCKALL              ScmpSyscall = SYS_MUNLOCKALL
+	SNR_MINCORE                 ScmpSyscall = SYS_MINCORE
+	SNR_MADVISE                 ScmpSyscall = SYS_MADVISE
+	SNR_REMAP_FILE_PAGES        ScmpSyscall = SYS_REMAP_FILE_PAGES
+	SNR_MBIND                   ScmpSyscall = SYS_MBIND
+	SNR_GET_MEMPOLICY           ScmpSyscall = SYS_GET_MEMPOLICY
+	SNR_SET_MEMPOLICY           ScmpSyscall = SYS_SET_MEMPOLICY
+	SNR_MIGRATE_PAGES           ScmpSyscall = SYS_MIGRATE_PAGES
+	SNR_MOVE_PAGES              ScmpSyscall = SYS_MOVE_PAGES
+	SNR_RT_TGSIGQUEUEINFO       ScmpSyscall = SYS_RT_TGSIGQUEUEINFO
+	SNR_PERF_EVENT_OPEN         ScmpSyscall = SYS_PERF_EVENT_OPEN
+	SNR_ACCEPT4                 ScmpSyscall = SYS_ACCEPT4
+	SNR_RECVMMSG                ScmpSyscall = SYS_RECVMMSG
+	SNR_WAIT4                   ScmpSyscall = SYS_WAIT4
+	SNR_PRLIMIT64               ScmpSyscall = SYS_PRLIMIT64
+	SNR_FANOTIFY_INIT           ScmpSyscall = SYS_FANOTIFY_INIT
+	SNR_FANOTIFY_MARK           ScmpSyscall = SYS_FANOTIFY_MARK
+	SNR_NAME_TO_HANDLE_AT       ScmpSyscall = SYS_NAME_TO_HANDLE_AT
+	SNR_OPEN_BY_HANDLE_AT       ScmpSyscall = SYS_OPEN_BY_HANDLE_AT
+	SNR_CLOCK_ADJTIME           ScmpSyscall = SYS_CLOCK_ADJTIME
+	SNR_SYNCFS                  ScmpSyscall = SYS_SYNCFS
+	SNR_SETNS                   ScmpSyscall = SYS_SETNS
+	SNR_SENDMMSG                ScmpSyscall = SYS_SENDMMSG
+	SNR_PROCESS_VM_READV        ScmpSyscall = SYS_PROCESS_VM_READV
+	SNR_PROCESS_VM_WRITEV       ScmpSyscall = SYS_PROCESS_VM_WRITEV
+	SNR_KCMP                    ScmpSyscall = SYS_KCMP
+	SNR_FINIT_MODULE            ScmpSyscall = SYS_FINIT_MODULE
+	SNR_SCHED_SETATTR           ScmpSyscall = SYS_SCHED_SETATTR
+	SNR_SCHED_GETATTR           ScmpSyscall = SYS_SCHED_GETATTR
+	SNR_RENAMEAT2               ScmpSyscall = SYS_RENAMEAT2
+	SNR_SECCOMP                 ScmpSyscall = SYS_SECCOMP
+	SNR_GETRANDOM               ScmpSyscall = SYS_GETRANDOM
+	SNR_MEMFD_CREATE            ScmpSyscall = SYS_MEMFD_CREATE
+	SNR_BPF                     ScmpSyscall = SYS_BPF
+	SNR_EXECVEAT                ScmpSyscall = SYS_EXECVEAT
+	SNR_USERFAULTFD             ScmpSyscall = SYS_USERFAULTFD
+	SNR_MEMBARRIER              ScmpSyscall = SYS_MEMBARRIER
+	SNR_MLOCK2                  ScmpSyscall = SYS_MLOCK2
+	SNR_COPY_FILE_RANGE         ScmpSyscall = SYS_COPY_FILE_RANGE
+	SNR_PREADV2                 ScmpSyscall = SYS_PREADV2
+	SNR_PWRITEV2                ScmpSyscall = SYS_PWRITEV2
+	SNR_PKEY_MPROTECT           ScmpSyscall = SYS_PKEY_MPROTECT
+	SNR_PKEY_ALLOC              ScmpSyscall = SYS_PKEY_ALLOC
+	SNR_PKEY_FREE               ScmpSyscall = SYS_PKEY_FREE
+	SNR_STATX                   ScmpSyscall = SYS_STATX
+	SNR_IO_PGETEVENTS           ScmpSyscall = SYS_IO_PGETEVENTS
+	SNR_RSEQ                    ScmpSyscall = SYS_RSEQ
+	SNR_KEXEC_FILE_LOAD         ScmpSyscall = SYS_KEXEC_FILE_LOAD
+	SNR_PIDFD_SEND_SIGNAL       ScmpSyscall = SYS_PIDFD_SEND_SIGNAL
+	SNR_IO_URING_SETUP          ScmpSyscall = SYS_IO_URING_SETUP
+	SNR_IO_URING_ENTER          ScmpSyscall = SYS_IO_URING_ENTER
+	SNR_IO_URING_REGISTER       ScmpSyscall = SYS_IO_URING_REGISTER
+	SNR_OPEN_TREE               ScmpSyscall = SYS_OPEN_TREE
+	SNR_MOVE_MOUNT              ScmpSyscall = SYS_MOVE_MOUNT
+	SNR_FSOPEN                  ScmpSyscall = SYS_FSOPEN
+	SNR_FSCONFIG                ScmpSyscall = SYS_FSCONFIG
+	SNR_FSMOUNT                 ScmpSyscall = SYS_FSMOUNT
+	SNR_FSPICK                  ScmpSyscall = SYS_FSPICK
+	SNR_PIDFD_OPEN              ScmpSyscall = SYS_PIDFD_OPEN
+	SNR_CLONE3                  ScmpSyscall = SYS_CLONE3
+	SNR_CLOSE_RANGE             ScmpSyscall = SYS_CLOSE_RANGE
+	SNR_OPENAT2                 ScmpSyscall = SYS_OPENAT2
+	SNR_PIDFD_GETFD             ScmpSyscall = SYS_PIDFD_GETFD
+	SNR_FACCESSAT2              ScmpSyscall = SYS_FACCESSAT2
+	SNR_PROCESS_MADVISE         ScmpSyscall = SYS_PROCESS_MADVISE
+	SNR_EPOLL_PWAIT2            ScmpSyscall = SYS_EPOLL_PWAIT2
+	SNR_MOUNT_SETATTR           ScmpSyscall = SYS_MOUNT_SETATTR
+	SNR_QUOTACTL_FD             ScmpSyscall = SYS_QUOTACTL_FD
+	SNR_LANDLOCK_CREATE_RULESET ScmpSyscall = SYS_LANDLOCK_CREATE_RULESET
+	SNR_LANDLOCK_ADD_RULE       ScmpSyscall = SYS_LANDLOCK_ADD_RULE
+	SNR_LANDLOCK_RESTRICT_SELF  ScmpSyscall = SYS_LANDLOCK_RESTRICT_SELF
+	SNR_MEMFD_SECRET            ScmpSyscall = SYS_MEMFD_SECRET
+	SNR_PROCESS_MRELEASE        ScmpSyscall = SYS_PROCESS_MRELEASE
+	SNR_FUTEX_WAITV             ScmpSyscall = SYS_FUTEX_WAITV
+	SNR_SET_MEMPOLICY_HOME_NODE ScmpSyscall = SYS_SET_MEMPOLICY_HOME_NODE
+	SNR_CACHESTAT               ScmpSyscall = SYS_CACHESTAT
+	SNR_FCHMODAT2               ScmpSyscall = SYS_FCHMODAT2
+	SNR_MAP_SHADOW_STACK        ScmpSyscall = SYS_MAP_SHADOW_STACK
+	SNR_FUTEX_WAKE              ScmpSyscall = SYS_FUTEX_WAKE
+	SNR_FUTEX_WAIT              ScmpSyscall = SYS_FUTEX_WAIT
+	SNR_FUTEX_REQUEUE           ScmpSyscall = SYS_FUTEX_REQUEUE
+	SNR_STATMOUNT               ScmpSyscall = SYS_STATMOUNT
+	SNR_LISTMOUNT               ScmpSyscall = SYS_LISTMOUNT
+	SNR_LSM_GET_SELF_ATTR       ScmpSyscall = SYS_LSM_GET_SELF_ATTR
+	SNR_LSM_SET_SELF_ATTR       ScmpSyscall = SYS_LSM_SET_SELF_ATTR
+	SNR_LSM_LIST_MODULES        ScmpSyscall = SYS_LSM_LIST_MODULES
+	SNR_MSEAL                   ScmpSyscall = SYS_MSEAL
+)

