virtio-devices, vmm: Move to the seccompiler crate

Fixes: #2929 Signed-off-by: Bo Chen <chen.bo@intel.com>
2024-06-30 23:12:36 +00:00 · 2021-08-16 20:40:11 -07:00 · 2021-08-16 20:40:11 -07:00 · 08ac3405f5
commit 08ac3405f5
parent c7f75f9d59
27 changed files with 693 additions and 677 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -204,7 +204,7 @@ dependencies = [
 "log",
 "net_util",
 "option_parser",
- "seccomp",
+ "seccompiler",
 "serde_json",
 "signal-hook",
 "test_infra",
@ -873,9 +873,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"

 [[package]]
-name = "seccomp"
+name = "seccompiler"
 version = "0.1.0"
-source = "git+https://github.com/firecracker-microvm/firecracker?tag=v0.24.5#cd36c699f3cb3d531289aadee26c45c1306edcfc"
+source = "git+https://github.com/rust-vmm/seccompiler#da5788d52f1ae8886d8ed4624199b7e9fa64ac04"
 dependencies = [
 "libc",
 ]
@ -1223,7 +1223,7 @@ dependencies = [
 "net_util",
 "pci",
 "rate_limiter",
- "seccomp",
+ "seccompiler",
 "serde",
 "serde_derive",
 "serde_json",
@ -1337,7 +1337,7 @@ dependencies = [
 "option_parser",
 "pci",
 "qcow",
- "seccomp",
+ "seccompiler",
 "serde",
 "serde_derive",
 "serde_json",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -22,7 +22,7 @@ hypervisor = { path = "hypervisor" }
 libc = "0.2.99"
 log = { version = "0.4.14", features = ["std"] }
 option_parser = { path = "option_parser" }
-seccomp = { git = "https://github.com/firecracker-microvm/firecracker", tag = "v0.24.5" }
+seccompiler = { git = "https://github.com/rust-vmm/seccompiler"}
 serde_json = "1.0.66"
 signal-hook = "0.3.9"
 thiserror = "1.0.26"
--- a/src/main.rs
+++ b/src/main.rs
@ -12,7 +12,7 @@ use clap::{App, Arg, ArgGroup, ArgMatches};
 use libc::EFD_NONBLOCK;
 use log::LevelFilter;
 use option_parser::OptionParser;
-use seccomp::SeccompAction;
+use seccompiler::SeccompAction;
 use signal_hook::{
    consts::SIGSYS,
    iterator::{exfiltrator::WithRawSiginfo, SignalsInfo},
--- a/virtio-devices/Cargo.toml
+++ b/virtio-devices/Cargo.toml
@ -23,7 +23,7 @@ net_gen = { path = "../net_gen" }
 net_util = { path = "../net_util" }
 pci = { path = "../pci" }
 rate_limiter = { path = "../rate_limiter" }
-seccomp = { git = "https://github.com/firecracker-microvm/firecracker", tag = "v0.24.5" }
+seccompiler = { git = "https://github.com/rust-vmm/seccompiler"}
 serde = "1.0.127"
 serde_derive = "1.0.127"
 serde_json = "1.0.66"
--- a/virtio-devices/src/balloon.rs
+++ b/virtio-devices/src/balloon.rs
@ -20,7 +20,7 @@ use crate::seccomp_filters::{get_seccomp_filter, Thread};
 use crate::GuestMemoryMmap;
 use crate::{VirtioInterrupt, VirtioInterruptType};
 use libc::EFD_NONBLOCK;
-use seccomp::{SeccompAction, SeccompFilter};
+use seccompiler::{apply_filter, SeccompAction};
 use std::io;
 use std::mem::size_of;
 use std::os::unix::io::AsRawFd;
@ -466,7 +466,7 @@ impl VirtioDevice for Balloon {
        thread::Builder::new()
            .name(self.id.clone())
            .spawn(move || {
-                if let Err(e) = SeccompFilter::apply(virtio_balloon_seccomp_filter) {
+                if let Err(e) = apply_filter(&virtio_balloon_seccomp_filter) {
                    error!("Error applying seccomp filter: {:?}", e);
                } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
                    error!("Error running worker: {:?}", e);
--- a/virtio-devices/src/block.rs
+++ b/virtio-devices/src/block.rs
@ -22,7 +22,7 @@ use block_util::{
    RequestType, VirtioBlockConfig,
 };
 use rate_limiter::{RateLimiter, TokenType};
-use seccomp::{SeccompAction, SeccompFilter};
+use seccompiler::{apply_filter, SeccompAction};
 use std::io;
 use std::num::Wrapping;
 use std::os::unix::io::AsRawFd;
@ -596,7 +596,7 @@ impl VirtioDevice for Block {
            thread::Builder::new()
                .name(format!("{}_q{}", self.id.clone(), i))
                .spawn(move || {
-                    if let Err(e) = SeccompFilter::apply(virtio_block_seccomp_filter) {
+                    if let Err(e) = apply_filter(&virtio_block_seccomp_filter) {
                        error!("Error applying seccomp filter: {:?}", e);
                    } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
                        error!("Error running worker: {:?}", e);
--- a/virtio-devices/src/console.rs
+++ b/virtio-devices/src/console.rs
@ -11,7 +11,7 @@ use crate::seccomp_filters::{get_seccomp_filter, Thread};
 use crate::GuestMemoryMmap;
 use crate::VirtioInterrupt;
 use libc::EFD_NONBLOCK;
-use seccomp::{SeccompAction, SeccompFilter};
+use seccompiler::{apply_filter, SeccompAction};
 use std::cmp;
 use std::collections::VecDeque;
 use std::io;
@ -429,7 +429,7 @@ impl VirtioDevice for Console {
        thread::Builder::new()
            .name(self.id.clone())
            .spawn(move || {
-                if let Err(e) = SeccompFilter::apply(virtio_console_seccomp_filter) {
+                if let Err(e) = apply_filter(&virtio_console_seccomp_filter) {
                    error!("Error applying seccomp filter: {:?}", e);
                } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
                    error!("Error running worker: {:?}", e);
--- a/virtio-devices/src/iommu.rs
+++ b/virtio-devices/src/iommu.rs
@ -11,7 +11,7 @@ use super::{
 use crate::seccomp_filters::{get_seccomp_filter, Thread};
 use crate::GuestMemoryMmap;
 use crate::{DmaRemapping, VirtioInterrupt, VirtioInterruptType};
-use seccomp::{SeccompAction, SeccompFilter};
+use seccompiler::{apply_filter, SeccompAction};
 use std::collections::BTreeMap;
 use std::fmt::{self, Display};
 use std::io;
@ -850,7 +850,7 @@ impl VirtioDevice for Iommu {
        thread::Builder::new()
            .name(self.id.clone())
            .spawn(move || {
-                if let Err(e) = SeccompFilter::apply(virtio_iommu_seccomp_filter) {
+                if let Err(e) = apply_filter(&virtio_iommu_seccomp_filter) {
                    error!("Error applying seccomp filter: {:?}", e);
                } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
                    error!("Error running worker: {:?}", e);
--- a/virtio-devices/src/lib.rs
+++ b/virtio-devices/src/lib.rs
@ -92,7 +92,7 @@ pub enum ActivateError {
    /// Failed to reset vhost-user daemon.
    VhostUserReset(vhost_user::Error),
    /// Cannot create seccomp filter
-    CreateSeccompFilter(seccomp::SeccompError),
+    CreateSeccompFilter(seccompiler::Error),
    /// Cannot create rate limiter
    CreateRateLimiter(std::io::Error),
 }
@ -109,7 +109,7 @@ pub enum Error {
    VhostUserAddMemoryRegion(vhost_user::Error),
    SetShmRegionsNotSupported,
    NetQueuePair(::net_util::NetQueuePairError),
-    ApplySeccompFilter(seccomp::Error),
+    ApplySeccompFilter(seccompiler::Error),
 }

 #[derive(Clone, Copy, Debug, Default, Deserialize, Serialize, PartialEq)]
--- a/virtio-devices/src/mem.rs
+++ b/virtio-devices/src/mem.rs
@ -23,7 +23,7 @@ use crate::{GuestMemoryMmap, GuestRegionMmap};
 use crate::{VirtioInterrupt, VirtioInterruptType};
 use anyhow::anyhow;
 use libc::EFD_NONBLOCK;
-use seccomp::{SeccompAction, SeccompFilter};
+use seccompiler::{apply_filter, SeccompAction};
 use std::collections::BTreeMap;
 use std::io;
 use std::mem::size_of;
@ -961,7 +961,7 @@ impl VirtioDevice for Mem {
        thread::Builder::new()
            .name(self.id.clone())
            .spawn(move || {
-                if let Err(e) = SeccompFilter::apply(virtio_mem_seccomp_filter) {
+                if let Err(e) = apply_filter(&virtio_mem_seccomp_filter) {
                    error!("Error applying seccomp filter: {:?}", e);
                } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
                    error!("Error running worker: {:?}", e);
--- a/virtio-devices/src/net.rs
+++ b/virtio-devices/src/net.rs
@ -20,7 +20,7 @@ use net_util::{
    virtio_features_to_tap_offload, MacAddr, NetCounters, NetQueuePair, OpenTapError, RxVirtio,
    Tap, TapError, TxVirtio, VirtioNetConfig,
 };
-use seccomp::{SeccompAction, SeccompFilter};
+use seccompiler::{apply_filter, SeccompAction};
 use std::net::Ipv4Addr;
 use std::num::Wrapping;
 use std::os::unix::io::{AsRawFd, RawFd};
@ -576,7 +576,7 @@ impl VirtioDevice for Net {
            thread::Builder::new()
                .name(format!("{}_ctrl", self.id))
                .spawn(move || {
-                    if let Err(e) = SeccompFilter::apply(virtio_net_ctl_seccomp_filter) {
+                    if let Err(e) = apply_filter(&virtio_net_ctl_seccomp_filter) {
                        error!("Error applying seccomp filter: {:?}", e);
                    } else if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) {
                        error!("Error running worker: {:?}", e);
@ -659,7 +659,7 @@ impl VirtioDevice for Net {
            thread::Builder::new()
                .name(format!("{}_qp{}", self.id.clone(), i))
                .spawn(move || {
-                    if let Err(e) = SeccompFilter::apply(virtio_net_seccomp_filter) {
+                    if let Err(e) = apply_filter(&virtio_net_seccomp_filter) {
                        error!("Error applying seccomp filter: {:?}", e);
                    } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
                        error!("Error running worker: {:?}", e);
--- a/virtio-devices/src/pmem.rs
+++ b/virtio-devices/src/pmem.rs
@ -15,7 +15,7 @@ use super::{
 use crate::seccomp_filters::{get_seccomp_filter, Thread};
 use crate::{GuestMemoryMmap, MmapRegion};
 use crate::{VirtioInterrupt, VirtioInterruptType};
-use seccomp::{SeccompAction, SeccompFilter};
+use seccompiler::{apply_filter, SeccompAction};
 use std::fmt::{self, Display};
 use std::fs::File;
 use std::io;
@ -397,7 +397,7 @@ impl VirtioDevice for Pmem {
            thread::Builder::new()
                .name(self.id.clone())
                .spawn(move || {
-                    if let Err(e) = SeccompFilter::apply(virtio_pmem_seccomp_filter) {
+                    if let Err(e) = apply_filter(&virtio_pmem_seccomp_filter) {
                        error!("Error applying seccomp filter: {:?}", e);
                    } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
                        error!("Error running worker: {:?}", e);
--- a/virtio-devices/src/rng.rs
+++ b/virtio-devices/src/rng.rs
@ -11,7 +11,7 @@ use super::{
 use crate::seccomp_filters::{get_seccomp_filter, Thread};
 use crate::GuestMemoryMmap;
 use crate::{VirtioInterrupt, VirtioInterruptType};
-use seccomp::{SeccompAction, SeccompFilter};
+use seccompiler::{apply_filter, SeccompAction};
 use std::fs::File;
 use std::io;
 use std::os::unix::io::AsRawFd;
@ -243,7 +243,7 @@ impl VirtioDevice for Rng {
            thread::Builder::new()
                .name(self.id.clone())
                .spawn(move || {
-                    if let Err(e) = SeccompFilter::apply(virtio_rng_seccomp_filter) {
+                    if let Err(e) = apply_filter(&virtio_rng_seccomp_filter) {
                        error!("Error applying seccomp filter: {:?}", e);
                    } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
                        error!("Error running worker: {:?}", e);
--- a/virtio-devices/src/seccomp_filters.rs
+++ b/virtio-devices/src/seccomp_filters.rs
@ -4,10 +4,9 @@
 //
 // SPDX-License-Identifier: Apache-2.0

