std: relocate seccomp lookup tables

This should enable resolving NativeRule in hst.

Signed-off-by: Ophestra <cat@gensokyo.uk>

container/landlock.go

@@ -5,7 +5,7 @@ import (
 	"syscall"
 	"unsafe"
 
-	"hakurei.app/container/seccomp"
+	"hakurei.app/container/std"
 )
 
 // include/uapi/linux/landlock.h
@@ -212,7 +212,7 @@ func (rulesetAttr *RulesetAttr) Create(flags uintptr) (fd int, err error) {
 		size = unsafe.Sizeof(*rulesetAttr)
 	}
 
-	rulesetFd, _, errno := syscall.Syscall(seccomp.SYS_LANDLOCK_CREATE_RULESET, pointer, size, flags)
+	rulesetFd, _, errno := syscall.Syscall(std.SYS_LANDLOCK_CREATE_RULESET, pointer, size, flags)
 	fd = int(rulesetFd)
 	err = errno
 
@@ -231,7 +231,7 @@ func LandlockGetABI() (int, error) {
 }
 
 func LandlockRestrictSelf(rulesetFd int, flags uintptr) error {
-	r, _, errno := syscall.Syscall(seccomp.SYS_LANDLOCK_RESTRICT_SELF, uintptr(rulesetFd), flags, 0)
+	r, _, errno := syscall.Syscall(std.SYS_LANDLOCK_RESTRICT_SELF, uintptr(rulesetFd), flags, 0)
 	if r != 0 {
 		return errno
 	}

container/seccomp/libseccomp.go

@@ -227,9 +227,10 @@ const (
 
 // syscallResolveName resolves a syscall number by name via seccomp_syscall_resolve_name.
 // This function is only for testing the lookup tables and included here for convenience.
-func syscallResolveName(s string) (trap int) {
+func syscallResolveName(s string) (trap int, ok bool) {
 	v := C.CString(s)
 	trap = int(C.seccomp_syscall_resolve_name(v))
 	C.free(unsafe.Pointer(v))
+	ok = trap != C.__NR_SCMP_ERROR
 	return
 }

container/seccomp/presets.go

@@ -5,32 +5,32 @@ package seccomp
 import (
 	. "syscall"
 
-	"hakurei.app/container/std"
+	. "hakurei.app/container/std"
 )
 
-func Preset(presets std.FilterPreset, flags ExportFlag) (rules []NativeRule) {
+func Preset(presets FilterPreset, flags ExportFlag) (rules []NativeRule) {
 	allowedPersonality := PersonaLinux
-	if presets&std.PresetLinux32 != 0 {
+	if presets&PresetLinux32 != 0 {
 		allowedPersonality = PersonaLinux32
 	}
 	presetDevelFinal := presetDevel(ScmpDatum(allowedPersonality))
 
 	l := len(presetCommon)
-	if presets&std.PresetDenyNS != 0 {
+	if presets&PresetDenyNS != 0 {
 		l += len(presetNamespace)
 	}
-	if presets&std.PresetDenyTTY != 0 {
+	if presets&PresetDenyTTY != 0 {
 		l += len(presetTTY)
 	}
-	if presets&std.PresetDenyDevel != 0 {
+	if presets&PresetDenyDevel != 0 {
 		l += len(presetDevelFinal)
 	}
 	if flags&AllowMultiarch == 0 {
 		l += len(presetEmu)
 	}
-	if presets&std.PresetExt != 0 {
+	if presets&PresetExt != 0 {
 		l += len(presetCommonExt)
-		if presets&std.PresetDenyNS != 0 {
+		if presets&PresetDenyNS != 0 {
 			l += len(presetNamespaceExt)
 		}
 		if flags&AllowMultiarch == 0 {
@@ -40,21 +40,21 @@ func Preset(presets std.FilterPreset, flags ExportFlag) (rules []NativeRule) {
 
