fst: include syscall filter configuration

This value is passed through to shim.

Signed-off-by: Ophestra <cat@gensokyo.uk>

fst/config.go

@@ -31,6 +31,8 @@ type ConfinementConfig struct {
 	Outer string `json:"home"`
 	// bwrap sandbox confinement configuration
 	Sandbox *SandboxConfig `json:"sandbox"`
+	// seccomp syscall filter configuration
+	Syscall *SyscallConfig `json:"syscall"`
 	// extra acl entries to append
 	ExtraPerms []*ExtraPermConfig `json:"extra_perms,omitempty"`
 
@@ -45,6 +47,14 @@ type ConfinementConfig struct {
 	Enablements system.Enablements `json:"enablements"`
 }
 
+type SyscallConfig struct {
+	DenyDevel bool `json:"deny_devel"`
+	Multiarch bool `json:"multiarch"`
+	Linux32   bool `json:"linux32"`
+	Can       bool `json:"can"`
+	Bluetooth bool `json:"bluetooth"`
+}
+
 type ExtraPermConfig struct {
 	Ensure  bool   `json:"ensure,omitempty"`
 	Path    string `json:"path"`