-use seccomp::{
-    allow_syscall, allow_syscall_if, BpfProgram, Error, SeccompAction, SeccompCmpArgLen as ArgLen,
-    SeccompCmpOp::Eq, SeccompCondition as Cond, SeccompError, SeccompFilter, SeccompRule,
-    SyscallRuleSet,
+use seccompiler::{
+    BackendError, BpfProgram, Error, SeccompAction, SeccompCmpArgLen as ArgLen, SeccompCmpOp::Eq,
+    SeccompCondition as Cond, SeccompFilter, SeccompRule,
 };
 use std::convert::TryInto;

@ -30,12 +29,11 @@ pub enum Thread {
 /// Shorthand for chaining `SeccompCondition`s with the `and` operator  in a `SeccompRule`.
 /// The rule will take the `Allow` action if _all_ the conditions are true.
 ///
-/// [`Allow`]: enum.SeccompAction.html
 /// [`SeccompCondition`]: struct.SeccompCondition.html
 /// [`SeccompRule`]: struct.SeccompRule.html
 macro_rules! and {
-    ($($x:expr,)*) => (SeccompRule::new(vec![$($x),*], SeccompAction::Allow));
-    ($($x:expr),*) => (SeccompRule::new(vec![$($x),*], SeccompAction::Allow))
+    ($($x:expr,)*) => (SeccompRule::new(vec![$($x),*]).unwrap());
+    ($($x:expr),*) => (SeccompRule::new(vec![$($x),*]).unwrap())
 }

 /// Shorthand for chaining `SeccompRule`s with the `or` operator in a `SeccompFilter`.
@ -62,388 +60,388 @@ const TUNSETOFFLOAD: u64 = 0x4004_54d0;

 fn create_virtio_iommu_ioctl_seccomp_rule() -> Vec<SeccompRule> {
    or![
-        and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_MAP_DMA).unwrap()],
-        and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_UNMAP_DMA).unwrap()],
+        and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_MAP_DMA).unwrap()],
+        and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_UNMAP_DMA).unwrap()],
    ]
 }

 fn create_virtio_mem_ioctl_seccomp_rule() -> Vec<SeccompRule> {
    or![
-        and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_MAP_DMA).unwrap()],
-        and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_UNMAP_DMA).unwrap()],
+        and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_MAP_DMA).unwrap()],
+        and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_UNMAP_DMA).unwrap()],
    ]
 }

-fn virtio_balloon_thread_rules() -> Vec<SyscallRuleSet> {
+fn virtio_balloon_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
    vec![
-        allow_syscall(libc::SYS_brk),
+        (libc::SYS_brk, vec![]),
        #[cfg(feature = "mshv")]
-        allow_syscall(libc::SYS_clock_gettime),
-        allow_syscall(libc::SYS_close),
-        allow_syscall(libc::SYS_dup),
-        allow_syscall(libc::SYS_epoll_create1),
-        allow_syscall(libc::SYS_epoll_ctl),
-        allow_syscall(libc::SYS_epoll_pwait),
+        (libc::SYS_clock_gettime, vec![]),
+        (libc::SYS_close, vec![]),
+        (libc::SYS_dup, vec![]),
+        (libc::SYS_epoll_create1, vec![]),
+        (libc::SYS_epoll_ctl, vec![]),
+        (libc::SYS_epoll_pwait, vec![]),
        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_epoll_wait),
-        allow_syscall(libc::SYS_exit),
-        allow_syscall(libc::SYS_futex),
-        allow_syscall(libc::SYS_fallocate),
-        allow_syscall(libc::SYS_madvise),
-        allow_syscall(libc::SYS_munmap),
-        allow_syscall(libc::SYS_read),
-        allow_syscall(libc::SYS_rt_sigprocmask),
-        allow_syscall(libc::SYS_sigaltstack),
-        allow_syscall(libc::SYS_write),
+        (libc::SYS_epoll_wait, vec![]),
+        (libc::SYS_exit, vec![]),
+        (libc::SYS_futex, vec![]),
+        (libc::SYS_fallocate, vec![]),
+        (libc::SYS_madvise, vec![]),
+        (libc::SYS_munmap, vec![]),
+        (libc::SYS_read, vec![]),
+        (libc::SYS_rt_sigprocmask, vec![]),
+        (libc::SYS_sigaltstack, vec![]),
+        (libc::SYS_write, vec![]),
    ]
 }

-fn virtio_block_thread_rules() -> Vec<SyscallRuleSet> {
+fn virtio_block_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
    vec![
-        allow_syscall(libc::SYS_brk),
+        (libc::SYS_brk, vec![]),
        #[cfg(feature = "mshv")]
-        allow_syscall(libc::SYS_clock_gettime),
-        allow_syscall(libc::SYS_close),
-        allow_syscall(libc::SYS_dup),
-        allow_syscall(libc::SYS_epoll_create1),
-        allow_syscall(libc::SYS_epoll_ctl),
-        allow_syscall(libc::SYS_epoll_pwait),
+        (libc::SYS_clock_gettime, vec![]),
+        (libc::SYS_close, vec![]),
+        (libc::SYS_dup, vec![]),
+        (libc::SYS_epoll_create1, vec![]),
+        (libc::SYS_epoll_ctl, vec![]),
+        (libc::SYS_epoll_pwait, vec![]),
        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_epoll_wait),
-        allow_syscall(libc::SYS_exit),
-        allow_syscall(libc::SYS_fallocate),
-        allow_syscall(libc::SYS_fdatasync),
-        allow_syscall(libc::SYS_fsync),
+        (libc::SYS_epoll_wait, vec![]),
+        (libc::SYS_exit, vec![]),
+        (libc::SYS_fallocate, vec![]),
+        (libc::SYS_fdatasync, vec![]),
+        (libc::SYS_fsync, vec![]),
        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_ftruncate),
+        (libc::SYS_ftruncate, vec![]),
        #[cfg(target_arch = "aarch64")]
        // The definition of libc::SYS_ftruncate is missing on AArch64.
        // Use a hard-code number instead.
-        allow_syscall(46),
-        allow_syscall(libc::SYS_futex),
-        allow_syscall(SYS_IO_URING_ENTER),
-        allow_syscall(libc::SYS_lseek),
-        allow_syscall(libc::SYS_madvise),
-        allow_syscall(libc::SYS_mmap),
-        allow_syscall(libc::SYS_mprotect),
-        allow_syscall(libc::SYS_munmap),
-        allow_syscall(libc::SYS_openat),
-        allow_syscall(libc::SYS_prctl),
-        allow_syscall(libc::SYS_pread64),
-        allow_syscall(libc::SYS_preadv),
-        allow_syscall(libc::SYS_pwritev),
-        allow_syscall(libc::SYS_pwrite64),
-        allow_syscall(libc::SYS_read),
-        allow_syscall(libc::SYS_rt_sigprocmask),
-        allow_syscall(libc::SYS_sched_getaffinity),
-        allow_syscall(libc::SYS_set_robust_list),
-        allow_syscall(libc::SYS_sigaltstack),
-        allow_syscall(libc::SYS_timerfd_settime),
-        allow_syscall(libc::SYS_write),
+        (46, vec![]),
+        (libc::SYS_futex, vec![]),
+        (SYS_IO_URING_ENTER, vec![]),
+        (libc::SYS_lseek, vec![]),
+        (libc::SYS_madvise, vec![]),
+        (libc::SYS_mmap, vec![]),
+        (libc::SYS_mprotect, vec![]),
+        (libc::SYS_munmap, vec![]),
+        (libc::SYS_openat, vec![]),
+        (libc::SYS_prctl, vec![]),
+        (libc::SYS_pread64, vec![]),
+        (libc::SYS_preadv, vec![]),
+        (libc::SYS_pwritev, vec![]),
+        (libc::SYS_pwrite64, vec![]),
+        (libc::SYS_read, vec![]),
+        (libc::SYS_rt_sigprocmask, vec![]),
+        (libc::SYS_sched_getaffinity, vec![]),
+        (libc::SYS_set_robust_list, vec![]),
+        (libc::SYS_sigaltstack, vec![]),
+        (libc::SYS_timerfd_settime, vec![]),
+        (libc::SYS_write, vec![]),
    ]
 }

-fn virtio_console_thread_rules() -> Vec<SyscallRuleSet> {
+fn virtio_console_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
    vec![
-        allow_syscall(libc::SYS_brk),
+        (libc::SYS_brk, vec![]),
        #[cfg(feature = "mshv")]
-        allow_syscall(libc::SYS_clock_gettime),
-        allow_syscall(libc::SYS_close),
-        allow_syscall(libc::SYS_dup),
-        allow_syscall(libc::SYS_epoll_create1),
-        allow_syscall(libc::SYS_epoll_ctl),
-        allow_syscall(libc::SYS_epoll_pwait),
+        (libc::SYS_clock_gettime, vec![]),
+        (libc::SYS_close, vec![]),
+        (libc::SYS_dup, vec![]),
+        (libc::SYS_epoll_create1, vec![]),
+        (libc::SYS_epoll_ctl, vec![]),
+        (libc::SYS_epoll_pwait, vec![]),
        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_epoll_wait),
-        allow_syscall(libc::SYS_exit),
-        allow_syscall(libc::SYS_futex),
-        allow_syscall(libc::SYS_madvise),
-        allow_syscall(libc::SYS_mmap),
-        allow_syscall(libc::SYS_mprotect),
-        allow_syscall(libc::SYS_munmap),
-        allow_syscall(libc::SYS_prctl),
-        allow_syscall(libc::SYS_read),
-        allow_syscall(libc::SYS_rt_sigprocmask),
-        allow_syscall(libc::SYS_sched_getaffinity),
-        allow_syscall(libc::SYS_set_robust_list),
-        allow_syscall(libc::SYS_sigaltstack),
-        allow_syscall(libc::SYS_write),
+        (libc::SYS_epoll_wait, vec![]),
+        (libc::SYS_exit, vec![]),
+        (libc::SYS_futex, vec![]),
+        (libc::SYS_madvise, vec![]),
+        (libc::SYS_mmap, vec![]),
+        (libc::SYS_mprotect, vec![]),
+        (libc::SYS_munmap, vec![]),
+        (libc::SYS_prctl, vec![]),
+        (libc::SYS_read, vec![]),
+        (libc::SYS_rt_sigprocmask, vec![]),
+        (libc::SYS_sched_getaffinity, vec![]),
+        (libc::SYS_set_robust_list, vec![]),
+        (libc::SYS_sigaltstack, vec![]),
+        (libc::SYS_write, vec![]),
    ]
 }

-fn virtio_iommu_thread_rules() -> Vec<SyscallRuleSet> {
+fn virtio_iommu_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
    vec![
-        allow_syscall(libc::SYS_brk),
+        (libc::SYS_brk, vec![]),
        #[cfg(feature = "mshv")]
-        allow_syscall(libc::SYS_clock_gettime),
-        allow_syscall(libc::SYS_close),
-        allow_syscall(libc::SYS_dup),
-        allow_syscall(libc::SYS_epoll_create1),
-        allow_syscall(libc::SYS_epoll_ctl),
-        allow_syscall(libc::SYS_epoll_pwait),
+        (libc::SYS_clock_gettime, vec![]),
+        (libc::SYS_close, vec![]),
+        (libc::SYS_dup, vec![]),
+        (libc::SYS_epoll_create1, vec![]),
+        (libc::SYS_epoll_ctl, vec![]),
+        (libc::SYS_epoll_pwait, vec![]),
        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_epoll_wait),
-        allow_syscall(libc::SYS_exit),
-        allow_syscall(libc::SYS_futex),
-        allow_syscall_if(libc::SYS_ioctl, create_virtio_iommu_ioctl_seccomp_rule()),
-        allow_syscall(libc::SYS_madvise),
-        allow_syscall(libc::SYS_mmap),
-        allow_syscall(libc::SYS_mprotect),
-        allow_syscall(libc::SYS_munmap),
-        allow_syscall(libc::SYS_read),
-        allow_syscall(libc::SYS_sigaltstack),
-        allow_syscall(libc::SYS_write),
+        (libc::SYS_epoll_wait, vec![]),
+        (libc::SYS_exit, vec![]),
+        (libc::SYS_futex, vec![]),
+        (libc::SYS_ioctl, create_virtio_iommu_ioctl_seccomp_rule()),
+        (libc::SYS_madvise, vec![]),
+        (libc::SYS_mmap, vec![]),
+        (libc::SYS_mprotect, vec![]),
+        (libc::SYS_munmap, vec![]),
+        (libc::SYS_read, vec![]),
+        (libc::SYS_sigaltstack, vec![]),
+        (libc::SYS_write, vec![]),
    ]
 }

