How to SyscallFilter a systemd unit

audit_command.sh

#!/bin/bash
# $1 is the command to audit (it will be run)

echo "my pid: $$"
# Log all chidren of this shell
auditctl -a always,exit -S all -F ppid=$$

$1

audit_log_syscalls.sh

#!/bin/bash
# $1 is the parent pid

echo "SystemCallFilter=$(
    ausearch -i -pp $1 | \
    grep -o "syscall=\S*" | cut -d = -f 2 | \
    sort | uniq | \
    grep -Ev '(execve|exit|exit_group|getrlimit|rt_sigreturn|sigreturn)' \
    tr '\n' ' '
)"

gistfile1.txt

# Depends: auditd

# Add an audit rule to log all syscalls...
auditctl -a always,exit -S all -F <my filter>

# Available filters include, by an execution of the given binary:
exe=<absolute path to executable>
# by the process with pid:
pid=<pid>
# by any child of the process with pid:
ppid=<pid>

# Then run the process.

# Delete all audit rules (stop logging syscalls)
auditctl -D

# Query the audit log..
# (systemd implicitly grants the syscalls excluded by the second grep.)
ausearch -i <my filter> | grep -o "syscall=\S*" | cut -d = -f 2 | sort | uniq | \
  grep -Ev '(execve|exit|exit_group|getrlimit|rt_sigreturn|sigreturn)'
  
 
# Filter by executable:
-x <absolute path to executable>
# by the process with pid:
-p <pid>
# by any child of the process with pid:
-pp <pid>

# Then add the list to your .service file ie:
SystemCallFilter=getcwd access arch_prctl brk clone close dup2 fchdir fcntl fstat fstatfs futex getdents64 getuid ioctl lseek mmap mprotect munmap newfstatat openat pipe poll ppoll prlimit64 read recvfrom rt_sigaction rt_sigprocmask sendto set_robust_list set_tid_address socket stat statfs uname wait4 write