sandbox: invert seccomp ruleset defaults

Signed-off-by: Ophestra <cat@gensokyo.uk>

internal/sandbox/container.go

@@ -20,12 +20,20 @@ import (
 type HardeningFlags uintptr
 
 const (
-	FAllowUserns HardeningFlags = 1 << iota
+	FSyscallCompat HardeningFlags = 1 << iota
+	FAllowDevel
+	FAllowUserns
 	FAllowTTY
 	FAllowNet
 )
 
 func (flags HardeningFlags) seccomp(opts seccomp.SyscallOpts) seccomp.SyscallOpts {
+	if flags&FSyscallCompat == 0 {
+		opts |= seccomp.FlagExt
+	}
+	if flags&FAllowDevel == 0 {
+		opts |= seccomp.FlagDenyDevel
+	}
 	if flags&FAllowUserns == 0 {
 		opts |= seccomp.FlagDenyNS
 	}

internal/sandbox/container_test.go

@@ -13,7 +13,6 @@ import (
 	"time"
 
 	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/helper/seccomp"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/sandbox"
@@ -71,7 +70,6 @@ func TestContainer(t *testing.T) {
 				return exec.CommandContext(ctx, os.Args[0], "-test.v",
 					"-test.run=TestHelperInit", "--", "init")
 			}
-			container.Seccomp |= seccomp.FlagExt
 			container.Flags |= tc.flags
 			container.Stdout, container.Stderr = os.Stdout, os.Stderr
 			container.Ops = tc.ops