CECCOMP(1)                        Ceccomp Manual                        CECCOMP(1)

NAME
       ceccomp - assemble, disassemble, emulate and trace seccomp (BPF) filters

SYNOPSIS
       ceccomp [FILE] [-q|--quiet] [-f|--format FMT] [-a|--arch ARCH]
               [-p|--pid PID] [-s|--seize] [-o|--output FILE]
               [-c|--color WHEN] ...

DESCRIPTION
       A seccomp filter is a BPF program that is installed with prctl(2) (or
       seccomp(2)) and that the kernel then runs on every syscall the process
       makes. The filter below, shown as RAW BPF bytes on the left and as
       ceccomp TEXT on the right, kills the process when it calls execve and
       allows every other syscall:

           1: 20 00 00 00 00 00 00 00    $A = $syscall_nr
           2: 15 00 00 01 3b 00 00 00    if ($A != execve) goto 4
           3: 06 00 00 00 00 00 00 00    return KILL
           4: 06 00 00 00 00 00 ff 7f    return ALLOW

       ceccomp converts between the two forms (TEXT and RAW BPF), emulates a
       filter for a chosen syscall, and extracts the filters installed by a
       running or newly started program. Each subcommand corresponds to a
       seccomp-tools subcommand: asm, disasm, emu and dump (ceccomp trace).

COMMON OPTIONS
       -c, --color WHEN
              WHEN is auto (the default), never or always. With auto, output
              is colored only when it goes to a tty.

       -a, --arch ARCH
              Architecture used to resolve syscall names and numbers, spelled
              as libseccomp spells it (for example x86_64, where execve is
              59). Defaults to the host architecture.

asm
       ceccomp asm [-c WHEN] [-a ARCH] [-f FMT] [TEXT]

       Assemble TEXT into RAW BPF. TEXT is a file; if it is omitted or given
       as -, the text is read from standard input.

       -f, --format FMT
              Output format of the RAW BPF: hexfmt, hexline or raw.

disasm
       ceccomp disasm [-c WHEN] [-a ARCH] [RAW]

       Disassemble RAW BPF into TEXT, the same form that trace prints. RAW is
       a file, or - for standard input. Syscall numbers are resolved for
       ARCH: on x86_64, 0x3b is printed as execve.

       Note: seccomp-tools disasm prints the same instruction in a different
       layout (see TEXT FORMAT below).

emu
       ceccomp emu [-c WHEN] [-a ARCH] [-q] TEXT SYSCALL_NAME/SYSCALL_NR
                   [ARGS[0] ARGS[1] ... ARGS[5] PC]

       Run the filter in TEXT as if the process had executed
       syscall(SYSCALL_NR, ARGS[0], ARGS[1], ..., ARGS[5]) at program counter
       PC. The syscall may be given by name (execve, resolved for ARCH) or by
       number (59). On x86_64, ARGS[0-5] are rdi, rsi, rdx, r10, r8 and r9,
       and PC is rip; omitted values default to 0.

       -q, --quiet
              Print only the result (for example return KILL).

trace
       ceccomp trace [-c WHEN] [-o FILE] PROGRAM [program-args]
       ceccomp trace [-c WHEN] -p PID [-s]

       In the first form, start PROGRAM with program-args and print every
       seccomp filter it installs as TEXT. In the second form, attach to the
       existing process PID and read its installed filters with
       ptrace(PTRACE_SECCOMP_GET_FILTER).

       -o, --output FILE
              Write the TEXT to FILE instead of standard output (- means
              standard output).

       -p, --pid PID
              Read the filters of the existing process PID instead of
              starting PROGRAM.

       -s, --seize
              Seize PID and keep tracing it the way the PROGRAM form does, so
              that filters the process installs after attaching are printed
              as well (since 4.0).

       -q, --quiet
              Do not print the [INFO] lines about seccomp events (since 4.0).
              Since 3.1, fork, resolve and exit events are also reported as
              INFO lines on stderr; "ceccomp trace -q PROG 2>/dev/null" keeps
              only the filter text.

