author | Ayush Ranjan <ayushranjan@google.com> | 2021-03-03 10:23:55 -0800 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2021-03-03 10:25:58 -0800 |
commit | a9441aea2780da8c93da1c73da860219f98438de (patch) | |
tree | 8b12915756f5bfb926218214cd7bc0b3281605fd /pkg/seccomp | |
parent | b8a5420f49a2afd622ec08b5019e1bf537f7da82 (diff) |
[op] Replace syscall package usage with golang.org/x/sys/unix in pkg/.
The syscall package has been deprecated in favor of golang.org/x/sys.
Note that syscall is still used in the following places:
- pkg/sentry/socket/hostinet/stack.go: some netlink-related functionality is
not yet available in golang.org/x/sys.
- syscall.Stat_t is still used in some places because os.FileInfo.Sys() still
returns it and not unix.Stat_t.
Updates #214
PiperOrigin-RevId: 360701387
Diffstat (limited to 'pkg/seccomp')
-rw-r--r-- | pkg/seccomp/BUILD | 6 | ||||
-rw-r--r-- | pkg/seccomp/seccomp_test_victim.go | 130 | ||||
-rw-r--r-- | pkg/seccomp/seccomp_test_victim_amd64.go | 10 | ||||
-rw-r--r-- | pkg/seccomp/seccomp_test_victim_arm64.go | 4 | ||||
-rw-r--r-- | pkg/seccomp/seccomp_unsafe.go | 12 |
5 files changed, 83 insertions, 79 deletions
diff --git a/pkg/seccomp/BUILD b/pkg/seccomp/BUILD
index e828894b0..201dd072f 100644
--- a/pkg/seccomp/BUILD
+++ b/pkg/seccomp/BUILD
@@ -11,7 +11,10 @@ go_binary(
 "seccomp_test_victim_arm64.go",
 ],
 nogo = False,
- deps = [":seccomp"],
+ deps = [
+ ":seccomp",
+ "@org_golang_x_sys//unix:go_default_library",
+ ],
 )
 go_embed_data(
@@ -36,6 +39,7 @@ go_library(
 "//pkg/abi/linux",
 "//pkg/bpf",
 "//pkg/log",
+ "@org_golang_x_sys//unix:go_default_library",
 ],
 )
diff --git a/pkg/seccomp/seccomp_test_victim.go b/pkg/seccomp/seccomp_test_victim.go
index 7f33e0d9e..a96b1e327 100644
--- a/pkg/seccomp/seccomp_test_victim.go
+++ b/pkg/seccomp/seccomp_test_victim.go
@@ -20,8 +20,8 @@ import (
 "flag"
 "fmt"
 "os"
- "syscall"
+ "golang.org/x/sys/unix"
 "gvisor.dev/gvisor/pkg/seccomp"
 )
@@ -30,75 +30,75 @@ func main() {
 flag.Parse()
 syscalls := seccomp.SyscallRules{
- syscall.SYS_ACCEPT: {},
- syscall.SYS_BIND: {},
- syscall.SYS_BRK: {},
- syscall.SYS_CLOCK_GETTIME: {},
- syscall.SYS_CLONE: {},
- syscall.SYS_CLOSE: {},
- syscall.SYS_DUP: {},
- syscall.SYS_DUP3: {},
- syscall.SYS_EPOLL_CREATE1: {},
- syscall.SYS_EPOLL_CTL: {},
- syscall.SYS_EPOLL_PWAIT: {},
- syscall.SYS_EXIT: {},
- syscall.SYS_EXIT_GROUP: {},
- syscall.SYS_FALLOCATE: {},
- syscall.SYS_FCHMOD: {},
- syscall.SYS_FCNTL: {},
- syscall.SYS_FSTAT: {},
- syscall.SYS_FSYNC: {},
- syscall.SYS_FTRUNCATE: {},
- syscall.SYS_FUTEX: {},
- syscall.SYS_GETDENTS64: {},
- syscall.SYS_GETPEERNAME: {},
- syscall.SYS_GETPID: {},
- syscall.SYS_GETSOCKNAME: {},
- syscall.SYS_GETSOCKOPT: {},
- syscall.SYS_GETTID: {},
- syscall.SYS_GETTIMEOFDAY: {},
- syscall.SYS_LISTEN: {},
- syscall.SYS_LSEEK: {},
- syscall.SYS_MADVISE: {},
- syscall.SYS_MINCORE: {},
- syscall.SYS_MMAP: {},
- syscall.SYS_MPROTECT: {},
- syscall.SYS_MUNLOCK: {},
- syscall.SYS_MUNMAP: {},
- syscall.SYS_NANOSLEEP: {},
- syscall.SYS_PPOLL: {},
- syscall.SYS_PREAD64: {},
- syscall.SYS_PSELECT6: {},
- syscall.SYS_PWRITE64: {},
- syscall.SYS_READ: {},
- syscall.SYS_READLINKAT: {},
- syscall.SYS_READV: {},
- syscall.SYS_RECVMSG: {},
- syscall.SYS_RENAMEAT: {},
- syscall.SYS_RESTART_SYSCALL: {},
- syscall.SYS_RT_SIGACTION: {},
- syscall.SYS_RT_SIGPROCMASK: {},
- syscall.SYS_RT_SIGRETURN: {},
- syscall.SYS_SCHED_YIELD: {},
- syscall.SYS_SENDMSG: {},
- syscall.SYS_SETITIMER: {},
- syscall.SYS_SET_ROBUST_LIST: {},
- syscall.SYS_SETSOCKOPT: {},
- syscall.SYS_SHUTDOWN: {},
- syscall.SYS_SIGALTSTACK: {},
- syscall.SYS_SOCKET: {},
- syscall.SYS_SYNC_FILE_RANGE: {},
- syscall.SYS_TGKILL: {},
- syscall.SYS_UTIMENSAT: {},
- syscall.SYS_WRITE: {},
- syscall.SYS_WRITEV: {},
+ unix.SYS_ACCEPT: {},
+ unix.SYS_BIND: {},
+ unix.SYS_BRK: {},
+ unix.SYS_CLOCK_GETTIME: {},
+ unix.SYS_CLONE: {},
+ unix.SYS_CLOSE: {},
+ unix.SYS_DUP: {},
+ unix.SYS_DUP3: {},
+ unix.SYS_EPOLL_CREATE1: {},
+ unix.SYS_EPOLL_CTL: {},
+ unix.SYS_EPOLL_PWAIT: {},
+ unix.SYS_EXIT: {},
+ unix.SYS_EXIT_GROUP: {},
+ unix.SYS_FALLOCATE: {},
+ unix.SYS_FCHMOD: {},
+ unix.SYS_FCNTL: {},
+ unix.SYS_FSTAT: {},
+ unix.SYS_FSYNC: {},
+ unix.SYS_FTRUNCATE: {},
+ unix.SYS_FUTEX: {},
+ unix.SYS_GETDENTS64: {},
+ unix.SYS_GETPEERNAME: {},
+ unix.SYS_GETPID: {},
+ unix.SYS_GETSOCKNAME: {},
+ unix.SYS_GETSOCKOPT: {},
+ unix.SYS_GETTID: {},
+ unix.SYS_GETTIMEOFDAY: {},
+ unix.SYS_LISTEN: {},
+ unix.SYS_LSEEK: {},
+ unix.SYS_MADVISE: {},
+ unix.SYS_MINCORE: {},
+ unix.SYS_MMAP: {},
+ unix.SYS_MPROTECT: {},
+ unix.SYS_MUNLOCK: {},
+ unix.SYS_MUNMAP: {},
+ unix.SYS_NANOSLEEP: {},
+ unix.SYS_PPOLL: {},
+ unix.SYS_PREAD64: {},
+ unix.SYS_PSELECT6: {},
+ unix.SYS_PWRITE64: {},
+ unix.SYS_READ: {},
+ unix.SYS_READLINKAT: {},
+ unix.SYS_READV: {},
+ unix.SYS_RECVMSG: {},
+ unix.SYS_RENAMEAT: {},
+ unix.SYS_RESTART_SYSCALL: {},
+ unix.SYS_RT_SIGACTION: {},
+ unix.SYS_RT_SIGPROCMASK: {},
+ unix.SYS_RT_SIGRETURN: {},
+ unix.SYS_SCHED_YIELD: {},
+ unix.SYS_SENDMSG: {},
+ unix.SYS_SETITIMER: {},
+ unix.SYS_SET_ROBUST_LIST: {},
+ unix.SYS_SETSOCKOPT: {},
+ unix.SYS_SHUTDOWN: {},
+ unix.SYS_SIGALTSTACK: {},
+ unix.SYS_SOCKET: {},
+ unix.SYS_SYNC_FILE_RANGE: {},
+ unix.SYS_TGKILL: {},
+ unix.SYS_UTIMENSAT: {},
+ unix.SYS_WRITE: {},
+ unix.SYS_WRITEV: {},
 }
 arch_syscalls(syscalls)
 die := *dieFlag
 if !die {
- syscalls[syscall.SYS_OPENAT] = []seccomp.Rule{
+ syscalls[unix.SYS_OPENAT] = []seccomp.Rule{
 {
 seccomp.EqualTo(10),
 },
@@ -111,6 +111,6 @@ func main() {
 }
 fmt.Printf("Filters installed\n")
- syscall.RawSyscall(syscall.SYS_OPENAT, 10, 0, 0)
+ unix.RawSyscall(unix.SYS_OPENAT, 10, 0, 0)
 fmt.Printf("Syscall was allowed!!!\n")
 }
diff --git a/pkg/seccomp/seccomp_test_victim_amd64.go b/pkg/seccomp/seccomp_test_victim_amd64.go
index 5dfc68e25..efb8604ec 100644
--- a/pkg/seccomp/seccomp_test_victim_amd64.go
+++ b/pkg/seccomp/seccomp_test_victim_amd64.go
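Review bot: The return values of `unix.RawSyscall(unix.SYS_OPENAT, 10, 0, 0)` are discarded, so the victim prints "Syscall was allowed!!!" both when the call reached the kernel and when a filter action returned an errno without killing the process; only a killing action is distinguishable from this output. Capturing the errno keeps the victim informative if the filter's default action ever changes, e.g. `if _, _, errno := unix.RawSyscall(unix.SYS_OPENAT, 10, 0, 0); errno != 0 { fmt.Printf("Syscall returned errno %v\n", errno) }` before the existing print. The operand 10 is the dirfd matched by the `seccomp.EqualTo(10)` rule above rather than a descriptor the victim opened, which looks intentional but deserves a one-line comment such as `// dirfd 10 matches the EqualTo(10) rule; the path pointer is deliberately NULL.` main's body begins before this hunk.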
@@ -20,13 +20,13 @@ package main
 import (
+ "golang.org/x/sys/unix"
 "gvisor.dev/gvisor/pkg/seccomp"
- "syscall"
 )
 func arch_syscalls(syscalls seccomp.SyscallRules) {
- syscalls[syscall.SYS_ARCH_PRCTL] = []seccomp.Rule{}
- syscalls[syscall.SYS_EPOLL_WAIT] = []seccomp.Rule{}
- syscalls[syscall.SYS_NEWFSTATAT] = []seccomp.Rule{}
- syscalls[syscall.SYS_OPEN] = []seccomp.Rule{}
+ syscalls[unix.SYS_ARCH_PRCTL] = []seccomp.Rule{}
+ syscalls[unix.SYS_EPOLL_WAIT] = []seccomp.Rule{}
+ syscalls[unix.SYS_NEWFSTATAT] = []seccomp.Rule{}
+ syscalls[unix.SYS_OPEN] = []seccomp.Rule{}
 }
diff --git a/pkg/seccomp/seccomp_test_victim_arm64.go b/pkg/seccomp/seccomp_test_victim_arm64.go
index 5184d8ac4..97cb5f5fe 100644
--- a/pkg/seccomp/seccomp_test_victim_arm64.go
+++ b/pkg/seccomp/seccomp_test_victim_arm64.go
@@ -20,10 +20,10 @@ package main
 import (
+ "golang.org/x/sys/unix"
 "gvisor.dev/gvisor/pkg/seccomp"
- "syscall"
 )
 func arch_syscalls(syscalls seccomp.SyscallRules) {
- syscalls[syscall.SYS_FSTATAT] = []seccomp.Rule{}
+ syscalls[unix.SYS_FSTATAT] = []seccomp.Rule{}
 }
diff --git a/pkg/seccomp/seccomp_unsafe.go b/pkg/seccomp/seccomp_unsafe.go
index f7e986589..7202591df 100644
--- a/pkg/seccomp/seccomp_unsafe.go
+++ b/pkg/seccomp/seccomp_unsafe.go
@@ -15,9 +15,9 @@ package seccomp
 import (
- "syscall"
 "unsafe"
+ "golang.org/x/sys/unix"
 "gvisor.dev/gvisor/pkg/abi/linux"
 )
@@ -26,9 +26,9 @@ import (
 // This is safe to call from an afterFork context.
 //
 //go:nosplit
-func SetFilter(instrs []linux.BPFInstruction) syscall.Errno {
+func SetFilter(instrs []linux.BPFInstruction) unix.Errno {
 // PR_SET_NO_NEW_PRIVS is required in order to enable seccomp. See seccomp(2) for details.
- if _, _, errno := syscall.RawSyscall6(syscall.SYS_PRCTL, linux.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0, 0); errno != 0 {
+ if _, _, errno := unix.RawSyscall6(unix.SYS_PRCTL, linux.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0, 0); errno != 0 {
 return errno
 }
@@ -44,7 +44,7 @@ func isKillProcessAvailable() (bool, error) {
 if errno := seccomp(linux.SECCOMP_GET_ACTION_AVAIL, 0, unsafe.Pointer(&action)); errno != 0 {
 // EINVAL: SECCOMP_GET_ACTION_AVAIL not in this kernel yet.
 // EOPNOTSUPP: SECCOMP_RET_KILL_PROCESS not supported.
- if errno == syscall.EINVAL || errno == syscall.EOPNOTSUPP {
+ if errno == unix.EINVAL || errno == unix.EOPNOTSUPP {
 return false, nil
 }
 return false, errno
@@ -55,8 +55,8 @@ func isKillProcessAvailable() (bool, error) {
 // seccomp calls seccomp(2). This is safe to call from an afterFork context.
 //
 //go:nosplit
-func seccomp(op, flags uint32, ptr unsafe.Pointer) syscall.Errno {
- if _, _, errno := syscall.RawSyscall(SYS_SECCOMP, uintptr(op), uintptr(flags), uintptr(ptr)); errno != 0 {
+func seccomp(op, flags uint32, ptr unsafe.Pointer) unix.Errno {
+ if _, _, errno := unix.RawSyscall(SYS_SECCOMP, uintptr(op), uintptr(flags), uintptr(ptr)); errno != 0 {
 return errno
 }
 return 0
|
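Review bot: The new `unix.RawSyscall(SYS_SECCOMP, ...)` in seccomp() still takes its syscall number from a package-local SYS_SECCOMP constant while every other number in this commit now comes from x/sys/unix; that package exports SYS_SECCOMP for linux/amd64 and linux/arm64, so `unix.SYS_SECCOMP` would let the local per-arch definition go if mirroring the number is all it does (its definition is not visible here). The `return 0` at the end of the hunk is followed by seccomp()'s closing brace outside it. The `//go:nosplit` afterFork contract on SetFilter and seccomp() presumably still holds because unix.RawSyscall/RawSyscall6 bypass the runtime's enter/exit-syscall hooks just as the syscall versions did; a comment such as `// RawSyscall (not Syscall) keeps this usable from the afterFork context: no runtime syscall hooks, no stack growth.` on the seccomp() call site would record that reasoning for the next maintainer.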