diff --git a/flake.nix b/flake.nix
index 3da6136..717dea2 100644
--- a/flake.nix
+++ b/flake.nix
@@ -184,6 +184,16 @@
                 exec cat ${docText} > options.md
               '';
             };
+
+          generateSyscallTable = pkgs.mkShell {
+            # this should be made cross-platform via nix
+            shellHook = ''
+              exec ${pkgs.perl}/bin/perl \
+                sandbox/seccomp/mksysnum_linux.pl \
+                ${pkgs.linuxHeaders}/include/asm/unistd_64.h > \
+                sandbox/seccomp/syscall_linux_amd64.go
+            '';
+          };
         }
       );
     };
diff --git a/sandbox/seccomp/mksysnum_linux.pl b/sandbox/seccomp/mksysnum_linux.pl
new file mode 100755
index 0000000..0df511c
--- /dev/null
+++ b/sandbox/seccomp/mksysnum_linux.pl
@@ -0,0 +1,68 @@
+#!/usr/bin/env perl
+# Copyright 2009 The Go Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+use strict;
+
+my $command = "mksysnum_linux.pl ". join(' ', @ARGV);
+
+print <<EOF;
+// $command
+// Code generated by the command above; DO NOT EDIT.
+
+package seccomp
+
+import . "syscall"
+
+var syscallNum = map[string]int{
+EOF
+
+my $offset = 0;
+
+sub fmt {
+	my ($name, $num) = @_;
+	if($num > 999){
+		# ignore deprecated syscalls that are no longer implemented
+		# https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/include/uapi/asm-generic/unistd.h?id=refs/heads/master#n716
+		return;
+	}
+	(my $name_upper = $name) =~ y/a-z/A-Z/;
+	$num = $num + $offset;
+	if($num > 302){ # not wired in Go standard library
+	    print "	\"$name\": $num,\n";
+	}
+	else{
+	    print "	\"$name\": SYS_$name_upper,\n";
+	}
+}
+
+my $prev;
+open(GCC, "gcc -E -dD $ARGV[0] |") || die "can't run gcc";
+while(<GCC>){
+	if(/^#define __NR_Linux\s+([0-9]+)/){
+		# mips/mips64: extract offset
+		$offset = $1;
+	}
+	elsif(/^#define __NR_syscalls\s+/) {
+		# ignore redefinitions of __NR_syscalls
+	}
+	elsif(/^#define __NR_(\w+)\s+([0-9]+)/){
+		$prev = $2;
+		fmt($1, $2);
+	}
+	elsif(/^#define __NR3264_(\w+)\s+([0-9]+)/){
+		$prev = $2;
+		fmt($1, $2);
+	}
+	elsif(/^#define __NR_(\w+)\s+\(\w+\+\s*([0-9]+)\)/){
+		fmt($1, $prev+$2)
+	}
+	elsif(/^#define __NR_(\w+)\s+\(__NR_Linux \+ ([0-9]+)/){
+		fmt($1, $2);
+	}
+}
+
+print <<EOF;
+}
+EOF
diff --git a/sandbox/seccomp/seccomp.go b/sandbox/seccomp/seccomp.go
index f897ee5..c9a201e 100644
--- a/sandbox/seccomp/seccomp.go
+++ b/sandbox/seccomp/seccomp.go
@@ -13,6 +13,7 @@ import (
 	"fmt"
 	"runtime"
 	"syscall"
+	"unsafe"
 )
 
 // LibraryError represents a libseccomp error.
@@ -114,3 +115,11 @@ func buildFilter(fd int, opts FilterOpts) error {
 	}
 	return err
 }
+
+// only used for testing
+func syscallResolveName(s string) (trap int) {
+	v := C.CString(s)
+	trap = int(C.seccomp_syscall_resolve_name(v))
+	C.free(unsafe.Pointer(v))
+	return
+}
diff --git a/sandbox/seccomp/syscall_linux_amd64.go b/sandbox/seccomp/syscall_linux_amd64.go
new file mode 100644
index 0000000..648639b
--- /dev/null
+++ b/sandbox/seccomp/syscall_linux_amd64.go
@@ -0,0 +1,384 @@
+// mksysnum_linux.pl /usr/include/asm/unistd_64.h
+// Code generated by the command above; DO NOT EDIT.