container/std/syscall_linux_riscv64.go

@@ -0,0 +1,719 @@
+// mksysnum_linux.pl /usr/include/riscv64-linux-gnu/asm/unistd.h
+// Code generated by the command above; DO NOT EDIT.
+
+package std
+
+import . "syscall"
+
+var syscallNum = map[string]ScmpSyscall{
+	"io_setup":                SNR_IO_SETUP,
+	"io_destroy":              SNR_IO_DESTROY,
+	"io_submit":               SNR_IO_SUBMIT,
+	"io_cancel":               SNR_IO_CANCEL,
+	"io_getevents":            SNR_IO_GETEVENTS,
+	"setxattr":                SNR_SETXATTR,
+	"lsetxattr":               SNR_LSETXATTR,
+	"fsetxattr":               SNR_FSETXATTR,
+	"getxattr":                SNR_GETXATTR,
+	"lgetxattr":               SNR_LGETXATTR,
+	"fgetxattr":               SNR_FGETXATTR,
+	"listxattr":               SNR_LISTXATTR,
+	"llistxattr":              SNR_LLISTXATTR,
+	"flistxattr":              SNR_FLISTXATTR,
+	"removexattr":             SNR_REMOVEXATTR,
+	"lremovexattr":            SNR_LREMOVEXATTR,
+	"fremovexattr":            SNR_FREMOVEXATTR,
+	"getcwd":                  SNR_GETCWD,
+	"lookup_dcookie":          SNR_LOOKUP_DCOOKIE,
+	"eventfd2":                SNR_EVENTFD2,
+	"epoll_create1":           SNR_EPOLL_CREATE1,
+	"epoll_ctl":               SNR_EPOLL_CTL,
+	"epoll_pwait":             SNR_EPOLL_PWAIT,
+	"dup":                     SNR_DUP,
+	"dup3":                    SNR_DUP3,
+	"fcntl":                   SNR_FCNTL,
+	"inotify_init1":           SNR_INOTIFY_INIT1,
+	"inotify_add_watch":       SNR_INOTIFY_ADD_WATCH,
+	"inotify_rm_watch":        SNR_INOTIFY_RM_WATCH,
+	"ioctl":                   SNR_IOCTL,
+	"ioprio_set":              SNR_IOPRIO_SET,
+	"ioprio_get":              SNR_IOPRIO_GET,
+	"flock":                   SNR_FLOCK,
+	"mknodat":                 SNR_MKNODAT,
+	"mkdirat":                 SNR_MKDIRAT,
+	"unlinkat":                SNR_UNLINKAT,
+	"symlinkat":               SNR_SYMLINKAT,
+	"linkat":                  SNR_LINKAT,
+	"umount2":                 SNR_UMOUNT2,
+	"mount":                   SNR_MOUNT,
+	"pivot_root":              SNR_PIVOT_ROOT,
+	"nfsservctl":              SNR_NFSSERVCTL,
+	"statfs":                  SNR_STATFS,
+	"fstatfs":                 SNR_FSTATFS,
+	"truncate":                SNR_TRUNCATE,
+	"ftruncate":               SNR_FTRUNCATE,
+	"fallocate":               SNR_FALLOCATE,
+	"faccessat":               SNR_FACCESSAT,
+	"chdir":                   SNR_CHDIR,
+	"fchdir":                  SNR_FCHDIR,
+	"chroot":                  SNR_CHROOT,
+	"fchmod":                  SNR_FCHMOD,
+	"fchmodat":                SNR_FCHMODAT,
+	"fchownat":                SNR_FCHOWNAT,
+	"fchown":                  SNR_FCHOWN,
+	"openat":                  SNR_OPENAT,
+	"close":                   SNR_CLOSE,
+	"vhangup":                 SNR_VHANGUP,
+	"pipe2":                   SNR_PIPE2,
+	"quotactl":                SNR_QUOTACTL,
+	"getdents64":              SNR_GETDENTS64,
+	"lseek":                   SNR_LSEEK,
+	"read":                    SNR_READ,
+	"write":                   SNR_WRITE,
+	"readv":                   SNR_READV,
+	"writev":                  SNR_WRITEV,
+	"pread64":                 SNR_PREAD64,
+	"pwrite64":                SNR_PWRITE64,
+	"preadv":                  SNR_PREADV,
+	"pwritev":                 SNR_PWRITEV,
+	"sendfile":                SNR_SENDFILE,
+	"pselect6":                SNR_PSELECT6,
+	"ppoll":                   SNR_PPOLL,
+	"signalfd4":               SNR_SIGNALFD4,
+	"vmsplice":                SNR_VMSPLICE,
+	"splice":                  SNR_SPLICE,
+	"tee":                     SNR_TEE,
+	"readlinkat":              SNR_READLINKAT,
+	"newfstatat":              SNR_NEWFSTATAT,
+	"fstat":                   SNR_FSTAT,
+	"sync":                    SNR_SYNC,
+	"fsync":                   SNR_FSYNC,
+	"fdatasync":               SNR_FDATASYNC,
+	"sync_file_range":         SNR_SYNC_FILE_RANGE,
+	"timerfd_create":          SNR_TIMERFD_CREATE,
+	"timerfd_settime":         SNR_TIMERFD_SETTIME,
+	"timerfd_gettime":         SNR_TIMERFD_GETTIME,
+	"utimensat":               SNR_UTIMENSAT,
+	"acct":                    SNR_ACCT,
+	"capget":                  SNR_CAPGET,
+	"capset":                  SNR_CAPSET,
+	"personality":             SNR_PERSONALITY,
+	"exit":                    SNR_EXIT,
+	"exit_group":              SNR_EXIT_GROUP,
+	"waitid":                  SNR_WAITID,
+	"set_tid_address":         SNR_SET_TID_ADDRESS,
+	"unshare":                 SNR_UNSHARE,
+	"futex":                   SNR_FUTEX,
+	"set_robust_list":         SNR_SET_ROBUST_LIST,
+	"get_robust_list":         SNR_GET_ROBUST_LIST,
+	"nanosleep":               SNR_NANOSLEEP,
+	"getitimer":               SNR_GETITIMER,
+	"setitimer":               SNR_SETITIMER,
+	"kexec_load":              SNR_KEXEC_LOAD,
+	"init_module":             SNR_INIT_MODULE,
+	"delete_module":           SNR_DELETE_MODULE,
+	"timer_create":            SNR_TIMER_CREATE,
+	"timer_gettime":           SNR_TIMER_GETTIME,
+	"timer_getoverrun":        SNR_TIMER_GETOVERRUN,
+	"timer_settime":           SNR_TIMER_SETTIME,
+	"timer_delete":            SNR_TIMER_DELETE,
+	"clock_settime":           SNR_CLOCK_SETTIME,
+	"clock_gettime":           SNR_CLOCK_GETTIME,
+	"clock_getres":            SNR_CLOCK_GETRES,
+	"clock_nanosleep":         SNR_CLOCK_NANOSLEEP,
+	"syslog":                  SNR_SYSLOG,
+	"ptrace":                  SNR_PTRACE,
+	"sched_setparam":          SNR_SCHED_SETPARAM,
+	"sched_setscheduler":      SNR_SCHED_SETSCHEDULER,
+	"sched_getscheduler":      SNR_SCHED_GETSCHEDULER,
+	"sched_getparam":          SNR_SCHED_GETPARAM,
+	"sched_setaffinity":       SNR_SCHED_SETAFFINITY,
+	"sched_getaffinity":       SNR_SCHED_GETAFFINITY,
+	"sched_yield":             SNR_SCHED_YIELD,
+	"sched_get_priority_max":  SNR_SCHED_GET_PRIORITY_MAX,
+	"sched_get_priority_min":  SNR_SCHED_GET_PRIORITY_MIN,
+	"sched_rr_get_interval":   SNR_SCHED_RR_GET_INTERVAL,
+	"restart_syscall":         SNR_RESTART_SYSCALL,
