From 54c0d6bf48fdfade3aaf7741ec3d3cbc302c8b82 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Wed, 5 Nov 2025 04:28:11 +0900
Subject: [PATCH] container/seccomp/pnr: define pseudo syscalls

This eliminates the cgo dependency from syscall lookup.

Signed-off-by: Ophestra
---
 container/seccomp/pnr.go | 267 ++++++++++++++++++
 .../seccomp/syscall_extra_linux_amd64.go | 41 ++-
 .../seccomp/syscall_extra_linux_arm64.go | 48 ++--
 3 files changed, 305 insertions(+), 51 deletions(-)
 create mode 100644 container/seccomp/pnr.go

diff --git a/container/seccomp/pnr.go b/container/seccomp/pnr.go
new file mode 100644
index 0000000..4cc7398
--- /dev/null
+++ b/container/seccomp/pnr.go
@@ -0,0 +1,267 @@ +// Code generated from include/seccomp-syscalls.h; DO NOT EDIT. + +package seccomp + +/* + * pseudo syscall definitions + */ + +const ( + + /* socket syscalls */ + + __PNR_socket = -101 + __PNR_bind = -102 + __PNR_connect = -103 + __PNR_listen = -104 + __PNR_accept = -105 + __PNR_getsockname = -106 + __PNR_getpeername = -107 + __PNR_socketpair = -108 + __PNR_send = -109 + __PNR_recv = -110 + __PNR_sendto = -111 + __PNR_recvfrom = -112 + __PNR_shutdown = -113 + __PNR_setsockopt = -114 + __PNR_getsockopt = -115 + __PNR_sendmsg = -116 + __PNR_recvmsg = -117 + __PNR_accept4 = -118 + __PNR_recvmmsg = -119 + __PNR_sendmmsg = -120 + + /* ipc syscalls */ + + __PNR_semop = -201 + __PNR_semget = -202 + __PNR_semctl = -203 + __PNR_semtimedop = -204 + __PNR_msgsnd = -211 + __PNR_msgrcv = -212 + __PNR_msgget = -213 + __PNR_msgctl = -214 + __PNR_shmat = -221 + __PNR_shmdt = -222 + __PNR_shmget = -223 + __PNR_shmctl = -224 + + /* single syscalls */ + + __PNR_arch_prctl = -10001 + __PNR_bdflush = -10002 + __PNR_break = -10003 + __PNR_chown32 = -10004 + __PNR_epoll_ctl_old = -10005 + __PNR_epoll_wait_old = -10006 + __PNR_fadvise64_64 = -10007 + __PNR_fchown32 = -10008 + __PNR_fcntl64 = -10009 + __PNR_fstat64 = -10010 + __PNR_fstatat64 = -10011 + __PNR_fstatfs64 = -10012 + __PNR_ftime = -10013 + __PNR_ftruncate64 = -10014 + __PNR_getegid32 = -10015 + __PNR_geteuid32 = -10016 + __PNR_getgid32 = -10017 + __PNR_getgroups32 = -10018 + __PNR_getresgid32 = -10019 + __PNR_getresuid32 = -10020 + __PNR_getuid32 = -10021 + __PNR_gtty = -10022 + __PNR_idle = -10023 + __PNR_ipc = -10024 + __PNR_lchown32 = -10025 + __PNR__llseek = -10026 + __PNR_lock = -10027 + __PNR_lstat64 = -10028 + __PNR_mmap2 = -10029 + __PNR_mpx = -10030 + __PNR_newfstatat = -10031 + __PNR__newselect = -10032 + __PNR_nice = -10033 + __PNR_oldfstat = -10034 + __PNR_oldlstat = -10035 + __PNR_oldolduname = -10036 + __PNR_oldstat = -10037 + __PNR_olduname = -10038 + __PNR_prof = -10039 + __PNR_profil = 
-10040 + __PNR_readdir = -10041 + __PNR_security = -10042 + __PNR_sendfile64 = -10043 + __PNR_setfsgid32 = -10044 + __PNR_setfsuid32 = -10045 + __PNR_setgid32 = -10046 + __PNR_setgroups32 = -10047 + __PNR_setregid32 = -10048 + __PNR_setresgid32 = -10049 + __PNR_setresuid32 = -10050 + __PNR_setreuid32 = -10051 + __PNR_setuid32 = -10052 + __PNR_sgetmask = -10053 + __PNR_sigaction = -10054 + __PNR_signal = -10055 + __PNR_sigpending = -10056 + __PNR_sigprocmask = -10057 + __PNR_sigreturn = -10058 + __PNR_sigsuspend = -10059 + __PNR_socketcall = -10060 + __PNR_ssetmask = -10061 + __PNR_stat64 = -10062 + __PNR_statfs64 = -10063 + __PNR_stime = -10064 + __PNR_stty = -10065 + __PNR_truncate64 = -10066 + __PNR_tuxcall = -10067 + __PNR_ugetrlimit = -10068 + __PNR_ulimit = -10069 + __PNR_umount = -10070 + __PNR_vm86 = -10071 + __PNR_vm86old = -10072 + __PNR_waitpid = -10073 + __PNR_create_module = -10074 + __PNR_get_kernel_syms = -10075 + __PNR_get_thread_area = -10076 + __PNR_nfsservctl = -10077 + __PNR_query_module = -10078 + __PNR_set_thread_area = -10079 + __PNR__sysctl = -10080 + __PNR_uselib = -10081 + __PNR_vserver = -10082 + __PNR_arm_fadvise64_64 = -10083 + __PNR_arm_sync_file_range = -10084 + __PNR_pciconfig_iobase = -10086 + __PNR_pciconfig_read = -10087 + __PNR_pciconfig_write = -10088 + __PNR_sync_file_range2 = -10089 + __PNR_syscall = -10090 + __PNR_afs_syscall = -10091 + __PNR_fadvise64 = -10092 + __PNR_getpmsg = -10093 + __PNR_ioperm = -10094 + __PNR_iopl = -10095 + __PNR_migrate_pages = -10097 + __PNR_modify_ldt = -10098 + __PNR_putpmsg = -10099 + __PNR_sync_file_range = -10100 + __PNR_select = -10101 + __PNR_vfork = -10102 + __PNR_cachectl = -10103 + __PNR_cacheflush = -10104 + __PNR_sysmips = -10106 + __PNR_timerfd = -10107 + __PNR_time = -10108 + __PNR_getrandom = -10109 + __PNR_memfd_create = -10110 + __PNR_kexec_file_load = -10111 + __PNR_sysfs = -10145 + __PNR_oldwait4 = -10146 + __PNR_access = -10147 + __PNR_alarm = -10148 + __PNR_chmod = -10149 + 
__PNR_chown = -10150 + __PNR_creat = -10151 + __PNR_dup2 = -10152 + __PNR_epoll_create = -10153 + __PNR_epoll_wait = -10154 + __PNR_eventfd = -10155 + __PNR_fork = -10156 + __PNR_futimesat = -10157 + __PNR_getdents = -10158 + __PNR_getpgrp = -10159 + __PNR_inotify_init = -10160 + __PNR_lchown = -10161 + __PNR_link = -10162 + __PNR_lstat = -10163 + __PNR_mkdir = -10164 + __PNR_mknod = -10165 + __PNR_open = -10166 + __PNR_pause = -10167 + __PNR_pipe = -10168 + __PNR_poll = -10169 + __PNR_readlink = -10170 + __PNR_rename = -10171 + __PNR_rmdir = -10172 + __PNR_signalfd = -10173 + __PNR_stat = -10174 + __PNR_symlink = -10175 + __PNR_unlink = -10176 + __PNR_ustat = -10177 + __PNR_utime = -10178 + __PNR_utimes = -10179 + __PNR_getrlimit = -10180 + __PNR_mmap = -10181 + __PNR_breakpoint = -10182 + __PNR_set_tls = -10183 + __PNR_usr26 = -10184 + __PNR_usr32 = -10185 + __PNR_multiplexer = -10186 + __PNR_rtas = -10187 + __PNR_spu_create = -10188 + __PNR_spu_run = -10189 + __PNR_swapcontext = -10190 + __PNR_sys_debug_setcontext = -10191 + __PNR_switch_endian = -10191 + __PNR_get_mempolicy = -10192 + __PNR_move_pages = -10193 + __PNR_mbind = -10194 + __PNR_set_mempolicy = -10195 + __PNR_s390_runtime_instr = -10196 + __PNR_s390_pci_mmio_read = -10197 + __PNR_s390_pci_mmio_write = -10198 + __PNR_membarrier = -10199 + __PNR_userfaultfd = -10200 + __PNR_pkey_mprotect = -10201 + __PNR_pkey_alloc = -10202 + __PNR_pkey_free = -10203 + __PNR_get_tls = -10204 + __PNR_s390_guarded_storage = -10205 + __PNR_s390_sthyi = -10206 + __PNR_subpage_prot = -10207 + __PNR_statx = -10208 + __PNR_io_pgetevents = -10209 + __PNR_rseq = -10210 + __PNR_setrlimit = -10211 + __PNR_clock_adjtime64 = -10212 + __PNR_clock_getres_time64 = -10213 + __PNR_clock_gettime64 = -10214 + __PNR_clock_nanosleep_time64 = -10215 + __PNR_clock_settime64 = -10216 + __PNR_clone3 = -10217 + __PNR_fsconfig = -10218 + __PNR_fsmount = -10219 + __PNR_fsopen = -10220 + __PNR_fspick = -10221 + __PNR_futex_time64 = -10222 + 
__PNR_io_pgetevents_time64 = -10223 + __PNR_move_mount = -10224 + __PNR_mq_timedreceive_time64 = -10225 + __PNR_mq_timedsend_time64 = -10226 + __PNR_open_tree = -10227 + __PNR_pidfd_open = -10228 + __PNR_pidfd_send_signal = -10229 + __PNR_ppoll_time64 = -10230 + __PNR_pselect6_time64 = -10231 + __PNR_recvmmsg_time64 = -10232 + __PNR_rt_sigtimedwait_time64 = -10233 + __PNR_sched_rr_get_interval_time64 = -10234 + __PNR_semtimedop_time64 = -10235 + __PNR_timer_gettime64 = -10236 + __PNR_timer_settime64 = -10237 + __PNR_timerfd_gettime64 = -10238 + __PNR_timerfd_settime64 = -10239 + __PNR_utimensat_time64 = -10240 + __PNR_ppoll = -10241 + __PNR_renameat = -10242 + __PNR_riscv_flush_icache = -10243 + __PNR_memfd_secret = -10244 + __PNR_map_shadow_stack = -10245 + __PNR_fstat = -10246 + __PNR_atomic_barrier = -10247 + __PNR_atomic_cmpxchg_32 = -10248 + __PNR_getpagesize = -10249 + __PNR_riscv_hwprobe = -10250 + __PNR_uretprobe = -10251 +)
diff --git a/container/seccomp/syscall_extra_linux_amd64.go b/container/seccomp/syscall_extra_linux_amd64.go
index 75e84b6..8b78989 100644
--- a/container/seccomp/syscall_extra_linux_amd64.go
+++ b/container/seccomp/syscall_extra_linux_amd64.go
@@ -1,12 +1,5 @@
 package seccomp
 
-/*
-#cgo linux pkg-config: --static libseccomp
-
-#include
-*/
-import "C"
-
 var syscallNumExtra = map[string]int{
 "umount": SYS_UMOUNT,
 "subpage_prot": SYS_SUBPAGE_PROT,
@@ -28,21 +21,21 @@ var syscallNumExtra = map[string]int{
 }
 
 const (
- SYS_UMOUNT = C.__SNR_umount
- SYS_SUBPAGE_PROT = C.__SNR_subpage_prot
- SYS_SWITCH_ENDIAN = C.__SNR_switch_endian
- SYS_VM86 = C.__SNR_vm86
- SYS_VM86OLD = C.__SNR_vm86old
- SYS_CLOCK_ADJTIME64 = C.__SNR_clock_adjtime64
- SYS_CLOCK_SETTIME64 = C.__SNR_clock_settime64
- SYS_CHOWN32 = C.__SNR_chown32
- SYS_FCHOWN32 = C.__SNR_fchown32
- SYS_LCHOWN32 = C.__SNR_lchown32
- SYS_SETGID32 = C.__SNR_setgid32
- SYS_SETGROUPS32 = C.__SNR_setgroups32
- SYS_SETREGID32 = C.__SNR_setregid32
- SYS_SETRESGID32 = C.__SNR_setresgid32
- SYS_SETRESUID32 = C.__SNR_setresuid32
- SYS_SETREUID32 = C.__SNR_setreuid32
- SYS_SETUID32 = C.__SNR_setuid32
+ SYS_UMOUNT = __PNR_umount
+ SYS_SUBPAGE_PROT = __PNR_subpage_prot
+ SYS_SWITCH_ENDIAN = __PNR_switch_endian
+ SYS_VM86 = __PNR_vm86
+ SYS_VM86OLD = __PNR_vm86old
+ SYS_CLOCK_ADJTIME64 = __PNR_clock_adjtime64
+ SYS_CLOCK_SETTIME64 = __PNR_clock_settime64
+ SYS_CHOWN32 = __PNR_chown32
+ SYS_FCHOWN32 = __PNR_fchown32
+ SYS_LCHOWN32 = __PNR_lchown32
+ SYS_SETGID32 = __PNR_setgid32
+ SYS_SETGROUPS32 = __PNR_setgroups32
+ SYS_SETREGID32 = __PNR_setregid32
+ SYS_SETRESGID32 = __PNR_setresgid32
+ SYS_SETRESUID32 = __PNR_setresuid32
+ SYS_SETREUID32 = __PNR_setreuid32
+ SYS_SETUID32 = __PNR_setuid32
 )
diff --git a/container/seccomp/syscall_extra_linux_arm64.go b/container/seccomp/syscall_extra_linux_arm64.go
index 65ea954..62d8ff1 100644
--- a/container/seccomp/syscall_extra_linux_arm64.go
+++ b/container/seccomp/syscall_extra_linux_arm64.go
@@ -1,11 +1,5 @@
 package seccomp
 
-/*
-#cgo linux pkg-config: --static libseccomp
-
-#include
-*/
-import "C"
 import "syscall"
 
 const (
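Review bot: Replacing `C.__SNR_umount` and the other `C.__SNR_*` constants with `__PNR_*` changes what the values mean: as I read libseccomp's seccomp-syscalls.h, `__SNR_x` resolves to the real `__NR_x` when the target architecture has the syscall and only falls back to the pseudo number when it does not, so this hunk now hard-codes the assumption that none of these 17 syscalls exist on linux/amd64 (the arm64 hunk below makes the same assumption for its 21 entries, including `chown`, `lchown`, `uselib` and `modify_ldt`). That assumption looks right for the legacy and 32-bit-only names listed, but nothing in the code records it, and `syscallNumExtra` would carry a negative pseudo number into whatever consumes it if the list is ever extended with a name that does have a native number on the arch. I would add a comment above the const block: `// Every syscall here has no __NR_ definition on this arch, so libseccomp's __SNR_ would resolve to the same __PNR_ pseudo number; do not add names that exist natively on linux/amd64.` A unit test that fails if any `syscallNumExtra` value is non-negative would keep that invariant visible. Separately, `SYS_SWITCH_ENDIAN` inherits the value -10191 that pnr.go also assigns to `__PNR_sys_debug_setcontext`, so any consumer that maps numbers back to names would see a collision between the two.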
@@ -37,25 +31,25 @@ var syscallNumExtra = map[string]int{
 }
 
 const (
- SYS_USELIB = C.__SNR_uselib
- SYS_CLOCK_ADJTIME64 = C.__SNR_clock_adjtime64
- SYS_CLOCK_SETTIME64 = C.__SNR_clock_settime64
- SYS_UMOUNT = C.__SNR_umount
- SYS_CHOWN = C.__SNR_chown
- SYS_CHOWN32 = C.__SNR_chown32
- SYS_FCHOWN32 = C.__SNR_fchown32
- SYS_LCHOWN = C.__SNR_lchown
- SYS_LCHOWN32 = C.__SNR_lchown32
- SYS_SETGID32 = C.__SNR_setgid32
- SYS_SETGROUPS32 = C.__SNR_setgroups32
- SYS_SETREGID32 = C.__SNR_setregid32
- SYS_SETRESGID32 = C.__SNR_setresgid32
- SYS_SETRESUID32 = C.__SNR_setresuid32
- SYS_SETREUID32 = C.__SNR_setreuid32
- SYS_SETUID32 = C.__SNR_setuid32
- SYS_MODIFY_LDT = C.__SNR_modify_ldt
- SYS_SUBPAGE_PROT = C.__SNR_subpage_prot
- SYS_SWITCH_ENDIAN = C.__SNR_switch_endian
- SYS_VM86 = C.__SNR_vm86
- SYS_VM86OLD = C.__SNR_vm86old
+ SYS_USELIB = __PNR_uselib
+ SYS_CLOCK_ADJTIME64 = __PNR_clock_adjtime64
+ SYS_CLOCK_SETTIME64 = __PNR_clock_settime64
+ SYS_UMOUNT = __PNR_umount
+ SYS_CHOWN = __PNR_chown
+ SYS_CHOWN32 = __PNR_chown32
+ SYS_FCHOWN32 = __PNR_fchown32
+ SYS_LCHOWN = __PNR_lchown
+ SYS_LCHOWN32 = __PNR_lchown32
+ SYS_SETGID32 = __PNR_setgid32
+ SYS_SETGROUPS32 = __PNR_setgroups32
+ SYS_SETREGID32 = __PNR_setregid32
+ SYS_SETRESGID32 = __PNR_setresgid32
+ SYS_SETRESUID32 = __PNR_setresuid32
+ SYS_SETREUID32 = __PNR_setreuid32
+ SYS_SETUID32 = __PNR_setuid32
+ SYS_MODIFY_LDT = __PNR_modify_ldt
+ SYS_SUBPAGE_PROT = __PNR_subpage_prot
+ SYS_SWITCH_ENDIAN = __PNR_switch_endian
+ SYS_VM86 = __PNR_vm86
+ SYS_VM86OLD = __PNR_vm86old
 )