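#!/usr/bin/env bash
#
# Usage:
#   systemd_syscall_filter <binary> [-c]
#
# Print the system calls a binary executable appears to use, together with
# the systemd syscall-filter set (@category) each call belongs to. That shows
# which sets you should NOT deny in the unit's .d override for the
# SystemCallFilter= directive: if the binary uses a call from a set and that
# set is filtered out, the service will most likely break.
#
# With -c (complement) the script prints the opposite view: the sets that
# contain no call the binary appears to use, already formatted as
# "SystemCallFilter=~@set" lines.
#
# Caveat on the detection method: a syscall counts as "used" when its name
# occurs as a whole word in the binary's printable strings (strings(1)).
# This is a heuristic, not an analysis of what the process will execute:
#   * common words such as "read" or "open" match unrelated text, which
#     over-reports usage (the resulting filter is looser than necessary);
#   * calls made by shared libraries the binary links against, by dlopen'd
#     plugins, or by child processes do not appear in its strings at all,
#     which under-reports usage (the resulting filter breaks the service).
# Treat the -c output as a starting point and confirm it against a runtime
# trace of the real service before deploying the override.
#
# Requires: bash 4+, systemd-analyze, strings (binutils).

set -euo pipefail

# Syscall sets known to systemd-analyze syscall-filter, in man-page order.
# @default is the set systemd documents as "always permitted"; a binary's
# strings rarely expose those names, so a "SystemCallFilter=~@default" line
# in the -c output deserves particular scrutiny before it is applied.
readonly -a syscall_categories=(
  "@default"
  "@aio"
  "@basic-io"
  "@chown"
  "@clock"
  "@cpu-emulation"
  "@debug"
  "@file-system"
  "@io-event"
  "@ipc"
  "@keyring"
  "@memlock"
  "@module"
  "@mount"
  "@network-io"
  "@obsolete"
  "@pkey"
  "@privileged"
  "@process"
  "@raw-io"
  "@reboot"
  "@resources"
  "@setuid"
  "@signal"
  "@swap"
  "@sync"
  "@system-service"
  "@timer"
)

#######################################
# Print a diagnostic to stderr and exit.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print the usage text to stderr and exit with status 2.
#######################################
usage() {
  cat >&2 <<'EOF'
Usage: systemd_syscall_filter <binary> [-c]

To get syscalls used by the binary:
  systemd_syscall_filter /usr/sbin/auditd

To get syscall categories not used by the binary, pass the -c (complement) flag:
  systemd_syscall_filter /usr/sbin/auditd -c
EOF
  exit 2
}

#######################################
# List the syscall names in one systemd syscall set, one per line.
# systemd-analyze only reads its built-in tables here, so it is run as the
# invoking user; the previous version wrapped it in sudo for no gain and
# prompted for a password on every set.
# Arguments: $1 - set name, e.g. "@aio"
# Outputs:   syscall names on stdout
#######################################
list_set_syscalls() {
  # The first column of each line is the set name, a "#" comment marker or
  # a syscall name; keep only the syscall names instead of relying on a
  # fixed number of header lines.
  systemd-analyze syscall-filter --no-pager "$1" \
    | awk 'NF && $1 !~ /^[@#]/ {print $1}'
}

#######################################
# Print "<set> : <syscall>" for every syscall whose name appears as a whole
# word in the binary's printable strings (see the caveat in the header).
# Globals:   syscall_categories (read)
# Arguments: $1 - path to the binary executable
# Outputs:   one "<set> : <syscall>" line per match, grouped by set
#######################################
get_used_syscalls() {
  local binary=$1
  local bin_strings category sc
  local -a syscalls
  local -A hit

  # Extract the strings once; the previous version re-ran strings(1) for
  # every syscall name, i.e. hundreds of passes over the same binary.
  bin_strings=$(strings -- "$binary")

  for category in "${syscall_categories[@]}"; do
    readarray -t syscalls < <(list_set_syscalls "$category")
    if (( ${#syscalls[@]} == 0 )); then
      # An empty set most likely means this systemd version does not know
      # the name; say so rather than silently reporting it as unused.
      printf 'warning: no syscalls listed for %s (unsupported set?)\n' \
        "$category" >&2
      continue
    fi

    # One fixed-string, whole-word grep per set; -o yields the matched
    # names so membership can be checked without further forks.
    hit=()
    while IFS= read -r sc; do
      hit["$sc"]=1
    done < <(grep -owF -f <(printf '%s\n' "${syscalls[@]}") <<<"$bin_strings" \
               | sort -u)

    # Report in the order systemd lists the set, as before.
    for sc in "${syscalls[@]}"; do
      if [[ -n "${hit[$sc]:-}" ]]; then
        printf '%s : %s\n' "$category" "$sc"
      fi
    done
  done
}

#######################################
# Print a SystemCallFilter=~<set> line for every set in which no syscall
# of the binary was detected.
# Globals:   syscall_categories (read)
# Arguments: $1 - path to the binary executable
# Outputs:   "SystemCallFilter=~@set" lines on stdout, in set order
#######################################
get_unused_categories() {
  local binary=$1
  local category
  local -A used

  while IFS= read -r category; do
    used["$category"]=1
  done < <(get_used_syscalls "$binary" | awk '{print $1}')

  for category in "${syscall_categories[@]}"; do
    if [[ -z "${used[$category]:-}" ]]; then
      printf 'SystemCallFilter=~%s\n' "$category"
    fi
  done
}

#######################################
# Parse arguments and dispatch. The binary and -c may be given in either
# order; the executable check applies to both modes (previously -c skipped
# it, and a missing file made every set look unused).
# Arguments: "$@" - <binary> [-c]
#######################################
main() {
  local binary='' complement=0 arg tool

  for arg in "$@"; do
    case "$arg" in
      -c) complement=1 ;;
      -h|--help) usage ;;
      -*) printf 'Unknown option: %s\n' "$arg" >&2; exit 1 ;;
      *)
        [[ -z "$binary" ]] || usage
        binary=$arg
        ;;
    esac
  done
  [[ -n "$binary" ]] || usage

  if ! [[ -f "$binary" && -x "$binary" ]]; then
    die "${binary} is not found or is not executable"
  fi

  # Without these tools every set would silently come out as "unused",
  # which in -c mode is a deny-everything filter.
  for tool in systemd-analyze strings; do
    command -v "$tool" >/dev/null 2>&1 || die "required tool not found: ${tool}"
  done

  if (( complement )); then
    get_unused_categories "$binary"
  else
    get_used_syscalls "$binary"
  fi
}

main "$@"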