container/comp: rename from bits

This package will also hold syscall lookup tables for seccomp.

Signed-off-by: Ophestra <cat@gensokyo.uk>

container/autoroot_test.go

@@ -5,8 +5,8 @@ import (
 	"os"
 	"testing"
 
-	"hakurei.app/container/bits"
 	"hakurei.app/container/check"
+	"hakurei.app/container/comp"
 	"hakurei.app/container/stub"
 	"hakurei.app/message"
 )
@@ -23,14 +23,14 @@ func TestAutoRootOp(t *testing.T) {
 	checkOpBehaviour(t, []opBehaviourTestCase{
 		{"readdir", &Params{ParentPerm: 0750}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: bits.BindWritable,
+			Flags: comp.BindWritable,
 		}, []stub.Call{
 			call("readdir", stub.ExpectArgs{"/"}, stubDir(), stub.UniqueError(2)),
 		}, stub.UniqueError(2), nil, nil},
 
 		{"early", &Params{ParentPerm: 0750}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: bits.BindWritable,
+			Flags: comp.BindWritable,
 		}, []stub.Call{
 			call("readdir", stub.ExpectArgs{"/"}, stubDir("bin", "dev", "etc", "home", "lib64",
 				"lost+found", "mnt", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var"), nil),
@@ -39,7 +39,7 @@ func TestAutoRootOp(t *testing.T) {
 
 		{"apply", &Params{ParentPerm: 0750}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: bits.BindWritable,
+			Flags: comp.BindWritable,
 		}, []stub.Call{
 			call("readdir", stub.ExpectArgs{"/"}, stubDir("bin", "dev", "etc", "home", "lib64",
 				"lost+found", "mnt", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var"), nil),
@@ -60,7 +60,7 @@ func TestAutoRootOp(t *testing.T) {
 
 		{"success pd", &Params{ParentPerm: 0750}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: bits.BindWritable,
+			Flags: comp.BindWritable,
 		}, []stub.Call{
 			call("readdir", stub.ExpectArgs{"/"}, stubDir("bin", "dev", "etc", "home", "lib64",
 				"lost+found", "mnt", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var"), nil),
@@ -127,10 +127,10 @@ func TestAutoRootOp(t *testing.T) {
 	})
 
 	checkOpsBuilder(t, []opsBuilderTestCase{
-		{"pd", new(Ops).Root(check.MustAbs("/"), bits.BindWritable), Ops{
+		{"pd", new(Ops).Root(check.MustAbs("/"), comp.BindWritable), Ops{
 			&AutoRootOp{
 				Host:  check.MustAbs("/"),
-				Flags: bits.BindWritable,
+				Flags: comp.BindWritable,
 			},
 		}},
 	})
@@ -140,42 +140,42 @@ func TestAutoRootOp(t *testing.T) {
 
 		{"internal ne", &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: bits.BindWritable,
+			Flags: comp.BindWritable,
 		}, &AutoRootOp{
 			Host:     check.MustAbs("/"),
-			Flags:    bits.BindWritable,
+			Flags:    comp.BindWritable,
 			resolved: []*BindMountOp{new(BindMountOp)},
 		}, true},
 
 		{"flags differs", &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: bits.BindWritable | bits.BindDevice,
+			Flags: comp.BindWritable | comp.BindDevice,
 		}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: bits.BindWritable,
+			Flags: comp.BindWritable,
 		}, false},
 
 		{"host differs", &AutoRootOp{
 			Host:  check.MustAbs("/tmp/"),
-			Flags: bits.BindWritable,
+			Flags: comp.BindWritable,
 		}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: bits.BindWritable,
+			Flags: comp.BindWritable,
 		}, false},
 
 		{"equals", &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: bits.BindWritable,
+			Flags: comp.BindWritable,
 		}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: bits.BindWritable,
+			Flags: comp.BindWritable,
 		}, true},
 	})
 
 	checkOpMeta(t, []opMetaTestCase{
 		{"root", &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: bits.BindWritable,
+			Flags: comp.BindWritable,
 		}, "setting up", `auto root "/" flags 0x2`},
 	})
 }

container/bits/bits.go

@@ -1,13 +0,0 @@
-// Package bits contains constants for configuring the container.
-package bits
-
-const (
-	// BindOptional skips nonexistent host paths.
-	BindOptional = 1 << iota
-	// BindWritable mounts filesystem read-write.
-	BindWritable
-	// BindDevice allows access to devices (special files) on this filesystem.
-	BindDevice
-	// BindEnsure attempts to create the host path if it does not exist.
-	BindEnsure
-)

container/comp/bits.go

@@ -1,4 +1,16 @@
-package bits
+// Package comp contains constants from container packages without depending on cgo.
+package comp
+
+const (
+	// BindOptional skips nonexistent host paths.
+	BindOptional = 1 << iota
+	// BindWritable mounts filesystem read-write.
+	BindWritable
+	// BindDevice allows access to devices (special files) on this filesystem.
+	BindDevice
+	// BindEnsure attempts to create the host path if it does not exist.
+	BindEnsure
+)
 
 // FilterPreset specifies parts of the syscall filter preset to enable.
 type FilterPreset int

container/container.go

@@ -14,8 +14,8 @@ import (
 	. "syscall"
 	"time"
 
-	"hakurei.app/container/bits"
 	"hakurei.app/container/check"
+	"hakurei.app/container/comp"
 	"hakurei.app/container/fhs"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/message"
@@ -86,7 +86,7 @@ type (
 		// Extra seccomp flags.
 		SeccompFlags seccomp.ExportFlag
 		// Seccomp presets. Has no effect unless SeccompRules is zero-length.
-		SeccompPresets bits.FilterPreset
+		SeccompPresets comp.FilterPreset
 		// Do not load seccomp program.
 		SeccompDisable bool
 
