seccomp-tools 1.1.0 → 1.5.0

data/lib/seccomp-tools/cli/cli.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'seccomp-tools/cli/asm'
 require 'seccomp-tools/cli/disasm'
 require 'seccomp-tools/cli/dump'
@@ -9,9 +11,9 @@ module SeccompTools
   module CLI
     # Handled commands
     COMMANDS = {
-      'dump' => SeccompTools::CLI::Dump,
-      'disasm' => SeccompTools::CLI::Disasm,
       'asm' => SeccompTools::CLI::Asm,
+      'disasm' => SeccompTools::CLI::Disasm,
+      'dump' => SeccompTools::CLI::Dump,
       'emu' => SeccompTools::CLI::Emu
     }.freeze
 
@@ -23,19 +25,19 @@ List of commands:
 
 %COMMANDS
 
-See 'seccomp-tools --help <command>' to read about a specific subcommand.
+See 'seccomp-tools <command> --help' to read about a specific subcommand.
 EOS
 
     module_function
 
-    # Main work method for CLI.
+    # Main working method of CLI.
     # @param [Array<String>] argv
     #   Command line arguments.
     # @return [void]
     # @example
-    #   work(argv: %w[--help])
+    #   work(%w[--help])
     #   #=> # usage message
-    #   work(argv: %w[--version])
+    #   work(%w[--version])
     #   #=> # version message
     def work(argv)
       # all -h equivalent to --help
@@ -51,6 +53,7 @@ EOS
       cmd = argv.shift
       argv = %w[--help] if preoption.include?('--help')
       return show(invalid(cmd)) if COMMANDS[cmd].nil?
+
       COMMANDS[cmd].new(argv).handle
     end
 

data/lib/seccomp-tools/cli/disasm.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'seccomp-tools/cli/base'
 require 'seccomp-tools/disasm/disasm'
 
@@ -6,9 +8,9 @@ module SeccompTools
     # Handle 'disasm' command.
     class Disasm < Base
       # Summary of this command.
-      SUMMARY = 'Disassemble seccomp bpf.'.freeze
+      SUMMARY = 'Disassemble seccomp bpf.'
       # Usage of this command.
-      USAGE = ('disasm - ' + SUMMARY + "\n\n" + 'Usage: seccomp-tools disasm BPF_FILE [options]').freeze
+      USAGE = "disasm - #{SUMMARY}\n\nUsage: seccomp-tools disasm BPF_FILE [options]"
 
       # Define option parser.
       # @return [OptionParser]
@@ -27,8 +29,10 @@ module SeccompTools
       # @return [void]
       def handle
         return unless super
+
         option[:ifile] = argv.shift
         return CLI.show(parser.help) if option[:ifile].nil?
+
         output { SeccompTools::Disasm.disasm(input, arch: option[:arch]) }
       end
     end

data/lib/seccomp-tools/cli/dump.rb

@@ -1,20 +1,27 @@
+# frozen_string_literal: true
+
+require 'shellwords'
+
 require 'seccomp-tools/cli/base'
 require 'seccomp-tools/disasm/disasm'
 require 'seccomp-tools/dumper'
+require 'seccomp-tools/logger'
 
 module SeccompTools
   module CLI
     # Handle 'dump' command.
     class Dump < Base
       # Summary of this command.
-      SUMMARY = 'Automatically dump seccomp bpf from execution file.'.freeze
+      SUMMARY = 'Automatically dump seccomp bpf from execution file(s).'
       # Usage of this command.
-      USAGE = ('dump - ' + SUMMARY + "\n\n" + 'Usage: seccomp-tools dump [exec] [options]').freeze
+      USAGE = "dump - #{SUMMARY}\nNOTE : This function is only available on Linux." \
+              "\n\nUsage: seccomp-tools dump [exec] [options]"
 
       def initialize(*)
         super
         option[:format] = :disasm
         option[:limit] = 1
+        option[:pid] = nil
       end
 
       # Define option parser.
@@ -23,7 +30,8 @@ module SeccompTools
         @parser ||= OptionParser.new do |opt|
           opt.banner = usage
           opt.on('-c', '--sh-exec <command>', 'Executes the given command (via sh).',
-                 'Use this option if want to pass arguments or do pipe things to the execution file.') do |command|
+                 'Use this option if want to pass arguments or do pipe things to the execution file.',
+                 'e.g. use `-c "./bin > /dev/null"` to dump seccomp without being mixed with stdout.') do |command|
             option[:command] = command
           end
 
