systemd Design Dev/audio Previous page: systemd Index page: Design Next page: Dev/audio Debugging Systemd Seccomp

Seccomp Issues

Depends on architecture. What works on Intel/AMD64 (amd64) might not work on arm64, and vice versa.

Install auditd.

Install package(s) auditd following these instructions:

Platform specific notice.

Kicksecure: No special notice.
Kicksecure-Qubes: In Template.

Update the package lists and upgrade the system.

sudo apt update && sudo apt full-upgrade

Install the auditd package(s).

Using apt command line --no-install-recommends option is in most cases optional.

sudo apt install --no-install-recommends auditd

Platform specific notice.

Kicksecure: No special notice.
Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template Modification.

Done.

The procedure of installing package(s) auditd is complete.

To monitor systemd seccomp issues:

sudo journalctl _AUDIT_TYPE_NAME=SECCOMP -f

Sample issue

bold added.

SECCOMP auid=4294967295 uid=108 gid=118 ses=4294967295 subj==/usr/bin/sdwdate (enforce) pid=9740 comm="sdwdate" exe="/usr/bin/python3.7" sig=31 arch=c0000015 syscall=140 compat=0 ip=0x7fff96cc7df4 code=0x0

Find out the syscall number.

The relevant part of the log output snippet above is syscall=140. The syscall number will very likely be different in your case.

Translate syscall number into syscall name.

This can be done with the ausyscall tool.

Note: Replace 140 with the actual syscall number.
ausyscall man page.

ausyscall 140

Expected output.

Sample output. Example:

getpriority

In this example, the name of the syscall is getpriority. In your case, the name of the syscall will likely be different.

Add syscall name to systemd unit file.

Once you have the syscall name, add it to the system call whitelist in the systemd unit of the malfunctioning process.

Note: Replace sdwdate with the systemd unit name you are debugging.

sdwdate example:

sudoedit /usr/lib/systemd/system/sdwdate.service && sudo systemctl daemon-reload && sudo systemctl restart sdwdate && sudo systemctl --no-pager --full status sdwdate

kloak example:

sudoedit /usr/lib/systemd/system/kloak.service && sudo systemctl daemon-reload && sudo systemctl restart kloak && sudo systemctl --no-pager --full status kloak

The SystemCallFilter= value needs to be adjusted. Append the missing syscall name.

Done.

Other Syscall Number to Name Lookup Methods

Usually not required. ^[1] ^[2]

Footnotes

↑ The syscall table for your particular machine is defined in a header file. Open /usr/include/ARCH-linux-gnu/asm/unistd.h , replacing ARCH. This should give you a pointer (in the form of a #include statement) to the file containing the syscall table. You may have to "dig" more than one level deep to find it. The correct file will contain a list of numbers and syscall names that looks something like this: #define __NR_read 0 #define __NR_write 1 #define __NR_open 2 #define __NR_close 3 #define __NR_stat 4 #define __NR_fstat 5 #define __NR_lstat 6 In this case we know that read has syscall number 0, write has syscall number 1, etc. Find the syscall number reported in the journal, and determine its corresponding name from the list. If you cannot find the syscall table on your system, you may need to install linux-libc-dev.
↑ There are online syscall tables, such as Chromium OS syscall tables and Marcin Juszkiewicz syscall tables. However, these are not guaranteed to be accurate for your system. It is highly recommended to use the syscall table for your distribution as documented above.

systemd Design Dev/audio Previous page: systemd Index page: Design Next page: Dev/audio

Kicksecure

A secure by default operating system with the latest security research in place.

Dark mode

Supported by Power Up Privacy

Kicksecure is proudly supported until 2026 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

2012- 2026 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!

[1] The syscall table for your particular machine is defined in a header file. Open /usr/include/ARCH-linux-gnu/asm/unistd.h , replacing ARCH. This should give you a pointer (in the form of a #include statement) to the file containing the syscall table. You may have to "dig" more than one level deep to find it. The correct file will contain a list of numbers and syscall names that looks something like this: #define __NR_read 0 #define __NR_write 1 #define __NR_open 2 #define __NR_close 3 #define __NR_stat 4 #define __NR_fstat 5 #define __NR_lstat 6 In this case we know that read has syscall number 0, write has syscall number 1, etc. Find the syscall number reported in the journal, and determine its corresponding name from the list. If you cannot find the syscall table on your system, you may need to install linux-libc-dev.

[2] There are online syscall tables, such as Chromium OS syscall tables and Marcin Juszkiewicz syscall tables. However, these are not guaranteed to be accurate for your system. It is highly recommended to use the syscall table for your distribution as documented above.

[1]

[2]

Debugging Systemd Seccomp

Other Syscall Number to Name Lookup Methods

Footnotes

Navigation menu

Search