@@ -174,7 +174,7 @@ func (p *Container) Start() error {
 	}
 
 	if !p.RetainSession {
-		p.SeccompPresets |= bits.PresetDenyTTY
+		p.SeccompPresets |= comp.PresetDenyTTY
 	}
 
 	if p.AdoptWaitDelay == 0 {

container/container_test.go

@@ -20,8 +20,8 @@ import (
 
 	"hakurei.app/command"
 	"hakurei.app/container"
-	"hakurei.app/container/bits"
 	"hakurei.app/container/check"
+	"hakurei.app/container/comp"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/vfs"
 	"hakurei.app/hst"
@@ -206,20 +206,20 @@ var containerTestCases = []struct {
 
 	rules   []seccomp.NativeRule
 	flags   seccomp.ExportFlag
-	presets bits.FilterPreset
+	presets comp.FilterPreset
 }{
 	{"minimal", true, false, false, true,
 		emptyOps, emptyMnt,
-		1000, 100, nil, 0, bits.PresetStrict},
+		1000, 100, nil, 0, comp.PresetStrict},
 	{"allow", true, true, true, false,
 		emptyOps, emptyMnt,
-		1000, 100, nil, 0, bits.PresetExt | bits.PresetDenyDevel},
+		1000, 100, nil, 0, comp.PresetExt | comp.PresetDenyDevel},
 	{"no filter", false, true, true, true,
 		emptyOps, emptyMnt,
-		1000, 100, nil, 0, bits.PresetExt},
+		1000, 100, nil, 0, comp.PresetExt},
 	{"custom rules", true, true, true, false,
 		emptyOps, emptyMnt,
-		1, 31, []seccomp.NativeRule{{Syscall: seccomp.ScmpSyscall(syscall.SYS_SETUID), Errno: seccomp.ScmpErrno(syscall.EPERM)}}, 0, bits.PresetExt},
+		1, 31, []seccomp.NativeRule{{Syscall: seccomp.ScmpSyscall(syscall.SYS_SETUID), Errno: seccomp.ScmpErrno(syscall.EPERM)}}, 0, comp.PresetExt},
 
 	{"tmpfs", true, false, false, true,
 		earlyOps(new(container.Ops).
@@ -228,7 +228,7 @@ var containerTestCases = []struct {
 		earlyMnt(
 			ent("/", hst.PrivateTmp, "rw,nosuid,nodev,relatime", "tmpfs", "ephemeral", ignore),
 		),
-		9, 9, nil, 0, bits.PresetStrict},
+		9, 9, nil, 0, comp.PresetStrict},
 
 	{"dev", true, true /* go test output is not a tty */, false, false,
 		earlyOps(new(container.Ops).
@@ -246,7 +246,7 @@ var containerTestCases = []struct {
 			ent("/", "/dev/mqueue", "rw,nosuid,nodev,noexec,relatime", "mqueue", "mqueue", "rw"),
 			ent("/", "/dev/shm", "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
 		),
-		1971, 100, nil, 0, bits.PresetStrict},
+		1971, 100, nil, 0, comp.PresetStrict},
 
 	{"dev no mqueue", true, true /* go test output is not a tty */, false, false,
 		earlyOps(new(container.Ops).
@@ -263,7 +263,7 @@ var containerTestCases = []struct {
 			ent("/", "/dev/pts", "rw,nosuid,noexec,relatime", "devpts", "devpts", "rw,mode=620,ptmxmode=666"),
 			ent("/", "/dev/shm", "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
 		),
-		1971, 100, nil, 0, bits.PresetStrict},
+		1971, 100, nil, 0, comp.PresetStrict},
 
 	{"overlay", true, false, false, true,
 		func(t *testing.T) (*container.Ops, context.Context) {
@@ -300,7 +300,7 @@ var containerTestCases = []struct {
 						",redirect_dir=nofollow,uuid=on,userxattr"),
 			}
 		},
-		1 << 3, 1 << 14, nil, 0, bits.PresetStrict},
+		1 << 3, 1 << 14, nil, 0, comp.PresetStrict},
 
 	{"overlay ephemeral", true, false, false, true,
 		func(t *testing.T) (*container.Ops, context.Context) {
@@ -324,7 +324,7 @@ var containerTestCases = []struct {
 				ent("/", hst.PrivateTmp, "rw", "overlay", "overlay", ignore),
 			}
 		},
-		1 << 3, 1 << 14, nil, 0, bits.PresetStrict},
+		1 << 3, 1 << 14, nil, 0, comp.PresetStrict},
 
 	{"overlay readonly", true, false, false, true,
 		func(t *testing.T) (*container.Ops, context.Context) {
@@ -352,7 +352,7 @@ var containerTestCases = []struct {
 						",redirect_dir=nofollow,userxattr"),
 			}
 		},
-		1 << 3, 1 << 14, nil, 0, bits.PresetStrict},
+		1 << 3, 1 << 14, nil, 0, comp.PresetStrict},
 }
 
 func TestContainer(t *testing.T) {
@@ -560,9 +560,9 @@ func TestContainerString(t *testing.T) {
 	c := container.NewCommand(t.Context(), msg, check.MustAbs("/run/current-system/sw/bin/ldd"), "ldd", "/usr/bin/env")
 	c.SeccompFlags |= seccomp.AllowMultiarch
 	c.SeccompRules = seccomp.Preset(
-		bits.PresetExt|bits.PresetDenyNS|bits.PresetDenyTTY,
+		comp.PresetExt|comp.PresetDenyNS|comp.PresetDenyTTY,
 		c.SeccompFlags)
-	c.SeccompPresets = bits.PresetStrict
+	c.SeccompPresets = comp.PresetStrict
 	want := `argv: ["ldd" "/usr/bin/env"], filter: true, rules: 65, flags: 0x1, presets: 0xf`
 	if got := c.String(); got != want {
 		t.Errorf("String: %s, want %s", got, want)

container/init_test.go

@@ -6,8 +6,8 @@ import (
 	"testing"
 	"time"
 