-fn virtio_mem_thread_rules() -> Vec<SyscallRuleSet> {
+fn virtio_mem_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
    vec![
-        allow_syscall(libc::SYS_brk),
+        (libc::SYS_brk, vec![]),
        #[cfg(feature = "mshv")]
-        allow_syscall(libc::SYS_clock_gettime),
-        allow_syscall(libc::SYS_close),
-        allow_syscall(libc::SYS_dup),
-        allow_syscall(libc::SYS_epoll_create1),
-        allow_syscall(libc::SYS_epoll_ctl),
-        allow_syscall(libc::SYS_epoll_pwait),
+        (libc::SYS_clock_gettime, vec![]),
+        (libc::SYS_close, vec![]),
+        (libc::SYS_dup, vec![]),
+        (libc::SYS_epoll_create1, vec![]),
+        (libc::SYS_epoll_ctl, vec![]),
+        (libc::SYS_epoll_pwait, vec![]),
        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_epoll_wait),
-        allow_syscall(libc::SYS_exit),
-        allow_syscall(libc::SYS_fallocate),
-        allow_syscall(libc::SYS_futex),
-        allow_syscall_if(libc::SYS_ioctl, create_virtio_mem_ioctl_seccomp_rule()),
-        allow_syscall(libc::SYS_madvise),
-        allow_syscall(libc::SYS_munmap),
-        allow_syscall(libc::SYS_read),
-        allow_syscall(libc::SYS_rt_sigprocmask),
-        allow_syscall(libc::SYS_sigaltstack),
-        allow_syscall(libc::SYS_write),
+        (libc::SYS_epoll_wait, vec![]),
+        (libc::SYS_exit, vec![]),
+        (libc::SYS_fallocate, vec![]),
+        (libc::SYS_futex, vec![]),
+        (libc::SYS_ioctl, create_virtio_mem_ioctl_seccomp_rule()),
+        (libc::SYS_madvise, vec![]),
+        (libc::SYS_munmap, vec![]),
+        (libc::SYS_read, vec![]),
+        (libc::SYS_rt_sigprocmask, vec![]),
+        (libc::SYS_sigaltstack, vec![]),
+        (libc::SYS_write, vec![]),
    ]
 }

-fn virtio_net_thread_rules() -> Vec<SyscallRuleSet> {
+fn virtio_net_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
    vec![
-        allow_syscall(libc::SYS_brk),
+        (libc::SYS_brk, vec![]),
        #[cfg(feature = "mshv")]
-        allow_syscall(libc::SYS_clock_gettime),
-        allow_syscall(libc::SYS_close),
-        allow_syscall(libc::SYS_dup),
-        allow_syscall(libc::SYS_epoll_create1),
-        allow_syscall(libc::SYS_epoll_ctl),
-        allow_syscall(libc::SYS_epoll_pwait),
+        (libc::SYS_clock_gettime, vec![]),
+        (libc::SYS_close, vec![]),
+        (libc::SYS_dup, vec![]),
+        (libc::SYS_epoll_create1, vec![]),
+        (libc::SYS_epoll_ctl, vec![]),
+        (libc::SYS_epoll_pwait, vec![]),
        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_epoll_wait),
-        allow_syscall(libc::SYS_exit),
-        allow_syscall(libc::SYS_futex),
-        allow_syscall(libc::SYS_madvise),
-        allow_syscall(libc::SYS_munmap),
-        allow_syscall(libc::SYS_openat),
-        allow_syscall(libc::SYS_read),
-        allow_syscall(libc::SYS_readv),
-        allow_syscall(libc::SYS_rt_sigprocmask),
-        allow_syscall(libc::SYS_sigaltstack),
-        allow_syscall(libc::SYS_timerfd_settime),
-        allow_syscall(libc::SYS_write),
-        allow_syscall(libc::SYS_writev),
+        (libc::SYS_epoll_wait, vec![]),
+        (libc::SYS_exit, vec![]),
+        (libc::SYS_futex, vec![]),
+        (libc::SYS_madvise, vec![]),
+        (libc::SYS_munmap, vec![]),
+        (libc::SYS_openat, vec![]),
+        (libc::SYS_read, vec![]),
+        (libc::SYS_readv, vec![]),
+        (libc::SYS_rt_sigprocmask, vec![]),
+        (libc::SYS_sigaltstack, vec![]),
+        (libc::SYS_timerfd_settime, vec![]),
+        (libc::SYS_write, vec![]),
+        (libc::SYS_writev, vec![]),
    ]
 }

-fn create_virtio_net_ctl_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, Error> {
-    Ok(or![and![Cond::new(1, ArgLen::DWORD, Eq, TUNSETOFFLOAD)?],])
+fn create_virtio_net_ctl_ioctl_seccomp_rule() -> Vec<SeccompRule> {
+    or![and![Cond::new(1, ArgLen::Dword, Eq, TUNSETOFFLOAD).unwrap()],]
 }

-fn virtio_net_ctl_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
-    Ok(vec![
-        allow_syscall(libc::SYS_brk),
-        #[cfg(feature = "mshv")]
-        allow_syscall(libc::SYS_clock_gettime),
-        allow_syscall(libc::SYS_close),
-        allow_syscall(libc::SYS_dup),
-        allow_syscall(libc::SYS_epoll_create1),
-        allow_syscall(libc::SYS_epoll_ctl),
-        allow_syscall(libc::SYS_epoll_pwait),
-        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_epoll_wait),
-        allow_syscall(libc::SYS_exit),
-        allow_syscall(libc::SYS_futex),
-        allow_syscall_if(libc::SYS_ioctl, create_virtio_net_ctl_ioctl_seccomp_rule()?),
-        allow_syscall(libc::SYS_madvise),
-        allow_syscall(libc::SYS_munmap),
-        allow_syscall(libc::SYS_read),
-        allow_syscall(libc::SYS_rt_sigprocmask),
-        allow_syscall(libc::SYS_sigaltstack),
-        allow_syscall(libc::SYS_write),
-    ])
-}
-
-fn virtio_pmem_thread_rules() -> Vec<SyscallRuleSet> {
+fn virtio_net_ctl_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
    vec![
-        allow_syscall(libc::SYS_brk),
+        (libc::SYS_brk, vec![]),
        #[cfg(feature = "mshv")]
-        allow_syscall(libc::SYS_clock_gettime),
-        allow_syscall(libc::SYS_close),
-        allow_syscall(libc::SYS_dup),
-        allow_syscall(libc::SYS_epoll_create1),
-        allow_syscall(libc::SYS_epoll_ctl),
-        allow_syscall(libc::SYS_epoll_pwait),
+        (libc::SYS_clock_gettime, vec![]),
+        (libc::SYS_close, vec![]),
+        (libc::SYS_dup, vec![]),
+        (libc::SYS_epoll_create1, vec![]),
+        (libc::SYS_epoll_ctl, vec![]),
+        (libc::SYS_epoll_pwait, vec![]),
        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_epoll_wait),
-        allow_syscall(libc::SYS_exit),
-        allow_syscall(libc::SYS_fsync),
-        allow_syscall(libc::SYS_futex),
-        allow_syscall(libc::SYS_madvise),
-        allow_syscall(libc::SYS_munmap),
-        allow_syscall(libc::SYS_read),
-        allow_syscall(libc::SYS_rt_sigprocmask),
-        allow_syscall(libc::SYS_sigaltstack),
-        allow_syscall(libc::SYS_write),
+        (libc::SYS_epoll_wait, vec![]),
+        (libc::SYS_exit, vec![]),
+        (libc::SYS_futex, vec![]),
+        (libc::SYS_ioctl, create_virtio_net_ctl_ioctl_seccomp_rule()),
+        (libc::SYS_madvise, vec![]),
+        (libc::SYS_munmap, vec![]),
+        (libc::SYS_read, vec![]),
+        (libc::SYS_rt_sigprocmask, vec![]),
+        (libc::SYS_sigaltstack, vec![]),
+        (libc::SYS_write, vec![]),
    ]
 }

-fn virtio_rng_thread_rules() -> Vec<SyscallRuleSet> {
+fn virtio_pmem_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
    vec![
-        allow_syscall(libc::SYS_brk),
+        (libc::SYS_brk, vec![]),
        #[cfg(feature = "mshv")]
-        allow_syscall(libc::SYS_clock_gettime),
-        allow_syscall(libc::SYS_close),
-        allow_syscall(libc::SYS_dup),
-        allow_syscall(libc::SYS_epoll_create1),
-        allow_syscall(libc::SYS_epoll_ctl),
-        allow_syscall(libc::SYS_epoll_pwait),
+        (libc::SYS_clock_gettime, vec![]),
+        (libc::SYS_close, vec![]),
+        (libc::SYS_dup, vec![]),
+        (libc::SYS_epoll_create1, vec![]),
+        (libc::SYS_epoll_ctl, vec![]),
+        (libc::SYS_epoll_pwait, vec![]),
        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_epoll_wait),
-        allow_syscall(libc::SYS_exit),
-        allow_syscall(libc::SYS_futex),
-        allow_syscall(libc::SYS_madvise),
-        allow_syscall(libc::SYS_mmap),
-        allow_syscall(libc::SYS_mprotect),
-        allow_syscall(libc::SYS_munmap),
-        allow_syscall(libc::SYS_prctl),
-        allow_syscall(libc::SYS_read),
-        allow_syscall(libc::SYS_rt_sigprocmask),
-        allow_syscall(libc::SYS_sched_getaffinity),
-        allow_syscall(libc::SYS_set_robust_list),
-        allow_syscall(libc::SYS_sigaltstack),
-        allow_syscall(libc::SYS_write),
+        (libc::SYS_epoll_wait, vec![]),
+        (libc::SYS_exit, vec![]),
+        (libc::SYS_fsync, vec![]),
+        (libc::SYS_futex, vec![]),
+        (libc::SYS_madvise, vec![]),
+        (libc::SYS_munmap, vec![]),
+        (libc::SYS_read, vec![]),
+        (libc::SYS_rt_sigprocmask, vec![]),
+        (libc::SYS_sigaltstack, vec![]),
+        (libc::SYS_write, vec![]),
    ]
 }

-fn virtio_vhost_fs_thread_rules() -> Vec<SyscallRuleSet> {
+fn virtio_rng_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
    vec![
-        allow_syscall(libc::SYS_brk),
+        (libc::SYS_brk, vec![]),
        #[cfg(feature = "mshv")]
-        allow_syscall(libc::SYS_clock_gettime),
-        allow_syscall(libc::SYS_close),
-        allow_syscall(libc::SYS_connect),
-        allow_syscall(libc::SYS_dup),
-        allow_syscall(libc::SYS_epoll_create1),
-        allow_syscall(libc::SYS_epoll_ctl),
-        allow_syscall(libc::SYS_epoll_pwait),
+        (libc::SYS_clock_gettime, vec![]),
+        (libc::SYS_close, vec![]),
+        (libc::SYS_dup, vec![]),
+        (libc::SYS_epoll_create1, vec![]),
+        (libc::SYS_epoll_ctl, vec![]),
+        (libc::SYS_epoll_pwait, vec![]),
        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_epoll_wait),
-        allow_syscall(libc::SYS_exit),
-        allow_syscall(libc::SYS_futex),
-        allow_syscall(libc::SYS_madvise),
-        allow_syscall(libc::SYS_mmap),
-        allow_syscall(libc::SYS_munmap),
-        allow_syscall(libc::SYS_nanosleep),
-        allow_syscall(libc::SYS_read),
-        allow_syscall(libc::SYS_recvmsg),
-        allow_syscall(libc::SYS_rt_sigprocmask),
-        allow_syscall(libc::SYS_sendmsg),
-        allow_syscall(libc::SYS_sendto),
-        allow_syscall(libc::SYS_sigaltstack),
-        allow_syscall(libc::SYS_socket),
-        allow_syscall(libc::SYS_write),
+        (libc::SYS_epoll_wait, vec![]),
+        (libc::SYS_exit, vec![]),
+        (libc::SYS_futex, vec![]),
+        (libc::SYS_madvise, vec![]),
+        (libc::SYS_mmap, vec![]),
+        (libc::SYS_mprotect, vec![]),
+        (libc::SYS_munmap, vec![]),
+        (libc::SYS_prctl, vec![]),
+        (libc::SYS_read, vec![]),
+        (libc::SYS_rt_sigprocmask, vec![]),
+        (libc::SYS_sched_getaffinity, vec![]),
+        (libc::SYS_set_robust_list, vec![]),
+        (libc::SYS_sigaltstack, vec![]),
+        (libc::SYS_write, vec![]),
    ]
 }

