Debugging Systemd Seccomp

To watch for systemd seccomp issues:
sudo journalctl _AUDIT_TYPE_NAME=SECCOMP -f
Sample issue (bold added):
SECCOMP auid=4294967295 uid=108 gid=118 ses=4294967295 subj==/usr/bin/sdwdate (enforce) pid=9740 comm="sdwdate" exe="/usr/bin/python3.7" sig=31 arch=c0000015 syscall=140 compat=0 ip=0x7fff96cc7df4 code=0x0
The relevant part in the above log output snippet is syscall=140.
Found https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md for a table to translate 140 to _llseek
Maybe a better table: https://marcin.juszkiewicz.com.pl/download/tables/syscalls.html
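Syscall numbers differ per architecture, so 140 has to be looked up in the table that matches the record's arch= value (c0000015 is AUDIT_ARCH_PPC64LE). The following added example, which is not part of the original page and whose function names and two-entry name table are constructed for illustration, decodes both fields from a SECCOMP record:

```python
import re
import sys

# Audit arch token = ELF machine number | 0x80000000 (64-bit) | 0x40000000 (little-endian).
AUDIT_ARCH = {
    0xC000003E: "x86_64",
    0x40000003: "i386",
    0xC00000B7: "aarch64",
    0x40000028: "arm",
    0xC0000015: "ppc64le",
}

# Constructed two-entry excerpt (assumption: illustration only); a real lookup
# needs the full table for each architecture, see the tables linked above.
SYSCALL_NAMES = {
    ("ppc64le", 140): "_llseek",      # the case on this page
    ("x86_64", 140): "getpriority",   # same number, different syscall
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample input: the record quoted on this page.
SAMPLE = (
    'SECCOMP auid=4294967295 uid=108 gid=118 ses=4294967295 '
    'subj==/usr/bin/sdwdate (enforce) pid=9740 comm="sdwdate" '
    'exe="/usr/bin/python3.7" sig=31 arch=c0000015 syscall=140 '
    'compat=0 ip=0x7fff96cc7df4 code=0x0'
)

def parse_seccomp(line):
    """Decode one SECCOMP audit record; return None for any other line."""
    if "SECCOMP" not in line:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    try:
        arch_token = int(fields["arch"], 16)   # logged as bare hex
        number = int(fields["syscall"])        # logged as decimal
    except (KeyError, ValueError):
        return None
    arch = AUDIT_ARCH.get(arch_token, "unknown(%08x)" % arch_token)
    name = SYSCALL_NAMES.get((arch, number))   # None: look it up by hand
    return {"comm": fields.get("comm"), "arch": arch,
            "syscall": number, "name": name}

if __name__ == "__main__":  # sudo journalctl _AUDIT_TYPE_NAME=SECCOMP | python3 <this file>
    for rec in filter(None, map(parse_seccomp, sys.stdin)):
        print(rec)
```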
Note: Replace sdwdate with the systemd unit name to debug.
sudoedit /lib/systemd/system/sdwdate.service && sudo systemctl daemon-reload && sudo systemctl restart sdwdate && sudo systemctl --no-pager status sdwdate
SystemCallFilter= needs to be adjusted.