-	"hakurei.app/container/bits"
 	"hakurei.app/container/check"
+	"hakurei.app/container/comp"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/stub"
 )
@@ -70,7 +70,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(79), nil),
@@ -95,7 +95,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Hostname:       "hakurei-check",
 					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(78), nil),
@@ -123,7 +123,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Hostname:       "hakurei-check",
 					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(76), nil),
@@ -152,7 +152,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Hostname:       "hakurei-check",
 					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(74), nil),
@@ -182,7 +182,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Hostname:       "hakurei-check",
 					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(72), nil),
@@ -213,7 +213,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Hostname:       "hakurei-check",
 					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(70), nil),
@@ -245,7 +245,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Hostname:       "hakurei-check",
 					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(68), nil),
@@ -279,7 +279,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Hostname:       "hakurei-check",
 					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(66), nil),
@@ -315,7 +315,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Hostname:       "hakurei-check",
 					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(64), nil),
@@ -351,9 +351,9 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(nil, nil, bits.BindDevice),
+					Ops:            new(Ops).Bind(nil, nil, comp.BindDevice),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(63), nil),
@@ -389,9 +389,9 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(62), nil),
@@ -428,9 +428,9 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(60), nil),
@@ -467,9 +467,9 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(59), nil),
@@ -507,9 +507,9 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(57), nil),
@@ -548,9 +548,9 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(55), nil),
@@ -590,9 +590,9 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(53), nil),
@@ -633,9 +633,9 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(51), nil),
@@ -677,9 +677,9 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(49), nil),
@@ -722,9 +722,9 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(47), nil),
@@ -768,9 +768,9 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(45), nil),
@@ -823,9 +823,9 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(43), nil),
@@ -878,9 +878,9 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(42), nil),
@@ -934,9 +934,9 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(40), nil),
@@ -991,9 +991,9 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(38), nil),
@@ -1050,9 +1050,9 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(36), nil),
@@ -1110,9 +1110,9 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(34), nil),
@@ -1171,9 +1171,9 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(32), nil),
@@ -1233,9 +1233,9 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(30), nil),
@@ -1296,9 +1296,9 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(28), nil),
@@ -1360,9 +1360,9 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(26), nil),
@@ -1425,9 +1425,9 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(24), nil),
@@ -1491,9 +1491,9 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(22), nil),
@@ -1565,9 +1565,9 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(20), nil),
@@ -1672,9 +1672,9 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(18), nil),
@@ -1780,9 +1780,9 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(16), nil),
@@ -1869,7 +1869,7 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
 				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, nil),
 				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0, 0x200000, 0x200000}, {0, 0, 0}}}, nil, nil),
-				call("verbosef", stub.ExpectArgs{"resolving presets %#x", []any{bits.FilterPreset(0xf)}}, nil, nil),
+				call("verbosef", stub.ExpectArgs{"resolving presets %#x", []any{comp.FilterPreset(0xf)}}, nil, nil),
 				call("seccompLoad", stub.ExpectArgs{seccomp.Preset(0xf, 0), seccomp.ExportFlag(0)}, nil, stub.UniqueError(15)),
 				call("fatalf", stub.ExpectArgs{"cannot load syscall filter: %v", []any{stub.UniqueError(15)}}, nil, nil),
 			},
@@ -1890,7 +1890,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 24,
 					Gid:            1 << 47,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
 					SeccompDisable: true,
 					ParentPerm:     0750,
@@ -2004,7 +2004,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 24,
 					Gid:            1 << 47,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
 					SeccompDisable: true,
 					ParentPerm:     0750,
@@ -2106,7 +2106,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 24,
 					Gid:            1 << 47,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
 					SeccompDisable: true,
 					ParentPerm:     0750,
@@ -2199,7 +2199,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 24,
 					Gid:            1 << 47,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
 					SeccompDisable: true,
 					ParentPerm:     0750,
@@ -2294,7 +2294,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 24,
 					Gid:            1 << 47,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
 					SeccompDisable: true,
 					ParentPerm:     0750,
@@ -2396,7 +2396,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 24,
 					Gid:            1 << 47,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
 					SeccompDisable: true,
 					ParentPerm:     0750,
@@ -2534,9 +2534,9 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
+					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")),
 					SeccompRules:   make([]seccomp.NativeRule, 0),
-					SeccompPresets: bits.PresetStrict,
+					SeccompPresets: comp.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
 				}, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(0), nil),
@@ -2623,7 +2623,7 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
 				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, nil),
 				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0, 0x200000, 0x200000}, {0, 0, 0}}}, nil, nil),
-				call("verbosef", stub.ExpectArgs{"resolving presets %#x", []any{bits.FilterPreset(0xf)}}, nil, nil),
+				call("verbosef", stub.ExpectArgs{"resolving presets %#x", []any{comp.FilterPreset(0xf)}}, nil, nil),
 				call("seccompLoad", stub.ExpectArgs{seccomp.Preset(0xf, 0), seccomp.ExportFlag(0)}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"%d filter rules loaded", []any{73}}, nil, nil),
 				call("newFile", stub.ExpectArgs{uintptr(10), "extra file 0"}, (*os.File)(nil), nil),

container/initbind.go

@@ -6,8 +6,8 @@ import (
 	"os"
 	"syscall"
 
-	"hakurei.app/container/bits"
 	"hakurei.app/container/check"
+	"hakurei.app/container/comp"
 )
 
 func init() { gob.Register(new(BindMountOp)) }
@@ -29,18 +29,18 @@ type BindMountOp struct {
 func (b *BindMountOp) Valid() bool {
 	return b != nil &&
 		b.Source != nil && b.Target != nil &&
-		b.Flags&(bits.BindOptional|bits.BindEnsure) != (bits.BindOptional|bits.BindEnsure)
+		b.Flags&(comp.BindOptional|comp.BindEnsure) != (comp.BindOptional|comp.BindEnsure)
 }
 
 func (b *BindMountOp) early(_ *setupState, k syscallDispatcher) error {
-	if b.Flags&bits.BindEnsure != 0 {
+	if b.Flags&comp.BindEnsure != 0 {
 		if err := k.mkdirAll(b.Source.String(), 0700); err != nil {
 			return err
 		}
 	}
 
 	if pathname, err := k.evalSymlinks(b.Source.String()); err != nil {
-		if os.IsNotExist(err) && b.Flags&bits.BindOptional != 0 {
+		if os.IsNotExist(err) && b.Flags&comp.BindOptional != 0 {
 			// leave sourceFinal as nil
 			return nil
 		}
@@ -53,7 +53,7 @@ func (b *BindMountOp) early(_ *setupState, k syscallDispatcher) error {
 
 func (b *BindMountOp) apply(state *setupState, k syscallDispatcher) error {
 	if b.sourceFinal == nil {
-		if b.Flags&bits.BindOptional == 0 {
+		if b.Flags&comp.BindOptional == 0 {
 			// unreachable
 			return OpStateError("bind")
 		}
@@ -76,10 +76,10 @@ func (b *BindMountOp) apply(state *setupState, k syscallDispatcher) error {
 	}
 
 	var flags uintptr = syscall.MS_REC
-	if b.Flags&bits.BindWritable == 0 {
+	if b.Flags&comp.BindWritable == 0 {
 		flags |= syscall.MS_RDONLY
 	}
-	if b.Flags&bits.BindDevice == 0 {
+	if b.Flags&comp.BindDevice == 0 {
 		flags |= syscall.MS_NODEV
 	}
 

container/initbind_test.go

@@ -6,8 +6,8 @@ import (
 	"syscall"
 	"testing"
 
-	"hakurei.app/container/bits"
 	"hakurei.app/container/check"
+	"hakurei.app/container/comp"
 	"hakurei.app/container/stub"
 )
 
