Request seccomp logging if SYSTEMD_LOG_SECCOMP environment variable is set.
authorSteve Dodd <steved424@gmail.com>
Sun, 16 Aug 2020 20:57:41 +0000 (21:57 +0100)
committerLennart Poettering <lennart@poettering.net>
Fri, 21 Aug 2020 09:24:53 +0000 (11:24 +0200)
docs/ENVIRONMENT.md
src/shared/seccomp-util.c

index d6f5126ac2d1d35e03f4a0c3b34d37cc30eb8040..ea433a497a71c441cc6885ad2d48bb4cc36473aa 100644 (file)
@@ -90,6 +90,10 @@ systemctl:
 
 * `$SYSTEMCTL_SKIP_SYSV=1` — if set, do not call out to SysV compatibility hooks.
 
+* `$SYSTEMD_LOG_SECCOMP=1` — if set, system calls blocked by seccomp filtering,
+  for example in systemd-nspawn, will be logged to the audit log, if the current
+  kernel version supports this.
+
 systemd-nspawn:
 
 * `$SYSTEMD_NSPAWN_UNIFIED_HIERARCHY=1` — if set, force nspawn into unified
index 2b5ec593a150eb99d77e5eee7bc28db059829a20..1acef04f9c0fab9077571412989ca81181ce7e4a 100644 (file)
@@ -12,6 +12,7 @@
 
 #include "af-list.h"
 #include "alloc-util.h"
+#include "env-util.h"
 #include "errno-list.h"
 #include "macro.h"
 #include "nsflags.h"
@@ -234,6 +235,14 @@ int seccomp_init_for_arch(scmp_filter_ctx *ret, uint32_t arch, uint32_t default_
         if (r < 0)
                 return r;
 
+#if SCMP_VER_MAJOR >= 3 || (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 4)
+        if (getenv_bool("SYSTEMD_LOG_SECCOMP") > 0) {
+                r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_LOG, 1);
+                if (r < 0)
+                        log_debug_errno(r, "Failed to enable seccomp event logging: %m");
+        }
+#endif
+
         *ret = TAKE_PTR(seccomp);
         return 0;
 }
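Review bot: The failure path after seccomp_attr_set() reports only at debug level, yet the operator explicitly opted in with SYSTEMD_LOG_SECCOMP=1; when the attribute cannot be set (presumably on a kernel without SECCOMP_FILTER_FLAG_LOG, if libseccomp probes kernel support inside seccomp_attr_set as I believe it does) the operator gets no audit records and no hint why, so I would use `log_warning_errno(r, "Failed to enable seccomp event logging, continuing without it: %m");` — the filter is still loaded, so the situation is not fatal. The new block also deserves a comment above the `#if` stating what the flag buys and costs: it asks the kernel to record every non-allow filter action (subject to the kernel's seccomp actions_logged setting), so a confined process can generate an unbounded stream of audit/kmsg records, which makes this a debugging aid rather than something to leave enabled in production. Since this lives in src/shared/, the variable presumably affects every filter systemd builds, not only the nspawn case the docs cite, and the comment could say so. seccomp_init_for_arch's signature and the start of its body lie outside the hunk.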