{"id":13484315,"url":"https://github.com/david942j/seccomp-tools","last_synced_at":"2025-05-14T00:10:58.226Z","repository":{"id":21378553,"uuid":"92577373","full_name":"david942j/seccomp-tools","owner":"david942j","description":"Provide powerful tools for seccomp analysis","archived":false,"fork":false,"pushed_at":"2025-05-03T08:29:15.000Z","size":2842,"stargazers_count":1035,"open_issues_count":2,"forks_count":69,"subscribers_count":16,"default_branch":"master","last_synced_at":"2025-05-03T09:38:38.903Z","etag":null,"topics":["ctf","sandbox","seccomp","seccomp-filter","seccomp-tools","tools"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/david942j.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-05-27T06:42:43.000Z","updated_at":"2025-05-03T08:38:59.000Z","dependencies_parsed_at":"2024-01-13T19:18:05.717Z","dependency_job_id":"e8996133-3e39-4f5d-9922-f67b81f782aa","html_url":"https://github.com/david942j/seccomp-tools","commit_stats":{"total_commits":269,"total_committers":11,"mean_commits":"24.454545454545453","dds":0.5985130111524164,"last_synced_commit":"e0744249de0e68dc129c4a7d31b92ccb047f804d"},"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/david942j%2Fseccomp-tools","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/david942j%2Fseccomp-tools/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/david942j%2Fsec
comp-tools/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/david942j%2Fseccomp-tools/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/david942j","download_url":"https://codeload.github.com/david942j/seccomp-tools/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254044376,"owners_count":22005148,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ctf","sandbox","seccomp","seccomp-filter","seccomp-tools","tools"],"created_at":"2024-07-31T17:01:22.374Z","updated_at":"2025-05-14T00:10:53.217Z","avatar_url":"https://github.com/david942j.png","language":"Ruby","funding_links":[],"categories":["Ruby","\u003ca id=\"9eee96404f868f372a6cbc6769ccb7f8\"\u003e\u003c/a\u003e新添加的","\u003ca id=\"9eee96404f868f372a6cbc6769ccb7f8\"\u003e\u003c/a\u003e工具","others"],"sub_categories":["\u003ca id=\"31185b925d5152c7469b963809ceb22d\"\u003e\u003c/a\u003e新添加的"],"readme":"[![Build Status](https://github.com/david942j/seccomp-tools/workflows/build/badge.svg)](https://github.com/david942j/seccomp-tools/actions)\n[![Code Climate](https://codeclimate.com/github/david942j/seccomp-tools/badges/gpa.svg)](https://codeclimate.com/github/david942j/seccomp-tools)\n[![Issue Count](https://codeclimate.com/github/david942j/seccomp-tools/badges/issue_count.svg)](https://codeclimate.com/github/david942j/seccomp-tools)\n[![Test Coverage](https://codeclimate.com/github/david942j/seccomp-tools/badges/coverage.svg)](https://codeclimate.com/github/david942j/seccomp-tools/coverage)\n[![Inline 
docs](https://inch-ci.org/github/david942j/seccomp-tools.svg?branch=master)](https://inch-ci.org/github/david942j/seccomp-tools)\n[![Yard Docs](http://img.shields.io/badge/yard-docs-blue.svg)](https://www.rubydoc.info/github/david942j/seccomp-tools/)\n[![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)](http://choosealicense.com/licenses/mit/)\n\n# Seccomp Tools\nProvide powerful tools for seccomp analysis.\n\nThis project targets (but is not limited to) analyzing seccomp sandboxes in CTF pwn challenges.\nSome features might be CTF-specific, but they are also useful for analyzing seccomp in real-world cases.\n\n## Features\n* Dump - Automatically dumps seccomp BPF from execution file(s).\n* Disasm - Converts seccomp BPF to a human readable format.\n  - With simple decompilation.\n  - With syscall names and arguments whenever possible.\n  - Colorful!\n* Asm - Makes writing seccomp rules similar to writing code.\n* Emu - Emulates seccomp rules.