container/std: relocate rule types

This enables its use in hst for #15.

Signed-off-by: Ophestra <cat@gensokyo.uk>

container/container.go

@@ -85,7 +85,7 @@ type (
 		*Ops
 
 		// Seccomp system call filter rules.
-		SeccompRules []seccomp.NativeRule
+		SeccompRules []std.NativeRule
 		// Extra seccomp flags.
 		SeccompFlags seccomp.ExportFlag
 		// Seccomp presets. Has no effect unless SeccompRules is zero-length.
@@ -327,7 +327,7 @@ func (p *Container) Serve() error {
 		p.Dir = fhs.AbsRoot
 	}
 	if p.SeccompRules == nil {
-		p.SeccompRules = make([]seccomp.NativeRule, 0)
+		p.SeccompRules = make([]std.NativeRule, 0)
 	}
 
 	err := gob.NewEncoder(setup).Encode(&initParams{

container/container_test.go

@@ -204,7 +204,7 @@ var containerTestCases = []struct {
 	uid int
 	gid int
 
-	rules   []seccomp.NativeRule
+	rules   []std.NativeRule
 	flags   seccomp.ExportFlag
 	presets std.FilterPreset
 }{
@@ -219,7 +219,7 @@ var containerTestCases = []struct {
 		1000, 100, nil, 0, std.PresetExt},
 	{"custom rules", true, true, true, false,
 		emptyOps, emptyMnt,
-		1, 31, []seccomp.NativeRule{{Syscall: seccomp.ScmpSyscall(syscall.SYS_SETUID), Errno: seccomp.ScmpErrno(syscall.EPERM)}}, 0, std.PresetExt},
+		1, 31, []std.NativeRule{{Syscall: std.ScmpSyscall(syscall.SYS_SETUID), Errno: std.ScmpErrno(syscall.EPERM)}}, 0, std.PresetExt},
 
 	{"tmpfs", true, false, false, true,
 		earlyOps(new(container.Ops).

container/dispatcher.go

@@ -11,6 +11,7 @@ import (
 	"syscall"
 
 	"hakurei.app/container/seccomp"
+	"hakurei.app/container/std"
 	"hakurei.app/message"
 )
 
@@ -62,7 +63,7 @@ type syscallDispatcher interface {
 	ensureFile(name string, perm, pperm os.FileMode) error
 
 	// seccompLoad provides [seccomp.Load].
-	seccompLoad(rules []seccomp.NativeRule, flags seccomp.ExportFlag) error
+	seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error
 	// notify provides [signal.Notify].
 	notify(c chan<- os.Signal, sig ...os.Signal)
 	// start starts [os/exec.Cmd].
@@ -164,7 +165,7 @@ func (direct) ensureFile(name string, perm, pperm os.FileMode) error {
 	return ensureFile(name, perm, pperm)
 }
 
-func (direct) seccompLoad(rules []seccomp.NativeRule, flags seccomp.ExportFlag) error {
+func (direct) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
 	return seccomp.Load(rules, flags)
 }
 func (direct) notify(c chan<- os.Signal, sig ...os.Signal) { signal.Notify(c, sig...) }

container/dispatcher_test.go

@@ -17,6 +17,7 @@ import (
 	"time"
 
 	"hakurei.app/container/seccomp"
+	"hakurei.app/container/std"
 	"hakurei.app/container/stub"
 	"hakurei.app/message"
 )
@@ -456,7 +457,7 @@ func (k *kstub) ensureFile(name string, perm, pperm os.FileMode) error {
 		stub.CheckArg(k.Stub, "pperm", pperm, 2))
 }
 
-func (k *kstub) seccompLoad(rules []seccomp.NativeRule, flags seccomp.ExportFlag) error {
+func (k *kstub) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
 	k.Helper()
 	return k.Expects("seccompLoad").Error(
 		stub.CheckArgReflect(k.Stub, "rules", rules, 0),

