arch: use gperf to generate a perfact hash to lookup syscall names

This patch significantly improves the performance of
seccomp_syscall_resolve_name since it replaces the expensive strcmp
for each syscall in the database, with a lookup table.

The complexity for syscall_resolve_num is not changed and it
uses the linear search, that is anyway less expensive than
seccomp_syscall_resolve_name as it uses an index for comparison
instead of doing a string comparison.

On my machine, calling 1000 seccomp_syscall_resolve_name_arch and
seccomp_syscall_resolve_num_arch over the entire syscalls DB passed
from ~0.45 sec to ~0.06s.

PM: After talking with Giuseppe I made a number of additional
changes, some substantial, the highlights include:
* various style tweaks
* .gitignore fixes
* fixed subject line, tweaked the description
* dropped the arch-syscall-validate changes as they were masking
  other problems
* extracted the syscalls.csv and file deletions to other patches
  to keep this one more focused
* fixed the x86, x32, arm, all the MIPS ABIs, s390, and s390x ABIs as
  the syscall offsets were not properly incorporated into this change
* cleaned up the ABI specific headers
* cleaned up generate_syscalls_perf.sh and renamed to
  arch-gperf-generate
* fixed problems with automake's file packaging

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: see notes in the "PM" section above]
Signed-off-by: Paul Moore <paul@paul-moore.com>

38 files changed, 1139 insertions, 223 deletions

diff --git a/.travis.yml b/.travis.yml
index 7f54f00..a509652 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -39,6 +39,7 @@ addons:
       - valgrind
       - clang
       - lcov
+      - gperf
 
 env:
   global:
diff --git a/configure.ac b/configure.ac
index e8b77f2..40d9dcb 100644
--- a/configure.ac
+++ b/configure.ac
@@ -119,6 +119,11 @@ AC_DEFINE_UNQUOTED([ENABLE_PYTHON],
 	[$(test "$enable_python" = yes && echo 1 || echo 0)],
 	[Python bindings build flag.])
 
+AC_CHECK_TOOL(GPERF, gperf)
+if test -z "$GPERF"; then
+	AC_MSG_ERROR([please install gperf])
+fi
+
 dnl ####
 dnl coverity checks
 dnl ####
diff --git a/include/seccomp-syscalls.h b/include/seccomp-syscalls.h
index d7eb383..2a4ebd3 100644
--- a/include/seccomp-syscalls.h
+++ b/include/seccomp-syscalls.h
@@ -274,6 +274,7 @@
 #define __PNR_utimensat_time64			-10240
 #define __PNR_ppoll				-10241
 #define __PNR_renameat				-10242
+#define __PNR_riscv_flush_icache		-10243
 
 /*
  * libseccomp syscall definitions
@@ -1507,6 +1508,12 @@
 
 #define __SNR_restart_syscall		__NR_restart_syscall
 
+#ifdef __NR_riscv_flush_icache
+#define __SNR_riscv_flush_icache	__NR_riscv_flush_icache
+#else
+#define __SNR_riscv_flush_icache	__PNR_riscv_flush_icache
+#endif
+
 #ifdef __NR_rmdir
 #define __SNR_rmdir			__NR_rmdir
 #else
diff --git a/src/.gitignore b/src/.gitignore
index 530aec7..6b31a14 100644
--- a/src/.gitignore
+++ b/src/.gitignore
@@ -1,3 +1,5 @@
 libseccomp.a
 arch-syscall-check
 arch-syscall-dump
+syscalls.perf
+syscalls.perf.c
diff --git a/src/Makefile.am b/src/Makefile.am
index 0a76ed0..bfe5e3d 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -31,22 +31,25 @@ SOURCES_ALL = \
 	hash.h hash.c \
 	db.h db.c \
 	arch.c arch.h \
-	arch-x86.h arch-x86.c arch-x86-syscalls.c \
-	arch-x86_64.h arch-x86_64.c arch-x86_64-syscalls.c \
-	arch-x32.h arch-x32.c arch-x32-syscalls.c \
-	arch-arm.h arch-arm.c arch-arm-syscalls.c \
-	arch-aarch64.h arch-aarch64.c arch-aarch64-syscalls.c \
-	arch-mips.h arch-mips.c arch-mips-syscalls.c \
-	arch-mips64.h arch-mips64.c arch-mips64-syscalls.c \
-	arch-mips64n32.h arch-mips64n32.c arch-mips64n32-syscalls.c \
-	arch-parisc.h arch-parisc.c arch-parisc64.c arch-parisc-syscalls.c \
-	arch-ppc.h arch-ppc.c arch-ppc-syscalls.c \
-	arch-ppc64.h arch-ppc64.c arch-ppc64-syscalls.c \
-	arch-riscv64.h arch-riscv64.c arch-riscv64-syscalls.c \
-	arch-s390.h arch-s390.c arch-s390-syscalls.c \
-	arch-s390x.h arch-s390x.c arch-s390x-syscalls.c
-
-EXTRA_DIST = arch-syscall-validate syscalls.csv
+	arch-x86.h arch-x86.c \
+	arch-x86_64.h arch-x86_64.c \
+	arch-x32.h arch-x32.c \
+	arch-arm.h arch-arm.c \
+	arch-aarch64.h arch-aarch64.c \
+	arch-mips.h arch-mips.c \
+	arch-mips64.h arch-mips64.c \
+	arch-mips64n32.h arch-mips64n32.c \
+	arch-parisc.h arch-parisc.c arch-parisc64.c \
+	arch-ppc.h arch-ppc.c \
+	arch-ppc64.h arch-ppc64.c \
+	arch-riscv64.h arch-riscv64.c \
+	arch-s390.h arch-s390.c \
+	arch-s390x.h arch-s390x.c \
+	syscalls.h syscalls.c syscalls.perf.c
+
+EXTRA_DIST = \
+	arch-syscall-validate arch-gperf-generate \
+	syscalls.csv syscalls.perf.template
 
 TESTS = arch-syscall-check
 
@@ -67,5 +70,15 @@ libseccomp_la_CFLAGS = ${AM_CFLAGS} ${CODE_COVERAGE_CFLAGS} ${CFLAGS} \
 libseccomp_la_LDFLAGS = ${AM_LDFLAGS} ${CODE_COVERAGE_LDFLAGS} ${LDFLAGS} \
 	-version-number ${VERSION_MAJOR}:${VERSION_MINOR}:${VERSION_MICRO}
 
+EXTRA_DIST += syscalls.perf.c syscalls.perf
+CLEANFILES = syscalls.perf.c syscalls.perf
+
+syscalls.perf: syscalls.csv syscalls.perf.template
+	${AM_V_GEN} ${srcdir}/arch-gperf-generate \
+		${srcdir}/syscalls.csv ${srcdir}/syscalls.perf.template
+
+syscalls.perf.c: syscalls.perf
+	${GPERF} -m 100 --null-strings --pic -tCEG -T -S1 $< > $@
+
 check-build:
 	${MAKE} ${AM_MAKEFLAGS} ${check_PROGRAMS}
diff --git a/src/arch-aarch64.h b/src/arch-aarch64.h
index cde11cf..ed1877a 100644
--- a/src/arch-aarch64.h
+++ b/src/arch-aarch64.h
@@ -22,16 +22,8 @@
 #ifndef _ARCH_AARCH64_H
 #define _ARCH_AARCH64_H
 
-#include <inttypes.h>
-
 #include "arch.h"
-#include "system.h"
-
-extern const struct arch_def arch_def_aarch64;
-
-int aarch64_syscall_resolve_name(const char *name);
-const char *aarch64_syscall_resolve_num(int num);
 
-const struct arch_syscall_def *aarch64_syscall_iterate(unsigned int spot);
+ARCH_DECL(aarch64)
 
 #endif
diff --git a/src/arch-arm.c b/src/arch-arm.c
index c797f3f..3465111 100644
--- a/src/arch-arm.c
+++ b/src/arch-arm.c
@@ -26,13 +26,58 @@
 #include "arch.h"
 #include "arch-arm.h"
 