+
+package seccomp
+
+import . "syscall"
+
+var syscallNum = map[string]int{
+	"read":                    SYS_READ,
+	"write":                   SYS_WRITE,
+	"open":                    SYS_OPEN,
+	"close":                   SYS_CLOSE,
+	"stat":                    SYS_STAT,
+	"fstat":                   SYS_FSTAT,
+	"lstat":                   SYS_LSTAT,
+	"poll":                    SYS_POLL,
+	"lseek":                   SYS_LSEEK,
+	"mmap":                    SYS_MMAP,
+	"mprotect":                SYS_MPROTECT,
+	"munmap":                  SYS_MUNMAP,
+	"brk":                     SYS_BRK,
+	"rt_sigaction":            SYS_RT_SIGACTION,
+	"rt_sigprocmask":          SYS_RT_SIGPROCMASK,
+	"rt_sigreturn":            SYS_RT_SIGRETURN,
+	"ioctl":                   SYS_IOCTL,
+	"pread64":                 SYS_PREAD64,
+	"pwrite64":                SYS_PWRITE64,
+	"readv":                   SYS_READV,
+	"writev":                  SYS_WRITEV,
+	"access":                  SYS_ACCESS,
+	"pipe":                    SYS_PIPE,
+	"select":                  SYS_SELECT,
+	"sched_yield":             SYS_SCHED_YIELD,
+	"mremap":                  SYS_MREMAP,
+	"msync":                   SYS_MSYNC,
+	"mincore":                 SYS_MINCORE,
+	"madvise":                 SYS_MADVISE,
+	"shmget":                  SYS_SHMGET,
+	"shmat":                   SYS_SHMAT,
+	"shmctl":                  SYS_SHMCTL,
+	"dup":                     SYS_DUP,
+	"dup2":                    SYS_DUP2,
+	"pause":                   SYS_PAUSE,
+	"nanosleep":               SYS_NANOSLEEP,
+	"getitimer":               SYS_GETITIMER,
+	"alarm":                   SYS_ALARM,
+	"setitimer":               SYS_SETITIMER,
+	"getpid":                  SYS_GETPID,
+	"sendfile":                SYS_SENDFILE,
+	"socket":                  SYS_SOCKET,
+	"connect":                 SYS_CONNECT,
+	"accept":                  SYS_ACCEPT,
+	"sendto":                  SYS_SENDTO,
+	"recvfrom":                SYS_RECVFROM,
+	"sendmsg":                 SYS_SENDMSG,
+	"recvmsg":                 SYS_RECVMSG,
+	"shutdown":                SYS_SHUTDOWN,
+	"bind":                    SYS_BIND,
+	"listen":                  SYS_LISTEN,
+	"getsockname":             SYS_GETSOCKNAME,
+	"getpeername":             SYS_GETPEERNAME,
+	"socketpair":              SYS_SOCKETPAIR,
+	"setsockopt":              SYS_SETSOCKOPT,
+	"getsockopt":              SYS_GETSOCKOPT,
+	"clone":                   SYS_CLONE,
+	"fork":                    SYS_FORK,
+	"vfork":                   SYS_VFORK,
+	"execve":                  SYS_EXECVE,
+	"exit":                    SYS_EXIT,
+	"wait4":                   SYS_WAIT4,
+	"kill":                    SYS_KILL,
+	"uname":                   SYS_UNAME,
+	"semget":                  SYS_SEMGET,
+	"semop":                   SYS_SEMOP,
+	"semctl":                  SYS_SEMCTL,
+	"shmdt":                   SYS_SHMDT,
+	"msgget":                  SYS_MSGGET,
+	"msgsnd":                  SYS_MSGSND,
+	"msgrcv":                  SYS_MSGRCV,
+	"msgctl":                  SYS_MSGCTL,
+	"fcntl":                   SYS_FCNTL,
+	"flock":                   SYS_FLOCK,
+	"fsync":                   SYS_FSYNC,
+	"fdatasync":               SYS_FDATASYNC,
+	"truncate":                SYS_TRUNCATE,
