
In order to wrap system calls, the syscall ptrace can be used: https://en.m.wikipedia.org/wiki/Ptrace



The proper way to do this is to use seccomp.


How exactly does one use seccomp to alter/intercept syscalls instead of simply blocking or allowing them? I can't find anything which uses it like that with a search.


GP is misinformed. seccomp is an optimization to ptrace-based syscall interception, when you're only interested in intercepting a subset of a process's syscalls. Instead of getting an event and processing every single syscall a process makes, you can register a seccomp filter that fires a ptrace event in only specific cases (which can be super coarse like "the syscall number is open", or more fine grained like "the syscall number is open and the file is being opened with O_WRONLY or O_RDWR"). Without something like this, ptrace based interception would be almost unusably slow for many cases.


Although unfortunately it can't do "the syscall number is open and the path is five characters long".
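The mechanism the two comments above are describing, as an added example that is not code from the thread: a BPF filter that returns SECCOMP_RET_TRACE only for write-mode openat() calls (flags are passed by value, so the filter can test them; the path is a pointer it cannot follow, which is why the "five characters long" case is left to the tracer), and a tracer that enables PTRACE_O_TRACESECCOMP and gets woken only for those calls. It assumes Linux on x86_64 with glibc (the AUDIT_ARCH value and the register names are the x86_64 ones); the names run_filter, filter_decision, TRACE_WRITE_OPEN and the /tmp/hn_demo path are my own. run_filter is a minimal user-space interpreter for just the opcodes the filter uses, so the filter's decisions can be checked before it is loaded.

```c
/* Added example (not from the thread): SECCOMP_RET_TRACE filter for write-mode
 * openat() plus the ptrace tracer that receives the events.  Assumes x86_64 Linux.
 * cc -Wall -O2 -o seccomp_trace seccomp_trace.c
 * ./seccomp_trace /bin/sh -c 'echo hi > /tmp/hn_demo; cat /tmp/hn_demo' */
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#define ARCH_NR AUDIT_ARCH_X86_64   /* assumption: x86_64 host; other arches use their AUDIT_ARCH_* */
#define TRACE_WRITE_OPEN 1          /* hypothetical SECCOMP_RET_DATA tag, read back by the tracer */

/* glibc's open() issues the openat syscall on current kernels; its flags are
 * args[2].  Flags are passed by value so BPF can test them; the path is only a
 * pointer, so "path is five characters long" has to wait for the tracer. */
static struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),   /* wrong ABI: fail closed */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 3),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, O_WRONLY | O_RDWR, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRACE | TRACE_WRITE_OPEN),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),          /* everything else: no tracer round-trip */
};
#define FILTER_LEN (sizeof filter / sizeof filter[0])

/* Tiny cBPF interpreter for just the opcodes above, so the filter's decisions
 * can be checked in user space before loading it (little-endian hosts). */
uint32_t run_filter(const struct sock_filter *f, size_t n, const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &f[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS: memcpy(&acc, (const char *)d + in->k, 4); break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += acc == in->k ? in->jt : in->jf; break;
        case BPF_JMP | BPF_JSET | BPF_K: pc += (acc & in->k) ? in->jt : in->jf; break;
        case BPF_RET | BPF_K: return in->k;
        default: return SECCOMP_RET_KILL_PROCESS;   /* unsupported opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;                /* ran off the end: fail closed */
}
/* What the filter returns for syscall nr with openat-style flags in args[2]. */
uint32_t filter_decision(uint32_t arch, int nr, uint64_t flags)
{
    struct seccomp_data d = { .nr = nr, .arch = arch };
    d.args[2] = flags;
    return run_filter(filter, FILTER_LEN, &d);
}
static void die(const char *what) { perror(what); _exit(127); }
static void tracee(char **argv)
{
    if (ptrace(PTRACE_TRACEME, 0, 0, 0)) die("PTRACE_TRACEME");
    raise(SIGSTOP);                                  /* let the tracer set its options first */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) die("PR_SET_NO_NEW_PRIVS");
    struct sock_fprog prog = { .len = FILTER_LEN, .filter = filter };
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) die("PR_SET_SECCOMP");
    execvp(argv[0], argv);                           /* filter survives exec */
    die("execvp");
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s prog [args...]\n", argv[0]); return 2; }
    pid_t pid = fork();
    if (pid < 0) die("fork");
    if (pid == 0) tracee(argv + 1);
    int status;
    waitpid(pid, &status, 0);                        /* the SIGSTOP from raise() */
    ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_TRACESECCOMP | PTRACE_O_EXITKILL);
    ptrace(PTRACE_CONT, pid, 0, 0);
    while (waitpid(pid, &status, 0) > 0 && WIFSTOPPED(status)) {
        int sig = WSTOPSIG(status);
        if (status >> 8 == (SIGTRAP | (PTRACE_EVENT_SECCOMP << 8))) {
            unsigned long tag;                       /* SECCOMP_RET_DATA bits of the filter's verdict */
            struct user_regs_struct r;               /* x86_64; change and PTRACE_SETREGS to alter the call */
            ptrace(PTRACE_GETEVENTMSG, pid, 0, &tag);
            ptrace(PTRACE_GETREGS, pid, 0, &r);
            printf("[tracer] tag=%lu openat(dirfd=%#llx, path=%#llx, flags=%#llx)\n",
                   tag, r.rdi, r.rsi, r.rdx);
            sig = 0;                                 /* swallow the event SIGTRAP */
        }
        ptrace(PTRACE_CONT, pid, 0, sig);            /* forward any real signal */
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : 128 + WTERMSIG(status);
}
```

At the PTRACE_EVENT_SECCOMP stop the syscall has not run yet, so a wrapper can read the path out of the tracee with PTRACE_PEEKDATA or process_vm_readv, rewrite rsi/rdx, or set orig_rax to -1 and fake a return value; read-only opens and every other syscall never reach the tracer, which is the performance point made above.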