+#define __SCMP_NR_OABI_SYSCALL_BASE     0x900000
+#define __SCMP_ARM_NR_BASE              0x0f0000
+
+/* NOTE: we currently only support the ARM EABI, more info at the URL below:
+ *       -> http://wiki.embeddedarm.com/wiki/EABI_vs_OABI */
+#if 1
+#define __SCMP_NR_BASE                  0
+#else
+#define __SCMP_NR_BASE                  __SCMP_NR_OABI_SYSCALL_BASE
+#endif
+
+/**
+ * Resolve a syscall name to a number
+ * @param name the syscall name
+ *
+ * Resolve the given syscall name to the syscall number using the syscall table.
+ * Returns the syscall number on success, including negative pseudo syscall
+ * numbers; returns __NR_SCMP_ERROR on failure.
+ *
+ */
+int arm_syscall_resolve_name_munge(const char *name)
+{
+	int sys;
+
+	sys = arm_syscall_resolve_name(name);
+	if (sys == __NR_SCMP_ERROR)
+		return sys;
+
+	return sys + __SCMP_NR_BASE;
+}
+
+/**
+ * Resolve a syscall number to a name
+ * @param num the syscall number
+ *
+ * Resolve the given syscall number to the syscall name using the syscall table.
+ * Returns a pointer to the syscall name string on success, including pseudo
+ * syscall names; returns NULL on failure.
+ *
+ */
+const char *arm_syscall_resolve_num_munge(int num)
+{
+	return arm_syscall_resolve_num(num - __SCMP_NR_BASE);
+}
+
 const struct arch_def arch_def_arm = {
 	.token = SCMP_ARCH_ARM,
 	.token_bpf = AUDIT_ARCH_ARM,
 	.size = ARCH_SIZE_32,
 	.endian = ARCH_ENDIAN_LITTLE,
-	.syscall_resolve_name = arm_syscall_resolve_name,
-	.syscall_resolve_num = arm_syscall_resolve_num,
+	.syscall_resolve_name = arm_syscall_resolve_name_munge,
+	.syscall_resolve_num = arm_syscall_resolve_num_munge,
 	.syscall_rewrite = NULL,
 	.rule_add = NULL,
 };
diff --git a/src/arch-arm.h b/src/arch-arm.h
index 9f675d8..34e6c91 100644
--- a/src/arch-arm.h
+++ b/src/arch-arm.h
@@ -22,16 +22,8 @@
 #ifndef _ARCH_ARM_H
 #define _ARCH_ARM_H
 
-#include <inttypes.h>
-
 #include "arch.h"
-#include "system.h"
-
-extern const struct arch_def arch_def_arm;
-
-int arm_syscall_resolve_name(const char *name);
-const char *arm_syscall_resolve_num(int num);
 
-const struct arch_syscall_def *arm_syscall_iterate(unsigned int spot);
+ARCH_DECL(arm)
 
 #endif
diff --git a/src/arch-gperf-generate b/src/arch-gperf-generate
new file mode 100755
index 0000000..9e6c000
--- /dev/null
+++ b/src/arch-gperf-generate
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# NOTE: changes to the arch_syscall_table struct in syscalls.h will affect
+#       this script/gperf - BEWARE!
+
+###
+# helper functions
+
+function exit_usage() {
+	echo "usage: $0 <syscall_csv_file> <gperf_template>"
+	exit 1
+}
+
+###
+# main
+
+# sanity check
+[[ ! -r "$1" || ! -r "$2" ]] && exit_usage
+sys_csv=$1
+gperf_tmpl=$2
+
+sys_csv_tmp=$(mktemp -t generate_syscalls_XXXXXX)
+
+# filter and prepare the syscall csv file
+cat $sys_csv | grep -v '^#' | nl -ba -s, -v0 | \
+    sed -e 's/^[[:space:]]\+\([0-9]\+\),\([^,]\+\),\(.*\)/\2,\1,\3/' \
+        -e ':repeat; {s|\([^,]\+\)\(.*\)[^_]PNR|\1\2,__PNR_\1|g;}; t repeat' \
+         > $sys_csv_tmp
+[[ $? -ne 0 ]] && exit 1
+
+# create the gperf file
+sed -e "/@@SYSCALLS_TABLE@@/r $sys_csv_tmp" \
+    -e '/@@SYSCALLS_TABLE@@/d' \
+    $gperf_tmpl > syscalls.perf
+[[ $? -ne 0 ]] && exit 1
+
+# cleanup
+rm -f $sys_csv_tmp
+
+exit 0
diff --git a/src/arch-mips.c b/src/arch-mips.c
index 1d1f4e2..f0e6a14 100644
--- a/src/arch-mips.c
+++ b/src/arch-mips.c
@@ -27,13 +27,50 @@
 #include "arch.h"
 #include "arch-mips.h"
 
+/* O32 ABI */
+#define __SCMP_NR_BASE			4000
+
+/**
+ * Resolve a syscall name to a number
+ * @param name the syscall name
+ *
+ * Resolve the given syscall name to the syscall number using the syscall table.
+ * Returns the syscall number on success, including negative pseudo syscall
+ * numbers; returns __NR_SCMP_ERROR on failure.
+ *
+ */
+int mips_syscall_resolve_name_munge(const char *name)
+{
+	int sys;
+
+	sys = mips_syscall_resolve_name(name);
+	if (sys == __NR_SCMP_ERROR)
+		return sys;
+
+	return sys + __SCMP_NR_BASE;
+}
+
+/**
+ * Resolve a syscall number to a name
+ * @param num the syscall number
+ *
+ * Resolve the given syscall number to the syscall name using the syscall table.
+ * Returns a pointer to the syscall name string on success, including pseudo
+ * syscall names; returns NULL on failure.
+ *
+ */
+const char *mips_syscall_resolve_num_munge(int num)
+{
+	return mips_syscall_resolve_num(num - __SCMP_NR_BASE);
+}
+
 const struct arch_def arch_def_mips = {
 	.token = SCMP_ARCH_MIPS,
 	.token_bpf = AUDIT_ARCH_MIPS,
 	.size = ARCH_SIZE_32,
 	.endian = ARCH_ENDIAN_BIG,
-	.syscall_resolve_name = mips_syscall_resolve_name,
-	.syscall_resolve_num = mips_syscall_resolve_num,
+	.syscall_resolve_name = mips_syscall_resolve_name_munge,
+	.syscall_resolve_num = mips_syscall_resolve_num_munge,
 	.syscall_rewrite = NULL,
 	.rule_add = NULL,
 };
@@ -43,8 +80,8 @@ const struct arch_def arch_def_mipsel = {
 	.token_bpf = AUDIT_ARCH_MIPSEL,
 	.size = ARCH_SIZE_32,
 	.endian = ARCH_ENDIAN_LITTLE,
-	.syscall_resolve_name = mips_syscall_resolve_name,
-	.syscall_resolve_num = mips_syscall_resolve_num,
+	.syscall_resolve_name = mips_syscall_resolve_name_munge,
+	.syscall_resolve_num = mips_syscall_resolve_num_munge,
 	.syscall_rewrite = NULL,
 	.rule_add = NULL,
 };
diff --git a/src/arch-mips.h b/src/arch-mips.h
index 51f86ce..c8752a8 100644
--- a/src/arch-mips.h
+++ b/src/arch-mips.h
@@ -23,17 +23,9 @@
 #ifndef _ARCH_MIPS_H
 #define _ARCH_MIPS_H
 
-#include <inttypes.h>
-
 #include "arch.h"
-#include "system.h"
-
-extern const struct arch_def arch_def_mips;
-extern const struct arch_def arch_def_mipsel;
-
-int mips_syscall_resolve_name(const char *name);
-const char *mips_syscall_resolve_num(int num);
 
-const struct arch_syscall_def *mips_syscall_iterate(unsigned int spot);
+ARCH_DECL(mips)
+ARCH_DECL(mipsel)
 
 #endif
diff --git a/src/arch-mips64.c b/src/arch-mips64.c
index f98982c..9707d1c 100644
--- a/src/arch-mips64.c
+++ b/src/arch-mips64.c
@@ -25,13 +25,50 @@
 #include "arch.h"
 #include "arch-mips64.h"
 