-fn virtio_vhost_net_ctl_thread_rules() -> Vec<SyscallRuleSet> {
+fn virtio_vhost_fs_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
    vec![
-        allow_syscall(libc::SYS_brk),
+        (libc::SYS_brk, vec![]),
        #[cfg(feature = "mshv")]
-        allow_syscall(libc::SYS_clock_gettime),
-        allow_syscall(libc::SYS_close),
-        allow_syscall(libc::SYS_dup),
-        allow_syscall(libc::SYS_epoll_create1),
-        allow_syscall(libc::SYS_epoll_ctl),
-        allow_syscall(libc::SYS_epoll_pwait),
+        (libc::SYS_clock_gettime, vec![]),
+        (libc::SYS_close, vec![]),
+        (libc::SYS_connect, vec![]),
+        (libc::SYS_dup, vec![]),
+        (libc::SYS_epoll_create1, vec![]),
+        (libc::SYS_epoll_ctl, vec![]),
+        (libc::SYS_epoll_pwait, vec![]),
        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_epoll_wait),
-        allow_syscall(libc::SYS_exit),
-        allow_syscall(libc::SYS_futex),
-        allow_syscall(libc::SYS_munmap),
-        allow_syscall(libc::SYS_madvise),
-        allow_syscall(libc::SYS_read),
-        allow_syscall(libc::SYS_rt_sigprocmask),
-        allow_syscall(libc::SYS_sigaltstack),
-        allow_syscall(libc::SYS_write),
+        (libc::SYS_epoll_wait, vec![]),
+        (libc::SYS_exit, vec![]),
+        (libc::SYS_futex, vec![]),
+        (libc::SYS_madvise, vec![]),
+        (libc::SYS_mmap, vec![]),
+        (libc::SYS_munmap, vec![]),
+        (libc::SYS_nanosleep, vec![]),
+        (libc::SYS_read, vec![]),
+        (libc::SYS_recvmsg, vec![]),
+        (libc::SYS_rt_sigprocmask, vec![]),
+        (libc::SYS_sendmsg, vec![]),
+        (libc::SYS_sendto, vec![]),
+        (libc::SYS_sigaltstack, vec![]),
+        (libc::SYS_socket, vec![]),
+        (libc::SYS_write, vec![]),
+    ]
+}
+
+fn virtio_vhost_net_ctl_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
+    vec![
+        (libc::SYS_brk, vec![]),
+        #[cfg(feature = "mshv")]
+        (libc::SYS_clock_gettime, vec![]),
+        (libc::SYS_close, vec![]),
+        (libc::SYS_dup, vec![]),
+        (libc::SYS_epoll_create1, vec![]),
+        (libc::SYS_epoll_ctl, vec![]),
+        (libc::SYS_epoll_pwait, vec![]),
+        #[cfg(target_arch = "x86_64")]
+        (libc::SYS_epoll_wait, vec![]),
+        (libc::SYS_exit, vec![]),
+        (libc::SYS_futex, vec![]),
+        (libc::SYS_munmap, vec![]),
+        (libc::SYS_madvise, vec![]),
+        (libc::SYS_read, vec![]),
+        (libc::SYS_rt_sigprocmask, vec![]),
+        (libc::SYS_sigaltstack, vec![]),
+        (libc::SYS_write, vec![]),
    ]
 }

 fn create_vsock_ioctl_seccomp_rule() -> Vec<SeccompRule> {
-    or![and![Cond::new(1, ArgLen::DWORD, Eq, FIONBIO,).unwrap()],]
+    or![and![Cond::new(1, ArgLen::Dword, Eq, FIONBIO,).unwrap()],]
 }

-fn virtio_vsock_thread_rules() -> Vec<SyscallRuleSet> {
+fn virtio_vsock_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
    vec![
-        allow_syscall(libc::SYS_accept4),
-        allow_syscall(libc::SYS_brk),
+        (libc::SYS_accept4, vec![]),
+        (libc::SYS_brk, vec![]),
        #[cfg(feature = "mshv")]
-        allow_syscall(libc::SYS_clock_gettime),
-        allow_syscall(libc::SYS_close),
-        allow_syscall(libc::SYS_connect),
-        allow_syscall(libc::SYS_dup),
-        allow_syscall(libc::SYS_epoll_create1),
-        allow_syscall(libc::SYS_epoll_ctl),
-        allow_syscall(libc::SYS_epoll_pwait),
+        (libc::SYS_clock_gettime, vec![]),
+        (libc::SYS_close, vec![]),
+        (libc::SYS_connect, vec![]),
+        (libc::SYS_dup, vec![]),
+        (libc::SYS_epoll_create1, vec![]),
+        (libc::SYS_epoll_ctl, vec![]),
+        (libc::SYS_epoll_pwait, vec![]),
        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_epoll_wait),
-        allow_syscall(libc::SYS_exit),
-        allow_syscall_if(libc::SYS_ioctl, create_vsock_ioctl_seccomp_rule()),
-        allow_syscall(libc::SYS_futex),
-        allow_syscall(libc::SYS_madvise),
-        allow_syscall(libc::SYS_mmap),
-        allow_syscall(libc::SYS_munmap),
-        allow_syscall(libc::SYS_read),
-        allow_syscall(libc::SYS_recvfrom),
-        allow_syscall(libc::SYS_rt_sigprocmask),
-        allow_syscall(libc::SYS_sigaltstack),
-        allow_syscall(libc::SYS_socket),
-        allow_syscall(libc::SYS_write),
+        (libc::SYS_epoll_wait, vec![]),
+        (libc::SYS_exit, vec![]),
+        (libc::SYS_ioctl, create_vsock_ioctl_seccomp_rule()),
+        (libc::SYS_futex, vec![]),
+        (libc::SYS_madvise, vec![]),
+        (libc::SYS_mmap, vec![]),
+        (libc::SYS_munmap, vec![]),
+        (libc::SYS_read, vec![]),
+        (libc::SYS_recvfrom, vec![]),
+        (libc::SYS_rt_sigprocmask, vec![]),
+        (libc::SYS_sigaltstack, vec![]),
+        (libc::SYS_socket, vec![]),
+        (libc::SYS_write, vec![]),
    ]
 }

-fn virtio_watchdog_thread_rules() -> Vec<SyscallRuleSet> {
+fn virtio_watchdog_thread_rules() -> Vec<(i64, Vec<SeccompRule>)> {
    vec![
-        allow_syscall(libc::SYS_brk),
+        (libc::SYS_brk, vec![]),
        #[cfg(feature = "mshv")]
-        allow_syscall(libc::SYS_clock_gettime),
-        allow_syscall(libc::SYS_close),
-        allow_syscall(libc::SYS_dup),
-        allow_syscall(libc::SYS_epoll_create1),
-        allow_syscall(libc::SYS_epoll_ctl),
-        allow_syscall(libc::SYS_epoll_pwait),
+        (libc::SYS_clock_gettime, vec![]),
+        (libc::SYS_close, vec![]),
+        (libc::SYS_dup, vec![]),
+        (libc::SYS_epoll_create1, vec![]),
+        (libc::SYS_epoll_ctl, vec![]),
+        (libc::SYS_epoll_pwait, vec![]),
        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_epoll_wait),
-        allow_syscall(libc::SYS_exit),
-        allow_syscall(libc::SYS_futex),
-        allow_syscall(libc::SYS_madvise),
-        allow_syscall(libc::SYS_mmap),
-        allow_syscall(libc::SYS_mprotect),
-        allow_syscall(libc::SYS_munmap),
-        allow_syscall(libc::SYS_prctl),
-        allow_syscall(libc::SYS_read),
-        allow_syscall(libc::SYS_rt_sigprocmask),
-        allow_syscall(libc::SYS_sched_getaffinity),
-        allow_syscall(libc::SYS_set_robust_list),
-        allow_syscall(libc::SYS_sigaltstack),
-        allow_syscall(libc::SYS_timerfd_settime),
-        allow_syscall(libc::SYS_write),
+        (libc::SYS_epoll_wait, vec![]),
+        (libc::SYS_exit, vec![]),
+        (libc::SYS_futex, vec![]),
+        (libc::SYS_madvise, vec![]),
+        (libc::SYS_mmap, vec![]),
+        (libc::SYS_mprotect, vec![]),
+        (libc::SYS_munmap, vec![]),
+        (libc::SYS_prctl, vec![]),
+        (libc::SYS_read, vec![]),
+        (libc::SYS_rt_sigprocmask, vec![]),
+        (libc::SYS_sched_getaffinity, vec![]),
+        (libc::SYS_set_robust_list, vec![]),
+        (libc::SYS_sigaltstack, vec![]),
+        (libc::SYS_timerfd_settime, vec![]),
+        (libc::SYS_write, vec![]),
    ]
 }

-fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error> {
+fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, BackendError> {
    let rules = match thread_type {
        Thread::VirtioBalloon => virtio_balloon_thread_rules(),
        Thread::VirtioBlock => virtio_block_thread_rules(),
@ -451,7 +449,7 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error>
        Thread::VirtioIommu => virtio_iommu_thread_rules(),
        Thread::VirtioMem => virtio_mem_thread_rules(),
        Thread::VirtioNet => virtio_net_thread_rules(),
-        Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
+        Thread::VirtioNetCtl => virtio_net_ctl_thread_rules(),
        Thread::VirtioPmem => virtio_pmem_thread_rules(),
        Thread::VirtioRng => virtio_rng_thread_rules(),
        Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules(),
@ -460,10 +458,15 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error>
        Thread::VirtioWatchdog => virtio_watchdog_thread_rules(),
    };

-    SeccompFilter::new(rules.into_iter().collect(), SeccompAction::Trap)
+    SeccompFilter::new(
+        rules.into_iter().collect(),
+        SeccompAction::Trap,
+        SeccompAction::Allow,
+        std::env::consts::ARCH.try_into().unwrap(),
+    )
 }

-fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
+fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, BackendError> {
    let rules = match thread_type {
        Thread::VirtioBalloon => virtio_balloon_thread_rules(),
        Thread::VirtioBlock => virtio_block_thread_rules(),
@ -471,7 +474,7 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
        Thread::VirtioIommu => virtio_iommu_thread_rules(),
        Thread::VirtioMem => virtio_mem_thread_rules(),
        Thread::VirtioNet => virtio_net_thread_rules(),
-        Thread::VirtioNetCtl => virtio_net_ctl_thread_rules()?,
+        Thread::VirtioNetCtl => virtio_net_ctl_thread_rules(),
        Thread::VirtioPmem => virtio_pmem_thread_rules(),
        Thread::VirtioRng => virtio_rng_thread_rules(),
        Thread::VirtioVhostFs => virtio_vhost_fs_thread_rules(),
@ -480,21 +483,26 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
        Thread::VirtioWatchdog => virtio_watchdog_thread_rules(),
    };

-    SeccompFilter::new(rules.into_iter().collect(), SeccompAction::Log)
+    SeccompFilter::new(
+        rules.into_iter().collect(),
+        SeccompAction::Log,
+        SeccompAction::Allow,
+        std::env::consts::ARCH.try_into().unwrap(),
+    )
 }

