sandbox/seccomp: resolve rules natively

This enables loading syscall filter policies from external cross-platform config files. This also removes a significant amount of C code. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-07-01 20:23:33 +09:00
parent 1fb453dffe
commit 1a8840bebc
27 changed files with 709 additions and 619 deletions
--- a/cmd/planterette/app.go
+++ b/cmd/planterette/app.go
@@ -115,10 +115,10 @@ func (app *appInfo) toFst(pathSet *appPathSet, argv []string, flagDropShell bool
 		},
 	}
 	if app.Multiarch {
-		config.Container.Seccomp |= seccomp.FilterMultiarch
+		config.Container.SeccompFlags |= seccomp.AllowMultiarch
 	}
 	if app.Bluetooth {
-		config.Container.Seccomp |= seccomp.FilterBluetooth
+		config.Container.SeccompFlags |= seccomp.AllowBluetooth
 	}
 	return config
 }
--- a/cmd/planterette/with.go
+++ b/cmd/planterette/with.go
@@ -43,11 +43,11 @@ func withNixDaemon(
 		Identity: app.Identity,

 		Container: &hst.ContainerConfig{
-			Hostname: formatHostname(app.Name) + "-" + action,
-			Userns:   true, // nix sandbox requires userns
-			Net:      net,
-			Seccomp:  seccomp.FilterMultiarch,
-			Tty:      dropShell,
+			Hostname:     formatHostname(app.Name) + "-" + action,
+			Userns:       true, // nix sandbox requires userns
+			Net:          net,
+			SeccompFlags: seccomp.AllowMultiarch,
+			Tty:          dropShell,
 			Filesystem: []*hst.FilesystemConfig{
 				{Src: pathSet.nixPath, Dst: "/nix", Write: true, Must: true},
 			},
@@ -85,9 +85,9 @@ func withCacheDir(
 		Identity: app.Identity,

 		Container: &hst.ContainerConfig{
-			Hostname: formatHostname(app.Name) + "-" + action,
-			Seccomp:  seccomp.FilterMultiarch,
-			Tty:      dropShell,
+			Hostname:     formatHostname(app.Name) + "-" + action,
+			SeccompFlags: seccomp.AllowMultiarch,
+			Tty:          dropShell,
 			Filesystem: []*hst.FilesystemConfig{
 				{Src: path.Join(workDir, "nix"), Dst: "/nix", Must: true},
 				{Src: workDir, Dst: path.Join(hst.Tmp, "bundle"), Must: true},