+/* 64 ABI */
+#define __SCMP_NR_BASE			5000
+
+/**
+ * Resolve a syscall name to a number
+ * @param name the syscall name
+ *
+ * Resolve the given syscall name to the syscall number using the syscall table.
+ * Returns the syscall number on success, including negative pseudo syscall
+ * numbers; returns __NR_SCMP_ERROR on failure.
+ *
+ */
+int mips64_syscall_resolve_name_munge(const char *name)
+{
+	int sys;
+
+	sys = mips64_syscall_resolve_name(name);
+	if (sys == __NR_SCMP_ERROR)
+		return sys;
+
+	return sys + __SCMP_NR_BASE;
+}
+
+/**
+ * Resolve a syscall number to a name
+ * @param num the syscall number
+ *
+ * Resolve the given syscall number to the syscall name using the syscall table.
+ * Returns a pointer to the syscall name string on success, including pseudo
+ * syscall names; returns NULL on failure.
+ *
+ */
+const char *mips64_syscall_resolve_num_munge(int num)
+{
+	return mips64_syscall_resolve_num(num - __SCMP_NR_BASE);
+}
+
 const struct arch_def arch_def_mips64 = {
 	.token = SCMP_ARCH_MIPS64,
 	.token_bpf = AUDIT_ARCH_MIPS64,
 	.size = ARCH_SIZE_64,
 	.endian = ARCH_ENDIAN_BIG,
-	.syscall_resolve_name = mips64_syscall_resolve_name,
-	.syscall_resolve_num = mips64_syscall_resolve_num,
+	.syscall_resolve_name = mips64_syscall_resolve_name_munge,
+	.syscall_resolve_num = mips64_syscall_resolve_num_munge,
 	.syscall_rewrite = NULL,
 	.rule_add = NULL,
 };
@@ -41,8 +78,8 @@ const struct arch_def arch_def_mipsel64 = {
 	.token_bpf = AUDIT_ARCH_MIPSEL64,
 	.size = ARCH_SIZE_64,
 	.endian = ARCH_ENDIAN_LITTLE,
-	.syscall_resolve_name = mips64_syscall_resolve_name,
-	.syscall_resolve_num = mips64_syscall_resolve_num,
+	.syscall_resolve_name = mips64_syscall_resolve_name_munge,
+	.syscall_resolve_num = mips64_syscall_resolve_num_munge,
 	.syscall_rewrite = NULL,
 	.rule_add = NULL,
 };
diff --git a/src/arch-mips64.h b/src/arch-mips64.h
index 7f231ce..c8eaba8 100644
--- a/src/arch-mips64.h
+++ b/src/arch-mips64.h
@@ -23,17 +23,9 @@
 #ifndef _ARCH_MIPS64_H
 #define _ARCH_MIPS64_H
 
-#include <inttypes.h>
-
 #include "arch.h"
-#include "system.h"
-
-extern const struct arch_def arch_def_mips64;
-extern const struct arch_def arch_def_mipsel64;
-
-int mips64_syscall_resolve_name(const char *name);
-const char *mips64_syscall_resolve_num(int num);
 
-const struct arch_syscall_def *mips64_syscall_iterate(unsigned int spot);
+ARCH_DECL(mips64)
+ARCH_DECL(mipsel64)
 
-#endif
\ No newline at end of file
+#endif
diff --git a/src/arch-mips64n32.c b/src/arch-mips64n32.c
index 90ead98..f8088ae 100644
--- a/src/arch-mips64n32.c
+++ b/src/arch-mips64n32.c
@@ -27,13 +27,50 @@
 #include "arch.h"
 #include "arch-mips64n32.h"
 
+/* N32 ABI */
+#define __SCMP_NR_BASE			6000
+
+/**
+ * Resolve a syscall name to a number
+ * @param name the syscall name
+ *
+ * Resolve the given syscall name to the syscall number using the syscall table.
+ * Returns the syscall number on success, including negative pseudo syscall
+ * numbers; returns __NR_SCMP_ERROR on failure.
+ *
+ */
+int mips64n32_syscall_resolve_name_munge(const char *name)
+{
+	int sys;
+
+	sys = mips64n32_syscall_resolve_name(name);
+	if (sys == __NR_SCMP_ERROR)
+		return sys;
+
+	return sys + __SCMP_NR_BASE;
+}
+
+/**
+ * Resolve a syscall number to a name
+ * @param num the syscall number
+ *
+ * Resolve the given syscall number to the syscall name using the syscall table.
+ * Returns a pointer to the syscall name string on success, including pseudo
+ * syscall names; returns NULL on failure.
+ *
+ */
+const char *mips64n32_syscall_resolve_num_munge(int num)
+{
+	return mips64n32_syscall_resolve_num(num - __SCMP_NR_BASE);
+}
+
 const struct arch_def arch_def_mips64n32 = {
 	.token = SCMP_ARCH_MIPS64N32,
 	.token_bpf = AUDIT_ARCH_MIPS64N32,
 	.size = ARCH_SIZE_32,
 	.endian = ARCH_ENDIAN_BIG,
-	.syscall_resolve_name = mips64n32_syscall_resolve_name,
-	.syscall_resolve_num = mips64n32_syscall_resolve_num,
+	.syscall_resolve_name = mips64n32_syscall_resolve_name_munge,
+	.syscall_resolve_num = mips64n32_syscall_resolve_num_munge,
 	.syscall_rewrite = NULL,
 	.rule_add = NULL,
 };
@@ -43,8 +80,8 @@ const struct arch_def arch_def_mipsel64n32 = {
 	.token_bpf = AUDIT_ARCH_MIPSEL64N32,
 	.size = ARCH_SIZE_32,
 	.endian = ARCH_ENDIAN_LITTLE,
-	.syscall_resolve_name = mips64n32_syscall_resolve_name,
-	.syscall_resolve_num = mips64n32_syscall_resolve_num,
+	.syscall_resolve_name = mips64n32_syscall_resolve_name_munge,
+	.syscall_resolve_num = mips64n32_syscall_resolve_num_munge,
 	.syscall_rewrite = NULL,
 	.rule_add = NULL,
 };
diff --git a/src/arch-mips64n32.h b/src/arch-mips64n32.h
index fd7e542..7f9146a 100644
--- a/src/arch-mips64n32.h
+++ b/src/arch-mips64n32.h
@@ -23,17 +23,9 @@
 #ifndef _ARCH_MIPS64N32_H
 #define _ARCH_MIPS64N32_H
 
-#include <inttypes.h>
-
 #include "arch.h"
-#include "system.h"
-
-extern const struct arch_def arch_def_mips64n32;
-extern const struct arch_def arch_def_mipsel64n32;
-
-int mips64n32_syscall_resolve_name(const char *name);
-const char *mips64n32_syscall_resolve_num(int num);
 
-const struct arch_syscall_def *mips64n32_syscall_iterate(unsigned int spot);
+ARCH_DECL(mips64n32)
+ARCH_DECL(mipsel64n32)
 
 #endif
diff --git a/src/arch-parisc.h b/src/arch-parisc.h
index d51a227..d65169c 100644
--- a/src/arch-parisc.h
+++ b/src/arch-parisc.h
@@ -22,17 +22,9 @@
 #ifndef _ARCH_PARISC_H
 #define _ARCH_PARISC_H
 
-#include <inttypes.h>
-
 #include "arch.h"
-#include "system.h"
-
-extern const struct arch_def arch_def_parisc;
-extern const struct arch_def arch_def_parisc64;
-
-int parisc_syscall_resolve_name(const char *name);
-const char *parisc_syscall_resolve_num(int num);
 
-const struct arch_syscall_def *parisc_syscall_iterate(unsigned int spot);
+ARCH_DECL(parisc)
+ARCH_DECL(parisc64)
 
 #endif
diff --git a/src/arch-ppc.h b/src/arch-ppc.h
index 0b5ffa5..f46aa1d 100644
--- a/src/arch-ppc.h
+++ b/src/arch-ppc.h
@@ -23,16 +23,8 @@
 #ifndef _ARCH_PPC_H
 #define _ARCH_PPC_H
 
-#include <inttypes.h>
-
 #include "arch.h"
-#include "system.h"
-
-extern const struct arch_def arch_def_ppc;
-
-int ppc_syscall_resolve_name(const char *name);
-const char *ppc_syscall_resolve_num(int num);
 
-const struct arch_syscall_def *ppc_syscall_iterate(unsigned int spot);
+ARCH_DECL(ppc)
 