+	"kill":                    SNR_KILL,
+	"tkill":                   SNR_TKILL,
+	"tgkill":                  SNR_TGKILL,
+	"sigaltstack":             SNR_SIGALTSTACK,
+	"rt_sigsuspend":           SNR_RT_SIGSUSPEND,
+	"rt_sigaction":            SNR_RT_SIGACTION,
+	"rt_sigprocmask":          SNR_RT_SIGPROCMASK,
+	"rt_sigpending":           SNR_RT_SIGPENDING,
+	"rt_sigtimedwait":         SNR_RT_SIGTIMEDWAIT,
+	"rt_sigqueueinfo":         SNR_RT_SIGQUEUEINFO,
+	"rt_sigreturn":            SNR_RT_SIGRETURN,
+	"setpriority":             SNR_SETPRIORITY,
+	"getpriority":             SNR_GETPRIORITY,
+	"reboot":                  SNR_REBOOT,
+	"setregid":                SNR_SETREGID,
+	"setgid":                  SNR_SETGID,
+	"setreuid":                SNR_SETREUID,
+	"setuid":                  SNR_SETUID,
+	"setresuid":               SNR_SETRESUID,
+	"getresuid":               SNR_GETRESUID,
+	"setresgid":               SNR_SETRESGID,
+	"getresgid":               SNR_GETRESGID,
+	"setfsuid":                SNR_SETFSUID,
+	"setfsgid":                SNR_SETFSGID,
+	"times":                   SNR_TIMES,
+	"setpgid":                 SNR_SETPGID,
+	"getpgid":                 SNR_GETPGID,
+	"getsid":                  SNR_GETSID,
+	"setsid":                  SNR_SETSID,
+	"getgroups":               SNR_GETGROUPS,
+	"setgroups":               SNR_SETGROUPS,
+	"uname":                   SNR_UNAME,
+	"sethostname":             SNR_SETHOSTNAME,
+	"setdomainname":           SNR_SETDOMAINNAME,
+	"getrlimit":               SNR_GETRLIMIT,
+	"setrlimit":               SNR_SETRLIMIT,
+	"getrusage":               SNR_GETRUSAGE,
+	"umask":                   SNR_UMASK,
+	"prctl":                   SNR_PRCTL,
+	"getcpu":                  SNR_GETCPU,
+	"gettimeofday":            SNR_GETTIMEOFDAY,
+	"settimeofday":            SNR_SETTIMEOFDAY,
+	"adjtimex":                SNR_ADJTIMEX,
+	"getpid":                  SNR_GETPID,
+	"getppid":                 SNR_GETPPID,
+	"getuid":                  SNR_GETUID,
+	"geteuid":                 SNR_GETEUID,
+	"getgid":                  SNR_GETGID,
+	"getegid":                 SNR_GETEGID,
+	"gettid":                  SNR_GETTID,
+	"sysinfo":                 SNR_SYSINFO,
+	"mq_open":                 SNR_MQ_OPEN,
+	"mq_unlink":               SNR_MQ_UNLINK,
+	"mq_timedsend":            SNR_MQ_TIMEDSEND,
+	"mq_timedreceive":         SNR_MQ_TIMEDRECEIVE,
+	"mq_notify":               SNR_MQ_NOTIFY,
+	"mq_getsetattr":           SNR_MQ_GETSETATTR,
+	"msgget":                  SNR_MSGGET,
+	"msgctl":                  SNR_MSGCTL,
+	"msgrcv":                  SNR_MSGRCV,
+	"msgsnd":                  SNR_MSGSND,
+	"semget":                  SNR_SEMGET,
+	"semctl":                  SNR_SEMCTL,
+	"semtimedop":              SNR_SEMTIMEDOP,
+	"semop":                   SNR_SEMOP,
+	"shmget":                  SNR_SHMGET,
+	"shmctl":                  SNR_SHMCTL,
+	"shmat":                   SNR_SHMAT,
+	"shmdt":                   SNR_SHMDT,
+	"socket":                  SNR_SOCKET,
+	"socketpair":              SNR_SOCKETPAIR,
+	"bind":                    SNR_BIND,
+	"listen":                  SNR_LISTEN,
+	"accept":                  SNR_ACCEPT,
+	"connect":                 SNR_CONNECT,
+	"getsockname":             SNR_GETSOCKNAME,
+	"getpeername":             SNR_GETPEERNAME,
+	"sendto":                  SNR_SENDTO,
+	"recvfrom":                SNR_RECVFROM,
+	"setsockopt":              SNR_SETSOCKOPT,
+	"getsockopt":              SNR_GETSOCKOPT,
+	"shutdown":                SNR_SHUTDOWN,
+	"sendmsg":                 SNR_SENDMSG,
+	"recvmsg":                 SNR_RECVMSG,
+	"readahead":               SNR_READAHEAD,
+	"brk":                     SNR_BRK,
+	"munmap":                  SNR_MUNMAP,
+	"mremap":                  SNR_MREMAP,
+	"add_key":                 SNR_ADD_KEY,
+	"request_key":             SNR_REQUEST_KEY,
+	"keyctl":                  SNR_KEYCTL,
+	"clone":                   SNR_CLONE,
+	"execve":                  SNR_EXECVE,
+	"mmap":                    SNR_MMAP,
+	"fadvise64":               SNR_FADVISE64,
+	"swapon":                  SNR_SWAPON,
+	"swapoff":                 SNR_SWAPOFF,
+	"mprotect":                SNR_MPROTECT,
+	"msync":                   SNR_MSYNC,
+	"mlock":                   SNR_MLOCK,
+	"munlock":                 SNR_MUNLOCK,
+	"mlockall":                SNR_MLOCKALL,
+	"munlockall":              SNR_MUNLOCKALL,
+	"mincore":                 SNR_MINCORE,
+	"madvise":                 SNR_MADVISE,
+	"remap_file_pages":        SNR_REMAP_FILE_PAGES,
+	"mbind":                   SNR_MBIND,
+	"get_mempolicy":           SNR_GET_MEMPOLICY,
+	"set_mempolicy":           SNR_SET_MEMPOLICY,
+	"migrate_pages":           SNR_MIGRATE_PAGES,
+	"move_pages":              SNR_MOVE_PAGES,
+	"rt_tgsigqueueinfo":       SNR_RT_TGSIGQUEUEINFO,
+	"perf_event_open":         SNR_PERF_EVENT_OPEN,
+	"accept4":                 SNR_ACCEPT4,
+	"recvmmsg":                SNR_RECVMMSG,
+	"wait4":                   SNR_WAIT4,
+	"prlimit64":               SNR_PRLIMIT64,
+	"fanotify_init":           SNR_FANOTIFY_INIT,
+	"fanotify_mark":           SNR_FANOTIFY_MARK,
+	"name_to_handle_at":       SNR_NAME_TO_HANDLE_AT,
+	"open_by_handle_at":       SNR_OPEN_BY_HANDLE_AT,
+	"clock_adjtime":           SNR_CLOCK_ADJTIME,
+	"syncfs":                  SNR_SYNCFS,
+	"setns":                   SNR_SETNS,
+	"sendmmsg":                SNR_SENDMMSG,
+	"process_vm_readv":        SNR_PROCESS_VM_READV,
+	"process_vm_writev":       SNR_PROCESS_VM_WRITEV,
+	"kcmp":                    SNR_KCMP,
+	"finit_module":            SNR_FINIT_MODULE,
+	"sched_setattr":           SNR_SCHED_SETATTR,
+	"sched_getattr":           SNR_SCHED_GETATTR,
+	"renameat2":               SNR_RENAMEAT2,
+	"seccomp":                 SNR_SECCOMP,
+	"getrandom":               SNR_GETRANDOM,
+	"memfd_create":            SNR_MEMFD_CREATE,
+	"bpf":                     SNR_BPF,