\n* Supports multi-architecture.\n\n## Installation\n\nAvailable on RubyGems.org!\n```\n$ gem install seccomp-tools\n```\n\nIf compilation fails, try:\n```\nsudo apt install gcc ruby-dev make\n```\nand install seccomp-tools again.\n\n## Command Line Interface\n\n### seccomp-tools\n\n```bash\n$ seccomp-tools --help\n# Usage: seccomp-tools [--version] [--help] \u003ccommand\u003e [\u003coptions\u003e]\n#\n# List of commands:\n#\n# \tasm\tSeccomp bpf assembler.\n# \tdisasm\tDisassemble seccomp bpf.\n# \tdump\tAutomatically dump seccomp bpf from execution file(s).\n# \temu\tEmulate seccomp rules.\n#\n# See 'seccomp-tools \u003ccommand\u003e --help' to read about a specific subcommand.\n\n$ seccomp-tools dump --help\n# dump - Automatically dump seccomp bpf from execution file(s).\n# NOTE : This function is only available on Linux.\n#\n# Usage: seccomp-tools dump [exec] [options]\n#     -c, --sh-exec \u003ccommand\u003e          Executes the given command (via sh).\n#                                      Use this option if 
want to pass arguments or do pipe things to the execution file.\n#                                      e.g. use `-c \"./bin \u003e /dev/null\"` to dump seccomp without being mixed with stdout.\n#     -f, --format FORMAT              Output format. FORMAT can only be one of \u003cdisasm|raw|inspect\u003e.\n#                                      Default: disasm\n#     -l, --limit LIMIT                Limit the number of calling \"prctl(PR_SET_SECCOMP)\".\n#                                      The target process will be killed whenever its calling times reaches LIMIT.\n#                                      Default: 1\n#     -o, --output FILE                Output result into FILE instead of stdout.\n#                                      If multiple seccomp syscalls have been invoked (see --limit),\n#                                      results will be written to FILE, FILE_1, FILE_2.. etc.\n#                                      For example, \"--output out.bpf\" and the output files are out.bpf, out_1.bpf, ...\n#     -p, --pid PID                    Dump installed seccomp filters of the existing process.\n#                                      You must have CAP_SYS_ADMIN (e.g. 
be root) in order to use this option.\n\n```\n\n### dump\n\nDumps the seccomp BPF from an execution file.\nThis work is done by utilizing the `ptrace` syscall.\n\nNOTICE: beware that the execution file will actually be executed.\n```bash\n$ file spec/binary/twctf-2016-diary\n# spec/binary/twctf-2016-diary: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=3648e29153ac0259a0b7c3e25537a5334f50107f, not stripped\n\n$ seccomp-tools dump spec/binary/twctf-2016-diary\n#  line  CODE  JT   JF      K\n# =================================\n#  0000: 0x20 0x00 0x00 0x00000000  A = sys_number\n#  0001: 0x15 0x00 0x01 0x00000002  if (A != open) goto 0003\n#  0002: 0x06 0x00 0x00 0x00000000  return KILL\n#  0003: 0x15 0x00 0x01 0x00000101  if (A != openat) goto 0005\n#  0004: 0x06 0x00 0x00 0x00000000  return KILL\n#  0005: 0x15 0x00 0x01 0x0000003b  if (A != execve) goto 0007\n#  0006: 0x06 0x00 0x00 0x00000000  return KILL\n#  0007: 0x15 0x00 0x01 0x00000038  if (A != clone) goto 0009\n#  0008: 0x06 0x00 0x00 0x00000000  return KILL\n#  0009: 0x15 0x00 0x01 0x00000039  if (A != fork) goto 0011\n#  0010: 0x06 0x00 0x00 0x00000000  return KILL\n#  0011: 0x15 0x00 0x01 0x0000003a  if (A != vfork) goto 0013\n#  0012: 0x06 0x00 0x00 0x00000000  return KILL\n#  0013: 0x15 0x00 0x01 0x00000055  if (A != creat) goto 0015\n#  0014: 0x06 0x00 0x00 0x00000000  return KILL\n#  0015: 0x15 0x00 0x01 0x00000142  if (A != execveat) goto 0017\n#  0016: 0x06 0x00 0x00 0x00000000  return KILL\n#  0017: 0x06 0x00 0x00 0x7fff0000  return ALLOW\n\n$ seccomp-tools dump spec/binary/twctf-2016-diary -f inspect\n# 