@@ -25,7 +25,7 @@ func TestBindMountOp(t *testing.T) {
 		{"skip optional", new(Params), &BindMountOp{
 			Source: check.MustAbs("/bin/"),
 			Target: check.MustAbs("/bin/"),
-			Flags:  bits.BindOptional,
+			Flags:  comp.BindOptional,
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "", syscall.ENOENT),
 		}, nil, nil, nil},
@@ -33,7 +33,7 @@ func TestBindMountOp(t *testing.T) {
 		{"success optional", new(Params), &BindMountOp{
 			Source: check.MustAbs("/bin/"),
 			Target: check.MustAbs("/bin/"),
-			Flags:  bits.BindOptional,
+			Flags:  comp.BindOptional,
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/usr/bin", nil),
 		}, nil, []stub.Call{
@@ -46,7 +46,7 @@ func TestBindMountOp(t *testing.T) {
 		{"ensureFile device", new(Params), &BindMountOp{
 			Source: check.MustAbs("/dev/null"),
 			Target: check.MustAbs("/dev/null"),
-			Flags:  bits.BindWritable | bits.BindDevice,
+			Flags:  comp.BindWritable | comp.BindDevice,
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/dev/null"}, "/dev/null", nil),
 		}, nil, []stub.Call{
@@ -57,7 +57,7 @@ func TestBindMountOp(t *testing.T) {
 		{"mkdirAll ensure", new(Params), &BindMountOp{
 			Source: check.MustAbs("/bin/"),
 			Target: check.MustAbs("/bin/"),
-			Flags:  bits.BindEnsure,
+			Flags:  comp.BindEnsure,
 		}, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/bin/", os.FileMode(0700)}, nil, stub.UniqueError(4)),
 		}, stub.UniqueError(4), nil, nil},
@@ -65,7 +65,7 @@ func TestBindMountOp(t *testing.T) {
 		{"success ensure", new(Params), &BindMountOp{
 			Source: check.MustAbs("/bin/"),
 			Target: check.MustAbs("/usr/bin/"),
-			Flags:  bits.BindEnsure,
+			Flags:  comp.BindEnsure,
 		}, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/bin/", os.FileMode(0700)}, nil, nil),
 			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/usr/bin", nil),
@@ -79,7 +79,7 @@ func TestBindMountOp(t *testing.T) {
 		{"success device ro", new(Params), &BindMountOp{
 			Source: check.MustAbs("/dev/null"),
 			Target: check.MustAbs("/dev/null"),
-			Flags:  bits.BindDevice,
+			Flags:  comp.BindDevice,
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/dev/null"}, "/dev/null", nil),
 		}, nil, []stub.Call{
@@ -92,7 +92,7 @@ func TestBindMountOp(t *testing.T) {
 		{"success device", new(Params), &BindMountOp{
 			Source: check.MustAbs("/dev/null"),
 			Target: check.MustAbs("/dev/null"),
-			Flags:  bits.BindWritable | bits.BindDevice,
+			Flags:  comp.BindWritable | comp.BindDevice,
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/dev/null"}, "/dev/null", nil),
 		}, nil, []stub.Call{
@@ -182,7 +182,7 @@ func TestBindMountOp(t *testing.T) {
 		{"zero", new(BindMountOp), false},
 		{"nil source", &BindMountOp{Target: check.MustAbs("/")}, false},
 		{"nil target", &BindMountOp{Source: check.MustAbs("/")}, false},
-		{"flag optional ensure", &BindMountOp{Source: check.MustAbs("/"), Target: check.MustAbs("/"), Flags: bits.BindOptional | bits.BindEnsure}, false},
+		{"flag optional ensure", &BindMountOp{Source: check.MustAbs("/"), Target: check.MustAbs("/"), Flags: comp.BindOptional | comp.BindEnsure}, false},
 		{"valid", &BindMountOp{Source: check.MustAbs("/"), Target: check.MustAbs("/")}, true},
 	})
 
@@ -217,7 +217,7 @@ func TestBindMountOp(t *testing.T) {
 		}, &BindMountOp{
 			Source: check.MustAbs("/etc/"),
 			Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
-			Flags:  bits.BindOptional,
+			Flags:  comp.BindOptional,
 		}, false},
 
 		{"source differs", &BindMountOp{
@@ -256,7 +256,7 @@ func TestBindMountOp(t *testing.T) {
 		{"hostdev", &BindMountOp{
 			Source: check.MustAbs("/dev/"),
 			Target: check.MustAbs("/dev/"),
-			Flags:  bits.BindWritable | bits.BindDevice,
+			Flags:  comp.BindWritable | comp.BindDevice,
 		}, "mounting", `"/dev/" flags 0x6`},
 	})
 }

container/seccomp/hash_amd64_test.go

@@ -1,7 +1,7 @@
 package seccomp_test
 
 import (
-	. "hakurei.app/container/bits"
+	. "hakurei.app/container/comp"
 	. "hakurei.app/container/seccomp"
 )
 

container/seccomp/hash_arm64_test.go

@@ -1,7 +1,7 @@
 package seccomp_test
 
 import (
-	. "hakurei.app/container/bits"
+	. "hakurei.app/container/comp"
 	. "hakurei.app/container/seccomp"
 )
 

container/seccomp/hash_test.go

@@ -4,14 +4,14 @@ import (
 	"crypto/sha512"
 	"encoding/hex"
 
-	"hakurei.app/container/bits"
+	"hakurei.app/container/comp"
 	"hakurei.app/container/seccomp"
 )
 
 type (
 	bpfPreset = struct {
 		seccomp.ExportFlag
-		bits.FilterPreset
+		comp.FilterPreset
 	}
 	bpfLookup map[bpfPreset][sha512.Size]byte
 )

container/seccomp/libseccomp_test.go

@@ -6,7 +6,7 @@ import (
 	"syscall"
 	"testing"
 
-	. "hakurei.app/container/bits"
+	. "hakurei.app/container/comp"
 	. "hakurei.app/container/seccomp"
 )
 

container/seccomp/presets.go

@@ -5,32 +5,32 @@ package seccomp
 import (
 	. "syscall"
 
-	"hakurei.app/container/bits"
+	"hakurei.app/container/comp"
 )
 
-func Preset(presets bits.FilterPreset, flags ExportFlag) (rules []NativeRule) {
+func Preset(presets comp.FilterPreset, flags ExportFlag) (rules []NativeRule) {
 	allowedPersonality := PersonaLinux
-	if presets&bits.PresetLinux32 != 0 {
+	if presets&comp.PresetLinux32 != 0 {
 		allowedPersonality = PersonaLinux32
 	}
 	presetDevelFinal := presetDevel(ScmpDatum(allowedPersonality))
 
 	l := len(presetCommon)
-	if presets&bits.PresetDenyNS != 0 {
+	if presets&comp.PresetDenyNS != 0 {
 		l += len(presetNamespace)
 	}
-	if presets&bits.PresetDenyTTY != 0 {
+	if presets&comp.PresetDenyTTY != 0 {
 		l += len(presetTTY)
 	}
-	if presets&bits.PresetDenyDevel != 0 {
+	if presets&comp.PresetDenyDevel != 0 {
 		l += len(presetDevelFinal)
 	}
 	if flags&AllowMultiarch == 0 {
 		l += len(presetEmu)
 	}
-	if presets&bits.PresetExt != 0 {
+	if presets&comp.PresetExt != 0 {
 		l += len(presetCommonExt)
-		if presets&bits.PresetDenyNS != 0 {
+		if presets&comp.PresetDenyNS != 0 {
 			l += len(presetNamespaceExt)
 		}
 		if flags&AllowMultiarch == 0 {
@@ -40,21 +40,21 @@ func Preset(presets bits.FilterPreset, flags ExportFlag) (rules []NativeRule) {
 