@@ -45,21 +53,44 @@ module SeccompTools
                  'For example, "--output out.bpf" and the output files are out.bpf, out_1.bpf, ...') do |o|
                    option[:ofile] = o
                  end
+
+          opt.on('-p', '--pid PID', 'Dump installed seccomp filters of the existing process.',
+                 'You must have CAP_SYS_ADMIN (e.g. be root) in order to use this option.',
+                 Integer) do |p|
+            option[:pid] = p
+          end
         end
       end
 
       # Handle options.
       # @return [void]
       def handle
+        return Logger.error('Dump is only available on Linux.') unless Dumper::SUPPORTED
         return unless super
-        option[:command] = argv.shift unless argv.empty?
-        SeccompTools::Dumper.dump('/bin/sh', '-c', option[:command], limit: option[:limit]) do |bpf, arch|
+
+        block = lambda do |bpf, arch|
           case option[:format]
-          when :inspect then output { '"' + bpf.bytes.map { |b| format('\\x%02X', b) }.join + "\"\n" }
+          when :inspect then output { "\"#{bpf.bytes.map { |b| format('\\x%02X', b) }.join}\"\n" }
           when :raw then output { bpf }
           when :disasm then output { SeccompTools::Disasm.disasm(bpf, arch: arch) }
           end
         end
+        if option[:pid].nil?
+          option[:command] = argv.shift unless argv.empty?
+          SeccompTools::Dumper.dump('/bin/sh', '-c', option[:command], limit: option[:limit], &block)
+        else
+          begin
+            SeccompTools::Dumper.dump_by_pid(option[:pid], option[:limit], &block)
+          rescue Errno::EPERM, Errno::EACCES => e
+            Logger.error(<<~EOS)
+            #{e}
+            PTRACE_SECCOMP_GET_FILTER requires CAP_SYS_ADMIN
+            Try:
+                sudo env "PATH=$PATH" #{(%w[seccomp-tools] + ARGV).shelljoin}
+            EOS
+            exit(1)
+          end
+        end
       end
     end
   end

data/lib/seccomp-tools/cli/emu.rb

@@ -1,6 +1,9 @@
+# frozen_string_literal: true
+
 require 'set'
 
 require 'seccomp-tools/cli/base'
+require 'seccomp-tools/const'
 require 'seccomp-tools/disasm/disasm'
 require 'seccomp-tools/emulator'
 require 'seccomp-tools/util'
@@ -10,12 +13,9 @@ module SeccompTools
     # Handle 'emu' command.
     class Emu < Base
       # Summary of this command.
-      SUMMARY = 'Emulate seccomp rules.'.freeze
+      SUMMARY = 'Emulate seccomp rules.'
       # Usage of this command.
-      USAGE = ('emu - ' +
-               SUMMARY +
-               "\n\n" \
-               'Usage: seccomp-tools emu [options] BPF_FILE [sys_nr [arg0 [arg1 ... arg5]]]').freeze
+      USAGE = "emu - #{SUMMARY}\n\nUsage: seccomp-tools emu [options] BPF_FILE [sys_nr [arg0 [arg1 ... arg5]]]"
 
       def initialize(*)
         super
@@ -40,13 +40,14 @@ module SeccompTools
       # @return [void]
       def handle
         return unless super
+
         option[:ifile] = argv.shift
         return CLI.show(parser.help) if option[:ifile].nil?
+
         raw = input
         insts = SeccompTools::Disasm.to_bpf(raw, option[:arch]).map(&:inst)
-        disasm = SeccompTools::Disasm.disasm(raw, arch: option[:arch])
         sys, *args = argv
-        sys = Integer(sys) if sys
+        sys = evaluate_sys_nr(sys) if sys
         args.map! { |v| Integer(v) }
         trace = Set.new
         res = SeccompTools::Emulator.new(insts, sys_nr: sys, args: args, arch: option[:arch]).run do |ctx|
@@ -54,26 +55,44 @@ module SeccompTools
         end
 