 /// Generate a BPF program based on the seccomp_action value
 pub fn get_seccomp_filter(
    seccomp_action: &SeccompAction,
    thread_type: Thread,
-) -> Result<BpfProgram, SeccompError> {
+) -> Result<BpfProgram, Error> {
    match seccomp_action {
        SeccompAction::Allow => Ok(vec![]),
        SeccompAction::Log => get_seccomp_filter_log(thread_type)
            .and_then(|filter| filter.try_into())
-            .map_err(SeccompError::SeccompFilter),
+            .map_err(Error::Backend),
        _ => get_seccomp_filter_trap(thread_type)
            .and_then(|filter| filter.try_into())
-            .map_err(SeccompError::SeccompFilter),
+            .map_err(Error::Backend),
    }
 }
--- a/virtio-devices/src/vhost_user/fs.rs
+++ b/virtio-devices/src/vhost_user/fs.rs
@ -11,7 +11,7 @@ use crate::{
 };
 use crate::{GuestMemoryMmap, GuestRegionMmap, MmapRegion};
 use libc::{self, c_void, off64_t, pread64, pwrite64};
-use seccomp::{SeccompAction, SeccompFilter};
+use seccompiler::{apply_filter, SeccompAction};
 use std::io;
 use std::os::unix::io::AsRawFd;
 use std::result;
@ -556,7 +556,7 @@ impl VirtioDevice for Fs {
        thread::Builder::new()
            .name(self.id.to_string())
            .spawn(move || {
-                if let Err(e) = SeccompFilter::apply(virtio_vhost_fs_seccomp_filter) {
+                if let Err(e) = apply_filter(&virtio_vhost_fs_seccomp_filter) {
                    error!("Error applying seccomp filter: {:?}", e);
                } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
                    error!("Error running vhost-user-fs worker: {:?}", e);
--- a/virtio-devices/src/vhost_user/net.rs
+++ b/virtio-devices/src/vhost_user/net.rs
@ -11,7 +11,7 @@ use crate::{
 };
 use crate::{GuestMemoryMmap, GuestRegionMmap};
 use net_util::{build_net_config_space, CtrlQueue, MacAddr, VirtioNetConfig};
-use seccomp::{SeccompAction, SeccompFilter};
+use seccompiler::{apply_filter, SeccompAction};
 use std::os::unix::io::AsRawFd;
 use std::result;
 use std::sync::atomic::AtomicBool;
@ -339,7 +339,7 @@ impl VirtioDevice for Net {
            thread::Builder::new()
                .name(format!("{}_ctrl", self.id))
                .spawn(move || {
-                    if let Err(e) = SeccompFilter::apply(virtio_vhost_net_ctl_seccomp_filter) {
+                    if let Err(e) = apply_filter(&virtio_vhost_net_ctl_seccomp_filter) {
                        error!("Error applying seccomp filter: {:?}", e);
                    } else if let Err(e) = ctrl_handler.run_ctrl(paused, paused_sync.unwrap()) {
                        error!("Error running worker: {:?}", e);
--- a/virtio-devices/src/vsock/device.rs
+++ b/virtio-devices/src/vsock/device.rs
@ -38,7 +38,7 @@ use crate::{
    VIRTIO_F_IN_ORDER, VIRTIO_F_IOMMU_PLATFORM, VIRTIO_F_VERSION_1,
 };
 use byteorder::{ByteOrder, LittleEndian};
-use seccomp::{SeccompAction, SeccompFilter};
+use seccompiler::{apply_filter, SeccompAction};
 use std::io;
 use std::os::unix::io::AsRawFd;
 use std::path::PathBuf;
@ -441,7 +441,7 @@ where
        thread::Builder::new()
            .name(self.id.clone())
            .spawn(move || {
-                if let Err(e) = SeccompFilter::apply(virtio_vsock_seccomp_filter) {
+                if let Err(e) = apply_filter(&virtio_vsock_seccomp_filter) {
                    error!("Error applying seccomp filter: {:?}", e);
                } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
                    error!("Error running worker: {:?}", e);
--- a/virtio-devices/src/vsock/mod.rs
+++ b/virtio-devices/src/vsock/mod.rs
@ -274,7 +274,7 @@ mod tests {
                    PathBuf::from("/test/sock"),
                    TestBackend::new(),
                    false,
-                    seccomp::SeccompAction::Trap,
+                    seccompiler::SeccompAction::Trap,
                )
                .unwrap(),
            }
--- a/virtio-devices/src/watchdog.rs
+++ b/virtio-devices/src/watchdog.rs
@ -14,7 +14,7 @@ use crate::seccomp_filters::{get_seccomp_filter, Thread};
 use crate::GuestMemoryMmap;
 use crate::{VirtioInterrupt, VirtioInterruptType};
 use anyhow::anyhow;
-use seccomp::{SeccompAction, SeccompFilter};
+use seccompiler::{apply_filter, SeccompAction};
 use std::fs::File;
 use std::io::{self, Read};
 use std::os::unix::io::{AsRawFd, FromRawFd, RawFd};
@ -325,7 +325,7 @@ impl VirtioDevice for Watchdog {
        thread::Builder::new()
            .name(self.id.clone())
            .spawn(move || {
-                if let Err(e) = SeccompFilter::apply(virtio_watchdog_seccomp_filter) {
+                if let Err(e) = apply_filter(&virtio_watchdog_seccomp_filter) {
                    error!("Error applying seccomp filter: {:?}", e);
                } else if let Err(e) = handler.run(paused, paused_sync.unwrap()) {
                    error!("Error running worker: {:?}", e);
--- a/vmm/Cargo.toml
+++ b/vmm/Cargo.toml
@ -35,7 +35,7 @@ net_util = { path = "../net_util" }
 option_parser = { path = "../option_parser" }
 pci = { path = "../pci" }
 qcow = { path = "../qcow" }
-seccomp = { git = "https://github.com/firecracker-microvm/firecracker", tag = "v0.24.5" }
+seccompiler = { git = "https://github.com/rust-vmm/seccompiler"}
 serde = { version = "1.0.127", features = ["rc"] }
 serde_derive = "1.0.127"
 serde_json = "1.0.66"
--- a/vmm/src/api/http.rs
+++ b/vmm/src/api/http.rs
@ -8,7 +8,7 @@ use crate::api::{ApiError, ApiRequest, VmAction};
 use crate::seccomp_filters::{get_seccomp_filter, Thread};
 use crate::{Error, Result};
 use micro_http::{Body, HttpServer, MediaType, Method, Request, Response, StatusCode, Version};
-use seccomp::{SeccompAction, SeccompFilter};
+use seccompiler::{apply_filter, SeccompAction};
 use serde_json::Error as SerdeError;
 use std::collections::HashMap;
 use std::fs::File;
@ -276,7 +276,7 @@ fn start_http_thread(
        .name("http-server".to_string())
        .spawn(move || {
            // Apply seccomp filter for API thread.
-            SeccompFilter::apply(api_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
+            apply_filter(&api_seccomp_filter).map_err(Error::ApplySeccompFilter)?;

            server.start_server().unwrap();
            loop {
--- a/vmm/src/api/mod.rs
+++ b/vmm/src/api/mod.rs
@ -117,10 +117,10 @@ pub enum ApiError {
    VmRemoveDevice(VmError),

    /// Cannot create seccomp filter
-    CreateSeccompFilter(seccomp::SeccompError),
+    CreateSeccompFilter(seccompiler::Error),

    /// Cannot apply seccomp filter
-    ApplySeccompFilter(seccomp::Error),
+    ApplySeccompFilter(seccompiler::Error),

    /// The disk could not be added to the VM.
    VmAddDisk(VmError),
--- a/vmm/src/cpu.rs
+++ b/vmm/src/cpu.rs
@ -32,7 +32,7 @@ use hypervisor::kvm::kvm_bindings;
 use hypervisor::CpuId;
 use hypervisor::{vm::VmmOps, CpuState, HypervisorCpuError, VmExit};
 use libc::{c_void, siginfo_t};
-use seccomp::{SeccompAction, SeccompFilter};
+use seccompiler::{apply_filter, SeccompAction};
 #[cfg(feature = "acpi")]
 use std::collections::BTreeMap;
 use std::os::unix::thread::JoinHandleExt;
@ -88,10 +88,10 @@ pub enum Error {
    DesiredVCpuCountExceedsMax,

    /// Cannot create seccomp filter
-    CreateSeccompFilter(seccomp::SeccompError),
+    CreateSeccompFilter(seccompiler::Error),

    /// Cannot apply seccomp filter
-    ApplySeccompFilter(seccomp::Error),
+    ApplySeccompFilter(seccompiler::Error),

    /// Error starting vCPU after restore
    StartRestoreVcpu(anyhow::Error),
@ -725,7 +725,7 @@ impl CpuManager {
                .spawn(move || {
                    // Apply seccomp filter for vcpu thread.
                    if let Err(e) =
-                        SeccompFilter::apply(vcpu_seccomp_filter).map_err(Error::ApplySeccompFilter)
+                        apply_filter(&vcpu_seccomp_filter).map_err(Error::ApplySeccompFilter)
                    {
                        error!("Error applying seccomp filter: {:?}", e);
                        return;
--- a/vmm/src/device_manager.rs
+++ b/vmm/src/device_manager.rs
@ -66,7 +66,7 @@ use pci::{
    DeviceRelocation, PciBarRegionType, PciBus, PciConfigIo, PciConfigMmio, PciDevice, PciRoot,
    VfioUserPciDevice, VfioUserPciDeviceError,
 };
-use seccomp::SeccompAction;
+use seccompiler::SeccompAction;
 use std::collections::HashMap;
 use std::convert::TryInto;
 use std::fs::{read_link, File, OpenOptions};
--- a/vmm/src/lib.rs
+++ b/vmm/src/lib.rs
@ -28,7 +28,7 @@ use crate::seccomp_filters::{get_seccomp_filter, Thread};
 use crate::vm::{Error as VmError, Vm, VmState};
 use anyhow::anyhow;
 use libc::EFD_NONBLOCK;
-use seccomp::{SeccompAction, SeccompFilter};
+use seccompiler::{apply_filter, SeccompAction};
 use serde::ser::{Serialize, SerializeStruct, Serializer};
 use std::fs::File;
 use std::io;
@ -121,11 +121,11 @@ pub enum Error {

    /// Cannot create seccomp filter
    #[error("Error creating seccomp filter: {0}")]
-    CreateSeccompFilter(seccomp::SeccompError),
+    CreateSeccompFilter(seccompiler::Error),

    /// Cannot apply seccomp filter
    #[error("Error applying seccomp filter: {0}")]
-    ApplySeccompFilter(seccomp::Error),
+    ApplySeccompFilter(seccompiler::Error),

    /// Error activating virtio devices
    #[error("Error activating virtio devices: {0:?}")]
@ -263,7 +263,7 @@ pub fn start_vmm_thread(
        .name("vmm".to_string())
        .spawn(move || {
            // Apply seccomp filter for VMM thread.
-            SeccompFilter::apply(vmm_seccomp_filter).map_err(Error::ApplySeccompFilter)?;
+            apply_filter(&vmm_seccomp_filter).map_err(Error::ApplySeccompFilter)?;

            let mut vmm = Vmm::new(
                vmm_version.to_string(),
--- a/vmm/src/seccomp_filters.rs
+++ b/vmm/src/seccomp_filters.rs
@ -4,10 +4,9 @@
 //
 // SPDX-License-Identifier: Apache-2.0

-use seccomp::{
-    allow_syscall, allow_syscall_if, BpfProgram, Error, SeccompAction, SeccompCmpArgLen as ArgLen,
-    SeccompCmpOp::Eq, SeccompCondition as Cond, SeccompError, SeccompFilter, SeccompRule,
-    SyscallRuleSet,
+use seccompiler::{
+    BackendError, BpfProgram, Error, SeccompAction, SeccompCmpArgLen as ArgLen, SeccompCmpOp::Eq,
+    SeccompCondition as Cond, SeccompFilter, SeccompRule,
 };
 use std::convert::TryInto;

@ -21,12 +20,11 @@ pub enum Thread {
 /// Shorthand for chaining `SeccompCondition`s with the `and` operator  in a `SeccompRule`.
 /// The rule will take the `Allow` action if _all_ the conditions are true.
 ///
-/// [`Allow`]: enum.SeccompAction.html
 /// [`SeccompCondition`]: struct.SeccompCondition.html
 /// [`SeccompRule`]: struct.SeccompRule.html
 macro_rules! and {
-    ($($x:expr,)*) => (SeccompRule::new(vec![$($x),*], SeccompAction::Allow));
-    ($($x:expr),*) => (SeccompRule::new(vec![$($x),*], SeccompAction::Allow))
+    ($($x:expr,)*) => (SeccompRule::new(vec![$($x),*]).unwrap());
+    ($($x:expr),*) => (SeccompRule::new(vec![$($x),*]).unwrap())
 }

