From e335d99c6b9b21a3b24f5f055b92fb1f3406a773 Mon Sep 17 00:00:00 2001
From: Ophestra <cat@gensokyo.uk>
Date: Thu, 19 Feb 2026 14:30:31 +0900
Subject: [PATCH] internal/pkg: export seccomp presets

This is useful for external tooling providing an execArtifact-like environment.

Signed-off-by: Ophestra <cat@gensokyo.uk>
---
 internal/pkg/exec.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/internal/pkg/exec.go b/internal/pkg/exec.go
index bb0c7ba..7b1d7f3 100644
--- a/internal/pkg/exec.go
+++ b/internal/pkg/exec.go
@@ -365,6 +365,10 @@ func scanVerbose(
 	}
 }
 
+// SeccompPresets is the [seccomp] presets used by exec artifacts.
+const SeccompPresets = std.PresetStrict &
+	^(std.PresetDenyNS | std.PresetDenyDevel)
+
 // cure is like Cure but allows optional host net namespace. This is used for
 // the [KnownChecksum] variant where networking is allowed.
 func (a *execArtifact) cure(f *FContext, hostNet bool) (err error) {
@@ -388,8 +392,7 @@ func (a *execArtifact) cure(f *FContext, hostNet bool) (err error) {
 
 	z := container.New(ctx, f.GetMessage())
 	z.WaitDelay = execWaitDelay
-	z.SeccompPresets |= std.PresetStrict &
-		^(std.PresetDenyNS | std.PresetDenyDevel)
+	z.SeccompPresets = SeccompPresets
 	z.SeccompFlags |= seccomp.AllowMultiarch
 	z.ParentPerm = 0700
 	z.HostNet = hostNet