sandbox/seccomp: resolve rules natively

This enables loading syscall filter policies from external cross-platform config files.

This also removes a significant amount of C code.

Signed-off-by: Ophestra <cat@gensokyo.uk>

hst/container.go

@@ -11,7 +11,9 @@ type (
 		Hostname string `json:"hostname,omitempty"`
 
 		// extra seccomp flags
-		Seccomp seccomp.FilterOpts `json:"seccomp"`
+		SeccompFlags seccomp.PrepareFlag `json:"seccomp_flags"`
+		// extra seccomp presets
+		SeccompPresets seccomp.FilterPreset `json:"seccomp_presets"`
 		// allow ptrace and friends
 		Devel bool `json:"devel,omitempty"`
 		// allow userns creation in container

hst/template.go

@@ -57,15 +57,16 @@ func Template() *Config {
 		Groups:   []string{"video", "dialout", "plugdev"},
 
 		Container: &ContainerConfig{
-			Hostname:   "localhost",
-			Devel:      true,
-			Userns:     true,
-			Net:        true,
-			Device:     true,
-			Seccomp:    seccomp.FilterMultiarch,
-			Tty:        true,
-			Multiarch:  true,
-			MapRealUID: true,
+			Hostname:       "localhost",
+			Devel:          true,
+			Userns:         true,
+			Net:            true,
+			Device:         true,
+			SeccompFlags:   seccomp.AllowMultiarch,
+			SeccompPresets: seccomp.PresetExt,
+			Tty:            true,
+			Multiarch:      true,
+			MapRealUID:     true,
 			// example API credentials pulled from Google Chrome
 			// DO NOT USE THESE IN A REAL BROWSER
 			Env: map[string]string{

hst/template_test.go

@@ -80,7 +80,8 @@ func TestTemplate(t *testing.T) {
 	],
 	"container": {
 		"hostname": "localhost",
-		"seccomp": 32,
+		"seccomp_flags": 1,
+		"seccomp_presets": 1,
 		"devel": true,
 		"userns": true,
 		"net": true,