       Note: reading the filters of PID needs CAP_SYS_ADMIN, and -s needs
       CAP_SYS_PTRACE; run ceccomp with sudo if the current user lacks them.

probe
       ceccomp probe [-c WHEN] [-o FILE] [-q] PROGRAM [program-args]

       Start PROGRAM with program-args as trace does, capture its seccomp
       filter and print the action the filter returns for each syscall, for
       example:

           open -> ALLOW
           read -> ALLOW
           write -> ALLOW
           execve -> KILL
           execveat -> KILL
           mmap -> ALLOW
           mprotect -> ALLOW
           openat -> ALLOW
           sendfile -> ALLOW
           ptrace -> ERRNO(1)
           fork -> ALLOW
TEXT FORMAT
       Since 4.0, # starts a comment in TEXT. The complete grammar is given
       as EBNF at
       https://github.com/dbgbgtf1/Ceccomp/issues/17#issuecomment-3610531705

       ceccomp disasm prints a comment header and, for every instruction, a
       label, the raw CODE JT JF K fields and the TEXT form:

           #Label CODE JT JF K
           #---------------------------------
           L0001: 0x06 0x00 0x00 0x7fff0000 return ALLOW
           #---------------------------------

       A label (letters, digits and _, such as L0001) names a line and can be
       used as a goto target, so "if ($A == 0) goto somewhere" jumps to the
       line labelled "somewhere:". The CODE JT JF K columns that disasm
       prints are ignored by asm, which recomputes CODE, JT, JF and K from
       the TEXT.

       Note: seccomp-tools disasm prints the same instruction in its own
       layout, with a line number instead of a label:

           line CODE JT JF K
           =================================
           0000: 0x06 0x00 0x00 0x7fff0000 return ALLOW

   Registers and loads
       A and X are the two 32-bit BPF registers. The fields of struct
       seccomp_data are loaded into A:

           $A = $arch
           $A = $syscall_nr

       The 64-bit fields are loaded as 32-bit halves, prefixed low_ and
       high_:

           $A = $low_pc
           $A = $high_pc
           $A = $low_args[0]
           $A = $high_args[0]
           ...
           $A = $low_args[5]
           $A = $high_args[5]

       sizeof(struct seccomp_data) can be loaded into A or X:

           $A = $scmp_data_len
           $X = $scmp_data_len

       Scratch memory slots $mem[0] to $mem[0xf] can be loaded into A or X;
       the index may be written in hex or decimal. Immediates may be
       decimal, hex ("0x"), binary ("0b") or octal (leading 0):

           $X = $mem[0]
           $A = $mem[0xf]
           $A = $mem[15] # both hex and dec index are OK
           $A = 0
           $X = 0x3b
           $A = 0b1111
           $A = 0333

   Moves and stores
       A and X can be copied to each other and stored to memory:

           $A = $X
           $X = $A
           $mem[3] = $X
           $mem[0x4] = $A

   Arithmetic
       A is combined with an immediate or with X:

           $A += 30
           $A -= 4
           $A *= 9
           $A /= 1
           $A &= 7
           $A >>= 6
           $A &= $X
           $A |= $X
           $A ^= $X
           $A <<= $X
           $A = -$A

   Jumps
       Unconditional jumps, conditional jumps with one target (the fall-
       through is the next line) and conditional jumps with both targets:

           goto L3
           if ($A == execve) goto L3
           if ($A != 1234) goto L4
           if ($A & $X) goto L5
           if !($A & 7) goto L6
           if ($A <= $X) goto L7
           ......
           if ($A > $X) goto L3, else goto L4
           if ($A >= 4567) goto L5, else goto L6

       A syscall name is resolved for the current ARCH (0x3b is execve on
       x86_64). Prefixing the name with an architecture resolves it for that
       architecture instead, so "if ($A == aarch64.read) goto 5" compares
       against the aarch64 read number even without -a aarch64.

   Returns
       The action may be the value in A or a named action. TRACE, TRAP and
       ERRNO take an optional value in (); the default is (0):

           return $A
           return 0x13371337
           return KILL
           return KILL_PROCESS
           return TRAP(123)
           return ERRNO(0)
           return TRACE
           return TRACE(3)
           return LOG
           return NOTIFY

   Example
       A TEXT filter for amd64 that kills the process on execve and
       execveat and allows everything else:

           $A = $syscall_nr
           if ($A == execve) goto forbid
           if ($A == execveat) goto forbid
           return ALLOW
           forbid:
           return KILL

   Limits
       Ceccomp asm applies the following limits to TEXT:
           1. TEXT must not contain a '\0' byte.
           2. 384
           3. TEXT: 4096
           4. TEXT: 1 MiB
       asm and disasm handle BPF programs of up to 1024 instructions.

       ceccomp asm accepts TEXT that contains ANSI colour escapes such as
       \x1b[31m, so coloured disasm output can be assembled back.

REPORTING BUGS
       Pull Requests and Issues: https://github.com/dbgbgtf1/Ceccomp

COPYRIGHT
       Copyright (C) 2025- ceccomp authors. Licensed under GPLv3.

AUTHORS
       dbgbgtf, RocketDev

ceccomp 4.0                        2026-02-13                          CECCOMP(1)