 #endif
diff --git a/src/arch-ppc64.h b/src/arch-ppc64.h
index beb24f7..a0f7eb1 100644
--- a/src/arch-ppc64.h
+++ b/src/arch-ppc64.h
@@ -23,17 +23,9 @@
 #ifndef _ARCH_PPC64_H
 #define _ARCH_PPC64_H
 
-#include <inttypes.h>
-
 #include "arch.h"
-#include "system.h"
-
-extern const struct arch_def arch_def_ppc64;
-extern const struct arch_def arch_def_ppc64le;
-
-int ppc64_syscall_resolve_name(const char *name);
-const char *ppc64_syscall_resolve_num(int num);
 
-const struct arch_syscall_def *ppc64_syscall_iterate(unsigned int spot);
+ARCH_DECL(ppc64)
+ARCH_DECL(ppc64le)
 
 #endif
diff --git a/src/arch-riscv64.h b/src/arch-riscv64.h
index 16fca6b..96939f2 100644
--- a/src/arch-riscv64.h
+++ b/src/arch-riscv64.h
@@ -15,16 +15,8 @@
 #ifndef _ARCH_RISCV64_H
 #define _ARCH_RISCV64_H
 
-#include <inttypes.h>
-
 #include "arch.h"
-#include "system.h"
-
-extern const struct arch_def arch_def_riscv64;
-
-int riscv64_syscall_resolve_name(const char *name);
-const char *riscv64_syscall_resolve_num(int num);
 
-const struct arch_syscall_def *riscv64_syscall_iterate(unsigned int spot);
+ARCH_DECL(riscv64)
 
 #endif
diff --git a/src/arch-s390.c b/src/arch-s390.c
index 6c13368..68bc7e4 100644
--- a/src/arch-s390.c
+++ b/src/arch-s390.c
@@ -8,6 +8,8 @@
 #include <string.h>
 #include <linux/audit.h>
 
+#include "db.h"
+#include "syscalls.h"
 #include "arch.h"
 #include "arch-s390.h"
 
@@ -15,16 +17,131 @@
 #define __s390_NR_socketcall		102
 #define __s390_NR_ipc			117
 
-const struct arch_def arch_def_s390 = {
-	.token = SCMP_ARCH_S390,
-	.token_bpf = AUDIT_ARCH_S390,
-	.size = ARCH_SIZE_32,
-	.endian = ARCH_ENDIAN_BIG,
-	.syscall_resolve_name = s390_syscall_resolve_name,
-	.syscall_resolve_num = s390_syscall_resolve_num,
-	.syscall_rewrite = s390_syscall_rewrite,
-	.rule_add = s390_rule_add,
-};
+/**
+ * Resolve a syscall name to a number
+ * @param name the syscall name
+ *
+ * Resolve the given syscall name to the syscall number using the syscall table.
+ * Returns the syscall number on success, including negative pseudo syscall
+ * numbers; returns __NR_SCMP_ERROR on failure.
+ *
+ */
+int s390_syscall_resolve_name_munge(const char *name)
+{
+	if (strcmp(name, "accept") == 0)
+		return __PNR_accept;
+	if (strcmp(name, "accept4") == 0)
+		return __PNR_accept4;
+	else if (strcmp(name, "bind") == 0)
+		return __PNR_bind;
+	else if (strcmp(name, "connect") == 0)
+		return __PNR_connect;
+	else if (strcmp(name, "getpeername") == 0)
+		return __PNR_getpeername;
+	else if (strcmp(name, "getsockname") == 0)
+		return __PNR_getsockname;
+	else if (strcmp(name, "getsockopt") == 0)
+		return __PNR_getsockopt;
+	else if (strcmp(name, "listen") == 0)
+		return __PNR_listen;
+	else if (strcmp(name, "recv") == 0)
+		return __PNR_recv;
+	else if (strcmp(name, "recvfrom") == 0)
+		return __PNR_recvfrom;
+	else if (strcmp(name, "recvmsg") == 0)
+		return __PNR_recvmsg;
+	else if (strcmp(name, "recvmmsg") == 0)
+		return __PNR_recvmmsg;
+	else if (strcmp(name, "send") == 0)
+		return __PNR_send;
+	else if (strcmp(name, "sendmsg") == 0)
+		return __PNR_sendmsg;
+	else if (strcmp(name, "sendmmsg") == 0)
+		return __PNR_sendmmsg;
+	else if (strcmp(name, "sendto") == 0)
+		return __PNR_sendto;
+	else if (strcmp(name, "setsockopt") == 0)
+		return __PNR_setsockopt;
+	else if (strcmp(name, "shmat") == 0)
+		return __PNR_shmat;
+	else if (strcmp(name, "shmdt") == 0)
+		return __PNR_shmdt;
+	else if (strcmp(name, "shmget") == 0)
+		return __PNR_shmget;
+	else if (strcmp(name, "shmctl") == 0)
+		return __PNR_shmctl;
+	else if (strcmp(name, "shutdown") == 0)
+		return __PNR_shutdown;
+	else if (strcmp(name, "socket") == 0)
+		return __PNR_socket;
+	else if (strcmp(name, "socketpair") == 0)
+		return __PNR_socketpair;
+
+	return s390_syscall_resolve_name(name);
+}
+
+/**
+ * Resolve a syscall number to a name
+ * @param num the syscall number
+ *
+ * Resolve the given syscall number to the syscall name using the syscall table.
+ * Returns a pointer to the syscall name string on success, including pseudo
+ * syscall names; returns NULL on failure.
+ *
+ */
+const char *s390_syscall_resolve_num_munge(int num)
+{
+	if (num == __PNR_accept)
+		return "accept";
+	else if (num == __PNR_accept4)
+		return "accept4";
+	else if (num == __PNR_bind)
+		return "bind";
+	else if (num == __PNR_connect)
+		return "connect";
+	else if (num == __PNR_getpeername)
+		return "getpeername";
+	else if (num == __PNR_getsockname)
+		return "getsockname";
+	else if (num == __PNR_getsockopt)
+		return "getsockopt";
+	else if (num == __PNR_listen)
+		return "listen";
+	else if (num == __PNR_recv)
+		return "recv";
+	else if (num == __PNR_recvfrom)
+		return "recvfrom";
+	else if (num == __PNR_recvmsg)
+		return "recvmsg";
+	else if (num == __PNR_recvmmsg)
+		return "recvmmsg";
+	else if (num == __PNR_send)
+		return "send";
+	else if (num == __PNR_sendmsg)
+		return "sendmsg";
+	else if (num == __PNR_sendmmsg)
+		return "sendmmsg";
+	else if (num == __PNR_sendto)
+		return "sendto";
+	else if (num == __PNR_setsockopt)
+		return "setsockopt";
+	else if (num == __PNR_shmat)
+		return "shmat";
+	else if (num == __PNR_shmdt)
+		return "shmdt";
+	else if (num == __PNR_shmget)
+		return "shmget";
+	else if (num == __PNR_shmctl)
+		return "shmctl";
+	else if (num == __PNR_shutdown)
+		return "shutdown";
+	else if (num == __PNR_socket)
+		return "socket";
+	else if (num == __PNR_socketpair)
+		return "socketpair";
+
+	return s390_syscall_resolve_num(num);
+}
 
 /**
  * Convert a multiplexed pseudo syscall into a direct syscall
@@ -448,3 +565,14 @@ add_return:
 		free(rule_dup);
 	return rc;
 }
+
+const struct arch_def arch_def_s390 = {
+	.token = SCMP_ARCH_S390,
+	.token_bpf = AUDIT_ARCH_S390,
+	.size = ARCH_SIZE_32,
+	.endian = ARCH_ENDIAN_BIG,
+	.syscall_resolve_name = s390_syscall_resolve_name_munge,
+	.syscall_resolve_num = s390_syscall_resolve_num_munge,
+	.syscall_rewrite = s390_syscall_rewrite,
+	.rule_add = s390_rule_add,
+};
diff --git a/src/arch-s390.h b/src/arch-s390.h
index 61abaf9..3881ef3 100644
--- a/src/arch-s390.h
+++ b/src/arch-s390.h
@@ -6,24 +6,8 @@
 #ifndef _ARCH_S390_H
 #define _ARCH_S390_H
 
