#compdef ceccomp
# Zsh completion script for ceccomp

# Keep every helper array local so nothing leaks into the interactive shell
local -a subcmd options expl arch_compstr color_compstr output_compstr
local state

# Architectures accepted by -a/--arch
local archs=(
    'x86_64' 'i386' 'x32' 'aarch64' 'arm' 'loongarch64' 'm68k' 'mips' 'mipsel'
    'mips64' 'mipsel64' 'mips64n32' 'mipsel64n32' 'parisc' 'parisc64' 'ppc64' 'ppc64le'
    'ppc' 's390x' 's390' 'riscv64'
)

# Option specs shared by several subcommands
arch_compstr=(
    '(-a --arch)'{-a,--arch}"[Target BPF architecture]:ARCH:($archs)"
)
color_compstr=(
    '(-c --color)'{-c,--color}'[When to display in color]:WHEN:(always auto never)'
)
output_compstr=(
    '(-o --output)'{-o,--output}'[Print to file to avoid mixing tracee output]:FILE:_files'
)

# Syscall names offered as candidates for the emu NR argument
local syscalls=(
    'open' 'read' 'write' 'close' 'mmap' 'mprotect' 'execve' 'execveat' 'pread64'
    'readv' 'writev' 'preadv' 'preadv2' 'openat' 'openat2' 'sendfile64' 'send'
    'sendto' 'sendmsg' 'recv' 'recvfrom' 'recvmsg' 'io_uring_setup' 'io_uring_enter'
    'io_uring_register' 'ptrace'
)

if (( CURRENT == 2 )) {
    # first word after the command name: complete the subcommand
    subcmd=(
        'asm:Assemble bpf text to raw bytes'
        'disasm:Disassemble raw bytes to bpf text'
        'trace:Run program or trace pid, extract bpf filter and then print to text'
        'emu:Emulate bpf program with given syscall and bpf text'
        'probe:Trace the program for the first filter and emulate common syscalls'
        'help:Display ceccomp help information'
        'version:Display ceccomp version'
    )
    _describe 'subcmd' subcmd
    return
} elif (( CURRENT > 2 )) {
    # later words: complete options and arguments of the chosen subcommand
    case $words[2] {
        (asm)
            _arguments \
                $arch_compstr \
                $color_compstr \
                '(-f --fmt)'{-f,--fmt}'[Output format of BPF]:FMT:(raw hexline hexfmt)' \
                '2:BPF:_files' \
                '*: :'
            ;;
        (disasm)
            _arguments \
                $arch_compstr \
                $color_compstr \
                '2:RAW:_files' \
                '*: :'
            ;;
        (trace)
            _arguments -C \
                $color_compstr \
                '(-p --pid)'{-p,--pid}'[Attach to which process to extract its filters]:PID:->getpid' \
                '(-q --quiet)'{-q,--quiet}'[Print warning and error messages only]' \
                '(-s --seize)'{-s,--seize}'[Follow pid to trace load-filter operation (pid mode)]' \
                $output_compstr \
                '*:arguments:_files'
            # complete non-kernel pids like kill
            if [[ $state == 'getpid' ]] {
                local line pids lines
                pids=()
                # extract command output line by line
                lines=("${(@f)$(ps --ppid 2 -p 2 -N -o pid=,tty=,user=,comm=)}")
                for line ($lines) {
                    pids+=${line[(w)1]} # extract first word (pid)
                }
                _wanted nonk-pids expl 'non-kernel process ID' \
                    compadd -o nosort -ld lines -a pids
            }
            ;;
        (probe)
            _arguments -C \
                $color_compstr \
                $output_compstr \
                '(-q --quiet)'{-q,--quiet}'[Print warning and error messages only]' \
                '*:arguments:_files'
            ;;
        (emu)
            _arguments -C \
                $arch_compstr \
                $color_compstr \
                '(-q --quiet)'{-q,--quiet}'[Print return value only]' \
                '2:BPF:_files' \
                ':NR:->syscall_nr' \
                ':ARGV0:->argv0' \
                ':ARGV1:->argv1' \
                ':ARGV2:->argv2' \
                ':ARGV3:->argv3' \
                ':ARGV4:->argv4' \
                ':ARGV5:->argv5' \
                ':IP:->ip' \
                '*: :'
            # positional arguments only get a hint (plus syscall names for NR)
            case $state {
                (syscall_nr)
                    _message -r 'Hint: syscall_nr or syscall_name (to name but a few)'
                    _values SYSCALL $syscalls
                    ;;
                (argv0)
                    _message -r 'Hint: u64 for argv[0]'
                    ;;
                (argv1)
                    _message -r 'Hint: u64 for argv[1]'
                    ;;
                (argv2)
                    _message -r 'Hint: u64 for argv[2]'
                    ;;
                (argv3)
                    _message -r 'Hint: u64 for argv[3]'
                    ;;
                (argv4)
                    _message -r 'Hint: u64 for argv[4]'
                    ;;
                (argv5)
                    _message -r 'Hint: u64 for argv[5]'
                    ;;
                (ip)
                    _message -r 'Hint: u64 for instruction pointer'
                    ;;
            }
            ;;
        (*)
            # help and version have no completion available
            return
            ;;
    }
}