\"\\x20\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x01\\x01\\x01\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x01\\x3B\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x01\\x38\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x01\\x39\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x01\\x3A\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x01\\x55\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x01\\x42\\x01\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\xFF\\x7F\"\n\n$ seccomp-tools dump spec/binary/twctf-2016-diary -f raw | xxd\n# 00000000: 2000 0000 0000 0000 1500 0001 0200 0000   ...............\n# 00000010: 0600 0000 0000 0000 1500 0001 0101 0000  ................\n# 00000020: 0600 0000 0000 0000 1500 0001 3b00 0000  ............;...\n# 00000030: 0600 0000 0000 0000 1500 0001 3800 0000  ............8...\n# 00000040: 0600 0000 0000 0000 1500 0001 3900 0000  ............9...\n# 00000050: 0600 0000 0000 0000 1500 0001 3a00 0000  ............:...\n# 00000060: 0600 0000 0000 0000 1500 0001 5500 0000  ............U...\n# 00000070: 0600 0000 0000 0000 1500 0001 4201 0000  ............B...\n# 00000080: 0600 0000 0000 0000 0600 0000 0000 ff7f  ................\n\n```\n\n### disasm\n\nDisassembles the seccomp from raw BPF.\n```bash\n$ xxd spec/data/twctf-2016-diary.bpf | head -n 3\n# 00000000: 2000 0000 0000 0000 1500 0001 0200 0000   ...............\n# 00000010: 0600 0000 0000 0000 1500 0001 0101 0000  ................\n# 00000020: 0600 0000 0000 0000 1500 0001 3b00 0000  ............;...\n\n$ seccomp-tools disasm spec/data/twctf-2016-diary.bpf\n#  line  CODE  JT   JF      K\n# =================================\n#  0000: 0x20 0x00 0x00 0x00000000  A = sys_number\n#  0001: 0x15 0x00 0x01 0x00000002  if (A != open) goto 
0003\n#  0002: 0x06 0x00 0x00 0x00000000  return KILL\n#  0003: 0x15 0x00 0x01 0x00000101  if (A != openat) goto 0005\n#  0004: 0x06 0x00 0x00 0x00000000  return KILL\n#  0005: 0x15 0x00 0x01 0x0000003b  if (A != execve) goto 0007\n#  0006: 0x06 0x00 0x00 0x00000000  return KILL\n#  0007: 0x15 0x00 0x01 0x00000038  if (A != clone) goto 0009\n#  0008: 0x06 0x00 0x00 0x00000000  return KILL\n#  0009: 0x15 0x00 0x01 0x00000039  if (A != fork) goto 0011\n#  0010: 0x06 0x00 0x00 0x00000000  return KILL\n#  0011: 0x15 0x00 0x01 0x0000003a  if (A != vfork) goto 0013\n#  0012: 0x06 0x00 0x00 0x00000000  return KILL\n#  0013: 0x15 0x00 0x01 0x00000055  if (A != creat) goto 0015\n#  0014: 0x06 0x00 0x00 0x00000000  return KILL\n#  0015: 0x15 0x00 0x01 0x00000142  if (A != execveat) goto 0017\n#  0016: 0x06 0x00 0x00 0x00000000  return KILL\n#  0017: 0x06 0x00 0x00 0x7fff0000  return ALLOW\n\n```\n\n### asm\n\nAssembles the seccomp rules into raw bytes.\nIt's very useful when one wants to write custom seccomp rules.\n\nSupports labels for jumping and uses syscall names directly. See examples below.\n```bash\n$ seccomp-tools asm\n# asm - Seccomp bpf assembler.\n#\n# Usage: seccomp-tools asm IN_FILE [options]\n#     -o, --output FILE                Output result into FILE instead of stdout.\n#     -f, --format FORMAT              Output format. FORMAT can only be one of \u003cinspect|raw|c_array|c_source|assembly\u003e.\n#                                      Default: inspect\n#     -a, --arch ARCH                  Specify architecture.\n#                                      Supported architectures are \u003caarch64|amd64|i386|s390x\u003e.\n#                                      Default: amd64\n\n# Input file for asm\n$ cat spec/data/libseccomp.asm\n# # check if arch is X86_64\n# A = arch\n# A == ARCH_X86_64 ? next : dead\n# A = sys_number\n# A \u003e= 0x40000000 ? dead : next\n# A == write ? ok : next\n# A == close ? ok : next\n# A == dup ? ok : next\n# A == exit ? 
