Check-in [854cb424a1]
Overview
Comment:Added seccomp support
SHA1:854cb424a13ce941e180b2b87eb5fa625dca6514
User & Date: rkeene on 2020-03-31 15:44:21
Context
2020-03-31
16:18
Disable seccomp support by default and cleanup check-in: 9184a4f1b9 user: rkeene tags: seccomp
15:44
Added seccomp support check-in: 854cb424a1 user: rkeene tags: seccomp
14:33
Merged in trunk check-in: 2204669e3b user: rkeene tags: seccomp
Changes

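--- a/.fossil-settings/ignore-glob
+++ b/.fossil-settings/ignore-glob
@@ -1,4 +1,7 @@
 filed
 filed.o
+filed-mime-types.h.new
 filed-mime-types.h
+filed.seccomp.h.new
+filed.seccomp.h
 compiled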

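--- a/Makefile
+++ b/Makefile
@@ -12,28 +12,32 @@
 vpath %.c $(srcdir)
 
 all: filed
 
 filed: filed.o
 	$(CC) $(CFLAGS) $(LDFLAGS) -o "$@" $^ $(LIBS)
 
-filed.o: $(srcdir)/filed.c filed-mime-types.h
+filed.o: $(srcdir)/filed.c filed-mime-types.h filed.seccomp.h
 
 filed-mime-types.h: $(srcdir)/generate-mime-types $(srcdir)/mime.types
 	'$(srcdir)/generate-mime-types' '$(MIMETYPES)' > filed-mime-types.h.new || \
 		'$(srcdir)/generate-mime-types' '$(srcdir)/mime.types' > filed-mime-types.h.new
 	mv filed-mime-types.h.new filed-mime-types.h
+
+filed.seccomp.h: $(srcdir)/filed.seccomp $(srcdir)/generate-seccomp-filter
+	$(srcdir)/generate-seccomp-filter filed.seccomp x86_64 "" i386 "" > filed.seccomp.h.new
+	mv filed.seccomp.h.new filed.seccomp.h
 
 install: filed $(srcdir)/filed.1
 	test -d "$(DESTDIR)$(mandir)/man1" || mkdir -p "$(DESTDIR)$(mandir)/man1"
 	test -d "$(DESTDIR)$(bindir)" || mkdir -p "$(DESTDIR)$(bindir)"
 	cp '$(srcdir)/filed.1' "$(DESTDIR)$(mandir)/man1/"
 	cp filed "$(DESTDIR)$(bindir)/"
 
 clean:
 	rm -f filed filed.o
-	rm -f filed-mime-types.h.new
+	rm -f filed-mime-types.h.new filed.seccomp.h.new
 
 distclean: clean
-	rm -f filed-mime-types.h
+	rm -f filed-mime-types.h filed.seccomp.h
 
 .PHONY: all install clean distclean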
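Review bot: The new `filed.seccomp.h` recipe passes the policy file as a bare `filed.seccomp`, although the prerequisite is `$(srcdir)/filed.seccomp` and the only vpath visible here covers `%.c`. Unless the generator resolves the name itself (not visible in this section), a build run outside the source directory would fail, or would read whatever `filed.seccomp` happens to sit in the current directory. Since this header is the entire syscall policy compiled into the binary, the recipe should name the tracked file explicitly and quote the paths as the mime-types rule does: `'$(srcdir)/generate-seccomp-filter' '$(srcdir)/filed.seccomp' x86_64 "" i386 "" > filed.seccomp.h.new`.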

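--- a/filed.c
+++ b/filed.c
@@ -806,14 +806,44 @@
 	if (filed_sockettimeout_devnull_fd < 0) {
 		return(-1);
 	}
 
 	return(0);
 }
 #endif
+
+#include <linux/seccomp.h>
+#include <linux/filter.h>
+#include <linux/audit.h>
+#include <sys/ptrace.h>
+#include <stddef.h>
+
+static int filed_init_seccomp(void) {
+	struct sock_fprog filter;
+	struct sock_filter rules[] = {
+#include "filed.seccomp.h"
+	};
+	int prctl_ret;
+
+	/* Do not allow any privilege changes beyond this point */
+ 	prctl_ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+	if (prctl_ret != 0) {
+		return(-1);
+	}
+
+	filter.len = sizeof(rules) / sizeof(*rules);
+	filter.filter = rules;
+
+	prctl_ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &filter);
+	if (prctl_ret != 0) {
+		return(-1);
+	}
+
+	return(0);
+}
 
 /* Format time per RFC2616 */
 static char *filed_format_time(char *buffer, size_t buffer_len, const time_t timeinfo) {
 	struct tm timeinfo_tm, *timeinfo_tm_p;
 
 	timeinfo_tm_p = gmtime_r(&timeinfo, &timeinfo_tm);
 	if (timeinfo_tm_p == NULL) {
@@ -1911,17 +1941,14 @@
 		if (setuid_ret != 0) {
 			perror("setuid");
 
 			return(1);
 		}
 	}
 
-	/* Do not allow any privilege changes beyond this point */
-	prctl(PR_SET_NO_NEW_PRIVS, 1);
-
 	/* Initialize */
 	init_ret = filed_init(cache_size);
 	if (init_ret != 0) {
 		perror("filed_init");
 
 		return(3);
 	}
@@ -1937,14 +1964,22 @@
 	/* Create socket termination thread */
 	init_ret = filed_sockettimeout_thread_init();
 	if (init_ret != 0) {
 		perror("filed_sockettimeout_thread_init");
 
 		return(7);
 	}
+
+	/* Initialize seccomp */
+	init_ret = filed_init_seccomp();
+	if (init_ret != 0) {
+		perror("filed_init_seccomp");
+
+		return(9);
+	}
 
 	/* Create worker threads */
 	init_ret = filed_worker_threads_init(fd, thread_count, &thread_options);
 	if (init_ret != 0) {
 		perror("filed_worker_threads_init");
 
 		return(5);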
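Review bot: In the last hunk `filed_init_seccomp()` runs after `filed_sockettimeout_thread_init()`, and both `PR_SET_NO_NEW_PRIVS` and a filter installed through `prctl(PR_SET_SECCOMP, ...)` apply only to the calling thread and to threads created afterwards. Assuming that init call spawns the thread its comment describes, the socket-timeout thread keeps running with neither the no_new_privs bit nor the syscall filter. The middle hunk also removes the earlier `prctl(PR_SET_NO_NEW_PRIVS, 1)` that used to run before `filed_init()`, so this narrows a protection that previously covered every thread. Either move the call above the timeout-thread creation (and allow the syscalls that thread needs), or install the filter with `syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, &filter)` so existing threads are synchronised. The enclosing function of the second and third hunks starts and ends outside the visible lines.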

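--- /dev/null
+++ b/filed.seccomp
@@ -0,0 +1,37 @@
+set allowed_common {
+	mmap munmap mprotect
+	clone set_robust_list
+	nanosleep
+	open close read write sendfile lseek fcntl
+	stat lstat fstat
+	dup dup2
+	futex rt_sigreturn
+}
+set allowed_i386 {
+	socketcall
+}
+set allowed_x86_64 {
+	accept
+}
+
+i386 {
+	if {$nr in $allowed_common} {
+		return allow
+	}
+	if {$nr in $allowed_i386} {
+		return allow
+	}
+
+	return trap
+}
+
+x86_64 {
+	if {$nr in $allowed_common} {
+		return allow
+	}
+	if {$nr in $allowed_x86_64} {
+		return allow
+	}
+
+	return trap
+}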
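Review bot: Allowing `socketcall` in `allowed_i386` permits every socket operation on that architecture, because the kernel multiplexes socket(), bind(), connect(), sendto() and the rest through that one syscall number, whereas `allowed_x86_64` permits only `accept`. If the rule language can match on syscall arguments (not visible in this file), restrict `socketcall` to the accept sub-call. Otherwise record the gap in a comment placed above the `set allowed_i386` line, since a `#` inside the braces would become a list element: `# socketcall is a multiplexer: this allows more than accept on i386`. Separately, `allowed_common` lists no `exit` or `exit_group`, so with the default `return trap` a thread or process exit would presumably raise SIGSYS; worth confirming that is intended.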

Added generate-seccomp-filter version [d01690fff9].

            1  +#! /usr/bin/env tclsh
            2  +
            3  +# ----
            4  +namespace eval ::seccomp_bpf {}
            5  +
            6  +if {![info exists ::seccomp_bpf::_handle_index]} {
            7  +	set ::seccomp_bpf::_handle_index -1
            8  +}
            9  +
           10  +if {![info exists ::seccomp_bpf::_platform_data(x86_64)]} {
           11  +	set ::seccomp_bpf::_platform_data(x86_64) {
           12  +#
           13  +# 64-bit system call numbers and entry vectors
           14  +#
           15  +# The format is:
           16  +# <number> <abi> <name> <entry point>
           17  +#
           18  +# The __x64_sys_*() stubs are created on-the-fly for sys_*() system calls
           19  +#
           20  +# The abi is "common", "64" or "x32" for this file.
           21  +#
           22  +0	common	read			__x64_sys_read
           23  +1	common	write			__x64_sys_write
           24  +2	common	open			__x64_sys_open
           25  +3	common	close			__x64_sys_close
           26  +4	common	stat			__x64_sys_newstat
           27  +5	common	fstat			__x64_sys_newfstat
           28  +6	common	lstat			__x64_sys_newlstat
           29  +7	common	poll			__x64_sys_poll
           30  +8	common	lseek			__x64_sys_lseek
           31  +9	common	mmap			__x64_sys_mmap
           32  +10	common	mprotect		__x64_sys_mprotect
           33  +11	common	munmap			__x64_sys_munmap
           34  +12	common	brk			__x64_sys_brk
           35  +13	64	rt_sigaction		__x64_sys_rt_sigaction
           36  +14	common	rt_sigprocmask		__x64_sys_rt_sigprocmask
           37  +15	64	rt_sigreturn		__x64_sys_rt_sigreturn/ptregs
           38  +16	64	ioctl			__x64_sys_ioctl
           39  +17	common	pread64			__x64_sys_pread64
           40  +18	common	pwrite64		__x64_sys_pwrite64
           41  +19	64	readv			__x64_sys_readv
           42  +20	64	writev			__x64_sys_writev
           43  +21	common	access			__x64_sys_access
           44  +22	common	pipe			__x64_sys_pipe
           45  +23	common	select			__x64_sys_select
           46  +24	common	sched_yield		__x64_sys_sched_yield
           47  +25	common	mremap			__x64_sys_mremap
           48  +26	common	msync			__x64_sys_msync
           49  +27	common	mincore			__x64_sys_mincore
           50  +28	common	madvise			__x64_sys_madvise
           51  +29	common	shmget			__x64_sys_shmget
           52  +30	common	shmat			__x64_sys_shmat
           53  +31	common	shmctl			__x64_sys_shmctl
           54  +32	common	dup			__x64_sys_dup
           55  +33	common	dup2			__x64_sys_dup2
           56  +34	common	pause			__x64_sys_pause
           57  +35	common	nanosleep		__x64_sys_nanosleep
           58  +36	common	getitimer		__x64_sys_getitimer
           59  +37	common	alarm			__x64_sys_alarm
           60  +38	common	setitimer		__x64_sys_setitimer
           61  +39	common	getpid			__x64_sys_getpid
           62  +40	common	sendfile		__x64_sys_sendfile64
           63  +41	common	socket			__x64_sys_socket
           64  +42	common	connect			__x64_sys_connect
           65  +43	common	accept			__x64_sys_accept
           66  +44	common	sendto			__x64_sys_sendto
           67  +45	64	recvfrom		__x64_sys_recvfrom
           68  +46	64	sendmsg			__x64_sys_sendmsg
           69  +47	64	recvmsg			__x64_sys_recvmsg
           70  +48	common	shutdown		__x64_sys_shutdown
           71  +49	common	bind			__x64_sys_bind
           72  +50	common	listen			__x64_sys_listen
           73  +51	common	getsockname		__x64_sys_getsockname
           74  +52	common	getpeername		__x64_sys_getpeername
           75  +53	common	socketpair		__x64_sys_socketpair
           76  +54	64	setsockopt		__x64_sys_setsockopt
           77  +55	64	getsockopt		__x64_sys_getsockopt
           78  +56	common	clone			__x64_sys_clone/ptregs
           79  +57	common	fork			__x64_sys_fork/ptregs
           80  +58	common	vfork			__x64_sys_vfork/ptregs
           81  +59	64	execve			__x64_sys_execve/ptregs
           82  +60	common	exit			__x64_sys_exit
           83  +61	common	wait4			__x64_sys_wait4
           84  +62	common	kill			__x64_sys_kill
           85  +63	common	uname			__x64_sys_newuname
           86  +64	common	semget			__x64_sys_semget
           87  +65	common	semop			__x64_sys_semop
           88  +66	common	semctl			__x64_sys_semctl
           89  +67	common	shmdt			__x64_sys_shmdt
           90  +68	common	msgget			__x64_sys_msgget
           91  +69	common	msgsnd			__x64_sys_msgsnd
           92  +70	common	msgrcv			__x64_sys_msgrcv
           93  +71	common	msgctl			__x64_sys_msgctl
           94  +72	common	fcntl			__x64_sys_fcntl
           95  +73	common	flock			__x64_sys_flock
           96  +74	common	fsync			__x64_sys_fsync
           97  +75	common	fdatasync		__x64_sys_fdatasync
           98  +76	common	truncate		__x64_sys_truncate
           99  +77	common	ftruncate		__x64_sys_ftruncate
          100  +78	common	getdents		__x64_sys_getdents
          101  +79	common	getcwd			__x64_sys_getcwd
          102  +80	common	chdir			__x64_sys_chdir
          103  +81	common	fchdir			__x64_sys_fchdir
          104  +82	common	rename			__x64_sys_rename
          105  +83	common	mkdir			__x64_sys_mkdir
          106  +84	common	rmdir			__x64_sys_rmdir
          107  +85	common	creat			__x64_sys_creat
          108  +86	common	link			__x64_sys_link
          109  +87	common	unlink			__x64_sys_unlink
          110  +88	common	symlink			__x64_sys_symlink
          111  +89	common	readlink		__x64_sys_readlink
          112  +90	common	chmod			__x64_sys_chmod
          113  +91	common	fchmod			__x64_sys_fchmod
          114  +92	common	chown			__x64_sys_chown
          115  +93	common	fchown			__x64_sys_fchown
          116  +94	common	lchown			__x64_sys_lchown
          117  +95	common	umask			__x64_sys_umask
          118  +96	common	gettimeofday		__x64_sys_gettimeofday
          119  +97	common	getrlimit		__x64_sys_getrlimit
          120  +98	common	getrusage		__x64_sys_getrusage
          121  +99	common	sysinfo			__x64_sys_sysinfo
          122  +100	common	times			__x64_sys_times
          123  +101	64	ptrace			__x64_sys_ptrace
          124  +102	common	getuid			__x64_sys_getuid
          125  +103	common	syslog			__x64_sys_syslog
          126  +104	common	getgid			__x64_sys_getgid
          127  +105	common	setuid			__x64_sys_setuid
          128  +106	common	setgid			__x64_sys_setgid
          129  +107	common	geteuid			__x64_sys_geteuid
          130  +108	common	getegid			__x64_sys_getegid
          131  +109	common	setpgid			__x64_sys_setpgid
          132  +110	common	getppid			__x64_sys_getppid
          133  +111	common	getpgrp			__x64_sys_getpgrp
          134  +112	common	setsid			__x64_sys_setsid
          135  +113	common	setreuid		__x64_sys_setreuid
          136  +114	common	setregid		__x64_sys_setregid
          137  +115	common	getgroups		__x64_sys_getgroups
          138  +116	common	setgroups		__x64_sys_setgroups
          139  +117	common	setresuid		__x64_sys_setresuid
          140  +118	common	getresuid		__x64_sys_getresuid
          141  +119	common	setresgid		__x64_sys_setresgid
          142  +120	common	getresgid		__x64_sys_getresgid
          143  +121	common	getpgid			__x64_sys_getpgid
          144  +122	common	setfsuid		__x64_sys_setfsuid
          145  +123	common	setfsgid		__x64_sys_setfsgid
          146  +124	common	getsid			__x64_sys_getsid
          147  +125	common	capget			__x64_sys_capget
          148  +126	common	capset			__x64_sys_capset
          149  +127	64	rt_sigpending		__x64_sys_rt_sigpending
          150  +128	64	rt_sigtimedwait		__x64_sys_rt_sigtimedwait
          151  +129	64	rt_sigqueueinfo		__x64_sys_rt_sigqueueinfo
          152  +130	common	rt_sigsuspend		__x64_sys_rt_sigsuspend
          153  +131	64	sigaltstack		__x64_sys_sigaltstack
          154  +132	common	utime			__x64_sys_utime
          155  +133	common	mknod			__x64_sys_mknod
          156  +134	64	uselib
          157  +135	common	personality		__x64_sys_personality
          158  +136	common	ustat			__x64_sys_ustat
          159  +137	common	statfs			__x64_sys_statfs
          160  +138	common	fstatfs			__x64_sys_fstatfs
          161  +139	common	sysfs			__x64_sys_sysfs
          162  +140	common	getpriority		__x64_sys_getpriority
          163  +141	common	setpriority		__x64_sys_setpriority
          164  +142	common	sched_setparam		__x64_sys_sched_setparam
          165  +143	common	sched_getparam		__x64_sys_sched_getparam
          166  +144	common	sched_setscheduler	__x64_sys_sched_setscheduler
          167  +145	common	sched_getscheduler	__x64_sys_sched_getscheduler
          168  +146	common	sched_get_priority_max	__x64_sys_sched_get_priority_max
          169  +147	common	sched_get_priority_min	__x64_sys_sched_get_priority_min
          170  +148	common	sched_rr_get_interval	__x64_sys_sched_rr_get_interval
          171  +149	common	mlock			__x64_sys_mlock
          172  +150	common	munlock			__x64_sys_munlock
          173  +151	common	mlockall		__x64_sys_mlockall
          174  +152	common	munlockall		__x64_sys_munlockall
          175  +153	common	vhangup			__x64_sys_vhangup
          176  +154	common	modify_ldt		__x64_sys_modify_ldt
          177  +155	common	pivot_root		__x64_sys_pivot_root
          178  +156	64	_sysctl			__x64_sys_sysctl
          179  +157	common	prctl			__x64_sys_prctl
          180  +158	common	arch_prctl		__x64_sys_arch_prctl
          181  +159	common	adjtimex		__x64_sys_adjtimex
          182  +160	common	setrlimit		__x64_sys_setrlimit
          183  +161	common	chroot			__x64_sys_chroot
          184  +162	common	sync			__x64_sys_sync
          185  +163	common	acct			__x64_sys_acct
          186  +164	common	settimeofday		__x64_sys_settimeofday
          187  +165	common	mount			__x64_sys_mount
          188  +166	common	umount2			__x64_sys_umount
          189  +167	common	swapon			__x64_sys_swapon
          190  +168	common	swapoff			__x64_sys_swapoff
          191  +169	common	reboot			__x64_sys_reboot
          192  +170	common	sethostname		__x64_sys_sethostname
          193  +171	common	setdomainname		__x64_sys_setdomainname
          194  +172	common	iopl			__x64_sys_iopl/ptregs
          195  +173	common	ioperm			__x64_sys_ioperm
          196  +174	64	create_module
          197  +175	common	init_module		__x64_sys_init_module
          198  +176	common	delete_module		__x64_sys_delete_module
          199  +177	64	get_kernel_syms
          200  +178	64	query_module
          201  +179	common	quotactl		__x64_sys_quotactl
          202  +180	64	nfsservctl
          203  +181	common	getpmsg
          204  +182	common	putpmsg
          205  +183	common	afs_syscall
          206  +184	common	tuxcall
          207  +185	common	security
          208  +186	common	gettid			__x64_sys_gettid
          209  +187	common	readahead		__x64_sys_readahead
          210  +188	common	setxattr		__x64_sys_setxattr
          211  +189	common	lsetxattr		__x64_sys_lsetxattr
          212  +190	common	fsetxattr		__x64_sys_fsetxattr
          213  +191	common	getxattr		__x64_sys_getxattr
          214  +192	common	lgetxattr		__x64_sys_lgetxattr
          215  +193	common	fgetxattr		__x64_sys_fgetxattr
          216  +194	common	listxattr		__x64_sys_listxattr
          217  +195	common	llistxattr		__x64_sys_llistxattr
          218  +196	common	flistxattr		__x64_sys_flistxattr
          219  +197	common	removexattr		__x64_sys_removexattr
          220  +198	common	lremovexattr		__x64_sys_lremovexattr
          221  +199	common	fremovexattr		__x64_sys_fremovexattr
          222  +200	common	tkill			__x64_sys_tkill
          223  +201	common	time			__x64_sys_time
          224  +202	common	futex			__x64_sys_futex
          225  +203	common	sched_setaffinity	__x64_sys_sched_setaffinity
          226  +204	common	sched_getaffinity	__x64_sys_sched_getaffinity
          227  +205	64	set_thread_area
          228  +206	64	io_setup		__x64_sys_io_setup
          229  +207	common	io_destroy		__x64_sys_io_destroy
          230  +208	common	io_getevents		__x64_sys_io_getevents
          231  +209	64	io_submit		__x64_sys_io_submit
          232  +210	common	io_cancel		__x64_sys_io_cancel
          233  +211	64	get_thread_area
          234  +212	common	lookup_dcookie		__x64_sys_lookup_dcookie
          235  +213	common	epoll_create		__x64_sys_epoll_create
          236  +214	64	epoll_ctl_old
          237  +215	64	epoll_wait_old
          238  +216	common	remap_file_pages	__x64_sys_remap_file_pages
          239  +217	common	getdents64		__x64_sys_getdents64
          240  +218	common	set_tid_address		__x64_sys_set_tid_address
          241  +219	common	restart_syscall		__x64_sys_restart_syscall
          242  +220	common	semtimedop		__x64_sys_semtimedop
          243  +221	common	fadvise64		__x64_sys_fadvise64
          244  +222	64	timer_create		__x64_sys_timer_create
          245  +223	common	timer_settime		__x64_sys_timer_settime
          246  +224	common	timer_gettime		__x64_sys_timer_gettime
          247  +225	common	timer_getoverrun	__x64_sys_timer_getoverrun
          248  +226	common	timer_delete		__x64_sys_timer_delete
          249  +227	common	clock_settime		__x64_sys_clock_settime
          250  +228	common	clock_gettime		__x64_sys_clock_gettime
          251  +229	common	clock_getres		__x64_sys_clock_getres
          252  +230	common	clock_nanosleep		__x64_sys_clock_nanosleep
          253  +231	common	exit_group		__x64_sys_exit_group
          254  +232	common	epoll_wait		__x64_sys_epoll_wait
          255  +233	common	epoll_ctl		__x64_sys_epoll_ctl
          256  +234	common	tgkill			__x64_sys_tgkill
          257  +235	common	utimes			__x64_sys_utimes
          258  +236	64	vserver
          259  +237	common	mbind			__x64_sys_mbind
          260  +238	common	set_mempolicy		__x64_sys_set_mempolicy
          261  +239	common	get_mempolicy		__x64_sys_get_mempolicy
          262  +240	common	mq_open			__x64_sys_mq_open
          263  +241	common	mq_unlink		__x64_sys_mq_unlink
          264  +242	common	mq_timedsend		__x64_sys_mq_timedsend
          265  +243	common	mq_timedreceive		__x64_sys_mq_timedreceive
          266  +244	64	mq_notify		__x64_sys_mq_notify
          267  +245	common	mq_getsetattr		__x64_sys_mq_getsetattr
          268  +246	64	kexec_load		__x64_sys_kexec_load
          269  +247	64	waitid			__x64_sys_waitid
          270  +248	common	add_key			__x64_sys_add_key
          271  +249	common	request_key		__x64_sys_request_key
          272  +250	common	keyctl			__x64_sys_keyctl
          273  +251	common	ioprio_set		__x64_sys_ioprio_set
          274  +252	common	ioprio_get		__x64_sys_ioprio_get
          275  +253	common	inotify_init		__x64_sys_inotify_init
          276  +254	common	inotify_add_watch	__x64_sys_inotify_add_watch
          277  +255	common	inotify_rm_watch	__x64_sys_inotify_rm_watch
          278  +256	common	migrate_pages		__x64_sys_migrate_pages
          279  +257	common	openat			__x64_sys_openat
          280  +258	common	mkdirat			__x64_sys_mkdirat
          281  +259	common	mknodat			__x64_sys_mknodat
          282  +260	common	fchownat		__x64_sys_fchownat
          283  +261	common	futimesat		__x64_sys_futimesat
          284  +262	common	newfstatat		__x64_sys_newfstatat
          285  +263	common	unlinkat		__x64_sys_unlinkat
          286  +264	common	renameat		__x64_sys_renameat
          287  +265	common	linkat			__x64_sys_linkat
          288  +266	common	symlinkat		__x64_sys_symlinkat
          289  +267	common	readlinkat		__x64_sys_readlinkat
          290  +268	common	fchmodat		__x64_sys_fchmodat
          291  +269	common	faccessat		__x64_sys_faccessat
          292  +270	common	pselect6		__x64_sys_pselect6
          293  +271	common	ppoll			__x64_sys_ppoll
          294  +272	common	unshare			__x64_sys_unshare
          295  +273	64	set_robust_list		__x64_sys_set_robust_list
          296  +274	64	get_robust_list		__x64_sys_get_robust_list
          297  +275	common	splice			__x64_sys_splice
          298  +276	common	tee			__x64_sys_tee
          299  +277	common	sync_file_range		__x64_sys_sync_file_range
          300  +278	64	vmsplice		__x64_sys_vmsplice
          301  +279	64	move_pages		__x64_sys_move_pages
          302  +280	common	utimensat		__x64_sys_utimensat
          303  +281	common	epoll_pwait		__x64_sys_epoll_pwait
          304  +282	common	signalfd		__x64_sys_signalfd
          305  +283	common	timerfd_create		__x64_sys_timerfd_create
          306  +284	common	eventfd			__x64_sys_eventfd
          307  +285	common	fallocate		__x64_sys_fallocate
          308  +286	common	timerfd_settime		__x64_sys_timerfd_settime
          309  +287	common	timerfd_gettime		__x64_sys_timerfd_gettime
          310  +288	common	accept4			__x64_sys_accept4
          311  +289	common	signalfd4		__x64_sys_signalfd4
          312  +290	common	eventfd2		__x64_sys_eventfd2
          313  +291	common	epoll_create1		__x64_sys_epoll_create1
          314  +292	common	dup3			__x64_sys_dup3
          315  +293	common	pipe2			__x64_sys_pipe2
          316  +294	common	inotify_init1		__x64_sys_inotify_init1
          317  +295	64	preadv			__x64_sys_preadv
          318  +296	64	pwritev			__x64_sys_pwritev
          319  +297	64	rt_tgsigqueueinfo	__x64_sys_rt_tgsigqueueinfo
          320  +298	common	perf_event_open		__x64_sys_perf_event_open
          321  +299	64	recvmmsg		__x64_sys_recvmmsg
          322  +300	common	fanotify_init		__x64_sys_fanotify_init
          323  +301	common	fanotify_mark		__x64_sys_fanotify_mark
          324  +302	common	prlimit64		__x64_sys_prlimit64
          325  +303	common	name_to_handle_at	__x64_sys_name_to_handle_at
          326  +304	common	open_by_handle_at	__x64_sys_open_by_handle_at
          327  +305	common	clock_adjtime		__x64_sys_clock_adjtime
          328  +306	common	syncfs			__x64_sys_syncfs
          329  +307	64	sendmmsg		__x64_sys_sendmmsg
          330  +308	common	setns			__x64_sys_setns
          331  +309	common	getcpu			__x64_sys_getcpu
          332  +310	64	process_vm_readv	__x64_sys_process_vm_readv
          333  +311	64	process_vm_writev	__x64_sys_process_vm_writev
          334  +312	common	kcmp			__x64_sys_kcmp
          335  +313	common	finit_module		__x64_sys_finit_module
          336  +314	common	sched_setattr		__x64_sys_sched_setattr
          337  +315	common	sched_getattr		__x64_sys_sched_getattr
          338  +316	common	renameat2		__x64_sys_renameat2
          339  +317	common	seccomp			__x64_sys_seccomp
          340  +318	common	getrandom		__x64_sys_getrandom
          341  +319	common	memfd_create		__x64_sys_memfd_create
          342  +320	common	kexec_file_load		__x64_sys_kexec_file_load
          343  +321	common	bpf			__x64_sys_bpf
          344  +322	64	execveat		__x64_sys_execveat/ptregs
          345  +323	common	userfaultfd		__x64_sys_userfaultfd
          346  +324	common	membarrier		__x64_sys_membarrier
          347  +325	common	mlock2			__x64_sys_mlock2
          348  +326	common	copy_file_range		__x64_sys_copy_file_range
          349  +327	64	preadv2			__x64_sys_preadv2
          350  +328	64	pwritev2		__x64_sys_pwritev2
          351  +329	common	pkey_mprotect		__x64_sys_pkey_mprotect
          352  +330	common	pkey_alloc		__x64_sys_pkey_alloc
          353  +331	common	pkey_free		__x64_sys_pkey_free
          354  +332	common	statx			__x64_sys_statx
          355  +333	common	io_pgetevents		__x64_sys_io_pgetevents
          356  +334	common	rseq			__x64_sys_rseq
          357  +# don't use numbers 387 through 423, add new calls after the last
          358  +# 'common' entry
          359  +424	common	pidfd_send_signal	__x64_sys_pidfd_send_signal
          360  +425	common	io_uring_setup		__x64_sys_io_uring_setup
          361  +426	common	io_uring_enter		__x64_sys_io_uring_enter
          362  +427	common	io_uring_register	__x64_sys_io_uring_register
          363  +428	common	open_tree		__x64_sys_open_tree
          364  +429	common	move_mount		__x64_sys_move_mount
          365  +430	common	fsopen			__x64_sys_fsopen
          366  +431	common	fsconfig		__x64_sys_fsconfig
          367  +432	common	fsmount			__x64_sys_fsmount
          368  +433	common	fspick			__x64_sys_fspick
          369  +434	common	pidfd_open		__x64_sys_pidfd_open
          370  +435	common	clone3			__x64_sys_clone3/ptregs
          371  +
          372  +#
          373  +# x32-specific system call numbers start at 512 to avoid cache impact
          374  +# for native 64-bit operation. The __x32_compat_sys stubs are created
          375  +# on-the-fly for compat_sys_*() compatibility system calls if X86_X32
          376  +# is defined.
          377  +#
          378  +512	x32	rt_sigaction		__x32_compat_sys_rt_sigaction
          379  +513	x32	rt_sigreturn		sys32_x32_rt_sigreturn
          380  +514	x32	ioctl			__x32_compat_sys_ioctl
          381  +515	x32	readv			__x32_compat_sys_readv
          382  +516	x32	writev			__x32_compat_sys_writev
          383  +517	x32	recvfrom		__x32_compat_sys_recvfrom
          384  +518	x32	sendmsg			__x32_compat_sys_sendmsg
          385  +519	x32	recvmsg			__x32_compat_sys_recvmsg
          386  +520	x32	execve			__x32_compat_sys_execve/ptregs
          387  +521	x32	ptrace			__x32_compat_sys_ptrace
          388  +522	x32	rt_sigpending		__x32_compat_sys_rt_sigpending
          389  +523	x32	rt_sigtimedwait		__x32_compat_sys_rt_sigtimedwait_time64
          390  +524	x32	rt_sigqueueinfo		__x32_compat_sys_rt_sigqueueinfo
          391  +525	x32	sigaltstack		__x32_compat_sys_sigaltstack
          392  +526	x32	timer_create		__x32_compat_sys_timer_create
          393  +527	x32	mq_notify		__x32_compat_sys_mq_notify
          394  +528	x32	kexec_load		__x32_compat_sys_kexec_load
          395  +529	x32	waitid			__x32_compat_sys_waitid
          396  +530	x32	set_robust_list		__x32_compat_sys_set_robust_list
          397  +531	x32	get_robust_list		__x32_compat_sys_get_robust_list
          398  +532	x32	vmsplice		__x32_compat_sys_vmsplice
          399  +533	x32	move_pages		__x32_compat_sys_move_pages
          400  +534	x32	preadv			__x32_compat_sys_preadv64
          401  +535	x32	pwritev			__x32_compat_sys_pwritev64
          402  +536	x32	rt_tgsigqueueinfo	__x32_compat_sys_rt_tgsigqueueinfo
          403  +537	x32	recvmmsg		__x32_compat_sys_recvmmsg_time64
          404  +538	x32	sendmmsg		__x32_compat_sys_sendmmsg
          405  +539	x32	process_vm_readv	__x32_compat_sys_process_vm_readv
          406  +540	x32	process_vm_writev	__x32_compat_sys_process_vm_writev
          407  +541	x32	setsockopt		__x32_compat_sys_setsockopt
          408  +542	x32	getsockopt		__x32_compat_sys_getsockopt
          409  +543	x32	io_setup		__x32_compat_sys_io_setup
          410  +544	x32	io_submit		__x32_compat_sys_io_submit
          411  +545	x32	execveat		__x32_compat_sys_execveat/ptregs
          412  +546	x32	preadv2			__x32_compat_sys_preadv64v2
          413  +547	x32	pwritev2		__x32_compat_sys_pwritev64v2
          414  +	}
          415  +}
          416  +
          417  +if {![info exists ::seccomp_bpf::_platform_data(i386)]} {
          418  +	set ::seccomp_bpf::_platform_data(i386) {
          419  +#
          420  +# 32-bit system call numbers and entry vectors
          421  +#
          422  +# The format is:
          423  +# <number> <abi> <name> <entry point> <compat entry point>
          424  +#
          425  +# The __ia32_sys and __ia32_compat_sys stubs are created on-the-fly for
          426  +# sys_*() system calls and compat_sys_*() compat system calls if
          427  +# IA32_EMULATION is defined, and expect struct pt_regs *regs as their only
          428  +# parameter.
          429  +#
          430  +# The abi is always "i386" for this file.
          431  +#
          432  +0	i386	restart_syscall		sys_restart_syscall		__ia32_sys_restart_syscall
          433  +1	i386	exit			sys_exit			__ia32_sys_exit
          434  +2	i386	fork			sys_fork			__ia32_sys_fork
          435  +3	i386	read			sys_read			__ia32_sys_read
          436  +4	i386	write			sys_write			__ia32_sys_write
          437  +5	i386	open			sys_open			__ia32_compat_sys_open
          438  +6	i386	close			sys_close			__ia32_sys_close
          439  +7	i386	waitpid			sys_waitpid			__ia32_sys_waitpid
          440  +8	i386	creat			sys_creat			__ia32_sys_creat
          441  +9	i386	link			sys_link			__ia32_sys_link
          442  +10	i386	unlink			sys_unlink			__ia32_sys_unlink
          443  +11	i386	execve			sys_execve			__ia32_compat_sys_execve
          444  +12	i386	chdir			sys_chdir			__ia32_sys_chdir
          445  +13	i386	time			sys_time32			__ia32_sys_time32
          446  +14	i386	mknod			sys_mknod			__ia32_sys_mknod
          447  +15	i386	chmod			sys_chmod			__ia32_sys_chmod
          448  +16	i386	lchown			sys_lchown16			__ia32_sys_lchown16
          449  +17	i386	break
          450  +18	i386	oldstat			sys_stat			__ia32_sys_stat
          451  +19	i386	lseek			sys_lseek			__ia32_compat_sys_lseek
          452  +20	i386	getpid			sys_getpid			__ia32_sys_getpid
          453  +21	i386	mount			sys_mount			__ia32_compat_sys_mount
          454  +22	i386	umount			sys_oldumount			__ia32_sys_oldumount
          455  +23	i386	setuid			sys_setuid16			__ia32_sys_setuid16
          456  +24	i386	getuid			sys_getuid16			__ia32_sys_getuid16
          457  +25	i386	stime			sys_stime32			__ia32_sys_stime32
          458  +26	i386	ptrace			sys_ptrace			__ia32_compat_sys_ptrace
          459  +27	i386	alarm			sys_alarm			__ia32_sys_alarm
          460  +28	i386	oldfstat		sys_fstat			__ia32_sys_fstat
          461  +29	i386	pause			sys_pause			__ia32_sys_pause
          462  +30	i386	utime			sys_utime32			__ia32_sys_utime32
          463  +31	i386	stty
          464  +32	i386	gtty
          465  +33	i386	access			sys_access			__ia32_sys_access
          466  +34	i386	nice			sys_nice			__ia32_sys_nice
          467  +35	i386	ftime
          468  +36	i386	sync			sys_sync			__ia32_sys_sync
          469  +37	i386	kill			sys_kill			__ia32_sys_kill
          470  +38	i386	rename			sys_rename			__ia32_sys_rename
          471  +39	i386	mkdir			sys_mkdir			__ia32_sys_mkdir
          472  +40	i386	rmdir			sys_rmdir			__ia32_sys_rmdir
          473  +41	i386	dup			sys_dup				__ia32_sys_dup
          474  +42	i386	pipe			sys_pipe			__ia32_sys_pipe
          475  +43	i386	times			sys_times			__ia32_compat_sys_times
          476  +44	i386	prof
          477  +45	i386	brk			sys_brk				__ia32_sys_brk
          478  +46	i386	setgid			sys_setgid16			__ia32_sys_setgid16
          479  +47	i386	getgid			sys_getgid16			__ia32_sys_getgid16
          480  +48	i386	signal			sys_signal			__ia32_sys_signal
          481  +49	i386	geteuid			sys_geteuid16			__ia32_sys_geteuid16
          482  +50	i386	getegid			sys_getegid16			__ia32_sys_getegid16
          483  +51	i386	acct			sys_acct			__ia32_sys_acct
          484  +52	i386	umount2			sys_umount			__ia32_sys_umount
          485  +53	i386	lock
          486  +54	i386	ioctl			sys_ioctl			__ia32_compat_sys_ioctl
          487  +55	i386	fcntl			sys_fcntl			__ia32_compat_sys_fcntl64
          488  +56	i386	mpx
          489  +57	i386	setpgid			sys_setpgid			__ia32_sys_setpgid
          490  +58	i386	ulimit
          491  +59	i386	oldolduname		sys_olduname			__ia32_sys_olduname
          492  +60	i386	umask			sys_umask			__ia32_sys_umask
          493  +61	i386	chroot			sys_chroot			__ia32_sys_chroot
          494  +62	i386	ustat			sys_ustat			__ia32_compat_sys_ustat
          495  +63	i386	dup2			sys_dup2			__ia32_sys_dup2
          496  +64	i386	getppid			sys_getppid			__ia32_sys_getppid
          497  +65	i386	getpgrp			sys_getpgrp			__ia32_sys_getpgrp
          498  +66	i386	setsid			sys_setsid			__ia32_sys_setsid
          499  +67	i386	sigaction		sys_sigaction			__ia32_compat_sys_sigaction
          500  +68	i386	sgetmask		sys_sgetmask			__ia32_sys_sgetmask
          501  +69	i386	ssetmask		sys_ssetmask			__ia32_sys_ssetmask
          502  +70	i386	setreuid		sys_setreuid16			__ia32_sys_setreuid16
          503  +71	i386	setregid		sys_setregid16			__ia32_sys_setregid16
          504  +72	i386	sigsuspend		sys_sigsuspend			__ia32_sys_sigsuspend
          505  +73	i386	sigpending		sys_sigpending			__ia32_compat_sys_sigpending
          506  +74	i386	sethostname		sys_sethostname			__ia32_sys_sethostname
          507  +75	i386	setrlimit		sys_setrlimit			__ia32_compat_sys_setrlimit
          508  +76	i386	getrlimit		sys_old_getrlimit		__ia32_compat_sys_old_getrlimit
          509  +77	i386	getrusage		sys_getrusage			__ia32_compat_sys_getrusage
          510  +78	i386	gettimeofday		sys_gettimeofday		__ia32_compat_sys_gettimeofday
          511  +79	i386	settimeofday		sys_settimeofday		__ia32_compat_sys_settimeofday
          512  +80	i386	getgroups		sys_getgroups16			__ia32_sys_getgroups16
          513  +81	i386	setgroups		sys_setgroups16			__ia32_sys_setgroups16
          514  +82	i386	select			sys_old_select			__ia32_compat_sys_old_select
          515  +83	i386	symlink			sys_symlink			__ia32_sys_symlink
          516  +84	i386	oldlstat		sys_lstat			__ia32_sys_lstat
          517  +85	i386	readlink		sys_readlink			__ia32_sys_readlink
          518  +86	i386	uselib			sys_uselib			__ia32_sys_uselib
          519  +87	i386	swapon			sys_swapon			__ia32_sys_swapon
          520  +88	i386	reboot			sys_reboot			__ia32_sys_reboot
          521  +89	i386	readdir			sys_old_readdir			__ia32_compat_sys_old_readdir
          522  +90	i386	mmap			sys_old_mmap			__ia32_compat_sys_x86_mmap
          523  +91	i386	munmap			sys_munmap			__ia32_sys_munmap
          524  +92	i386	truncate		sys_truncate			__ia32_compat_sys_truncate
          525  +93	i386	ftruncate		sys_ftruncate			__ia32_compat_sys_ftruncate
          526  +94	i386	fchmod			sys_fchmod			__ia32_sys_fchmod
          527  +95	i386	fchown			sys_fchown16			__ia32_sys_fchown16
          528  +96	i386	getpriority		sys_getpriority			__ia32_sys_getpriority
          529  +97	i386	setpriority		sys_setpriority			__ia32_sys_setpriority
          530  +98	i386	profil
          531  +99	i386	statfs			sys_statfs			__ia32_compat_sys_statfs
          532  +100	i386	fstatfs			sys_fstatfs			__ia32_compat_sys_fstatfs
          533  +101	i386	ioperm			sys_ioperm			__ia32_sys_ioperm
          534  +102	i386	socketcall		sys_socketcall			__ia32_compat_sys_socketcall
          535  +103	i386	syslog			sys_syslog			__ia32_sys_syslog
          536  +104	i386	setitimer		sys_setitimer			__ia32_compat_sys_setitimer
          537  +105	i386	getitimer		sys_getitimer			__ia32_compat_sys_getitimer
          538  +106	i386	stat			sys_newstat			__ia32_compat_sys_newstat
          539  +107	i386	lstat			sys_newlstat			__ia32_compat_sys_newlstat
          540  +108	i386	fstat			sys_newfstat			__ia32_compat_sys_newfstat
          541  +109	i386	olduname		sys_uname			__ia32_sys_uname
          542  +110	i386	iopl			sys_iopl			__ia32_sys_iopl
          543  +111	i386	vhangup			sys_vhangup			__ia32_sys_vhangup
          544  +112	i386	idle
          545  +113	i386	vm86old			sys_vm86old			__ia32_sys_ni_syscall
          546  +114	i386	wait4			sys_wait4			__ia32_compat_sys_wait4
          547  +115	i386	swapoff			sys_swapoff			__ia32_sys_swapoff
          548  +116	i386	sysinfo			sys_sysinfo			__ia32_compat_sys_sysinfo
          549  +117	i386	ipc			sys_ipc				__ia32_compat_sys_ipc
          550  +118	i386	fsync			sys_fsync			__ia32_sys_fsync
          551  +119	i386	sigreturn		sys_sigreturn			__ia32_compat_sys_sigreturn
          552  +120	i386	clone			sys_clone			__ia32_compat_sys_x86_clone
          553  +121	i386	setdomainname		sys_setdomainname		__ia32_sys_setdomainname
          554  +122	i386	uname			sys_newuname			__ia32_sys_newuname
          555  +123	i386	modify_ldt		sys_modify_ldt			__ia32_sys_modify_ldt
          556  +124	i386	adjtimex		sys_adjtimex_time32			__ia32_sys_adjtimex_time32
          557  +125	i386	mprotect		sys_mprotect			__ia32_sys_mprotect
          558  +126	i386	sigprocmask		sys_sigprocmask			__ia32_compat_sys_sigprocmask
          559  +127	i386	create_module
          560  +128	i386	init_module		sys_init_module			__ia32_sys_init_module
          561  +129	i386	delete_module		sys_delete_module		__ia32_sys_delete_module
          562  +130	i386	get_kernel_syms
          563  +131	i386	quotactl		sys_quotactl			__ia32_compat_sys_quotactl32
          564  +132	i386	getpgid			sys_getpgid			__ia32_sys_getpgid
          565  +133	i386	fchdir			sys_fchdir			__ia32_sys_fchdir
          566  +134	i386	bdflush			sys_bdflush			__ia32_sys_bdflush
          567  +135	i386	sysfs			sys_sysfs			__ia32_sys_sysfs
          568  +136	i386	personality		sys_personality			__ia32_sys_personality
          569  +137	i386	afs_syscall
          570  +138	i386	setfsuid		sys_setfsuid16			__ia32_sys_setfsuid16
          571  +139	i386	setfsgid		sys_setfsgid16			__ia32_sys_setfsgid16
          572  +140	i386	_llseek			sys_llseek			__ia32_sys_llseek
          573  +141	i386	getdents		sys_getdents			__ia32_compat_sys_getdents
          574  +142	i386	_newselect		sys_select			__ia32_compat_sys_select
          575  +143	i386	flock			sys_flock			__ia32_sys_flock
          576  +144	i386	msync			sys_msync			__ia32_sys_msync
          577  +145	i386	readv			sys_readv			__ia32_compat_sys_readv
          578  +146	i386	writev			sys_writev			__ia32_compat_sys_writev
          579  +147	i386	getsid			sys_getsid			__ia32_sys_getsid
          580  +148	i386	fdatasync		sys_fdatasync			__ia32_sys_fdatasync
          581  +149	i386	_sysctl			sys_sysctl			__ia32_compat_sys_sysctl
          582  +150	i386	mlock			sys_mlock			__ia32_sys_mlock
          583  +151	i386	munlock			sys_munlock			__ia32_sys_munlock
          584  +152	i386	mlockall		sys_mlockall			__ia32_sys_mlockall
          585  +153	i386	munlockall		sys_munlockall			__ia32_sys_munlockall
          586  +154	i386	sched_setparam		sys_sched_setparam		__ia32_sys_sched_setparam
          587  +155	i386	sched_getparam		sys_sched_getparam		__ia32_sys_sched_getparam
          588  +156	i386	sched_setscheduler	sys_sched_setscheduler		__ia32_sys_sched_setscheduler
          589  +157	i386	sched_getscheduler	sys_sched_getscheduler		__ia32_sys_sched_getscheduler
          590  +158	i386	sched_yield		sys_sched_yield			__ia32_sys_sched_yield
          591  +159	i386	sched_get_priority_max	sys_sched_get_priority_max	__ia32_sys_sched_get_priority_max
          592  +160	i386	sched_get_priority_min	sys_sched_get_priority_min	__ia32_sys_sched_get_priority_min
          593  +161	i386	sched_rr_get_interval	sys_sched_rr_get_interval_time32	__ia32_sys_sched_rr_get_interval_time32
          594  +162	i386	nanosleep		sys_nanosleep_time32		__ia32_sys_nanosleep_time32
          595  +163	i386	mremap			sys_mremap			__ia32_sys_mremap
          596  +164	i386	setresuid		sys_setresuid16			__ia32_sys_setresuid16
          597  +165	i386	getresuid		sys_getresuid16			__ia32_sys_getresuid16
          598  +166	i386	vm86			sys_vm86			__ia32_sys_ni_syscall
          599  +167	i386	query_module
          600  +168	i386	poll			sys_poll			__ia32_sys_poll
          601  +169	i386	nfsservctl
          602  +170	i386	setresgid		sys_setresgid16			__ia32_sys_setresgid16
          603  +171	i386	getresgid		sys_getresgid16			__ia32_sys_getresgid16
          604  +172	i386	prctl			sys_prctl			__ia32_sys_prctl
          605  +173	i386	rt_sigreturn		sys_rt_sigreturn		__ia32_compat_sys_rt_sigreturn
          606  +174	i386	rt_sigaction		sys_rt_sigaction		__ia32_compat_sys_rt_sigaction
          607  +175	i386	rt_sigprocmask		sys_rt_sigprocmask		__ia32_compat_sys_rt_sigprocmask
          608  +176	i386	rt_sigpending		sys_rt_sigpending		__ia32_compat_sys_rt_sigpending
          609  +177	i386	rt_sigtimedwait		sys_rt_sigtimedwait_time32	__ia32_compat_sys_rt_sigtimedwait_time32
          610  +178	i386	rt_sigqueueinfo		sys_rt_sigqueueinfo		__ia32_compat_sys_rt_sigqueueinfo
          611  +179	i386	rt_sigsuspend		sys_rt_sigsuspend		__ia32_compat_sys_rt_sigsuspend
          612  +180	i386	pread64			sys_pread64			__ia32_compat_sys_x86_pread
          613  +181	i386	pwrite64		sys_pwrite64			__ia32_compat_sys_x86_pwrite
          614  +182	i386	chown			sys_chown16			__ia32_sys_chown16
          615  +183	i386	getcwd			sys_getcwd			__ia32_sys_getcwd
          616  +184	i386	capget			sys_capget			__ia32_sys_capget
          617  +185	i386	capset			sys_capset			__ia32_sys_capset
          618  +186	i386	sigaltstack		sys_sigaltstack			__ia32_compat_sys_sigaltstack
          619  +187	i386	sendfile		sys_sendfile			__ia32_compat_sys_sendfile
          620  +188	i386	getpmsg
          621  +189	i386	putpmsg
          622  +190	i386	vfork			sys_vfork			__ia32_sys_vfork
          623  +191	i386	ugetrlimit		sys_getrlimit			__ia32_compat_sys_getrlimit
          624  +192	i386	mmap2			sys_mmap_pgoff			__ia32_sys_mmap_pgoff
          625  +193	i386	truncate64		sys_truncate64			__ia32_compat_sys_x86_truncate64
          626  +194	i386	ftruncate64		sys_ftruncate64			__ia32_compat_sys_x86_ftruncate64
          627  +195	i386	stat64			sys_stat64			__ia32_compat_sys_x86_stat64
          628  +196	i386	lstat64			sys_lstat64			__ia32_compat_sys_x86_lstat64
          629  +197	i386	fstat64			sys_fstat64			__ia32_compat_sys_x86_fstat64
          630  +198	i386	lchown32		sys_lchown			__ia32_sys_lchown
          631  +199	i386	getuid32		sys_getuid			__ia32_sys_getuid
          632  +200	i386	getgid32		sys_getgid			__ia32_sys_getgid
          633  +201	i386	geteuid32		sys_geteuid			__ia32_sys_geteuid
          634  +202	i386	getegid32		sys_getegid			__ia32_sys_getegid
          635  +203	i386	setreuid32		sys_setreuid			__ia32_sys_setreuid
          636  +204	i386	setregid32		sys_setregid			__ia32_sys_setregid
          637  +205	i386	getgroups32		sys_getgroups			__ia32_sys_getgroups
          638  +206	i386	setgroups32		sys_setgroups			__ia32_sys_setgroups
          639  +207	i386	fchown32		sys_fchown			__ia32_sys_fchown
          640  +208	i386	setresuid32		sys_setresuid			__ia32_sys_setresuid
          641  +209	i386	getresuid32		sys_getresuid			__ia32_sys_getresuid
          642  +210	i386	setresgid32		sys_setresgid			__ia32_sys_setresgid
          643  +211	i386	getresgid32		sys_getresgid			__ia32_sys_getresgid
          644  +212	i386	chown32			sys_chown			__ia32_sys_chown
          645  +213	i386	setuid32		sys_setuid			__ia32_sys_setuid
          646  +214	i386	setgid32		sys_setgid			__ia32_sys_setgid
          647  +215	i386	setfsuid32		sys_setfsuid			__ia32_sys_setfsuid
          648  +216	i386	setfsgid32		sys_setfsgid			__ia32_sys_setfsgid
          649  +217	i386	pivot_root		sys_pivot_root			__ia32_sys_pivot_root
          650  +218	i386	mincore			sys_mincore			__ia32_sys_mincore
          651  +219	i386	madvise			sys_madvise			__ia32_sys_madvise
          652  +220	i386	getdents64		sys_getdents64			__ia32_sys_getdents64
          653  +221	i386	fcntl64			sys_fcntl64			__ia32_compat_sys_fcntl64
          654  +# 222 is unused
          655  +# 223 is unused
          656  +224	i386	gettid			sys_gettid			__ia32_sys_gettid
          657  +225	i386	readahead		sys_readahead			__ia32_compat_sys_x86_readahead
          658  +226	i386	setxattr		sys_setxattr			__ia32_sys_setxattr
          659  +227	i386	lsetxattr		sys_lsetxattr			__ia32_sys_lsetxattr
          660  +228	i386	fsetxattr		sys_fsetxattr			__ia32_sys_fsetxattr
          661  +229	i386	getxattr		sys_getxattr			__ia32_sys_getxattr
          662  +230	i386	lgetxattr		sys_lgetxattr			__ia32_sys_lgetxattr
          663  +231	i386	fgetxattr		sys_fgetxattr			__ia32_sys_fgetxattr
          664  +232	i386	listxattr		sys_listxattr			__ia32_sys_listxattr
          665  +233	i386	llistxattr		sys_llistxattr			__ia32_sys_llistxattr
          666  +234	i386	flistxattr		sys_flistxattr			__ia32_sys_flistxattr
          667  +235	i386	removexattr		sys_removexattr			__ia32_sys_removexattr
          668  +236	i386	lremovexattr		sys_lremovexattr		__ia32_sys_lremovexattr
          669  +237	i386	fremovexattr		sys_fremovexattr		__ia32_sys_fremovexattr
          670  +238	i386	tkill			sys_tkill			__ia32_sys_tkill
          671  +239	i386	sendfile64		sys_sendfile64			__ia32_sys_sendfile64
          672  +240	i386	futex			sys_futex_time32		__ia32_sys_futex_time32
          673  +241	i386	sched_setaffinity	sys_sched_setaffinity		__ia32_compat_sys_sched_setaffinity
          674  +242	i386	sched_getaffinity	sys_sched_getaffinity		__ia32_compat_sys_sched_getaffinity
          675  +243	i386	set_thread_area		sys_set_thread_area		__ia32_sys_set_thread_area
          676  +244	i386	get_thread_area		sys_get_thread_area		__ia32_sys_get_thread_area
          677  +245	i386	io_setup		sys_io_setup			__ia32_compat_sys_io_setup
          678  +246	i386	io_destroy		sys_io_destroy			__ia32_sys_io_destroy
          679  +247	i386	io_getevents		sys_io_getevents_time32		__ia32_sys_io_getevents_time32
          680  +248	i386	io_submit		sys_io_submit			__ia32_compat_sys_io_submit
          681  +249	i386	io_cancel		sys_io_cancel			__ia32_sys_io_cancel
          682  +250	i386	fadvise64		sys_fadvise64			__ia32_compat_sys_x86_fadvise64
          683  +# 251 is available for reuse (was briefly sys_set_zone_reclaim)
          684  +252	i386	exit_group		sys_exit_group			__ia32_sys_exit_group
          685  +253	i386	lookup_dcookie		sys_lookup_dcookie		__ia32_compat_sys_lookup_dcookie
          686  +254	i386	epoll_create		sys_epoll_create		__ia32_sys_epoll_create
          687  +255	i386	epoll_ctl		sys_epoll_ctl			__ia32_sys_epoll_ctl
          688  +256	i386	epoll_wait		sys_epoll_wait			__ia32_sys_epoll_wait
          689  +257	i386	remap_file_pages	sys_remap_file_pages		__ia32_sys_remap_file_pages
          690  +258	i386	set_tid_address		sys_set_tid_address		__ia32_sys_set_tid_address
          691  +259	i386	timer_create		sys_timer_create		__ia32_compat_sys_timer_create
          692  +260	i386	timer_settime		sys_timer_settime32		__ia32_sys_timer_settime32
          693  +261	i386	timer_gettime		sys_timer_gettime32		__ia32_sys_timer_gettime32
          694  +262	i386	timer_getoverrun	sys_timer_getoverrun		__ia32_sys_timer_getoverrun
          695  +263	i386	timer_delete		sys_timer_delete		__ia32_sys_timer_delete
          696  +264	i386	clock_settime		sys_clock_settime32		__ia32_sys_clock_settime32
          697  +265	i386	clock_gettime		sys_clock_gettime32		__ia32_sys_clock_gettime32
          698  +266	i386	clock_getres		sys_clock_getres_time32		__ia32_sys_clock_getres_time32
          699  +267	i386	clock_nanosleep		sys_clock_nanosleep_time32	__ia32_sys_clock_nanosleep_time32
          700  +268	i386	statfs64		sys_statfs64			__ia32_compat_sys_statfs64
          701  +269	i386	fstatfs64		sys_fstatfs64			__ia32_compat_sys_fstatfs64
          702  +270	i386	tgkill			sys_tgkill			__ia32_sys_tgkill
          703  +271	i386	utimes			sys_utimes_time32		__ia32_sys_utimes_time32
          704  +272	i386	fadvise64_64		sys_fadvise64_64		__ia32_compat_sys_x86_fadvise64_64
          705  +273	i386	vserver
          706  +274	i386	mbind			sys_mbind			__ia32_sys_mbind
          707  +275	i386	get_mempolicy		sys_get_mempolicy		__ia32_compat_sys_get_mempolicy
          708  +276	i386	set_mempolicy		sys_set_mempolicy		__ia32_sys_set_mempolicy
          709  +277	i386	mq_open			sys_mq_open			__ia32_compat_sys_mq_open
          710  +278	i386	mq_unlink		sys_mq_unlink			__ia32_sys_mq_unlink
          711  +279	i386	mq_timedsend		sys_mq_timedsend_time32		__ia32_sys_mq_timedsend_time32
          712  +280	i386	mq_timedreceive		sys_mq_timedreceive_time32	__ia32_sys_mq_timedreceive_time32
          713  +281	i386	mq_notify		sys_mq_notify			__ia32_compat_sys_mq_notify
          714  +282	i386	mq_getsetattr		sys_mq_getsetattr		__ia32_compat_sys_mq_getsetattr
          715  +283	i386	kexec_load		sys_kexec_load			__ia32_compat_sys_kexec_load
          716  +284	i386	waitid			sys_waitid			__ia32_compat_sys_waitid
          717  +# 285 sys_setaltroot
          718  +286	i386	add_key			sys_add_key			__ia32_sys_add_key
          719  +287	i386	request_key		sys_request_key			__ia32_sys_request_key
          720  +288	i386	keyctl			sys_keyctl			__ia32_compat_sys_keyctl
          721  +289	i386	ioprio_set		sys_ioprio_set			__ia32_sys_ioprio_set
          722  +290	i386	ioprio_get		sys_ioprio_get			__ia32_sys_ioprio_get
          723  +291	i386	inotify_init		sys_inotify_init		__ia32_sys_inotify_init
          724  +292	i386	inotify_add_watch	sys_inotify_add_watch		__ia32_sys_inotify_add_watch
          725  +293	i386	inotify_rm_watch	sys_inotify_rm_watch		__ia32_sys_inotify_rm_watch
          726  +294	i386	migrate_pages		sys_migrate_pages		__ia32_sys_migrate_pages
          727  +295	i386	openat			sys_openat			__ia32_compat_sys_openat
          728  +296	i386	mkdirat			sys_mkdirat			__ia32_sys_mkdirat
          729  +297	i386	mknodat			sys_mknodat			__ia32_sys_mknodat
          730  +298	i386	fchownat		sys_fchownat			__ia32_sys_fchownat
          731  +299	i386	futimesat		sys_futimesat_time32		__ia32_sys_futimesat_time32
          732  +300	i386	fstatat64		sys_fstatat64			__ia32_compat_sys_x86_fstatat
          733  +301	i386	unlinkat		sys_unlinkat			__ia32_sys_unlinkat
          734  +302	i386	renameat		sys_renameat			__ia32_sys_renameat
          735  +303	i386	linkat			sys_linkat			__ia32_sys_linkat
          736  +304	i386	symlinkat		sys_symlinkat			__ia32_sys_symlinkat
          737  +305	i386	readlinkat		sys_readlinkat			__ia32_sys_readlinkat
          738  +306	i386	fchmodat		sys_fchmodat			__ia32_sys_fchmodat
          739  +307	i386	faccessat		sys_faccessat			__ia32_sys_faccessat
          740  +308	i386	pselect6		sys_pselect6_time32		__ia32_compat_sys_pselect6_time32
          741  +309	i386	ppoll			sys_ppoll_time32		__ia32_compat_sys_ppoll_time32
          742  +310	i386	unshare			sys_unshare			__ia32_sys_unshare
          743  +311	i386	set_robust_list		sys_set_robust_list		__ia32_compat_sys_set_robust_list
          744  +312	i386	get_robust_list		sys_get_robust_list		__ia32_compat_sys_get_robust_list
          745  +313	i386	splice			sys_splice			__ia32_sys_splice
          746  +314	i386	sync_file_range		sys_sync_file_range		__ia32_compat_sys_x86_sync_file_range
          747  +315	i386	tee			sys_tee				__ia32_sys_tee
          748  +316	i386	vmsplice		sys_vmsplice			__ia32_compat_sys_vmsplice
          749  +317	i386	move_pages		sys_move_pages			__ia32_compat_sys_move_pages
          750  +318	i386	getcpu			sys_getcpu			__ia32_sys_getcpu
          751  +319	i386	epoll_pwait		sys_epoll_pwait			__ia32_sys_epoll_pwait
          752  +320	i386	utimensat		sys_utimensat_time32		__ia32_sys_utimensat_time32
          753  +321	i386	signalfd		sys_signalfd			__ia32_compat_sys_signalfd
          754  +322	i386	timerfd_create		sys_timerfd_create		__ia32_sys_timerfd_create
          755  +323	i386	eventfd			sys_eventfd			__ia32_sys_eventfd
          756  +324	i386	fallocate		sys_fallocate			__ia32_compat_sys_x86_fallocate
          757  +325	i386	timerfd_settime		sys_timerfd_settime32		__ia32_sys_timerfd_settime32
          758  +326	i386	timerfd_gettime		sys_timerfd_gettime32		__ia32_sys_timerfd_gettime32
          759  +327	i386	signalfd4		sys_signalfd4			__ia32_compat_sys_signalfd4
          760  +328	i386	eventfd2		sys_eventfd2			__ia32_sys_eventfd2
          761  +329	i386	epoll_create1		sys_epoll_create1		__ia32_sys_epoll_create1
          762  +330	i386	dup3			sys_dup3			__ia32_sys_dup3
          763  +331	i386	pipe2			sys_pipe2			__ia32_sys_pipe2
          764  +332	i386	inotify_init1		sys_inotify_init1		__ia32_sys_inotify_init1
          765  +333	i386	preadv			sys_preadv			__ia32_compat_sys_preadv
          766  +334	i386	pwritev			sys_pwritev			__ia32_compat_sys_pwritev
          767  +335	i386	rt_tgsigqueueinfo	sys_rt_tgsigqueueinfo		__ia32_compat_sys_rt_tgsigqueueinfo
          768  +336	i386	perf_event_open		sys_perf_event_open		__ia32_sys_perf_event_open
          769  +337	i386	recvmmsg		sys_recvmmsg_time32		__ia32_compat_sys_recvmmsg_time32
          770  +338	i386	fanotify_init		sys_fanotify_init		__ia32_sys_fanotify_init
          771  +339	i386	fanotify_mark		sys_fanotify_mark		__ia32_compat_sys_fanotify_mark
          772  +340	i386	prlimit64		sys_prlimit64			__ia32_sys_prlimit64
          773  +341	i386	name_to_handle_at	sys_name_to_handle_at		__ia32_sys_name_to_handle_at
          774  +342	i386	open_by_handle_at	sys_open_by_handle_at		__ia32_compat_sys_open_by_handle_at
          775  +343	i386	clock_adjtime		sys_clock_adjtime32		__ia32_sys_clock_adjtime32
          776  +344	i386	syncfs			sys_syncfs			__ia32_sys_syncfs
          777  +345	i386	sendmmsg		sys_sendmmsg			__ia32_compat_sys_sendmmsg
          778  +346	i386	setns			sys_setns			__ia32_sys_setns
          779  +347	i386	process_vm_readv	sys_process_vm_readv		__ia32_compat_sys_process_vm_readv
          780  +348	i386	process_vm_writev	sys_process_vm_writev		__ia32_compat_sys_process_vm_writev
          781  +349	i386	kcmp			sys_kcmp			__ia32_sys_kcmp
          782  +350	i386	finit_module		sys_finit_module		__ia32_sys_finit_module
          783  +351	i386	sched_setattr		sys_sched_setattr		__ia32_sys_sched_setattr
          784  +352	i386	sched_getattr		sys_sched_getattr		__ia32_sys_sched_getattr
          785  +353	i386	renameat2		sys_renameat2			__ia32_sys_renameat2
          786  +354	i386	seccomp			sys_seccomp			__ia32_sys_seccomp
          787  +355	i386	getrandom		sys_getrandom			__ia32_sys_getrandom
          788  +356	i386	memfd_create		sys_memfd_create		__ia32_sys_memfd_create
          789  +357	i386	bpf			sys_bpf				__ia32_sys_bpf
          790  +358	i386	execveat		sys_execveat			__ia32_compat_sys_execveat
          791  +359	i386	socket			sys_socket			__ia32_sys_socket
          792  +360	i386	socketpair		sys_socketpair			__ia32_sys_socketpair
          793  +361	i386	bind			sys_bind			__ia32_sys_bind
          794  +362	i386	connect			sys_connect			__ia32_sys_connect
          795  +363	i386	listen			sys_listen			__ia32_sys_listen
          796  +364	i386	accept4			sys_accept4			__ia32_sys_accept4
          797  +365	i386	getsockopt		sys_getsockopt			__ia32_compat_sys_getsockopt
          798  +366	i386	setsockopt		sys_setsockopt			__ia32_compat_sys_setsockopt
          799  +367	i386	getsockname		sys_getsockname			__ia32_sys_getsockname
          800  +368	i386	getpeername		sys_getpeername			__ia32_sys_getpeername
          801  +369	i386	sendto			sys_sendto			__ia32_sys_sendto
          802  +370	i386	sendmsg			sys_sendmsg			__ia32_compat_sys_sendmsg
          803  +371	i386	recvfrom		sys_recvfrom			__ia32_compat_sys_recvfrom
          804  +372	i386	recvmsg			sys_recvmsg			__ia32_compat_sys_recvmsg
          805  +373	i386	shutdown		sys_shutdown			__ia32_sys_shutdown
          806  +374	i386	userfaultfd		sys_userfaultfd			__ia32_sys_userfaultfd
          807  +375	i386	membarrier		sys_membarrier			__ia32_sys_membarrier
          808  +376	i386	mlock2			sys_mlock2			__ia32_sys_mlock2
          809  +377	i386	copy_file_range		sys_copy_file_range		__ia32_sys_copy_file_range
          810  +378	i386	preadv2			sys_preadv2			__ia32_compat_sys_preadv2
          811  +379	i386	pwritev2		sys_pwritev2			__ia32_compat_sys_pwritev2
          812  +380	i386	pkey_mprotect		sys_pkey_mprotect		__ia32_sys_pkey_mprotect
          813  +381	i386	pkey_alloc		sys_pkey_alloc			__ia32_sys_pkey_alloc
          814  +382	i386	pkey_free		sys_pkey_free			__ia32_sys_pkey_free
          815  +383	i386	statx			sys_statx			__ia32_sys_statx
          816  +384	i386	arch_prctl		sys_arch_prctl			__ia32_compat_sys_arch_prctl
          817  +385	i386	io_pgetevents		sys_io_pgetevents_time32	__ia32_compat_sys_io_pgetevents
          818  +386	i386	rseq			sys_rseq			__ia32_sys_rseq
          819  +393	i386	semget			sys_semget    			__ia32_sys_semget
          820  +394	i386	semctl			sys_semctl    			__ia32_compat_sys_semctl
          821  +395	i386	shmget			sys_shmget    			__ia32_sys_shmget
          822  +396	i386	shmctl			sys_shmctl    			__ia32_compat_sys_shmctl
          823  +397	i386	shmat			sys_shmat     			__ia32_compat_sys_shmat
          824  +398	i386	shmdt			sys_shmdt     			__ia32_sys_shmdt
          825  +399	i386	msgget			sys_msgget    			__ia32_sys_msgget
          826  +400	i386	msgsnd			sys_msgsnd    			__ia32_compat_sys_msgsnd
          827  +401	i386	msgrcv			sys_msgrcv    			__ia32_compat_sys_msgrcv
          828  +402	i386	msgctl			sys_msgctl    			__ia32_compat_sys_msgctl
          829  +403	i386	clock_gettime64		sys_clock_gettime		__ia32_sys_clock_gettime
          830  +404	i386	clock_settime64		sys_clock_settime		__ia32_sys_clock_settime
          831  +405	i386	clock_adjtime64		sys_clock_adjtime		__ia32_sys_clock_adjtime
          832  +406	i386	clock_getres_time64	sys_clock_getres		__ia32_sys_clock_getres
          833  +407	i386	clock_nanosleep_time64	sys_clock_nanosleep		__ia32_sys_clock_nanosleep
          834  +408	i386	timer_gettime64		sys_timer_gettime		__ia32_sys_timer_gettime
          835  +409	i386	timer_settime64		sys_timer_settime		__ia32_sys_timer_settime
          836  +410	i386	timerfd_gettime64	sys_timerfd_gettime		__ia32_sys_timerfd_gettime
          837  +411	i386	timerfd_settime64	sys_timerfd_settime		__ia32_sys_timerfd_settime
          838  +412	i386	utimensat_time64	sys_utimensat			__ia32_sys_utimensat
          839  +413	i386	pselect6_time64		sys_pselect6			__ia32_compat_sys_pselect6_time64
          840  +414	i386	ppoll_time64		sys_ppoll			__ia32_compat_sys_ppoll_time64
          841  +416	i386	io_pgetevents_time64	sys_io_pgetevents		__ia32_sys_io_pgetevents
          842  +417	i386	recvmmsg_time64		sys_recvmmsg			__ia32_compat_sys_recvmmsg_time64
          843  +418	i386	mq_timedsend_time64	sys_mq_timedsend		__ia32_sys_mq_timedsend
          844  +419	i386	mq_timedreceive_time64	sys_mq_timedreceive		__ia32_sys_mq_timedreceive
          845  +420	i386	semtimedop_time64	sys_semtimedop			__ia32_sys_semtimedop
          846  +421	i386	rt_sigtimedwait_time64	sys_rt_sigtimedwait		__ia32_compat_sys_rt_sigtimedwait_time64
          847  +422	i386	futex_time64		sys_futex			__ia32_sys_futex
          848  +423	i386	sched_rr_get_interval_time64	sys_sched_rr_get_interval	__ia32_sys_sched_rr_get_interval
          849  +424	i386	pidfd_send_signal	sys_pidfd_send_signal		__ia32_sys_pidfd_send_signal
          850  +425	i386	io_uring_setup		sys_io_uring_setup		__ia32_sys_io_uring_setup
          851  +426	i386	io_uring_enter		sys_io_uring_enter		__ia32_sys_io_uring_enter
          852  +427	i386	io_uring_register	sys_io_uring_register		__ia32_sys_io_uring_register
          853  +428	i386	open_tree		sys_open_tree			__ia32_sys_open_tree
          854  +429	i386	move_mount		sys_move_mount			__ia32_sys_move_mount
          855  +430	i386	fsopen			sys_fsopen			__ia32_sys_fsopen
          856  +431	i386	fsconfig		sys_fsconfig			__ia32_sys_fsconfig
          857  +432	i386	fsmount			sys_fsmount			__ia32_sys_fsmount
          858  +433	i386	fspick			sys_fspick			__ia32_sys_fspick
          859  +434	i386	pidfd_open		sys_pidfd_open			__ia32_sys_pidfd_open
          860  +435	i386	clone3			sys_clone3			__ia32_sys_clone3
          861  +	}
          862  +}
          863  +
          864  +proc ::seccomp_bpf::_loadSystemCallTable {platform data} {
          865  +	if {[info exists ::seccomp_bpf::_systemCallTableLookup_${platform}_]} {
          866  +		return
          867  +	}
          868  +
          869  +	foreach line [split $data "\n"] {
          870  +		set line [regsub {#.*$} $line ""]
          871  +		set line [string trim $line]
          872  +		if {$line eq ""} {
          873  +			continue
          874  +		}
          875  +
          876  +		if {![string is list -strict $line]} {
          877  +			continue
          878  +		}
          879  +
          880  +		set name [lindex $line 2]
          881  +		set id   [lindex $line 0]
          882  +
          883  +		lappend "::seccomp_bpf::_systemCallTableLookup_${platform}_($name)" $id
          884  +		lappend "::seccomp_bpf::_systemCallReverseTableLookup_${platform}_($id)" $name
          885  +	}
          886  +}
          887  +
          888  +proc ::seccomp_bpf::init_platform {handle platform {data ""}} {
          889  +	if {$data eq ""} {
          890  +		set data $::seccomp_bpf::_platform_data($platform)
          891  +	}
          892  +	
          893  +	::seccomp_bpf::_loadSystemCallTable $platform $data
          894  +	lappend ::seccomp_bpf::_platforms($handle) $platform
          895  +}
          896  +
          897  +proc ::seccomp_bpf::uninit_platform {platform} {
          898  +	foreach handle [array names ::seccomp_bpf::_platforms] {
          899  +		foreach checkPlatform $::seccomp_bpf::_platforms($handle) {
          900  +			if {$checkPlatform eq $platform} {
          901  +				return false
          902  +			}
          903  +		}
          904  +	}
          905  +
          906  +	unset -nocomplain ::seccomp_bpf::_systemCallTableLookup_${platform}_
          907  +	unset -nocomplain ::seccomp_bpf::_systemCallReverseTableLookup_${platform}_
          908  +
          909  +	return true
          910  +}
          911  +
          912  +proc ::seccomp_bpf::new {} {
          913  +	incr ::seccomp_bpf::_handle_index
          914  +	set handle "::seccomp_bpf::handle${::seccomp_bpf::_handle_index}"
          915  +
          916  +	return $handle
          917  +}
          918  +
          919  +proc ::seccomp_bpf::delete {handle} {
          920  +	unset ::seccomp_bpf::_platforms($handle)
          921  +	unset ::seccomp_bpf::_platform_code($handle)
          922  +	unset ::seccomp_bpf::_variables($handle)
          923  +}
          924  +
          925  +proc ::seccomp_bpf::_is_host_variable {var} {
          926  +	switch -glob -- $var {
          927  +		{$nr} - {$arch} - {$args(*)} {
          928  +			return true
          929  +		}
          930  +	}
          931  +
          932  +	return false
          933  +}
          934  +
          935  +proc ::seccomp_bpf::_is_compiler_variable {var} {
          936  +	if {[_is_host_variable $var]} {
          937  +		return false
          938  +	}
          939  +
          940  +	if {[string index $var 0] eq {$}} {
          941  +		return true
          942  +	}
          943  +
          944  +	return false
          945  +}
          946  +
          947  +proc ::seccomp_bpf::_get_compiler_variable {handle var {default ""}} {
          948  +	set varName [string range $var 1 end]
          949  +
          950  +	set value $default
          951  +	catch {
          952  +		set value [dict get $::seccomp_bpf::_variables($handle) $varName]
          953  +	}
          954  +
          955  +	return $value
          956  +}
          957  +
          958  +proc ::seccomp_bpf::_load_var {var} {
          959  +	set output [list]
          960  +
          961  +	switch -glob -- $var {
          962  +		{$nr} {
          963  +			lappend output "BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof(struct seccomp_data, nr))),"
          964  +		}
          965  +		{$arch} {
          966  +			lappend output "BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof(struct seccomp_data, arch))),"
          967  +		}
          968  +		{$args(*)} {
          969  +			set idx [lindex [split $var ()] 1]
          970  +			lappend output "BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof(struct seccomp_data, args\[$idx\]))),"
          971  +		}
          972  +		default {
          973  +			# Compare two immediate values
          974  +			lappend output "BPF_STMT(BPF_LD | BPF_W | BPF_IMM, $var),"
          975  +		}
          976  +	}
          977  +
          978  +	return $output
          979  +}
          980  +
          981  +proc ::seccomp_bpf::_invert_op_direction {op} {
          982  +	switch -exact -- $op {
          983  +		">" { set op "<" }
          984  +		"<" { set op ">" }
          985  +		">=" { set op "<=" }
          986  +		"<=" { set op ">=" }
          987  +	}
          988  +
          989  +	return $op
          990  +}
          991  +proc ::seccomp_bpf::_parse_if {handle platform condition truelabel falselabel endlabel} {
          992  +	set a [lindex $condition 0]
          993  +	set b [lindex $condition 2]
          994  +	set op [lindex $condition 1]
          995  +	set postCompareOutput [list]
          996  +	set output [list]
          997  +
          998  +	if {$a eq $b} {
          999  +		if {$op in {== eq}} {
         1000  +			return [list "BPF_STMT(BPF_JMP, @@${truelabel}@@), /* if ($condition) always true */"]
         1001  +		} elseif {$op in {!= ne}} {
         1002  +			return [list "BPF_STMT(BPF_JMP, @@${falselabel}@@), /* if ($condition) always false */"]
         1003  +		}
         1004  +	}
         1005  +
         1006  +	set compareAgainst "K"
         1007  +	if {![_is_host_variable $a]} {
         1008  +		if {[_is_host_variable $b]} {
         1009  +			set x $a
         1010  +			set a $b
         1011  +			set b $a
         1012  +
         1013  +			set op [_invert_op_direction $op]
         1014  +		}
         1015  +	}
         1016  +
         1017  +	if {[_is_host_variable $b]} {
         1018  +		lappend output {*}[::seccomp_bpf::_load_var $b]
         1019  +		lappend output {BPF_STMT(BPF_ST, 0),}
         1020  +		lappend output {BPF_STMT(BPF_LDX | BPF_W | BPF_MEM, 0),}
         1021  +		set compareAgainst "X"
         1022  +		set b 0
         1023  +	} elseif {[_is_compiler_variable $b]} {
         1024  +		set b [_get_compiler_variable $handle $b]
         1025  +	}
         1026  +
         1027  +	lappend output {*}[::seccomp_bpf::_load_var $a]
         1028  +
         1029  +	switch -glob -- $a {
         1030  +		{$nr} {
         1031  +			set syscall_ids [list]
         1032  +			foreach syscall $b {
         1033  +				lappend syscall_ids {*}[set ::seccomp_bpf::_systemCallTableLookup_${platform}_($syscall)]
         1034  +			}
         1035  +			set b $syscall_ids
         1036  +
         1037  +			if {[llength $b] > 1} {
         1038  +				if {$op in {eq ==}} {
         1039  +					set op "in"
         1040  +				} elseif {$op in {ne !=}} {
         1041  +					set op "ni"
         1042  +				}
         1043  +			}
         1044  +		}
         1045  +		{$arch} {
         1046  +			set b "AUDIT_ARCH_[string toupper $b]"
         1047  +		}
         1048  +	}
         1049  +
         1050  +	switch -exact $op {
         1051  +		"==" - "eq" {
         1052  +			lappend output "BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_${compareAgainst}, $b, @@${truelabel}@@, @@${falselabel}@@),"
         1053  +		}
         1054  +		"!=" - "ne" {
         1055  +			lappend output "BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_${compareAgainst}, $b, @@${falselabel}@@, @@${truelabel}@@),"
         1056  +		}
         1057  +		"in" {
         1058  +			foreach item $b {
         1059  +				lappend output "BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_${compareAgainst}, $item, @@${truelabel}@@, 0),"
         1060  +			}
         1061  +			lappend output "BPF_STMT(BPF_JMP, @@${falselabel}@@),"
         1062  +		}
         1063  +		"ni" {
         1064  +			foreach item $b {
         1065  +				lappend output "BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_${compareAgainst}, $item, @@${falselabel}@@, 0),"
         1066  +			}
         1067  +			lappend output "BPF_STMT(BPF_JMP, @@${truelabel}@@),"
         1068  +		}
         1069  +		">" {
         1070  +			lappend output "BPF_JUMP(BPF_JMP | BPF_JGT | BPF_${compareAgainst}, $b, @@${truelabel}@@, @@${falselabel}@@),"
         1071  +		}
         1072  +		">=" {
         1073  +			lappend output "BPF_JUMP(BPF_JMP | BPF_JGE | BPF_${compareAgainst}, $b, @@${truelabel}@@, @@${falselabel}@@),"
         1074  +		}
         1075  +		"<" {
         1076  +			lappend output "BPF_JUMP(BPF_JMP | BPF_JGE | BPF_${compareAgainst}, $b, @@${falselabel}@@, @@${truelabel}@@),"
         1077  +		}
         1078  +		"<=" {
         1079  +			lappend output "BPF_JUMP(BPF_JMP | BPF_JGT | BPF_${compareAgainst}, $b, @@${falselabel}@@, @@${truelabel}@@),"
         1080  +		}
         1081  +		default {
         1082  +			return -code error "unimplemented: $op"
         1083  +		}
         1084  +	}
         1085  +
         1086  +	if {[llength $postCompareOutput] > 0} {
         1087  +		lappend output {*}$postCompareOutput
         1088  +	}
         1089  +
         1090  +	if {[llength $output] == 0} {
         1091  +		return [list]
         1092  +	}
         1093  +
         1094  +	set line0 [lindex $output 0]
         1095  +	set line0 "$line0 /* if ($condition) ... */"
         1096  +	set output [lreplace $output 0 0 $line0]
         1097  +
         1098  +	return $output
         1099  +}
         1100  +
         1101  +proc ::seccomp_bpf::_fix_labels {code} {
         1102  +	set line_number 0
         1103  +
         1104  +	array set labels [list]
         1105  +
         1106  +	# Eliminate pointless jumps
         1107  +	for {set idx 0} {$idx < [llength $code]} {incr idx} {
         1108  +		set line [lindex $code $idx]
         1109  +		if {[string match "BPF_STMT(BPF_JMP, @@*@@),*" $line]} {
         1110  +			regexp {^BPF_STMT\(BPF_JMP, (.*)\),.*$} $line -> jump_label
         1111  +
         1112  +			set nextlines [list]
         1113  +			for {set subidx [expr {$idx + 1}]} {$subidx < [llength $code]} {incr subidx} {
         1114  +				set nextline [lindex $code $subidx]
         1115  +				if {![string match "@@*@@" $nextline]} {
         1116  +					break
         1117  +				}
         1118  +				lappend nextlines $nextline
         1119  +			}
         1120  +
         1121  +			if {$jump_label in $nextlines} {
         1122  +				set code [lreplace $code $idx $idx]
         1123  +				incr idx -1
         1124  +				continue
         1125  +			}
         1126  +		}
         1127  +	}
         1128  +
         1129  +	foreach line $code {
         1130  +		if {[string match "@@*@@" $line]} {
         1131  +			set labels($line) $line_number
         1132  +			continue
         1133  +		}
         1134  +		incr line_number
         1135  +	}
         1136  +
         1137  +	set output [list]
         1138  +	foreach line $code {
         1139  +		if {[string match "@@*@@" $line]} {
         1140  +			continue
         1141  +		}
         1142  +
         1143  +		foreach {label jump_line_number} [array get labels] {
         1144  +			incr jump_line_number -1
         1145  +
         1146  +			# The kernel will forbid backwards jumps, so ensure we
         1147  +			# do not emit them
         1148  +			if {$jump_line_number < 0} {
         1149  +				unset labels($label)
         1150  +				continue
         1151  +			}
         1152  +
         1153  +			set labels($label) $jump_line_number
         1154  +		}
         1155  +		set line [string map [array get labels] $line]
         1156  +
         1157  +		lappend output $line
         1158  +	}
         1159  +
         1160  +	return $output
         1161  +}
         1162  +
         1163  +proc ::seccomp_bpf::_eval {handle platform code {label ""}} {
         1164  +	set output [list]
         1165  +
         1166  +	if {$label ne ""} {
         1167  +		lappend output "@@${label}@@"
         1168  +	}
         1169  +
         1170  +	if {$code eq ""} {
         1171  +		return [list]
         1172  +	}
         1173  +
         1174  +	set if_idx -1
         1175  +	for {set idx 0} {$idx < [llength $code]} {incr idx} {
         1176  +		set word [lindex $code $idx]
         1177  +		switch -exact -- $word {
         1178  +			"if" {
         1179  +				incr if_idx
         1180  +
         1181  +				set condition [lindex $code [incr idx]]
         1182  +				set code_true [lindex $code [incr idx]]
         1183  +				set check_else [lindex $code [expr {$idx + 1}]]
         1184  +				if {$check_else eq "else"} {
         1185  +					incr idx
         1186  +					set code_false [lindex $code [incr idx]]
         1187  +				} else {
         1188  +					set code_false ""
         1189  +				}
         1190  +
         1191  +				set label_end ${label}.if_end.${if_idx}
         1192  +				set label_true ${label}.if_true.${if_idx}
         1193  +				set label_false ${label}.if_false.${if_idx}
         1194  +
         1195  +				if {$code_true eq ""} {
         1196  +					set label_true $label_end
         1197  +				}
         1198  +
         1199  +				if {$code_false eq ""} {
         1200  +					set label_false $label_end
         1201  +				}
         1202  +
         1203  +				if {$label_true != $label_end || $label_false != $label_end} {
         1204  +					lappend output {*}[::seccomp_bpf::_parse_if $handle $platform $condition $label_true $label_false $label_end]
         1205  +				}
         1206  +				if {$code_true ne ""} {
         1207  +					lappend output {*}[::seccomp_bpf::_eval $handle $platform $code_true $label_true]
         1208  +				}
         1209  +				if {$code_false ne ""} {
         1210  +					lappend output {*}[::seccomp_bpf::_eval $handle $platform $code_false $label_false]
         1211  +				}
         1212  +				lappend output "@@${label}.if_end.${if_idx}@@"
         1213  +			}
         1214  +			"return" {
         1215  +				set retcode [lindex $code [incr idx]]
         1216  +
         1217  +				switch -exact $retcode {
         1218  +					"allow" {
         1219  +						lappend output {BPF_STMT(BPF_RET, SECCOMP_RET_ALLOW),}
         1220  +					}
         1221  +					"trap" {
         1222  +						lappend output {BPF_STMT(BPF_RET, SECCOMP_RET_TRAP),}
         1223  +					}
         1224  +					"kill" {
         1225  +						lappend output {BPF_STMT(BPF_RET, SECCOMP_RET_KILL),}
         1226  +					}
         1227  +					"errno" {
         1228  +						set retcode_errno [lindex $code [incr idx]]
         1229  +						lappend output "BPF_STMT(BPF_RET, SECCOMP_RET_ERRNO | $retcode_errno),"
         1230  +					}
         1231  +				}
         1232  +			}
         1233  +			default {
         1234  +				return -code error "Unknown: $word"
         1235  +			}
         1236  +		}
         1237  +	}
         1238  +
         1239  +	return $output
         1240  +}
         1241  +
         1242  +proc ::seccomp_bpf::generate {handle} {
         1243  +	set output [list]
         1244  +	lappend output {BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof(struct seccomp_data, arch))), /* Load architecture */}
         1245  +	foreach platform $::seccomp_bpf::_platforms($handle) {
         1246  +		set platform_id "AUDIT_ARCH_[string toupper $platform]"
         1247  +
         1248  +		lappend output "BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, $platform_id, @@platform_${platform}@@, 0),"
         1249  +	}
         1250  +	lappend output {*}[::seccomp_bpf::_eval $handle $platform "return trap"]
         1251  +
         1252  +	foreach platform $::seccomp_bpf::_platforms($handle) {
         1253  +		if {![dict exists $::seccomp_bpf::_platform_code($handle) $platform]} {
         1254  +			error "The platform $platform must have code defined for it."
         1255  +		}
         1256  +
         1257  +		set code [dict get $::seccomp_bpf::_platform_code($handle) $platform]
         1258  +
         1259  +		lappend output {*}[::seccomp_bpf::_eval $handle $platform $code "platform_$platform"]
         1260  +	}
         1261  +
         1262  +	set output [_fix_labels $output]
         1263  +
         1264  +	return [join $output "\n"]
         1265  +}
         1266  +
         1267  +proc ::seccomp_bpf::code {handle platform code} {
         1268  +	dict set ::seccomp_bpf::_platform_code($handle) $platform $code
         1269  +}
         1270  +
         1271  +proc ::seccomp_bpf::set_variable {handle variable value} {
         1272  +	dict set ::seccomp_bpf::_variables($handle) $variable $value
         1273  +}
         1274  +# ----
         1275  +
         1276  +set handle [::seccomp_bpf::new]
         1277  +
         1278  +if {[llength $argv] == 0} {
         1279  +	puts stderr "Usage: generate-seccomp-filter <filter-file> \[<platformName> <platformSyscallTable> \[<platformName> <platformSyscallTable>\]...\]"
         1280  +	exit 1
         1281  +}
         1282  +
         1283  +set seccompFile [lindex $argv 0]
         1284  +set argv [lrange $argv 1 end]
         1285  +foreach {platform file} $argv {
         1286  +	if {$file eq ""} {
         1287  +		set data ""
         1288  +	} else {
         1289  +		set data [read [open $file]]
         1290  +	}
         1291  +	::seccomp_bpf::init_platform $handle $platform $data
         1292  +}
         1293  +
         1294  +set seccompData [read [open $seccompFile]]
         1295  +
         1296  +for {set idx 0} {$idx < [llength $seccompData]} {incr idx} {
         1297  +	set platformOrCommand [lindex $seccompData $idx]
         1298  +	switch -exact $platformOrCommand {
         1299  +		"set" {
         1300  +			incr idx
         1301  +			set variable [lindex $seccompData $idx]
         1302  +			incr idx
         1303  +			set value [lindex $seccompData $idx]
         1304  +			::seccomp_bpf::set_variable $handle $variable $value
         1305  +		}
         1306  +		default {
         1307  +			set platform $platformOrCommand
         1308  +
         1309  +			incr idx
         1310  +			set code [lindex $seccompData $idx]
         1311  +
         1312  +			::seccomp_bpf::code $handle $platform $code
         1313  +		}
         1314  +	}
         1315  +}
         1316  +
         1317  +puts [::seccomp_bpf::generate $handle]
         1318  +
         1319  +exit 0