Assorted shell and Python scripts
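#!/usr/bin/env bash

# Usage:
#   systemd_syscall_filter <absolute/path/to/binary> [-c]
#
# Prints the system calls the given binary executable appears to use, together
# with the systemd syscall-filter category (@set) each one belongs to, so that
# a SystemCallFilter= line in a unit's .d override can be written without
# excluding a set the program depends on.  With -c (complement) it instead
# prints one "SystemCallFilter=~@set" line (a deny entry) for every category in
# which no syscall matched, ready to paste into the override.
#
# How it works: every syscall name in each category, as reported by
# `systemd-analyze syscall-filter`, is looked up as a whole word in the output
# of strings(1) for the binary.  That is a heuristic, not a trace:
#   - a match may be an unrelated string or a libc symbol name rather than a
#     syscall the program actually makes (false positive);
#   - syscalls reached only through shared libraries, the dynamic loader, or
#     code whose names do not appear in the binary are not seen (false
#     negative), so a set reported as unused may still be needed.
# Treat the output as a starting point and confirm the finished filter against
# a real run of the service (a trace, or the seccomp denials in the journal /
# audit log) before relying on it.

set -euo pipefail

declare -ra syscall_categories=(
  "@default"
  "@aio"
  "@basic-io"
  "@chown"
  "@clock"
  "@cpu-emulation"
  "@debug"
  "@file-system"
  "@io-event"
  "@ipc"
  "@keyring"
  "@memlock"
  "@module"
  "@mount"
  "@network-io"
  "@obsolete"
  "@pkey"
  "@privileged"
  "@process"
  "@raw-io"
  "@reboot"
  "@resources"
  "@setuid"
  "@signal"
  "@swap"
  "@sync"
  "@system-service"
  "@timer"
)

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print the usage text to stderr and exit with status 1.
#######################################
usage() {
  cat >&2 <<'EOF'
Usage: systemd_syscall_filter <abs/path/to/binary> [-c]

To get syscalls used by the binary:
  systemd_syscall_filter /usr/sbin/auditd

To get syscall categories not used by the binary, pass the -c (complement) flag:
  systemd_syscall_filter /usr/sbin/auditd -c
EOF
  exit 1
}

#######################################
# Print the syscall names of one systemd syscall-filter category, one per line.
# Arguments: $1 - category name, e.g. "@network-io"
# Outputs:   syscall names on stdout
#######################################
list_category_syscalls() {
  local category=$1
  # The first two lines of the listing are the set name and its description;
  # the first field of every remaining line is the syscall name.
  sudo systemd-analyze syscall-filter --no-pager "$category" \
    | tail -n +3 \
    | awk '{print $1}'
}

#######################################
# Print "<category> : <syscall>" for every syscall name that occurs as a whole
# word in the printable strings of the binary.
# Globals:   syscall_categories (read)
# Arguments: $1 - path to the binary executable
# Outputs:   one "category : syscall" line per match, on stdout
#######################################
get_used_syscalls() {
  local bin=$1
  local bin_strings category sc

  # Extract the strings once; the per-syscall checks then only run grep.
  bin_strings=$(strings "$bin")

  for category in "${syscall_categories[@]}"; do
    while IFS= read -r sc; do
      # An empty pattern would match every line, so skip blank entries.
      [[ -n "$sc" ]] || continue
      # -F: the name is a literal, not a regex; -w: whole-word match only.
      if grep -qwF -- "$sc" <<<"$bin_strings"; then
        printf '%s : %s\n' "$category" "$sc"
      fi
    done < <(list_category_syscalls "$category")
  done
}

#######################################
# Print "SystemCallFilter=~<category>" for every category in which none of the
# syscalls matched the binary.
# Globals:   syscall_categories (read)
# Arguments: $1 - path to the binary executable
# Outputs:   one SystemCallFilter=~ line per unused category, on stdout
#######################################
get_unused_categories() {
  local bin=$1
  local category

  # The full category list contributes each name once; the used categories
  # (first field of each "category : syscall" line, de-duplicated) contribute
  # it a second time.  `uniq -u` keeps the names seen exactly once, i.e. the
  # categories with no matching syscall.
  while IFS= read -r category; do
    printf 'SystemCallFilter=~%s\n' "$category"
  done < <(
    {
      printf '%s\n' "${syscall_categories[@]}"
      get_used_syscalls "$bin" | awk '{print $1}' | sort -u
    } | sort | uniq -u
  )
}

#######################################
# Parse the command line and dispatch to the requested mode.
# Arguments: $1 - path to the binary executable; $2 - optional "-c"
# Returns:   exits 1 on a usage error or an unusable binary
#######################################
main() {
  local bin mode

  case "$#" in
    1) mode=list ;;
    2)
      [[ "$2" == "-c" ]] || die "Unknown option: ${2}"
      mode=complement
      ;;
    *) usage ;;
  esac
  bin=$1

  # Both modes read the binary, so validate it before either one runs.
  [[ -x "$bin" ]] || die "${bin} is not found or is not executable"

  if [[ "$mode" == complement ]]; then
    get_unused_categories "$bin"
  else
    get_used_syscalls "$bin"
  fi
}

main "$@"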