# SOME DESCRIPTIVE TITLE
# Copyright (C) YEAR Free Software Foundation, Inc.
# This file is distributed under the same license as the PACKAGE package.
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"POT-Creation-Date: 2026-02-04 16:51+0800\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. type: Title =
#: ceccomp.adoc:1
#, no-wrap
msgid "ceccomp(1)"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:3
msgid "dbgbgtf ; RocketDev "
msgstr ""

#. type: Title ==
#: ceccomp.adoc:11
#, no-wrap
msgid "NAME"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:14
msgid "ceccomp - A tool to analyze seccomp filters"
msgstr ""

#. type: Title ==
#: ceccomp.adoc:15
#, no-wrap
msgid "SYNOPSIS"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:20
#, no-wrap
msgid ""
" usage: ceccomp [FILE] [-q|--quiet]\n"
" [-f|--format FMT] [-a|--arch ARCH] [-p|--pid PID] [-s|--seize]\n"
" [-o|--output FILE] [-c|--color WHEN] ...\n"
msgstr ""

#. type: Title ==
#: ceccomp.adoc:21
#, no-wrap
msgid "CONCEPT"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:26
msgid ""
"The kernel uses classic BPF filters to restrict syscalls; a filter is "
"installed with the `seccomp` or `prctl` syscall. For example, below is a "
"simple filter that blocks the `execve` syscall, shown in hex:"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:31
#, no-wrap
msgid ""
" 1: 20 00 00 00 00 00 00 00 $A = $syscall_nr\n"
" 2: 15 00 00 01 3b 00 00 00 if ($A != execve) goto 4\n"
" 3: 06 00 00 00 00 00 00 00 return KILL\n"
" 4: 06 00 00 00 00 00 ff 7f return ALLOW\n"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:35
msgid ""
"The hex part is what the kernel receives; `ceccomp` disassembles it back "
"into human-readable text, with the *lineno* on the left and the "
"*statement* on the right."
msgstr ""
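The filter above as a C array, added here as an example (it is not code from the manpage or from the ceccomp project): it serializes the instructions to the same byte layout the kernel receives, checks that against the hex dump in this section, and installs a hardened variant. The hardened variant is an addition: the four instructions above compare `$syscall_nr` without first checking `$arch`, and 59 only means `execve` under the x86_64 ABI, so a filter meant for real use should refuse other archs (the i386 compat ABI numbers its syscalls differently) and use `KILL_PROCESS` rather than `KILL`. The names `page_filter`, `hardened_filter`, `filter_to_hex`, `install_filter` and the output file `hardened.bpf` are assumptions of this example, as is the existence of `/bin/true`. The `asm` subcommand below covers the same "embed a filter in C" use case.

```c
/* Added example, not code from the ceccomp project: the CONCEPT filter written
 * as a C array, serialized to the bytes the kernel receives (ceccomp's RAW),
 * and a hardened variant that checks the arch before the syscall number.
 * Linux only; the syscall number 59 is execve for the x86_64 ABI. */
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS        /* pre-4.14 headers only know KILL (= KILL_THREAD) */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#define LEN(a)   (sizeof(a) / sizeof((a)[0]))
#define NR_OFF   offsetof(struct seccomp_data, nr)
#define ARCH_OFF offsetof(struct seccomp_data, arch)

/* The manpage's filter, instruction for instruction:
 *   $A = $syscall_nr; if ($A != execve) goto 4; return KILL; return ALLOW */
static const struct sock_filter page_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, NR_OFF),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 59, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Same intent, hardened (an addition, not on the manpage): 59 is execve only
 * under the x86_64 ABI, so any other arch, e.g. a caller that switched to the
 * i386 compat ABI via int 0x80, is refused instead of being judged against the
 * wrong syscall table; KILL_PROCESS ends every thread, not just the caller. */
static const struct sock_filter hardened_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARCH_OFF),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, NR_OFF),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 59, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Emit each instruction as the 8 little-endian bytes of struct sock_filter
 * (u16 code, u8 jt, u8 jf, u32 k), one per line: the hex of the manpage.
 * Returns the number of characters written. */
static size_t filter_to_hex(const struct sock_filter *f, size_t n, char *out, size_t outlen)
{
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        const uint8_t b[8] = {
            f[i].code & 0xff, f[i].code >> 8, f[i].jt, f[i].jf,
            f[i].k & 0xff, (f[i].k >> 8) & 0xff, (f[i].k >> 16) & 0xff, f[i].k >> 24,
        };
        for (int j = 0; j < 8; j++) {
            int w = snprintf(out + pos, outlen - pos, "%02x%c", b[j], j == 7 ? '\n' : ' ');
            if (w < 0 || (size_t)w >= outlen - pos) return pos;   /* truncated */
            pos += (size_t)w;
        }
    }
    return pos;
}

/* 1 if page_filter serializes to exactly the hex dump shown in CONCEPT. */
static int page_filter_matches_manpage(void)
{
    static const char expected[] =
        "20 00 00 00 00 00 00 00\n"
        "15 00 00 01 3b 00 00 00\n"
        "06 00 00 00 00 00 00 00\n"
        "06 00 00 00 00 00 ff 7f\n";
    char buf[128];
    filter_to_hex(page_filter, LEN(page_filter), buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* Install a filter on the calling thread. NO_NEW_PRIVS is required unless the
 * caller has CAP_SYS_ADMIN, and it keeps a later setuid execve from running
 * with privileges under a filter chosen by an unprivileged parent. */
static int install_filter(const struct sock_filter *f, size_t n)
{
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = (struct sock_filter *)f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    char hex[256];
    FILE *fp = fopen("hardened.bpf", "wb");    /* RAW file for `ceccomp disasm hardened.bpf` */
    if (fp) {                                  /* on a little-endian host the array is the wire layout */
        fwrite(hardened_filter, sizeof hardened_filter[0], LEN(hardened_filter), fp);
        fclose(fp);
    }
    filter_to_hex(hardened_filter, LEN(hardened_filter), hex, sizeof hex);
    fputs(hex, stdout);
    fflush(stdout);                            /* the kill below would discard buffered output */
    if (install_filter(hardened_filter, LEN(hardened_filter)) != 0) {
        perror("prctl");
        return 1;
    }
    execl("/bin/true", "true", (char *)NULL); /* killed with SIGSYS: execve is not allowed */
    perror("execl");                          /* only reached if the filter is not active */
    return 1;
}
```

Compile with `cc -Wall embed.c -o embed`; running `./embed` prints the hardened filter's hex, writes `hardened.bpf`, and then dies with SIGSYS on the `execl`, which is the behaviour the filter is supposed to enforce.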
#. type: Plain text
#: ceccomp.adoc:38
msgid ""
"From here on, _TEXT_ is short for the human-readable BPF text and _RAW_ is "
"short for the raw binary BPF format."
msgstr ""

#. type: Title ==
#: ceccomp.adoc:39
#, no-wrap
msgid "DESCRIPTION"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:44
msgid ""
"`ceccomp` has 5 subcommands; it is essentially a C version of "
"`seccomp-tools`. There are, however, some breaking changes you need to know "
"about, which are highlighted in each subcommand section."
msgstr ""

#. type: Title ===
#: ceccomp.adoc:45
#, no-wrap
msgid "asm - ASSEMBLE"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:48
#, no-wrap
msgid " ceccomp asm [-c WHEN] [-a ARCH] [-f FMT] [TEXT]\n"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:51
msgid ""
"Assemble _TEXT_ into _RAW_. Use it to embed hand-written filter rules in C "
"code, or to see the raw bytes behind some _TEXT_."
msgstr ""

#. type: Labeled list
#: ceccomp.adoc:52 ceccomp.adoc:101 ceccomp.adoc:144 ceccomp.adoc:194
#, no-wrap
msgid "WHEN"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:56
msgid ""
"Determines when warnings and errors are displayed in color. Can be _auto_, "
"_never_ or _always_. With _auto_, ceccomp uses color when the output target "
"is a tty. The default is _auto_."
msgstr ""

#. type: Labeled list
#: ceccomp.adoc:57 ceccomp.adoc:105 ceccomp.adoc:159
#, no-wrap
msgid "ARCH"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:62
msgid ""
"Set to any architecture libseccomp supports. It is used to resolve syscall "
"names to the actual syscall numbers (for example, on x86_64 you can write "
"`execve` instead of `59`, as in the basic example above). If not set, the "
"arch of your system is taken from `uname`. The default value on your system "
"is {ARCH}."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:66
msgid ""
"Since _version 4.0_, endianness is taken into account. If the endianness of "
"the target *ARCH* differs from the machine's, the byte order of each "
"instruction's CODE and K fields is swapped before output."
msgstr ""

#. type: Labeled list
#: ceccomp.adoc:67
#, no-wrap
msgid "FMT"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:71
msgid ""
"Determines how `ceccomp` emits the binary BPF code. Can be _hexfmt_, "
"_hexline_ or _raw_. Sample output can be found in the <> section. The "
"default is _hexline_."
msgstr ""

#. type: Labeled list
#: ceccomp.adoc:72 ceccomp.adoc:162
#, no-wrap
msgid "TEXT"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:75
msgid ""
"An optional filename naming the file whose _TEXT_ will be assembled. Reads "
"from _stdin_ if not set; `-` is treated as _stdin_."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:78
msgid ""
"The assembly syntax changed substantially in _version 4.0_; please check "
"the grammar reference below."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:81
msgid ""
"See the <> section for how to write a rule by hand. Examples are shown in "
"the <> section."
msgstr ""

#. type: Table
#: ceccomp.adoc:92
#, no-wrap
msgid ""
"|Command|Difference\n"
"\n"
"|`seccomp-tools asm`\n"
"|Uses its own script-like grammar; can assemble invalid _TEXT_ that the\n"
"kernel will reject\n"
"\n"
"|`ceccomp asm`\n"
"|`disasm` output can be fed straight back to `asm`, so there is no new\n"
"grammar to learn; reads `stdin` by default\n"
msgstr ""

#. type: Title ===
#: ceccomp.adoc:94
#, no-wrap
msgid "disasm - DISASSEMBLE"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:97
#, no-wrap
msgid " ceccomp disasm [-c WHEN] [-a ARCH] [RAW]\n"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:100
msgid ""
"Disassemble _RAW_ into _TEXT_. Use it to see what a filter does when you "
"cannot capture it with `trace` and have to extract it by hand."
msgstr ""
#. type: Plain text
#: ceccomp.adoc:104
msgid ""
"Argument descriptions can be found in the <> section. `disasm` may print "
"more in color, including syntax highlighting for _TEXT_."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:110
msgid ""
"Set to any architecture libseccomp supports. It determines how a syscall "
"number in the _RAW_ filter is translated to a syscall name (for example, on "
"x86_64 the number `0x3b` is translated to `execve` when the comparison is "
"against syscall_nr; see the basic example above). The default value on your "
"system is {ARCH}."
msgstr ""

#. type: Labeled list
#: ceccomp.adoc:111
#, no-wrap
msgid "RAW"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:114
msgid ""
"A binary file containing raw BPF code. Reads _stdin_ if not set; `-` is "
"treated as _stdin_. The file is arch-specific (syscall numbers and byte "
"order depend on the arch), so it may not be portable across archs."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:118
msgid ""
"Since _version 4.0_, endianness is taken into account. If the endianness of "
"the target *ARCH* differs from the machine's, the byte order of each "
"instruction's CODE and K fields is swapped before decoding."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:123
msgid ""
"ceccomp resolves a syscall number to a name ONLY IF the arch can be "
"determined at that line. For a foreign arch (one other than the arch you "
"set), the arch name is prepended to the syscall name. You may notice that "
"in some cases seccomp-tools resolves a name where ceccomp does not; this is "
"intended, because the arch could not be determined at that point."
msgstr ""

#. type: Table
#: ceccomp.adoc:133
#, no-wrap
msgid ""
"|Command|Difference\n"
"\n"
"|`seccomp-tools disasm`\n"
"|Disassembles in its own format; never checks whether the filter is valid\n"
"\n"
"|`ceccomp disasm`\n"
"|Disassembles in ceccomp format and reads `stdin` by default; checks the\n"
"arch strictly and always displays the foreign arch name\n"
msgstr ""

#. type: Title ===
#: ceccomp.adoc:135
#, no-wrap
msgid "emu - EMULATE"
msgstr ""
#. type: Plain text
#: ceccomp.adoc:138
#, no-wrap
msgid ""
" ceccomp emu [-c WHEN] [-a ARCH] [-q] TEXT SYSCALL_NAME/SYSCALL_NR "
"[ARGS[0] ARGS[1] ... ARGS[5] PC]\n"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:143
msgid ""
"Emulate what happens when `syscall(SYSCALL_NR, ARGS[0], ARGS[1], ..., "
"ARGS[5])` is issued from `PC` under the rules in _TEXT_. Use it to see the "
"result without actually running the program, or when you do not want to "
"trace through the filter by hand. This subcommand can be used to examine a "
"filter automatically."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:147
msgid ""
"Argument descriptions can be found in the <> section. `emu` may print more "
"in color, including syntax highlighting for _TEXT_ and for skipped "
"statements."
msgstr ""

#. type: Labeled list
#: ceccomp.adoc:148
#, no-wrap
msgid "SYSCALL_NAME/SYSCALL_NR"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:153
msgid ""
"If you give a *SYSCALL_NAME* (like `execve`), it is first translated to "
"*SYSCALL_NR* under *ARCH*; otherwise give *SYSCALL_NR* directly (like "
"`59`). The number is then run through the BPF filter to see the result for "
"that syscall. This argument is NOT optional."
msgstr ""

#. type: Labeled list
#: ceccomp.adoc:154
#, no-wrap
msgid "ARGS[0-5] and PC"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:158
msgid ""
"Register values at the time of the syscall. On x86_64, for example, these "
"correspond to `rdi`, `rsi`, `rdx`, `r10`, `r8`, `r9` and `rip`. They "
"default to 0."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:161
msgid "Argument descriptions can be found in the <> section."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:166
msgid ""
"The filename of the file containing the _TEXT_ rules to test. The filename "
"CANNOT be omitted, because ceccomp cannot tell whether a positional "
"argument is a syscall or a filename. Use `-` for _stdin_."
msgstr ""
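A minimal emulator in C, added here to show what `emu` computes; it is an example and not ceccomp's own code. It runs a classic-BPF filter over a `struct seccomp_data` built from the syscall number and arguments, and applies the validator rules the grammar section below relies on: absolute loads only into `A`, forward-only jumps, no jump past the end, and a mandatory final return. The `write_filter`, the `emu*` wrappers and `truncated_is_rejected` are constructed for this example; syscall numbers are x86_64's, and a little-endian host is assumed so that `$low_args[0]` is the first 4 bytes of `args[0]`.

```c
/* Added example, not ceccomp's own emulator: an interpreter for the classic BPF
 * subset that seccomp's validator accepts, driven like `ceccomp emu` (filter,
 * syscall number, args). Linux only; little-endian host assumed for low_/high_. */
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct emu_result { int ok; uint32_t ret; }; /* ok == 0: the kernel would reject this filter */

static struct emu_result seccomp_emu(const struct sock_filter *f, size_t n,
                                     const struct seccomp_data *d)
{
    const struct emu_result bad = { 0, 0 };
    const uint8_t *raw = (const uint8_t *)d;         /* seccomp_data as bytes for $A = $field */
    uint32_t A = 0, X = 0, mem[BPF_MEMWORDS] = { 0 };
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *i = &f[pc];
        uint32_t k = i->k, src = BPF_SRC(i->code) == BPF_X ? X : k;
        size_t tgt; int taken = 0;
        switch (i->code) {
        case BPF_LD | BPF_W | BPF_ABS:               /* $A = $syscall_nr / $arch / $low_args[n] ... */
            if (k % 4 || k + 4 > sizeof *d) return bad;   /* validator: aligned and in bounds */
            memcpy(&A, raw + k, 4);
            break;
        case BPF_LD | BPF_W | BPF_LEN: A = sizeof *d; break;    /* $A = $scmp_data_len */
        case BPF_LD | BPF_IMM:  A = k; break;   case BPF_LDX | BPF_IMM: X = k; break;
        case BPF_MISC | BPF_TAX: X = A; break;  case BPF_MISC | BPF_TXA: A = X; break;
        case BPF_LD | BPF_MEM:  if (k >= BPF_MEMWORDS) return bad; A = mem[k]; break;   /* $mem[k] */
        case BPF_LDX | BPF_MEM: if (k >= BPF_MEMWORDS) return bad; X = mem[k]; break;
        case BPF_ST:  if (k >= BPF_MEMWORDS) return bad; mem[k] = A; break;
        case BPF_STX: if (k >= BPF_MEMWORDS) return bad; mem[k] = X; break;
        case BPF_RET | BPF_K: return (struct emu_result){ 1, k };
        case BPF_RET | BPF_A: return (struct emu_result){ 1, A };
        default:
            if (BPF_CLASS(i->code) == BPF_ALU) {
                switch (BPF_OP(i->code)) {
                case BPF_ADD: A += src; break;  case BPF_SUB: A -= src; break;
                case BPF_MUL: A *= src; break;  case BPF_AND: A &= src; break;
                case BPF_OR:  A |= src; break;  case BPF_XOR: A ^= src; break;
                case BPF_NEG: A = 0u - A; break;
                case BPF_DIV: case BPF_MOD:
                    if (!src) return bad;       /* division by zero is treated as invalid here */
                    A = BPF_OP(i->code) == BPF_DIV ? A / src : A % src; break;
                case BPF_LSH: case BPF_RSH:
                    if (src > 31) return bad;   /* shift count must stay below the word size */
                    A = BPF_OP(i->code) == BPF_LSH ? A << src : A >> src; break;
                default: return bad;
                }
            } else if (BPF_CLASS(i->code) == BPF_JMP) {
                if (BPF_OP(i->code) == BPF_JA) {
                    tgt = pc + 1 + k;                               /* goto L */
                } else {
                    switch (BPF_OP(i->code)) {
                    case BPF_JEQ: taken = A == src; break;  case BPF_JGT:  taken = A > src; break;
                    case BPF_JGE: taken = A >= src; break;  case BPF_JSET: taken = (A & src) != 0; break;
                    default: return bad;
                    }
                    tgt = pc + 1 + (taken ? i->jt : i->jf);         /* offsets only go forward */
                }
                if (tgt >= n) return bad;                           /* validator: no jump past the end */
                pc = tgt - 1;
            } else {
                return bad;                                         /* op banned for seccomp */
            }
        }
    }
    return bad;   /* fell off the end: the validator insists the last instruction is a return */
}

#define NR_OFF      offsetof(struct seccomp_data, nr)
#define ARG_LOW(i)  (offsetof(struct seccomp_data, args) + 8 * (i))
#define ARG_HIGH(i) (ARG_LOW(i) + 4)

/* The CONCEPT filter: kill execve (59 on x86_64), allow everything else. */
static const struct sock_filter page_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, NR_OFF),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 59, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Constructed filter on the argument fields: write(2) only to fd 1, else EBADF.
 * Both halves of args[0] are compared so the rule covers the full 64-bit
 * register, not just what $low_args[0] sees. */
static const struct sock_filter write_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, NR_OFF),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 1 /* write */, 0, 5),  /* if ($A != write) goto allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_HIGH(0)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 2),              /* if ($A != 0) goto deny */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LOW(0)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 1, 1, 0),              /* if ($A == 1) goto allow */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EBADF),      /* deny:  return ERRNO(9) */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),              /* allow: return ALLOW */
};

/* `ceccomp emu TEXT NR ARG0` equivalents; arch and pc stay 0, neither filter reads them. */
static struct emu_result emu(const struct sock_filter *f, size_t n, int nr, uint64_t arg0)
{ struct seccomp_data d = { .nr = nr, .args = { arg0 } }; return seccomp_emu(f, n, &d); }
static struct emu_result emu_page(int nr)               { return emu(page_filter, 4, nr, 0); }
static struct emu_result emu_write(int nr, uint64_t a0) { return emu(write_filter, 8, nr, a0); }
static int truncated_is_rejected(void) { return !emu(page_filter, 2, 0, 0).ok; } /* jumps past the end */
```

`emu_page(59)` yields the KILL action (0) and `emu_page(0)` ALLOW (0x7fff0000), matching the manpage's filter; `emu_write(1, 2)` yields `ERRNO(9)`, and so does `emu_write(1, (1ull << 32) | 1)`, because the high word is checked too. The first two instructions of `page_filter` on their own would jump past the end, which the kernel's validator rejects, so `truncated_is_rejected()` is 1.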
#. type: Labeled list
#: ceccomp.adoc:167 ceccomp.adoc:219
#, no-wrap
msgid "-q, --quiet"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:170
msgid ""
"Only print the evaluation result of the filter. For example, if the last "
"statement emulated is `return KILL`, only `KILL` is printed."
msgstr ""

#. type: Table
#: ceccomp.adoc:180
#, no-wrap
msgid ""
"|Command|Difference\n"
"\n"
"|`seccomp-tools emu`\n"
"|Takes _RAW_ as input\n"
"\n"
"|`ceccomp emu`\n"
"|Takes _TEXT_ as input (`-` selects `stdin`); *PC* can be set\n"
msgstr ""

#. type: Title ===
#: ceccomp.adoc:182
#, no-wrap
msgid "trace - TRACE FILTER IN RUNTIME"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:186
#, no-wrap
msgid ""
" ceccomp trace [-c WHEN] [-q] [-o FILE] PROGRAM [program-args]\n"
" [-c WHEN] [-q] -p PID [-s]\n"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:193
msgid ""
"The first form captures the filters *PROGRAM* loads at runtime by tracing "
"it; the second form extracts the seccomp filters already installed in "
"*PID*, or (with `-s`) traces *PID* to capture the filters it loads later. "
"Fetched filters are printed as _TEXT_. Only one of the two forms can be "
"used at a time. Use this when running the program is the simplest way to "
"obtain its BPF filters, or when a program with filters already installed "
"is waiting for input."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:197
msgid ""
"Argument descriptions can be found in the <> section. `trace` may print "
"more in color, including syntax highlighting for _TEXT_."
msgstr ""

#. type: Labeled list
#: ceccomp.adoc:198
#, no-wrap
msgid "FILE"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:203
msgid ""
"Useful when *PROGRAM* writes a lot to _stderr_. `ceccomp` lets you close "
"_stdin_ and _stdout_ to limit *PROGRAM*'s input and output, so `ceccomp` "
"itself prints its messages to _stderr_ while *PROGRAM* runs; set *FILE* to "
"write the _TEXT_ to some other file instead. `-` is treated as _stdout_."
msgstr ""
#. type: Labeled list
#: ceccomp.adoc:204
#, no-wrap
msgid "PROGRAM"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:207
msgid ""
"The program to run; *program-args* are its arguments, just as in the shell "
"command `exec PROGRAM program-args`."
msgstr ""

#. type: Labeled list
#: ceccomp.adoc:208
#, no-wrap
msgid "PID"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:213
msgid ""
"The pid to inspect. *PID* conflicts with *PROGRAM*: one command either runs "
"a program or examines a pid, not both. Without the `-s` flag, trace pid "
"mode extracts the seccomp filters installed in *PID* via "
"`ptrace(PTRACE_SECCOMP_GET_FILTER)`, which may not be available on some "
"systems (it requires a kernel built with `CONFIG_CHECKPOINT_RESTORE`)."
msgstr ""

#. type: Labeled list
#: ceccomp.adoc:214
#, no-wrap
msgid "-s, --seize"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:218
msgid ""
"*ONLY AVAILABLE IN TRACE PID MODE.* Setting this flag changes trace pid "
"mode to attach to *PID* and keep tracing it for seccomp filter loads, as "
"trace prog mode does. _This flag was introduced in version 4.0._"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:222
msgid ""
"Suppresses the extra *[INFO]* lines printed when a process is detected "
"forking, exiting or loading a seccomp filter. _This flag was introduced in "
"version 4.0._"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:226
msgid ""
"Extracting filters from *PID* (without the `-s` flag) requires "
"`CAP_SYS_ADMIN`, and `CAP_SYS_PTRACE` may also be needed; the easiest way "
"to get both is to run `ceccomp` with `sudo`."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:230
msgid ""
"Since _version 3.1_, multiple processes are traced, and an extra INFO "
"message is printed when a tracee forks, resolves or exits. You can discard "
"these with a command like `ceccomp trace -q PROG 2>/dev/null`."
msgstr ""
#. type: Table
#: ceccomp.adoc:243
#, no-wrap
msgid ""
"|Command|Difference\n"
"\n"
"|`seccomp-tools dump`\n"
"|The output format can be set; each filter can be written to a different\n"
"file; kills *PROGRAM* once *LIMIT* filters have been loaded; wraps\n"
"*PROGRAM* in `sh -c`\n"
"\n"
"|`ceccomp trace`\n"
"|All filters are written to a single file; never kills *PROGRAM*;\n"
"*PROGRAM* is launched directly, so `./` is not needed; prints explicitly\n"
"on fork; can attach to a pid to capture seccomp filters dynamically\n"
msgstr ""

#. type: Title ===
#: ceccomp.adoc:245
#, no-wrap
msgid "probe - TEST COMMON SYSCALLS INSTANTLY"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:248
#, no-wrap
msgid " ceccomp probe [-c WHEN] [-o FILE] [-q] PROGRAM [program-args]\n"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:252
msgid ""
"Runs *PROGRAM* with *program-args*, captures the *FIRST* seccomp filter it "
"loads, then kills all children. Use it when you need a quick check of a "
"program and want to spot potential problems in its seccomp rules."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:254
msgid "All argument descriptions can be found in the <> section."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:258
msgid ""
"The output of this subcommand is the emulation result for common syscalls "
"such as `execve`, `open` and so on. If the filter does not actually block "
"the syscalls it is me​ant to, you can see that at a glance."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:261
msgid ""
"Typical output is shown below; a more detailed example can be found in the "
"<> section."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:273
#, no-wrap
msgid ""
" open -> ALLOW\n"
" read -> ALLOW\n"
" write -> ALLOW\n"
" execve -> KILL\n"
" execveat -> KILL\n"
" mmap -> ALLOW\n"
" mprotect -> ALLOW\n"
" openat -> ALLOW\n"
" sendfile -> ALLOW\n"
" ptrace -> ERRNO(1)\n"
" fork -> ALLOW\n"
msgstr ""
#. type: Plain text
#: ceccomp.adoc:275
msgid "`seccomp-tools` has no equivalent of this subcommand."
msgstr ""

#. type: Title ==
#: ceccomp.adoc:276
#, no-wrap
msgid "TEXT GRAMMAR REFERENCE"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:283
msgid ""
"The grammar changed substantially in _version 4.0_, when the lexer was "
"refactored for better readability. The decorative wrapper lines (header "
"and separators) are now prefixed with `#`, which makes them comments. Line "
"numbers have been replaced by labels, so jump targets are now decided by "
"label declarations instead of line numbers in the _TEXT_ file."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:288
msgid ""
"A valid _TEXT_ format is described in an EBNF-like grammar here: "
"https://github.com/dbgbgtf1/Ceccomp/issues/17#issuecomment-3610531705. If "
"you would rather not deal with EBNF, keep reading for examples."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:290
msgid ""
"BPF ops not described below are rejected by the kernel's seccomp filter "
"validator."
msgstr ""

#. type: Title ===
#: ceccomp.adoc:291
#, no-wrap
msgid "Comment and Label"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:295
msgid ""
"`ceccomp disasm` prints several columns, but only some of them matter to "
"asm."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:300
#, no-wrap
msgid ""
" #Label CODE JT JF K\n"
" #---------------------------------\n"
" L0001: 0x06 0x00 0x00 0x7fff0000 return ALLOW\n"
" #---------------------------------\n"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:302
msgid "Any text after `#` is discarded by asm, as in many scripting languages."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:304
msgid "Empty lines are accepted."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:312
msgid ""
"A label declaration is an identifier at the beginning of a line followed "
"by `:`, like `L0001:`. An identifier starts with a letter and contains "
"only alphanumeric characters and underscores (`_`). A label is only "
"required if it is the destination of a `goto`; the redundant labels added "
"by disasm are for readability. E.g. in `if ($A == 0) goto somewhere`, "
"`somewhere` is a label and must be declared after the statement, since "
"classic BPF jumps only go forward. A label declaration can stand on its "
"own line or be placed in front of a statement."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:315
msgid ""
"The `CODE`, `JT`, `JF` and `K` columns generated by disasm are discarded "
"by asm, which only parses the effective statement after `K`."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:320
msgid ""
"There are some slight differences between `ceccomp disasm` and "
"`seccomp-tools disasm`; below is a general example. Some statements differ "
"as well, so do not pipe seccomp-tools output into ceccomp blindly."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:324
#, no-wrap
msgid ""
" line CODE JT JF K\n"
" =================================\n"
" 0000: 0x06 0x00 0x00 0x7fff0000 return ALLOW\n"
msgstr ""

#. type: Title ===
#: ceccomp.adoc:325
#, no-wrap
msgid "Assignment"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:329
msgid ""
"`A` can be loaded directly from the seccomp attributes (the fields of "
"`struct seccomp_data`). `X` cannot, because of a kernel restriction: the "
"seccomp validator only accepts absolute loads into `A`."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:332
#, no-wrap
msgid ""
" $A = $arch\n"
" $A = $syscall_nr\n"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:334
msgid ""
"To load one of the 64-bit fields into `A`, a `low_` or `high_` prefix is "
"needed, selecting the low or high 32-bit half."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:342
#, no-wrap
msgid ""
" $A = $low_pc\n"
" $A = $high_pc\n"
" $A = $low_args[0]\n"
" $A = $high_args[0]\n"
" ...\n"
" $A = $low_args[5]\n"
" $A = $high_args[5]\n"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:345
msgid ""
"A special attribute is `sizeof(struct seccomp_data)`, which can be "
"assigned to either `A` or `X` directly."
msgstr ""
#. type: Plain text
#: ceccomp.adoc:348
#, no-wrap
msgid ""
" $A = $scmp_data_len\n"
" $X = $scmp_data_len\n"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:352
msgid ""
"The scratch memory consists of 32-bit words, indexed in hex or decimal. "
"Both `A` and `X` can be loaded from it. Immediate values assigned to `A` "
"or `X` may be written in any base, as long as the base is indicated by a "
"`0x` or `0b` prefix."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:360
#, no-wrap
msgid ""
" $X = $mem[0]\n"
" $A = $mem[0xf]\n"
" $A = $mem[15] # both hex and dec index are OK\n"
" $A = 0\n"
" $X = 0x3b\n"
" $A = 0b1111\n"
" $A = 0333\n"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:363
msgid ""
"You can also copy `X` into `A` or vice versa, and store `A` or `X` into "
"scratch memory."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:368
#, no-wrap
msgid ""
" $A = $X\n"
" $X = $A\n"
" $mem[3] = $X\n"
" $mem[0x4] = $A\n"
msgstr ""

#. type: Title ===
#: ceccomp.adoc:369
#, no-wrap
msgid "Arithmetic Operations"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:372
msgid "Various operations can be applied to `A`."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:379
#, no-wrap
msgid ""
" $A += 30\n"
" $A -= 4\n"
" $A *= 9\n"
" $A /= 1\n"
" $A &= 7\n"
" $A >>= 6\n"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:381
msgid "The right-hand operand can also be `X`."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:386
#, no-wrap
msgid ""
" $A &= $X\n"
" $A |= $X\n"
" $A ^= $X\n"
" $A <<= $X\n"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:388
msgid "And `A` can be negated."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:390
#, no-wrap
msgid " $A = -$A\n"
msgstr ""

#. type: Title ===
#: ceccomp.adoc:391
#, no-wrap
msgid "Jump Downwards If ..."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:394
msgid "Unconditional jump:"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:396
#, no-wrap
msgid " goto L3\n"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:398
msgid "Jump if:"
msgstr ""
#. type: Plain text
#: ceccomp.adoc:404
#, no-wrap
msgid ""
" if ($A == execve) goto L3\n"
" if ($A != 1234) goto L4\n"
" if ($A & $X) goto L5\n"
" if !($A & 7) goto L6\n"
" if ($A <= $X) goto L7\n"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:406
msgid "If true jump to ..., else jump to ...:"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:409
#, no-wrap
msgid ""
" if ($A > $X) goto L3, else goto L4\n"
" if ($A >= 4567) goto L5, else goto L6\n"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:416
msgid ""
"ONLY in conditions can a number be replaced by a syscall name or arch "
"name; in the example above, `0x3b` is replaced by `execve`. Syscall names "
"are resolved to syscall numbers under the selected arch. To resolve a "
"syscall name for a foreign arch (one other than the selected arch), "
"prepend the arch name and a dot. For example, if your arch is x86_64 and "
"you are writing _aarch64_ rules, write:"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:418
#, no-wrap
msgid " if ($A == aarch64.read) goto L5\n"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:421
msgid ""
"Note that if you set the arch to _aarch64_ explicitly with `-a aarch64`, "
"you can omit the `aarch64.` prefix in the statement."
msgstr ""

#. type: Title ===
#: ceccomp.adoc:422
#, no-wrap
msgid "Return Code"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:425
msgid "Return the value of register `A`:"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:427
#, no-wrap
msgid " return $A\n"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:431
msgid ""
"Or return an immediate value, optionally with an extra data field in `()`. "
"The `TRACE`, `TRAP` and `ERRNO` actions accept this field; written without "
"`()`, they are treated as `action(0)`."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:441
#, no-wrap
msgid ""
" return 0x13371337\n"
" return KILL\n"
" return KILL_PROCESS\n"
" return TRAP(123)\n"
" return ERRNO(0)\n"
" return TRACE\n"
" return TRACE(3)\n"
" return LOG\n"
" return NOTIFY\n"
msgstr ""
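A two-pass assembler for the subset of this grammar used on the page, added here as an example; it is not ceccomp's own implementation. Pass one records the instruction index of every `label:`; pass two encodes each jump as an offset relative to the next instruction and rejects any label that is not strictly after the jump, which is what the Comment and Label section means by "must be declared after the statement". It accepts `#` comments, blank lines, labels on their own line or in front of a statement, disasm's `CODE JT JF K` columns (skipped, as the grammar section says asm does), `$A = $field`, `$A = number`, `if ($A op number) goto L`, `goto L` and `return ACTION(data)`. It does not resolve syscall or arch names, nor handle `$X`, `$mem`, arithmetic, the `!(...)` and `, else goto` forms, or `0b` literals. The `short_example` input is the Short Example below with syscall numbers substituted for the names (constructed input); `attr_offset`, `ret_value`, `assemble` and `prog` are names chosen for this example.

```c
/* Added example, not ceccomp's assembler: a two-pass assembler for the subset of
 * the TEXT grammar on this page. Names are not resolved, so write numbers
 * (59 = execve, 322 = execveat on x86_64). Linux headers; little-endian layout. */
#include <ctype.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* "$name[idx]" -> byte offset in struct seccomp_data (high_ = second word). */
static int attr_offset(const char *name, unsigned idx, unsigned *off)
{
    int high = !strncmp(name, "high_", 5), half = high || !strncmp(name, "low_", 4);
    const char *f = name + (high ? 5 : half ? 4 : 0);
    if (!half && !strcmp(f, "syscall_nr")) *off = offsetof(struct seccomp_data, nr);
    else if (!half && !strcmp(f, "arch"))  *off = offsetof(struct seccomp_data, arch);
    else if (half && !strcmp(f, "pc"))     *off = offsetof(struct seccomp_data, instruction_pointer) + 4 * high;
    else if (half && !strcmp(f, "args") && idx <= 5) *off = offsetof(struct seccomp_data, args) + 8 * idx + 4 * high;
    else return -1;
    return 0;
}

/* "return ACTION(data)" -> the u32 the kernel sees. */
static int ret_value(const char *action, unsigned data, unsigned *v)
{
    static const struct { const char *n; unsigned val; } acts[] = {
        { "ALLOW", SECCOMP_RET_ALLOW }, { "KILL", SECCOMP_RET_KILL }, { "KILL_PROCESS", SECCOMP_RET_KILL_PROCESS },
        { "LOG", SECCOMP_RET_LOG }, { "ERRNO", SECCOMP_RET_ERRNO }, { "TRAP", SECCOMP_RET_TRAP }, { "TRACE", SECCOMP_RET_TRACE } };
    for (size_t i = 0; i < sizeof acts / sizeof acts[0]; i++)
        if (!strcmp(action, acts[i].n)) { *v = acts[i].val | (data & SECCOMP_RET_DATA); return 0; }
    return -1;
}

/* Assemble TEXT into out[]. Returns the instruction count, or -1 on any error:
 * unknown statement, unknown label, or a jump that is not strictly forward. */
static int assemble(const char *text, struct sock_filter *out, int max)
{
    struct { char name[64]; int insn; } labels[64]; int nlabels = 0, n = 0;
    for (int pass = 0; pass < 2; pass++) {            /* pass 0: label -> index; pass 1: encode */
        const char *p = text;
        for (n = 0; *p; ) {
            char line[384], *s, *e, name[64], op[3], tgt[64];
            long long k = 0; unsigned idx = 0, off = 0; int used = 0, cnt = 0, target = n + 1;
            size_t len = strcspn(p, "\n");
            if (len >= sizeof line) return -1;         /* RESTRICTIONS: a line is < 384 bytes */
            memcpy(line, p, len); line[len] = '\0'; p += len + (p[len] == '\n');
            if ((e = strchr(line, '#'))) *e = '\0';    /* '#' starts a comment */
            for (e = line + strlen(line); e > line && isspace((unsigned char)e[-1]); ) *--e = '\0';
            s = line + strspn(line, " \t");
            if (sscanf(s, "%63[A-Za-z0-9_]:%n", name, &used) == 1 && used) {   /* "label:" */
                if (!isalpha((unsigned char)name[0]) || nlabels >= 64) return -1;
                if (pass == 0) { strcpy(labels[nlabels].name, name); labels[nlabels++].insn = n; }
                s += used + strspn(s + used, " \t");
            }
            if (!strncmp(s, "0x", 2))                  /* disasm's CODE JT JF K columns: skip them */
                for (int t = 0; t < 4; t++) { s += strcspn(s, " \t"); s += strspn(s, " \t"); }
            if (!*s) continue;                         /* blank line, or a label on its own line */
            if (n >= max) return -1;
            struct sock_filter in = { 0, 0, 0, 0 };
            if (sscanf(s, "if ($A %2[=!<>&] %lli) goto %63[A-Za-z0-9_]", op, &k, tgt) == 3 ||
                sscanf(s, "goto %63[A-Za-z0-9_]", tgt) == 1) {
                int ja = s[0] == 'g';
                if (pass) for (target = -1, cnt = 0; cnt < nlabels; cnt++)
                    if (!strcmp(labels[cnt].name, tgt)) target = labels[cnt].insn;
                if (target <= n) return -1;            /* label must follow the jump: BPF only jumps forward */
                unsigned d = (unsigned)(target - n - 1); /* offsets count from the next instruction */
                if (!ja && d > 255) return -1;         /* jt/jf are 8-bit */
                in.k = ja ? d : (unsigned)k;
                if (ja)                     in.code = BPF_JMP | BPF_JA;
                else if (!strcmp(op, "==")) { in.code = BPF_JMP | BPF_JEQ | BPF_K;  in.jt = d; }
                else if (!strcmp(op, "!=")) { in.code = BPF_JMP | BPF_JEQ | BPF_K;  in.jf = d; }
                else if (!strcmp(op, ">"))  { in.code = BPF_JMP | BPF_JGT | BPF_K;  in.jt = d; }
                else if (!strcmp(op, ">=")) { in.code = BPF_JMP | BPF_JGE | BPF_K;  in.jt = d; }
                else if (!strcmp(op, "<=")) { in.code = BPF_JMP | BPF_JGT | BPF_K;  in.jf = d; } /* !(A > K) */
                else if (!strcmp(op, "&"))  { in.code = BPF_JMP | BPF_JSET | BPF_K; in.jt = d; }
                else return -1;
            } else if (sscanf(s, "return %31[A-Za-z0-9_]%n", name, &cnt) == 1) {
                sscanf(s + cnt, "(%lli)", &k);         /* optional data field, e.g. ERRNO(1) */
                if (ret_value(name, (unsigned)k, &in.k)) return -1;
                in.code = BPF_RET | BPF_K;
            } else if (sscanf(s, "$A = $%31[a-z_]%n", name, &cnt) == 1) {
                if (sscanf(s + cnt, "[%u]", &idx) != 1) idx = 0;
                if (attr_offset(name, idx, &off)) return -1;
                in.code = BPF_LD | BPF_W | BPF_ABS; in.k = off;
            } else if (sscanf(s, "$A = %lli%n", &k, &cnt) == 1 && !s[cnt]) {
                in.code = BPF_LD | BPF_IMM; in.k = (unsigned)k;   /* 0x.. or decimal; 0b.. not handled */
            } else return -1;                          /* outside the supported subset */
            out[n++] = in;
        }
    }
    return n;
}

/* Constructed input: the Short Example with numbers for the syscall names, plus
 * a comment, a blank line and one disasm-style line to show what is tolerated. */
static const char short_example[] =
    "# block execve (59) and execveat (322) on x86_64\n"
    "\n"
    "L0001: 0x20 0x00 0x00 0x00000000 $A = $syscall_nr\n"
    "if ($A == 59) goto forbid\n"
    "if ($A == 322) goto forbid\n"
    "return ALLOW\n"
    "forbid: return KILL\n";
static struct sock_filter prog[16];
static int assemble_short_example(void) { return assemble(short_example, prog, 16); }
```

`assemble_short_example()` yields 5 instructions: the first `if` sits at index 1 and `forbid:` at index 4, so its `jt` is 2 (4 - 1 - 1), the second `if` gets `jt` 1, and both `jf` fields stay 0 so execution falls through to `return ALLOW`. Feeding it `bad: $A = $syscall_nr` followed by `goto bad` returns -1, because the target precedes the jump and classic BPF cannot encode that.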
#. type: Title ===
#: ceccomp.adoc:442
#, no-wrap
msgid "Short Example"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:446
msgid ""
"The following _TEXT_ is valid input for asm; it blocks `execve` and "
"`execveat` on amd64:"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:452
#, no-wrap
msgid ""
" $A = $syscall_nr\n"
" if ($A == execve) goto forbid\n"
" if ($A == execveat) goto forbid\n"
" return ALLOW\n"
" forbid: return KILL\n"
msgstr ""

#. type: Title ==
#: ceccomp.adoc:453
#, no-wrap
msgid "RESTRICTIONS"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:456
msgid "ceccomp asm places some restrictions on _TEXT_ for performance."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:458
msgid "`'\\0'` must not appear in _TEXT_, since it is a text file."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:459
msgid "A line must be shorter than 384 *bytes*."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:460
msgid "A _TEXT_ file must have fewer than 4096 lines."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:461
msgid "A _TEXT_ file must be smaller than 1 MiB."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:464
msgid ""
"For both asm and disasm, the number of effective statements (those that "
"encode to or decode from BPF instructions) must be at most 1024. This is "
"ceccomp's limit; the kernel itself caps a single seccomp filter at "
"`BPF_MAXINSNS`, 4096 instructions."
msgstr ""

#. type: Plain text
#: ceccomp.adoc:467
msgid ""
"A fun fact about ceccomp asm: basic ANSI color escapes in a _TEXT_ file, "
"e.g. `\\x1b[31m`, are discarded during processing, so colored disasm "
"output can be fed back in."
msgstr ""

#. type: Title ==
#: ceccomp.adoc:468
#, no-wrap
msgid "EXAMPLES"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:473
msgid ""
"A manpage cannot display images, so please see the HTML version of this "
"page for the examples."
msgstr ""

#. type: Title ===
#: ceccomp.adoc:476
#, no-wrap
msgid "asm example"
msgstr ""

#. type: Target for macro image
#: ceccomp.adoc:477
#, no-wrap
msgid "asm.webp"
msgstr ""

#. type: Title ===
#: ceccomp.adoc:478
#, no-wrap
msgid "disasm example"
msgstr ""
#. type: Target for macro image
#: ceccomp.adoc:479
#, no-wrap
msgid "disasm.webp"
msgstr ""

#. type: Title ===
#: ceccomp.adoc:480
#, no-wrap
msgid "emu example"
msgstr ""

#. type: Target for macro image
#: ceccomp.adoc:481
#, no-wrap
msgid "emu.webp"
msgstr ""

#. type: Title ===
#: ceccomp.adoc:482
#, no-wrap
msgid "trace example"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:484
msgid "Running a program:"
msgstr ""

#. type: Target for macro image
#: ceccomp.adoc:485
#, no-wrap
msgid "trace.webp"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:488
msgid "With `-o FILE` set:"
msgstr ""

#. type: Target for macro image
#: ceccomp.adoc:489
#, no-wrap
msgid "output_trick.webp"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:492
msgid "Trace pid mode:"
msgstr ""

#. type: Target for macro image
#: ceccomp.adoc:493
#, no-wrap
msgid "trace_pid.webp"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:496
msgid "Seize pid mode:"
msgstr ""

#. type: Target for macro image
#: ceccomp.adoc:497
#, no-wrap
msgid "trace_seize.webp"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:500
msgid "Completion for pid mode is available under zsh:"
msgstr ""

#. type: Target for macro image
#: ceccomp.adoc:501
#, no-wrap
msgid "trace_completion.webp"
msgstr ""

#. type: Title ===
#: ceccomp.adoc:503
#, no-wrap
msgid "probe example"
msgstr ""

#. type: Target for macro image
#: ceccomp.adoc:504
#, no-wrap
msgid "probe.webp"
msgstr ""

#. type: Title ==
#: ceccomp.adoc:507
#, no-wrap
msgid "REPO"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:511
msgid ""
"Visit https://github.com/dbgbgtf1/Ceccomp to find the code. Pull requests "
"and issues are welcome!"
msgstr ""

#. type: Plain text
#: ceccomp.adoc:512
msgid "Copyright (C) 2025-present, distributed under GPLv3 or later."
msgstr ""