 /// Shorthand for chaining `SeccompRule`s with the `or` operator in a `SeccompFilter`.
@ -149,66 +147,66 @@ mod mshv {
 use mshv::*;

 #[cfg(feature = "mshv")]
-fn create_vmm_ioctl_seccomp_rule_common_mshv() -> Result<Vec<SeccompRule>, Error> {
+fn create_vmm_ioctl_seccomp_rule_common_mshv() -> Result<Vec<SeccompRule>, BackendError> {
    Ok(or![
-        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_GET_API_VERSION,)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_CREATE_VM)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_MAP_GUEST_MEMORY)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_UNMAP_GUEST_MEMORY)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_CREATE_VP)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_IRQFD)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_IOEVENTFD)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_SET_MSI_ROUTING)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_GET_VP_REGISTERS)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_SET_VP_REGISTERS)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_RUN_VP)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_GET_VP_STATE)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_SET_VP_STATE)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, MSHV_GET_API_VERSION,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, MSHV_CREATE_VM)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, MSHV_MAP_GUEST_MEMORY)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, MSHV_UNMAP_GUEST_MEMORY)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, MSHV_CREATE_VP)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, MSHV_IRQFD)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, MSHV_IOEVENTFD)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, MSHV_SET_MSI_ROUTING)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, MSHV_GET_VP_REGISTERS)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, MSHV_SET_VP_REGISTERS)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, MSHV_RUN_VP)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, MSHV_GET_VP_STATE)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, MSHV_SET_VP_STATE)?],
        and![Cond::new(
            1,
-            ArgLen::DWORD,
+            ArgLen::Dword,
            Eq,
            MSHV_SET_PARTITION_PROPERTY
        )?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_GET_GPA_ACCESS_STATES)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_VP_TRANSLATE_GVA)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, MSHV_GET_GPA_ACCESS_STATES)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, MSHV_VP_TRANSLATE_GVA)?],
    ])
 }

 #[cfg(feature = "kvm")]
-fn create_vmm_ioctl_seccomp_rule_common_kvm() -> Result<Vec<SeccompRule>, Error> {
+fn create_vmm_ioctl_seccomp_rule_common_kvm() -> Result<Vec<SeccompRule>, BackendError> {
    Ok(or![
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CHECK_EXTENSION,)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CREATE_DEVICE,)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CREATE_IRQCHIP,)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CREATE_VCPU)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CREATE_VM)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_ENABLE_CAP)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_API_VERSION,)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_DEVICE_ATTR,)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_DIRTY_LOG)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_MP_STATE)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_ONE_REG)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_REGS)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_REG_LIST)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_SUPPORTED_CPUID,)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_VCPU_EVENTS,)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_VCPU_MMAP_SIZE,)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_IOEVENTFD)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_IRQFD)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_RUN)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_MEMORY_ENCRYPT_OP)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_DEVICE_ATTR,)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_GSI_ROUTING)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_MP_STATE)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_ONE_REG)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_REGS)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_USER_MEMORY_REGION,)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_VCPU_EVENTS,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_CHECK_EXTENSION)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_CREATE_DEVICE,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_CREATE_IRQCHIP,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_CREATE_VCPU)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_CREATE_VM)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_ENABLE_CAP)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_API_VERSION,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_DEVICE_ATTR,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_DIRTY_LOG)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_MP_STATE)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_ONE_REG)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_REGS)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_REG_LIST)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_SUPPORTED_CPUID,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_VCPU_EVENTS,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_VCPU_MMAP_SIZE,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_IOEVENTFD)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_IRQFD)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_RUN)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_MEMORY_ENCRYPT_OP)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_DEVICE_ATTR,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_GSI_ROUTING)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_MP_STATE)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_ONE_REG)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_REGS)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_USER_MEMORY_REGION,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_VCPU_EVENTS,)?],
    ])
 }

-fn create_vmm_ioctl_seccomp_rule_hypervisor() -> Result<Vec<SeccompRule>, Error> {
+fn create_vmm_ioctl_seccomp_rule_hypervisor() -> Result<Vec<SeccompRule>, BackendError> {
    #[cfg(feature = "kvm")]
    let rules = create_vmm_ioctl_seccomp_rule_common_kvm();

@ -218,46 +216,46 @@ fn create_vmm_ioctl_seccomp_rule_hypervisor() -> Result<Vec<SeccompRule>, Error>
    rules
 }

-fn create_vmm_ioctl_seccomp_rule_common() -> Result<Vec<SeccompRule>, Error> {
+fn create_vmm_ioctl_seccomp_rule_common() -> Result<Vec<SeccompRule>, BackendError> {
    let mut common_rules = or![
-        and![Cond::new(1, ArgLen::DWORD, Eq, FIOCLEX)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, FIONBIO)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, SIOCGIFFLAGS)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, SIOCGIFHWADDR)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, SIOCSIFADDR)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, SIOCSIFFLAGS)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, SIOCSIFHWADDR)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, SIOCSIFNETMASK)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, TCSETS)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, TCGETS)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, TIOCGWINSZ)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, TIOCSPTLCK)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, TIOCGTPEER)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, TUNGETFEATURES)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, TUNGETIFF)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, TUNSETIFF)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, TUNSETOFFLOAD)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, TUNSETVNETHDRSZ)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_GET_API_VERSION)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_CHECK_EXTENSION)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_SET_IOMMU)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_GROUP_GET_STATUS)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_GROUP_SET_CONTAINER)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_GROUP_UNSET_CONTAINER)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_GROUP_GET_DEVICE_FD)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_DEVICE_GET_INFO)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, FIOCLEX)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, FIONBIO)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, SIOCGIFFLAGS)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, SIOCGIFHWADDR)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, SIOCSIFADDR)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, SIOCSIFFLAGS)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, SIOCSIFHWADDR)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, SIOCSIFNETMASK)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, TCSETS)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, TCGETS)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, TIOCGWINSZ)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, TIOCSPTLCK)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, TIOCGTPEER)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, TUNGETFEATURES)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, TUNGETIFF)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, TUNSETIFF)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, TUNSETOFFLOAD)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, TUNSETVNETHDRSZ)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, VFIO_GET_API_VERSION)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, VFIO_CHECK_EXTENSION)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, VFIO_SET_IOMMU)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, VFIO_GROUP_GET_STATUS)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, VFIO_GROUP_SET_CONTAINER)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, VFIO_GROUP_UNSET_CONTAINER)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, VFIO_GROUP_GET_DEVICE_FD)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, VFIO_DEVICE_GET_INFO)?],
        and![Cond::new(
            1,
-            ArgLen::DWORD,
+            ArgLen::Dword,
            Eq,
            VFIO_DEVICE_GET_REGION_INFO
        )?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_DEVICE_GET_IRQ_INFO)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_DEVICE_SET_IRQS)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_DEVICE_RESET)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_MAP_DMA)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_UNMAP_DMA)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_DEVICE_IOEVENTFD)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, VFIO_DEVICE_GET_IRQ_INFO)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, VFIO_DEVICE_SET_IRQS)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, VFIO_DEVICE_RESET)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_MAP_DMA)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_UNMAP_DMA)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, VFIO_DEVICE_IOEVENTFD)?],
    ];

    let hypervisor_rules = create_vmm_ioctl_seccomp_rule_hypervisor()?;
@ -268,7 +266,7 @@ fn create_vmm_ioctl_seccomp_rule_common() -> Result<Vec<SeccompRule>, Error> {
 }

 #[cfg(all(target_arch = "x86_64", feature = "kvm"))]
-fn create_vmm_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, Error> {
+fn create_vmm_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, BackendError> {
    const KVM_CREATE_PIT2: u64 = 0x4040_ae77;
    const KVM_GET_CLOCK: u64 = 0x8030_ae7c;
    const KVM_GET_CPUID2: u64 = 0xc008_ae91;
@ -292,26 +290,26 @@ fn create_vmm_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, Error> {

    let common_rules = create_vmm_ioctl_seccomp_rule_common()?;
    let mut arch_rules = or![
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CREATE_PIT2)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_CLOCK,)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_CPUID2,)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_FPU)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_LAPIC)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_MSR_INDEX_LIST)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_MSRS)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_SREGS)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_XCRS,)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_GET_XSAVE,)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_KVMCLOCK_CTRL)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_CLOCK)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_CPUID2)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_FPU)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_LAPIC)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_SREGS)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_TSS_ADDR,)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_MSRS)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_XCRS,)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_XSAVE,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_CREATE_PIT2)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_CLOCK,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_CPUID2,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_FPU)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_LAPIC)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_MSR_INDEX_LIST)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_MSRS)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_SREGS)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_XCRS,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_GET_XSAVE,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_KVMCLOCK_CTRL)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_CLOCK)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_CPUID2)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_FPU)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_LAPIC)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_SREGS)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_TSS_ADDR,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_MSRS)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_XCRS,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_XSAVE,)?],
    ];
    arch_rules.extend(common_rules);

@ -319,14 +317,14 @@ fn create_vmm_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, Error> {
 }

 #[cfg(all(target_arch = "aarch64", feature = "kvm"))]
-fn create_vmm_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, Error> {
+fn create_vmm_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, BackendError> {
    const KVM_ARM_PREFERRED_TARGET: u64 = 0x8020_aeaf;
    const KVM_ARM_VCPU_INIT: u64 = 0x4020_aeae;

    let common_rules = create_vmm_ioctl_seccomp_rule_common()?;
    let mut arch_rules = or![
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_ARM_PREFERRED_TARGET,)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_ARM_VCPU_INIT,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_ARM_PREFERRED_TARGET,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_ARM_VCPU_INIT,)?],
    ];
    arch_rules.extend(common_rules);

@ -334,11 +332,11 @@ fn create_vmm_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, Error> {
 }

 #[cfg(all(target_arch = "x86_64", feature = "mshv"))]
-fn create_vmm_ioctl_seccomp_rule_mshv() -> Result<Vec<SeccompRule>, Error> {
+fn create_vmm_ioctl_seccomp_rule_mshv() -> Result<Vec<SeccompRule>, BackendError> {
    create_vmm_ioctl_seccomp_rule_common()
 }

-fn create_vmm_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, Error> {
+fn create_vmm_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, BackendError> {
    #[cfg(feature = "kvm")]
    let rules = create_vmm_ioctl_seccomp_rule_kvm();

@ -348,182 +346,182 @@ fn create_vmm_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, Error> {
    rules
 }

-fn create_api_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, Error> {
-    Ok(or![and![Cond::new(1, ArgLen::DWORD, Eq, FIONBIO)?],])
+fn create_api_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, BackendError> {
+    Ok(or![and![Cond::new(1, ArgLen::Dword, Eq, FIONBIO)?]])
 }

-fn create_signal_handler_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, Error> {
+fn create_signal_handler_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, BackendError> {
    Ok(or![
-        and![Cond::new(1, ArgLen::DWORD, Eq, TCGETS)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, TCSETS)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, TIOCGWINSZ)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, TCGETS)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, TCSETS)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, TIOCGWINSZ)?],
    ])
 }

-fn signal_handler_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
+fn signal_handler_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
    Ok(vec![
-        allow_syscall(libc::SYS_brk),
-        allow_syscall(libc::SYS_close),
-        allow_syscall(libc::SYS_exit),
-        allow_syscall(libc::SYS_exit_group),
-        allow_syscall(libc::SYS_futex),
-        allow_syscall_if(libc::SYS_ioctl, create_signal_handler_ioctl_seccomp_rule()?),
-        allow_syscall(libc::SYS_madvise),
-        allow_syscall(libc::SYS_munmap),
-        allow_syscall(libc::SYS_recvfrom),
-        allow_syscall(libc::SYS_rt_sigprocmask),
-        allow_syscall(libc::SYS_sendto),
-        allow_syscall(libc::SYS_sigaltstack),
-        allow_syscall(libc::SYS_write),
+        (libc::SYS_brk, vec![]),
+        (libc::SYS_close, vec![]),
+        (libc::SYS_exit, vec![]),
+        (libc::SYS_exit_group, vec![]),
+        (libc::SYS_futex, vec![]),
+        (libc::SYS_ioctl, create_signal_handler_ioctl_seccomp_rule()?),
+        (libc::SYS_madvise, vec![]),
+        (libc::SYS_munmap, vec![]),
+        (libc::SYS_recvfrom, vec![]),
+        (libc::SYS_rt_sigprocmask, vec![]),
+        (libc::SYS_sendto, vec![]),
+        (libc::SYS_sigaltstack, vec![]),
+        (libc::SYS_write, vec![]),
    ])
 }