container/init_test.go

@@ -69,7 +69,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 32,
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -94,7 +94,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -122,7 +122,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -151,7 +151,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -181,7 +181,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -212,7 +212,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -244,7 +244,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -278,7 +278,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -314,7 +314,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -352,7 +352,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(nil, nil, std.BindDevice),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -390,7 +390,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -429,7 +429,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -468,7 +468,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -508,7 +508,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -549,7 +549,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -591,7 +591,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -634,7 +634,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -678,7 +678,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -723,7 +723,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -769,7 +769,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -824,7 +824,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -879,7 +879,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -935,7 +935,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -992,7 +992,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -1051,7 +1051,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -1111,7 +1111,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -1172,7 +1172,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -1234,7 +1234,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -1297,7 +1297,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -1361,7 +1361,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -1426,7 +1426,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -1492,7 +1492,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -1566,7 +1566,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -1673,7 +1673,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -1781,7 +1781,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,
@@ -1891,7 +1891,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 47,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompDisable: true,
 					ParentPerm:     0750,
 				}, 1971, 127, 2, false}, uintptr(0x39)}, stub.UniqueError(13), nil),
@@ -2005,7 +2005,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 47,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompDisable: true,
 					ParentPerm:     0750,
 				}, 1971, 127, 2, false}, uintptr(0x39)}, stub.UniqueError(10), nil),
@@ -2103,7 +2103,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 47,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompDisable: true,
 					ParentPerm:     0750,
 				}, 1971, 127, 2, false}, uintptr(0x39)}, stub.UniqueError(7), nil),
@@ -2201,7 +2201,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 47,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompDisable: true,
 					ParentPerm:     0750,
 				}, 1971, 127, 2, false}, uintptr(0x39)}, stub.UniqueError(7), nil),
@@ -2292,7 +2292,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 47,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompDisable: true,
 					ParentPerm:     0750,
 				}, 1971, 127, 2, false}, uintptr(0x39)}, stub.UniqueError(5), nil),
@@ -2385,7 +2385,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 47,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompDisable: true,
 					ParentPerm:     0750,
 				}, 1971, 127, 2, false}, uintptr(0x39)}, stub.UniqueError(3), nil),
@@ -2485,7 +2485,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 47,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompDisable: true,
 					ParentPerm:     0750,
 				}, 1971, 127, 2, false}, uintptr(0x39)}, stub.UniqueError(1), nil),
@@ -2621,7 +2621,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Gid:            1 << 31,
 					Hostname:       "hakurei-check",
 					Ops:            new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
-					SeccompRules:   make([]seccomp.NativeRule, 0),
+					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
 					Privileged:     true,

container/seccomp/libseccomp.go

@@ -14,6 +14,8 @@ import (
 	"runtime/cgo"
 	"syscall"
 	"unsafe"
+
+	"hakurei.app/container/std"
 )
 
 // ErrInvalidRules is returned for a zero-length rules slice.
@@ -54,31 +56,12 @@ func (e *LibraryError) Is(err error) bool {
 }
 
 type (
-	// scmpUint is equivalent to [ScmpUint].
+	// scmpUint is equivalent to [std.ScmpUint].
 	scmpUint = C.uint
-	// ScmpUint is equivalent to C.uint.
+	// scmpInt is equivalent to [std.ScmpInt].
-	ScmpUint uint32
-	// scmpInt is equivalent to [ScmpInt].
 	scmpInt = C.int
-	// ScmpInt is equivalent to C.int.
-	ScmpInt int32
 
-	// ScmpSyscall represents a syscall number passed to libseccomp via [NativeRule.Syscall].
+	// syscallRule is equivalent to [std.NativeRule].
-	ScmpSyscall ScmpInt
-	// ScmpErrno represents an errno value passed to libseccomp via [NativeRule.Errno].
-	ScmpErrno ScmpInt
-
-	// A NativeRule specifies an arch-specific action taken by seccomp under certain conditions.
-	NativeRule struct {
-		// Syscall is the arch-dependent syscall number to act against.
-		Syscall ScmpSyscall
-		// Errno is the errno value to return when the condition is satisfied.
-		Errno ScmpErrno
-		// Arg is the optional struct scmp_arg_cmp passed to libseccomp.
-		Arg *ScmpArgCmp
-	}
-
-	// syscallRule is equivalent to [NativeRule].
 	syscallRule = C.struct_hakurei_syscall_rule
 )
 
@@ -115,9 +98,9 @@ func hakurei_scmp_allocate(f C.uintptr_t, len C.size_t) (buf unsafe.Pointer) {
 	return cgo.Handle(f).Value().(cbAllocateBuffer)(len)
 }
 