ok : next\n# return ERRNO(5)\n# ok:\n# return ALLOW\n# dead:\n# return KILL\n\n$ seccomp-tools asm spec/data/libseccomp.asm\n# \" \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x15\\x00\\x00\\b\u003e\\x00\\x00\\xC0 \\x00\\x00\\x00\\x00\\x00\\x00\\x005\\x00\\x06\\x00\\x00\\x00\\x00@\\x15\\x00\\x04\\x00\\x01\\x00\\x00\\x00\\x15\\x00\\x03\\x00\\x03\\x00\\x00\\x00\\x15\\x00\\x02\\x00 \\x00\\x00\\x00\\x15\\x00\\x01\\x00\u003c\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x05\\x00\\x05\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\xFF\\x7F\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\n$ seccomp-tools asm spec/data/libseccomp.asm -f c_source\n# #include \u003clinux/seccomp.h\u003e\n# #include \u003cstdio.h\u003e\n# #include \u003cstdlib.h\u003e\n# #include \u003csys/prctl.h\u003e\n#\n# static void install_seccomp() {\n#   static unsigned char filter[] = {32,0,0,0,4,0,0,0,21,0,0,8,62,0,0,192,32,0,0,0,0,0,0,0,53,0,6,0,0,0,0,64,21,0,4,0,1,0,0,0,21,0,3,0,3,0,0,0,21,0,2,0,32,0,0,0,21,0,1,0,60,0,0,0,6,0,0,0,5,0,5,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0};\n#   struct prog {\n#     unsigned short len;\n#     unsigned char *filter;\n#   } rule = {\n#     .len = sizeof(filter) \u003e\u003e 3,\n#     .filter = filter\n#   };\n#   if(prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) \u003c 0) { perror(\"prctl(PR_SET_NO_NEW_PRIVS)\"); exit(2); }\n#   if(prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, \u0026rule) \u003c 0) { perror(\"prctl(PR_SET_SECCOMP)\"); exit(2); }\n# }\n\n$ seccomp-tools asm spec/data/libseccomp.asm -f assembly\n# install_seccomp:\n#   push   rbp\n#   mov    rbp, rsp\n#   push   38\n#   pop    rdi\n#   push   0x1\n#   pop    rsi\n#   xor    eax, eax\n#   mov    al, 0x9d\n#   syscall\n#   push   22\n#   pop    rdi\n#   lea    rdx, [rip + _filter]\n#   push   rdx /* .filter */\n#   push   _filter_end - _filter \u003e\u003e 3 /* .len */\n#   mov    rdx, rsp\n#   push   0x2\n#   pop    rsi\n#   xor    eax, eax\n#   mov    al, 0x9d\n#   syscall\n#   leave\n#   ret\n# _filter:\n# .ascii 
\"\\040\\000\\000\\000\\004\\000\\000\\000\\025\\000\\000\\010\\076\\000\\000\\300\\040\\000\\000\\000\\000\\000\\000\\000\\065\\000\\006\\000\\000\\000\\000\\100\\025\\000\\004\\000\\001\\000\\000\\000\\025\\000\\003\\000\\003\\000\\000\\000\\025\\000\\002\\000\\040\\000\\000\\000\\025\\000\\001\\000\\074\\000\\000\\000\\006\\000\\000\\000\\005\\000\\005\\000\\006\\000\\000\\000\\000\\000\\377\\177\\006\\000\\000\\000\\000\\000\\000\\000\"\n# _filter_end:\n\n\n# let's asm then disasm!\n$ seccomp-tools asm spec/data/libseccomp.asm -f raw | seccomp-tools disasm -\n#  line  CODE  JT   JF      K\n# =================================\n#  0000: 0x20 0x00 0x00 0x00000004  A = arch\n#  0001: 0x15 0x00 0x08 0xc000003e  if (A != ARCH_X86_64) goto 0010\n#  0002: 0x20 0x00 0x00 0x00000000  A = sys_number\n#  0003: 0x35 0x06 0x00 0x40000000  if (A \u003e= 0x40000000) goto 0010\n#  0004: 0x15 0x04 0x00 0x00000001  if (A == write) goto 0009\n#  0005: 0x15 0x03 0x00 0x00000003  if (A == close) goto 0009\n#  0006: 0x15 0x02 0x00 0x00000020  if (A == dup) goto 0009\n#  0007: 0x15 0x01 0x00 0x0000003c  if (A == exit) goto 0009\n#  0008: 0x06 0x00 0x00 0x00050005  return ERRNO(5)\n#  0009: 0x06 0x00 0x00 0x7fff0000  return ALLOW\n#  0010: 0x06 0x00 0x00 0x00000000  return KILL\n\n```\n\nSince v1.6.0 [not released yet], `asm` has switched to using a yacc-based syntax parser, hence supports more flexible and intuitive syntax!