 	rules = make([]NativeRule, 0, l)
 	rules = append(rules, presetCommon...)
-	if presets&bits.PresetDenyNS != 0 {
+	if presets&comp.PresetDenyNS != 0 {
 		rules = append(rules, presetNamespace...)
 	}
-	if presets&bits.PresetDenyTTY != 0 {
+	if presets&comp.PresetDenyTTY != 0 {
 		rules = append(rules, presetTTY...)
 	}
-	if presets&bits.PresetDenyDevel != 0 {
+	if presets&comp.PresetDenyDevel != 0 {
 		rules = append(rules, presetDevelFinal...)
 	}
 	if flags&AllowMultiarch == 0 {
 		rules = append(rules, presetEmu...)
 	}
-	if presets&bits.PresetExt != 0 {
+	if presets&comp.PresetExt != 0 {
 		rules = append(rules, presetCommonExt...)
-		if presets&bits.PresetDenyNS != 0 {
+		if presets&comp.PresetDenyNS != 0 {
 			rules = append(rules, presetNamespaceExt...)
 		}
 		if flags&AllowMultiarch == 0 {

hst/fsbind.go

@@ -4,8 +4,8 @@ import (
 	"encoding/gob"
 	"strings"
 
-	"hakurei.app/container/bits"
 	"hakurei.app/container/check"
+	"hakurei.app/container/comp"
 	"hakurei.app/container/fhs"
 )
 
@@ -97,16 +97,16 @@ func (b *FSBind) Apply(z *ApplyState) {
 	}
 	var flags int
 	if b.Write {
-		flags |= bits.BindWritable
+		flags |= comp.BindWritable
 	}
 	if b.Device {
-		flags |= bits.BindDevice | bits.BindWritable
+		flags |= comp.BindDevice | comp.BindWritable
 	}
 	if b.Ensure {
-		flags |= bits.BindEnsure
+		flags |= comp.BindEnsure
 	}
 	if b.Optional {
-		flags |= bits.BindOptional
+		flags |= comp.BindOptional
 	}
 
 	switch {

hst/fsbind_test.go

@@ -4,7 +4,7 @@ import (
 	"testing"
 
 	"hakurei.app/container"
-	"hakurei.app/container/bits"
+	"hakurei.app/container/comp"
 	"hakurei.app/hst"
 )
 
@@ -24,7 +24,7 @@ func TestFSBind(t *testing.T) {
 		}, true, container.Ops{&container.BindMountOp{
 			Source: m("/mnt/dev"),
 			Target: m("/dev"),
-			Flags:  bits.BindWritable | bits.BindDevice | bits.BindOptional,
+			Flags:  comp.BindWritable | comp.BindDevice | comp.BindOptional,
 		}}, m("/dev"), ms("/mnt/dev"),
 			"d+/mnt/dev:/dev"},
 
@@ -36,7 +36,7 @@ func TestFSBind(t *testing.T) {
 		}, true, container.Ops{&container.BindMountOp{
 			Source: m("/mnt/dev"),
 			Target: m("/dev"),
-			Flags:  bits.BindWritable | bits.BindDevice | bits.BindEnsure,
+			Flags:  comp.BindWritable | comp.BindDevice | comp.BindEnsure,
 		}}, m("/dev"), ms("/mnt/dev"),
 			"d-/mnt/dev:/dev"},
 
@@ -48,7 +48,7 @@ func TestFSBind(t *testing.T) {
 		}, true, container.Ops{&container.BindMountOp{
 			Source: m("/mnt/dev"),
 			Target: m("/dev"),
-			Flags:  bits.BindWritable | bits.BindDevice,
+			Flags:  comp.BindWritable | comp.BindDevice,
 		}}, m("/dev"), ms("/mnt/dev"),
 			"d*/mnt/dev:/dev"},
 
@@ -59,7 +59,7 @@ func TestFSBind(t *testing.T) {
 		}, true, container.Ops{&container.BindMountOp{
 			Source: m("/mnt/tmp"),
 			Target: m("/tmp"),
-			Flags:  bits.BindWritable,
+			Flags:  comp.BindWritable,
 		}}, m("/tmp"), ms("/mnt/tmp"),
 			"w*/mnt/tmp:/tmp"},
 
@@ -98,7 +98,7 @@ func TestFSBind(t *testing.T) {
 			Special: true,
 		}, true, container.Ops{&container.AutoRootOp{
 			Host:  m("/"),
-			Flags: bits.BindWritable,
+			Flags: comp.BindWritable,
 		}}, m("/"), ms("/"), "autoroot:w"},
 
 		{"autoroot silly", &hst.FSBind{
@@ -108,7 +108,7 @@ func TestFSBind(t *testing.T) {
 			Special: true,
 		}, true, container.Ops{&container.AutoRootOp{
 			Host:  m("/etc"),
-			Flags: bits.BindWritable,
+			Flags: comp.BindWritable,
 		}}, m("/"), ms("/etc"), "autoroot:w:/etc"},
 
 		{"autoetc", &hst.FSBind{

internal/app/app_test.go

@@ -17,8 +17,8 @@ import (
 	"time"
 
