sandbox/seccomp: prepare -> export

Export makes a lot more sense, and also matches the libseccomp function. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-07-02 00:32:48 +09:00 · 2025-07-02 00:32:48 +09:00 · 26b7afc890
commit 26b7afc890
parent d5532aade0
9 changed files with 34 additions and 34 deletions
--- a/hst/container.go
+++ b/hst/container.go
@ -11,7 +11,7 @@ type (
 		Hostname string `json:"hostname,omitempty"`

 		// extra seccomp flags
-		SeccompFlags seccomp.PrepareFlag `json:"seccomp_flags"`
+		SeccompFlags seccomp.ExportFlag `json:"seccomp_flags"`
 		// extra seccomp presets
 		SeccompPresets seccomp.FilterPreset `json:"seccomp_presets"`
 		// allow ptrace and friends
--- a/sandbox/container.go
+++ b/sandbox/container.go
@ -95,7 +95,7 @@ type (
 		// Sequential container setup ops.
 		*Ops
 		// Extra seccomp flags.
-		SeccompFlags seccomp.PrepareFlag
+		SeccompFlags seccomp.ExportFlag
 		// Extra seccomp presets.
 		SeccompPresets seccomp.FilterPreset
 		// Permission bits of newly created parent directories.
--- a/sandbox/seccomp/libseccomp-helper.c
+++ b/sandbox/seccomp/libseccomp-helper.c
@ -9,10 +9,10 @@

 #define LEN(arr) (sizeof(arr) / sizeof((arr)[0]))

-int32_t hakurei_prepare_filter(int *ret_p, int fd, uint32_t arch,
+int32_t hakurei_export_filter(int *ret_p, int fd, uint32_t arch,
                              uint32_t multiarch,
                              struct hakurei_syscall_rule *rules,
-                               size_t rules_sz, hakurei_prepare_flag flags) {
+                              size_t rules_sz, hakurei_export_flag flags) {
  int i;
  int last_allowed_family;
  int disallowed;
@ -23,7 +23,7 @@ int32_t hakurei_prepare_filter(int *ret_p, int fd, uint32_t arch,
  /* Blocklist all but unix, inet, inet6 and netlink */
  struct {
    int family;
-    hakurei_prepare_flag flags_mask;
+    hakurei_export_flag flags_mask;
  } socket_family_allowlist[] = {
      /* NOTE: Keep in numerical order */
      {AF_UNSPEC, 0},
@ -31,8 +31,8 @@ int32_t hakurei_prepare_filter(int *ret_p, int fd, uint32_t arch,
      {AF_INET, 0},
      {AF_INET6, 0},
      {AF_NETLINK, 0},
-      {AF_CAN, HAKUREI_PREPARE_CAN},
-      {AF_BLUETOOTH, HAKUREI_PREPARE_BLUETOOTH},
+      {AF_CAN, HAKUREI_EXPORT_CAN},
+      {AF_BLUETOOTH, HAKUREI_EXPORT_BLUETOOTH},
  };

  scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
@ -56,7 +56,7 @@ int32_t hakurei_prepare_filter(int *ret_p, int fd, uint32_t arch,
      goto out;
    }

-    if (flags & HAKUREI_PREPARE_MULTIARCH && multiarch != 0) {
+    if (flags & HAKUREI_EXPORT_MULTIARCH && multiarch != 0) {
      *ret_p = seccomp_arch_add(ctx, multiarch);
      if (*ret_p < 0 && *ret_p != -EEXIST) {
        res = 3;
--- a/sandbox/seccomp/libseccomp-helper.h
+++ b/sandbox/seccomp/libseccomp-helper.h
@ -7,10 +7,10 @@
 #endif

 typedef enum {
-  HAKUREI_PREPARE_MULTIARCH = 1 << 0,
-  HAKUREI_PREPARE_CAN = 1 << 1,
-  HAKUREI_PREPARE_BLUETOOTH = 1 << 2,
-} hakurei_prepare_flag;
+  HAKUREI_EXPORT_MULTIARCH = 1 << 0,
+  HAKUREI_EXPORT_CAN = 1 << 1,
+  HAKUREI_EXPORT_BLUETOOTH = 1 << 2,
+} hakurei_export_flag;

 struct hakurei_syscall_rule {
  int syscall;
@ -18,7 +18,7 @@ struct hakurei_syscall_rule {
  struct scmp_arg_cmp *arg;
 };

-int32_t hakurei_prepare_filter(int *ret_p, int fd, uint32_t arch,
+int32_t hakurei_export_filter(int *ret_p, int fd, uint32_t arch,
                              uint32_t multiarch,
                              struct hakurei_syscall_rule *rules,
-                               size_t rules_sz, hakurei_prepare_flag flags);
+                              size_t rules_sz, hakurei_export_flag flags);
--- a/sandbox/seccomp/libseccomp.go
+++ b/sandbox/seccomp/libseccomp.go
@ -64,15 +64,15 @@ type NativeRule struct {
 	Arg *ScmpArgCmp
 }