+	"ftruncate":               SYS_FTRUNCATE,
+	"getdents":                SYS_GETDENTS,
+	"getcwd":                  SYS_GETCWD,
+	"chdir":                   SYS_CHDIR,
+	"fchdir":                  SYS_FCHDIR,
+	"rename":                  SYS_RENAME,
+	"mkdir":                   SYS_MKDIR,
+	"rmdir":                   SYS_RMDIR,
+	"creat":                   SYS_CREAT,
+	"link":                    SYS_LINK,
+	"unlink":                  SYS_UNLINK,
+	"symlink":                 SYS_SYMLINK,
+	"readlink":                SYS_READLINK,
+	"chmod":                   SYS_CHMOD,
+	"fchmod":                  SYS_FCHMOD,
+	"chown":                   SYS_CHOWN,
+	"fchown":                  SYS_FCHOWN,
+	"lchown":                  SYS_LCHOWN,
+	"umask":                   SYS_UMASK,
+	"gettimeofday":            SYS_GETTIMEOFDAY,
+	"getrlimit":               SYS_GETRLIMIT,
+	"getrusage":               SYS_GETRUSAGE,
+	"sysinfo":                 SYS_SYSINFO,
+	"times":                   SYS_TIMES,
+	"ptrace":                  SYS_PTRACE,
+	"getuid":                  SYS_GETUID,
+	"syslog":                  SYS_SYSLOG,
+	"getgid":                  SYS_GETGID,
+	"setuid":                  SYS_SETUID,
+	"setgid":                  SYS_SETGID,
+	"geteuid":                 SYS_GETEUID,
+	"getegid":                 SYS_GETEGID,
+	"setpgid":                 SYS_SETPGID,
+	"getppid":                 SYS_GETPPID,
+	"getpgrp":                 SYS_GETPGRP,
+	"setsid":                  SYS_SETSID,
+	"setreuid":                SYS_SETREUID,
+	"setregid":                SYS_SETREGID,
+	"getgroups":               SYS_GETGROUPS,
+	"setgroups":               SYS_SETGROUPS,
+	"setresuid":               SYS_SETRESUID,
+	"getresuid":               SYS_GETRESUID,
+	"setresgid":               SYS_SETRESGID,
+	"getresgid":               SYS_GETRESGID,
+	"getpgid":                 SYS_GETPGID,
+	"setfsuid":                SYS_SETFSUID,
+	"setfsgid":                SYS_SETFSGID,
+	"getsid":                  SYS_GETSID,
+	"capget":                  SYS_CAPGET,
+	"capset":                  SYS_CAPSET,
+	"rt_sigpending":           SYS_RT_SIGPENDING,
+	"rt_sigtimedwait":         SYS_RT_SIGTIMEDWAIT,
+	"rt_sigqueueinfo":         SYS_RT_SIGQUEUEINFO,
+	"rt_sigsuspend":           SYS_RT_SIGSUSPEND,
+	"sigaltstack":             SYS_SIGALTSTACK,
+	"utime":                   SYS_UTIME,
+	"mknod":                   SYS_MKNOD,
+	"uselib":                  SYS_USELIB,
+	"personality":             SYS_PERSONALITY,
+	"ustat":                   SYS_USTAT,
+	"statfs":                  SYS_STATFS,
+	"fstatfs":                 SYS_FSTATFS,
+	"sysfs":                   SYS_SYSFS,
+	"getpriority":             SYS_GETPRIORITY,
+	"setpriority":             SYS_SETPRIORITY,
+	"sched_setparam":          SYS_SCHED_SETPARAM,
+	"sched_getparam":          SYS_SCHED_GETPARAM,
+	"sched_setscheduler":      SYS_SCHED_SETSCHEDULER,
+	"sched_getscheduler":      SYS_SCHED_GETSCHEDULER,
+	"sched_get_priority_max":  SYS_SCHED_GET_PRIORITY_MAX,
+	"sched_get_priority_min":  SYS_SCHED_GET_PRIORITY_MIN,
+	"sched_rr_get_interval":   SYS_SCHED_RR_GET_INTERVAL,
+	"mlock":                   SYS_MLOCK,
+	"munlock":                 SYS_MUNLOCK,
+	"mlockall":                SYS_MLOCKALL,
