[ { "match": [ /* qemu-pr-helper and similar */ { "connect": { "addr": { "family": "unix", "path": "/var/run/pr-helper.sock" }, "fd": { "tag": "orig_fd" } } } ], "call": [ { "socket": { "family": "unix", "type": "stream", "flags": 0, "protocol": 0 }, "ret": "new_fd" }, { "connect": { "fd": { "tag": { "get": "new_fd" } }, "addr": { "family": "unix", "path": "/var/run/pr-helper.sock" } }, "ret": "y" } ], "fd": { "src": { "tag": "new_fd" }, "new": { "tag": "orig_fd" }, "close_on_exec": false }, "return": { "tag": "y" } }, { "match": [ /* qemu creates a tap interface */ { "ioctl": { "path": "/dev/net/tun", "request": "TUNSETIFF", "ifr": { "name": "tap0", "flags": "IFF_TUN" } } } ], "limit": { "scope": "process", "count": 1 }, "call": { "ioctl": { "request": "TUNSETIFF", "path": "/dev/net/tun", "ifr": { "name": "tap0", "flags": "IFF_TUN", "ret": "x" } } }, "return": { "tag": "x" } }, { "match": [ /* CVE-2022-0185-style */ { "unshare": { "flags": "CLONE_NEWUSER" } } ], "return": { "value": 0, "error": -1 } }, { "match": [ /* passt */ { "unshare": { "flags": { "all": [ "CLONE_NEWIPC", "CLONE_NEWNS", "CLONE_NEWUTS", "CLONE_NEWPID" ] } } } ], "return": { "value": 0, "error": 0 } }, { "match": [ /* Giuseppe's example */ { "mknodat": { "path": { "tag": "path" }, "mode": { "tag": "mode" }, "type": { "tag": "type" }, "major": 1, "minor": { "value": { "in": [ 3, 5, 7, 8, 9 ] }, "tag": "minor" } } }, { "mknod": { "path": { "tag": "path" }, "mode": { "tag": "mode" }, "type": { "tag": "type" }, "major": 1, "minor": { "value": { "in": [ 3, 5, 7, 8, 9 ] }, "tag": "minor" } } } ], "call": { "mknod": { "path": { "tag": { "get": "path" } }, "mode": { "tag": { "get": "mode" } }, "type": { "tag": { "get": "type" } }, "major": 1, "minor": { "tag": { "get": "minor" } } }, "context": { "mnt": "caller" } }, "return": { "value": 0 } } ]
/*
 * FLAGS
 *
 * "field": { "some": [ "ipc", "mount", "uts" ] }
 * flags & set
 * !!(flags & (ipc | mount | uts))
 * OP_BITWISE field AND set
 * OP_CMP result EQ 0 -> next match
 *
 * "field": { "all": [ "ipc", "mount", "uts" ] }
 * flags & set == set
 * flags & (ipc | mount | uts) == (ipc | mount | uts)
 * OP_BITWISE field AND set
 * OP_CMP result NE set -> next match
 *
 * "field": { "none": [ "ipc", "mount", "uts" ] }
 * !(flags & set)
 * OP_BITWISE field AND set
 * OP_CMP result NE 0 -> next match
 *
 * "field": [ "ipc", "mount", "uts" ]
 * flags == set
 * flags == (ipc | mount | uts)
 *
 * "field": "ipc"
 * flags == ipc
 *
 * MASK
 * value = (target value & known values)
 *
 * NUMBERS
 * "arg": { "in": [ 0, 1 ] }
 * arg == 0 || arg == 1
 */