bpf

prctl(PR_SET_NO_NEW_PRIVS,1,0,0,0);
prctl(PR_SET_SECCOMP,1,0);
Strict mode (SECCOMP_MODE_STRICT): creates a sandbox in which only read, write, _exit and sigreturn are permitted; any other syscall kills the process with SIGKILL.
prctl(PR_SET_NO_NEW_PRIVS,1,0,0,0);
prctl(PR_SET_SECCOMP,2,&code);
Filter mode (SECCOMP_MODE_FILTER): code is a struct sock_fprog whose first field is the instruction count (len) and whose second field points to the instruction array (struct sock_filter *filter). Creates a custom sandbox. PR_SET_NO_NEW_PRIVS has to be set first (unless the caller has CAP_SYS_ADMIN), otherwise PR_SET_SECCOMP fails with EACCES.

seccomp-tools

从Linux SECCOMP手册页:

SECCOMP_RET_ERRNO
This value results in the SECCOMP_RET_DATA portion of the filter's return value being passed to user space as the errno value without executing the system call.
seccomp-tools dump spec/binary/twctf-2016-diary
dump the sandbox (runs the binary under ptrace and records the filter it installs)
seccomp-tools disasm spec/data/twctf-2016-diary.bpf
disassemble a raw filter
seccomp-tools asm spec/data/libseccomp.asm -f raw | seccomp-tools disasm -
assemble (-f raw emits raw bytecode, which is piped back into disasm to check the result)
# line CODE JT JF K
# =================================
# 0000: 0x20 0x00 0x00 0x00000000 A = sys_number
# 0001: 0x15 0x00 0x01 0x00000002 if (A != open) goto 0003
# 0002: 0x06 0x00 0x00 0x00000000 return KILL
# 0003: 0x15 0x00 0x01 0x00000101 if (A != openat) goto 0005
# 0004: 0x06 0x00 0x00 0x00000000 return KILL
# 0005: 0x15 0x00 0x01 0x0000003b if (A != execve) goto 0007
# 0006: 0x06 0x00 0x00 0x00000000 return KILL
# 0007: 0x15 0x00 0x01 0x00000038 if (A != clone) goto 0009
# 0008: 0x06 0x00 0x00 0x00000000 return KILL
# 0009: 0x15 0x00 0x01 0x00000039 if (A != fork) goto 0011
# 0010: 0x06 0x00 0x00 0x00000000 return KILL
# 0011: 0x15 0x00 0x01 0x0000003a if (A != vfork) goto 0013
# 0012: 0x06 0x00 0x00 0x00000000 return KILL
# 0013: 0x15 0x00 0x01 0x00000055 if (A != creat) goto 0015
# 0014: 0x06 0x00 0x00 0x00000000 return KILL
# 0015: 0x15 0x00 0x01 0x00000142 if (A != execveat) goto 0017
# 0016: 0x06 0x00 0x00 0x00000000 return KILL
# 0017: 0x06 0x00 0x00 0x7fff0000 return ALLOW
CODE is the opcode, JT is the relative jump taken when the comparison is true, JF the relative jump taken when it is false, and K is the immediate operand (a constant such as a syscall number, or, for loads, an offset into struct seccomp_data). In the return lines, 0x00000000 is SECCOMP_RET_KILL and 0x7fff0000 is SECCOMP_RET_ALLOW.
arch is the architecture (AUDIT_ARCH_*), sys_number is the syscall number, and args[0]..args[5] are the syscall arguments; all of them are fields of struct seccomp_data that the filter loads into A. Note that the filter above never checks arch: on x86-64 a 32-bit compat syscall (int 0x80) uses different syscall numbers, so a blacklist keyed only on sys_number can be bypassed that way.
A = sys_number
A != open ? ok : next
A = args[0]
A &= 0xff
A == 0x64 ? ok : next
return ERRNO
ok:
return ALLOW
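The same filter written out with the kernel's BPF_STMT/BPF_JUMP macros, added here as an example (this is not code from the original page or from seccomp-tools). It assumes x86-64 syscall numbering (open = 2, as in the listing above) and adds an arch check in front, which the listing lacks. It also includes a small cBPF interpreter covering just the opcodes the filter uses, so the decision for a constructed struct seccomp_data can be checked in user space before the filter is installed with the two prctl calls from the top of the page.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

#ifndef SECCOMP_RET_KILL_PROCESS      /* older uapi headers */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#define NR_OPEN_X86_64 2              /* open's number in the listing above (x86-64) */

/* The assembler listing above as a cBPF program, plus an arch check in front
   so that 32-bit compat syscall numbers cannot slip through. */
static struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* A = sys_number; A != open ? ok : next  (jf=4 skips to the ALLOW) */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_OPEN_X86_64, 0, 4),
    /* A = args[0] (low 32 bits, little-endian); A &= 0xff; A == 0x64 ? ok : next */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
    BPF_STMT(BPF_ALU | BPF_AND | BPF_K, 0xff),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x64, 1, 0),
    /* return ERRNO: the syscall is not executed, the caller sees errno = EACCES */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
    /* ok: return ALLOW */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define FILTER_LEN (sizeof filter / sizeof filter[0])

/* Minimal cBPF interpreter for the opcodes used above. Unknown opcodes and
   out-of-range loads fail closed, as the kernel verifier would reject them. */
static uint32_t eval_filter(const struct sock_filter *prog, size_t len,
                            const struct seccomp_data *d)
{
    uint32_t A = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k % 4 || in->k + sizeof A > sizeof *d)
                return SECCOMP_RET_KILL_PROCESS;
            memcpy(&A, (const char *)d + in->k, sizeof A);
            break;
        case BPF_ALU | BPF_AND | BPF_K:
            A &= in->k;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (A == in->k) ? in->jt : in->jf;   /* relative jumps, loop adds 1 */
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;   /* fell off the end */
}

/* Decision for one (arch, syscall number, first argument) triple. */
static uint32_t decide(uint32_t arch, int nr, uint64_t arg0)
{
    struct seccomp_data d = { .nr = nr, .arch = arch, .args = { arg0 } };
    return eval_filter(filter, FILTER_LEN, &d);
}

/* The two prctl calls from the top of the page, with this filter. */
static int install_filter(void)
{
    struct sock_fprog prog = { .len = FILTER_LEN, .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    printf("open, arg0&0xff==0x64 -> 0x%08x\n", decide(AUDIT_ARCH_X86_64, NR_OPEN_X86_64, 0x64));
    printf("open, arg0&0xff!=0x64 -> 0x%08x\n", decide(AUDIT_ARCH_X86_64, NR_OPEN_X86_64, 0x65));
    printf("read (nr 0)           -> 0x%08x\n", decide(AUDIT_ARCH_X86_64, 0, 0x65));
    printf("wrong arch            -> 0x%08x\n", decide(AUDIT_ARCH_I386, NR_OPEN_X86_64, 0x64));
#if defined(__x86_64__)
    if (install_filter() == 0) {
        /* raw open (glibc's fopen uses openat, which this filter allows);
           args[0] is the path pointer, whose low byte is almost never 0x64 */
        long fd = syscall(SYS_open, "/etc/hostname", O_RDONLY);
        printf("raw open after install: %s\n", fd < 0 ? strerror(errno) : "allowed");
        if (fd >= 0) close((int)fd);
    }
#endif
    return 0;
}
```

Once installed, the filter applies to the calling process and everything it forks, so the stand-alone run ends with a raw open() returning EACCES; the interpreter in `decide()` is what lets the same policy be checked without that side effect.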