-#include <inttypes.h>
-
 #include "arch.h"
-#include "db.h"
-#include "system.h"
-
-#define s390_arg_count_max		6
-
-extern const struct arch_def arch_def_s390;
-#define s390_arg_offset(x)		(offsetof(struct seccomp_data, args[x]))
-
-int s390_syscall_resolve_name(const char *name);
-const char *s390_syscall_resolve_num(int num);
-
-const struct arch_syscall_def *s390_syscall_iterate(unsigned int spot);
-
-int s390_syscall_rewrite(int *syscall);
 
-int s390_rule_add(struct db_filter *db, struct db_api_rule_list *rule);
+ARCH_DECL(s390)
 
 #endif
diff --git a/src/arch-s390x.c b/src/arch-s390x.c
index 8815e6a..c0d9fba 100644
--- a/src/arch-s390x.c
+++ b/src/arch-s390x.c
@@ -8,6 +8,8 @@
 #include <string.h>
 #include <linux/audit.h>
 
+#include "db.h"
+#include "syscalls.h"
 #include "arch.h"
 #include "arch-s390x.h"
 
@@ -15,16 +17,131 @@
 #define __s390x_NR_socketcall		102
 #define __s390x_NR_ipc			117
 
-const struct arch_def arch_def_s390x = {
-	.token = SCMP_ARCH_S390X,
-	.token_bpf = AUDIT_ARCH_S390X,
-	.size = ARCH_SIZE_64,
-	.endian = ARCH_ENDIAN_BIG,
-	.syscall_resolve_name = s390x_syscall_resolve_name,
-	.syscall_resolve_num = s390x_syscall_resolve_num,
-	.syscall_rewrite = s390x_syscall_rewrite,
-	.rule_add = s390x_rule_add,
-};
+/**
+ * Resolve a syscall name to a number
+ * @param name the syscall name
+ *
+ * Resolve the given syscall name to the syscall number using the syscall table.
+ * Returns the syscall number on success, including negative pseudo syscall
+ * numbers; returns __NR_SCMP_ERROR on failure.
+ *
+ */
+int s390x_syscall_resolve_name_munge(const char *name)
+{
+	if (strcmp(name, "accept") == 0)
+		return __PNR_accept;
+	if (strcmp(name, "accept4") == 0)
+		return __PNR_accept4;
+	else if (strcmp(name, "bind") == 0)
+		return __PNR_bind;
+	else if (strcmp(name, "connect") == 0)
+		return __PNR_connect;
+	else if (strcmp(name, "getpeername") == 0)
+		return __PNR_getpeername;
+	else if (strcmp(name, "getsockname") == 0)
+		return __PNR_getsockname;
+	else if (strcmp(name, "getsockopt") == 0)
+		return __PNR_getsockopt;
+	else if (strcmp(name, "listen") == 0)
+		return __PNR_listen;
+	else if (strcmp(name, "recv") == 0)
+		return __PNR_recv;
+	else if (strcmp(name, "recvfrom") == 0)
+		return __PNR_recvfrom;
+	else if (strcmp(name, "recvmsg") == 0)
+		return __PNR_recvmsg;
+	else if (strcmp(name, "recvmmsg") == 0)
+		return __PNR_recvmmsg;
+	else if (strcmp(name, "send") == 0)
+		return __PNR_send;
+	else if (strcmp(name, "sendmsg") == 0)
+		return __PNR_sendmsg;
+	else if (strcmp(name, "sendmmsg") == 0)
+		return __PNR_sendmmsg;
+	else if (strcmp(name, "sendto") == 0)
+		return __PNR_sendto;
+	else if (strcmp(name, "setsockopt") == 0)
+		return __PNR_setsockopt;
+	else if (strcmp(name, "shmat") == 0)
+		return __PNR_shmat;
+	else if (strcmp(name, "shmdt") == 0)
+		return __PNR_shmdt;
+	else if (strcmp(name, "shmget") == 0)
+		return __PNR_shmget;
+	else if (strcmp(name, "shmctl") == 0)
+		return __PNR_shmctl;
+	else if (strcmp(name, "shutdown") == 0)
+		return __PNR_shutdown;
+	else if (strcmp(name, "socket") == 0)
+		return __PNR_socket;
+	else if (strcmp(name, "socketpair") == 0)
+		return __PNR_socketpair;
+
+	return s390x_syscall_resolve_name(name);
+}
+
+/**
+ * Resolve a syscall number to a name
+ * @param num the syscall number
+ *
+ * Resolve the given syscall number to the syscall name using the syscall table.
+ * Returns a pointer to the syscall name string on success, including pseudo
+ * syscall names; returns NULL on failure.
+ *
+ */
+const char *s390x_syscall_resolve_num_munge(int num)
+{
+	if (num == __PNR_accept)
+		return "accept";
+	else if (num == __PNR_accept4)
+		return "accept4";
+	else if (num == __PNR_bind)
+		return "bind";
+	else if (num == __PNR_connect)
+		return "connect";
+	else if (num == __PNR_getpeername)
+		return "getpeername";
+	else if (num == __PNR_getsockname)
+		return "getsockname";
+	else if (num == __PNR_getsockopt)
+		return "getsockopt";
+	else if (num == __PNR_listen)
+		return "listen";
+	else if (num == __PNR_recv)
+		return "recv";
+	else if (num == __PNR_recvfrom)
+		return "recvfrom";
+	else if (num == __PNR_recvmsg)
+		return "recvmsg";
+	else if (num == __PNR_recvmmsg)
+		return "recvmmsg";
+	else if (num == __PNR_send)
+		return "send";
+	else if (num == __PNR_sendmsg)
+		return "sendmsg";
+	else if (num == __PNR_sendmmsg)
+		return "sendmmsg";
+	else if (num == __PNR_sendto)
+		return "sendto";
+	else if (num == __PNR_setsockopt)
+		return "setsockopt";
+	else if (num == __PNR_shmat)
+		return "shmat";
+	else if (num == __PNR_shmdt)
+		return "shmdt";
+	else if (num == __PNR_shmget)
+		return "shmget";
+	else if (num == __PNR_shmctl)
+		return "shmctl";
+	else if (num == __PNR_shutdown)
+		return "shutdown";
+	else if (num == __PNR_socket)
+		return "socket";
+	else if (num == __PNR_socketpair)
+		return "socketpair";
+
+	return s390x_syscall_resolve_num(num);
+}
 
 /**
  * Convert a multiplexed pseudo socket syscall into a direct syscall
@@ -450,3 +567,14 @@ add_return:
 		free(rule_dup);
 	return rc;
 }
+
+const struct arch_def arch_def_s390x = {
+	.token = SCMP_ARCH_S390X,
+	.token_bpf = AUDIT_ARCH_S390X,
+	.size = ARCH_SIZE_64,
+	.endian = ARCH_ENDIAN_BIG,
+	.syscall_resolve_name = s390x_syscall_resolve_name_munge,
+	.syscall_resolve_num = s390x_syscall_resolve_num_munge,
+	.syscall_rewrite = s390x_syscall_rewrite,
+	.rule_add = s390x_rule_add,
+};
diff --git a/src/arch-s390x.h b/src/arch-s390x.h
index 9fb087b..9592ec9 100644
--- a/src/arch-s390x.h
+++ b/src/arch-s390x.h
@@ -6,27 +6,8 @@
 #ifndef _ARCH_S390X_H
 #define _ARCH_S390X_H
 
-#include <inttypes.h>
-
 #include "arch.h"
-#include "db.h"
-#include "system.h"
-
-#define s390x_arg_count_max		6
-
-extern const struct arch_def arch_def_s390x;
-#define s390x_arg_offset(x)		(offsetof(struct seccomp_data, args[x]))
-
-#define s390x_arg_offset_lo(x)		(s390x_arg_offset(x) + 4)
-#define s390x_arg_offset_hi(x)		(s390x_arg_offset(x))
-
-int s390x_syscall_resolve_name(const char *name);
-const char *s390x_syscall_resolve_num(int num);
-
-const struct arch_syscall_def *s390x_syscall_iterate(unsigned int spot);
-
-int s390x_syscall_rewrite(int *syscall);
 
-int s390x_rule_add(struct db_filter *db, struct db_api_rule_list *rule);
+ARCH_DECL(s390x)
 
 #endif
diff --git a/src/arch-syscall-validate b/src/arch-syscall-validate
index 6852782..4119963 100755
--- a/src/arch-syscall-validate
+++ b/src/arch-syscall-validate
@@ -766,7 +766,7 @@ function gen_csv() {
 