         if option[:verbose] >= 1
-          disasm = disasm.lines
-          output { disasm.shift }
-          output { disasm.shift }
-          disasm.each_with_index do |line, idx|
-            output do
-              next line if trace.member?(idx)
-              Util.colorize(line, t: :gray)
-            end
-            # Too much remain, omit them.
-            rem = disasm.size - idx - 1
-            break output { Util.colorize("... (omitting #{rem} lines)\n", t: :gray) } if rem > 3 && idx > res[:pc] + 4
-          end
-          output { "\n" }
+          disasm = SeccompTools::Disasm.disasm(raw, arch: option[:arch]).lines
+          output_emulate_path(disasm, trace, res)
         end
         output do
-          ret_type = Const::BPF::ACTION.invert[res[:ret] & 0x7fff0000]
-          errno = ret_type == :ERRNO ? "(#{res[:ret] & 0xffff})" : ''
+          ret_type = Const::BPF::ACTION.invert[res[:ret] & Const::BPF::SECCOMP_RET_ACTION_FULL]
+          errno = ret_type == :ERRNO ? "(#{res[:ret] & Const::BPF::SECCOMP_RET_DATA})" : ''
           format("return %s%s at line %04d\n", ret_type, errno, res[:pc])
         end
       end
+
+      private
+
+      # @param [String] str
+      # @return [Integer]
+      def evaluate_sys_nr(str)
+        consts = SeccompTools::Const::Syscall.const_get(option[:arch].to_s.upcase)
+        consts[str.to_sym] || Integer(str)
+      end
+
+      # output the path during emulation
+      # @param [Array<String>] disasm
+      # @param [Set] trace
+      # @param [{Symbol => Object}] result
+      def output_emulate_path(disasm, trace, result)
+        output { disasm.shift }
+        output { disasm.shift }
+        disasm.each_with_index do |line, idx|
+          output do
+            next line if trace.member?(idx)
+
+            Util.colorize(line, t: :gray)
+          end
+          # Too much remain, omit them.
+          rem = disasm.size - idx - 1
+          break output { Util.colorize("... (omitting #{rem} lines)\n", t: :gray) } if rem > 3 && idx > result[:pc] + 4
+        end
+        output { "\n" }
+      end
     end
   end
 end

data/lib/seccomp-tools/const.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module SeccompTools
   # Define constant values.
   module Const
@@ -12,24 +14,34 @@ module SeccompTools
       # filter mode
       SECCOMP_MODE_FILTER = 2
 
+      # For syscall +seccomp+
+      SECCOMP_SET_MODE_FILTER = 1
+
+      # Masks for the return value sections.
+
+      # mask of return action
+      SECCOMP_RET_ACTION_FULL = 0xffff0000
+      # mask of return data
+      SECCOMP_RET_DATA = 0x0000ffff
+
       # bpf command classes
       COMMAND = {
-        ld:   0x0,
-        ldx:  0x1,
-        st:   0x2,
-        stx:  0x3,
-        alu:  0x4,
-        jmp:  0x5,
-        ret:  0x6,
+        ld: 0x0,
+        ldx: 0x1,
+        st: 0x2,
+        stx: 0x3,
+        alu: 0x4,
+        jmp: 0x5,
+        ret: 0x6,
         misc: 0x7
       }.freeze
 
       # types in jmp command
       JMP = {
-        ja:   0x00,
-        jeq:  0x10,
-        jgt:  0x20,
-        jge:  0x30,
+        ja: 0x00,
+        jeq: 0x10,
+        jgt: 0x20,
+        jge: 0x30,
         jset: 0x40
       }.freeze
 
@@ -42,9 +54,13 @@ module SeccompTools
 
       # seccomp action values
       ACTION = {
-        KILL:  0x00000000,
-        TRAP:  0x00030000,
+        KILL_PROCESS: 0x80000000,
+        KILL_THREAD: 0x00000000,
+        KILL: 0x00000000, # alias of KILL_THREAD
+        TRAP: 0x00030000,
         ERRNO: 0x00050000,
+        USER_NOTIF: 0x7fc00000,
+        LOG: 0x7ffc0000,
         TRACE: 0x7ff00000,
         ALLOW: 0x7fff0000
       }.freeze
@@ -65,7 +81,7 @@ module SeccompTools
         sub: 0x10,
         mul: 0x20,
         div: 0x30,
-        or:  0x40,
+        or: 0x40,
         and: 0x50,
         lsh: 0x60,
         rsh: 0x70,
@@ -101,18 +117,33 @@ module SeccompTools
       # @return [Object]
       def load_const(cons)
         arch = cons.to_s.downcase
-        filename = File.join(__dir__, 'consts', "#{arch}.rb")
+        filename = File.join(__dir__, 'consts', 'sys_nr', "#{arch}.rb")
         return unless File.exist?(filename)
+
         const_set(cons, instance_eval(IO.read(filename)))
       end
+
+      def load_args
+        hash = instance_eval(IO.read(File.join(__dir__, 'consts', 'sys_arg.rb')))
+        Hash.new do |_h, k|
+          next hash[k] if hash[k]
+          next hash[k.to_s[4..-1].to_sym] if k.to_s.start_with?('x32_')
+
+          nil
+        end
+      end
     end
 
