diff --git a/container/seccomp/libseccomp.go b/container/seccomp/libseccomp.go index 345586b..c355029 100644 --- a/container/seccomp/libseccomp.go +++ b/container/seccomp/libseccomp.go @@ -54,10 +54,19 @@ func (e *LibraryError) Is(err error) bool { } type ( + // scmpUint is equivalent to [ScmpUint]. + scmpUint = C.uint + // ScmpUint is equivalent to C.uint. + ScmpUint uint32 + // scmpInt is equivalent to [ScmpInt]. + scmpInt = C.int + // ScmpInt is equivalent to C.int. + ScmpInt int32 + // ScmpSyscall represents a syscall number passed to libseccomp via [NativeRule.Syscall]. - ScmpSyscall C.int + ScmpSyscall ScmpInt // ScmpErrno represents an errno value passed to libseccomp via [NativeRule.Errno]. - ScmpErrno C.int + ScmpErrno ScmpInt // A NativeRule specifies an arch-specific action taken by seccomp under certain conditions. NativeRule struct { @@ -182,9 +191,12 @@ func Export(rules []NativeRule, flags ExportFlag) (data []byte, err error) { // Errors returned by libseccomp is wrapped in [LibraryError]. func Load(rules []NativeRule, flags ExportFlag) error { return makeFilter(rules, flags, nil) } -// ScmpCompare is the equivalent of scmp_compare; -// Comparison operators -type ScmpCompare = C.enum_scmp_compare +type ( + // Comparison operators. + scmpCompare = C.enum_scmp_compare + // ScmpCompare is equivalent to enum scmp_compare; + ScmpCompare ScmpUint +) const ( _SCMP_CMP_MIN = C._SCMP_CMP_MIN @@ -210,17 +222,15 @@ const ( type ( // Argument datum. scmpDatum = C.scmp_datum_t - // ScmpDatum is equivalent to scmp_datum_t. ScmpDatum uint64 // Argument / Value comparison definition. scmpArgCmp = C.struct_scmp_arg_cmp - // ScmpArgCmp is equivalent to struct scmp_arg_cmp. ScmpArgCmp struct { // argument number, starting at 0 - Arg C.uint + Arg ScmpUint // the comparison op, e.g. SCMP_CMP_* Op ScmpCompare diff --git a/container/seccomp/syscall_test.go b/container/seccomp/syscall_test.go index 151f632..98076cf 100644 --- a/container/seccomp/syscall_test.go 
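Review bot: The new doc line `// ScmpCompare is equivalent to enum scmp_compare;` in the second hunk keeps the trailing semicolon of the removed comment and does not say what actually changed: ScmpCompare is now a distinct Go type (`ScmpUint`) rather than an alias of the cgo enum, so a value must be converted with `scmpCompare(op)` before it reaches libseccomp, and any SCMP_CMP_* constant declared from a `C.` value (the `const (` block starts here and continues past the hunk, so I am inferring its shape) may need an explicit `ScmpCompare(...)` conversion to be assignable. I would write `// ScmpCompare is equivalent to enum scmp_compare. It is a distinct Go type, not an alias of the cgo enum; convert with scmpCompare(op) at the libseccomp boundary.` so the reason for the unexported twin is visible at the declaration.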
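Review bot: Replacing `Arg C.uint` with `Arg ScmpUint` in the third hunk keeps ScmpArgCmp the same size as struct scmp_arg_cmp, but size is the only property TestRuleType asserts; if a *ScmpArgCmp is ever reinterpreted as a *scmpArgCmp (the conversion is not in this hunk, so this is an inference) then field order, width and alignment are what matter, and a mismatch there would silently make a rule inspect the wrong argument index or comparison op — a weaker filter than the caller asked for, with no error from libseccomp. I would extend the kept comment on the struct to `// ScmpArgCmp is equivalent to struct scmp_arg_cmp; keep the field order and widths in sync with libseccomp's declaration, since the two are expected to be layout-compatible.` The ScmpArgCmp declaration continues past the end of the hunk.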
+++ b/container/seccomp/syscall_test.go @@ -23,17 +23,41 @@ func TestSyscallResolveName(t *testing.T) { } } -func TestRuleSize(t *testing.T) { +func TestRuleType(t *testing.T) { + assertKind[ScmpUint, scmpUint](t) + assertKind[ScmpInt, scmpInt](t) + assertSize[NativeRule, syscallRule](t) - assertSize[ScmpDatum, scmpDatum](t) + assertKind[ScmpDatum, scmpDatum](t) + assertKind[ScmpCompare, scmpCompare](t) assertSize[ScmpArgCmp, scmpArgCmp](t) } // assertSize asserts that native and equivalent are of the same size. func assertSize[native, equivalent any](t *testing.T) { - got := unsafe.Sizeof(*new(native)) - want := unsafe.Sizeof(*new(equivalent)) + t.Helper() + + got, want := unsafe.Sizeof(*new(native)), unsafe.Sizeof(*new(equivalent)) if got != want { t.Fatalf("%s: %d, want %d", reflect.TypeFor[native]().Name(), got, want) } } + +// assertKind asserts that native and equivalent are of the same kind. +func assertKind[native, equivalent any](t *testing.T) { + t.Helper() + + assertSize[native, equivalent](t) + nativeType, equivalentType := reflect.TypeFor[native](), reflect.TypeFor[equivalent]() + got, want := nativeType.Kind(), equivalentType.Kind() + + if got == reflect.Invalid || want == reflect.Invalid { + t.Fatalf("%s: invalid call to assertKind", nativeType.Name()) + } + if got == reflect.Struct { + t.Fatalf("%s: struct is unsupported by assertKind", nativeType.Name()) + } + if got != want { + t.Fatalf("%s: %s, want %s", nativeType.Name(), nativeType.Kind(), equivalentType.Kind()) + } +}
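Review bot: `assertSize[NativeRule, syscallRule](t)` and `assertSize[ScmpArgCmp, scmpArgCmp](t)` in TestRuleType still compare only total size, so a reordered field, a wrong field width absorbed by padding, or an alignment difference between ScmpArgCmp and struct scmp_arg_cmp would pass, and now that `Arg` and `Op` go through Go-defined types that is exactly the class of mismatch that could silently make a rule filter the wrong argument or comparison. I would add an assertLayout helper that also compares alignment and per-field offsets and sizes, skipping the `_` padding fields cgo emits, and use it for the two struct pairs; whether NativeRule is ever reinterpreted as a syscallRule by pointer I cannot tell from this hunk, but the size check already implies they are meant to line up. The new assertKind is fine as written; the Invalid and Struct guards read clearly.

```go
func TestRuleType(t *testing.T) {
	// … unchanged: assertKind calls for ScmpUint, ScmpInt, ScmpDatum, ScmpCompare …
	assertLayout[NativeRule, syscallRule](t)
	assertLayout[ScmpArgCmp, scmpArgCmp](t)
}

// assertLayout asserts that the struct types native and equivalent have the
// same size and alignment and that their fields sit at the same offsets with
// the same sizes. Padding fields emitted by cgo (named "_") are skipped.
func assertLayout[native, equivalent any](t *testing.T) {
	t.Helper()

	assertSize[native, equivalent](t)
	nativeType, equivalentType := reflect.TypeFor[native](), reflect.TypeFor[equivalent]()
	if nativeType.Kind() != reflect.Struct || equivalentType.Kind() != reflect.Struct {
		t.Fatalf("%s: assertLayout requires struct types", nativeType.Name())
	}
	if got, want := nativeType.Align(), equivalentType.Align(); got != want {
		t.Fatalf("%s: align %d, want %d", nativeType.Name(), got, want)
	}

	var wantFields []reflect.StructField
	for i := range equivalentType.NumField() {
		if f := equivalentType.Field(i); f.Name != "_" {
			wantFields = append(wantFields, f)
		}
	}
	if got, want := nativeType.NumField(), len(wantFields); got != want {
		t.Fatalf("%s: %d fields, want %d", nativeType.Name(), got, want)
	}
	for i, want := range wantFields {
		got := nativeType.Field(i)
		if got.Offset != want.Offset || got.Type.Size() != want.Type.Size() {
			t.Fatalf("%s.%s: offset %d size %d, want %s at offset %d size %d",
				nativeType.Name(), got.Name, got.Offset, got.Type.Size(),
				want.Name, want.Offset, want.Type.Size())
		}
	}
}
```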