 	# abi list
 	# NOTE: the ordering here is dependent on the layout of the
-	#       arch_syscall_def_internal struct in syscalls.h - BEWARE!
+	#       arch_syscall_table struct in syscalls.h - BEWARE!
 	abi_list=""
 	abi_list+=" x86 x86_64 x32"
 	abi_list+=" arm aarch64"
diff --git a/src/arch-x32.c b/src/arch-x32.c
index d45ac06..7b97fb3 100644
--- a/src/arch-x32.c
+++ b/src/arch-x32.c
@@ -26,14 +26,48 @@
 #include "arch.h"
 #include "arch-x32.h"
 
+/**
+ * Resolve a syscall name to a number
+ * @param name the syscall name
+ *
+ * Resolve the given syscall name to the syscall number using the syscall table.
+ * Returns the syscall number on success, including negative pseudo syscall
+ * numbers; returns __NR_SCMP_ERROR on failure.
+ *
+ */
+int x32_syscall_resolve_name_munge(const char *name)
+{
+	int sys;
+
+	sys = x32_syscall_resolve_name(name);
+	if (sys == __NR_SCMP_ERROR)
+		return sys;
+
+	return sys + X32_SYSCALL_BIT;
+}
+
+/**
+ * Resolve a syscall number to a name
+ * @param num the syscall number
+ *
+ * Resolve the given syscall number to the syscall name using the syscall table.
+ * Returns a pointer to the syscall name string on success, including pseudo
+ * syscall names; returns NULL on failure.
+ *
+ */
+const char *x32_syscall_resolve_num_munge(int num)
+{
+	return x32_syscall_resolve_num(num - X32_SYSCALL_BIT);
+}
+
 const struct arch_def arch_def_x32 = {
 	.token = SCMP_ARCH_X32,
 	/* NOTE: this seems odd but the kernel treats x32 like x86_64 here */
 	.token_bpf = AUDIT_ARCH_X86_64,
 	.size = ARCH_SIZE_32,
 	.endian = ARCH_ENDIAN_LITTLE,
-	.syscall_resolve_name = x32_syscall_resolve_name,
-	.syscall_resolve_num = x32_syscall_resolve_num,
+	.syscall_resolve_name = x32_syscall_resolve_name_munge,
+	.syscall_resolve_num = x32_syscall_resolve_num_munge,
 	.syscall_rewrite = NULL,
 	.rule_add = NULL,
 };
diff --git a/src/arch-x32.h b/src/arch-x32.h
index d166c3c..639fd20 100644
--- a/src/arch-x32.h
+++ b/src/arch-x32.h
@@ -22,18 +22,10 @@
 #ifndef _ARCH_X32_H
 #define _ARCH_X32_H
 
-#include <inttypes.h>
-
 #include "arch.h"
-#include "system.h"
-
-#define X32_SYSCALL_BIT			0x40000000
-
-extern const struct arch_def arch_def_x32;
 
-int x32_syscall_resolve_name(const char *name);
-const char *x32_syscall_resolve_num(int num);
+#define X32_SYSCALL_BIT                 0x40000000
 
-const struct arch_syscall_def *x32_syscall_iterate(unsigned int spot);
+ARCH_DECL(x32)
 
 #endif
diff --git a/src/arch-x86.c b/src/arch-x86.c
index fc0deaa..2a4c074 100644
--- a/src/arch-x86.c
+++ b/src/arch-x86.c
@@ -24,6 +24,8 @@
 #include <string.h>
 #include <linux/audit.h>
 
+#include "db.h"
+#include "syscalls.h"
 #include "arch.h"
 #include "arch-x86.h"
 
@@ -31,16 +33,165 @@
 #define __x86_NR_socketcall		102
 #define __x86_NR_ipc			117
 
-const struct arch_def arch_def_x86 = {
-	.token = SCMP_ARCH_X86,
-	.token_bpf = AUDIT_ARCH_I386,
-	.size = ARCH_SIZE_32,
-	.endian = ARCH_ENDIAN_LITTLE,
-	.syscall_resolve_name = x86_syscall_resolve_name,
-	.syscall_resolve_num = x86_syscall_resolve_num,
-	.syscall_rewrite = x86_syscall_rewrite,
-	.rule_add = x86_rule_add,
-};
+/**
+ * Resolve a syscall name to a number
+ * @param name the syscall name
+ *
+ * Resolve the given syscall name to the syscall number using the syscall table.
+ * Returns the syscall number on success, including negative pseudo syscall
+ * numbers; returns __NR_SCMP_ERROR on failure.
+ *
+ */
+int x86_syscall_resolve_name_munge(const char *name)
+{
+	if (strcmp(name, "accept") == 0)
+		return __PNR_accept;
+	else if (strcmp(name, "accept4") == 0)
+		return __PNR_accept4;
+	else if (strcmp(name, "bind") == 0)
+		return __PNR_bind;
+	else if (strcmp(name, "connect") == 0)
+		return __PNR_connect;
+	else if (strcmp(name, "getpeername") == 0)
+		return __PNR_getpeername;
+	else if (strcmp(name, "getsockname") == 0)
+		return __PNR_getsockname;
+	else if (strcmp(name, "getsockopt") == 0)
+		return __PNR_getsockopt;
+	else if (strcmp(name, "listen") == 0)
+		return __PNR_listen;
+	else if (strcmp(name, "recv") == 0)
+		return __PNR_recv;
+	else if (strcmp(name, "recvfrom") == 0)
+		return __PNR_recvfrom;
+	else if (strcmp(name, "recvmsg") == 0)
+		return __PNR_recvmsg;
+	else if (strcmp(name, "recvmmsg") == 0)
+		return __PNR_recvmmsg;
+	else if (strcmp(name, "send") == 0)
+		return __PNR_send;
+	else if (strcmp(name, "sendmsg") == 0)
+		return __PNR_sendmsg;
+	else if (strcmp(name, "sendmmsg") == 0)
+		return __PNR_sendmmsg;
+	else if (strcmp(name, "sendto") == 0)
+		return __PNR_sendto;
+	else if (strcmp(name, "setsockopt") == 0)
+		return __PNR_setsockopt;
+	else if (strcmp(name, "shutdown") == 0)
+		return __PNR_shutdown;
+	else if (strcmp(name, "socket") == 0)
+		return __PNR_socket;
+	else if (strcmp(name, "socketpair") == 0)
+		return __PNR_socketpair;
+
+	if (strcmp(name, "semop") == 0)
+		return __PNR_semop;
+	else if (strcmp(name, "semget") == 0)
+		return __PNR_semget;
+	else if (strcmp(name, "semctl") == 0)
+		return __PNR_semctl;
+	else if (strcmp(name, "semtimedop") == 0)
+		return __PNR_semtimedop;
+	else if (strcmp(name, "msgsnd") == 0)
+		return __PNR_msgsnd;
+	else if (strcmp(name, "msgrcv") == 0)
+		return __PNR_msgrcv;
+	else if (strcmp(name, "msgget") == 0)
+		return __PNR_msgget;
+	else if (strcmp(name, "msgctl") == 0)
+		return __PNR_msgctl;
+	else if (strcmp(name, "shmat") == 0)
+		return __PNR_shmat;
+	else if (strcmp(name, "shmdt") == 0)
+		return __PNR_shmdt;
+	else if (strcmp(name, "shmget") == 0)
+		return __PNR_shmget;
+	else if (strcmp(name, "shmctl") == 0)
+		return __PNR_shmctl;
+
+	return x86_syscall_resolve_name(name);
+}
+
+/**
+ * Resolve a syscall number to a name
+ * @param num the syscall number
+ *
+ * Resolve the given syscall number to the syscall name using the syscall table.
+ * Returns a pointer to the syscall name string on success, including pseudo
+ * syscall names; returns NULL on failure.
+ *
+ */
+const char *x86_syscall_resolve_num_munge(int num)
+{
+	if (num == __PNR_accept)
+		return "accept";
+	else if (num == __PNR_accept4)
+		return "accept4";
+	else if (num == __PNR_bind)
+		return "bind";
+	else if (num == __PNR_connect)
+		return "connect";
+	else if (num == __PNR_getpeername)
+		return "getpeername";
+	else if (num == __PNR_getsockname)
+		return "getsockname";
+	else if (num == __PNR_getsockopt)
+		return "getsockopt";
+	else if (num == __PNR_listen)
+		return "listen";
+	else if (num == __PNR_recv)
+		return "recv";
+	else if (num == __PNR_recvfrom)
+		return "recvfrom";
+	else if (num == __PNR_recvmsg)
+		return "recvmsg";
+	else if (num == __PNR_recvmmsg)
+		return "recvmmsg";
+	else if (num == __PNR_send)
+		return "send";
+	else if (num == __PNR_sendmsg)
+		return "sendmsg";
+	else if (num == __PNR_sendmmsg)
+		return "sendmmsg";
+	else if (num == __PNR_sendto)
+		return "sendto";
+	else if (num == __PNR_setsockopt)
+		return "setsockopt";
+	else if (num == __PNR_shutdown)
+		return "shutdown";
+	else if (num == __PNR_socket)
+		return "socket";
+	else if (num == __PNR_socketpair)
+		return "socketpair";
+
+	if (num == __PNR_semop)
+		return "semop";
+	else if (num == __PNR_semget)
+		return "semget";
+	else if (num == __PNR_semctl)
+		return "semctl";
+	else if (num == __PNR_semtimedop)
+		return "semtimedop";
+	else if (num == __PNR_msgsnd)
+		return "msgsnd";
+	else if (num == __PNR_msgrcv)
+		return "msgrcv";
+	else if (num == __PNR_msgget)
+		return "msgget";
+	else if (num == __PNR_msgctl)
+		return "msgctl";
+	else if (num == __PNR_shmat)
+		return "shmat";
+	else if (num == __PNR_shmdt)
+		return "shmdt";
+	else if (num == __PNR_shmget)
+		return "shmget";
+	else if (num == __PNR_shmctl)
+		return "shmctl";
+
+	return x86_syscall_resolve_num(num);
+}
 
