diff --git a/container/seccomp/presets.go b/container/seccomp/presets.go
index b03907f..f329759 100644
--- a/container/seccomp/presets.go
+++ b/container/seccomp/presets.go
@@ -68,121 +68,121 @@ func Preset(presets FilterPreset, flags ExportFlag) (rules []NativeRule) { var ( presetCommon = []NativeRule{ /* Block dmesg */ - {SNR_SYSLOG, ScmpErrno(EPERM), nil}, + {Syscall: SNR_SYSLOG, Errno: ScmpErrno(EPERM), Arg: nil}, /* Useless old syscall */ - {SNR_USELIB, ScmpErrno(EPERM), nil}, + {Syscall: SNR_USELIB, Errno: ScmpErrno(EPERM), Arg: nil}, /* Don't allow disabling accounting */ - {SNR_ACCT, ScmpErrno(EPERM), nil}, + {Syscall: SNR_ACCT, Errno: ScmpErrno(EPERM), Arg: nil}, /* Don't allow reading current quota use */ - {SNR_QUOTACTL, ScmpErrno(EPERM), nil}, + {Syscall: SNR_QUOTACTL, Errno: ScmpErrno(EPERM), Arg: nil}, /* Don't allow access to the kernel keyring */ - {SNR_ADD_KEY, ScmpErrno(EPERM), nil}, - {SNR_KEYCTL, ScmpErrno(EPERM), nil}, - {SNR_REQUEST_KEY, ScmpErrno(EPERM), nil}, + {Syscall: SNR_ADD_KEY, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_KEYCTL, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_REQUEST_KEY, Errno: ScmpErrno(EPERM), Arg: nil}, /* Scary VM/NUMA ops */ - {SNR_MOVE_PAGES, ScmpErrno(EPERM), nil}, - {SNR_MBIND, ScmpErrno(EPERM), nil}, - {SNR_GET_MEMPOLICY, ScmpErrno(EPERM), nil}, - {SNR_SET_MEMPOLICY, ScmpErrno(EPERM), nil}, - {SNR_MIGRATE_PAGES, ScmpErrno(EPERM), nil}, + {Syscall: SNR_MOVE_PAGES, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_MBIND, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_GET_MEMPOLICY, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_SET_MEMPOLICY, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_MIGRATE_PAGES, Errno: ScmpErrno(EPERM), Arg: nil}, } /* hakurei: project-specific extensions */ presetCommonExt = []NativeRule{ /* system calls for changing the system clock */ - {SNR_ADJTIMEX, ScmpErrno(EPERM), nil}, - {SNR_CLOCK_ADJTIME, ScmpErrno(EPERM), nil}, - {SNR_CLOCK_ADJTIME64, ScmpErrno(EPERM), nil}, - {SNR_CLOCK_SETTIME, ScmpErrno(EPERM), nil}, - {SNR_CLOCK_SETTIME64, ScmpErrno(EPERM), nil}, - {SNR_SETTIMEOFDAY, ScmpErrno(EPERM), nil}, + {Syscall: 
SNR_ADJTIMEX, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_CLOCK_ADJTIME, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_CLOCK_ADJTIME64, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_CLOCK_SETTIME, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_CLOCK_SETTIME64, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_SETTIMEOFDAY, Errno: ScmpErrno(EPERM), Arg: nil}, /* loading and unloading of kernel modules */ - {SNR_DELETE_MODULE, ScmpErrno(EPERM), nil}, - {SNR_FINIT_MODULE, ScmpErrno(EPERM), nil}, - {SNR_INIT_MODULE, ScmpErrno(EPERM), nil}, + {Syscall: SNR_DELETE_MODULE, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_FINIT_MODULE, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_INIT_MODULE, Errno: ScmpErrno(EPERM), Arg: nil}, /* system calls for rebooting and reboot preparation */ - {SNR_KEXEC_FILE_LOAD, ScmpErrno(EPERM), nil}, - {SNR_KEXEC_LOAD, ScmpErrno(EPERM), nil}, - {SNR_REBOOT, ScmpErrno(EPERM), nil}, + {Syscall: SNR_KEXEC_FILE_LOAD, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_KEXEC_LOAD, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_REBOOT, Errno: ScmpErrno(EPERM), Arg: nil}, /* system calls for enabling/disabling swap devices */ - {SNR_SWAPOFF, ScmpErrno(EPERM), nil}, - {SNR_SWAPON, ScmpErrno(EPERM), nil}, + {Syscall: SNR_SWAPOFF, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_SWAPON, Errno: ScmpErrno(EPERM), Arg: nil}, } presetNamespace = []NativeRule{ /* Don't allow subnamespace setups: */ - {SNR_UNSHARE, ScmpErrno(EPERM), nil}, - {SNR_SETNS, ScmpErrno(EPERM), nil}, - {SNR_MOUNT, ScmpErrno(EPERM), nil}, - {SNR_UMOUNT, ScmpErrno(EPERM), nil}, - {SNR_UMOUNT2, ScmpErrno(EPERM), nil}, - {SNR_PIVOT_ROOT, ScmpErrno(EPERM), nil}, - {SNR_CHROOT, ScmpErrno(EPERM), nil}, - {SNR_CLONE, ScmpErrno(EPERM), - &ScmpArgCmp{cloneArg, SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER}}, + {Syscall: SNR_UNSHARE, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_SETNS, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: 
SNR_MOUNT, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_UMOUNT, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_UMOUNT2, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_PIVOT_ROOT, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_CHROOT, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_CLONE, Errno: ScmpErrno(EPERM), + Arg: &ScmpArgCmp{Arg: cloneArg, Op: SCMP_CMP_MASKED_EQ, DatumA: CLONE_NEWUSER, DatumB: CLONE_NEWUSER}}, /* seccomp can't look into clone3()'s struct clone_args to check whether * the flags are OK, so we have no choice but to block clone3(). * Return ENOSYS so user-space will fall back to clone(). * (CVE-2021-41133; see also https://github.com/moby/moby/commit/9f6b562d) */ - {SNR_CLONE3, ScmpErrno(ENOSYS), nil}, + {Syscall: SNR_CLONE3, Errno: ScmpErrno(ENOSYS), Arg: nil}, /* New mount manipulation APIs can also change our VFS. There's no * legitimate reason to do these in the sandbox, so block all of them * rather than thinking about which ones might be dangerous. 
* (CVE-2021-41133) */ - {SNR_OPEN_TREE, ScmpErrno(ENOSYS), nil}, - {SNR_MOVE_MOUNT, ScmpErrno(ENOSYS), nil}, - {SNR_FSOPEN, ScmpErrno(ENOSYS), nil}, - {SNR_FSCONFIG, ScmpErrno(ENOSYS), nil}, - {SNR_FSMOUNT, ScmpErrno(ENOSYS), nil}, - {SNR_FSPICK, ScmpErrno(ENOSYS), nil}, - {SNR_MOUNT_SETATTR, ScmpErrno(ENOSYS), nil}, + {Syscall: SNR_OPEN_TREE, Errno: ScmpErrno(ENOSYS), Arg: nil}, + {Syscall: SNR_MOVE_MOUNT, Errno: ScmpErrno(ENOSYS), Arg: nil}, + {Syscall: SNR_FSOPEN, Errno: ScmpErrno(ENOSYS), Arg: nil}, + {Syscall: SNR_FSCONFIG, Errno: ScmpErrno(ENOSYS), Arg: nil}, + {Syscall: SNR_FSMOUNT, Errno: ScmpErrno(ENOSYS), Arg: nil}, + {Syscall: SNR_FSPICK, Errno: ScmpErrno(ENOSYS), Arg: nil}, + {Syscall: SNR_MOUNT_SETATTR, Errno: ScmpErrno(ENOSYS), Arg: nil}, } /* hakurei: project-specific extensions */ presetNamespaceExt = []NativeRule{ /* changing file ownership */ - {SNR_CHOWN, ScmpErrno(EPERM), nil}, - {SNR_CHOWN32, ScmpErrno(EPERM), nil}, - {SNR_FCHOWN, ScmpErrno(EPERM), nil}, - {SNR_FCHOWN32, ScmpErrno(EPERM), nil}, - {SNR_FCHOWNAT, ScmpErrno(EPERM), nil}, - {SNR_LCHOWN, ScmpErrno(EPERM), nil}, - {SNR_LCHOWN32, ScmpErrno(EPERM), nil}, + {Syscall: SNR_CHOWN, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_CHOWN32, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_FCHOWN, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_FCHOWN32, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_FCHOWNAT, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_LCHOWN, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_LCHOWN32, Errno: ScmpErrno(EPERM), Arg: nil}, /* system calls for changing user ID and group ID credentials */ - {SNR_SETGID, ScmpErrno(EPERM), nil}, - {SNR_SETGID32, ScmpErrno(EPERM), nil}, - {SNR_SETGROUPS, ScmpErrno(EPERM), nil}, - {SNR_SETGROUPS32, ScmpErrno(EPERM), nil}, - {SNR_SETREGID, ScmpErrno(EPERM), nil}, - {SNR_SETREGID32, ScmpErrno(EPERM), nil}, - {SNR_SETRESGID, ScmpErrno(EPERM), nil}, - {SNR_SETRESGID32, ScmpErrno(EPERM), nil}, - {SNR_SETRESUID, 
ScmpErrno(EPERM), nil}, - {SNR_SETRESUID32, ScmpErrno(EPERM), nil}, - {SNR_SETREUID, ScmpErrno(EPERM), nil}, - {SNR_SETREUID32, ScmpErrno(EPERM), nil}, - {SNR_SETUID, ScmpErrno(EPERM), nil}, - {SNR_SETUID32, ScmpErrno(EPERM), nil}, + {Syscall: SNR_SETGID, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_SETGID32, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_SETGROUPS, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_SETGROUPS32, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_SETREGID, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_SETREGID32, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_SETRESGID, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_SETRESGID32, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_SETRESUID, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_SETRESUID32, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_SETREUID, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_SETREUID32, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_SETUID, Errno: ScmpErrno(EPERM), Arg: nil}, + {Syscall: SNR_SETUID32, Errno: ScmpErrno(EPERM), Arg: nil}, } presetTTY = []NativeRule{ /* Don't allow faking input to the controlling tty (CVE-2017-5226) */ - {SNR_IOCTL, ScmpErrno(EPERM), - &ScmpArgCmp{1, SCMP_CMP_MASKED_EQ, 0xFFFFFFFF, TIOCSTI}}, + {Syscall: SNR_IOCTL, Errno: ScmpErrno(EPERM), + Arg: &ScmpArgCmp{Arg: 1, Op: SCMP_CMP_MASKED_EQ, DatumA: 0xFFFFFFFF, DatumB: TIOCSTI}}, /* In the unlikely event that the controlling tty is a Linux virtual * console (/dev/tty2 or similar), copy/paste operations have an effect * similar to TIOCSTI (CVE-2023-28100) */ - {SNR_IOCTL, ScmpErrno(EPERM), - &ScmpArgCmp{1, SCMP_CMP_MASKED_EQ, 0xFFFFFFFF, TIOCLINUX}}, + {Syscall: SNR_IOCTL, Errno: ScmpErrno(EPERM), + Arg: &ScmpArgCmp{Arg: 1, Op: SCMP_CMP_MASKED_EQ, DatumA: 0xFFFFFFFF, DatumB: TIOCLINUX}}, } presetEmu = []NativeRule{ 
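Review bot: With keyed literals, the `Arg: nil` written on every argument-less rule is just the field's zero value and could be dropped, which would make the three rules that actually carry an argument filter (SNR_CLONE and the two SNR_IOCTL entries) stand out; the same applies to the rules in the two later hunks. The SNR_IOCTL rules compare argument 1 under a 0xFFFFFFFF mask against TIOCSTI and TIOCLINUX, and nothing in the hunk says why the mask is there; a comment such as `/* compare only the low 32 bits of the request so the match does not depend on how the ioctl number is widened to unsigned long */` would record the intent, assuming that is the reason (verify against the rule set these presets were ported from). Because these presets are the sandbox's deny-list, a table-driven test asserting each preset's expected (Syscall, Errno) pairs and the two masked comparisons would catch a mis-keyed entry after future edits. The enclosing `var (` block continues past this hunk.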
@@ -190,15 +190,15 @@ var ( * so it's disabled as a hardening measure. * However, it is required to run old 16-bit applications * as well as some Wine patches, so it's allowed in multiarch. */ - {SNR_MODIFY_LDT, ScmpErrno(EPERM), nil}, + {Syscall: SNR_MODIFY_LDT, Errno: ScmpErrno(EPERM), Arg: nil}, } /* hakurei: project-specific extensions */ presetEmuExt = []NativeRule{ - {SNR_SUBPAGE_PROT, ScmpErrno(ENOSYS), nil}, - {SNR_SWITCH_ENDIAN, ScmpErrno(ENOSYS), nil}, - {SNR_VM86, ScmpErrno(ENOSYS), nil}, - {SNR_VM86OLD, ScmpErrno(ENOSYS), nil}, + {Syscall: SNR_SUBPAGE_PROT, Errno: ScmpErrno(ENOSYS), Arg: nil}, + {Syscall: SNR_SWITCH_ENDIAN, Errno: ScmpErrno(ENOSYS), Arg: nil}, + {Syscall: SNR_VM86, Errno: ScmpErrno(ENOSYS), Arg: nil}, + {Syscall: SNR_VM86OLD, Errno: ScmpErrno(ENOSYS), Arg: nil}, } ) @@ -206,11 +206,11 @@ func presetDevel(allowedPersonality ScmpDatum) []NativeRule { return []NativeRule{ /* Profiling operations; we expect these to be done by tools from outside * the sandbox. In particular perf has been the source of many CVEs. */ - {SNR_PERF_EVENT_OPEN, ScmpErrno(EPERM), nil}, + {Syscall: SNR_PERF_EVENT_OPEN, Errno: ScmpErrno(EPERM), Arg: nil}, /* Don't allow you to switch to bsd emulation or whatnot */ - {SNR_PERSONALITY, ScmpErrno(EPERM), - &ScmpArgCmp{0, SCMP_CMP_NE, allowedPersonality, 0}}, + {Syscall: SNR_PERSONALITY, Errno: ScmpErrno(EPERM), + Arg: &ScmpArgCmp{Arg: 0, Op: SCMP_CMP_NE, DatumA: allowedPersonality}}, - {SNR_PTRACE, ScmpErrno(EPERM), nil}, + {Syscall: SNR_PTRACE, Errno: ScmpErrno(EPERM), Arg: nil}, } }
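Review bot: presetEmuExt is the only rule group in these hunks without a comment saying what it blocks or why its four entries return ENOSYS where the neighbouring SNR_MODIFY_LDT returns EPERM; a short group comment in the style of the other presets, stating the intent of denying SUBPAGE_PROT, SWITCH_ENDIAN, VM86 and VM86OLD and the reason for choosing ENOSYS over EPERM, would bring it in line with the rest of the file. The `var (` block this hunk closes begins outside the hunk.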
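Review bot: The SNR_PERSONALITY rule drops `DatumB` from its ScmpArgCmp while every other rule in the commit spells out zero-valued fields (`Arg: nil`); since SCMP_CMP_NE compares against DatumA only, the omission is equivalent to the old `0`, but either keep `DatumB: 0` here for consistency or omit zero values everywhere. A one-line comment on that rule, `/* DatumB is unused by SCMP_CMP_NE */`, would stop a reader from taking the omission for a lost operand.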