Debugging Systemd Seccomp

From Kicksecure

Seccomp debugging is architecture dependent: what works on Intel / AMD64 might not work on arm64 etc.

To watch for systemd seccomp issues:

sudo journalctl _AUDIT_TYPE_NAME=SECCOMP -f

Sample issue:

SECCOMP auid=4294967295 uid=108 gid=118 ses=4294967295 subj==/usr/bin/sdwdate (enforce) pid=9740 comm="sdwdate" exe="/usr/bin/python3.7" sig=31 arch=c0000015 syscall=140 compat=0 ip=0x7fff96cc7df4 code=0x0

The relevant part of the log output above is syscall=140.

Found https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md for a table to translate 140 to _llseek.

Maybe a better table: https://marcin.juszkiewicz.com.pl/download/tables/syscalls.html
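The sample record carries arch=c0000015, which is AUDIT_ARCH_PPC64LE in linux/audit.h, so the number has to be read from that architecture's column of the table. The script below is an added example, not part of the original wiki page: it extracts comm, arch and syscall from a SECCOMP record and names the architecture. The function names are hypothetical, and the optional name lookup assumes scmp_sys_resolver (libseccomp tools) is installed.

```shell
#!/bin/sh
# Added example: decode arch= and syscall= from a SECCOMP audit record.

# The sample record from this page, embedded so the script runs offline.
SAMPLE='SECCOMP auid=4294967295 uid=108 gid=118 ses=4294967295 subj==/usr/bin/sdwdate (enforce) pid=9740 comm="sdwdate" exe="/usr/bin/python3.7" sig=31 arch=c0000015 syscall=140 compat=0 ip=0x7fff96cc7df4 code=0x0'

# audit_field RECORD KEY: print the value of the first KEY=value token.
audit_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# audit_arch_name HEX: map an AUDIT_ARCH_* value (linux/audit.h) to the
# architecture name libseccomp uses. Only common values are listed.
audit_arch_name() {
    case "$1" in
        c000003e) echo x86_64 ;;
        40000003) echo x86 ;;
        c00000b7) echo aarch64 ;;
        40000028) echo arm ;;
        c0000015) echo ppc64le ;;
        *) echo unknown ;;
    esac
}

# seccomp_summary RECORD: print "<comm> <arch> <syscall number>".
seccomp_summary() {
    comm=$(audit_field "$1" comm | tr -d '"')
    arch=$(audit_arch_name "$(audit_field "$1" arch)")
    nr=$(audit_field "$1" syscall)
    printf '%s %s %s\n' "$comm" "$arch" "$nr"
}

# seccomp_syscall_name RECORD: resolve the number to a name for the record's
# own architecture. Assumes scmp_sys_resolver is installed; prints "?" when
# it is not, or when the architecture is not in the table above.
seccomp_syscall_name() {
    arch=$(audit_arch_name "$(audit_field "$1" arch)")
    nr=$(audit_field "$1" syscall)
    if [ "$arch" != unknown ] && command -v scmp_sys_resolver >/dev/null 2>&1; then
        scmp_sys_resolver -a "$arch" "$nr" 2>/dev/null || echo '?'
    else
        echo '?'
    fi
}

seccomp_summary "$SAMPLE"
seccomp_syscall_name "$SAMPLE"
```

A line copied from the journalctl output can be passed in place of SAMPLE; the journal prefix before SECCOMP does not affect the field extraction.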

Note: Replace sdwdate with the name of the systemd unit being debugged.

sudoedit /lib/systemd/system/sdwdate.service && sudo systemctl daemon-reload && sudo systemctl restart sdwdate && sudo systemctl --no-pager --full status sdwdate

SystemCallFilter= in the unit file needs to be adjusted.