+    # The argument names of all syscalls.
+    SYS_ARG = Syscall.load_args.freeze
+
     # Constants from https://github.com/torvalds/linux/blob/master/include/uapi/linux/audit.h.
     module Audit
       # AUDIT_ARCH_*
       ARCH = {
         'ARCH_X86_64' => 0xc000003e,
-        'ARCH_I386' => 0x40000003
+        'ARCH_I386' => 0x40000003,
+        'ARCH_AARCH64' => 0xc00000b7
       }.freeze
     end
   end

data/lib/seccomp-tools/consts/sys_arg.rb

@@ -0,0 +1,432 @@
+# frozen_string_literal: true
+
+# Generated by `bundle exec rake sys_arg`
+
+{
+  io_setup: %w[nr_reqs ctx],
+  io_destroy: %w[ctx],
+  io_cancel: %w[ctx_id iocb result],
+  io_getevents: %w[ctx_id min_nr nr events timeout],
+  io_getevents_time32: %w[ctx_id min_nr nr events timeout],
+  io_pgetevents: %w[ctx_id min_nr nr events timeout sig],
+  io_pgetevents_time32: %w[ctx_id min_nr nr events timeout sig],
+  io_uring_setup: %w[entries p],
+  io_uring_enter: %w[fd to_submit min_complete flags sig sigsz],
+  io_uring_register: %w[fd op arg nr_args],
+  setxattr: %w[path name value size flags],
+  lsetxattr: %w[path name value size flags],
+  fsetxattr: %w[fd name value size flags],
+  getxattr: %w[path name value size],
+  lgetxattr: %w[path name value size],
+  fgetxattr: %w[fd name value size],
+  listxattr: %w[path list size],
+  llistxattr: %w[path list size],
+  flistxattr: %w[fd list size],
+  removexattr: %w[path name],
+  lremovexattr: %w[path name],
+  fremovexattr: %w[fd name],
+  getcwd: %w[buf size],
+  lookup_dcookie: %w[cookie64 buf len],
+  eventfd2: %w[count flags],
+  epoll_create1: %w[flags],
+  epoll_ctl: %w[epfd op fd event],
+  epoll_pwait: %w[epfd events maxevents timeout sigmask sigsetsize],
+  dup: %w[fildes],
+  dup3: %w[oldfd newfd flags],
+  fcntl: %w[fd cmd arg],
+  fcntl64: %w[fd cmd arg],
+  inotify_init1: %w[flags],
+  inotify_add_watch: %w[fd path mask],
+  inotify_rm_watch: %w[fd wd],
+  ioctl: %w[fd cmd arg],
+  ioprio_set: %w[which who ioprio],
+  ioprio_get: %w[which who],
+  flock: %w[fd cmd],
+  mknodat: %w[dfd filename mode dev],
+  mkdirat: %w[dfd pathname mode],
+  unlinkat: %w[dfd pathname flag],
+  symlinkat: %w[oldname newdfd newname],
+  linkat: %w[olddfd oldname newdfd newname flags],
+  renameat: %w[olddfd oldname newdfd newname],
+  umount: %w[name flags],
+  mount: %w[dev_name dir_name type flags data],
+  pivot_root: %w[new_root put_old],
+  statfs: %w[path buf],
+  statfs64: %w[path sz buf],
+  fstatfs: %w[fd buf],
+  fstatfs64: %w[fd sz buf],
+  truncate: %w[path length],
+  ftruncate: %w[fd length],
+  truncate64: %w[path length],
+  ftruncate64: %w[fd length],
+  fallocate: %w[fd mode offset len],
+  faccessat: %w[dfd filename mode],
+  chdir: %w[filename],
+  fchdir: %w[fd],
+  chroot: %w[filename],
+  fchmod: %w[fd mode],
+  fchmodat: %w[dfd filename mode],
+  fchownat: %w[dfd filename user group flag],
+  fchown: %w[fd user group],
+  openat: %w[dfd filename flags mode],
+  close: %w[fd],
+  vhangup: %w[],
+  pipe2: %w[fildes flags],
+  quotactl: %w[cmd special id addr],
+  getdents64: %w[fd dirent count],
+  llseek: %w[fd offset_high offset_low result whence],
+  lseek: %w[fd offset whence],
