From 5853d7700ff606974fd801f143e7b9d55f3fc253 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Mon, 7 Jul 2025 14:41:47 +0900
Subject: [PATCH] container/seccomp: move bpf hashes

Filter programs are different across platforms. This representation is also much more readable.

Signed-off-by: Ophestra
---
 container/seccomp/hash_amd64_test.go | 22 ++++++++
 container/seccomp/hash_test.go | 28 ++++++++++
 container/seccomp/libseccomp_test.go | 80 +++++----------------------
 3 files changed, 63 insertions(+), 67 deletions(-)
 create mode 100644 container/seccomp/hash_amd64_test.go
 create mode 100644 container/seccomp/hash_test.go

diff --git a/container/seccomp/hash_amd64_test.go b/container/seccomp/hash_amd64_test.go
new file mode 100644
index 0000000..bc5f420
--- /dev/null
+++ b/container/seccomp/hash_amd64_test.go
@@ -0,0 +1,22 @@
+package seccomp_test
+
+import . "hakurei.app/container/seccomp"
+
+var bpfExpected = bpfLookup{
+ {AllowMultiarch | AllowCAN |
+ AllowBluetooth, PresetExt |
+ PresetDenyNS | PresetDenyTTY | PresetDenyDevel |
+ PresetLinux32}: toHash(
+ "e99dd345e195413473d3cbee07b4ed57b908bfa89ea2072fe93482847f50b5b758da17e74ca2bbc00813de49a2b9bf834c024ed48850be69b68a9a4c5f53a9db"),
+
+ {0, 0}: toHash(
+ "95ec69d017733e072160e0da80fdebecdf27ae8166f5e2a731270c98ea2d2946cb5231029063668af215879155da21aca79b070e04c0ee9acdf58f55cfa815a5"),
+ {0, PresetExt}: toHash(
+ "dc7f2e1c5e829b79ebb7efc759150f54a83a75c8df6fee4dce5dadc4736c585d4deebfeb3c7969af3a077e90b77bb4741db05d90997c8659b95891206ac9952d"),
+ {0, PresetStrict}: toHash(
+ "e880298df2bd6751d0040fc21bc0ed4c00f95dc0d7ba506c244d8b8cf6866dba8ef4a33296f287b66cccc1d78e97026597f84cc7dec1573e148960fbd35cd735"),
+ {0, PresetDenyNS | PresetDenyTTY | PresetDenyDevel}: toHash(
+ "39871b93ffafc8b979fcedc0b0c37b9e03922f5b02748dc5c3c17c92527f6e022ede1f48bff59246ea452c0d1de54827808b1a6f84f32bbde1aa02ae30eedcfa"),
+ {0, PresetExt | PresetDenyDevel}: toHash(
+ "c698b081ff957afe17a6d94374537d37f2a63f6f9dd75da7546542407a9e32476ebda3312ba7785d7f618542bcfaf27ca27dcc2dddba852069d28bcfe8cad39a"),
+}
diff --git a/container/seccomp/hash_test.go b/container/seccomp/hash_test.go
new file mode 100644
index 0000000..1d31ac0
--- /dev/null
+++ b/container/seccomp/hash_test.go
@@ -0,0 +1,28 @@
+package seccomp_test
+
+import (
+ "encoding/hex"
+
+ "hakurei.app/container/seccomp"
+)
+
+type (
+ bpfPreset = struct {
+ seccomp.ExportFlag
+ seccomp.FilterPreset
+ }
+ bpfLookup map[bpfPreset][]byte
+)
+
+func toHash(s string) []byte {
+ if len(s) != 128 {
+ panic("bad sha512 string length")
+ }
+ if v, err := hex.DecodeString(s); err != nil {
+ panic(err.Error())
+ } else if len(v) != 64 {
+ panic("unreachable")
+ } else {
+ return v
+ }
+}
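Review bot: `bpfExpected` is declared only in hash_amd64_test.go, whose `_amd64` suffix is an implicit build constraint, yet `TestExport` in libseccomp_test.go references it unconditionally, so on any other GOARCH the `seccomp_test` package stops compiling (undefined: bpfExpected) unless counterpart files exist outside this patch. Since the commit message says the filter programs differ per platform, either add the other per-arch tables now or provide a fallback in a `//go:build !amd64` file such as `var bpfExpected = bpfLookup{}`, so the test can report a missing golden hash rather than fail to build. A short comment above the table, e.g. `// bpfExpected holds SHA-512 digests of the exported BPF program per flag/preset combination on amd64; regenerate when the filter intentionally changes.`, would record what these digests guard against. The dot-import here also differs from the qualified import in hash_test.go; one style across the package keeps the fixtures readable.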
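Review bot: `toHash` hard-codes 128 and 64 where the digest size is already a named constant; `if len(s) != hex.EncodedLen(sha512.Size)` and `else if len(v) != sha512.Size` tie the fixture to the hash `TestExport` actually computes (this file would then import `crypto/sha512`). Once the length check passes the `panic("unreachable")` branch cannot trigger, so the `if`/`else if`/`else` chain can flatten to a plain `return v` after the error check. Panicking on a malformed literal is appropriate for a test fixture, but including the offending value, `panic("bad sha512 string length: " + s)`, makes a bad table entry easier to locate.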
diff --git a/container/seccomp/libseccomp_test.go b/container/seccomp/libseccomp_test.go
index 4e18934..8135b59 100644
--- a/container/seccomp/libseccomp_test.go
+++ b/container/seccomp/libseccomp_test.go
@@ -14,81 +14,27 @@ import (
 func TestExport(t *testing.T) {
 testCases := []struct {
 name string
- presets FilterPreset
 flags ExportFlag
- want []byte
+ presets FilterPreset
 wantErr bool
 }{
- {"compat", 0, 0, []byte{
- 0x95, 0xec, 0x69, 0xd0, 0x17, 0x73, 0x3e, 0x07,
- 0x21, 0x60, 0xe0, 0xda, 0x80, 0xfd, 0xeb, 0xec,
- 0xdf, 0x27, 0xae, 0x81, 0x66, 0xf5, 0xe2, 0xa7,
- 0x31, 0x27, 0x0c, 0x98, 0xea, 0x2d, 0x29, 0x46,
- 0xcb, 0x52, 0x31, 0x02, 0x90, 0x63, 0x66, 0x8a,
- 0xf2, 0x15, 0x87, 0x91, 0x55, 0xda, 0x21, 0xac,
- 0xa7, 0x9b, 0x07, 0x0e, 0x04, 0xc0, 0xee, 0x9a,
- 0xcd, 0xf5, 0x8f, 0x55, 0xcf, 0xa8, 0x15, 0xa5,
- }, false},
- {"base", PresetExt, 0, []byte{
- 0xdc, 0x7f, 0x2e, 0x1c, 0x5e, 0x82, 0x9b, 0x79,
- 0xeb, 0xb7, 0xef, 0xc7, 0x59, 0x15, 0x0f, 0x54,
- 0xa8, 0x3a, 0x75, 0xc8, 0xdf, 0x6f, 0xee, 0x4d,
- 0xce, 0x5d, 0xad, 0xc4, 0x73, 0x6c, 0x58, 0x5d,
- 0x4d, 0xee, 0xbf, 0xeb, 0x3c, 0x79, 0x69, 0xaf,
- 0x3a, 0x07, 0x7e, 0x90, 0xb7, 0x7b, 0xb4, 0x74,
- 0x1d, 0xb0, 0x5d, 0x90, 0x99, 0x7c, 0x86, 0x59,
- 0xb9, 0x58, 0x91, 0x20, 0x6a, 0xc9, 0x95, 0x2d,
- }, false},
- {"everything", PresetExt |
+ {"everything", AllowMultiarch | AllowCAN |
+ AllowBluetooth, PresetExt |
 PresetDenyNS | PresetDenyTTY | PresetDenyDevel |
- PresetLinux32, AllowMultiarch | AllowCAN |
- AllowBluetooth, []byte{
- 0xe9, 0x9d, 0xd3, 0x45, 0xe1, 0x95, 0x41, 0x34,
- 0x73, 0xd3, 0xcb, 0xee, 0x07, 0xb4, 0xed, 0x57,
- 0xb9, 0x08, 0xbf, 0xa8, 0x9e, 0xa2, 0x07, 0x2f,
- 0xe9, 0x34, 0x82, 0x84, 0x7f, 0x50, 0xb5, 0xb7,
- 0x58, 0xda, 0x17, 0xe7, 0x4c, 0xa2, 0xbb, 0xc0,
- 0x08, 0x13, 0xde, 0x49, 0xa2, 0xb9, 0xbf, 0x83,
- 0x4c, 0x02, 0x4e, 0xd4, 0x88, 0x50, 0xbe, 0x69,
- 0xb6, 0x8a, 0x9a, 0x4c, 0x5f, 0x53, 0xa9, 0xdb,
- }, false},
- {"strict", PresetStrict, 0, []byte{
- 0xe8, 0x80, 0x29, 0x8d, 0xf2, 0xbd, 0x67, 0x51,
- 0xd0, 0x04, 0x0f, 0xc2, 0x1b, 0xc0, 0xed, 0x4c,
- 0x00, 0xf9, 0x5d, 0xc0, 0xd7, 0xba, 0x50, 0x6c,
- 0x24, 0x4d, 0x8b, 0x8c, 0xf6, 0x86, 0x6d, 0xba,
- 0x8e, 0xf4, 0xa3, 0x32, 0x96, 0xf2, 0x87, 0xb6,
- 0x6c, 0xcc, 0xc1, 0xd7, 0x8e, 0x97, 0x02, 0x65,
- 0x97, 0xf8, 0x4c, 0xc7, 0xde, 0xc1, 0x57, 0x3e,
- 0x14, 0x89, 0x60, 0xfb, 0xd3, 0x5c, 0xd7, 0x35,
- }, false},
- {"strict compat", 0 |
- PresetDenyNS | PresetDenyTTY | PresetDenyDevel, 0, []byte{
- 0x39, 0x87, 0x1b, 0x93, 0xff, 0xaf, 0xc8, 0xb9,
- 0x79, 0xfc, 0xed, 0xc0, 0xb0, 0xc3, 0x7b, 0x9e,
- 0x03, 0x92, 0x2f, 0x5b, 0x02, 0x74, 0x8d, 0xc5,
- 0xc3, 0xc1, 0x7c, 0x92, 0x52, 0x7f, 0x6e, 0x02,
- 0x2e, 0xde, 0x1f, 0x48, 0xbf, 0xf5, 0x92, 0x46,
- 0xea, 0x45, 0x2c, 0x0d, 0x1d, 0xe5, 0x48, 0x27,
- 0x80, 0x8b, 0x1a, 0x6f, 0x84, 0xf3, 0x2b, 0xbd,
- 0xe1, 0xaa, 0x02, 0xae, 0x30, 0xee, 0xdc, 0xfa,
- }, false},
- {"hakurei default", PresetExt | PresetDenyDevel, 0, []byte{
- 0xc6, 0x98, 0xb0, 0x81, 0xff, 0x95, 0x7a, 0xfe,
- 0x17, 0xa6, 0xd9, 0x43, 0x74, 0x53, 0x7d, 0x37,
- 0xf2, 0xa6, 0x3f, 0x6f, 0x9d, 0xd7, 0x5d, 0xa7,
- 0x54, 0x65, 0x42, 0x40, 0x7a, 0x9e, 0x32, 0x47,
- 0x6e, 0xbd, 0xa3, 0x31, 0x2b, 0xa7, 0x78, 0x5d,
- 0x7f, 0x61, 0x85, 0x42, 0xbc, 0xfa, 0xf2, 0x7c,
- 0xa2, 0x7d, 0xcc, 0x2d, 0xdd, 0xba, 0x85, 0x20,
- 0x69, 0xd2, 0x8b, 0xcf, 0xe8, 0xca, 0xd3, 0x9a,
- }, false},
+ PresetLinux32, false},
+
+ {"compat", 0, 0, false},
+ {"base", 0, PresetExt, false},
+ {"strict", 0, PresetStrict, false},
+ {"strict compat", 0, PresetDenyNS | PresetDenyTTY | PresetDenyDevel, false},
+ {"hakurei default", 0, PresetExt | PresetDenyDevel, false},
 }
 buf := make([]byte, 8)
 for _, tc := range testCases {
 t.Run(tc.name, func(t *testing.T) {
 e := New(Preset(tc.presets, tc.flags), tc.flags)
+ want := bpfExpected[bpfPreset{tc.flags, tc.presets}]
 digest := sha512.New()
 if _, err := io.CopyBuffer(digest, e, buf); (err != nil) != tc.wantErr {
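Review bot: The lookup `want := bpfExpected[bpfPreset{tc.flags, tc.presets}]` silently yields nil when the table has no entry for a case, so a missing golden hash shows up later as `Export() hash = …, want ` with an empty expectation instead of as what it is; use the two-value form and fail early, `want, ok := bpfExpected[bpfPreset{tc.flags, tc.presets}]` followed by `if !ok { t.Fatalf("no expected hash for %q on this GOARCH", tc.name) }`. This matters here because the expected table lives in an arch-suffixed file while this test file has no build constraint, so the key can legitimately be absent on other platforms. `TestExport` continues past the end of this hunk; the comparison that consumes `want` is in the next one.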
@@ -98,9 +44,9 @@ func TestExport(t *testing.T) {
 if err := e.Close(); err != nil {
 t.Errorf("Close: error = %v", err)
 }
- if got := digest.Sum(nil); !slices.Equal(got, tc.want) {
+ if got := digest.Sum(nil); !slices.Equal(got, want) {
 t.Fatalf("Export() hash = %x, want %x",
- got, tc.want)
+ got, want)
 return
 }
 })