 	rules = make([]NativeRule, 0, l)
 	rules = append(rules, presetCommon...)
-	if presets&std.PresetDenyNS != 0 {
+	if presets&PresetDenyNS != 0 {
 		rules = append(rules, presetNamespace...)
 	}
-	if presets&std.PresetDenyTTY != 0 {
+	if presets&PresetDenyTTY != 0 {
 		rules = append(rules, presetTTY...)
 	}
-	if presets&std.PresetDenyDevel != 0 {
+	if presets&PresetDenyDevel != 0 {
 		rules = append(rules, presetDevelFinal...)
 	}
 	if flags&AllowMultiarch == 0 {
 		rules = append(rules, presetEmu...)
 	}
-	if presets&std.PresetExt != 0 {
+	if presets&PresetExt != 0 {
 		rules = append(rules, presetCommonExt...)
-		if presets&std.PresetDenyNS != 0 {
+		if presets&PresetDenyNS != 0 {
 			rules = append(rules, presetNamespaceExt...)
 		}
 		if flags&AllowMultiarch == 0 {

container/seccomp/syscall_test.go

@@ -2,21 +2,21 @@ package seccomp
 
 import (
 	"testing"
+
+	"hakurei.app/container/std"
 )
 
 func TestSyscallResolveName(t *testing.T) {
 	t.Parallel()
 
-	for name, want := range Syscalls() {
+	for name, want := range std.Syscalls() {
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
 
-			if got := syscallResolveName(name); got != want {
+			// this checks the std implementation against libseccomp.
+			if got, ok := syscallResolveName(name); !ok || got != want {
 				t.Errorf("syscallResolveName(%q) = %d, want %d", name, got, want)
 			}
-			if got, ok := SyscallResolveName(name); !ok || got != want {
-				t.Errorf("SyscallResolveName(%q) = %d, want %d", name, got, want)
-			}
 		})
 	}
 }

container/std/mksysnum_linux.pl

@@ -17,7 +17,7 @@ print <<EOF;
 // $command
 // Code generated by the command above; DO NOT EDIT.
 
-package seccomp
+package std
 
 import . "syscall"
 

container/std/pnr.go

@@ -1,6 +1,6 @@
 // Code generated from include/seccomp-syscalls.h; DO NOT EDIT.
 
-package seccomp
+package std
 
 /*
  * pseudo syscall definitions

container/std/syscall.go

@@ -1,4 +1,4 @@
-package seccomp
+package std
 
 import "iter"
 

container/std/syscall_extra_linux_amd64.go

@@ -1,4 +1,4 @@
-package seccomp
+package std
 
 var syscallNumExtra = map[string]int{
 	"umount":          SYS_UMOUNT,

container/std/syscall_extra_linux_arm64.go

@@ -1,4 +1,4 @@
-package seccomp
+package std
 
 import "syscall"
 

container/std/syscall_linux_amd64.go

@@ -1,7 +1,7 @@
 // mksysnum_linux.pl /usr/include/asm/unistd_64.h
 // Code generated by the command above; DO NOT EDIT.
 
-package seccomp
+package std
 
 import . "syscall"
 

container/std/syscall_linux_arm64.go

@@ -1,7 +1,7 @@
 // mksysnum_linux.pl /usr/include/asm/unistd_64.h
 // Code generated by the command above; DO NOT EDIT.
 
-package seccomp
+package std
 
 import . "syscall"
 

container/std/syscall_test.go

@@ -0,0 +1,21 @@
+package std_test
+
+import (
+	"testing"
+
+	"hakurei.app/container/std"
+)
+
+func TestSyscallResolveName(t *testing.T) {
+	t.Parallel()
+
+	for name, want := range std.Syscalls() {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			if got, ok := std.SyscallResolveName(name); !ok || got != want {
+				t.Errorf("SyscallResolveName(%q) = %d, want %d", name, got, want)
+			}
+		})
+	}
+}