+  read: %w[fd buf count],
+  write: %w[fd buf count],
+  readv: %w[fd vec vlen],
+  writev: %w[fd vec vlen],
+  pread64: %w[fd buf count pos],
+  pwrite64: %w[fd buf count pos],
+  preadv: %w[fd vec vlen pos_l pos_h],
+  pwritev: %w[fd vec vlen pos_l pos_h],
+  sendfile64: %w[out_fd in_fd offset count],
+  signalfd4: %w[ufd user_mask sizemask flags],
+  vmsplice: %w[fd iov nr_segs flags],
+  splice: %w[fd_in off_in fd_out off_out len flags],
+  tee: %w[fdin fdout len flags],
+  readlinkat: %w[dfd path buf bufsiz],
+  newfstatat: %w[dfd filename statbuf flag],
+  newfstat: %w[fd statbuf],
+  fstat64: %w[fd statbuf],
+  fstatat64: %w[dfd filename statbuf flag],
+  sync: %w[],
+  fsync: %w[fd],
+  fdatasync: %w[fd],
+  sync_file_range2: %w[fd flags offset nbytes],
+  sync_file_range: %w[fd offset nbytes flags],
+  timerfd_create: %w[clockid flags],
+  timerfd_settime: %w[ufd flags utmr otmr],
+  timerfd_gettime: %w[ufd otmr],
+  timerfd_gettime32: %w[ufd otmr],
+  timerfd_settime32: %w[ufd flags utmr otmr],
+  utimensat: %w[dfd filename utimes flags],
+  utimensat_time32: %w[dfd filename t flags],
+  acct: %w[name],
+  capget: %w[header dataptr],
+  capset: %w[header data],
+  personality: %w[personality],
+  exit: %w[error_code],
+  exit_group: %w[error_code],
+  waitid: %w[which pid infop options ru],
+  set_tid_address: %w[tidptr],
+  unshare: %w[unshare_flags],
+  futex: %w[uaddr op val utime uaddr2 val3],
+  futex_time32: %w[uaddr op val utime uaddr2 val3],
+  get_robust_list: %w[pid head_ptr len_ptr],
+  set_robust_list: %w[head len],
+  nanosleep: %w[rqtp rmtp],
+  nanosleep_time32: %w[rqtp rmtp],
+  getitimer: %w[which value],
+  setitimer: %w[which value ovalue],
+  kexec_load: %w[entry nr_segments segments flags],
+  init_module: %w[umod len uargs],
+  delete_module: %w[name_user flags],
+  timer_create: %w[which_clock timer_event_spec created_timer_id],
+  timer_gettime: %w[timer_id setting],
+  timer_getoverrun: %w[timer_id],
+  timer_settime: %w[timer_id flags new_setting old_setting],
+  timer_delete: %w[timer_id],
+  clock_settime: %w[which_clock tp],
+  clock_gettime: %w[which_clock tp],
+  clock_getres: %w[which_clock tp],
+  clock_nanosleep: %w[which_clock flags rqtp rmtp],
+  timer_gettime32: %w[timer_id setting],
+  timer_settime32: %w[timer_id flags new old],
+  clock_settime32: %w[which_clock tp],
+  clock_gettime32: %w[which_clock tp],
+  clock_getres_time32: %w[which_clock tp],
+  clock_nanosleep_time32: %w[which_clock flags rqtp rmtp],
+  syslog: %w[type buf len],
+  ptrace: %w[request pid addr data],
+  sched_setparam: %w[pid param],
+  sched_setscheduler: %w[pid policy param],
+  sched_getscheduler: %w[pid],
+  sched_getparam: %w[pid param],
+  sched_setaffinity: %w[pid len user_mask_ptr],
+  sched_getaffinity: %w[pid len user_mask_ptr],
+  sched_yield: %w[],
+  sched_get_priority_max: %w[policy],
+  sched_get_priority_min: %w[policy],
+  sched_rr_get_interval: %w[pid interval],
+  sched_rr_get_interval_time32: %w[pid interval],
+  restart_syscall: %w[],
+  kill: %w[pid sig],
+  tkill: %w[pid sig],
+  tgkill: %w[tgid pid sig],
+  sigaltstack: %w[uss uoss],