\n\n```bash\n$ cat spec/data/example.asm\n# # An example of supported assembly syntax\n# if (A == X)\n#   goto next # 'next' is a reserved label, means the next statement (\"A = args[0]\" in this example)\n# else\n#   goto err_label # custom defined label\n# A = args[0]\n# if (\n#   A # put a comment here is also valid\n#     == 0x123\n#   ) goto disallow\n# if (! 
(A \u0026 0x1337)) # support bang in if-conditions\n#   goto 0 # equivalent to 'goto next'\n# else goto 2 # goto $ + 2, 'mem[0] = A' in this example\n# A = sys_number\n# A = instruction_pointer \u003e\u003e 32\n# mem[0] = A\n# A = data[4] # equivalent to 'A = arch'\n# err_label: return ERRNO(1337)\n# disallow:\n# return KILL\n\n$ seccomp-tools asm spec/data/example.asm -f raw | seccomp-tools disasm -\n#  line  CODE  JT   JF      K\n# =================================\n#  0000: 0x1d 0x00 0x07 0x00000000  if (A != X) goto 0008\n#  0001: 0x20 0x00 0x00 0x00000010  A = args[0]\n#  0002: 0x15 0x06 0x00 0x00000123  if (A == 0x123) goto 0009\n#  0003: 0x45 0x02 0x00 0x00001337  if (A \u0026 0x1337) goto 0006\n#  0004: 0x20 0x00 0x00 0x00000000  A = sys_number\n#  0005: 0x20 0x00 0x00 0x0000000c  A = instruction_pointer \u003e\u003e 32\n#  0006: 0x02 0x00 0x00 0x00000000  mem[0] = A\n#  0007: 0x20 0x00 0x00 0x00000004  A = arch\n#  0008: 0x06 0x00 0x00 0x00050539  return ERRNO(1337)\n#  0009: 0x06 0x00 0x00 0x00000000  return KILL\n\n```\n\nThe output of `seccomp-tools disasm \u003cfile\u003e --asm-able` is a valid input of `asm`:\n```bash\n$ seccomp-tools disasm spec/data/x32.bpf --asm-able\n# 0000: A = arch\n# 0001: if (A != ARCH_X86_64) goto 0011\n# 0002: A = sys_number\n# 0003: if (A \u003c 0x40000000) goto 0011\n# 0004: if (A == x32_read) goto 0011\n# 0005: if (A == x32_write) goto 0011\n# 0006: if (A == x32_iopl) goto 0011\n# 0007: if (A != x32_mmap) goto 0011\n# 0008: A = args[0]\n# 0009: if (A == 0x0) goto 0011\n# 0010: return ERRNO(5)\n# 0011: return ALLOW\n\n\n# disasm then asm then disasm!\n$ seccomp-tools disasm spec/data/x32.bpf --asm-able | seccomp-tools asm - -f raw | seccomp-tools disasm -\n#  line  CODE  JT   JF      K\n# =================================\n#  0000: 0x20 0x00 0x00 0x00000004  A = arch\n#  0001: 0x15 0x00 0x09 0xc000003e  if (A != ARCH_X86_64) goto 0011\n#  0002: 0x20 0x00 0x00 0x00000000  A = sys_number\n#  0003: 0x35 0x00 0x07 0x40000000  