+	"execveat":                SNR_EXECVEAT,
+	"userfaultfd":             SNR_USERFAULTFD,
+	"membarrier":              SNR_MEMBARRIER,
+	"mlock2":                  SNR_MLOCK2,
+	"copy_file_range":         SNR_COPY_FILE_RANGE,
+	"preadv2":                 SNR_PREADV2,
+	"pwritev2":                SNR_PWRITEV2,
+	"pkey_mprotect":           SNR_PKEY_MPROTECT,
+	"pkey_alloc":              SNR_PKEY_ALLOC,
+	"pkey_free":               SNR_PKEY_FREE,
+	"statx":                   SNR_STATX,
+	"io_pgetevents":           SNR_IO_PGETEVENTS,
+	"rseq":                    SNR_RSEQ,
+	"kexec_file_load":         SNR_KEXEC_FILE_LOAD,
+	"pidfd_send_signal":       SNR_PIDFD_SEND_SIGNAL,
+	"io_uring_setup":          SNR_IO_URING_SETUP,
+	"io_uring_enter":          SNR_IO_URING_ENTER,
+	"io_uring_register":       SNR_IO_URING_REGISTER,
+	"open_tree":               SNR_OPEN_TREE,
+	"move_mount":              SNR_MOVE_MOUNT,
+	"fsopen":                  SNR_FSOPEN,
+	"fsconfig":                SNR_FSCONFIG,
+	"fsmount":                 SNR_FSMOUNT,
+	"fspick":                  SNR_FSPICK,
+	"pidfd_open":              SNR_PIDFD_OPEN,
+	"clone3":                  SNR_CLONE3,
+	"close_range":             SNR_CLOSE_RANGE,
+	"openat2":                 SNR_OPENAT2,
+	"pidfd_getfd":             SNR_PIDFD_GETFD,
+	"faccessat2":              SNR_FACCESSAT2,
+	"process_madvise":         SNR_PROCESS_MADVISE,
+	"epoll_pwait2":            SNR_EPOLL_PWAIT2,
+	"mount_setattr":           SNR_MOUNT_SETATTR,
+	"quotactl_fd":             SNR_QUOTACTL_FD,
+	"landlock_create_ruleset": SNR_LANDLOCK_CREATE_RULESET,
+	"landlock_add_rule":       SNR_LANDLOCK_ADD_RULE,
+	"landlock_restrict_self":  SNR_LANDLOCK_RESTRICT_SELF,
+	"memfd_secret":            SNR_MEMFD_SECRET,
+	"process_mrelease":        SNR_PROCESS_MRELEASE,
+	"futex_waitv":             SNR_FUTEX_WAITV,
+	"set_mempolicy_home_node": SNR_SET_MEMPOLICY_HOME_NODE,
+	"cachestat":               SNR_CACHESTAT,
+	"fchmodat2":               SNR_FCHMODAT2,
+	"map_shadow_stack":        SNR_MAP_SHADOW_STACK,
+	"futex_wake":              SNR_FUTEX_WAKE,
+	"futex_wait":              SNR_FUTEX_WAIT,
+	"futex_requeue":           SNR_FUTEX_REQUEUE,
+	"statmount":               SNR_STATMOUNT,
+	"listmount":               SNR_LISTMOUNT,
+	"lsm_get_self_attr":       SNR_LSM_GET_SELF_ATTR,
+	"lsm_set_self_attr":       SNR_LSM_SET_SELF_ATTR,
+	"lsm_list_modules":        SNR_LSM_LIST_MODULES,
+	"mseal":                   SNR_MSEAL,
+	"setxattrat":              SNR_SETXATTRAT,
+	"getxattrat":              SNR_GETXATTRAT,
+	"listxattrat":             SNR_LISTXATTRAT,
+	"removexattrat":           SNR_REMOVEXATTRAT,
+}
+
+const (
+	SYS_USERFAULTFD             = 282
+	SYS_MEMBARRIER              = 283
+	SYS_MLOCK2                  = 284
+	SYS_COPY_FILE_RANGE         = 285
+	SYS_PREADV2                 = 286
+	SYS_PWRITEV2                = 287
+	SYS_PKEY_MPROTECT           = 288
+	SYS_PKEY_ALLOC              = 289
+	SYS_PKEY_FREE               = 290
+	SYS_STATX                   = 291
+	SYS_IO_PGETEVENTS           = 292
+	SYS_RSEQ                    = 293
+	SYS_KEXEC_FILE_LOAD         = 294
+	SYS_PIDFD_SEND_SIGNAL       = 424
+	SYS_IO_URING_SETUP          = 425
+	SYS_IO_URING_ENTER          = 426
+	SYS_IO_URING_REGISTER       = 427
+	SYS_OPEN_TREE               = 428
+	SYS_MOVE_MOUNT              = 429
+	SYS_FSOPEN                  = 430
+	SYS_FSCONFIG                = 431
+	SYS_FSMOUNT                 = 432
+	SYS_FSPICK                  = 433
+	SYS_PIDFD_OPEN              = 434
+	SYS_CLONE3                  = 435
+	SYS_CLOSE_RANGE             = 436
+	SYS_OPENAT2                 = 437
+	SYS_PIDFD_GETFD             = 438
+	SYS_FACCESSAT2              = 439
+	SYS_PROCESS_MADVISE         = 440
+	SYS_EPOLL_PWAIT2            = 441
+	SYS_MOUNT_SETATTR           = 442
+	SYS_QUOTACTL_FD             = 443
+	SYS_LANDLOCK_CREATE_RULESET = 444
+	SYS_LANDLOCK_ADD_RULE       = 445
+	SYS_LANDLOCK_RESTRICT_SELF  = 446
+	SYS_MEMFD_SECRET            = 447
+	SYS_PROCESS_MRELEASE        = 448
+	SYS_FUTEX_WAITV             = 449
+	SYS_SET_MEMPOLICY_HOME_NODE = 450
+	SYS_CACHESTAT               = 451
+	SYS_FCHMODAT2               = 452
+	SYS_MAP_SHADOW_STACK        = 453
+	SYS_FUTEX_WAKE              = 454
+	SYS_FUTEX_WAIT              = 455
+	SYS_FUTEX_REQUEUE           = 456
+	SYS_STATMOUNT               = 457
+	SYS_LISTMOUNT               = 458
+	SYS_LSM_GET_SELF_ATTR       = 459
+	SYS_LSM_SET_SELF_ATTR       = 460
+	SYS_LSM_LIST_MODULES        = 461
+	SYS_MSEAL                   = 462
+	SYS_SETXATTRAT              = 463
+	SYS_GETXATTRAT              = 464
+	SYS_LISTXATTRAT             = 465
+	SYS_REMOVEXATTRAT           = 466
+	SYS_OPEN_TREE_ATTR          = 467
+	SYS_FILE_GETATTR            = 468
+	SYS_FILE_SETATTR            = 469
+)
+
+const (
+	SNR_IO_SETUP                ScmpSyscall = SYS_IO_SETUP
+	SNR_IO_DESTROY              ScmpSyscall = SYS_IO_DESTROY
+	SNR_IO_SUBMIT               ScmpSyscall = SYS_IO_SUBMIT
+	SNR_IO_CANCEL               ScmpSyscall = SYS_IO_CANCEL
+	SNR_IO_GETEVENTS            ScmpSyscall = SYS_IO_GETEVENTS
+	SNR_SETXATTR                ScmpSyscall = SYS_SETXATTR
+	SNR_LSETXATTR               ScmpSyscall = SYS_LSETXATTR
+	SNR_FSETXATTR               ScmpSyscall = SYS_FSETXATTR
+	SNR_GETXATTR                ScmpSyscall = SYS_GETXATTR
+	SNR_LGETXATTR               ScmpSyscall = SYS_LGETXATTR
+	SNR_FGETXATTR               ScmpSyscall = SYS_FGETXATTR
+	SNR_LISTXATTR               ScmpSyscall = SYS_LISTXATTR
+	SNR_LLISTXATTR              ScmpSyscall = SYS_LLISTXATTR
+	SNR_FLISTXATTR              ScmpSyscall = SYS_FLISTXATTR
+	SNR_REMOVEXATTR             ScmpSyscall = SYS_REMOVEXATTR
+	SNR_LREMOVEXATTR            ScmpSyscall = SYS_LREMOVEXATTR
+	SNR_FREMOVEXATTR            ScmpSyscall = SYS_FREMOVEXATTR
+	SNR_GETCWD                  ScmpSyscall = SYS_GETCWD
+	SNR_LOOKUP_DCOOKIE          ScmpSyscall = SYS_LOOKUP_DCOOKIE
