The sched_setscheduler requires to set the pid of the process we want to
change the priority, this adds a new metadata for getting the target pid
at runtime.

Add a couple of syscalls for the scheduler in the string parsing.

Signed-off-by: Alice Frosi <afrosi@redhat.com>

Generate the OCI seccomp profile instead of directly the BPF filter. The
seccomp profile will be used consquently by the container runtime as
input in order to generate the BPF filter.

Example with mknod:
$ seitan-cooker -g /tmp/gluten -p /tmp/scmp_prof.json -s seccomp.json -i demo/mknod.hjson
$ seitan -s /tmp/seitan.sock -i /tmp/gluten
$ podman run --cap-drop ALL
  --security-opt=seccomp=/tmp/scmp_prof.json  \
  --annotation run.oci.seccomp.receiver=/tmp/seitan.sock  \
  -ti fedora   \
  sh -c 'mknod /dev/lol c 1 7 && ls /dev/lol'
/dev/lol

Signed-off-by: Alice Frosi <afrosi@redhat.com>

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

As discussed with Alice -- 'reuse lint' passes now.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

...mostly.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

Pseudorandom changes and progress around cooker and seitan:

- cooker:
  - rename matching functions, split match.c
  - fix up SELECT semantics
  - add some form of handling for all syscalls in the example
    (some stubs)
  - OP_CMP for all basic and compound types except for flags
  - link jumps to next block and next match
  - completed implementation of tags
  - gluten write
  - filter clean-ups, write filters (probably not working)

- seitan:
  - load gluten and source instructions and data from there

$ ./seitan-cooker cooker/example.hjson example.gluten example.bpf
Parsing block 0
 Parsing match 0: connect
  Found description for connect
   0: OP_NR: if syscall number is not 0, jump to next block
  Parsing match argument fd
   setting tag reference 'fd'
   tag 'fd' now refers to seccomp data at 0
  Parsing match argument addr
   allocating 128 at offset 0
   1: OP_LOAD: #0 < args[1] (size: 128)
   C#0: (INT) 1
   2: OP_CMP: if temporary data: #0 NE (size: 4) read-only data: #0, jump to next block
   C#4: (STRING:24) /var/run/pr-helper.sock
   3: OP_CMP: if temporary data: #0 NE (size: 24) read-only data: #4, jump to next block
   Linking match...
   Linking block...
    linked jump of instruction #0 to #4
    linked jump of instruction #2 to #4
    linked jump of instruction #3 to #4
Parsing block 1
 Parsing match 0: ioctl
  Found description for ioctl
   4: OP_NR: if syscall number is not 112, jump to next block
  Parsing match argument path
  Parsing match argument request
   C#28: (INT) 1074025674
   5: OP_CMP: if seccomp data: #1 NE (size: 4) read-only data: #28, jump to next block
  Parsing match argument ifr
   allocating 40 at offset 128
   6: OP_LOAD: #128 < args[2] (size: 40)
   C#32: (STRING:5) tap0
   7: OP_CMP: if temporary data: #128 NE (size: 5) read-only data: #32, jump to next block
   C#37: (INT) 1
   8: OP_CMP: if temporary data: #128 NE (size: 4) read-only data: #37, jump to next block
   Linking match...
   Linking block...
    linked jump of instruction #4 to #9
    linked jump of instruction #5 to #9
    linked jump of instruction #7 to #9
    linked jump of instruction #8 to #9
Parsing block 2
 Parsing match 0: unshare
  Found description for unshare
   9: OP_NR: if syscall number is not 164, jump to next block
  Parsing match argument flags
   Linking match...
   Linking block...
    linked jump of instruction #9 to #10
Parsing block 3
 Parsing match 0: unshare
  Found description for unshare
   10: OP_NR: if syscall number is not 164, jump to next block
  Parsing match argument flags
   Linking match...
   Linking block...
    linked jump of instruction #10 to #11
Parsing block 4
 Parsing match 0: mknod
  Found description for mknod
   11: OP_NR: if syscall number is not 164, jump to next block
  Parsing match argument path
   allocating 1 at offset 168
   12: OP_LOAD: #168 < args[0] (size: 1)
   setting tag reference 'path'
   tag 'path' now refers to temporary data at 168
  Parsing match argument mode
  Parsing match argument major
  Parsing match argument minor
   setting tag reference 'minor'
   tag 'minor' now refers to seccomp data at 2
   Linking match...
   Linking block...
    linked jump of instruction #11 to #13

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

Only tangentially related:

- make seitan C99 again, so that I can build cooker without warnings

- make Makefiles make use of the usual conventions about assigning
  directory paths in variables, drop numbers.h as requirement for
  cooker and make it convenient to run stand-alone Makefiles

- fix up nr_syscalls.sh to be POSIX, otherwise it will give syntax
  errors on my system

- define a single, common way to refer to offsets in gluten, and
  functions to use those offsets in a safe way. Immediates are gone:
  cooker will write any bit of "data" to the read-only section

- call const what has to be const

- define on-disk layout for gluten

- add OP_NR (to check syscall numbers), rename OP_COPY_ARGS to
  OP_LOAD (it loads _selected_ stuff from arguments)

As for cooker itself:

- drop ARG_ and arg_ prefixes from struct names, and similar

- add/rework functions to build OP_NR, OP_LOAD, OP_CMP, and to
  write constant data to gluten

- add parsing for "compound" arguments, but that's not completely
  hooked into evaluation for numeric arguments yet

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

Integration of filter part in cooker. The filter requires the AUDIT_ARCH variable.