-// makeFilter generates a bpf program from a slice of [NativeRule] and writes the resulting byte slice to p.
+// makeFilter generates a bpf program from a slice of [std.NativeRule] and writes the resulting byte slice to p.
 // The filter is installed to the current process if p is nil.
-func makeFilter(rules []NativeRule, flags ExportFlag, p *[]byte) error {
+func makeFilter(rules []std.NativeRule, flags ExportFlag, p *[]byte) error {
 	if len(rules) == 0 {
 		return ErrInvalidRules
 	}
@@ -180,22 +163,26 @@ func makeFilter(rules []NativeRule, flags ExportFlag, p *[]byte) error {
 	return err
 }
 
-// Export generates a bpf program from a slice of [NativeRule].
+// Export generates a bpf program from a slice of [std.NativeRule].
 // Errors returned by libseccomp is wrapped in [LibraryError].
-func Export(rules []NativeRule, flags ExportFlag) (data []byte, err error) {
+func Export(rules []std.NativeRule, flags ExportFlag) (data []byte, err error) {
 	err = makeFilter(rules, flags, &data)
 	return
 }
 
-// Load generates a bpf program from a slice of [NativeRule] and enforces it on the current process.
+// Load generates a bpf program from a slice of [std.NativeRule] and enforces it on the current process.
 // Errors returned by libseccomp is wrapped in [LibraryError].
-func Load(rules []NativeRule, flags ExportFlag) error { return makeFilter(rules, flags, nil) }
+func Load(rules []std.NativeRule, flags ExportFlag) error { return makeFilter(rules, flags, nil) }
 
 type (
 	// Comparison operators.
 	scmpCompare = C.enum_scmp_compare
-	// ScmpCompare is equivalent to enum scmp_compare;
+
-	ScmpCompare ScmpUint
+	// Argument datum.
+	scmpDatum = C.scmp_datum_t
+
+	// Argument / Value comparison definition.
+	scmpArgCmp = C.struct_scmp_arg_cmp
 )
 
 const (
@@ -219,29 +206,10 @@ const (
 	_SCMP_CMP_MAX = C._SCMP_CMP_MAX
 )
 
-type (
-	// Argument datum.
-	scmpDatum = C.scmp_datum_t
-	// ScmpDatum is equivalent to scmp_datum_t.
-	ScmpDatum uint64
-
-	// Argument / Value comparison definition.
-	scmpArgCmp = C.struct_scmp_arg_cmp
-	// ScmpArgCmp is equivalent to struct scmp_arg_cmp.
-	ScmpArgCmp struct {
-		// argument number, starting at 0
-		Arg ScmpUint
-		// the comparison op, e.g. SCMP_CMP_*
-		Op ScmpCompare
-
-		DatumA, DatumB ScmpDatum
-	}
-)
-
 const (
-	// PersonaLinux is passed in a [ScmpDatum] for filtering calls to syscall.SYS_PERSONALITY.
+	// PersonaLinux is passed in a [std.ScmpDatum] for filtering calls to syscall.SYS_PERSONALITY.
 	PersonaLinux = C.PER_LINUX
-	// PersonaLinux32 is passed in a [ScmpDatum] for filtering calls to syscall.SYS_PERSONALITY.
+	// PersonaLinux32 is passed in a [std.ScmpDatum] for filtering calls to syscall.SYS_PERSONALITY.
 	PersonaLinux32 = C.PER_LINUX32
 )
 

container/seccomp/std_test.go

@@ -24,13 +24,13 @@ func TestSyscallResolveName(t *testing.T) {
 }
 
 func TestRuleType(t *testing.T) {
-	assertKind[ScmpUint, scmpUint](t)
+	assertKind[std.ScmpUint, scmpUint](t)
-	assertKind[ScmpInt, scmpInt](t)
+	assertKind[std.ScmpInt, scmpInt](t)
 
-	assertSize[NativeRule, syscallRule](t)
+	assertSize[std.NativeRule, syscallRule](t)
-	assertKind[ScmpDatum, scmpDatum](t)
+	assertKind[std.ScmpDatum, scmpDatum](t)
-	assertKind[ScmpCompare, scmpCompare](t)
+	assertKind[std.ScmpCompare, scmpCompare](t)
-	assertSize[ScmpArgCmp, scmpArgCmp](t)
+	assertSize[std.ScmpArgCmp, scmpArgCmp](t)
 }
 