+	"munlockall":              SYS_MUNLOCKALL,
+	"vhangup":                 SYS_VHANGUP,
+	"modify_ldt":              SYS_MODIFY_LDT,
+	"pivot_root":              SYS_PIVOT_ROOT,
+	"_sysctl":                 SYS__SYSCTL,
+	"prctl":                   SYS_PRCTL,
+	"arch_prctl":              SYS_ARCH_PRCTL,
+	"adjtimex":                SYS_ADJTIMEX,
+	"setrlimit":               SYS_SETRLIMIT,
+	"chroot":                  SYS_CHROOT,
+	"sync":                    SYS_SYNC,
+	"acct":                    SYS_ACCT,
+	"settimeofday":            SYS_SETTIMEOFDAY,
+	"mount":                   SYS_MOUNT,
+	"umount2":                 SYS_UMOUNT2,
+	"swapon":                  SYS_SWAPON,
+	"swapoff":                 SYS_SWAPOFF,
+	"reboot":                  SYS_REBOOT,
+	"sethostname":             SYS_SETHOSTNAME,
+	"setdomainname":           SYS_SETDOMAINNAME,
+	"iopl":                    SYS_IOPL,
+	"ioperm":                  SYS_IOPERM,
+	"create_module":           SYS_CREATE_MODULE,
+	"init_module":             SYS_INIT_MODULE,
+	"delete_module":           SYS_DELETE_MODULE,
+	"get_kernel_syms":         SYS_GET_KERNEL_SYMS,
+	"query_module":            SYS_QUERY_MODULE,
+	"quotactl":                SYS_QUOTACTL,
+	"nfsservctl":              SYS_NFSSERVCTL,
+	"getpmsg":                 SYS_GETPMSG,
+	"putpmsg":                 SYS_PUTPMSG,
+	"afs_syscall":             SYS_AFS_SYSCALL,
+	"tuxcall":                 SYS_TUXCALL,
+	"security":                SYS_SECURITY,
+	"gettid":                  SYS_GETTID,
+	"readahead":               SYS_READAHEAD,
+	"setxattr":                SYS_SETXATTR,
+	"lsetxattr":               SYS_LSETXATTR,
+	"fsetxattr":               SYS_FSETXATTR,
+	"getxattr":                SYS_GETXATTR,
+	"lgetxattr":               SYS_LGETXATTR,
+	"fgetxattr":               SYS_FGETXATTR,
+	"listxattr":               SYS_LISTXATTR,
+	"llistxattr":              SYS_LLISTXATTR,
+	"flistxattr":              SYS_FLISTXATTR,
+	"removexattr":             SYS_REMOVEXATTR,
+	"lremovexattr":            SYS_LREMOVEXATTR,
+	"fremovexattr":            SYS_FREMOVEXATTR,
+	"tkill":                   SYS_TKILL,
+	"time":                    SYS_TIME,
+	"futex":                   SYS_FUTEX,
+	"sched_setaffinity":       SYS_SCHED_SETAFFINITY,
+	"sched_getaffinity":       SYS_SCHED_GETAFFINITY,
+	"set_thread_area":         SYS_SET_THREAD_AREA,
+	"io_setup":                SYS_IO_SETUP,
+	"io_destroy":              SYS_IO_DESTROY,
+	"io_getevents":            SYS_IO_GETEVENTS,
+	"io_submit":               SYS_IO_SUBMIT,
+	"io_cancel":               SYS_IO_CANCEL,
+	"get_thread_area":         SYS_GET_THREAD_AREA,
+	"lookup_dcookie":          SYS_LOOKUP_DCOOKIE,
+	"epoll_create":            SYS_EPOLL_CREATE,
+	"epoll_ctl_old":           SYS_EPOLL_CTL_OLD,
+	"epoll_wait_old":          SYS_EPOLL_WAIT_OLD,
+	"remap_file_pages":        SYS_REMAP_FILE_PAGES,
+	"getdents64":              SYS_GETDENTS64,
+	"set_tid_address":         SYS_SET_TID_ADDRESS,
+	"restart_syscall":         SYS_RESTART_SYSCALL,
+	"semtimedop":              SYS_SEMTIMEDOP,
+	"fadvise64":               SYS_FADVISE64,
+	"timer_create":            SYS_TIMER_CREATE,
+	"timer_settime":           SYS_TIMER_SETTIME,