 /**
  * Convert a multiplexed pseudo syscall into a direct syscall
@@ -461,3 +612,14 @@ add_return:
 		free(rule_dup);
 	return rc;
 }
+
+const struct arch_def arch_def_x86 = {
+	.token = SCMP_ARCH_X86,
+	.token_bpf = AUDIT_ARCH_I386,
+	.size = ARCH_SIZE_32,
+	.endian = ARCH_ENDIAN_LITTLE,
+	.syscall_resolve_name = x86_syscall_resolve_name_munge,
+	.syscall_resolve_num = x86_syscall_resolve_num_munge,
+	.syscall_rewrite = x86_syscall_rewrite,
+	.rule_add = x86_rule_add,
+};
diff --git a/src/arch-x86.h b/src/arch-x86.h
index 4aa5e9b..a2e0b12 100644
--- a/src/arch-x86.h
+++ b/src/arch-x86.h
@@ -22,21 +22,8 @@
 #ifndef _ARCH_X86_H
 #define _ARCH_X86_H
 
-#include <stdbool.h>
-
 #include "arch.h"
-#include "db.h"
-#include "system.h"
-
-extern const struct arch_def arch_def_x86;
-
-int x86_syscall_resolve_name(const char *name);
-const char *x86_syscall_resolve_num(int num);
-
-const struct arch_syscall_def *x86_syscall_iterate(unsigned int spot);
-
-int x86_syscall_rewrite(int *syscall);
 
-int x86_rule_add(struct db_filter *db, struct db_api_rule_list *rule);
+ARCH_DECL(x86)
 
 #endif
diff --git a/src/arch-x86_64.h b/src/arch-x86_64.h
index c770d75..fcba125 100644
--- a/src/arch-x86_64.h
+++ b/src/arch-x86_64.h
@@ -22,16 +22,8 @@
 #ifndef _ARCH_x86_64_H
 #define _ARCH_x86_64_H
 
-#include <inttypes.h>
-
 #include "arch.h"
-#include "system.h"
-
-extern const struct arch_def arch_def_x86_64;
-
-int x86_64_syscall_resolve_name(const char *name);
-const char *x86_64_syscall_resolve_num(int num);
 
-const struct arch_syscall_def *x86_64_syscall_iterate(unsigned int spot);
+ARCH_DECL(x86_64)
 
 #endif
diff --git a/src/arch.h b/src/arch.h
index e299b39..38c3a9c 100644
--- a/src/arch.h
+++ b/src/arch.h
@@ -59,6 +59,13 @@ struct arch_def {
 /* arch_def for the current architecture */
 extern const struct arch_def *arch_def_native;
 