 // assertSize asserts that native and equivalent are of the same size.

container/std/seccomp.go

@@ -0,0 +1,38 @@
+package std
+
+type (
+	// ScmpUint is equivalent to C.uint.
+	ScmpUint uint32
+	// ScmpInt is equivalent to C.int.
+	ScmpInt int32
+
+	// ScmpSyscall represents a syscall number passed to libseccomp via [NativeRule.Syscall].
+	ScmpSyscall ScmpInt
+	// ScmpErrno represents an errno value passed to libseccomp via [NativeRule.Errno].
+	ScmpErrno ScmpInt
+
+	// ScmpCompare is equivalent to enum scmp_compare;
+	ScmpCompare ScmpUint
+	// ScmpDatum is equivalent to scmp_datum_t.
+	ScmpDatum uint64
+
+	// ScmpArgCmp is equivalent to struct scmp_arg_cmp.
+	ScmpArgCmp struct {
+		// argument number, starting at 0
+		Arg ScmpUint
+		// the comparison op, e.g. SCMP_CMP_*
+		Op ScmpCompare
+
+		DatumA, DatumB ScmpDatum
+	}
+
+	// A NativeRule specifies an arch-specific action taken by seccomp under certain conditions.
+	NativeRule struct {
+		// Syscall is the arch-dependent syscall number to act against.
+		Syscall ScmpSyscall
+		// Errno is the errno value to return when the condition is satisfied.
+		Errno ScmpErrno
+		// Arg is the optional struct scmp_arg_cmp passed to libseccomp.
+		Arg *ScmpArgCmp
+	}
+)

internal/outcome/dispatcher.go

@@ -13,6 +13,7 @@ import (
 	"hakurei.app/container"
 	"hakurei.app/container/check"
 	"hakurei.app/container/seccomp"
+	"hakurei.app/container/std"
 	"hakurei.app/internal"
 	"hakurei.app/message"
 	"hakurei.app/system/dbus"
@@ -86,7 +87,7 @@ type syscallDispatcher interface {
 	containerWait(z *container.Container) error
 
 	// seccompLoad provides [seccomp.Load].
-	seccompLoad(rules []seccomp.NativeRule, flags seccomp.ExportFlag) error
+	seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error
 
 	// mustHsuPath provides [internal.MustHsuPath].
 	mustHsuPath() *check.Absolute
@@ -151,7 +152,7 @@ func (direct) containerStart(z *container.Container) error { return z.Start() }
 func (direct) containerServe(z *container.Container) error { return z.Serve() }
 func (direct) containerWait(z *container.Container) error  { return z.Wait() }
 
-func (direct) seccompLoad(rules []seccomp.NativeRule, flags seccomp.ExportFlag) error {
+func (direct) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
 	return seccomp.Load(rules, flags)
 }
 

internal/outcome/dispatcher_test.go

@@ -21,6 +21,7 @@ import (
 	"hakurei.app/container"
 	"hakurei.app/container/check"
 	"hakurei.app/container/seccomp"
+	"hakurei.app/container/std"
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
 	"hakurei.app/message"
@@ -435,7 +436,7 @@ func (k *kstub) containerWait(z *container.Container) error {
 	return k.expectCheckContainer(k.Expects("containerWait"), z)
 }
 
-func (k *kstub) seccompLoad(rules []seccomp.NativeRule, flags seccomp.ExportFlag) error {
+func (k *kstub) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
 	k.Helper()
 	return k.Expects("seccompLoad").Error(
 		stub.CheckArgReflect(k.Stub, "rules", rules, 0),
@@ -722,6 +723,6 @@ func (panicDispatcher) fatalf(string, ...any)                               { pa
 func (panicDispatcher) notifyContext(context.Context, ...os.Signal) (context.Context, context.CancelFunc) {
 	panic("unreachable")
 }
-func (panicDispatcher) seccompLoad([]seccomp.NativeRule, seccomp.ExportFlag) error {
+func (panicDispatcher) seccompLoad([]std.NativeRule, seccomp.ExportFlag) error {
 	panic("unreachable")
 }