if (A \u003c 0x40000000) goto 0011\n#  0004: 0x15 0x06 0x00 0x40000000  if (A == x32_read) goto 0011\n#  0005: 0x15 0x05 0x00 0x40000001  if (A == x32_write) goto 0011\n#  0006: 0x15 0x04 0x00 0x400000ac  if (A == x32_iopl) goto 0011\n#  0007: 0x15 0x00 0x03 0x40000009  if (A != x32_mmap) goto 0011\n#  0008: 0x20 0x00 0x00 0x00000010  A = addr # x32_mmap(addr, len, prot, flags, fd, pgoff)\n#  0009: 0x15 0x01 0x00 0x00000000  if (A == 0x0) goto 0011\n#  0010: 0x06 0x00 0x00 0x00050005  return ERRNO(5)\n#  0011: 0x06 0x00 0x00 0x7fff0000  return ALLOW\n\n```\n\n### Emu\n\nEmulates seccomp given `sys_nr`, `arg0`, `arg1`, etc.\n```bash\n$ seccomp-tools emu --help\n# emu - Emulate seccomp rules.\n#\n# Usage: seccomp-tools emu [options] BPF_FILE [sys_nr [arg0 [arg1 ... arg5]]]\n#     -a, --arch ARCH                  Specify architecture.\n#                                      Supported architectures are \u003caarch64|amd64|i386|s390x\u003e.\n#                                      Default: amd64\n#     -q, --[no-]quiet                 Run quietly, only show emulation result.\n\n$ seccomp-tools emu spec/data/libseccomp.bpf write 0x3\n#  line  CODE  JT   JF      K\n# =================================\n#  0000: 0x20 0x00 0x00 0x00000004  A = arch\n#  0001: 0x15 0x00 0x08 0xc000003e  if (A != ARCH_X86_64) goto 0010\n#  0002: 0x20 0x00 0x00 0x00000000  A = sys_number\n#  0003: 0x35 0x06 0x00 0x40000000  if (A \u003e= 0x40000000) goto 0010\n#  0004: 0x15 0x04 0x00 0x00000001  if (A == write) goto 0009\n#  0005: 0x15 0x03 0x00 0x00000003  if (A == close) goto 0009\n#  0006: 0x15 0x02 0x00 0x00000020  if (A == dup) goto 0009\n#  0007: 0x15 0x01 0x00 0x0000003c  if (A == exit) goto 0009\n#  0008: 0x06 0x00 0x00 0x00050005  return ERRNO(5)\n#  0009: 0x06 0x00 0x00 0x7fff0000  return ALLOW\n#  0010: 0x06 0x00 0x00 0x00000000  return KILL\n#\n# return ALLOW at line 0009\n\n```\n\n## Screenshots\n\n### 
Dump\n![dump](https://github.com/david942j/seccomp-tools/blob/master/examples/dump-diary.png?raw=true)\n\n### Emu\n![emu](https://github.com/david942j/seccomp-tools/blob/master/examples/emu-libseccomp.png?raw=true)\n\n![emu](https://github.com/david942j/seccomp-tools/blob/master/examples/emu-amigo.png?raw=true)\n\n## Supported Architectures\n\n- [x] x86_64\n- [x] x32\n- [x] x86\n- [x] arm64 (@saagarjha)\n- [x] s390x (@iii-i)\n\nPull requests adding support for more architectures are welcome!\n\n## Development\n\nI recommend using [rbenv](https://github.com/rbenv/rbenv) for your Ruby environment.\n\n### Setup\n\n- Install bundler\n  - `$ gem install bundler`\n- Clone the source\n  - `$ git clone https://github.com/david942j/seccomp-tools \u0026\u0026 cd seccomp-tools`\n- Install dependencies\n  - `$ bundle install`\n\n### Run tests\n\n`$ bundle exec rake`\n\n## I Need You\n\nAny suggestions or feature requests are welcome!\nFeel free to file issues or send pull requests.\nAnd, if you like this work, I'll be happy to be [starred](https://github.com/david942j/seccomp-tools/stargazers) :grimacing:\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdavid942j%2Fseccomp-tools","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdavid942j%2Fseccomp-tools","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdavid942j%2Fseccomp-tools/lists"}