Debugging Systemd Seccomp

From Kicksecure


This procedure is architecture dependent. What works on Intel / AMD64 might not work on arm64, etc.

To watch for systemd seccomp issues:

sudo journalctl _AUDIT_TYPE_NAME=SECCOMP -f

Sample issue (bold added):

SECCOMP auid=4294967295 uid=108 gid=118 ses=4294967295 subj==/usr/bin/sdwdate (enforce) pid=9740 comm="sdwdate" exe="/usr/bin/python3.7" sig=31 arch=c0000015 syscall=140 compat=0 ip=0x7fff96cc7df4 code=0x0

The relevant part of the log output above is syscall=140.

The table at https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md can be used to translate 140 to _llseek.

Maybe a better table: https://marcin.juszkiewicz.com.pl/download/tables/syscalls.html
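
As an added example (not code from the Kicksecure wiki), the following Python code parses the sample record above and decodes its arch= field, showing why the number has to be looked up in the table for the right architecture. The AUDIT_ARCH values are a subset of those in linux/audit.h; the names for number 140 are embedded by hand for this one number only, and the function names are illustrative.

```python
import re

# The SECCOMP record shown on this page.
SAMPLE = ('SECCOMP auid=4294967295 uid=108 gid=118 ses=4294967295 '
          'subj==/usr/bin/sdwdate (enforce) pid=9740 comm="sdwdate" '
          'exe="/usr/bin/python3.7" sig=31 arch=c0000015 syscall=140 '
          'compat=0 ip=0x7fff96cc7df4 code=0x0')

# AUDIT_ARCH_* values from linux/audit.h (subset). The arch= field is hex.
AUDIT_ARCH = {
    0xC000003E: "x86_64",
    0x40000003: "i386",
    0xC00000B7: "aarch64",
    0x40000028: "arm",
    0xC0000015: "ppc64le",
}

# Meaning of syscall number 140 per architecture. Only this one number is
# embedded here; use one of the linked tables for any other number.
SYSCALL_140 = {
    "x86_64": "getpriority",
    "i386": "_llseek",
    "aarch64": "setpriority",
    "arm": "_llseek",
    "ppc64le": "_llseek",
}

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_seccomp(line):
    """Return the key=value fields of one SECCOMP audit record as a dict."""
    if not line.startswith("SECCOMP "):
        raise ValueError("not a SECCOMP audit record")
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def describe(line):
    """Return (comm, architecture, syscall number, syscall name or None)."""
    fields = parse_seccomp(line)
    arch = AUDIT_ARCH.get(int(fields["arch"], 16), "unknown")
    number = int(fields["syscall"])
    name = SYSCALL_140.get(arch) if number == 140 else None
    return fields["comm"], arch, number, name
```

For the record above, describe(SAMPLE) reports ppc64le and _llseek; the same number with arch=c000003e would be getpriority.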

Note: Replace sdwdate with the systemd unit name to debug.

sudoedit /lib/systemd/system/sdwdate.service && sudo systemctl daemon-reload && sudo systemctl restart sdwdate && sudo systemctl --no-pager status sdwdate

SystemCallFilter= in the unit file needs to be adjusted to account for the syscall found above.


