sort syscalls in seccomp filter

sandbox.c

@@ -308,6 +308,9 @@ static struct sock_filter filter[] = {
 #ifdef __NR_fstat64
 	SC_ALLOW(fstat64),
 #endif
+#ifdef __NR_fstatat64
+	SC_ALLOW(fstatat64),
+#endif
 #ifdef __NR_getdents64
 	SC_ALLOW(getdents64),
 #endif
@@ -326,6 +329,9 @@ static struct sock_filter filter[] = {
 	/* allow FIONREAD needed by libevent */
 	SC_ALLOW_ARG(__NR_ioctl, 1, FIONREAD),
 #endif
+#ifdef __NR__llseek
+	SC_ALLOW(_llseek),
+#endif
 #ifdef __NR_lseek
 	SC_ALLOW(lseek),
 #endif
@@ -344,9 +350,6 @@ static struct sock_filter filter[] = {
 #ifdef __NR_newfstatat
 	SC_ALLOW(newfstatat),
 #endif
-#ifdef __NR_fstatat64
-	SC_ALLOW(fstatat64),
-#endif
 #ifdef __NR_oldfstat
 	SC_ALLOW(oldfstat),
 #endif
@@ -374,6 +377,9 @@ static struct sock_filter filter[] = {
 #ifdef __NR_sendmsg
 	SC_ALLOW(sendmsg),
 #endif
+#ifdef __NR_sigreturn
+	SC_ALLOW(sigreturn),
+#endif
 #ifdef __NR_statx
 	SC_ALLOW(statx),
 #endif
@@ -386,12 +392,6 @@ static struct sock_filter filter[] = {
 #ifdef __NR_writev
 	SC_ALLOW(writev),
 #endif
-#ifdef __NR__llseek
-	SC_ALLOW(_llseek),
-#endif
-#ifdef __NR_sigreturn
-	SC_ALLOW(sigreturn),
-#endif
 
 	/* disallow everything else */
 	BPF_STMT(BPF_RET | BPF_K, SC_FAIL),