 // The filter containing the white listed syscall rules required by the VMM to
 // function.
-fn vmm_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
+fn vmm_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
    Ok(vec![
-        allow_syscall(libc::SYS_accept4),
+        (libc::SYS_accept4, vec![]),
        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_access),
+        (libc::SYS_access, vec![]),
        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_arch_prctl),
-        allow_syscall(libc::SYS_bind),
-        allow_syscall(libc::SYS_brk),
-        allow_syscall(libc::SYS_clock_gettime),
-        allow_syscall(libc::SYS_clock_nanosleep),
-        allow_syscall(libc::SYS_clone),
-        allow_syscall(libc::SYS_close),
-        allow_syscall(libc::SYS_connect),
-        allow_syscall(libc::SYS_dup),
-        allow_syscall(libc::SYS_epoll_create1),
-        allow_syscall(libc::SYS_epoll_ctl),
-        allow_syscall(libc::SYS_epoll_pwait),
+        (libc::SYS_arch_prctl, vec![]),
+        (libc::SYS_bind, vec![]),
+        (libc::SYS_brk, vec![]),
+        (libc::SYS_clock_gettime, vec![]),
+        (libc::SYS_clock_nanosleep, vec![]),
+        (libc::SYS_clone, vec![]),
+        (libc::SYS_close, vec![]),
+        (libc::SYS_connect, vec![]),
+        (libc::SYS_dup, vec![]),
+        (libc::SYS_epoll_create1, vec![]),
+        (libc::SYS_epoll_ctl, vec![]),
+        (libc::SYS_epoll_pwait, vec![]),
        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_epoll_wait),
-        allow_syscall(libc::SYS_eventfd2),
-        allow_syscall(libc::SYS_execve),
-        allow_syscall(libc::SYS_exit),
-        allow_syscall(libc::SYS_exit_group),
-        allow_syscall(libc::SYS_fallocate),
-        allow_syscall(libc::SYS_fcntl),
-        allow_syscall(libc::SYS_fdatasync),
+        (libc::SYS_epoll_wait, vec![]),
+        (libc::SYS_eventfd2, vec![]),
+        (libc::SYS_execve, vec![]),
+        (libc::SYS_exit, vec![]),
+        (libc::SYS_exit_group, vec![]),
+        (libc::SYS_fallocate, vec![]),
+        (libc::SYS_fcntl, vec![]),
+        (libc::SYS_fdatasync, vec![]),
        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_fork),
-        allow_syscall(libc::SYS_fstat),
-        allow_syscall(libc::SYS_fsync),
-        allow_syscall(SYS_FTRUNCATE),
+        (libc::SYS_fork, vec![]),
+        (libc::SYS_fstat, vec![]),
+        (libc::SYS_fsync, vec![]),
+        (SYS_FTRUNCATE, vec![]),
        #[cfg(target_arch = "aarch64")]
-        allow_syscall(libc::SYS_faccessat),
+        (libc::SYS_faccessat, vec![]),
        #[cfg(target_arch = "aarch64")]
-        allow_syscall(libc::SYS_newfstatat),
-        allow_syscall(libc::SYS_futex),
-        allow_syscall(libc::SYS_getpid),
-        allow_syscall(libc::SYS_getrandom),
-        allow_syscall(libc::SYS_gettid),
-        allow_syscall(libc::SYS_gettimeofday),
-        allow_syscall(libc::SYS_getuid),
-        allow_syscall_if(libc::SYS_ioctl, create_vmm_ioctl_seccomp_rule()?),
-        allow_syscall(SYS_IO_URING_ENTER),
-        allow_syscall(SYS_IO_URING_SETUP),
-        allow_syscall(SYS_IO_URING_REGISTER),
-        allow_syscall(libc::SYS_kill),
-        allow_syscall(libc::SYS_listen),
-        allow_syscall(libc::SYS_lseek),
-        allow_syscall(libc::SYS_madvise),
-        allow_syscall(libc::SYS_mbind),
-        allow_syscall(libc::SYS_memfd_create),
-        allow_syscall(libc::SYS_mmap),
-        allow_syscall(libc::SYS_mprotect),
-        allow_syscall(libc::SYS_mremap),
-        allow_syscall(libc::SYS_munmap),
-        allow_syscall(libc::SYS_nanosleep),
-        allow_syscall(libc::SYS_newfstatat),
+        (libc::SYS_newfstatat, vec![]),
+        (libc::SYS_futex, vec![]),
+        (libc::SYS_getpid, vec![]),
+        (libc::SYS_getrandom, vec![]),
+        (libc::SYS_gettid, vec![]),
+        (libc::SYS_gettimeofday, vec![]),
+        (libc::SYS_getuid, vec![]),
+        (libc::SYS_ioctl, create_vmm_ioctl_seccomp_rule()?),
+        (SYS_IO_URING_ENTER, vec![]),
+        (SYS_IO_URING_SETUP, vec![]),
+        (SYS_IO_URING_REGISTER, vec![]),
+        (libc::SYS_kill, vec![]),
+        (libc::SYS_listen, vec![]),
+        (libc::SYS_lseek, vec![]),
+        (libc::SYS_madvise, vec![]),
+        (libc::SYS_mbind, vec![]),
+        (libc::SYS_memfd_create, vec![]),
+        (libc::SYS_mmap, vec![]),
+        (libc::SYS_mprotect, vec![]),
+        (libc::SYS_mremap, vec![]),
+        (libc::SYS_munmap, vec![]),
+        (libc::SYS_nanosleep, vec![]),
+        (libc::SYS_newfstatat, vec![]),
        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_open),
-        allow_syscall(libc::SYS_openat),
-        allow_syscall(libc::SYS_pipe2),
-        allow_syscall(libc::SYS_prctl),
-        allow_syscall(libc::SYS_pread64),
-        allow_syscall(libc::SYS_preadv),
-        allow_syscall(libc::SYS_prlimit64),
-        allow_syscall(libc::SYS_pwrite64),
-        allow_syscall(libc::SYS_pwritev),
-        allow_syscall(libc::SYS_read),
-        allow_syscall(libc::SYS_readv),
+        (libc::SYS_open, vec![]),
+        (libc::SYS_openat, vec![]),
+        (libc::SYS_pipe2, vec![]),
+        (libc::SYS_prctl, vec![]),
+        (libc::SYS_pread64, vec![]),
+        (libc::SYS_preadv, vec![]),
+        (libc::SYS_prlimit64, vec![]),
+        (libc::SYS_pwrite64, vec![]),
+        (libc::SYS_pwritev, vec![]),
+        (libc::SYS_read, vec![]),
+        (libc::SYS_readv, vec![]),
        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_readlink),
+        (libc::SYS_readlink, vec![]),
        #[cfg(target_arch = "aarch64")]
-        allow_syscall(libc::SYS_readlinkat),
-        allow_syscall(libc::SYS_recvfrom),
-        allow_syscall(libc::SYS_recvmsg),
-        allow_syscall(libc::SYS_restart_syscall),
-        allow_syscall(libc::SYS_rt_sigaction),
-        allow_syscall(libc::SYS_rt_sigprocmask),
-        allow_syscall(libc::SYS_rt_sigreturn),
-        allow_syscall(libc::SYS_sched_getaffinity),
-        allow_syscall(libc::SYS_sendmsg),
-        allow_syscall(libc::SYS_sendto),
-        allow_syscall(libc::SYS_set_robust_list),
-        allow_syscall(libc::SYS_set_tid_address),
-        allow_syscall(libc::SYS_sigaltstack),
-        allow_syscall_if(
+        (libc::SYS_readlinkat, vec![]),
+        (libc::SYS_recvfrom, vec![]),
+        (libc::SYS_recvmsg, vec![]),
+        (libc::SYS_restart_syscall, vec![]),
+        (libc::SYS_rt_sigaction, vec![]),
+        (libc::SYS_rt_sigprocmask, vec![]),
+        (libc::SYS_rt_sigreturn, vec![]),
+        (libc::SYS_sched_getaffinity, vec![]),
+        (libc::SYS_sendmsg, vec![]),
+        (libc::SYS_sendto, vec![]),
+        (libc::SYS_set_robust_list, vec![]),
+        (libc::SYS_set_tid_address, vec![]),
+        (libc::SYS_sigaltstack, vec![]),
+        (
            libc::SYS_socket,
            or![
-                and![Cond::new(0, ArgLen::DWORD, Eq, libc::AF_UNIX as u64)?],
-                and![Cond::new(0, ArgLen::DWORD, Eq, libc::AF_INET as u64)?],
+                and![Cond::new(0, ArgLen::Dword, Eq, libc::AF_UNIX as u64)?],
+                and![Cond::new(0, ArgLen::Dword, Eq, libc::AF_INET as u64)?],
            ],
        ),
-        allow_syscall(libc::SYS_socketpair),
+        (libc::SYS_socketpair, vec![]),
        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_stat),
-        allow_syscall(libc::SYS_statx),
-        allow_syscall(libc::SYS_tgkill),
-        allow_syscall(libc::SYS_timerfd_create),
-        allow_syscall(libc::SYS_timerfd_settime),
-        allow_syscall(libc::SYS_tkill),
-        allow_syscall_if(
+        (libc::SYS_stat, vec![]),
+        (libc::SYS_statx, vec![]),
+        (libc::SYS_tgkill, vec![]),
+        (libc::SYS_timerfd_create, vec![]),
+        (libc::SYS_timerfd_settime, vec![]),
+        (libc::SYS_tkill, vec![]),
+        (
            libc::SYS_umask,
-            or![and![Cond::new(0, ArgLen::DWORD, Eq, 0o077)?]],
+            or![and![Cond::new(0, ArgLen::Dword, Eq, 0o077)?]],
        ),
        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_unlink),
+        (libc::SYS_unlink, vec![]),
        #[cfg(target_arch = "aarch64")]
-        allow_syscall(libc::SYS_unlinkat),
-        allow_syscall(libc::SYS_wait4),
-        allow_syscall(libc::SYS_write),
-        allow_syscall(libc::SYS_writev),
+        (libc::SYS_unlinkat, vec![]),
+        (libc::SYS_wait4, vec![]),
+        (libc::SYS_write, vec![]),
+        (libc::SYS_writev, vec![]),
    ])
 }

 #[cfg(feature = "kvm")]
-fn create_vcpu_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, Error> {
+fn create_vcpu_ioctl_seccomp_rule_kvm() -> Result<Vec<SeccompRule>, BackendError> {
    Ok(or![
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_CHECK_EXTENSION,)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_IOEVENTFD)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_IRQFD,)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_DEVICE_ATTR,)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_GSI_ROUTING,)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_SET_USER_MEMORY_REGION,)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, KVM_RUN,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_CHECK_EXTENSION,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_IOEVENTFD)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_IRQFD,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_DEVICE_ATTR,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_GSI_ROUTING,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_SET_USER_MEMORY_REGION,)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, KVM_RUN,)?],
    ])
 }

 #[cfg(feature = "mshv")]
-fn create_vcpu_ioctl_seccomp_rule_mshv() -> Result<Vec<SeccompRule>, Error> {
+fn create_vcpu_ioctl_seccomp_rule_mshv() -> Result<Vec<SeccompRule>, BackendError> {
    Ok(or![
-        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_SET_MSI_ROUTING)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_IOEVENTFD)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_IRQFD)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_RUN_VP)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_GET_VP_REGISTERS)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_SET_VP_REGISTERS)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_MAP_GUEST_MEMORY)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_UNMAP_GUEST_MEMORY)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, MSHV_VP_TRANSLATE_GVA)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, MSHV_SET_MSI_ROUTING)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, MSHV_IOEVENTFD)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, MSHV_IRQFD)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, MSHV_RUN_VP)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, MSHV_GET_VP_REGISTERS)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, MSHV_SET_VP_REGISTERS)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, MSHV_MAP_GUEST_MEMORY)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, MSHV_UNMAP_GUEST_MEMORY)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, MSHV_VP_TRANSLATE_GVA)?],
    ])
 }

