Syscall

Systemd can restrict services from using particular syscalls with the help of the unit setting SystemCallFilter. Instead of mentioning all individual syscalls, systemd has predefined sets that can be used. These sets group functions that are related. To see which syscalls are part of a set, use the systemd-analyze command.

# systemd-analyze syscall-filter @ipc
@ipc
    # SysV IPC, POSIX Message Queues or other IPC
    ipc
    memfd_create
    mq_getsetattr
    mq_notify
    mq_open
    mq_timedreceive
    mq_timedreceive_time64
    mq_timedsend
    mq_timedsend_time64
    mq_unlink
    msgctl
    msgget
    msgrcv
    msgsnd
    pipe
    pipe2
    process_madvise
    process_vm_readv
    process_vm_writev
    semctl
    semget
    semop
    semtimedop
    semtimedop_time64
    shmat
    shmctl
    shmdt
    shmget

See systemd syscall filtering for all details.

Why and when to use SystemCallFilter

The setting SystemCallFilter aims to prevent misuse of syscalls that are not needed for normal functioning of a process. This powerful filtering restricts the abilities of a process, but requires understanding of processes by the system administrator. See the overview of Linux syscalls for more details.

Configuration

This setting takes a space-separated list and may be specified multiple times.

Overview of syscalls in systemd by group

Processes are the running workforce on a Linux system. Each process has a particular goal, like forking child processes, handling incoming user requests of monitoring other processes. As a system administrator or IT auditor, you might want to know at some point what disk activity occurs in a process. In this article, we have a look at a few options to quickly reveal what is occuring in a process, including disk and file activity.