From becaf8b6d7151971907ff65f338afa038f021c92 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Wed, 5 Nov 2025 04:48:05 +0900
Subject: [PATCH] std: relocate seccomp lookup tables

This should enable resolving NativeRule in hst.

Signed-off-by: Ophestra
---
 container/landlock.go | 6 ++---
 container/seccomp/libseccomp.go | 3 ++-
 container/seccomp/presets.go | 26 +++++++++----------
 ...sh_amd64_test.go => presets_amd64_test.go} | 0
 ...sh_arm64_test.go => presets_arm64_test.go} | 0
 .../seccomp/{hash_test.go => presets_test.go} | 0
 container/seccomp/syscall_test.go | 10 +++---
 container/{seccomp => std}/mksysnum_linux.pl | 2 +-
 container/{seccomp => std}/pnr.go | 2 +-
 container/{seccomp => std}/syscall.go | 2 +-
 .../syscall_extra_linux_amd64.go | 2 +-
 .../syscall_extra_linux_arm64.go | 2 +-
 .../{seccomp => std}/syscall_linux_amd64.go | 2 +-
 .../{seccomp => std}/syscall_linux_arm64.go | 2 +-
 container/std/syscall_test.go | 21 +++++++++++++++
 15 files changed, 51 insertions(+), 29 deletions(-)
 rename container/seccomp/{hash_amd64_test.go => presets_amd64_test.go} (100%)
 rename container/seccomp/{hash_arm64_test.go => presets_arm64_test.go} (100%)
 rename container/seccomp/{hash_test.go => presets_test.go} (100%)
 rename container/{seccomp => std}/mksysnum_linux.pl (99%)
 rename container/{seccomp => std}/pnr.go (99%)
 rename container/{seccomp => std}/syscall.go (97%)
 rename container/{seccomp => std}/syscall_extra_linux_amd64.go (98%)
 rename container/{seccomp => std}/syscall_extra_linux_arm64.go (99%)
 rename container/{seccomp => std}/syscall_linux_amd64.go (99%)
 rename container/{seccomp => std}/syscall_linux_arm64.go (99%)
 create mode 100644 container/std/syscall_test.go

diff --git a/container/landlock.go b/container/landlock.go
index 7f7461e..63d0381 100644
--- a/container/landlock.go
+++ b/container/landlock.go
@@ -5,7 +5,7 @@ import (
 	"syscall"
 	"unsafe"
 
-	"hakurei.app/container/seccomp"
+	"hakurei.app/container/std"
 )
 
 // include/uapi/linux/landlock.h
@@ -212,7 +212,7 @@ func (rulesetAttr *RulesetAttr) Create(flags uintptr) (fd int, err error) {
 		size = unsafe.Sizeof(*rulesetAttr)
 	}
 
-	rulesetFd, _, errno := syscall.Syscall(seccomp.SYS_LANDLOCK_CREATE_RULESET, pointer, size, flags)
+	rulesetFd, _, errno := syscall.Syscall(std.SYS_LANDLOCK_CREATE_RULESET, pointer, size, flags)
 	fd = int(rulesetFd)
 	err = errno
 
@@ -231,7 +231,7 @@ func LandlockGetABI() (int, error) {
 }
 
 func LandlockRestrictSelf(rulesetFd int, flags uintptr) error {
-	r, _, errno := syscall.Syscall(seccomp.SYS_LANDLOCK_RESTRICT_SELF, uintptr(rulesetFd), flags, 0)
+	r, _, errno := syscall.Syscall(std.SYS_LANDLOCK_RESTRICT_SELF, uintptr(rulesetFd), flags, 0)
 	if r != 0 {
 		return errno
 	}
diff --git a/container/seccomp/libseccomp.go b/container/seccomp/libseccomp.go
index 2044a66..c408b7b 100644
--- a/container/seccomp/libseccomp.go
+++ b/container/seccomp/libseccomp.go
@@ -227,9 +227,10 @@ const (
 
 // syscallResolveName resolves a syscall number by name via seccomp_syscall_resolve_name.
 // This function is only for testing the lookup tables and included here for convenience.
-func syscallResolveName(s string) (trap int) {
+func syscallResolveName(s string) (trap int, ok bool) {
 	v := C.CString(s)
 	trap = int(C.seccomp_syscall_resolve_name(v))
 	C.free(unsafe.Pointer(v))
+	ok = trap != C.__NR_SCMP_ERROR
 	return
 }
diff --git a/container/seccomp/presets.go b/container/seccomp/presets.go
index 8e9eaeb..f16bc82 100644
--- a/container/seccomp/presets.go
+++ b/container/seccomp/presets.go
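Review bot: The doc comment above syscallResolveName still describes a single result; now that the signature in this hunk returns `(trap int, ok bool)`, it should state what `ok` means, e.g. `// ok is false when libseccomp answers __NR_SCMP_ERROR for s, i.e. it does not know the name at all.` libseccomp can, as far as I recall, also answer with a negative pseudo syscall number for a name it knows but the current architecture lacks, and the new check treats that as resolved — whether that is the intended semantics for the table tests (a pseudo number compared against the std table's value) is worth confirming and noting in the same comment, since this helper is the only bridge between the relocated tables and libseccomp. The const block named in the hunk header and the rest of the file are outside the hunk.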
@@ -5,32 +5,32 @@ package seccomp
 import (
 	. "syscall"
 
-	"hakurei.app/container/std"
+	. "hakurei.app/container/std"
 )
 
-func Preset(presets std.FilterPreset, flags ExportFlag) (rules []NativeRule) {
+func Preset(presets FilterPreset, flags ExportFlag) (rules []NativeRule) {
 	allowedPersonality := PersonaLinux
-	if presets&std.PresetLinux32 != 0 {
+	if presets&PresetLinux32 != 0 {
 		allowedPersonality = PersonaLinux32
 	}
 	presetDevelFinal := presetDevel(ScmpDatum(allowedPersonality))
 
 	l := len(presetCommon)
-	if presets&std.PresetDenyNS != 0 {
+	if presets&PresetDenyNS != 0 {
 		l += len(presetNamespace)
 	}
-	if presets&std.PresetDenyTTY != 0 {
+	if presets&PresetDenyTTY != 0 {
 		l += len(presetTTY)
 	}
-	if presets&std.PresetDenyDevel != 0 {
+	if presets&PresetDenyDevel != 0 {
 		l += len(presetDevelFinal)
 	}
 	if flags&AllowMultiarch == 0 {
 		l += len(presetEmu)
 	}
-	if presets&std.PresetExt != 0 {
+	if presets&PresetExt != 0 {
 		l += len(presetCommonExt)
-		if presets&std.PresetDenyNS != 0 {
+		if presets&PresetDenyNS != 0 {
 			l += len(presetNamespaceExt)
 		}
 		if flags&AllowMultiarch == 0 {
@@ -40,21 +40,21 @@ func Preset(presets std.FilterPreset, flags ExportFlag) (rules []NativeRule) {
 
 	rules = make([]NativeRule, 0, l)
 	rules = append(rules, presetCommon...)
-	if presets&std.PresetDenyNS != 0 {
+	if presets&PresetDenyNS != 0 {
 		rules = append(rules, presetNamespace...)
 	}
-	if presets&std.PresetDenyTTY != 0 {
+	if presets&PresetDenyTTY != 0 {
 		rules = append(rules, presetTTY...)
 	}
-	if presets&std.PresetDenyDevel != 0 {
+	if presets&PresetDenyDevel != 0 {
 		rules = append(rules, presetDevelFinal...)
 	}
 	if flags&AllowMultiarch == 0 {
 		rules = append(rules, presetEmu...)
 	}
-	if presets&std.PresetExt != 0 {
+	if presets&PresetExt != 0 {
 		rules = append(rules, presetCommonExt...)
-		if presets&std.PresetDenyNS != 0 {
+		if presets&PresetDenyNS != 0 {
 			rules = append(rules, presetNamespaceExt...)
 		}
 		if flags&AllowMultiarch == 0 {
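Review bot: Dot-importing `hakurei.app/container/std` next to `. "syscall"` in the import block of the first hunk means every unqualified name in Preset (FilterPreset, PresetDenyNS, PersonaLinux, ScmpDatum, NativeRule, ...) can only be attributed to a package by a reader who checks both, and any exported name later added to either package that collides with the other becomes a compile error in this file; the second hunk is the same substitution and has the same issue. staticcheck reports dot imports as ST1001, so the conventional form would be a named import, `std "hakurei.app/container/std"`, keeping the `std.` qualifier the old code had. If the dot import is what lets NativeRule resolve in hst, as the commit message suggests, a short comment on the import line saying so would stop the next reader from "fixing" it. Preset continues past the end of the second hunk.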
diff --git a/container/seccomp/hash_amd64_test.go b/container/seccomp/presets_amd64_test.go
similarity index 100%
rename from container/seccomp/hash_amd64_test.go
rename to container/seccomp/presets_amd64_test.go
diff --git a/container/seccomp/hash_arm64_test.go b/container/seccomp/presets_arm64_test.go
similarity index 100%
rename from container/seccomp/hash_arm64_test.go
rename to container/seccomp/presets_arm64_test.go
diff --git a/container/seccomp/hash_test.go b/container/seccomp/presets_test.go
similarity index 100%
rename from container/seccomp/hash_test.go
rename to container/seccomp/presets_test.go
diff --git a/container/seccomp/syscall_test.go b/container/seccomp/syscall_test.go
index e385a12..57a7326 100644
--- a/container/seccomp/syscall_test.go
+++ b/container/seccomp/syscall_test.go
@@ -2,21 +2,21 @@ package seccomp
 
 import (
 	"testing"
+
+	"hakurei.app/container/std"
 )
 
 func TestSyscallResolveName(t *testing.T) {
 	t.Parallel()
 
-	for name, want := range Syscalls() {
+	for name, want := range std.Syscalls() {
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
 
-			if got := syscallResolveName(name); got != want {
+			// this checks the std implementation against libseccomp.
+			if got, ok := syscallResolveName(name); !ok || got != want {
 				t.Errorf("syscallResolveName(%q) = %d, want %d", name, got, want)
 			}
-			if got, ok := SyscallResolveName(name); !ok || got != want {
-				t.Errorf("SyscallResolveName(%q) = %d, want %d", name, got, want)
-			}
 		})
 	}
 }
diff --git a/container/seccomp/mksysnum_linux.pl b/container/std/mksysnum_linux.pl
similarity index 99%
rename from container/seccomp/mksysnum_linux.pl
rename to container/std/mksysnum_linux.pl
index 2dbd12f..0dee69d 100755
--- a/container/seccomp/mksysnum_linux.pl
+++ b/container/std/mksysnum_linux.pl
@@ -17,7 +17,7 @@ print <
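Review bot: The new `if got, ok := syscallResolveName(name); !ok || got != want` folds two different failures into one message, so a name libseccomp does not know at all is reported as `= <__NR_SCMP_ERROR value>, want N` and reads like a numbering mismatch rather than an unknown name; splitting it, `if got, ok := syscallResolveName(name); !ok { t.Errorf("syscallResolveName(%q): not resolved by libseccomp", name) } else if got != want { t.Errorf(...) }`, keeps the two diagnosable. The loop is also one-directional: it shows every entry of std.Syscalls() agrees with libseccomp but cannot notice a syscall libseccomp knows and the relocated table lacks, which presumably is left to the new container/std/syscall_test.go listed in the diffstat (not in view) — the added comment would be the place to say so, and as a style point it should be sentence-cased, `// This checks the std implementation against libseccomp.` The closure capturing `name` and `want` under t.Parallel is fine on Go 1.22+ per-iteration loop variables; if the module targets an older Go version it would need the `name, want := name, want` shadow.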