bunpen: clone: place the clone flags behind an enum

pkgs/additional/bunpen/restrict/namespace.ha

@@ -19,24 +19,24 @@ export fn namespace_restrict(what: *resources) void = {
 
   // unshare as much as possible, by default:
   let what_to_unshare =
-    rtext::CLONE_NEWCGROUP |
+    rtext::clone_flag::NEWCGROUP |
-    rtext::CLONE_NEWIPC |
+    rtext::clone_flag::NEWIPC |
-    rtext::CLONE_NEWNET |
+    rtext::clone_flag::NEWNET |
-    rtext::CLONE_NEWNS |
+    rtext::clone_flag::NEWNS |
-    rtext::CLONE_NEWPID |
+    rtext::clone_flag::NEWPID |
-    rtext::CLONE_NEWUSER |
+    rtext::clone_flag::NEWUSER |
-    rtext::CLONE_NEWUTS
+    rtext::clone_flag::NEWUTS
   ;
   if (what.net) {
     log::println("[namespace] keeping net namespace");
-    what_to_unshare &= ~rtext::CLONE_NEWNET;
+    what_to_unshare &= ~rtext::clone_flag::NEWNET;
   };
   if (what.pid) {
     log::println("[namespace] keeping pid namespace");
-    what_to_unshare &= ~rtext::CLONE_NEWPID;
+    what_to_unshare &= ~rtext::clone_flag::NEWPID;
   };
 
-  log::printfln("[namespace] unshare {}", what_to_unshare);
+  log::printfln("[namespace] unshare {}", what_to_unshare: u64);
   rtext::unshare(what_to_unshare)!;
 
   // before mounting anything, set up the uids and gids in this namespace.

pkgs/additional/bunpen/rtext/unshare.ha

@@ -1,39 +1,43 @@
 // vim: set shiftwidth=2 :
 use rt;
 
-//// for use with `setns`, `unshare`, `clone` syscalls
+// for use with `setns`, `unshare`, `clone` syscalls
-// new time namespace. calling process is NOT moved into the namespace.
+export type clone_flag = enum u64 {
-export const CLONE_NEWTIME: u64 = 0x00000080;
+  // new time namespace. calling process is NOT moved into the namespace.
+  NEWTIME = 0x00000080,
 
-// new mount namespace.
+  // new mount namespace.
-// CLONE_NEWNS implies CLONE_FS.
+  // NEWNS implies FS.
-export const CLONE_NEWNS: u64 = 0x00020000;
+  NEWNS = 0x00020000,
 
-export const CLONE_NEWCGROUP: u64 = 0x02000000;
+  NEWCGROUP = 0x02000000,
 
-// new utsname namespace
+  // new utsname namespace
-export const CLONE_NEWUTS: u64 = 0x04000000;
+  NEWUTS = 0x04000000,
 
-// CLONE_NEWIPC implies CLONE_SYSVSEM.
+  // NEWIPC implies SYSVSEM.
-export const CLONE_NEWIPC: u64 = 0x08000000;
+  NEWIPC = 0x08000000,
 
-// CLONE_NEWUSER implies CLONE_THREAD and CLONE_FS.
+  // NEWUSER implies THREAD and FS.
-// calling process must NOT be multi-threaded.
+  // calling process must NOT be multi-threaded.
-export const CLONE_NEWUSER: u64 = 0x10000000;
+  NEWUSER = 0x10000000,
 
-// new process ID namespace. calling process is NOT moved into the namespace.
+  // new process ID namespace. calling process is NOT moved into the namespace.
-// the first new child spawned becomes pid 1 and has the role of init(1).
+  // the first new child spawned becomes pid 1 and has the role of init(1).
-// CLONE_NEWPID implies CLONE_THREAD.
+  // NEWPID implies THREAD.
-export const CLONE_NEWPID: u64 = 0x20000000;
+  NEWPID = 0x20000000,
 
-export const CLONE_NEWNET: u64 = 0x40000000;
+  NEWNET = 0x40000000,
 
-// additional CLONE flags in kernel, omitted until i need them.
+  // additional CLONE flags in kernel, omitted until i need them.
+};
+// union of `clone_flag`
+export type clone_flags = u64;
 
 // export fn setns(ns_fd: i32, nstype: i32) (rt::errno | u64) = {
 //   return syscall(rt::SYS_setns, ns_fd: u64, nstype: u64);
 // };
 
-export fn unshare(flags: u64) (rt::errno | u64) = {
+export fn unshare(flags: clone_flags) (rt::errno | u64) = {
   return syscall(rt::SYS_unshare, flags);
 };