 	"hakurei.app/container"
-	"hakurei.app/container/bits"
 	"hakurei.app/container/check"
+	"hakurei.app/container/comp"
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
 	"hakurei.app/internal/app/state"
@@ -98,24 +98,24 @@ func TestApp(t *testing.T) {
 					"XDG_SESSION_TYPE=tty",
 				},
 				Ops: new(container.Ops).
-					Root(m("/"), bits.BindWritable).
+					Root(m("/"), comp.BindWritable).
 					Proc(m("/proc/")).
 					Tmpfs(hst.AbsPrivateTmp, 4096, 0755).
 					DevWritable(m("/dev/"), true).
 					Tmpfs(m("/dev/shm"), 0, 01777).
 					Tmpfs(m("/run/user/"), 4096, 0755).
-					Bind(m("/tmp/hakurei.0/runtime/0"), m("/run/user/65534"), bits.BindWritable).
+					Bind(m("/tmp/hakurei.0/runtime/0"), m("/run/user/65534"), comp.BindWritable).
-					Bind(m("/tmp/hakurei.0/tmpdir/0"), m("/tmp/"), bits.BindWritable).
+					Bind(m("/tmp/hakurei.0/tmpdir/0"), m("/tmp/"), comp.BindWritable).
 					Place(m("/etc/passwd"), []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
 					Place(m("/etc/group"), []byte("hakurei:x:65534:\n")).
-					Bind(m("/dev/kvm"), m("/dev/kvm"), bits.BindWritable|bits.BindDevice|bits.BindOptional).
+					Bind(m("/dev/kvm"), m("/dev/kvm"), comp.BindWritable|comp.BindDevice|comp.BindOptional).
 					Etc(m("/etc/"), "4a450b6596d7bc15bd01780eb9a607ac").
 					Tmpfs(m("/run/user/1971"), 8192, 0755).
 					Tmpfs(m("/run/nscd"), 8192, 0755).
 					Tmpfs(m("/run/dbus"), 8192, 0755).
 					Remount(m("/dev/"), syscall.MS_RDONLY).
 					Remount(m("/"), syscall.MS_RDONLY),
-				SeccompPresets: bits.PresetExt | bits.PresetDenyDevel,
+				SeccompPresets: comp.PresetExt | comp.PresetDenyDevel,
 				HostNet:        true,
 				HostAbstract:   true,
 				RetainSession:  true,
@@ -271,14 +271,14 @@ func TestApp(t *testing.T) {
 					"XDG_SESSION_TYPE=wayland",
 				},
 				Ops: new(container.Ops).
-					Root(m("/"), bits.BindWritable).
+					Root(m("/"), comp.BindWritable).
 					Proc(m("/proc/")).
 					Tmpfs(hst.AbsPrivateTmp, 4096, 0755).
 					DevWritable(m("/dev/"), true).
 					Tmpfs(m("/dev/shm"), 0, 01777).
 					Tmpfs(m("/run/user/"), 4096, 0755).
-					Bind(m("/tmp/hakurei.0/runtime/9"), m("/run/user/65534"), bits.BindWritable).
+					Bind(m("/tmp/hakurei.0/runtime/9"), m("/run/user/65534"), comp.BindWritable).
-					Bind(m("/tmp/hakurei.0/tmpdir/9"), m("/tmp/"), bits.BindWritable).
+					Bind(m("/tmp/hakurei.0/tmpdir/9"), m("/tmp/"), comp.BindWritable).
 					Place(m("/etc/passwd"), []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
 					Place(m("/etc/group"), []byte("hakurei:x:65534:\n")).
 					Bind(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/65534/wayland-0"), 0).
@@ -286,15 +286,15 @@ func TestApp(t *testing.T) {
 					Place(m(hst.PrivateTmp+"/pulse-cookie"), bytes.Repeat([]byte{0}, pulseCookieSizeMax)).
 					Bind(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/bus"), m("/run/user/65534/bus"), 0).
 					Bind(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/system_bus_socket"), m("/var/run/dbus/system_bus_socket"), 0).
-					Bind(m("/dev/dri"), m("/dev/dri"), bits.BindWritable|bits.BindDevice|bits.BindOptional).
+					Bind(m("/dev/dri"), m("/dev/dri"), comp.BindWritable|comp.BindDevice|comp.BindOptional).
-					Bind(m("/dev/kvm"), m("/dev/kvm"), bits.BindWritable|bits.BindDevice|bits.BindOptional).
+					Bind(m("/dev/kvm"), m("/dev/kvm"), comp.BindWritable|comp.BindDevice|comp.BindOptional).
 					Etc(m("/etc/"), "ebf083d1b175911782d413369b64ce7c").
 					Tmpfs(m("/run/user/1971"), 8192, 0755).
 					Tmpfs(m("/run/nscd"), 8192, 0755).
 					Tmpfs(m("/run/dbus"), 8192, 0755).
 					Remount(m("/dev/"), syscall.MS_RDONLY).
 					Remount(m("/"), syscall.MS_RDONLY),
-				SeccompPresets: bits.PresetExt | bits.PresetDenyDevel,
+				SeccompPresets: comp.PresetExt | comp.PresetDenyDevel,
 				HostNet:        true,
 				HostAbstract:   true,
 				RetainSession:  true,
@@ -428,8 +428,8 @@ func TestApp(t *testing.T) {
 					DevWritable(m("/dev/"), true).
 					Tmpfs(m("/dev/shm"), 0, 01777).
 					Tmpfs(m("/run/user/"), 4096, 0755).
-					Bind(m("/tmp/hakurei.0/runtime/1"), m("/run/user/1971"), bits.BindWritable).
+					Bind(m("/tmp/hakurei.0/runtime/1"), m("/run/user/1971"), comp.BindWritable).
-					Bind(m("/tmp/hakurei.0/tmpdir/1"), m("/tmp/"), bits.BindWritable).
+					Bind(m("/tmp/hakurei.0/tmpdir/1"), m("/tmp/"), comp.BindWritable).
 					Place(m("/etc/passwd"), []byte("u0_a1:x:1971:100:Hakurei:/var/lib/persist/module/hakurei/0/1:/run/current-system/sw/bin/zsh\n")).
 					Place(m("/etc/group"), []byte("hakurei:x:100:\n")).
 					Bind(m("/run/user/1971/wayland-0"), m("/run/user/1971/wayland-0"), 0).
@@ -441,18 +441,18 @@ func TestApp(t *testing.T) {
 					Bind(m("/usr/bin/"), m("/usr/bin/"), 0).
 					Bind(m("/nix/store"), m("/nix/store"), 0).
 					Bind(m("/run/current-system"), m("/run/current-system"), 0).
-					Bind(m("/sys/block"), m("/sys/block"), bits.BindOptional).
+					Bind(m("/sys/block"), m("/sys/block"), comp.BindOptional).
-					Bind(m("/sys/bus"), m("/sys/bus"), bits.BindOptional).
+					Bind(m("/sys/bus"), m("/sys/bus"), comp.BindOptional).
-					Bind(m("/sys/class"), m("/sys/class"), bits.BindOptional).
+					Bind(m("/sys/class"), m("/sys/class"), comp.BindOptional).
-					Bind(m("/sys/dev"), m("/sys/dev"), bits.BindOptional).
+					Bind(m("/sys/dev"), m("/sys/dev"), comp.BindOptional).
-					Bind(m("/sys/devices"), m("/sys/devices"), bits.BindOptional).
+					Bind(m("/sys/devices"), m("/sys/devices"), comp.BindOptional).
 					Bind(m("/run/opengl-driver"), m("/run/opengl-driver"), 0).
-					Bind(m("/dev/dri"), m("/dev/dri"), bits.BindDevice|bits.BindWritable|bits.BindOptional).
+					Bind(m("/dev/dri"), m("/dev/dri"), comp.BindDevice|comp.BindWritable|comp.BindOptional).
 					Etc(m("/etc/"), "8e2c76b066dabe574cf073bdb46eb5c1").
-					Bind(m("/var/lib/persist/module/hakurei/0/1"), m("/var/lib/persist/module/hakurei/0/1"), bits.BindWritable|bits.BindEnsure).
+					Bind(m("/var/lib/persist/module/hakurei/0/1"), m("/var/lib/persist/module/hakurei/0/1"), comp.BindWritable|comp.BindEnsure).
 					Remount(m("/dev/"), syscall.MS_RDONLY).
 					Remount(m("/"), syscall.MS_RDONLY),
-				SeccompPresets: bits.PresetExt | bits.PresetDenyTTY | bits.PresetDenyDevel,
+				SeccompPresets: comp.PresetExt | comp.PresetDenyTTY | comp.PresetDenyDevel,
 				HostNet:        true,
 				ForwardCancel:  true,
 			},

internal/app/shim.go

@@ -14,7 +14,7 @@ import (
 	"time"
 
