From b65aba94467e9d8f3400c3e3de5f403e82bc99e7 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Wed, 5 Nov 2025 05:04:56 +0900
Subject: [PATCH] container/seccomp: alias libseccomp types

This enables tests to refer to these types and check its size.

Signed-off-by: Ophestra
---
 container/seccomp/libseccomp.go | 60 ++++++++++++++++++-------------
 container/seccomp/syscall_test.go | 17 +++++++++
 2 files changed, 52 insertions(+), 25 deletions(-)

diff --git a/container/seccomp/libseccomp.go b/container/seccomp/libseccomp.go
index c408b7b..345586b 100644
--- a/container/seccomp/libseccomp.go
+++ b/container/seccomp/libseccomp.go
@@ -55,21 +55,25 @@ func (e *LibraryError) Is(err error) bool {
 type (
 	// ScmpSyscall represents a syscall number passed to libseccomp via [NativeRule.Syscall].
-	ScmpSyscall = C.int
+	ScmpSyscall C.int
 	// ScmpErrno represents an errno value passed to libseccomp via [NativeRule.Errno].
-	ScmpErrno = C.int
+	ScmpErrno C.int
+
+	// A NativeRule specifies an arch-specific action taken by seccomp under certain conditions.
+	NativeRule struct {
+		// Syscall is the arch-dependent syscall number to act against.
+		Syscall ScmpSyscall
+		// Errno is the errno value to return when the condition is satisfied.
+		Errno ScmpErrno
+		// Arg is the optional struct scmp_arg_cmp passed to libseccomp.
+		Arg *ScmpArgCmp
+	}
+
+	// syscallRule is equivalent to [NativeRule].
+	syscallRule = C.struct_hakurei_syscall_rule
 )
 
-// A NativeRule specifies an arch-specific action taken by seccomp under certain conditions.
-type NativeRule struct {
-	// Syscall is the arch-dependent syscall number to act against.
-	Syscall ScmpSyscall
-	// Errno is the errno value to return when the condition is satisfied.
-	Errno ScmpErrno
-	// Arg is the optional struct scmp_arg_cmp passed to libseccomp.
-	Arg *ScmpArgCmp
-}
-
+// ExportFlag configures filter behaviour that are not implemented as rules.
 type ExportFlag = C.hakurei_export_flag
 
 const (
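Review bot: The comment `// syscallRule is equivalent to [NativeRule].` understates the contract the new alias carries: makeFilter (next hunk) reinterprets `&rules[0]` as `*syscallRule`, so NativeRule must match struct hakurei_syscall_rule field-for-field in order, type and padding, not merely in total size, and a silent divergence would hand libseccomp wrong syscall numbers or errno values. I would make that explicit on the alias: `// syscallRule is the C type that [NativeRule] must mirror exactly (field order, types and padding), because makeFilter passes a []NativeRule to C as an array of it.` The C struct definition is not visible on this page, so the exact field list is something to cross-check there. Separately, the added doc line on ExportFlag should read `// ExportFlag configures filter behaviour that is not implemented as rules.`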
@@ -152,7 +156,7 @@ func makeFilter(rules []NativeRule, flags ExportFlag, p *[]byte) error {
 	res, err := C.hakurei_scmp_make_filter(
 		&ret, C.uintptr_t(allocateP),
 		arch, multiarch,
-		(*C.struct_hakurei_syscall_rule)(unsafe.Pointer(&rules[0])),
+		(*syscallRule)(unsafe.Pointer(&rules[0])),
 		C.size_t(len(rules)),
 		flags,
 	)
@@ -203,20 +207,26 @@ const (
 	_SCMP_CMP_MAX = C._SCMP_CMP_MAX
 )
 
-// ScmpDatum is the equivalent of scmp_datum_t;
-// Argument datum
-type ScmpDatum uint64
+type (
+	// Argument datum.
+	scmpDatum = C.scmp_datum_t
 
-// ScmpArgCmp is the equivalent of struct scmp_arg_cmp;
-// Argument / Value comparison definition
-type ScmpArgCmp struct {
-	// argument number, starting at 0
-	Arg C.uint
-	// the comparison op, e.g. SCMP_CMP_*
-	Op ScmpCompare
+	// ScmpDatum is equivalent to scmp_datum_t.
+	ScmpDatum uint64
 
-	DatumA, DatumB ScmpDatum
-}
+	// Argument / Value comparison definition.
+	scmpArgCmp = C.struct_scmp_arg_cmp
+
+	// ScmpArgCmp is equivalent to struct scmp_arg_cmp.
+	ScmpArgCmp struct {
+		// argument number, starting at 0
+		Arg C.uint
+		// the comparison op, e.g. SCMP_CMP_*
+		Op ScmpCompare
+
+		DatumA, DatumB ScmpDatum
+	}
+)
 
 const (
 	// PersonaLinux is passed in a [ScmpDatum] for filtering calls to syscall.SYS_PERSONALITY.
diff --git a/container/seccomp/syscall_test.go b/container/seccomp/syscall_test.go
index 57a7326..151f632 100644
--- a/container/seccomp/syscall_test.go
+++ b/container/seccomp/syscall_test.go
@@ -1,7 +1,9 @@
 package seccomp
 
 import (
+	"reflect"
 	"testing"
+	"unsafe"
 
 	"hakurei.app/container/std"
 )
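Review bot: The unexported aliases in the second hunk get comments that do not name them (`// Argument datum.`, `// Argument / Value comparison definition.`), which breaks the package's own doc convention and, more importantly, leaves the layout requirement on ScmpArgCmp undocumented: its field order must mirror libseccomp's struct scmp_arg_cmp (arg, op, datum_a, datum_b) for the two to be interchangeable, and ScmpDatum stays a plain uint64 rather than aliasing scmpDatum, which only holds while scmp_datum_t is 64 bits wide. I would write `// scmpDatum is the cgo scmp_datum_t; [ScmpDatum] must keep its width.` and `// scmpArgCmp is the cgo struct scmp_arg_cmp; [ScmpArgCmp] must keep its field order and types.` The size of Op depends on how ScmpCompare is declared, which is outside this hunk, so that is the field most worth confirming against the C enum.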
@@ -20,3 +22,18 @@ func TestSyscallResolveName(t *testing.T) {
 		})
 	}
 }
+
+func TestRuleSize(t *testing.T) {
+	assertSize[NativeRule, syscallRule](t)
+	assertSize[ScmpDatum, scmpDatum](t)
+	assertSize[ScmpArgCmp, scmpArgCmp](t)
+}
+
+// assertSize asserts that native and equivalent are of the same size.
+func assertSize[native, equivalent any](t *testing.T) {
+	got := unsafe.Sizeof(*new(native))
+	want := unsafe.Sizeof(*new(equivalent))
+	if got != want {
+		t.Fatalf("%s: %d, want %d", reflect.TypeFor[native]().Name(), got, want)
+	}
+}
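Review bot: assertSize only compares unsafe.Sizeof, so two same-sized fields in the wrong order, or a different alignment with compensating padding, pass TestRuleSize while makeFilter still reinterprets the Go structs as C memory and would feed libseccomp a filter with the wrong syscall number, errno or argument comparison. Alignment is cheap to add in the same helper, `if unsafe.Alignof(*new(native)) != unsafe.Alignof(*new(equivalent)) { t.Fatalf(...) }`, and per-field offsets pin the layout fully; for the libseccomp struct that is `unsafe.Offsetof(ScmpArgCmp{}.Op) != unsafe.Offsetof(scmpArgCmp{}.op)` and likewise for arg, datum_a and datum_b. The same offset checks should cover NativeRule against struct hakurei_syscall_rule, whose field names are not on this page. The `%s` in the Fatalf message is fine for these named types but prints an empty string for an unnamed type argument, so `%v` of the reflect.Type would be a more robust label.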