« Back to Systemd: Frequently Asked Questions

How to see which syscalls are part of a systemd syscall filter set

Q: How to see which syscalls are part of a systemd syscall filter set?

systemd-analyze syscall-filter @SETNAME

Systemd can restrict services from using particular syscalls with the help of the unit setting SystemCallFilter. Instead of mentioning all individual syscalls, systemd has predefined sets that can be used. These sets group functions that are related. To see which syscalls are part of a set, use the systemd-analyze command.

# systemd-analyze syscall-filter @ipc
@ipc
    # SysV IPC, POSIX Message Queues or other IPC
    ipc
    memfd_create
    mq_getsetattr
    mq_notify
    mq_open
    mq_timedreceive
    mq_timedreceive_time64
    mq_timedsend
    mq_timedsend_time64
    mq_unlink
    msgctl
    msgget
    msgrcv
    msgsnd
    pipe
    pipe2
    process_madvise
    process_vm_readv
    process_vm_writev
    semctl
    semget
    semop
    semtimedop
    semtimedop_time64
    shmat
    shmctl
    shmdt
    shmget

See systemd syscall filtering for all details.

Learn more about systemd-analyze

This article uses the systemd-analyze command to achieve its tasks. Want to learn how to use it or additional options that may be available?

» Mastering the tool

Installation and usage of systemd-analyze

Feedback

Is the described answer not working or incorrect, got another tip or question? Share your thoughts!

Learn more about systemd-analyze

Other questions related to systemd

Feedback