sandbox/seccomp: resolve rules natively

This enables loading syscall filter policies from external cross-platform config files.

This also removes a significant amount of C code.

Signed-off-by: Ophestra <cat@gensokyo.uk>

internal/app/instance/common/container.go

@@ -27,8 +27,9 @@ func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox
 	}
 
 	container := &sandbox.Params{
-		Hostname: s.Hostname,
-		Seccomp:  s.Seccomp,
+		Hostname:       s.Hostname,
+		SeccompFlags:   s.SeccompFlags,
+		SeccompPresets: s.SeccompPresets,
 	}
 
 	{
@@ -37,7 +38,7 @@ func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox
 	}
 
 	if s.Multiarch {
-		container.Seccomp |= seccomp.FilterMultiarch
+		container.SeccompFlags |= seccomp.AllowMultiarch
 	}
 
 	if s.Devel {

internal/app/internal/setuid/shim.go

@@ -163,7 +163,7 @@ func ShimMain() {
 		hlog.PrintBaseError(err, "cannot configure container:")
 	}
 
-	if err := seccomp.Load(seccomp.PresetCommon); err != nil {
+	if err := seccomp.Load(seccomp.PresetStrict, seccomp.AllowMultiarch); err != nil {
 		log.Fatalf("cannot load syscall filter: %v", err)
 	}
 

internal/output.go

@@ -3,7 +3,6 @@ package internal
 import (
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
 	"git.gensokyo.uk/security/hakurei/sandbox"
-	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
 	"git.gensokyo.uk/security/hakurei/system"
 )
 
@@ -11,7 +10,4 @@ func InstallFmsg(verbose bool) {
 	hlog.Store(verbose)
 	sandbox.SetOutput(hlog.Output{})
 	system.SetOutput(hlog.Output{})
-	if verbose {
-		seccomp.SetOutput(hlog.Verbose)
-	}
 }