+/* macro to declare the arch specific structures and functions */
+#define ARCH_DECL(NAME) \
+	extern const struct arch_def arch_def_##NAME; \
+	int NAME##_syscall_resolve_name(const char *name); \
+	const char *NAME##_syscall_resolve_num(int num); \
+	const struct arch_syscall_def *NAME##_syscall_iterate(unsigned int spot);
+
 /* syscall name/num mapping */
 struct arch_syscall_def {
 	const char *name;
diff --git a/src/syscalls.c b/src/syscalls.c
new file mode 100644
index 0000000..7f813cd
--- /dev/null
+++ b/src/syscalls.c
@@ -0,0 +1,55 @@
+/**
+ * Enhanced Seccomp x86_64 Syscall Table
+ *
+ * Copyright (c) 2012, 2020 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ * gperf support: Giuseppe Scrivano <gscrivan@redhat.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+#include <seccomp.h>
+#include <string.h>
+
+#include "arch.h"
+#include "syscalls.h"
+
+#define ARCH_DEF(NAME) \
+	int NAME##_syscall_resolve_name(const char *name) \
+	{ \
+		return syscall_resolve_name(name, OFFSET_ARCH(NAME)); \
+	} \
+	const char *NAME##_syscall_resolve_num(int num) \
+	{ \
+		return syscall_resolve_num(num, OFFSET_ARCH(NAME)); \
+	} \
+	const struct arch_syscall_def *NAME##_syscall_iterate(unsigned int spot) \
+	{ \
+		return syscall_iterate(spot, OFFSET_ARCH(NAME)); \
+	}
+
+ARCH_DEF(x86_64)
+ARCH_DEF(arm)
+ARCH_DEF(aarch64)
+ARCH_DEF(mips64n32)
+ARCH_DEF(mips64)
+ARCH_DEF(mips)
+ARCH_DEF(parisc)
+ARCH_DEF(ppc64)
+ARCH_DEF(ppc)
+ARCH_DEF(s390)
+ARCH_DEF(s390x)
+ARCH_DEF(x32)
+ARCH_DEF(x86)
+ARCH_DEF(riscv64)
diff --git a/src/syscalls.h b/src/syscalls.h
new file mode 100644
index 0000000..d638733
--- /dev/null
+++ b/src/syscalls.h
@@ -0,0 +1,62 @@
+/**
+ * Enhanced Seccomp x86_64 Syscall Table
+ *
+ * Copyright (c) 2012, 2020 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ * gperf support: Giuseppe Scrivano <gscrivan@redhat.com>
+ */
+
+#ifndef _SYSCALLS_H
+#define _SYSCALLS_H
+
+#include <stddef.h>
+
+#include "arch-aarch64.h"
+#include "arch-arm.h"
+#include "arch.h"
+#include "arch-mips64.h"
+#include "arch-mips64n32.h"
+#include "arch-mips.h"
+#include "arch-parisc.h"
+#include "arch-ppc64.h"
+#include "arch-ppc.h"
+#include "arch-s390.h"
+#include "arch-s390x.h"
+#include "arch-x32.h"
+#include "arch-x86_64.h"
+#include "arch-x86.h"
+#include "arch-x86.h"
+#include "arch-riscv64.h"
+
+/* NOTE: changes to the arch_syscall_table layout may require changes to the
+ *       generate_syscalls_perf.sh and arch-syscall-validate scripts */
+struct arch_syscall_table {
+	int name;
+	int index;
+
+	/* each arch listed here must be defined in syscalls.c  */
+	/* NOTE: see the warning above - BEWARE! */
+	int x86;
+	int x86_64;
+	int x32;
+	int arm;
+	int aarch64;
+	int mips;
+	int mips64;
+	int mips64n32;
+	int parisc;
+	int parisc64;
+	int ppc;
+	int ppc64;
+	int riscv64;
+	int s390;
+	int s390x;
+};
+#define OFFSET_ARCH(NAME) offsetof(struct arch_syscall_table, NAME)
+
+/* defined in syscalls.perf.template  */
+int syscall_resolve_name(const char *name, int offset);
+const char *syscall_resolve_num(int num, int offset);
+const struct arch_syscall_def *syscall_iterate(unsigned int spot, int offset);
+
+#endif
diff --git a/src/syscalls.perf.template b/src/syscalls.perf.template
new file mode 100644
index 0000000..f1fd3db
--- /dev/null
+++ b/src/syscalls.perf.template
@@ -0,0 +1,82 @@
+%{
+/**
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Copyright (c) 2020 Red Hat <gscrivan@redhat.com>
+ * Authors: Paul Moore <paul@paul-moore.com>
+ *          Giuseppe Scrivano <gscrivan@redhat.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <seccomp.h>
+#include <string.h>
+#include "syscalls.h"
+
+%}
+struct arch_syscall_table;
+
+%%
+@@SYSCALLS_TABLE@@
+%%
+
+static int syscall_get_offset_value(const struct arch_syscall_table *s,
+				    int offset)
+{
+	return *(int *)((char *)s + offset);
+}
+
+int syscall_resolve_name(const char *name, int offset)
+{
+	const struct arch_syscall_table *s;
+
+	s = in_word_set(name, strlen(name));
+	if (s == NULL)
+		return __NR_SCMP_ERROR;
+
+	return syscall_get_offset_value(s, offset);
+}
+
+const char *syscall_resolve_num(int num, int offset)
+{
+	unsigned int iter;
+
+	for (iter = 0; iter < sizeof(wordlist)/sizeof(wordlist[0]); iter++) {
+		if (syscall_get_offset_value(&wordlist[iter], offset) == num)
+			return (stringpool + wordlist[iter].name);
+	}
+
+	return NULL;
+}
+
+const struct arch_syscall_def *syscall_iterate(unsigned int spot, int offset)
+{
+	unsigned int iter;
+        /* this is thread-unsafe, only use for testing */
+	static struct arch_syscall_def arch_def;
+
+	arch_def.name = NULL;
+	arch_def.num = __NR_SCMP_ERROR;
+
+	for (iter = 0; iter < sizeof(wordlist)/sizeof(wordlist[0]); iter++) {
+		if (wordlist[iter].index == spot) {
+			arch_def.name = stringpool + wordlist[iter].name;
+			arch_def.num = syscall_get_offset_value(&wordlist[iter],
+								offset);
+			return &arch_def;
+		}
+	}
+
+	return &arch_def;
+}
diff --git a/tests/.gitignore b/tests/.gitignore
index bd00e14..c536766 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -61,3 +61,4 @@ util.pyc
 53-sim-binary_tree
 54-live-binary_tree
 55-basic-pfc_binary_tree
+56-basic-iterate_syscalls
diff --git a/tests/56-basic-iterate_syscalls.c b/tests/56-basic-iterate_syscalls.c
new file mode 100644
index 0000000..5e7ab67
--- /dev/null
+++ b/tests/56-basic-iterate_syscalls.c
@@ -0,0 +1,90 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2020 Red Hat <gscrivan@redhat.com>
+ * Author: Giuseppe Scrivano <gscrivan@redhat.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+#include <seccomp.h>
+
+unsigned int arch_list[] = {
+	SCMP_ARCH_NATIVE,
+	SCMP_ARCH_X86,
+	SCMP_ARCH_X86_64,
+	SCMP_ARCH_X32,
+	SCMP_ARCH_ARM,
+	SCMP_ARCH_AARCH64,
+	SCMP_ARCH_MIPS,
+	SCMP_ARCH_MIPS64,
+	SCMP_ARCH_MIPS64N32,
+	SCMP_ARCH_MIPSEL,
+	SCMP_ARCH_MIPSEL64,
+	SCMP_ARCH_MIPSEL64N32,
+	SCMP_ARCH_PPC,
+	SCMP_ARCH_PPC64,
+	SCMP_ARCH_PPC64LE,
+	SCMP_ARCH_S390,
+	SCMP_ARCH_S390X,
+	SCMP_ARCH_PARISC,
+	SCMP_ARCH_PARISC64,
+	SCMP_ARCH_RISCV64,
+	-1
+};
+
+static int test_arch(int arch, int init)
+{
+	int n, iter = 0;
+
+	for (iter = init; iter < init + 1000; iter++) {
+		char *name;
+
+		name = seccomp_syscall_resolve_num_arch(arch, iter);
+		if (name == NULL)
+			continue;
+
+		n = seccomp_syscall_resolve_name_arch(arch, name);
+		if (n != iter)
+			return 1;
+	}
+	return 0;
+}
+
+int main(int argc, char *argv[])
+{
+	int iter = 0;
+
+	for (iter = 0; arch_list[iter] != -1; iter++) {
+		int init = 0;
+		if (arch_list[iter] == SCMP_ARCH_X32)
+			init = 0x40000000;
+		else if (arch_list[iter] == SCMP_ARCH_MIPS)
+			init = 4000;
+		else if (arch_list[iter] == SCMP_ARCH_MIPS64)
+			init = 5000;
+		else if (arch_list[iter] == SCMP_ARCH_MIPS64N32)
+			init = 6000;
+		if (test_arch(arch_list[iter], init) < 0)
+			return 1;
+	}
+
+	return 0;
+}
diff --git a/tests/56-basic-iterate_syscalls.py b/tests/56-basic-iterate_syscalls.py
new file mode 100755
index 0000000..77a5b89
--- /dev/null
+++ b/tests/56-basic-iterate_syscalls.py
@@ -0,0 +1,65 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2020 Red Hat <gscrivan@redhat.com>
+# Author: Giuseppe Scrivano <gscrivan@redhat.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+arch_list = ["x86",
+             "x86_64",
+             "x32",
+             "arm",
+             "aarch64",
+             "mipsel",
+             "mipsel64",
+             "mipsel64n32",
+             "ppc64le",
+             "riscv64"]
+
+def test_arch(arch, init):
+    for i in range(init, init + 1000):
+        sys_name = resolve_syscall(arch, i)
+        if sys_name is None:
+            continue
+        n = resolve_syscall(i, sys_name)
+        if i != n:
+            raise RuntimeError("Test failure")
+
+def test():
+    for i in arch_list:
+        init = 0
+        if i == "x32":
+            init = 0x40000000
+        elif i == "mipsel":
+            init = 4000
+        elif i == "mipsel64":
+            init = 5000
+        elif i == "mipsel64n32":
+            init = 6000
+        test_arch(Arch(i), init)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/56-basic-iterate_syscalls.tests b/tests/56-basic-iterate_syscalls.tests
new file mode 100644
index 0000000..a84415a
--- /dev/null
+++ b/tests/56-basic-iterate_syscalls.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2020 Red Hat <gscrivan@redhat.com>
+# Author: Giuseppe Scrivano <gscrivan@redhat.com>
+#
+
+test type: basic
+
+# Test command
+56-basic-iterate_syscalls
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 4bd19c8..a135278 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -94,7 +94,8 @@ check_PROGRAMS = \
 	52-basic-load \
 	53-sim-binary_tree \
 	54-live-binary_tree \
-	55-basic-pfc_binary_tree
+	55-basic-pfc_binary_tree \
+	56-basic-iterate_syscalls
 
 EXTRA_DIST_TESTPYTHON = \
 	util.py \
@@ -150,7 +151,8 @@ EXTRA_DIST_TESTPYTHON = \
 	51-live-user_notification.py \
 	52-basic-load.py \
 	53-sim-binary_tree.py \
-	54-live-binary_tree.py
+	54-live-binary_tree.py \
+	56-basic-iterate_syscalls.py
 
 EXTRA_DIST_TESTCFGS = \
 	01-sim-allow.tests \
@@ -207,7 +209,8 @@ EXTRA_DIST_TESTCFGS = \
 	52-basic-load.tests \
 	53-sim-binary_tree.tests \
 	54-live-binary_tree.tests \
-	55-basic-pfc_binary_tree.tests
+	55-basic-pfc_binary_tree.tests \
+	56-basic-iterate_syscalls.tests
 
 EXTRA_DIST_TESTSCRIPTS = \
 	38-basic-pfc_coverage.sh 38-basic-pfc_coverage.pfc \