+  rt_sigsuspend: %w[unewset sigsetsize],
+  rt_sigprocmask: %w[how set oset sigsetsize],
+  rt_sigpending: %w[set sigsetsize],
+  rt_sigtimedwait: %w[uthese uinfo uts sigsetsize],
+  rt_sigtimedwait_time32: %w[uthese uinfo uts sigsetsize],
+  rt_sigqueueinfo: %w[pid sig uinfo],
+  setpriority: %w[which who niceval],
+  getpriority: %w[which who],
+  reboot: %w[magic1 magic2 cmd arg],
+  setregid: %w[rgid egid],
+  setgid: %w[gid],
+  setreuid: %w[ruid euid],
+  setuid: %w[uid],
+  setresuid: %w[ruid euid suid],
+  getresuid: %w[ruid euid suid],
+  setresgid: %w[rgid egid sgid],
+  getresgid: %w[rgid egid sgid],
+  setfsuid: %w[uid],
+  setfsgid: %w[gid],
+  times: %w[tbuf],
+  setpgid: %w[pid pgid],
+  getpgid: %w[pid],
+  getsid: %w[pid],
+  setsid: %w[],
+  getgroups: %w[gidsetsize grouplist],
+  setgroups: %w[gidsetsize grouplist],
+  newuname: %w[name],
+  sethostname: %w[name len],
+  setdomainname: %w[name len],
+  getrlimit: %w[resource rlim],
+  setrlimit: %w[resource rlim],
+  getrusage: %w[who ru],
+  umask: %w[mask],
+  prctl: %w[option arg2 arg3 arg4 arg5],
+  getcpu: %w[cpu node cache],
+  gettimeofday: %w[tv tz],
+  settimeofday: %w[tv tz],
+  adjtimex: %w[txc_p],
+  adjtimex_time32: %w[txc_p],
+  getpid: %w[],
+  getppid: %w[],
+  getuid: %w[],
+  geteuid: %w[],
+  getgid: %w[],
+  getegid: %w[],
+  gettid: %w[],
+  sysinfo: %w[info],
+  mq_open: %w[name oflag mode attr],
+  mq_unlink: %w[name],
+  mq_timedsend: %w[mqdes msg_ptr msg_len msg_prio abs_timeout],
+  mq_timedreceive: %w[mqdes msg_ptr msg_len msg_prio abs_timeout],
+  mq_notify: %w[mqdes notification],
+  mq_getsetattr: %w[mqdes mqstat omqstat],
+  mq_timedreceive_time32: %w[mqdes u_msg_ptr msg_len u_msg_prio u_abs_timeout],
+  mq_timedsend_time32: %w[mqdes u_msg_ptr msg_len msg_prio u_abs_timeout],
+  msgget: %w[key msgflg],
+  old_msgctl: %w[msqid cmd buf],
+  msgctl: %w[msqid cmd buf],
+  msgrcv: %w[msqid msgp msgsz msgtyp msgflg],
+  msgsnd: %w[msqid msgp msgsz msgflg],
+  semget: %w[key nsems semflg],
+  semctl: %w[semid semnum cmd arg],
+  old_semctl: %w[semid semnum cmd arg],
+  semtimedop: %w[semid sops nsops timeout],
+  semtimedop_time32: %w[semid sops nsops timeout],
+  semop: %w[semid sops nsops],
+  shmget: %w[key size flag],
+  old_shmctl: %w[shmid cmd buf],
+  shmctl: %w[shmid cmd buf],
+  shmat: %w[shmid shmaddr shmflg],
+  shmdt: %w[shmaddr],
+  setsockopt: %w[fd level optname optval optlen],
+  getsockopt: %w[fd level optname optval optlen],
+  sendmsg: %w[fd msg flags],
+  recvmsg: %w[fd msg flags],
+  readahead: %w[fd offset count],
+  brk: %w[brk],
+  munmap: %w[addr len],
+  mremap: %w[addr old_len new_len flags new_addr],
+  add_key: %w[_type _description _payload plen destringid],
+  request_key: %w[_type _description _callout_info destringid],
+  keyctl: %w[cmd arg2 arg3 arg4 arg5],
+  execve: %w[filename argv envp],
+  fadvise64_64: %w[fd offset len advice],
+  swapon: %w[specialfile swap_flags],
+  swapoff: %w[specialfile],
+  mprotect: %w[start len prot],
+  msync: %w[start len flags],
+  mlock: %w[start len],
+  munlock: %w[start len],
+  mlockall: %w[flags],
+  munlockall: %w[],
+  mincore: %w[start len vec],
