helper/bwrap: integrate seccomp into helper interface

This makes API usage much cleaner, and encapsulates all bwrap arguments in argsWt.

Signed-off-by: Ophestra <cat@gensokyo.uk>

fst/config.go

@@ -31,8 +31,6 @@ type ConfinementConfig struct {
 	Outer string `json:"home"`
 	// bwrap sandbox confinement configuration
 	Sandbox *SandboxConfig `json:"sandbox"`
-	// seccomp syscall filter configuration
-	Syscall *SyscallConfig `json:"syscall"`
 	// extra acl entries to append
 	ExtraPerms []*ExtraPermConfig `json:"extra_perms,omitempty"`
 
@@ -47,14 +45,6 @@ type ConfinementConfig struct {
 	Enablements system.Enablements `json:"enablements"`
 }
 
-type SyscallConfig struct {
-	DenyDevel bool `json:"deny_devel"`
-	Multiarch bool `json:"multiarch"`
-	Linux32   bool `json:"linux32"`
-	Can       bool `json:"can"`
-	Bluetooth bool `json:"bluetooth"`
-}
-
 type ExtraPermConfig struct {
 	Ensure  bool   `json:"ensure,omitempty"`
 	Path    string `json:"path"`

fst/sandbox.go

@@ -22,6 +22,8 @@ type SandboxConfig struct {
 	Net bool `json:"net,omitempty"`
 	// share all devices
 	Dev bool `json:"dev,omitempty"`
+	// seccomp syscall filter policy
+	Syscall *bwrap.SyscallPolicy `json:"syscall"`
 	// do not run in new session
 	NoNewSession bool `json:"no_new_session,omitempty"`
 	// map target user uid to privileged user uid in the user namespace
@@ -50,6 +52,10 @@ func (s *SandboxConfig) Bwrap(os linux.System) (*bwrap.Config, error) {
 		return nil, errors.New("nil sandbox config")
 	}
 
+	if s.Syscall == nil {
+		fmsg.VPrintln("syscall filter not configured, PROCEED WITH CAUTION")
+	}
+
 	var uid int
 	if !s.MapRealUID {
 		uid = 65534
@@ -69,6 +75,7 @@ func (s *SandboxConfig) Bwrap(os linux.System) (*bwrap.Config, error) {
 		so this capacity should eliminate copies for most setups */
 		Filesystem: make([]bwrap.FSBuilder, 0, 256),
 
+		Syscall:       s.Syscall,
 		NewSession:    !s.NoNewSession,
 		DieWithParent: true,
 		AsInit:        true,