 	"hakurei.app/container"
-	"hakurei.app/container/bits"
+	"hakurei.app/container/comp"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/hst"
 	"hakurei.app/message"
@@ -176,7 +176,7 @@ func ShimMain() {
 	}
 
 	if err := seccomp.Load(
-		seccomp.Preset(bits.PresetStrict, seccomp.AllowMultiarch),
+		seccomp.Preset(comp.PresetStrict, seccomp.AllowMultiarch),
 		seccomp.AllowMultiarch,
 	); err != nil {
 		log.Fatalf("cannot load syscall filter: %v", err)

internal/app/spcontainer.go

@@ -11,8 +11,8 @@ import (
 	"syscall"
 
 	"hakurei.app/container"
-	"hakurei.app/container/bits"
 	"hakurei.app/container/check"
+	"hakurei.app/container/comp"
 	"hakurei.app/container/fhs"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/hst"
@@ -75,16 +75,16 @@ func (s *spParamsOp) toContainer(state *outcomeStateParams) error {
 	}
 
 	if state.Container.Flags&hst.FSeccompCompat == 0 {
-		state.params.SeccompPresets |= bits.PresetExt
+		state.params.SeccompPresets |= comp.PresetExt
 	}
 	if state.Container.Flags&hst.FDevel == 0 {
-		state.params.SeccompPresets |= bits.PresetDenyDevel
+		state.params.SeccompPresets |= comp.PresetDenyDevel
 	}
 	if state.Container.Flags&hst.FUserns == 0 {
-		state.params.SeccompPresets |= bits.PresetDenyNS
+		state.params.SeccompPresets |= comp.PresetDenyNS
 	}
 	if state.Container.Flags&hst.FTty == 0 {
-		state.params.SeccompPresets |= bits.PresetDenyTTY
+		state.params.SeccompPresets |= comp.PresetDenyTTY
 	}
 
 	if state.Container.Flags&hst.FMapRealUID != 0 {
@@ -112,7 +112,7 @@ func (s *spParamsOp) toContainer(state *outcomeStateParams) error {
 	if state.Container.Flags&hst.FDevice == 0 {
 		state.params.DevWritable(fhs.AbsDev, true)
 	} else {
-		state.params.Bind(fhs.AbsDev, fhs.AbsDev, bits.BindWritable|bits.BindDevice)
+		state.params.Bind(fhs.AbsDev, fhs.AbsDev, comp.BindWritable|comp.BindDevice)
 	}
 	// /dev is mounted readonly later on, this prevents /dev/shm from going readonly with it
 	state.params.Tmpfs(fhs.AbsDev.Append("shm"), 0, 01777)

internal/app/spcontainer_test.go

@@ -8,8 +8,8 @@ import (
 	"testing"
 
 	"hakurei.app/container"
-	"hakurei.app/container/bits"
 	"hakurei.app/container/check"
+	"hakurei.app/container/comp"
 	"hakurei.app/container/fhs"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/stub"
@@ -65,11 +65,11 @@ func TestSpParamsOp(t *testing.T) {
 			HostAbstract:   true,
 			Path:           config.Container.Path,
 			Args:           []string{config.Container.Path.String()},
-			SeccompPresets: bits.PresetExt | bits.PresetDenyDevel | bits.PresetDenyNS | bits.PresetDenyTTY,
+			SeccompPresets: comp.PresetExt | comp.PresetDenyDevel | comp.PresetDenyNS | comp.PresetDenyTTY,
 			Uid:            1000,
 			Gid:            100,
 			Ops: new(container.Ops).
-				Root(m("/var/lib/hakurei/base/org.debian"), bits.BindWritable).
+				Root(m("/var/lib/hakurei/base/org.debian"), comp.BindWritable).
 				Proc(fhs.AbsProc).Tmpfs(hst.AbsPrivateTmp, 1<<12, 0755).
 				DevWritable(fhs.AbsDev, true).
 				Tmpfs(fhs.AbsDev.Append("shm"), 0, 01777),
@@ -107,9 +107,9 @@ func TestSpParamsOp(t *testing.T) {
 			Uid:           1000,
 			Gid:           100,
 			Ops: new(container.Ops).
-				Root(m("/var/lib/hakurei/base/org.debian"), bits.BindWritable).
+				Root(m("/var/lib/hakurei/base/org.debian"), comp.BindWritable).
 				Proc(fhs.AbsProc).Tmpfs(hst.AbsPrivateTmp, 1<<12, 0755).
-				Bind(fhs.AbsDev, fhs.AbsDev, bits.BindWritable|bits.BindDevice).
+				Bind(fhs.AbsDev, fhs.AbsDev, comp.BindWritable|comp.BindDevice).
 				Tmpfs(fhs.AbsDev.Append("shm"), 0, 01777),
 		}, paramsWantEnv(config, map[string]string{
 			"TERM": "xterm",
@@ -425,8 +425,8 @@ func TestSpFilesystemOp(t *testing.T) {
 				Bind(
 					fhs.AbsVarLib.Append("hakurei/u0/org.chromium.Chromium"),
 					check.MustAbs("/data/data/org.chromium.Chromium"),
-					bits.BindWritable|bits.BindEnsure).
+					comp.BindWritable|comp.BindEnsure).
-				Bind(fhs.AbsDev.Append("dri"), fhs.AbsDev.Append("dri"), bits.BindDevice|bits.BindWritable|bits.BindOptional).
+				Bind(fhs.AbsDev.Append("dri"), fhs.AbsDev.Append("dri"), comp.BindDevice|comp.BindWritable|comp.BindOptional).
 				Remount(fhs.AbsRoot, syscall.MS_RDONLY),
 		}, nil, nil},
 	})

internal/app/spruntime.go

@@ -3,8 +3,8 @@ package app
 import (
 	"encoding/gob"
 