+  madvise: %w[start len behavior],
+  remap_file_pages: %w[start size prot pgoff flags],
+  mbind: %w[start len mode nmask maxnode flags],
+  get_mempolicy: %w[policy nmask maxnode addr flags],
+  set_mempolicy: %w[mode nmask maxnode],
+  migrate_pages: %w[pid maxnode from to],
+  move_pages: %w[pid nr_pages pages nodes status flags],
+  rt_tgsigqueueinfo: %w[tgid pid sig uinfo],
+  perf_event_open: %w[attr_uptr pid cpu group_fd flags],
+  recvmmsg: %w[fd msg vlen flags timeout],
+  recvmmsg_time32: %w[fd msg vlen flags timeout],
+  wait4: %w[pid stat_addr options ru],
+  prlimit64: %w[pid resource new_rlim old_rlim],
+  fanotify_init: %w[flags event_f_flags],
+  fanotify_mark: %w[fanotify_fd flags mask fd pathname],
+  name_to_handle_at: %w[dfd name handle mnt_id flag],
+  open_by_handle_at: %w[mountdirfd handle flags],
+  clock_adjtime: %w[which_clock tx],
+  clock_adjtime32: %w[which_clock tx],
+  syncfs: %w[fd],
+  setns: %w[fd nstype],
+  sendmmsg: %w[fd msg vlen flags],
+  process_vm_readv: %w[pid lvec liovcnt rvec riovcnt flags],
+  process_vm_writev: %w[pid lvec liovcnt rvec riovcnt flags],
+  kcmp: %w[pid1 pid2 type idx1 idx2],
+  finit_module: %w[fd uargs flags],
+  sched_setattr: %w[pid attr flags],
+  sched_getattr: %w[pid attr size flags],
+  renameat2: %w[olddfd oldname newdfd newname flags],
+  seccomp: %w[op flags uargs],
+  getrandom: %w[buf count flags],
+  memfd_create: %w[uname_ptr flags],
+  bpf: %w[cmd attr size],
+  execveat: %w[dfd filename argv envp flags],
+  userfaultfd: %w[flags],
+  membarrier: %w[cmd flags],
+  mlock2: %w[start len flags],
+  copy_file_range: %w[fd_in off_in fd_out off_out len flags],
+  preadv2: %w[fd vec vlen pos_l pos_h flags],
+  pwritev2: %w[fd vec vlen pos_l pos_h flags],
+  pkey_mprotect: %w[start len prot pkey],
+  pkey_alloc: %w[flags init_val],
+  pkey_free: %w[pkey],
+  statx: %w[dfd path flags mask buffer],
+  rseq: %w[rseq rseq_len flags sig],
+  open_tree: %w[dfd path flags],
+  move_mount: %w[from_dfd from_path to_dfd to_path ms_flags],
+  fsopen: %w[fs_name flags],
+  fsconfig: %w[fs_fd cmd key value aux],
+  fsmount: %w[fs_fd flags ms_flags],
+  fspick: %w[dfd path flags],
+  pidfd_send_signal: %w[pidfd sig info flags],
+  ioperm: %w[from num on],
+  pciconfig_read: %w[bus dfn off len buf],
+  pciconfig_write: %w[bus dfn off len buf],
+  pciconfig_iobase: %w[which bus devfn],
+  spu_run: %w[fd unpc ustatus],
+  spu_create: %w[name flags mode fd],
+  open: %w[filename flags mode],
+  link: %w[oldname newname],
+  unlink: %w[pathname],
+  mknod: %w[filename mode dev],
+  chmod: %w[filename mode],
+  chown: %w[filename user group],
+  mkdir: %w[pathname mode],
+  rmdir: %w[pathname],
+  lchown: %w[filename user group],
+  access: %w[filename mode],
+  rename: %w[oldname newname],
+  symlink: %w[old new],
+  stat64: %w[filename statbuf],
+  lstat64: %w[filename statbuf],
+  pipe: %w[fildes],
+  dup2: %w[oldfd newfd],
+  epoll_create: %w[size],
+  inotify_init: %w[],
+  eventfd: %w[count],
+  signalfd: %w[ufd user_mask sizemask],
+  sendfile: %w[out_fd in_fd offset count],
+  newstat: %w[filename statbuf],
+  newlstat: %w[filename statbuf],