+	"timer_gettime":           SYS_TIMER_GETTIME,
+	"timer_getoverrun":        SYS_TIMER_GETOVERRUN,
+	"timer_delete":            SYS_TIMER_DELETE,
+	"clock_settime":           SYS_CLOCK_SETTIME,
+	"clock_gettime":           SYS_CLOCK_GETTIME,
+	"clock_getres":            SYS_CLOCK_GETRES,
+	"clock_nanosleep":         SYS_CLOCK_NANOSLEEP,
+	"exit_group":              SYS_EXIT_GROUP,
+	"epoll_wait":              SYS_EPOLL_WAIT,
+	"epoll_ctl":               SYS_EPOLL_CTL,
+	"tgkill":                  SYS_TGKILL,
+	"utimes":                  SYS_UTIMES,
+	"vserver":                 SYS_VSERVER,
+	"mbind":                   SYS_MBIND,
+	"set_mempolicy":           SYS_SET_MEMPOLICY,
+	"get_mempolicy":           SYS_GET_MEMPOLICY,
+	"mq_open":                 SYS_MQ_OPEN,
+	"mq_unlink":               SYS_MQ_UNLINK,
+	"mq_timedsend":            SYS_MQ_TIMEDSEND,
+	"mq_timedreceive":         SYS_MQ_TIMEDRECEIVE,
+	"mq_notify":               SYS_MQ_NOTIFY,
+	"mq_getsetattr":           SYS_MQ_GETSETATTR,
+	"kexec_load":              SYS_KEXEC_LOAD,
+	"waitid":                  SYS_WAITID,
+	"add_key":                 SYS_ADD_KEY,
+	"request_key":             SYS_REQUEST_KEY,
+	"keyctl":                  SYS_KEYCTL,
+	"ioprio_set":              SYS_IOPRIO_SET,
+	"ioprio_get":              SYS_IOPRIO_GET,
+	"inotify_init":            SYS_INOTIFY_INIT,
+	"inotify_add_watch":       SYS_INOTIFY_ADD_WATCH,
+	"inotify_rm_watch":        SYS_INOTIFY_RM_WATCH,
+	"migrate_pages":           SYS_MIGRATE_PAGES,
+	"openat":                  SYS_OPENAT,
+	"mkdirat":                 SYS_MKDIRAT,
+	"mknodat":                 SYS_MKNODAT,
+	"fchownat":                SYS_FCHOWNAT,
+	"futimesat":               SYS_FUTIMESAT,
+	"newfstatat":              SYS_NEWFSTATAT,
+	"unlinkat":                SYS_UNLINKAT,
+	"renameat":                SYS_RENAMEAT,
+	"linkat":                  SYS_LINKAT,
+	"symlinkat":               SYS_SYMLINKAT,
+	"readlinkat":              SYS_READLINKAT,
+	"fchmodat":                SYS_FCHMODAT,
+	"faccessat":               SYS_FACCESSAT,
+	"pselect6":                SYS_PSELECT6,
+	"ppoll":                   SYS_PPOLL,
+	"unshare":                 SYS_UNSHARE,
+	"set_robust_list":         SYS_SET_ROBUST_LIST,
+	"get_robust_list":         SYS_GET_ROBUST_LIST,
+	"splice":                  SYS_SPLICE,
+	"tee":                     SYS_TEE,
+	"sync_file_range":         SYS_SYNC_FILE_RANGE,
+	"vmsplice":                SYS_VMSPLICE,
+	"move_pages":              SYS_MOVE_PAGES,
+	"utimensat":               SYS_UTIMENSAT,
+	"epoll_pwait":             SYS_EPOLL_PWAIT,
+	"signalfd":                SYS_SIGNALFD,
+	"timerfd_create":          SYS_TIMERFD_CREATE,
+	"eventfd":                 SYS_EVENTFD,
+	"fallocate":               SYS_FALLOCATE,
+	"timerfd_settime":         SYS_TIMERFD_SETTIME,
+	"timerfd_gettime":         SYS_TIMERFD_GETTIME,
+	"accept4":                 SYS_ACCEPT4,
+	"signalfd4":               SYS_SIGNALFD4,
+	"eventfd2":                SYS_EVENTFD2,
+	"epoll_create1":           SYS_EPOLL_CREATE1,
+	"dup3":                    SYS_DUP3,
+	"pipe2":                   SYS_PIPE2,
+	"inotify_init1":           SYS_INOTIFY_INIT1,
+	"preadv":                  SYS_PREADV,
+	"pwritev":                 SYS_PWRITEV,