-fn create_vcpu_ioctl_seccomp_rule_hypervisor() -> Result<Vec<SeccompRule>, Error> {
+fn create_vcpu_ioctl_seccomp_rule_hypervisor() -> Result<Vec<SeccompRule>, BackendError> {
    #[cfg(feature = "kvm")]
    let rules = create_vcpu_ioctl_seccomp_rule_kvm();

@ -533,11 +531,11 @@ fn create_vcpu_ioctl_seccomp_rule_hypervisor() -> Result<Vec<SeccompRule>, Error
    rules
 }

-fn create_vcpu_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, Error> {
+fn create_vcpu_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, BackendError> {
    let mut rules = or![
-        and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_DEVICE_SET_IRQS)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_GROUP_UNSET_CONTAINER)?],
-        and![Cond::new(1, ArgLen::DWORD, Eq, VFIO_IOMMU_UNMAP_DMA)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, VFIO_DEVICE_SET_IRQS)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, VFIO_GROUP_UNSET_CONTAINER)?],
+        and![Cond::new(1, ArgLen::Dword, Eq, VFIO_IOMMU_UNMAP_DMA)?],
    ];

    let hypervisor_rules = create_vcpu_ioctl_seccomp_rule_hypervisor()?;
@ -547,79 +545,79 @@ fn create_vcpu_ioctl_seccomp_rule() -> Result<Vec<SeccompRule>, Error> {
    Ok(rules)
 }

-fn vcpu_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
+fn vcpu_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
    Ok(vec![
-        allow_syscall(libc::SYS_brk),
-        allow_syscall(libc::SYS_clock_gettime),
-        allow_syscall(libc::SYS_clock_nanosleep),
-        allow_syscall(libc::SYS_close),
-        allow_syscall(libc::SYS_dup),
-        allow_syscall(libc::SYS_exit),
-        allow_syscall(libc::SYS_fstat),
-        allow_syscall(libc::SYS_futex),
-        allow_syscall(libc::SYS_getrandom),
-        allow_syscall(libc::SYS_getpid),
-        allow_syscall_if(libc::SYS_ioctl, create_vcpu_ioctl_seccomp_rule()?),
-        allow_syscall(libc::SYS_lseek),
-        allow_syscall(libc::SYS_madvise),
-        allow_syscall(libc::SYS_mmap),
-        allow_syscall(libc::SYS_mprotect),
-        allow_syscall(libc::SYS_munmap),
-        allow_syscall(libc::SYS_nanosleep),
-        allow_syscall(libc::SYS_newfstatat),
+        (libc::SYS_brk, vec![]),
+        (libc::SYS_clock_gettime, vec![]),
+        (libc::SYS_clock_nanosleep, vec![]),
+        (libc::SYS_close, vec![]),
+        (libc::SYS_dup, vec![]),
+        (libc::SYS_exit, vec![]),
+        (libc::SYS_fstat, vec![]),
+        (libc::SYS_futex, vec![]),
+        (libc::SYS_getrandom, vec![]),
+        (libc::SYS_getpid, vec![]),
+        (libc::SYS_ioctl, create_vcpu_ioctl_seccomp_rule()?),
+        (libc::SYS_lseek, vec![]),
+        (libc::SYS_madvise, vec![]),
+        (libc::SYS_mmap, vec![]),
+        (libc::SYS_mprotect, vec![]),
+        (libc::SYS_munmap, vec![]),
+        (libc::SYS_nanosleep, vec![]),
+        (libc::SYS_newfstatat, vec![]),
        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_open),
-        allow_syscall(libc::SYS_openat),
-        allow_syscall(libc::SYS_pread64),
-        allow_syscall(libc::SYS_pwrite64),
-        allow_syscall(libc::SYS_read),
-        allow_syscall(libc::SYS_recvfrom),
-        allow_syscall(libc::SYS_recvmsg),
-        allow_syscall(libc::SYS_rt_sigaction),
-        allow_syscall(libc::SYS_rt_sigprocmask),
-        allow_syscall(libc::SYS_rt_sigreturn),
-        allow_syscall(libc::SYS_sendmsg),
-        allow_syscall(libc::SYS_sigaltstack),
-        allow_syscall(libc::SYS_tgkill),
-        allow_syscall(libc::SYS_tkill),
+        (libc::SYS_open, vec![]),
+        (libc::SYS_openat, vec![]),
+        (libc::SYS_pread64, vec![]),
+        (libc::SYS_pwrite64, vec![]),
+        (libc::SYS_read, vec![]),
+        (libc::SYS_recvfrom, vec![]),
+        (libc::SYS_recvmsg, vec![]),
+        (libc::SYS_rt_sigaction, vec![]),
+        (libc::SYS_rt_sigprocmask, vec![]),
+        (libc::SYS_rt_sigreturn, vec![]),
+        (libc::SYS_sendmsg, vec![]),
+        (libc::SYS_sigaltstack, vec![]),
+        (libc::SYS_tgkill, vec![]),
+        (libc::SYS_tkill, vec![]),
        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_unlink),
+        (libc::SYS_unlink, vec![]),
        #[cfg(target_arch = "aarch64")]
-        allow_syscall(libc::SYS_unlinkat),
-        allow_syscall(libc::SYS_write),
-        allow_syscall(libc::SYS_writev),
+        (libc::SYS_unlinkat, vec![]),
+        (libc::SYS_write, vec![]),
+        (libc::SYS_writev, vec![]),
    ])
 }

 // The filter containing the white listed syscall rules required by the API to
 // function.
-fn api_thread_rules() -> Result<Vec<SyscallRuleSet>, Error> {
+fn api_thread_rules() -> Result<Vec<(i64, Vec<SeccompRule>)>, BackendError> {
    Ok(vec![
-        allow_syscall(libc::SYS_accept4),
-        allow_syscall(libc::SYS_brk),
-        allow_syscall(libc::SYS_close),
-        allow_syscall(libc::SYS_dup),
-        allow_syscall(libc::SYS_epoll_create1),
-        allow_syscall(libc::SYS_epoll_ctl),
-        allow_syscall(libc::SYS_epoll_pwait),
+        (libc::SYS_accept4, vec![]),
+        (libc::SYS_brk, vec![]),
+        (libc::SYS_close, vec![]),
+        (libc::SYS_dup, vec![]),
+        (libc::SYS_epoll_create1, vec![]),
+        (libc::SYS_epoll_ctl, vec![]),
+        (libc::SYS_epoll_pwait, vec![]),
        #[cfg(target_arch = "x86_64")]
-        allow_syscall(libc::SYS_epoll_wait),
-        allow_syscall(libc::SYS_exit),
-        allow_syscall(libc::SYS_fcntl),
-        allow_syscall(libc::SYS_futex),
-        allow_syscall(libc::SYS_getrandom),
-        allow_syscall_if(libc::SYS_ioctl, create_api_ioctl_seccomp_rule()?),
-        allow_syscall(libc::SYS_madvise),
-        allow_syscall(libc::SYS_mprotect),
-        allow_syscall(libc::SYS_munmap),
-        allow_syscall(libc::SYS_recvfrom),
-        allow_syscall(libc::SYS_recvmsg),
-        allow_syscall(libc::SYS_sigaltstack),
-        allow_syscall(libc::SYS_write),
+        (libc::SYS_epoll_wait, vec![]),
+        (libc::SYS_exit, vec![]),
+        (libc::SYS_fcntl, vec![]),
+        (libc::SYS_futex, vec![]),
+        (libc::SYS_getrandom, vec![]),
+        (libc::SYS_ioctl, create_api_ioctl_seccomp_rule()?),
+        (libc::SYS_madvise, vec![]),
+        (libc::SYS_mprotect, vec![]),
+        (libc::SYS_munmap, vec![]),
+        (libc::SYS_recvfrom, vec![]),
+        (libc::SYS_recvmsg, vec![]),
+        (libc::SYS_sigaltstack, vec![]),
+        (libc::SYS_write, vec![]),
    ])
 }

-fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error> {
+fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, BackendError> {
    let rules = match thread_type {
        Thread::Api => api_thread_rules()?,
        Thread::SignalHandler => signal_handler_thread_rules()?,
@ -627,10 +625,15 @@ fn get_seccomp_filter_trap(thread_type: Thread) -> Result<SeccompFilter, Error>
        Thread::Vmm => vmm_thread_rules()?,
    };

-    SeccompFilter::new(rules.into_iter().collect(), SeccompAction::Trap)
+    SeccompFilter::new(
+        rules.into_iter().collect(),
+        SeccompAction::Trap,
+        SeccompAction::Allow,
+        std::env::consts::ARCH.try_into().unwrap(),
+    )
 }

-fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
+fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, BackendError> {
    let rules = match thread_type {
        Thread::Api => api_thread_rules()?,
        Thread::SignalHandler => signal_handler_thread_rules()?,
@ -638,21 +641,26 @@ fn get_seccomp_filter_log(thread_type: Thread) -> Result<SeccompFilter, Error> {
        Thread::Vmm => vmm_thread_rules()?,
    };

-    SeccompFilter::new(rules.into_iter().collect(), SeccompAction::Log)
+    SeccompFilter::new(
+        rules.into_iter().collect(),
+        SeccompAction::Log,
+        SeccompAction::Allow,
+        std::env::consts::ARCH.try_into().unwrap(),
+    )
 }

 /// Generate a BPF program based on the seccomp_action value
 pub fn get_seccomp_filter(
    seccomp_action: &SeccompAction,
    thread_type: Thread,
-) -> Result<BpfProgram, SeccompError> {
+) -> Result<BpfProgram, Error> {
    match seccomp_action {
        SeccompAction::Allow => Ok(vec![]),
        SeccompAction::Log => get_seccomp_filter_log(thread_type)
            .and_then(|filter| filter.try_into())
-            .map_err(SeccompError::SeccompFilter),
+            .map_err(Error::Backend),
        _ => get_seccomp_filter_trap(thread_type)
            .and_then(|filter| filter.try_into())
-            .map_err(SeccompError::SeccompFilter),
+            .map_err(Error::Backend),
    }
 }
--- a/vmm/src/vm.rs
+++ b/vmm/src/vm.rs
@ -44,7 +44,7 @@ use linux_loader::loader::elf::PvhBootCapability::PvhEntryPresent;
 #[cfg(target_arch = "aarch64")]
 use linux_loader::loader::pe::Error::InvalidImageMagicNumber;
 use linux_loader::loader::KernelLoader;
-use seccomp::{SeccompAction, SeccompFilter};
+use seccompiler::{apply_filter, SeccompAction};
 use signal_hook::{
    consts::{SIGINT, SIGTERM, SIGWINCH},
    iterator::backend::Handle,
@ -216,10 +216,10 @@ pub enum Error {
    InvalidNumaConfig,

    /// Cannot create seccomp filter
-    CreateSeccompFilter(seccomp::SeccompError),
+    CreateSeccompFilter(seccompiler::Error),

    /// Cannot apply seccomp filter
-    ApplySeccompFilter(seccomp::Error),
+    ApplySeccompFilter(seccompiler::Error),

    /// Failed resizing a memory zone.
    ResizeZone,
@ -1880,7 +1880,7 @@ impl Vm {
                        thread::Builder::new()
                            .name("signal_handler".to_string())
                            .spawn(move || {
-                                if let Err(e) = SeccompFilter::apply(signal_handler_seccomp_filter)
+                                if let Err(e) = apply_filter(&signal_handler_seccomp_filter)
                                    .map_err(Error::ApplySeccompFilter)
                                {
                                    error!("Error applying seccomp filter: {:?}", e);
@ -2442,7 +2442,7 @@ impl Snapshottable for Vm {
                        thread::Builder::new()
                            .name("signal_handler".to_string())
                            .spawn(move || {
-                                if let Err(e) = SeccompFilter::apply(signal_handler_seccomp_filter)
+                                if let Err(e) = apply_filter(&signal_handler_seccomp_filter)
                                    .map_err(Error::ApplySeccompFilter)
                                {
                                    error!("Error applying seccomp filter: {:?}", e);