+	SNR_EVENTFD2                ScmpSyscall = SYS_EVENTFD2
+	SNR_EPOLL_CREATE1           ScmpSyscall = SYS_EPOLL_CREATE1
+	SNR_EPOLL_CTL               ScmpSyscall = SYS_EPOLL_CTL
+	SNR_EPOLL_PWAIT             ScmpSyscall = SYS_EPOLL_PWAIT
+	SNR_DUP                     ScmpSyscall = SYS_DUP
+	SNR_DUP3                    ScmpSyscall = SYS_DUP3
+	SNR_FCNTL                   ScmpSyscall = SYS_FCNTL
+	SNR_INOTIFY_INIT1           ScmpSyscall = SYS_INOTIFY_INIT1
+	SNR_INOTIFY_ADD_WATCH       ScmpSyscall = SYS_INOTIFY_ADD_WATCH
+	SNR_INOTIFY_RM_WATCH        ScmpSyscall = SYS_INOTIFY_RM_WATCH
+	SNR_IOCTL                   ScmpSyscall = SYS_IOCTL
+	SNR_IOPRIO_SET              ScmpSyscall = SYS_IOPRIO_SET
+	SNR_IOPRIO_GET              ScmpSyscall = SYS_IOPRIO_GET
+	SNR_FLOCK                   ScmpSyscall = SYS_FLOCK
+	SNR_MKNODAT                 ScmpSyscall = SYS_MKNODAT
+	SNR_MKDIRAT                 ScmpSyscall = SYS_MKDIRAT
+	SNR_UNLINKAT                ScmpSyscall = SYS_UNLINKAT
+	SNR_SYMLINKAT               ScmpSyscall = SYS_SYMLINKAT
+	SNR_LINKAT                  ScmpSyscall = SYS_LINKAT
+	SNR_UMOUNT2                 ScmpSyscall = SYS_UMOUNT2
+	SNR_MOUNT                   ScmpSyscall = SYS_MOUNT
+	SNR_PIVOT_ROOT              ScmpSyscall = SYS_PIVOT_ROOT
+	SNR_NFSSERVCTL              ScmpSyscall = SYS_NFSSERVCTL
+	SNR_STATFS                  ScmpSyscall = SYS_STATFS
+	SNR_FSTATFS                 ScmpSyscall = SYS_FSTATFS
+	SNR_TRUNCATE                ScmpSyscall = SYS_TRUNCATE
+	SNR_FTRUNCATE               ScmpSyscall = SYS_FTRUNCATE
+	SNR_FALLOCATE               ScmpSyscall = SYS_FALLOCATE
+	SNR_FACCESSAT               ScmpSyscall = SYS_FACCESSAT
+	SNR_CHDIR                   ScmpSyscall = SYS_CHDIR
+	SNR_FCHDIR                  ScmpSyscall = SYS_FCHDIR
+	SNR_CHROOT                  ScmpSyscall = SYS_CHROOT
+	SNR_FCHMOD                  ScmpSyscall = SYS_FCHMOD
+	SNR_FCHMODAT                ScmpSyscall = SYS_FCHMODAT
+	SNR_FCHOWNAT                ScmpSyscall = SYS_FCHOWNAT
+	SNR_FCHOWN                  ScmpSyscall = SYS_FCHOWN
+	SNR_OPENAT                  ScmpSyscall = SYS_OPENAT
+	SNR_CLOSE                   ScmpSyscall = SYS_CLOSE
+	SNR_VHANGUP                 ScmpSyscall = SYS_VHANGUP
+	SNR_PIPE2                   ScmpSyscall = SYS_PIPE2
+	SNR_QUOTACTL                ScmpSyscall = SYS_QUOTACTL
+	SNR_GETDENTS64              ScmpSyscall = SYS_GETDENTS64
+	SNR_LSEEK                   ScmpSyscall = SYS_LSEEK
+	SNR_READ                    ScmpSyscall = SYS_READ
+	SNR_WRITE                   ScmpSyscall = SYS_WRITE
+	SNR_READV                   ScmpSyscall = SYS_READV
+	SNR_WRITEV                  ScmpSyscall = SYS_WRITEV
+	SNR_PREAD64                 ScmpSyscall = SYS_PREAD64
+	SNR_PWRITE64                ScmpSyscall = SYS_PWRITE64
+	SNR_PREADV                  ScmpSyscall = SYS_PREADV
+	SNR_PWRITEV                 ScmpSyscall = SYS_PWRITEV
+	SNR_SENDFILE                ScmpSyscall = SYS_SENDFILE
+	SNR_PSELECT6                ScmpSyscall = SYS_PSELECT6
+	SNR_PPOLL                   ScmpSyscall = SYS_PPOLL
+	SNR_SIGNALFD4               ScmpSyscall = SYS_SIGNALFD4
+	SNR_VMSPLICE                ScmpSyscall = SYS_VMSPLICE
+	SNR_SPLICE                  ScmpSyscall = SYS_SPLICE
+	SNR_TEE                     ScmpSyscall = SYS_TEE
+	SNR_READLINKAT              ScmpSyscall = SYS_READLINKAT
+	SNR_NEWFSTATAT              ScmpSyscall = SYS_NEWFSTATAT
+	SNR_FSTAT                   ScmpSyscall = SYS_FSTAT
+	SNR_SYNC                    ScmpSyscall = SYS_SYNC
+	SNR_FSYNC                   ScmpSyscall = SYS_FSYNC
+	SNR_FDATASYNC               ScmpSyscall = SYS_FDATASYNC
+	SNR_SYNC_FILE_RANGE         ScmpSyscall = SYS_SYNC_FILE_RANGE
+	SNR_TIMERFD_CREATE          ScmpSyscall = SYS_TIMERFD_CREATE
+	SNR_TIMERFD_SETTIME         ScmpSyscall = SYS_TIMERFD_SETTIME
+	SNR_TIMERFD_GETTIME         ScmpSyscall = SYS_TIMERFD_GETTIME
+	SNR_UTIMENSAT               ScmpSyscall = SYS_UTIMENSAT
+	SNR_ACCT                    ScmpSyscall = SYS_ACCT
+	SNR_CAPGET                  ScmpSyscall = SYS_CAPGET
+	SNR_CAPSET                  ScmpSyscall = SYS_CAPSET
+	SNR_PERSONALITY             ScmpSyscall = SYS_PERSONALITY
+	SNR_EXIT                    ScmpSyscall = SYS_EXIT
+	SNR_EXIT_GROUP              ScmpSyscall = SYS_EXIT_GROUP
+	SNR_WAITID                  ScmpSyscall = SYS_WAITID
+	SNR_SET_TID_ADDRESS         ScmpSyscall = SYS_SET_TID_ADDRESS
+	SNR_UNSHARE                 ScmpSyscall = SYS_UNSHARE
+	SNR_FUTEX                   ScmpSyscall = SYS_FUTEX
+	SNR_SET_ROBUST_LIST         ScmpSyscall = SYS_SET_ROBUST_LIST
+	SNR_GET_ROBUST_LIST         ScmpSyscall = SYS_GET_ROBUST_LIST
+	SNR_NANOSLEEP               ScmpSyscall = SYS_NANOSLEEP
+	SNR_GETITIMER               ScmpSyscall = SYS_GETITIMER
+	SNR_SETITIMER               ScmpSyscall = SYS_SETITIMER
+	SNR_KEXEC_LOAD              ScmpSyscall = SYS_KEXEC_LOAD
+	SNR_INIT_MODULE             ScmpSyscall = SYS_INIT_MODULE
+	SNR_DELETE_MODULE           ScmpSyscall = SYS_DELETE_MODULE
+	SNR_TIMER_CREATE            ScmpSyscall = SYS_TIMER_CREATE
+	SNR_TIMER_GETTIME           ScmpSyscall = SYS_TIMER_GETTIME
+	SNR_TIMER_GETOVERRUN        ScmpSyscall = SYS_TIMER_GETOVERRUN
+	SNR_TIMER_SETTIME           ScmpSyscall = SYS_TIMER_SETTIME
+	SNR_TIMER_DELETE            ScmpSyscall = SYS_TIMER_DELETE
+	SNR_CLOCK_SETTIME           ScmpSyscall = SYS_CLOCK_SETTIME
+	SNR_CLOCK_GETTIME           ScmpSyscall = SYS_CLOCK_GETTIME
+	SNR_CLOCK_GETRES            ScmpSyscall = SYS_CLOCK_GETRES
+	SNR_CLOCK_NANOSLEEP         ScmpSyscall = SYS_CLOCK_NANOSLEEP
+	SNR_SYSLOG                  ScmpSyscall = SYS_SYSLOG
+	SNR_PTRACE                  ScmpSyscall = SYS_PTRACE
+	SNR_SCHED_SETPARAM          ScmpSyscall = SYS_SCHED_SETPARAM
+	SNR_SCHED_SETSCHEDULER      ScmpSyscall = SYS_SCHED_SETSCHEDULER
+	SNR_SCHED_GETSCHEDULER      ScmpSyscall = SYS_SCHED_GETSCHEDULER
+	SNR_SCHED_GETPARAM          ScmpSyscall = SYS_SCHED_GETPARAM
+	SNR_SCHED_SETAFFINITY       ScmpSyscall = SYS_SCHED_SETAFFINITY