+	"rt_tgsigqueueinfo":       SYS_RT_TGSIGQUEUEINFO,
+	"perf_event_open":         SYS_PERF_EVENT_OPEN,
+	"recvmmsg":                SYS_RECVMMSG,
+	"fanotify_init":           SYS_FANOTIFY_INIT,
+	"fanotify_mark":           SYS_FANOTIFY_MARK,
+	"prlimit64":               SYS_PRLIMIT64,
+	"name_to_handle_at":       303,
+	"open_by_handle_at":       304,
+	"clock_adjtime":           305,
+	"syncfs":                  306,
+	"sendmmsg":                307,
+	"setns":                   308,
+	"getcpu":                  309,
+	"process_vm_readv":        310,
+	"process_vm_writev":       311,
+	"kcmp":                    312,
+	"finit_module":            313,
+	"sched_setattr":           314,
+	"sched_getattr":           315,
+	"renameat2":               316,
+	"seccomp":                 317,
+	"getrandom":               318,
+	"memfd_create":            319,
+	"kexec_file_load":         320,
+	"bpf":                     321,
+	"execveat":                322,
+	"userfaultfd":             323,
+	"membarrier":              324,
+	"mlock2":                  325,
+	"copy_file_range":         326,
+	"preadv2":                 327,
+	"pwritev2":                328,
+	"pkey_mprotect":           329,
+	"pkey_alloc":              330,
+	"pkey_free":               331,
+	"statx":                   332,
+	"io_pgetevents":           333,
+	"rseq":                    334,
+	"uretprobe":               335,
+	"pidfd_send_signal":       424,
+	"io_uring_setup":          425,
+	"io_uring_enter":          426,
+	"io_uring_register":       427,
+	"open_tree":               428,
+	"move_mount":              429,
+	"fsopen":                  430,
+	"fsconfig":                431,
+	"fsmount":                 432,
+	"fspick":                  433,
+	"pidfd_open":              434,
+	"clone3":                  435,
+	"close_range":             436,
+	"openat2":                 437,
+	"pidfd_getfd":             438,
+	"faccessat2":              439,
+	"process_madvise":         440,
+	"epoll_pwait2":            441,
+	"mount_setattr":           442,
+	"quotactl_fd":             443,
+	"landlock_create_ruleset": 444,
+	"landlock_add_rule":       445,
+	"landlock_restrict_self":  446,
+	"memfd_secret":            447,
+	"process_mrelease":        448,
+	"futex_waitv":             449,
+	"set_mempolicy_home_node": 450,
+	"cachestat":               451,
+	"fchmodat2":               452,
+	"map_shadow_stack":        453,
+	"futex_wake":              454,
+	"futex_wait":              455,
+	"futex_requeue":           456,
+	"statmount":               457,
+	"listmount":               458,
+	"lsm_get_self_attr":       459,
+	"lsm_set_self_attr":       460,
+	"lsm_list_modules":        461,
+	"mseal":                   462,
+}
diff --git a/sandbox/seccomp/syscall_test.go b/sandbox/seccomp/syscall_test.go
new file mode 100644
index 0000000..81f470a
--- /dev/null
+++ b/sandbox/seccomp/syscall_test.go
@@ -0,0 +1,16 @@
+package seccomp
+
+import (
+	"testing"
+)
+
+func TestSyscallResolveName(t *testing.T) {
+	for name, want := range syscallNum {
+		t.Run(name, func(t *testing.T) {
+			if got := syscallResolveName(name); got != want {
+				t.Errorf("syscallResolveName(%q) = %d, want %d",
+					name, got, want)
+			}
+		})
+	}
+}