+  fadvise64: %w[fd offset len advice],
+  alarm: %w[seconds],
+  getpgrp: %w[],
+  pause: %w[],
+  time: %w[tloc],
+  time32: %w[tloc],
+  utime: %w[filename times],
+  utimes: %w[filename utimes],
+  futimesat: %w[dfd filename utimes],
+  futimesat_time32: %w[dfd filename t],
+  utime32: %w[filename t],
+  utimes_time32: %w[filename t],
+  creat: %w[pathname mode],
+  getdents: %w[fd dirent count],
+  select: %w[n inp outp exp tvp],
+  poll: %w[ufds nfds timeout],
+  epoll_wait: %w[epfd events maxevents timeout],
+  ustat: %w[dev ubuf],
+  vfork: %w[],
+  bdflush: %w[func data],
+  oldumount: %w[name],
+  uselib: %w[library],
+  sysctl: %w[args],
+  sysfs: %w[option arg1 arg2],
+  fork: %w[],
+  stime: %w[tptr],
+  stime32: %w[tptr],
+  sigpending: %w[uset],
+  sigprocmask: %w[how set oset],
+  sgetmask: %w[],
+  ssetmask: %w[newmask],
+  signal: %w[sig handler],
+  nice: %w[increment],
+  kexec_file_load: %w[kernel_fd initrd_fd cmdline_len cmdline_ptr flags],
+  waitpid: %w[pid stat_addr options],
+  chown16: %w[filename user group],
+  lchown16: %w[filename user group],
+  fchown16: %w[fd user group],
+  setregid16: %w[rgid egid],
+  setgid16: %w[gid],
+  setreuid16: %w[ruid euid],
+  setuid16: %w[uid],
+  setresuid16: %w[ruid euid suid],
+  getresuid16: %w[ruid euid suid],
+  setresgid16: %w[rgid egid sgid],
+  getresgid16: %w[rgid egid sgid],
+  setfsuid16: %w[uid],
+  setfsgid16: %w[gid],
+  getgroups16: %w[gidsetsize grouplist],
+  setgroups16: %w[gidsetsize grouplist],
+  getuid16: %w[],
+  geteuid16: %w[],
+  getgid16: %w[],
+  getegid16: %w[],
+  socketcall: %w[call args],
+  stat: %w[filename statbuf],
+  lstat: %w[filename statbuf],
+  fstat: %w[fd statbuf],
+  readlink: %w[path buf bufsiz],
+  old_select: %w[arg],
+  gethostname: %w[name len],
+  old_getrlimit: %w[resource rlim],
+  ipc: %w[call first second third ptr fifth],
+  mmap_pgoff: %w[addr len prot flags fd pgoff],
+  old_mmap: %w[arg],
+  ni_syscall: %w[],
+  io_submit: %w[ctx_id nr iocbpp],
+  pselect6: %w[n inp outp exp tsp sig],
+  pselect6_time32: %w[n inp outp exp tsp sig],
+  ppoll: %w[ufds nfds tsp sigmask sigsetsize],
+  ppoll_time32: %w[ufds nfds tsp sigmask sigsetsize],
+  rt_sigaction: %w[sig act oact sigsetsize],
+  socket: %w[family type protocol],
+  socketpair: %w[family type protocol usockvec],
+  bind: %w[fd umyaddr addrlen],
+  listen: %w[fd backlog],
+  accept: %w[fd upeer_sockaddr upeer_addrlen],
+  connect: %w[fd uservaddr addrlen],
+  getsockname: %w[fd usockaddr usockaddr_len],
+  getpeername: %w[fd usockaddr usockaddr_len],
+  sendto: %w[fd buff len flags addr addrlen],
+  recvfrom: %w[fd ubuf len flags addr addrlen],
+  shutdown: %w[fd how],
+  clone: %w[clone_flags newsp parent_tidptr child_tidptr tls],
+  accept4: %w[fd upeer_sockaddr upeer_addrlen flags],
+  recv: %w[fd ubuf len flags],
+  send: %w[fd buff len flags],
+  sigaction: %w[sig act oact],
+  old_readdir: %w[fd dirent count],
+  uname: %w[name],
+  olduname: %w[name],
+  arch_prctl: %w[code addr],
+  mmap: %w[addr len prot flags fd pgoff],
+  _llseek: %w[fd offset_high offset_low result whence],
+  _sysctl: %w[args],
+  _newselect: %w[n inp outp exp tvp]
+}