From 44aaddad06184aea312524846207ccc145e30a6d Mon Sep 17 00:00:00 2001
From: Steve Dodd
Date: Sun, 16 Aug 2020 21:57:41 +0100
Subject: [PATCH] Request seccomp logging if SYSTEMD_LOG_SECCOMP environment variable is set.
---
 docs/ENVIRONMENT.md | 4 ++++
 src/shared/seccomp-util.c | 9 +++++++++
 2 files changed, 13 insertions(+)
diff --git a/docs/ENVIRONMENT.md b/docs/ENVIRONMENT.md
index d6f5126ac2..ea433a497a 100644
--- a/docs/ENVIRONMENT.md
+++ b/docs/ENVIRONMENT.md
@@ -90,6 +90,10 @@ systemctl:
 * `$SYSTEMCTL_SKIP_SYSV=1` — if set, do not call out to SysV compatibility hooks.
+* `$SYSTEMD_LOG_SECCOMP=1` — if set, system calls blocked by seccomp filtering,
+ for example in systemd-nspawn, will be logged to the audit log, if the current
+ kernel version supports this.
+
 systemd-nspawn:
 * `$SYSTEMD_NSPAWN_UNIFIED_HIERARCHY=1` — if set, force nspawn into unified
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 2b5ec593a1..1acef04f9c 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -12,6 +12,7 @@
 #include "af-list.h"
 #include "alloc-util.h"
+#include "env-util.h"
 #include "errno-list.h"
 #include "macro.h"
 #include "nsflags.h"
@@ -234,6 +235,14 @@ int seccomp_init_for_arch(scmp_filter_ctx *ret, uint32_t arch, uint32_t default_
 if (r < 0)
 return r;
+#if SCMP_VER_MAJOR >= 3 || (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 4)
+if (getenv_bool("SYSTEMD_LOG_SECCOMP") > 0) {
+r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_LOG, 1);
+if (r < 0)
+log_debug_errno(r, "Failed to enable seccomp event logging: %m");
+}
+#endif
+
 *ret = TAKE_PTR(seccomp);
 return 0;
 }
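Review bot: In the second seccomp-util.c hunk, `getenv_bool("SYSTEMD_LOG_SECCOMP") > 0` discards the negative return for a variable that is set but not a parseable boolean, so a typo in the value silently leaves audit logging off, which is the opposite of what the operator asked for when debugging a filter. The usual pattern elsewhere in the tree keeps the result and reports the parse error at debug level while still treating "unset" (-ENXIO) as quiet: `r = getenv_bool("SYSTEMD_LOG_SECCOMP");` / `if (r < 0 && r != -ENXIO) log_debug_errno(r, "Failed to parse $SYSTEMD_LOG_SECCOMP, ignoring: %m");` / `if (r > 0) {`. The same silent no-op happens when libseccomp is older than 2.4 and the whole block is compiled out; a one-line `#else` branch logging that the variable is set but unsupported by this libseccomp would make that visible too. Note that `r` is reused here after the earlier `if (r < 0) return r;` check, which is fine only because nothing below reads it before the final `return 0`; the enclosing `seccomp_init_for_arch` starts outside the hunk.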