-type PrepareFlag = C.hakurei_prepare_flag
+type ExportFlag = C.hakurei_export_flag

 const (
 	// AllowMultiarch allows multiarch/emulation.
-	AllowMultiarch PrepareFlag = C.HAKUREI_PREPARE_MULTIARCH
+	AllowMultiarch ExportFlag = C.HAKUREI_EXPORT_MULTIARCH
 	// AllowCAN allows AF_CAN.
-	AllowCAN PrepareFlag = C.HAKUREI_PREPARE_CAN
+	AllowCAN ExportFlag = C.HAKUREI_EXPORT_CAN
 	// AllowBluetooth allows AF_BLUETOOTH.
-	AllowBluetooth PrepareFlag = C.HAKUREI_PREPARE_BLUETOOTH
+	AllowBluetooth ExportFlag = C.HAKUREI_EXPORT_BLUETOOTH
 )

 var resPrefix = [...]string{
@ -86,8 +86,8 @@ var resPrefix = [...]string{
 	7: "seccomp_load failed",
 }

-// Prepare streams filter contents to fd, or installs it to the current process if fd < 0.
-func Prepare(fd int, rules []NativeRule, flags PrepareFlag) error {
+// Export streams filter contents to fd, or installs it to the current process if fd < 0.
+func Export(fd int, rules []NativeRule, flags ExportFlag) error {
 	if len(rules) == 0 {
 		return ErrInvalidRules
 	}
@ -119,7 +119,7 @@ func Prepare(fd int, rules []NativeRule, flags PrepareFlag) error {
 			rulesPinner.Pin(rule.Arg)
 		}
 	}
-	res, err := C.hakurei_prepare_filter(
+	res, err := C.hakurei_export_filter(
 		&ret, C.int(fd),
 		arch, multiarch,
 		(*C.struct_hakurei_syscall_rule)(unsafe.Pointer(&rules[0])),
--- a/sandbox/seccomp/libseccomp_test.go
+++ b/sandbox/seccomp/libseccomp_test.go
@ -15,7 +15,7 @@ func TestExport(t *testing.T) {
 	testCases := []struct {
 		name    string
 		presets FilterPreset
-		flags   PrepareFlag
+		flags   ExportFlag
 		want    []byte
 		wantErr bool
 	}{
--- a/sandbox/seccomp/presets.go
+++ b/sandbox/seccomp/presets.go
@ -21,7 +21,7 @@ const (
 	PresetLinux32
 )

-func Preset(presets FilterPreset, flags PrepareFlag) (rules []NativeRule) {
+func Preset(presets FilterPreset, flags ExportFlag) (rules []NativeRule) {
 	allowedPersonality := PER_LINUX
 	if presets&PresetLinux32 != 0 {
 		allowedPersonality = PER_LINUX32
--- a/sandbox/seccomp/proc.go
+++ b/sandbox/seccomp/proc.go
@ -13,10 +13,10 @@ const (
 )

 // New returns an inactive Encoder instance.
-func New(rules []NativeRule, flags PrepareFlag) *Encoder { return &Encoder{newExporter(rules, flags)} }
+func New(rules []NativeRule, flags ExportFlag) *Encoder { return &Encoder{newExporter(rules, flags)} }

 // Load loads a filter into the kernel.
-func Load(rules []NativeRule, flags PrepareFlag) error { return Prepare(-1, rules, flags) }
+func Load(rules []NativeRule, flags ExportFlag) error { return Export(-1, rules, flags) }

 /*
 An Encoder writes a BPF program to an output stream.
@ -46,14 +46,14 @@ func (e *Encoder) Close() error {
 }

 // NewFile returns an instance of exporter implementing [proc.File].
-func NewFile(rules []NativeRule, flags PrepareFlag) proc.File {
+func NewFile(rules []NativeRule, flags ExportFlag) proc.File {
 	return &File{rules: rules, flags: flags}
 }

 // File implements [proc.File] and provides access to the read end of exporter pipe.
 type File struct {
 	rules []NativeRule
-	flags PrepareFlag
+	flags ExportFlag
 	proc.BaseFile
 }

--- a/sandbox/seccomp/seccomp.go
+++ b/sandbox/seccomp/seccomp.go
@ -9,7 +9,7 @@ import (

 type exporter struct {
 	rules []NativeRule
-	flags PrepareFlag
+	flags ExportFlag
 	r, w  *os.File

 	prepareOnce sync.Once
@ -30,7 +30,7 @@ func (e *exporter) prepare() error {

 		ec := make(chan error, 1)
 		go func(fd uintptr) {
-			ec <- Prepare(int(fd), e.rules, e.flags)
+			ec <- Export(int(fd), e.rules, e.flags)
 			close(ec)
 			_ = e.closeWrite()
 			runtime.KeepAlive(e.w)
@ -55,6 +55,6 @@ func (e *exporter) closeWrite() error {
 	return e.closeErr
 }

-func newExporter(rules []NativeRule, flags PrepareFlag) *exporter {
+func newExporter(rules []NativeRule, flags ExportFlag) *exporter {
 	return &exporter{rules: rules, flags: flags}
 }