+	SNR_SCHED_GETAFFINITY       ScmpSyscall = SYS_SCHED_GETAFFINITY
+	SNR_SCHED_YIELD             ScmpSyscall = SYS_SCHED_YIELD
+	SNR_SCHED_GET_PRIORITY_MAX  ScmpSyscall = SYS_SCHED_GET_PRIORITY_MAX
+	SNR_SCHED_GET_PRIORITY_MIN  ScmpSyscall = SYS_SCHED_GET_PRIORITY_MIN
+	SNR_SCHED_RR_GET_INTERVAL   ScmpSyscall = SYS_SCHED_RR_GET_INTERVAL
+	SNR_RESTART_SYSCALL         ScmpSyscall = SYS_RESTART_SYSCALL
+	SNR_KILL                    ScmpSyscall = SYS_KILL
+	SNR_TKILL                   ScmpSyscall = SYS_TKILL
+	SNR_TGKILL                  ScmpSyscall = SYS_TGKILL
+	SNR_SIGALTSTACK             ScmpSyscall = SYS_SIGALTSTACK
+	SNR_RT_SIGSUSPEND           ScmpSyscall = SYS_RT_SIGSUSPEND
+	SNR_RT_SIGACTION            ScmpSyscall = SYS_RT_SIGACTION
+	SNR_RT_SIGPROCMASK          ScmpSyscall = SYS_RT_SIGPROCMASK
+	SNR_RT_SIGPENDING           ScmpSyscall = SYS_RT_SIGPENDING
+	SNR_RT_SIGTIMEDWAIT         ScmpSyscall = SYS_RT_SIGTIMEDWAIT
+	SNR_RT_SIGQUEUEINFO         ScmpSyscall = SYS_RT_SIGQUEUEINFO
+	SNR_RT_SIGRETURN            ScmpSyscall = SYS_RT_SIGRETURN
+	SNR_SETPRIORITY             ScmpSyscall = SYS_SETPRIORITY
+	SNR_GETPRIORITY             ScmpSyscall = SYS_GETPRIORITY
+	SNR_REBOOT                  ScmpSyscall = SYS_REBOOT
+	SNR_SETREGID                ScmpSyscall = SYS_SETREGID
+	SNR_SETGID                  ScmpSyscall = SYS_SETGID
+	SNR_SETREUID                ScmpSyscall = SYS_SETREUID
+	SNR_SETUID                  ScmpSyscall = SYS_SETUID
+	SNR_SETRESUID               ScmpSyscall = SYS_SETRESUID
+	SNR_GETRESUID               ScmpSyscall = SYS_GETRESUID
+	SNR_SETRESGID               ScmpSyscall = SYS_SETRESGID
+	SNR_GETRESGID               ScmpSyscall = SYS_GETRESGID
+	SNR_SETFSUID                ScmpSyscall = SYS_SETFSUID
+	SNR_SETFSGID                ScmpSyscall = SYS_SETFSGID
+	SNR_TIMES                   ScmpSyscall = SYS_TIMES
+	SNR_SETPGID                 ScmpSyscall = SYS_SETPGID
+	SNR_GETPGID                 ScmpSyscall = SYS_GETPGID
+	SNR_GETSID                  ScmpSyscall = SYS_GETSID
+	SNR_SETSID                  ScmpSyscall = SYS_SETSID
+	SNR_GETGROUPS               ScmpSyscall = SYS_GETGROUPS
+	SNR_SETGROUPS               ScmpSyscall = SYS_SETGROUPS
+	SNR_UNAME                   ScmpSyscall = SYS_UNAME
+	SNR_SETHOSTNAME             ScmpSyscall = SYS_SETHOSTNAME
+	SNR_SETDOMAINNAME           ScmpSyscall = SYS_SETDOMAINNAME
+	SNR_GETRLIMIT               ScmpSyscall = SYS_GETRLIMIT
+	SNR_SETRLIMIT               ScmpSyscall = SYS_SETRLIMIT
+	SNR_GETRUSAGE               ScmpSyscall = SYS_GETRUSAGE
+	SNR_UMASK                   ScmpSyscall = SYS_UMASK
+	SNR_PRCTL                   ScmpSyscall = SYS_PRCTL
+	SNR_GETCPU                  ScmpSyscall = SYS_GETCPU
+	SNR_GETTIMEOFDAY            ScmpSyscall = SYS_GETTIMEOFDAY
+	SNR_SETTIMEOFDAY            ScmpSyscall = SYS_SETTIMEOFDAY
+	SNR_ADJTIMEX                ScmpSyscall = SYS_ADJTIMEX
+	SNR_GETPID                  ScmpSyscall = SYS_GETPID
+	SNR_GETPPID                 ScmpSyscall = SYS_GETPPID
+	SNR_GETUID                  ScmpSyscall = SYS_GETUID
+	SNR_GETEUID                 ScmpSyscall = SYS_GETEUID
+	SNR_GETGID                  ScmpSyscall = SYS_GETGID
+	SNR_GETEGID                 ScmpSyscall = SYS_GETEGID
+	SNR_GETTID                  ScmpSyscall = SYS_GETTID
+	SNR_SYSINFO                 ScmpSyscall = SYS_SYSINFO
+	SNR_MQ_OPEN                 ScmpSyscall = SYS_MQ_OPEN
+	SNR_MQ_UNLINK               ScmpSyscall = SYS_MQ_UNLINK
+	SNR_MQ_TIMEDSEND            ScmpSyscall = SYS_MQ_TIMEDSEND
+	SNR_MQ_TIMEDRECEIVE         ScmpSyscall = SYS_MQ_TIMEDRECEIVE
+	SNR_MQ_NOTIFY               ScmpSyscall = SYS_MQ_NOTIFY
+	SNR_MQ_GETSETATTR           ScmpSyscall = SYS_MQ_GETSETATTR
+	SNR_MSGGET                  ScmpSyscall = SYS_MSGGET
+	SNR_MSGCTL                  ScmpSyscall = SYS_MSGCTL
+	SNR_MSGRCV                  ScmpSyscall = SYS_MSGRCV
+	SNR_MSGSND                  ScmpSyscall = SYS_MSGSND
+	SNR_SEMGET                  ScmpSyscall = SYS_SEMGET
+	SNR_SEMCTL                  ScmpSyscall = SYS_SEMCTL
+	SNR_SEMTIMEDOP              ScmpSyscall = SYS_SEMTIMEDOP
+	SNR_SEMOP                   ScmpSyscall = SYS_SEMOP
+	SNR_SHMGET                  ScmpSyscall = SYS_SHMGET
+	SNR_SHMCTL                  ScmpSyscall = SYS_SHMCTL
+	SNR_SHMAT                   ScmpSyscall = SYS_SHMAT
+	SNR_SHMDT                   ScmpSyscall = SYS_SHMDT
+	SNR_SOCKET                  ScmpSyscall = SYS_SOCKET
+	SNR_SOCKETPAIR              ScmpSyscall = SYS_SOCKETPAIR
+	SNR_BIND                    ScmpSyscall = SYS_BIND
+	SNR_LISTEN                  ScmpSyscall = SYS_LISTEN
+	SNR_ACCEPT                  ScmpSyscall = SYS_ACCEPT
+	SNR_CONNECT                 ScmpSyscall = SYS_CONNECT
+	SNR_GETSOCKNAME             ScmpSyscall = SYS_GETSOCKNAME
+	SNR_GETPEERNAME             ScmpSyscall = SYS_GETPEERNAME
+	SNR_SENDTO                  ScmpSyscall = SYS_SENDTO
+	SNR_RECVFROM                ScmpSyscall = SYS_RECVFROM
+	SNR_SETSOCKOPT              ScmpSyscall = SYS_SETSOCKOPT
+	SNR_GETSOCKOPT              ScmpSyscall = SYS_GETSOCKOPT
+	SNR_SHUTDOWN                ScmpSyscall = SYS_SHUTDOWN
+	SNR_SENDMSG                 ScmpSyscall = SYS_SENDMSG
+	SNR_RECVMSG                 ScmpSyscall = SYS_RECVMSG
+	SNR_READAHEAD               ScmpSyscall = SYS_READAHEAD
+	SNR_BRK                     ScmpSyscall = SYS_BRK
+	SNR_MUNMAP                  ScmpSyscall = SYS_MUNMAP
+	SNR_MREMAP                  ScmpSyscall = SYS_MREMAP
+	SNR_ADD_KEY                 ScmpSyscall = SYS_ADD_KEY
+	SNR_REQUEST_KEY             ScmpSyscall = SYS_REQUEST_KEY
+	SNR_KEYCTL                  ScmpSyscall = SYS_KEYCTL
+	SNR_CLONE                   ScmpSyscall = SYS_CLONE
+	SNR_EXECVE                  ScmpSyscall = SYS_EXECVE
+	SNR_MMAP                    ScmpSyscall = SYS_MMAP
+	SNR_FADVISE64               ScmpSyscall = SYS_FADVISE64
+	SNR_SWAPON                  ScmpSyscall = SYS_SWAPON
+	SNR_SWAPOFF                 ScmpSyscall = SYS_SWAPOFF