-	"hakurei.app/container/bits"
 	"hakurei.app/container/check"
+	"hakurei.app/container/comp"
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
 	"hakurei.app/system"
@@ -111,7 +111,7 @@ func (s *spRuntimeOp) toContainer(state *outcomeStateParams) error {
 	state.params.Tmpfs(fhs.AbsRunUser, 1<<12, 0755)
 	if state.Container.Flags&hst.FShareRuntime != 0 {
 		_, runtimeDirInst := s.commonPaths(state.outcomeState)
-		state.params.Bind(runtimeDirInst, state.runtimeDir, bits.BindWritable)
+		state.params.Bind(runtimeDirInst, state.runtimeDir, comp.BindWritable)
 	} else {
 		state.params.Mkdir(state.runtimeDir, 0700)
 	}

internal/app/spruntime_test.go

@@ -4,7 +4,7 @@ import (
 	"testing"
 
 	"hakurei.app/container"
-	"hakurei.app/container/bits"
+	"hakurei.app/container/comp"
 	"hakurei.app/container/fhs"
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
@@ -41,7 +41,7 @@ func TestSpRuntimeOp(t *testing.T) {
 		}, &container.Params{
 			Ops: new(container.Ops).
 				Tmpfs(fhs.AbsRunUser, 1<<12, 0755).
-				Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), bits.BindWritable),
+				Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), comp.BindWritable),
 		}, paramsWantEnv(config, map[string]string{
 			"XDG_RUNTIME_DIR":   "/run/user/1000",
 			"XDG_SESSION_CLASS": "user",
@@ -68,7 +68,7 @@ func TestSpRuntimeOp(t *testing.T) {
 		}, &container.Params{
 			Ops: new(container.Ops).
 				Tmpfs(fhs.AbsRunUser, 1<<12, 0755).
-				Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), bits.BindWritable),
+				Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), comp.BindWritable),
 		}, paramsWantEnv(config, map[string]string{
 			"XDG_RUNTIME_DIR":   "/run/user/1000",
 			"XDG_SESSION_CLASS": "user",
@@ -95,7 +95,7 @@ func TestSpRuntimeOp(t *testing.T) {
 		}, &container.Params{
 			Ops: new(container.Ops).
 				Tmpfs(fhs.AbsRunUser, 1<<12, 0755).
-				Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), bits.BindWritable),
+				Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), comp.BindWritable),
 		}, paramsWantEnv(config, map[string]string{
 			"XDG_RUNTIME_DIR":   "/run/user/1000",
 			"XDG_SESSION_CLASS": "user",
@@ -118,7 +118,7 @@ func TestSpRuntimeOp(t *testing.T) {
 		}, &container.Params{
 			Ops: new(container.Ops).
 				Tmpfs(fhs.AbsRunUser, 1<<12, 0755).
-				Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), bits.BindWritable),
+				Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), comp.BindWritable),
 		}, paramsWantEnv(config, map[string]string{
 			"XDG_RUNTIME_DIR":   "/run/user/1000",
 			"XDG_SESSION_CLASS": "user",

internal/app/sptmpdir.go

@@ -3,8 +3,8 @@ package app
 import (
 	"encoding/gob"
 
-	"hakurei.app/container/bits"
 	"hakurei.app/container/check"
+	"hakurei.app/container/comp"
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
 	"hakurei.app/system"
@@ -30,7 +30,7 @@ func (s spTmpdirOp) toSystem(state *outcomeStateSys) error {
 func (s spTmpdirOp) toContainer(state *outcomeStateParams) error {
 	if state.Container.Flags&hst.FShareTmpdir != 0 {
 		_, tmpdirInst := s.commonPaths(state.outcomeState)
-		state.params.Bind(tmpdirInst, fhs.AbsTmp, bits.BindWritable)
+		state.params.Bind(tmpdirInst, fhs.AbsTmp, comp.BindWritable)
 	} else {
 		state.params.Tmpfs(fhs.AbsTmp, 0, 01777)
 	}

internal/app/sptmpdir_test.go

@@ -4,7 +4,7 @@ import (
 	"testing"
 
 	"hakurei.app/container"
-	"hakurei.app/container/bits"
+	"hakurei.app/container/comp"
 	"hakurei.app/container/fhs"
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
@@ -28,7 +28,7 @@ func TestSpTmpdirOp(t *testing.T) {
 			// this op configures the container state and does not make calls during toContainer
 		}, &container.Params{
 			Ops: new(container.Ops).
-				Bind(m("/proc/nonexistent/tmp/hakurei.0/tmpdir/9"), fhs.AbsTmp, bits.BindWritable),
+				Bind(m("/proc/nonexistent/tmp/hakurei.0/tmpdir/9"), fhs.AbsTmp, comp.BindWritable),
 		}, nil, nil},
 	})
 }

ldd/exec.go

@@ -9,8 +9,8 @@ import (
 	"time"
 
 	"hakurei.app/container"
-	"hakurei.app/container/bits"
 	"hakurei.app/container/check"
+	"hakurei.app/container/comp"
 	"hakurei.app/container/fhs"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/message"
@@ -40,7 +40,7 @@ func Exec(ctx context.Context, msg message.Msg, p string) ([]*Entry, error) {
 	z := container.NewCommand(c, msg, toolPath, lddName, p)
 	z.Hostname = "hakurei-" + lddName
 	z.SeccompFlags |= seccomp.AllowMultiarch
-	z.SeccompPresets |= bits.PresetStrict
+	z.SeccompPresets |= comp.PresetStrict
 	stdout, stderr := new(bytes.Buffer), new(bytes.Buffer)
 	z.Stdout = stdout
 	z.Stderr = stderr

system/dbus/proc.go

@@ -9,8 +9,8 @@ import (
 	"syscall"
 
 	"hakurei.app/container"
-	"hakurei.app/container/bits"
 	"hakurei.app/container/check"
+	"hakurei.app/container/comp"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/helper"
 	"hakurei.app/ldd"
@@ -65,7 +65,7 @@ func (p *Proxy) Start() error {
 			p.final, true,
 			argF, func(z *container.Container) {
 				z.SeccompFlags |= seccomp.AllowMultiarch
-				z.SeccompPresets |= bits.PresetStrict
+				z.SeccompPresets |= comp.PresetStrict
 				z.Hostname = "hakurei-dbus"
 				if p.output != nil {
 					z.Stdout, z.Stderr = p.output, p.output
@@ -114,7 +114,7 @@ func (p *Proxy) Start() error {
 				check.SortAbs(sockDirPaths)
 				sockDirPaths = check.CompactAbs(sockDirPaths)
 				for _, name := range sockDirPaths {
-					z.Bind(name, name, bits.BindWritable)
+					z.Bind(name, name, comp.BindWritable)
 				}
 
 				// xdg-dbus-proxy bin path