Debugging Systemd Seccomp
Seccomp Issues
Seccomp issues are architecture dependent. What works on Intel / AMD64 might not work on arm64 etc.
To watch for systemd seccomp issues:
sudo journalctl _AUDIT_TYPE_NAME=SECCOMP -f
Sample issue (bold added):
SECCOMP auid=4294967295 uid=108 gid=118 ses=4294967295 subj==/usr/bin/sdwdate (enforce) pid=9740 comm="sdwdate" exe="/usr/bin/python3.7" sig=31 arch=c0000015 syscall=140 compat=0 ip=0x7fff96cc7df4 code=0x0
The relevant part in the above log output snippet is syscall=140.
Found https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md for a table to translate 140 to _llseek.
Maybe a better table: https://marcin.juszkiewicz.com.pl/download/tables/syscalls.html
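Because syscall numbers are per-architecture, the arch= field decides which column of such a table applies. The following added example (not part of the original wiki page) pulls the relevant fields out of the sample record above and decodes arch= into an architecture name. The function names are hypothetical, the architecture names follow libseccomp's naming, and the printed lookup command assumes libseccomp's scmp_sys_resolver tool is installed.

```shell
#!/bin/sh
# Added example. SAMPLE is the audit record quoted on this page.
SAMPLE='SECCOMP auid=4294967295 uid=108 gid=118 ses=4294967295 subj==/usr/bin/sdwdate (enforce) pid=9740 comm="sdwdate" exe="/usr/bin/python3.7" sig=31 arch=c0000015 syscall=140 compat=0 ip=0x7fff96cc7df4 code=0x0'

# field RECORD KEY: print the value of the first KEY=value token, quotes stripped.
# The ^ anchor keeps "uid" from matching "auid".
field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | sed -n 1p | tr -d '"'
}

# audit_arch_name HEX: decode an AUDIT_ARCH_* value as logged in arch=.
# Low 16 bits = ELF machine (EM_*), 0x80000000 = 64-bit, 0x40000000 = little-endian.
audit_arch_name() {
    v=$((0x$1))
    em=$((v & 0xffff))
    bits=32; if [ $((v & 0x80000000)) -ne 0 ]; then bits=64; fi
    endian=be; if [ $((v & 0x40000000)) -ne 0 ]; then endian=le; fi
    case "$em:$bits:$endian" in
        62:64:le)  echo x86_64 ;;
        3:32:le)   echo x86 ;;
        183:64:le) echo aarch64 ;;
        40:32:le)  echo arm ;;
        21:64:le)  echo ppc64le ;;
        21:64:be)  echo ppc64 ;;
        *) echo "unknown(em=$em,${bits}-bit,$endian)" ;;
    esac
}

# resolver_cmd RECORD: the architecture-aware lookup to run for this record.
resolver_cmd() {
    echo "scmp_sys_resolver -a $(audit_arch_name "$(field "$1" arch)") $(field "$1" syscall)"
}

# summary RECORD: which process was hit, by which signal, and what to look up.
summary() {
    echo "process=$(field "$1" comm) exe=$(field "$1" exe) signal=$(field "$1" sig)"
    echo "lookup: $(resolver_cmd "$1")"
}

summary "$SAMPLE"
```

The same functions work on a line copied from the journalctl output, since any text before the first key=value token is ignored.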
Note: Replace sdwdate with the systemd unit name to debug.
sudoedit /lib/systemd/system/sdwdate.service && sudo systemctl daemon-reload && sudo systemctl restart sdwdate && sudo systemctl --no-pager --full status sdwdate
SystemCallFilter= needs to be adjusted.