+	SNR_MPROTECT                ScmpSyscall = SYS_MPROTECT
+	SNR_MSYNC                   ScmpSyscall = SYS_MSYNC
+	SNR_MLOCK                   ScmpSyscall = SYS_MLOCK
+	SNR_MUNLOCK                 ScmpSyscall = SYS_MUNLOCK
+	SNR_MLOCKALL                ScmpSyscall = SYS_MLOCKALL
+	SNR_MUNLOCKALL              ScmpSyscall = SYS_MUNLOCKALL
+	SNR_MINCORE                 ScmpSyscall = SYS_MINCORE
+	SNR_MADVISE                 ScmpSyscall = SYS_MADVISE
+	SNR_REMAP_FILE_PAGES        ScmpSyscall = SYS_REMAP_FILE_PAGES
+	SNR_MBIND                   ScmpSyscall = SYS_MBIND
+	SNR_GET_MEMPOLICY           ScmpSyscall = SYS_GET_MEMPOLICY
+	SNR_SET_MEMPOLICY           ScmpSyscall = SYS_SET_MEMPOLICY
+	SNR_MIGRATE_PAGES           ScmpSyscall = SYS_MIGRATE_PAGES
+	SNR_MOVE_PAGES              ScmpSyscall = SYS_MOVE_PAGES
+	SNR_RT_TGSIGQUEUEINFO       ScmpSyscall = SYS_RT_TGSIGQUEUEINFO
+	SNR_PERF_EVENT_OPEN         ScmpSyscall = SYS_PERF_EVENT_OPEN
+	SNR_ACCEPT4                 ScmpSyscall = SYS_ACCEPT4
+	SNR_RECVMMSG                ScmpSyscall = SYS_RECVMMSG
+	SNR_WAIT4                   ScmpSyscall = SYS_WAIT4
+	SNR_PRLIMIT64               ScmpSyscall = SYS_PRLIMIT64
+	SNR_FANOTIFY_INIT           ScmpSyscall = SYS_FANOTIFY_INIT
+	SNR_FANOTIFY_MARK           ScmpSyscall = SYS_FANOTIFY_MARK
+	SNR_NAME_TO_HANDLE_AT       ScmpSyscall = SYS_NAME_TO_HANDLE_AT
+	SNR_OPEN_BY_HANDLE_AT       ScmpSyscall = SYS_OPEN_BY_HANDLE_AT
+	SNR_CLOCK_ADJTIME           ScmpSyscall = SYS_CLOCK_ADJTIME
+	SNR_SYNCFS                  ScmpSyscall = SYS_SYNCFS
+	SNR_SETNS                   ScmpSyscall = SYS_SETNS
+	SNR_SENDMMSG                ScmpSyscall = SYS_SENDMMSG
+	SNR_PROCESS_VM_READV        ScmpSyscall = SYS_PROCESS_VM_READV
+	SNR_PROCESS_VM_WRITEV       ScmpSyscall = SYS_PROCESS_VM_WRITEV
+	SNR_KCMP                    ScmpSyscall = SYS_KCMP
+	SNR_FINIT_MODULE            ScmpSyscall = SYS_FINIT_MODULE
+	SNR_SCHED_SETATTR           ScmpSyscall = SYS_SCHED_SETATTR
+	SNR_SCHED_GETATTR           ScmpSyscall = SYS_SCHED_GETATTR
+	SNR_RENAMEAT2               ScmpSyscall = SYS_RENAMEAT2
+	SNR_SECCOMP                 ScmpSyscall = SYS_SECCOMP
+	SNR_GETRANDOM               ScmpSyscall = SYS_GETRANDOM
+	SNR_MEMFD_CREATE            ScmpSyscall = SYS_MEMFD_CREATE
+	SNR_BPF                     ScmpSyscall = SYS_BPF
+	SNR_EXECVEAT                ScmpSyscall = SYS_EXECVEAT
+	SNR_USERFAULTFD             ScmpSyscall = SYS_USERFAULTFD
+	SNR_MEMBARRIER              ScmpSyscall = SYS_MEMBARRIER
+	SNR_MLOCK2                  ScmpSyscall = SYS_MLOCK2
+	SNR_COPY_FILE_RANGE         ScmpSyscall = SYS_COPY_FILE_RANGE
+	SNR_PREADV2                 ScmpSyscall = SYS_PREADV2
+	SNR_PWRITEV2                ScmpSyscall = SYS_PWRITEV2
+	SNR_PKEY_MPROTECT           ScmpSyscall = SYS_PKEY_MPROTECT
+	SNR_PKEY_ALLOC              ScmpSyscall = SYS_PKEY_ALLOC
+	SNR_PKEY_FREE               ScmpSyscall = SYS_PKEY_FREE
+	SNR_STATX                   ScmpSyscall = SYS_STATX
+	SNR_IO_PGETEVENTS           ScmpSyscall = SYS_IO_PGETEVENTS
+	SNR_RSEQ                    ScmpSyscall = SYS_RSEQ
+	SNR_KEXEC_FILE_LOAD         ScmpSyscall = SYS_KEXEC_FILE_LOAD
+	SNR_PIDFD_SEND_SIGNAL       ScmpSyscall = SYS_PIDFD_SEND_SIGNAL
+	SNR_IO_URING_SETUP          ScmpSyscall = SYS_IO_URING_SETUP
+	SNR_IO_URING_ENTER          ScmpSyscall = SYS_IO_URING_ENTER
+	SNR_IO_URING_REGISTER       ScmpSyscall = SYS_IO_URING_REGISTER
+	SNR_OPEN_TREE               ScmpSyscall = SYS_OPEN_TREE
+	SNR_MOVE_MOUNT              ScmpSyscall = SYS_MOVE_MOUNT
+	SNR_FSOPEN                  ScmpSyscall = SYS_FSOPEN
+	SNR_FSCONFIG                ScmpSyscall = SYS_FSCONFIG
+	SNR_FSMOUNT                 ScmpSyscall = SYS_FSMOUNT
+	SNR_FSPICK                  ScmpSyscall = SYS_FSPICK
+	SNR_PIDFD_OPEN              ScmpSyscall = SYS_PIDFD_OPEN
+	SNR_CLONE3                  ScmpSyscall = SYS_CLONE3
+	SNR_CLOSE_RANGE             ScmpSyscall = SYS_CLOSE_RANGE
+	SNR_OPENAT2                 ScmpSyscall = SYS_OPENAT2
+	SNR_PIDFD_GETFD             ScmpSyscall = SYS_PIDFD_GETFD
+	SNR_FACCESSAT2              ScmpSyscall = SYS_FACCESSAT2
+	SNR_PROCESS_MADVISE         ScmpSyscall = SYS_PROCESS_MADVISE
+	SNR_EPOLL_PWAIT2            ScmpSyscall = SYS_EPOLL_PWAIT2
+	SNR_MOUNT_SETATTR           ScmpSyscall = SYS_MOUNT_SETATTR
+	SNR_QUOTACTL_FD             ScmpSyscall = SYS_QUOTACTL_FD
+	SNR_LANDLOCK_CREATE_RULESET ScmpSyscall = SYS_LANDLOCK_CREATE_RULESET
+	SNR_LANDLOCK_ADD_RULE       ScmpSyscall = SYS_LANDLOCK_ADD_RULE
+	SNR_LANDLOCK_RESTRICT_SELF  ScmpSyscall = SYS_LANDLOCK_RESTRICT_SELF
+	SNR_MEMFD_SECRET            ScmpSyscall = SYS_MEMFD_SECRET
+	SNR_PROCESS_MRELEASE        ScmpSyscall = SYS_PROCESS_MRELEASE
+	SNR_FUTEX_WAITV             ScmpSyscall = SYS_FUTEX_WAITV
+	SNR_SET_MEMPOLICY_HOME_NODE ScmpSyscall = SYS_SET_MEMPOLICY_HOME_NODE
+	SNR_CACHESTAT               ScmpSyscall = SYS_CACHESTAT
+	SNR_FCHMODAT2               ScmpSyscall = SYS_FCHMODAT2
+	SNR_MAP_SHADOW_STACK        ScmpSyscall = SYS_MAP_SHADOW_STACK
+	SNR_FUTEX_WAKE              ScmpSyscall = SYS_FUTEX_WAKE
+	SNR_FUTEX_WAIT              ScmpSyscall = SYS_FUTEX_WAIT
+	SNR_FUTEX_REQUEUE           ScmpSyscall = SYS_FUTEX_REQUEUE
+	SNR_STATMOUNT               ScmpSyscall = SYS_STATMOUNT
+	SNR_LISTMOUNT               ScmpSyscall = SYS_LISTMOUNT
+	SNR_LSM_GET_SELF_ATTR       ScmpSyscall = SYS_LSM_GET_SELF_ATTR
+	SNR_LSM_SET_SELF_ATTR       ScmpSyscall = SYS_LSM_SET_SELF_ATTR
+	SNR_LSM_LIST_MODULES        ScmpSyscall = SYS_LSM_LIST_MODULES
+	SNR_MSEAL                   ScmpSyscall = SYS_MSEAL
+	SNR_SETXATTRAT              ScmpSyscall = SYS_SETXATTRAT
+	SNR_GETXATTRAT              ScmpSyscall = SYS_GETXATTRAT
+	SNR_LISTXATTRAT             ScmpSyscall = SYS_LISTXATTRAT
+	SNR_REMOVEXATTRAT           ScmpSyscall = SYS_REMOVEXATTRAT
+	SNR_OPEN_TREE_ATTR          ScmpSyscall = SYS_OPEN_TREE_ATTR
+	SNR_FILE_GETATTR            ScmpSyscall = SYS_FILE_GETATTR
+	SNR_FILE_SETATTR            ScmpSyscall = SYS_FILE_SETATTR
+)

