// Installs the process seccomp filter: everything not in SECCOMP_ALLOWED_SYSCALLS
// (plus EXIT/EXIT_GROUP) gets the default action chosen below.
// Exits the process on any setup failure; in the SECCOMP_ENABLED=false build it
// only refuses to run on non-dev machines.
// NOTE(review): the filter applies to the calling thread and to threads created
// afterwards; call this before spawning worker threads (or enable the libseccomp
// TSYNC attribute) — confirm against the binding.
sec_seccomp_init :: () {
    #if !SECCOMP_ENABLED {
        // Running without a syscall filter is only acceptable on a dev machine.
        log_error("SECCOMP IS DISABLED!");
        if !is_dev_machine() then exit(99);
        return;
    }

    // Route everything logged below through the "Seccomp"-prefixed logger.
    new_context := context;
    new_context.logger = my_logger;
    push_context,defer_pop new_context;

    // One allow-rule statement per entry; expanded at compile time by the #insert below.
    SECCOMP_TEMPLATE :: "had_error |= seccomp_rule_add(ctx, .ALLOW, .%);";

    // Default action for any syscall not explicitly allowed:
    //   armed    -> KILL_PROCESS: the whole process is killed on a violation.
    //   not armed -> LOG: the violation is only logged, the syscall still runs.
    // LOG mode therefore enforces nothing; it is for discovering missing entries.
    #if SECCOMP_ARMED {
        ctx := seccomp_init(.KILL_PROCESS);
    } else {
        ctx := seccomp_init(.LOG);
    }
    // Registered before the null check; exit() below does not run defers, so
    // this only matters on the success path.
    defer seccomp_release(ctx);
    if !ctx {
        log_error("Init failed");
        exit(1);
    }

    // Accumulates failures from every rule_add; checked once, after all rules.
    // NOTE(review): relies on the binding's seccomp_rule_add yielding a
    // non-zero/true value on failure (the C API returns 0 on success and a
    // negative errno) — verify against the binding's signature.
    had_error := false;

    // Compile-time expansion: one `had_error |= seccomp_rule_add(ctx, .ALLOW, .<NAME>);`
    // line per entry of SECCOMP_ALLOWED_SYSCALLS.
    #insert -> string {
        buf: String_Builder;
        for SECCOMP_ALLOWED_SYSCALLS {
            template := tprint(SECCOMP_TEMPLATE, it);
            append(*buf, template);
        }
        s := builder_to_string(*buf);
        return s;
    }

    // Always allowed so the process can terminate cleanly regardless of the list.
    // NOTE(review): EXIT_GROUP is also in SECCOMP_ALLOWED_SYSCALLS, so it is added
    // twice; whether libseccomp reports an identical duplicate rule as an error
    // (-EEXIST) depends on the version — confirm, or drop one of the two.
    had_error |= seccomp_rule_add(ctx, .ALLOW, .EXIT);
    had_error |= seccomp_rule_add(ctx, .ALLOW, .EXIT_GROUP);
    if had_error {
        log_error("Could not add rules.");
        exit(1);
    }

    // Hands the filter to the kernel; from here on it cannot be removed.
    // NOTE(review): libseccomp sets no_new_privs by default on load — confirm
    // the binding does not override that attribute.
    if seccomp_load(ctx) < 0 {
        log_error("Could not load context into kernel");
        exit(1);
    }

    #if SECCOMP_ARMED then log("is armed.");
    else log("is in log mode! NOT ARMED!");
}

#scope_file

/** Copy pasta from dev/syscalls.py */
// Allowlist of syscalls the process may make. Kept in sync by hand with
// dev/syscalls.py — any drift between the two shows up as kills (armed) or
// log entries (LOG mode) rather than as a build error.
SECCOMP_ALLOWED_SYSCALLS :: string.[
    "READ",
    "FSTAT",
    "CLOSE",
    "MADVISE",
    "RT_SIGRETURN",
    "WRITE",
    "FUTEX",
    "EPOLL_WAIT",
    "RECVFROM",
    "ACCEPT",
    "SENDTO",
    "MMAP",
    "MUNMAP",
    "EPOLL_CTL",
    "EXIT_GROUP",
    "FCNTL",
    "OPENAT",
    "LSEEK",
];

// Logger used while the seccomp context is pushed in sec_seccomp_init.
my_logger :: #bake_arguments base_logger(prefix="Seccomp");