hst/config: remove seccomp bit fields

These serve little purpose and are not friendly for use from other languages.

Signed-off-by: Ophestra <cat@gensokyo.uk>

cmd/hakurei/print_test.go

@@ -259,8 +259,6 @@ App
     "container": {
       "hostname": "localhost",
       "wait_delay": -1,
-      "seccomp_flags": 1,
-      "seccomp_presets": 1,
       "seccomp_compat": true,
       "devel": true,
       "userns": true,
@@ -415,8 +413,6 @@ App
   "container": {
     "hostname": "localhost",
     "wait_delay": -1,
-    "seccomp_flags": 1,
-    "seccomp_presets": 1,
     "seccomp_compat": true,
     "devel": true,
     "userns": true,
@@ -625,8 +621,6 @@ func Test_printPs(t *testing.T) {
       "container": {
         "hostname": "localhost",
         "wait_delay": -1,
-        "seccomp_flags": 1,
-        "seccomp_presets": 1,
         "seccomp_compat": true,
         "devel": true,
         "userns": true,

cmd/hpkg/app.go

@@ -6,7 +6,6 @@ import (
 	"os"
 
 	"hakurei.app/container"
-	"hakurei.app/container/seccomp"
 	"hakurei.app/hst"
 	"hakurei.app/system/dbus"
 )
@@ -92,6 +91,7 @@ func (app *appInfo) toHst(pathSet *appPathSet, pathname *container.Absolute, arg
 			Device:       app.Device,
 			Tty:          app.Tty || flagDropShell,
 			MapRealUID:   app.MapRealUID,
+			Multiarch:    app.Multiarch,
 			Filesystem: []hst.FilesystemConfigJSON{
 				{FilesystemConfig: &hst.FSBind{Target: container.AbsFHSEtc, Source: pathSet.cacheDir.Append("etc"), Special: true}},
 				{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath.Append("store"), Target: pathNixStore}},
@@ -113,12 +113,6 @@ func (app *appInfo) toHst(pathSet *appPathSet, pathname *container.Absolute, arg
 			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
 		},
 	}
-	if app.Multiarch {
-		config.Container.SeccompFlags |= seccomp.AllowMultiarch
-	}
-	if app.Bluetooth {
-		config.Container.SeccompFlags |= seccomp.AllowBluetooth
-	}
 	return config
 }
 

cmd/hpkg/with.go

@@ -6,7 +6,6 @@ import (
 	"strings"
 
 	"hakurei.app/container"
-	"hakurei.app/container/seccomp"
 	"hakurei.app/hst"
 )
 
@@ -43,11 +42,11 @@ func withNixDaemon(
 		Identity: app.Identity,
 
 		Container: &hst.ContainerConfig{
-			Hostname:     formatHostname(app.Name) + "-" + action,
+			Hostname:  formatHostname(app.Name) + "-" + action,
-			Userns:       true, // nix sandbox requires userns
+			Userns:    true, // nix sandbox requires userns
-			HostNet:      net,
+			HostNet:   net,
-			SeccompFlags: seccomp.AllowMultiarch,
+			Multiarch: true,
-			Tty:          dropShell,
+			Tty:       dropShell,
 			Filesystem: []hst.FilesystemConfigJSON{
 				{FilesystemConfig: &hst.FSBind{Target: container.AbsFHSEtc, Source: pathSet.cacheDir.Append("etc"), Special: true}},
 				{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath, Target: pathNix, Write: true}},
@@ -83,9 +82,9 @@ func withCacheDir(
 		Identity: app.Identity,
 
 		Container: &hst.ContainerConfig{
-			Hostname:     formatHostname(app.Name) + "-" + action,
+			Hostname:  formatHostname(app.Name) + "-" + action,
-			SeccompFlags: seccomp.AllowMultiarch,
+			Multiarch: true,
-			Tty:          dropShell,
+			Tty:       dropShell,
 			Filesystem: []hst.FilesystemConfigJSON{
 				{FilesystemConfig: &hst.FSBind{Target: container.AbsFHSEtc, Source: workDir.Append(container.FHSEtc), Special: true}},
 				{FilesystemConfig: &hst.FSBind{Source: workDir.Append("nix"), Target: pathNix}},

hst/config.go

@@ -4,7 +4,6 @@ import (
 	"time"
 
 	"hakurei.app/container"
-	"hakurei.app/container/seccomp"
 	"hakurei.app/system/dbus"
 )
 
@@ -66,10 +65,6 @@ type (
 		// a negative value causes the container to be terminated immediately on cancellation
 		WaitDelay time.Duration `json:"wait_delay,omitempty"`
 
-		// extra seccomp flags
-		SeccompFlags seccomp.ExportFlag `json:"seccomp_flags"`
-		// extra seccomp presets
-		SeccompPresets seccomp.FilterPreset `json:"seccomp_presets"`
 		// disable project-specific filter extensions
 		SeccompCompat bool `json:"seccomp_compat,omitempty"`
 		// allow ptrace and friends

hst/hst.go

@@ -7,7 +7,6 @@ import (
 	"os"
 
 	"hakurei.app/container"
-	"hakurei.app/container/seccomp"
 	"hakurei.app/system/dbus"
 )
 
@@ -106,19 +105,17 @@ func Template() *Config {
 		Groups:   []string{"video", "dialout", "plugdev"},
 
 		Container: &ContainerConfig{
-			Hostname:       "localhost",
+			Hostname:      "localhost",
-			Devel:          true,
+			Devel:         true,
-			Userns:         true,
+			Userns:        true,
-			HostNet:        true,
+			HostNet:       true,
-			HostAbstract:   true,
+			HostAbstract:  true,
-			Device:         true,
+			Device:        true,
-			WaitDelay:      -1,
+			WaitDelay:     -1,
-			SeccompFlags:   seccomp.AllowMultiarch,
+			SeccompCompat: true,
-			SeccompPresets: seccomp.PresetExt,
+			Tty:           true,
-			SeccompCompat:  true,
+			Multiarch:     true,
-			Tty:            true,
+			MapRealUID:    true,
-			Multiarch:      true,
-			MapRealUID:     true,
 			// example API credentials pulled from Google Chrome
 			// DO NOT USE THESE IN A REAL BROWSER
 			Env: map[string]string{

hst/hst_test.go

@@ -166,8 +166,6 @@ func TestTemplate(t *testing.T) {
 	"container": {
 		"hostname": "localhost",
 		"wait_delay": -1,
-		"seccomp_flags": 1,
-		"seccomp_presets": 1,
 		"seccomp_compat": true,
 		"devel": true,
 		"userns": true,

internal/app/container.go

@@ -32,12 +32,10 @@ func newContainer(
 	}
 
 	params := &container.Params{
-		Hostname:       s.Hostname,
+		Hostname:      s.Hostname,
-		SeccompFlags:   s.SeccompFlags,
+		RetainSession: s.Tty,
-		SeccompPresets: s.SeccompPresets,
+		HostNet:       s.HostNet,
-		RetainSession:  s.Tty,
+		HostAbstract:  s.HostAbstract,
-		HostNet:        s.HostNet,
-		HostAbstract:   s.HostAbstract,
 
 		// the container is canceled when shim is requested to exit or receives an interrupt or termination signal;
 		// this behaviour is implemented in the shim