container/std/syscall_test.go

@@ -0,0 +1,21 @@
+package std_test
+
+import (
+	"testing"
+
+	"hakurei.app/container/std"
+)
+
+func TestSyscallResolveName(t *testing.T) {
+	t.Parallel()
+
+	for name, want := range std.Syscalls() {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			if got, ok := std.SyscallResolveName(name); !ok || got != want {
+				t.Errorf("SyscallResolveName(%q) = %d, want %d", name, got, want)
+			}
+		})
+	}
+}

container/std/types.go

@@ -0,0 +1,8 @@
+package std
+
+type (
+	// Uint is equivalent to C.uint.
+	Uint uint32
+	// Int is equivalent to C.int.
+	Int int32
+)

container/stub/call_test.go

@@ -4,7 +4,7 @@ import (
 	"reflect"
 	"testing"
 
-	"hakurei.app/internal/stub"
+	"hakurei.app/container/stub"
 )
 
 func TestCallError(t *testing.T) {

container/stub/errors.go

@@ -9,14 +9,11 @@ var (
 	ErrCheck = errors.New("one or more arguments did not match")
 )
 
-// UniqueError is an error that only equivalates to another [UniqueError] with
+// UniqueError is an error that only equivalates to other [UniqueError] with the same magic value.
-// the same magic value.
 type UniqueError uintptr
 
 func (e UniqueError) Error() string {
-	return "unique error " +
+	return "unique error " + strconv.FormatUint(uint64(e), 10) + " injected by the test suite"
-		strconv.FormatUint(uint64(e), 10) +
-		" injected by the test suite"
 }
 
 func (e UniqueError) Is(target error) bool {

container/stub/errors_test.go

@@ -5,7 +5,7 @@ import (
 	"syscall"
 	"testing"
 
-	"hakurei.app/internal/stub"
+	"hakurei.app/container/stub"
 )
 
 func TestUniqueError(t *testing.T) {

container/stub/exit_test.go

@@ -4,12 +4,12 @@ import (
 	"testing"
 	_ "unsafe" // for go:linkname
 
-	"hakurei.app/internal/stub"
+	"hakurei.app/container/stub"
 )
 
 // Made available here to check panic recovery behaviour.
 //
-//go:linkname handleExitNew hakurei.app/internal/stub.handleExitNew
+//go:linkname handleExitNew hakurei.app/container/stub.handleExitNew
 func handleExitNew(t testing.TB)
 
 // overrideTFailNow overrides the Fail and FailNow method.

container/stub/stub.go

@@ -1,5 +1,5 @@
-// Package stub provides function call level stubbing and validation for library
+// Package stub provides function call level stubbing and validation
-// functions that are impossible to check otherwise.
+// for library functions that are impossible to check otherwise.
 package stub
 
 import (

container/syscall.go

@@ -4,18 +4,61 @@ import (
 	. "syscall"
 	"unsafe"
 
-	"hakurei.app/ext"
+	"hakurei.app/container/std"
 )
 
-// SetNoNewPrivs sets the calling thread's no_new_privs attribute.
+// Prctl manipulates various aspects of the behavior of the calling thread or process.
-func SetNoNewPrivs() error {
+func Prctl(op, arg2, arg3 uintptr) error {
-	return ext.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0)
+	r, _, errno := Syscall(SYS_PRCTL, op, arg2, arg3)
+	if r < 0 {
+		return errno
+	}
+	return nil
 }
 
+// SetPtracer allows processes to ptrace(2) the calling process.
+func SetPtracer(pid uintptr) error { return Prctl(PR_SET_PTRACER, pid, 0) }
+
+// linux/sched/coredump.h
+const (
+	SUID_DUMP_DISABLE = iota
+	SUID_DUMP_USER
+)
+
+// SetDumpable sets the "dumpable" attribute of the calling process.
+func SetDumpable(dumpable uintptr) error { return Prctl(PR_SET_DUMPABLE, dumpable, 0) }
+
+// SetNoNewPrivs sets the calling thread's no_new_privs attribute.
+func SetNoNewPrivs() error { return Prctl(PR_SET_NO_NEW_PRIVS, 1, 0) }
+
+// Isatty tests whether a file descriptor refers to a terminal.
+func Isatty(fd int) bool {
+	var buf [8]byte
+	r, _, _ := Syscall(
+		SYS_IOCTL,
+		uintptr(fd),
+		TIOCGWINSZ,
+		uintptr(unsafe.Pointer(&buf[0])),
+	)
+	return r == 0
+}
+
+// include/uapi/linux/sched.h
+const (
+	SCHED_NORMAL = iota
+	SCHED_FIFO
+	SCHED_RR
+	SCHED_BATCH
+	_ // SCHED_ISO: reserved but not implemented yet
+	SCHED_IDLE
+	SCHED_DEADLINE
+	SCHED_EXT
+)
+
 // schedParam is equivalent to struct sched_param from include/linux/sched.h.
 type schedParam struct {
 	// sched_priority
-	priority ext.Int
+	priority std.Int
 }
 
 // schedSetscheduler sets both the scheduling policy and parameters for the
@@ -31,14 +74,30 @@ type schedParam struct {
 // this if you do not have something similar in place!
 //
 // [very subtle to use correctly]: https://www.openwall.com/lists/musl/2016/03/01/4
-func schedSetscheduler(tid int, policy ext.SchedPolicy, param *schedParam) error {
+func schedSetscheduler(tid, policy int, param *schedParam) error {
-	if _, _, errno := Syscall(
+	if r, _, errno := Syscall(
 		SYS_SCHED_SETSCHEDULER,
 		uintptr(tid),
 		uintptr(policy),
 		uintptr(unsafe.Pointer(param)),
-	); errno != 0 {
+	); r < 0 {
 		return errno
 	}
 	return nil
 }
+
+// IgnoringEINTR makes a function call and repeats it if it returns an
+// EINTR error. This appears to be required even though we install all
+// signal handlers with SA_RESTART: see #22838, #38033, #38836, #40846.
+// Also #20400 and #36644 are issues in which a signal handler is
+// installed without setting SA_RESTART. None of these are the common case,
+// but there are enough of them that it seems that we can't avoid
+// an EINTR loop.
+func IgnoringEINTR(fn func() error) error {
+	for {
+		err := fn()
+		if err != EINTR {
+			return err
+		}
+	}
+}

container/syscall_close_range.go

@@ -1,11 +0,0 @@
-//go:build close_range
-
-package container
-
-import "hakurei.app/ext"
-
-// doCloseOnExec implements ensureCloseOnExec by calling CloseRange with
-// CLOSE_RANGE_CLOEXEC.
-func doCloseOnExec() error {
-	return ext.CloseRange(0, ext.MaxUint, ext.CLOSE_RANGE_CLOEXEC)
-}

container/syscall_range_proc.go

@@ -1,28 +0,0 @@
-//go:build !close_range
-
-package container
-
-import (
-	"os"
-	"strconv"
-	"syscall"
-
-	"hakurei.app/fhs"
-)
-
-// doCloseOnExec implements ensureCloseOnExec by ranging over proc_pid_fd(5).
-func doCloseOnExec() error {
-	entries, err := os.ReadDir(fhs.ProcSelf + "fd/")
-	if err != nil {
-		return err
-	}
-
-	var fd int
-	for _, ent := range entries {
-		if fd, err = strconv.Atoi(ent.Name()); err != nil {
-			return err // not reached
-		}
-		syscall.CloseOnExec(fd)
-	}
-	return nil
-}